Thank you for joining. This is the Open Gov track, and once again I'm excited to introduce these two gentlemen with a really fascinating topic. We have Jeffrey here from the IBM team as the WW program director, and then we have Arno, who is a senior technical staff member with IBM. They're going to walk us through navigating open source and open standards for better cybersecurity. Thank you, gentlemen.

Thank you, and welcome everyone. Happy to be here. I'd like to start this session just by mixing it up a little bit. Both Arno and I have been very active in the OpenSSF, but this is more of a broader topic: it's 2023, why is cybersecurity so hard? And it's more than just the tech. If we can go to the next slide. This is a study that I came across a little over a year ago now from the MIT Sloan School of Management, and it talks about this concept of the fact that cybersecurity and compliance and the regulatory aspects of it, you know, you feel that they're kind of like peanut butter and jelly, that they go together really well, but they really are driven by two different forces. In fact, compliance is primarily driven by enforcement risk: your organization doesn't want to end up in jail or doesn't want to be on the wrong side of the law. But cybersecurity is driven really by business risk.
You don't want to get ripped off. You don't want to have your brand image damaged by having a bad malware or ransomware attack. And because those two issues are driven by different factors, the stakeholders, and there are a lot of them, all have a different point of view as to what's really important, whether it's the legal group, the leadership team, or the security professionals. You can end up being compliant, in other words you're on the right side of the law, but you're not going to be very secure. Or alternatively, you can be really fairly well locked down, but you're not compliant from a regulatory perspective. And so it can be very hard to find that right mix, and you can end up with the gears just not meshing well. You can end up with a lack of culture around how to get the right balance, difficulty in developing and implementing the right set of regulations that are important to your industry, and at the end of the day the cyber world is moving too fast to keep up.

So with that, as sort of a high-level entry point: traditional cybersecurity needs to evolve. And I feel a lot of pressure because I've got CRob here right in the front row to make sure I'm on target. But in cybersecurity, 66% of security teams do not share their data, and now I'm not talking so much on the supply side, this is more on the analyst side of the equation. 45% of security teams require security engineers to hardwire integrations, and this is really challenging, and this is part of the reason why cybersecurity professionals struggle. So we need more cooperation. And in this survey done by ESG Research back in mid-2022, 84% believe that our products' integration capabilities are important. Why is that? Because in this space there are a lot of point solutions, and it can be very difficult for an analyst to assemble and adequately understand what's going on. 83% believe future interoperability depends upon established standards. Who's going to establish those? So what we really need to move towards is a
connected and open analyst experience: one that helps with a better user interface, one that shares data, one that allows community-led innovation and expertise. Starting to sound like open source? I think so. Open standards and improved interoperability. So these are the four pillars of open security from an IBM perspective and from others in the industry: open security standards; open source code to allow innovation and quickly fix gaps in the IT ecosystem, whether it's commercial gaps or community gaps, etc.; intelligence and analytics; and best practices. And we're not there yet, but we're moving along this arc of an open security journey to a collective defense. So if you can see on the left side of the screen there, improving risk reduction and a collective defense, we'll move up this ladder of foundational standards, operational standards and compliance, threat intelligence sharing, and collective defense. So as much as we're in a challenging time from an open source software security perspective, I think that the way we need to change as a community is aligning well with the way cybersecurity experts need to evolve, along with the commercial and other players in the industry.

So IBM is active in this Open Cybersecurity Alliance. It's governed as an OASIS open source project, and it's an opportunity for the industry to come together to support an open cybersecurity ecosystem where products freely exchange information, insight, analytics, and orchestrated processes. The challenge is, again, that OASIS comes at this from more of a standards organization perspective, and if you think about what's changed in the industry, go back only about ten years: standards bodies really dominated the landscape, and open source was a thing, but it was really still all about standards. And standards are great, but they're largely driven by specifications. They largely take quite a bit of time. And so what's happened over the last, again, seven, eight plus years is that
there's been this rapid shift towards a dominance of the impact of open source software. And I don't have to preach to the choir here; you all know why open source software is much more frictionless. And so in this new era the pendulum is going to need to swing back, because right now we're kind of 80% open source, and yes, standards are still important. But I'm not going to steal my partner's thunder. The last thing I want to touch on, though, is that this non-profit cyber alliance is also dedicated to trying to help fix this, and you can see that the Open Cybersecurity Alliance is down there listed as one of the members of this. OWASP is also here. And this is a larger umbrella initiative of not-for-profits that see a similar problem and want to see this effectively addressed. So with that, I'm going to step back and have Arno take us through the next section.

