Security, yes, take it away. Thank you so very much. So I understand I have about 25 minutes, and I'm here to talk about improving open source software security. I can't actually see the questions while I'm presenting, so why don't we hold questions to the end? I'll give my presentation and I'm going to try to leave a little time for questions. Does that seem fair enough? Yeah, that's the plan.

So people who are participating are invited to enter their questions in the shared notes session rather than interrupt you, so that you can then address them at your convenience at the end.

So yes, perfect. Okay. All right. So as the title slide says, I'm at the Linux Foundation. My title says I'm the Director of Open Source Supply Chain Security. I hopefully don't need to do much of a pitch here about the value of open source software, but I think it's useful to show some numbers about how critical open source software is today. Synopsys did a study finding that about 98% of both general code bases and Android apps contained open source software. There's variation depending on your data sources, but more recent data suggests anywhere between 70 to 90% of software, once you open it up and look inside, is in fact open source software, even if, say, the application itself isn't. And the use of open source software components is increasing. Back in 2016 Synopsys found an average of 84 open source components; by 2020 it had risen to 528. And of course we know how averages work: that's just the average, which means that many have more. But of course, once you have a lot of software, unfortunately, the attackers come, and this is not a problem unique to open source. All software is under attack, directly via its vulnerabilities in production and operation, but also through its supply chains. Attackers are attacking the way that software is developed, built and distributed.
And so these are just some images of some examples of important, well-known vulnerabilities: Heartbleed and Shellshock. SolarWinds, the attack on the SolarWinds build system, is a real thing. And I think it's sometimes helpful to step back and look at how software is developed to answer the question: well, how is software attacked? In particular, I want to talk a little bit about the building and packaging of software, because attackers are increasingly not just attacking the software where it's deployed, but they're going back and attacking how it's built, how it's packaged. Because if they can slip in there, they gain control over all the deployments, for example.

Now, here's the sad truth. There is no silver bullet. There's no one thing you can do to eliminate all security problems, in deployment, you know, basically all the way through. The reality is that you really need different kinds of countermeasures for different issues. And, you know, some people have commented about the things I'm going to show you, about some of the things that OpenSSF and other folks are doing, saying, well, why do you have all these different things going on? And the answer is because there are many different kinds of attacks, and so we need to counter them, and you need different measures to counter different kinds of attacks.

So one organization that I particularly want to focus on today is a group called the Open Source Security Foundation. That's a foundation within the Linux Foundation. For those of you who aren't familiar, the Linux Foundation is essentially a foundation that creates foundations for a number of different tasks. But this particular foundation is particularly focused on improving security of open source software. Its tagline, in fact, for the Open Source Security Foundation, is securing the open source ecosystem.
And it's a little bit of a challenge to get your head around all the different things that the Open Source Security Foundation is doing. So let me just show you a quick org chart that kind of gives you the lay of the land. Like most Linux Foundation foundations, there's a governing board; you know, it decides where money goes. And then there's a technical advisory council. These do have different names within the Linux Foundation, but they oversee the technical decisions. Most of the work within the Open Source Security Foundation happens within working groups. There are six working groups right now, and there's a seventh one in formation that I think is going to become a seventh working group. They basically focus on different areas. The Best Practices working group, understandably, focuses on developing best practices and promulgating best practices. Vulnerability Disclosures: how do you disclose vulnerabilities and fix them quickly? Identifying Security Threats is probably the strangest-named group; they focus on metrics and how we identify software that's more or less secure. Security Tooling: improving tools. Supply Chain Integrity: how do we make sure that that supply chain diagram I showed you is kept integral? And Securing Critical Projects: identifying what are the most critical projects so that we can focus resources on them.

Now I'm going to show you basically those two overlaid. Basically that simple diagram of how software gets developed: source repositories, built, packaged. And there's a huge number of different projects that the OpenSSF does. There's a little color code at the bottom. But fundamentally, the open source software foundation has a large number of different projects, all focused on different parts of these processes. I'm going to talk about a couple of them. I could, but I'm not going to try to discuss them all.
But what I want to show with this picture is that in fact there's a number of different projects, each of them focused on different aspects. Okay, I'm also going to at least briefly talk about a few others, but I do want to make it clear that not all security work, even just within the Linux Foundation, is within the OpenSSF. There's a large number of other related projects that are doing really interesting things and, you know, are doing important things for security. Goodness gracious, there's a long list, like just looking at here, things like Let's Encrypt, currently the world's largest certificate authority. So, you know, there's a lot of other things that are going on that I just don't have time to talk about today.

All right. So I am often asked, hey, I'm a developer, I develop open source software. What in the world do I need to do? So let me make a quick pitch on a couple of specific projects, and then I'm going to talk about some of them. What should I do? What could I do? Well, first of all, most software developers are not told how to develop secure software. So please take a course. We have a free course on how to develop secure software. There's the link right there; it costs you nothing to take, nothing to get a certificate. It's on the LF training platform, and it's also available on the edX platform. If you're an open source software project, try to get an OpenSSF best practices badge. There's a link right there. Use tools to find vulnerabilities through your CI pipeline. There's a lot of different tools. None of them are perfect. None of them are guaranteed to find all the problems. Almost all of them will have what's called false positives: they'll find something, but in your particular context, it's not a serious problem. That said, it's really important to have tools in your CI pipeline because it's not possible to depend only on manual processes at today's scale. Monitor for the known vulnerabilities in the components you depend on.
In fact, other people's software components that you're reusing, since that's almost all the functionality, you need to monitor those to rapidly update. And of course that means you need to make sure you're prepared to rapidly update when there's a vulnerability found in them. Use package managers, use automated tests. Evaluate before you even select your dependencies, and make it easy for your users to update. And of course, continuously improve; the attackers are always getting better.

So I mentioned that course earlier. You know, it's basically a set of three courses. It's free. It's not a huge time commitment. It's split into three parts: requirements, design and reuse (and a lot of courses that talk about developing secure software don't talk about reuse, which I think is unfortunate, because that's key today); of course, implementing the software; and verifying and other more specialized topics. It takes approximately 16 hours, 14 to 18 hours, to go through, and it's completely online. You can go through it at your own pace, and it teaches the fundamentals, things like the design principles, how to use accept lists to constrain your inputs, the most common kinds of vulnerabilities and how to prevent them, how to harden things. And the whole text is also available under an open license, the CC BY license. This is actually a project within the OpenSSF, specifically the Best Practices working group. So there's a URL. We'd be delighted for everybody to take that course.

Next up. I mentioned earlier the OpenSSF best practices badge. What is that? Well, it's a system for identifying best practices for open source software projects. The goal overall is to encourage projects to take steps to increase the likelihood of better quality in general and security specifically. So things like: you've got to use HTTPS. You've got to have an automated test suite. You've got to use at least one static code analysis tool.
You know, publish how people can report vulnerabilities to you, because even if you take good steps, mistakes can happen, so you need to make it easy for people to report a vulnerability. If an open source software project meets the best practices criteria, according to certain rules, it earns a badge. There's actually three badge levels: passing, silver and gold. We'd certainly like people to get the higher levels, silver or even gold, but even getting passing is important. And it's primarily a combination of self-certification and automated checks. You can think of it as a form. You look at it, you answer some questions. We try to automatically fill those in where we can. And those answers are posted publicly so people can check them out for themselves. There's thousands of participating projects, and you can see the current statistics at that URL there. And again, see that URL there to go get yourself a badge.

One of the more recent activities in the open source software foundation, I'm sorry, the Open Source Security Foundation, I keep making that mistake, sorry about that, is something called the Alpha-Omega project. And this has gotten a lot of interest because I think this is something new and very, very interesting. It's funded by a few large organizations. I think initially, specifically, this is actually funding from Google and Microsoft, although certainly more is of interest. And it's got two parts, Alpha and Omega. On the Alpha side, the goal is to identify a few of the most critical open source projects and then go interact with them directly, work with those maintainers: what are your needs? And then help that specific project identify and fix security vulnerabilities and work on improving their overall security posture to make future vulnerabilities less likely. The Omega side is focused more on a much larger set, say the top, I'm going to approximate the number, 10,000 projects.
And it's focusing much more on applying automated security analysis, but then having people look at those tool reports, figuring out what's real, and working with those communities to get them fixed. We're actually hiring. So if you're interested in working full time on improving the security of open source software projects, ah, come talk to us. Go to that URL. Okay.

So now how can you help, if you're interested in this Alpha-Omega project? You know, two of the things you can do, frankly, are working with the OpenSSF Securing Critical Projects working group, because that group's trying to identify the most critical open source projects, which then feeds into this. And of course, the Best Practices working group is working to identify and improve best practices, which we hope to then help important projects apply. And you can go to that URL to learn more.

Let me talk briefly about a couple of other projects that I think are really interesting. One is Sigstore. The technology to do cryptographic signing, or digital signing, and verification of those signatures has been around for decades. But here's the problem: just because it exists doesn't mean it's practical for use. A lot of people have tried to do cryptographic signing and found that signing, and particularly verification, is too hard to apply in a practical sense. So a vast amount of open source software is not signed, and that's a potential problem. So Sigstore is a relatively new project with the idea of making cryptographic signing and verification of those signatures much, much easier. It takes a very different approach to it. The idea is that it makes it easy for people to sign code and then verify those signatures; in particular it uses a transparency log to make it transparent what's been signed. And then it also enables monitoring of activity, to monitor those signatures. Second, Supply chain Levels for Software Artifacts, SLSA.
And this basically is like a spec of various good activities to increase the integrity of the build and distribution processes, to counter attacks on those processes. It's got four levels, anywhere from basic protection all the way up to maximum protection. The idea is that we want people to apply different practices that will counter a huge number of attacks there.

Now, if you're a user of open source software, remember I showed earlier a list of, hey, you know, how do you develop open source software? Well, frankly, if you're considering the use of open source software, say bringing it in as a dependency, there's things you can do. Probably the simplest and most obvious one is to look for evidence that the developers are working to make it secure: you know, looking for badges, looking for security tools, looking for documentation. Look at its docs, by the way: is it easy to use securely? If you have to do a lot of configuration to make it secure, and by default it's insecure, that's probably a dangerous component to use. Is it maintained? Does it have significant use? Now, you have to be careful here; just because a big company uses a component does not mean it's the right component for you. I always worry about fads in the world of software, you know, they use it so I should use it. No, not necessarily. However, if there are no users, that probably means there are no reviewers, and that makes it a higher risk. That doesn't make it useless, but it does mean you may need to check it more carefully. What's the license? If it's important, what's your own evaluation? And did you acquire it, download it, securely? In particular, one of the most common kinds of attacks on open source software is something called typosquatting: creating a project with almost the right name. So before you bring in a project, double check its name. It takes you 10 seconds to just double check that you didn't type the name incorrectly.
And yet that can eliminate one of the most common kinds of attacks. So let me try to close up here by saying, basically, if you're interested in improving open source software security, get involved. There's a lot of different projects and foundations I've mentioned, in particular the open source software foundation, which has a lot of projects within it. There's a number of other projects. SPDX is an international standard for software bills of materials that helps people know what is in the software that they're using or thinking about using. I've already mentioned Sigstore. There's many, many other projects and foundations, all involved in improving open source software security. By all means, if you're interested in any of these, get involved. If you're interested in improving the security of a particular project, get involved in that particular project and help it improve its security. The world is made by the people who show up. And so please, I encourage you, if you have an interest, show up. Just learn what's going on. Get involved. I think you'll be glad you did, and the world will be a better place for it. So thank you very much. I'm going to stop there.
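The "double check the name" step the speaker describes, written out as an added example (not code from the talk or from any OpenSSF project): it compares a requested package name against a constructed list of the names you actually intend to depend on and flags near misses. The package list, the normalization rule and the distance threshold are assumptions for illustration.

```python
import re

# Constructed sample of names the project intends to depend on; a real check
# would use the project's own allow-list of approved dependencies.
KNOWN_PACKAGES = ["requests", "urllib3", "numpy", "cryptography", "setuptools"]

def normalize(name: str) -> str:
    """Canonical form: lowercase, runs of '-', '_' and '.' collapsed to '-'
    (the normalization Python package indexes apply to project names)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, and swap of
    two adjacent characters each cost 1, since swapped letters are a common typo."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # adjacent transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]

def check_name(requested: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return ("ok", name) on an exact (normalized) match, ("suspicious", closest)
    when the name is within max_distance edits of a known package but not equal
    to it, and ("unknown", None) otherwise so a human can review it."""
    req = normalize(requested)
    closest, best = None, None
    for k in known:
        d = edit_distance(req, normalize(k))
        if d == 0:
            return ("ok", k)
        if best is None or d < best:
            closest, best = k, d
    if best is not None and best <= max_distance:
        return ("suspicious", closest)
    return ("unknown", None)

if __name__ == "__main__":
    for name in ["requests", "reqeusts", "urlib3", "setup_tools", "flask"]:
        print(name, "->", check_name(name))
```

A "suspicious" result is the case the talk warns about: the name is one or two keystrokes away from something you meant to install, so stop and confirm it before adding it as a dependency.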