Host: Hey everyone, we're back here live in Austin, continuing our coverage of the Linux Foundation Open Source Summit. Forgive me if we're a little security-heavy this week, but it's actually good for my soul to see security taking center stage here, first and front and center. Our next guest is Caleb Brown. Caleb joins us from Sydney.

Caleb: Yes, I come from Sydney on behalf of Google and the open source security team.

Host: Absolutely. Caleb, first of all, welcome and thanks for joining us.

Caleb: My pleasure.

Host: Second of all, we were talking off camera. I know several friends in the Google security world, but not in the open source security team. So tell me, what's the charter for the Google open source security team?

Caleb: That's a great question, and one I should be able to answer off the top of my head. I've only been with the team like six to nine months, so I still feel green. But the charter is to improve the security of open source and to make it safe and secure for people to consume. We work very closely with the OpenSSF, and a lot of our work is through them and through the projects that they run.

Host: Well, Google is one of the biggest corporate benefactors of OpenSSF, but they're not alone.

Caleb: No. There's IBM, Microsoft, to name some of the big ones, and there's a lot more. I think it's 30 or 50.

Host: Oh, it's growing really rapidly, and growing every day. I was gonna say that. And I mean, look, you don't have to be a rocket scientist to figure out why Google is invested in this. Google is probably one of the biggest open source consumers, as well as open source creators, in the world. So if we're gonna tackle open source security head-on, you'd want Google involved in it, for obvious reasons.

Caleb: I totally agree. Yep.

Host: Yeah, so look, six to nine months is a lifetime in tech, right? This is internet time.
Host: You're like 21 years in on this. But you know, we were talking a little off camera. Your background is more in DevOps.

Caleb: So I've worked on a variety of projects, but my interest, in terms of the places where I've enjoyed having an impact and being able to work, has been in thinking through how we can make the process of development not just easier for developers, but repeatable and safe, and to be confident that we're gonna be able to ship products that are gonna work for our customers.

Host: Absolutely. And again, we were talking off camera about this whole notion of calling something software supply chain security. If you're from a DevOps background, you know how much it borrows from lean and lean IT and lean engineering, how much lean IT borrows from lean manufacturing. So that whole notion of supply chain and supply chain security, to me, is lifted out of the lean lexicon. So it's a very DevOps-centric view of how we build software and how we should secure it.

Caleb: For sure. Yeah.

Host: That being said, it's been a tough couple of years. We've had some very, very high-profile incidents. Not to say it didn't happen before and it won't happen again, but certainly the last three years have been tough.

Caleb: No, and it's shined a real spotlight on this. Yeah, I think a huge part of driving the growth of the OpenSSF space is the prior incidents, the focus from the White House, those sorts of things.

Host: Yeah. You know what, I've been in security twenty-something, almost 25 years. I will tell you there's nothing better for security than a good old breach or incident, right? Because that gets people religion, right? But it's amazing, memories are short-lived, and they go back to their old non-secure ways. It is what it is.
Host: Anyway, let's talk about, you know, what Google is seeing, and I'm asking you now on behalf of, you know, in your position here: what are you guys seeing from the OpenSSF that makes you optimistic, that says hey, we're doing something on the right track here?

Caleb: There are a few things that I've been really impressed to see, particularly yesterday at OpenSSF Day, and also in my involvement through the OpenSSF: the growing adoption of things like Sigstore for artifact signing and attestation, and OSV being more broadly adopted. So those sorts of initiatives give me some hope.

Host: OSV is, I'm gonna get the name wrong, it's basically an open source...

Caleb: It could be, but it's kind of a CVE... I can't remember, and my team in Sydney is the one working on it. Anyway, it's kind of a contributor, an open approach to things like CVE.

Host: Okay, I get it.

Caleb: CVE is kind of centralized, and if someone looks at the CVE and goes "that's wrong" or "we need to update that", it's very hard.

Host: Actually, look, I don't mean to give you a tripped-up question. That's not what I do. We've had guests explain it to us, and from what I know about it, and if I'm wrong you can blame me, don't blame Caleb, from what I know about it, CVE is rather rigid in that they tell you if something is a critical or medium or light kind of vulnerability. With OSV there are other factors that get put into the mix that allow each organization, for their world, to rate a given vulnerability or a given condition as, oh, this is red, you know, red, yellow, or whatever you want to scale it.

Caleb: The other big problem
it's trying to solve is that it's really hard to take that and then process it in a way where you can do it at scale. So OSV is a specific schema for how this vulnerability information is defined, so that you can build tooling around it.

Host: Yes.

Caleb: And you can automate the process of linking up your internal dependencies to the report.

Host: And putting the cherry on it, it gives organizations a chance to customize this for their own environments and their own risk factors and everything else, which is important, right? That was always one of the things with CVE. Just because you're categorizing it as critical, look, for us it's not, because for whatever reason, right? We've got it walled off, it's whatever. I think that is important. I'd like to ask, have you had much involvement with some of the other OpenSSF partners?

Caleb: I'll get to that. Oh, you mean the other companies. Yeah, I've had some small collaboration with IBM on one of the projects that I'm involved in, which has been really interesting, and a little bit with Sonatype as well. I've bumped into them on another project that I work on. I haven't had a lot of opportunities to be engaged, and it's very early days. But one of the things that's really exciting about this space is that there's this place where people from different companies are communicating to try and come up with things together, rather than somebody saying, here's a thing we built, please use it.

Host: Yeah. And look, open source security and software supply chain security is so important right now that it's too important to let it become Balkanized, to let it become, you know, every company has their own flavor of this, because you're never going to really address the totality of it if it's broken into 20 different flavors.

Caleb: That's right.

Host: And variations. This is something that screamed out for an industry-wide response, and it
just so happened that OpenSSF was there. I mean, sometimes things happen for a reason, right? I was talking to the person before you, from a supply chain security company based in Tel Aviv. They were founded, I think, in December of 2019, and the next month, SolarWinds.

Caleb: That was Snyk, by the way?

Host: No, no, no, they're older than that. Okay. Legit, I think, was the name of it.

Caleb: Oh, okay. Yeah, Snyk's a little older.

Host: But anyway, you know, talk about better to be lucky than smart sometimes. If you're gonna start a software supply chain company, a month or two before the SolarWinds incident isn't a bad time to do it.

Caleb: No, that's very fortunate. Yeah, but unfortunate for the people who suffered from it, right?

Host: Of course. And I'm not minimizing any of the suffering or aggravation. But, you know, certainly it seems to me, as just someone sitting here, I'm not as involved as you are, that having an organization like this to tackle the problem that we're seeing right now... If this was five years ago, what would we be doing?

Caleb: That's right. We'd be... yeah, people were in trouble. So I like, even, the collaboration amongst the package repositories. It's been amazing to see, where you have people from Maven and RubyGems and PyPI and npm, all these different parts of the world of open source, being together in a room and talking about what's going on and how they can improve their security. That's a great thing to see, and I think it's gonna have...

Host: Absolutely. I think it will. You know, when 90% of the software we're using has open source in it, the time has come for this, right? This was the best time.

Caleb: Even so, I'm really happy to be involved in that.

Host: You mentioned several projects you're involved in. Why don't you tell us a little?

Caleb: Sure thing.
Caleb: So I'm involved in a couple of projects that are still growing and establishing themselves. The first is about scoring and discovering critical projects. One of OpenSSF's biggest things is to spend money and make the most critical projects secure, or more secure, and I guess a big question in that is, what are the critical projects? So there is a working group that is involved in trying to answer that question, and there are various approaches. The OpenSSF collaborated with Harvard to produce the Harvard Census report, which is academic researchers looking at data from some organizations about how their dependencies fit together and what the critical dependencies are based on that. And then, in the working group as well, they're talking about how we can engage experts in communities to get their thoughts on what is or isn't critical. The project I'm specifically involved in is about doing that programmatically and automatically, by basically querying sources of data on the internet, collecting a bunch of signals about all the projects that are out there, and then trying to compute a score that we can use to discover what is critical and what's not critical.

Host: Good stuff.

Caleb: So yeah, the big part of this is about automating it and making it so we can keep repeating it. It's hard to query experts over and over again. It's hard to conduct research in a way that's regular and repeatable. But computers are really good at doing automatic things. So, yeah, that's what we're trying to do.

Host: That's something that's gonna work. That should work, right?
Caleb: Yeah. So that's at the stage where we're trying to get it up and get it automated, but we're also interested in how organizations can use this project for understanding their own dependencies and what things they use that are critical as well, so that they can see where their gaps and exposure are, and hopefully invest back into open source in those areas where they can and where they need to. So that's that project.

Host: Yeah.

Caleb: And I also work on another one. It's got a really boring name. It's just called Package Analysis.

Host: Okay.

Caleb: And what it does, the way I've been explaining it, because it's kind of tricky, is it's basically like virus scanning for open source packages on package repositories.

Host: When you say it's looking for viruses...

Caleb: So it's not actually looking for viruses. What it's trying to do is collect behavioral data. The way it works is it watches for an update from the package repository. So if someone posts a new package to npm, it'll detect that and download it, and then, it currently only does dynamic analysis, but it'll run dynamic analysis on the npm package in a sandbox, and it sees what DNS requests it's making, what sockets it's opening, and what files it's touching as it's executing commands. From that, it then stores that information, and the idea is that researchers could use that as a way to find malicious packages, which is what I've basically been doing with it for the moment. But you can also use that over time to start to get a picture of how a package might change in terms of its behavior. So if somebody compromises an account for a repository maintainer or a package maintainer, we can see that this thing was just doing normal stuff and now suddenly it's hitting some random domain on the internet. Maybe that's a problem.

Host: Could be, yeah.

Caleb: And so hopefully, in the next steps,
it's about integrating it in a way where developers can better use the data that we're generating, so that the data is meaningful and useful for somebody other than the people who are using the database as a security research tool. So yeah, that's where we're heading with that. And it's kind of both interesting to see what it can detect. It's very early stages, so we haven't got a whole lot of smarts built into it, but even still we're detecting things, which, yeah, is great. But it's also kind of a sign of how far we've got to go in improving things.

Host: So it's a fine beginning, as they say in Las Vegas.

Caleb: That's right. And the other thing is, I feel it's important to be doing this as well, because supply chain integrity is going to solve a lot of problems where you can be confident that that binary, that package you've got, is from somebody. But if that person is untrustworthy and builds something insecure or malicious and then delivers it to you, they can have perfect software supply chain integrity. All the signing and signatures can be correct, the attestation might be correct. But if that thing is itself malicious, then that's a place for Package Analysis to sit there and be able to detect where that's still happening.

Host: Love it. Sounds great, man. Hey Caleb, we're over time, I gotta pull it, but it's all principle. Thank you for coming all the way here from Sydney. Thank you for your involvement in the OpenSSF and for the projects you're on, and wishing nothing but success with this, man.

Caleb: Thanks, Ellen.

Host: We're all pulling for you. Yeah.
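The behavioral-diff idea Caleb describes for Package Analysis (baseline what earlier releases of a package were observed doing in the sandbox, then flag a new release that suddenly resolves an unfamiliar domain, opens a new socket, reads credential files or runs a new command), written out as an added example after the transcript. This is not the OpenSSF Package Analysis project's own code: the package name, version numbers, hosts and every observation record are constructed for illustration, the `.invalid` domain stands in for an attacker-controlled host, and the sensitive-path regex is an assumed heuristic, not a rule from the project.

```python
"""Behavioural baseline diff for package releases (added example, not project code).

Each Behaviour holds the kind of observations a sandbox run yields: DNS names
resolved, sockets opened, files touched, commands executed. The baseline is the
union of everything earlier releases did; anything the candidate release does
beyond that is reported, with a severity that reflects how alarming it is.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CATEGORIES = ("dns", "sockets", "files", "commands")

# Assumed heuristic: paths an install or import step has no business reading.
SENSITIVE_PATH = re.compile(
    r"/\.ssh/|/\.npmrc$|/\.aws/|/etc/passwd$|/\.git-credentials$"
)


@dataclass
class Behaviour:
    """Sandbox observations for one version of one package."""
    version: str
    dns: set[str] = field(default_factory=set)
    sockets: set[str] = field(default_factory=set)
    files: set[str] = field(default_factory=set)
    commands: set[str] = field(default_factory=set)

    def category(self, name: str) -> set[str]:
        return getattr(self, name)


@dataclass(frozen=True)
class Finding:
    category: str
    item: str
    severity: str  # "high" or "low"
    reason: str


def build_baseline(history: list[Behaviour]) -> dict[str, set[str]]:
    """Union of everything the earlier releases were seen doing."""
    base: dict[str, set[str]] = {c: set() for c in CATEGORIES}
    for past in history:
        for c in CATEGORIES:
            base[c] |= past.category(c)
    return base


def new_behaviour(baseline: dict[str, set[str]], candidate: Behaviour) -> dict[str, set[str]]:
    """Per category, what the candidate does that no earlier release did."""
    return {c: candidate.category(c) - baseline[c] for c in CATEGORIES}


def classify(delta: dict[str, set[str]]) -> list[Finding]:
    """Turn the delta into findings. Network, command and credential-file
    changes are high; an unfamiliar file elsewhere is only low."""
    findings: list[Finding] = []
    for host in sorted(delta["dns"]):
        findings.append(Finding("dns", host, "high", "resolves a domain no prior release contacted"))
    for sock in sorted(delta["sockets"]):
        findings.append(Finding("sockets", sock, "high", "opens a socket no prior release opened"))
    for path in sorted(delta["files"]):
        if SENSITIVE_PATH.search(path):
            findings.append(Finding("files", path, "high", "touches credential or config material"))
        else:
            findings.append(Finding("files", path, "low", "touches a file no prior release touched"))
    for cmd in sorted(delta["commands"]):
        findings.append(Finding("commands", cmd, "high", "runs a command no prior release ran"))
    return findings


def analyze_release(history: list[Behaviour], candidate: Behaviour) -> list[Finding]:
    """With an empty history every observation is new, which is the right
    reading for a first release: there is nothing to be 'normal' relative to."""
    return classify(new_behaviour(build_baseline(history), candidate))


def verdict(findings: list[Finding]) -> str:
    return "suspicious" if any(f.severity == "high" for f in findings) else "ok"


# Constructed history for a hypothetical npm package "example-widget".
HISTORY = [
    Behaviour("1.0.0", dns={"registry.npmjs.org"}, sockets={"registry.npmjs.org:443"},
              files={"/app/node_modules/example-widget/package.json"}, commands={"node"}),
    Behaviour("1.0.1", dns={"registry.npmjs.org"}, sockets={"registry.npmjs.org:443"},
              files={"/app/node_modules/example-widget/package.json",
                     "/app/node_modules/example-widget/dist/index.js"}, commands={"node"}),
]

# Constructed compromised release: same code path plus an install hook that reads
# the developer's npm token and ships it to an attacker-controlled host.
SUSPECT = Behaviour("1.0.2", dns={"registry.npmjs.org", "telemetry.invalid"},
                    sockets={"registry.npmjs.org:443", "telemetry.invalid:443"},
                    files={"/app/node_modules/example-widget/dist/index.js", "/home/dev/.npmrc"},
                    commands={"node", "curl"})

if __name__ == "__main__":
    for f in analyze_release(HISTORY, SUSPECT):
        print(f"[{f.severity}] {f.category}: {f.item} ({f.reason})")
    print(verdict(analyze_release(HISTORY, SUSPECT)))
```

Run against the constructed data, the 1.0.2 release produces four high findings (the new domain, the new socket to it, the `.npmrc` read and the `curl` execution) and a "suspicious" verdict, while a release that only adds a new file under its own `dist/` directory produces a single low finding and passes. The baseline is deliberately the union over all prior versions rather than just the previous one, so that behaviour legitimately added two releases ago does not keep re-alerting; the trade-off is that a compromise that persists across several releases becomes part of the baseline, which is why the first alert needs a human to look at it.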