So, talking about government and standards and open source. I mean, it must have occurred to you that, you know, there are more and more activities going on. Essentially what we have, right, is that software is under attack, and open source is part of it. Open source is used in every piece of software now, and, you know, bad actors have discovered that there is kind of a soft spot right now in open source, because we haven't always used best practices in all open source software development. And so what we are seeing is there is clearly a movement across the board, around the world, right, with different governments stepping up and saying, okay, industry, this is enough. And I mean, there is good reason for it, right? It's costing a lot of money, first of all. It's impacting economies around the world more and more. We have these, you know, cybersecurity issues that come up, but in fact it even leads to public safety issues, right?
We have critical infrastructure that is being, you know, put in danger. When you think about, you know, security, you don't necessarily think public safety per se, but in fact when you think about, you know, your house has more and more devices that are plugged into software, which, you know, we hear these stories of, like, baby monitors for instance, where people are hacking in. This becomes a public safety issue. So it's not surprising that governments are saying, okay, enough, we need to get this under control. So in the US we have seen several executive orders being published now that are trying to push, you know, the industry to act. And of course they have huge leverage, because essentially they are going to say, these are the requirements that industry must meet for us to buy your products, to buy your offerings. And this is going to lead the whole industry to follow suit, because, you know, all our customers are going to say, well, if it's good for the government, it's good for me as well; I want the same kind of guarantees regarding security. So the first one, the executive order from 2021, you know, tries to push the envelope in setting some requirements about cloud offerings specifically, but also gets into SBOMs, saying, well, you know, one major problem we have is we don't even know what's in this software that you're selling us. So that's, you know, what we want to know now: what's in it. And that will be the first step towards understanding what security vulnerabilities might impact the software we use. And so there's a series of those regulations coming up. In Europe especially, we see that now there is the CRA. It's, you know, being currently discussed quite broadly, because there is definitely some impact that could even touch the open source world. And it's true, this list is not exhaustive, right? It ends with Japan, but you see similar activities all around the world. Is there anyone in the audience who doesn't know what an SBOM is yet?
You get a sticker from, of all people, CRob for sure. So as Arno continues, start to formulate some of your questions. Questions get stickers. Incentives, goodies.

No, but so I think everybody kind of knows what an SBOM is at this point, right? It's the bill of materials. It's a concept that exists in other industries; the IT industry just never got to do this, and now, I mean, we see it. You know, I think every company, every time there is some, you know, CVE that gets published, the first problem is, well, where does that impact us? Right? Because often vendors, and I don't think, you know, I'm divulging very big secrets there, even vendors often don't know what they are using. We have all these developers that are using all sorts of open source software, and we don't necessarily have a full understanding of what ends up in our products. And so the SBOM is a way to try to address this problem by clearly listing all the content of the software. And so there are different activities in this space. There are different formats being developed. CycloneDX and SPDX are the main ones. There are others, actually, but... What? Yeah, that's yesterday's news. Come on. Oops, sorry.
So for those who are online, CRob said SWID, and that's why I said I wanted to acknowledge the others. But clearly, you know, these are the most dominant ones, or the leading ones, CycloneDX and SPDX, and this is very, you know, quickly evolving, because they started with this idea of, you know, basically listing the components that are in a piece of software. And typically, you know, in the case of SPDX there was a focus on licenses, for instance, what kind of licenses were in these products, and it is quickly evolving with all the dependencies, and now they are also trying to capture, you know, the build environment that was involved in generating the code or the actual artifact, and so on.

So OpenSSF, you probably have heard of it. OpenSSF is, you know, part of the Linux Foundation. I don't know if some of you may have attended the OpenSSF Day yesterday that was fully focused on this. As Jeff was saying earlier, he and I are both active in OpenSSF. OpenSSF started actually quite a while ago, in 2020. At the time, though, we were in the COVID time, when companies were a bit shy about spending a lot of money. We didn't know how much, you know, it was going to impact the economy, and so there were very few resources put towards this project, even though there was a recognition that there was a need for the industry. This is bigger than any single company, right? So we have to have a movement at the industry level to try to have a chance to address this problem. And so OpenSSF was created with basically the mission of looking into this problem and collaboratively trying to address it, facilitate, you know, addressing the issue, increasing the security posture of all open source software, which is of course a big task.

And just as you transition to the next slide, I just want to make the point for the audience online: it's not that we're saying open source software is more or less secure than proprietary software. Open source is not the problem.
It's part of the solution. But open source has become so massive in its use in the software supply chain that it's become an attractive attack surface, and that is why this is the right time to begin to address this.

So OpenSSF went through somewhat of a reboot in December 2021, where basically the companies said, okay, now we are ready to invest more broadly, and so the activity became fully funded. That's when I personally got involved in it, probably at about the same time. And so we've been involved in this since then.

From a regulatory point of view, going back to what I was talking about: so the EU, you know, has been leading the charge in many ways on that front. There have been several acts that have, you know, been produced by the European Union over the years. They started several years ago, in 2016; they had the first cybersecurity act for critical infrastructure, and they have been going on on that path since then with the Cybersecurity Act, and then more recently, you know, we've heard of this CRA. I will talk a little bit more about that. But they also had one regarding wireless devices and communication in general. You have to understand a little bit how the EU functions, right?
There is a legislative framework that was put in place where essentially it functions at two different levels. At the first level, from a legislative point of view, the Parliament is going to issue an act that defines some kind of requirements, things that they feel need to be met to ensure security. Then at the lower level, once the act has been enacted by the Parliament, they will actually ask the European Commission to implement it, and the way the Commission implements it is by turning to standards bodies to define standards that will implement, you know, define how the requirements are actually going to be met, practically speaking. So it's a multi-level process, and typically they will end up with some European standards. There are three main organizations recognized by the European Union: CEN and CENELEC, and ETSI. CEN and CENELEC were initially two different organizations, but actually you will never hear basically one or the other independently; they always come together, CEN and CENELEC.
So it sounds like there are only two organizations. Those organizations function as part of, you know, the whole spectrum of the de jure organizations. These are, like, formal organizations, along with ISO, IEC, and ITU, which are at the international level. In the process they will consider adopting international standards that will help them meet those requirements, but if it doesn't work they may issue European-specific standards. Of course, vendors like IBM and others that have a global market have an interest in trying to minimize things that are region-specific. So we engage to make sure that, as much as possible, the standards that are being adopted are as international as possible. There are also, you know, many different organizations that are not de jure standards bodies, like the OCA and others. We've actually been working with the European Commission to get them to acknowledge the existence of those standards organizations and not necessarily require every one of those standards to go through the ISO process to make it, you know, usable at the European level.

If you look at the CRA in particular, because it's a big topic right now, what's going on again is these two layers that I was referring to. For now we are still in the legislative process, where they are defining the CRA. It's actually fairly late in the development phase now, where they have already defined all the requirements and they are in the very final phase. But in fact this is only the beginning of the process, because once the legislative process ends and the Parliament issues the act, they will then again turn to the European Commission to kick off the technical process, which will be this process of, how do we actually go about implementing this? And there will be another, you know, possibility of negotiating here. In practice, you know, it's supposed to implement the requirements, but there is some leeway in how this gets done, because, you know, it's like the first part, the first layer, is done by politicians; the second is by
technical people, and so then there is, you know, some room for interpretation as to how the two, you know, match.

So looking at IBM more specifically, what do we actually do in that space, right? So first, I mean, we actually have a policy blog on supply chain security and open source. You have a QR code there you can scan to get directly to it. You know, from an IBM point of view, we recognize it. So we actually support open source community security initiatives. This is something we do across the board, not just in OpenSSF; we're involved in different organizations. You know, we support the software bill of materials, you can learn about it, and we are supporting improving security execution, right, and contributing to open source projects overall.

And I just want to add to that point that from an SBOM perspective, right now what we feel is that everyone should be getting their hands dirty, metaphorically speaking. Right now is not the time to just be generating SBOMs because "I heard I had to do it, I went and bought a point product, and now I'm going to pass them around like trading cards." Not a recommended approach, right? You need to be using and developing your skills, and let's face it, we're all software development companies to varying degrees today, right? In this age of digitalization, you've got to have strong skills in this space. So right now you should be developing those skills internally and using that learning to understand where the problems are in your own software supply chain. And the other point I want to emphasize that Arno touched on is that if you are a smaller business or a midsize organization and you don't feel you can support the open source projects that you're consuming, at least think of sourcing that code from a vendor who does, like a MongoDB or a SUSE or a Red Hat, right? That's another way you can help to ensure that the ecosystem is going to improve.

So again, you know, we are very much involved in OpenSSF, and you
know, this is a way to show some of, you know, it's kind of bragging rights, to show the level of involvement we have. We actually have, how many people do we have involved in OpenSSF in total? This is just a short segment of how many people we have.

I think you said bragging rights; I think you mispronounced "proud leadership." We have Jamie Thomas, who's a general manager within IBM, who is a very busy person but is dedicating a significant portion of her time to serve on the governing board, and she's proud to be there with a lot of other leading firms like Wipro and AWS, Microsoft, Google; there's a whole list, you can check it out on the website. I myself am chair of the governance committee; we're trying to help ensure that there's proper structure without becoming bureaucratic. And Arno, he's being modest, but he was just elected along with CRob: CRob is the chair of the TAC and Arno is the vice chair. So we're excited to help.

So we don't just participate in the governance and help OpenSSF be successful. I mean, this is essentially what we're trying to do: since we're invested in this, we want the organization to be as successful as possible. But we actually also contribute to some of the activities, and this is actual code contribution that we have made in that space. We've contributed a license scanner to OWASP. This is something that we actually used internally so we can scan code and recognize different licenses, and we contributed that to OWASP. And we also have an SBOM utility. Of course a lot of focus is on SBOMs again, but there is actually a lot of code out there that generates SBOMs that are completely broken. So we need to also have tools that help us, you know, validate SBOMs, first at the format level and then eventually try to go beyond that, try to understand the semantic aspect of the information, ensuring that it actually is valid also at that level. And the tool, actually, one of our colleagues is working on this, Matt Rutkowski, and he is trying to do things like
being able to show the difference between two versions of an SBOM. Because SBOMs are typically going to be huge, you know, they contain a lot of data; even if it's technically human-readable, practically it's not. CRob is laughing; you know what I'm talking about. And so you need tools that will help us, you know, try to manipulate this data. And so he's working on a diff that will help you see what has changed from one SBOM to another, so when you go from one version to another. We also have made some contributions to Scorecard, which is a program developed as part of OpenSSF, which basically runs a bunch of tests against an open source project or repository, and they will, you know, give you some notion of how secure it is based on a whole bunch of different criteria. And not just the code; it's not just trying to find vulnerabilities. It's more about, you know, the policies, how the open source project is governed. Do you have, like, you know, peer reviews that are being enforced, and things like this. And we have actually worked on this again; we are interested in being able to see the evolution of the Scorecard between different versions, for instance. And then there is another thing that's coming out of IBM Research. You know, while we are focusing very much on this SBOM that typically tries to, you know, parse the source code and try to understand all the dependencies out of parsing the source code, they took a different approach, which is to actually look at the actual binaries, and basically come up with very smart technology to have a very fine footprint or fingerprint of the code that's running. So they can actually recognize different components and be able to have a digital signature of a program. And so there's a talk about this at 6 p.m. today, and if you want to know more, it's really fascinating; I encourage you to go attend this session.

Yeah, our colleagues out of Research, their propellers spin pretty darn quickly. So I highly recommend that 6 p.m.
slot if you can get there. So I think we've told a pretty compelling story between myself and Arno. I wanted to return to these four silos associated with open security. Standards: they remain important, they're going to become even more important, and they're going to sprout more teeth than they currently have, so we all collectively need to be engaged in paying attention. Open source code: this is a great opportunity. I talked earlier about how, 10 years ago, it was all about standards, and now the pendulum has swung to where it's largely dominated by open source. We're going to see the pendulum swing to some new equilibrium. I'm not going to predict where it's going to land, but this is a huge opportunity for the open source community and standards organizations to more proactively figure out how to effectively work well together. Open source projects don't need to become standards specialists per se, and standards organizations can't develop software development capabilities at the drop of a hat. So we need each other. And then with better intelligence and analytics and best practices, we can really help get our arms around what is a significant problem.

And lastly, for the folks here in the room and out on the web, we've got some recommendations about what you can do to get started in this space. I mentioned the Open Cybersecurity Alliance early on; I would really recommend that if you're in the industry, check that out. CISA is actively holding open calls, and again, that's not for everyone, but if you're interested in that space and you've got a way to contribute, go check it out. In the OpenSSF we have some great best practices guides. CRob has done some great cat herding to put together some valuable information; I definitely want to recommend that. At IBM we have an IBM Security community, and you can figure out what we're trying to do to, again, break down silos and develop better execution against this. And then as another proof point, our last link in this is just from a
week ago. The federal government, if you hadn't caught it yet, has issued a paper that's basically doubling down on their perspective on the importance of standards, not just for the federal government on a national level, but on an international level as well. And if you think about it, it's kind of analogous to the post-World War II era, where the U.S. invested in the rest of the world with the Marshall Plan and other ways of helping to reach out and establish infrastructure across the globe that improved the human condition. And in the last decade or so, there's been a lot of sort of turning inward on the part of the U.S. administration. Well, the current administration is basically planting a flag back in the space, saying the country needs to be more proactive in these international standards entities, provide leadership, ensure a level playing field, and help secure the software supply chain. And with that, I think we've gotten through with enough time for five or seven minutes of questions. And we've got a roving microphone and we've got stickers. CRob, you want to prime the pump with a softball?

So let's say I work for an organization that might use open source. How can I potentially either kind of monitor what's going on with open source and these standards, or how could I potentially contribute to these efforts? Maybe how could I donate my time or resources or efforts to make this better?
I'll take a first swing at that. I bet there's this U.S.-based chip manufacturer that's got a great website, that Intel might have a lot of information similar to what IBM's sharing up here about creating a community around cybersecurity. But in addition to that, everyone needs to just step back and think about this space differently, because there's a concept that was early in open source called the tragedy of the commons, and it's a metaphor about how, when something belongs to everyone, it gets overused, trashed, and ultimately becomes a fraction of its former self. And honestly, with our rush to embrace the value of open source over the last decade, and the way that cloud platforms have driven up exponentially the consumption of open source, the industry hasn't been doing a good enough job, IBM included, of maintaining that right balance. When I talk publicly about open source at IBM, I really, you know, my chest puffs up a little bit, because I like to say I stand on the shoulders of giants. In the early days of open source, IBM leadership really understood the importance of both responsible contribution as well as consumption. And we all need to think about what is the right balance for us as individuals as well as for the organizations we work for. How do we strike that right balance of benefiting from and consuming open source, as well as contributing back to make sure that it's a quality resource that will be there not just now or next year, but for the foreseeable future?

And to follow up, I mean, on a practical level, right, my recommendation for organizations that use open source would be to look at the open source they're actually using and see if they can engage with those open source projects: do they have best practices, you know, are they using best practices? So for instance, I'll give an example, very personal. I'm also involved in Hyperledger, which is another Linux Foundation project, and you think, you know, security is a big deal for blockchain. And when I started engaging with
OpenSSF and I found the best practices and things like vulnerability disclosure and stuff like this, I looked and I said, I'm not sure Hyperledger is really, you know, up to par on this one. And I started bringing that up. I'm also a member of the technical steering committee at Hyperledger, or technical oversight committee, as it's called now, and I brought that up. And I think this is the kind of... so now Hyperledger is looking very closely at this and trying to improve its security posture. And this is something that's fairly simple that any organization can do. You look at the... and it's, you know, it's in a way self-serving as well, because you look at the open source you actually depend on and you say, okay, what can I do? And it can just be this, being the advocate for this improvement in security posture, trying to, you know, make sure that the people who are actually developing the software that you use are aware of this movement, because OpenSSF alone cannot reach out to all the different communities, all the different projects out there. So we in the industry can all play a role in passing the word that there is something that needs to be done.

And I'll provide one additional answer to that, with a quick show of hands: how many had their holiday disrupted about 14, 15 months ago by Log4j? Raise your hand.
About half the room raised their hands; the other half didn't want to admit it. But I know that CRob, for example, as well as a number of folks at Intel and IBM and other places, spent a lot of time scrambling. And it isn't a question of if another Log4j will happen, it's a matter of when. So the impetus to take action is now. It's not going to be a sprint, it's going to be a marathon, but if we all collectively work at it, like we'd like to do in open source, and again, reach out to standards organizations and engage with them effectively, we can start to move the ball down the field. Okay, we have another question.

I'm Hasan Yasar from Carnegie Mellon University, also a faculty member and a director at the research pieces. I have been contributing to many standardizations: IEEE, the Open Group, and others. We have a lot of standards, but you said that one is the best practice. I think as a community we have to think about best practice. So what does "best practice" mean? Because best practice depends on who you're asking, depends on who the standards owners are. What do you think about that, that the landscape has many standards but a lack of best practices?

Well, the old punchline comes to mind: I love standards because there are so many to choose from. But beyond that, it is a big challenge. I mean, if you look at my slides again upon review, you'll see many, many entities identified. We can't all be everywhere at once. So it really comes back to making sure that, since all of us have limited resources, what's most important to your organization and to you as a developer, and where are you going to make some investments, right?
Because the answer can't be, oh, this is overwhelming, I'm going to just, you know, not participate. And that's my high-level answer. I'll ask if you have any other thoughts on that.

No, but I was going to say something similar. I mean, yes, there are many, and I think any one is better than doing nothing.

When I say complex, if you look at any standard, it's more than 30 pages, 50 pages. Is it time to read the 50 or 30 pages of report?

We feel your pain, because that's one of the things we try to message back to the federal government as well as other standards organizations, right? Simplification is needed.

Yes, thank you.

The correct response to something like this call to action around open source shouldn't be that yesterday we had to read 400 pages of directives and now we have to read 600. So we're also trying to work through IBM's GRA, or Government and Regulatory Affairs group, to politely but strongly message back to standards organizations and governments that simplification and clarity of direction are needed, so that you don't have one part of government saying, oh, I own this and I say X, and another part of the same umbrella government organization saying, well, I have a stake in this and I say Y. So it's not, you know, there are going to be hills and speed bumps along the way. It's going to be challenging.

I'd like to have a simplification, like usually in development, instead of 10 steps, 5 steps, whatever the steps are. We can bring it to the level of developers and say, here, use these 10 steps as an example.

I'll give you an honest answer, again from an IBM perspective, because we're trying to solve three tough challenges simultaneously. IBM is working hard to improve its own supply chain security internally, and we're doing that with a mix of both third-party products as well as IBM technology, so that we can drink our own champagne, because customers come to us quite often and say, man, IBM, I've got this headache, you know, you must have had to fix this, what are you doing?
In addition to those two challenges, we're working out here in the OpenSSF, because what happens in the open ecosystem will be highly influential, and if we just hunker down and focus only on those two tough initial challenges and don't actively participate, like I know myself and others are doing, what happens out here could have a big impact and put us behind the curve.

But I think part of the solution to the problem is also going to be tools that help, you know, alleviate some of this excruciating work. And we also have systems like SLSA. There's already a badging mechanism that exists in OpenSSF; SLSA, in a way, provides a new type of badging that will, you know, kind of allow us to identify quickly: okay, this build system is SLSA level 3, and that comes, you know, with a set of guarantees that you can rely on. And I think we're going to have more of that, which will help us, you know, so we don't have to get buried in all the details. The requirements are at a much higher level, and that simplifies things.

And again, just total candor, and we've got one last question coming up: right now we're doing a lot of this SBOM generation in part manually, because the quality of the tools available isn't there yet. But ultimately we have to find a way to crawl, walk, run towards a level of automation, because the scope of this problem is such that it really is going to require, you know, better tools and automation.

I have a question. My question is, can I get a sticker?

Absolutely.

On that? And show us the tools page so we can take a photo of the URL. So the SBOM utility, when you click on that, where does it go?
Oh, the... go to OWASP. Yeah, it's actually, this is the original, but it's been contributed to OWASP now, so you can go directly to OWASP.

Absolutely. And in closing, I'd like to really thank my colleague, esteemed colleague Arno, because I submitted this talk with another IBM colleague based out of Germany. He was not able to arrange his calendar to attend, so Arno jumped in, and, you know, with his accent, he most expertly covered the European landscape much better.

Exactly. So thank you all, and thank you, Arno. Thank you for being here.