As our next group of presentations, I am proud to introduce you all to the Michaels. They are here to talk about Alpha and Omega. Our first Michael, Michael Winser, is a product manager of Software Supply Chain and CI/CD at Google; you might have heard of it. Winser has been building websites and applications since 1984 and today focuses on securing the open-source supply chain as a leader of the Alpha and Omega project and a regular contributor to assorted OpenSSF projects and working groups. The other Michael, Mr. Scovetta, is a principal security program manager at Microsoft and co-chair of the Identifying Security Threats Working Group. He helps research and mitigate security threats and is also a co-lead of Alpha and Omega, which I think we're going to hear a little bit about a few seconds from now. And he is trying to bring better tooling and resources to the open-source ecosystem. So please, give the Michaels a warm round of applause. Let's go. All right. For disambiguation, I am Michael Winser. Yes, Michael. Let's go back in. So we're going to talk about Alpha and Omega. We have a lot to cover. We will probably go too fast. Have fun. And we have a slide clicker here. Great. So our mission is really about the problem we're here to solve, which is common to everybody here. Making open-source security possible is a huge undertaking: understanding the problem, why isn't it secure, where is the problem coming from, what can we do? And at the end of the day, it really comes down to direct action. We're not here to go and create the next future of open-source tooling and protocols and standards. We're here right now to start applying our energies to making open source more secure today, which really leads to a pretty obvious vision statement of what we want to achieve and when it should be possible.
We want critical open-source projects to be secure, the ones that are the most critical, the most important to everybody. Let's just start by getting those to a secure place and understanding when they're not and how to get them there. And the vulnerabilities that are found get fixed quickly. There's a lot to put into that. And I don't want to understate how hard this is. It's hard. We're still learning a lot of things. We'll jump right in. This is the team. There are a lot of incredible people from the Linux Foundation supporting and helping it, but ultimately the executive function of the group right now is myself, Michael and Brian. I'm sitting down here, hiding away. And we meet on a regular basis and are driving towards the mission we've described, the vision we're doing, building a team to get there and hopefully spending our money. We're still hiring. Right now, this is basically being done on top of my other job, including all the other jobs I have at Google. And I think Michael is in the same boat. We are hiring folks for Alpha-Omega. We'll talk more about that later on as well. So, Michael, you get the clicker now. Wonderful. Thank you. So I do want to talk about, and just level-set, what is Alpha-Omega really? So Alpha and Omega are two different kinds of sub-projects or areas. We all understand that open source is key to the security of our society, really. And I think this is a theme that you're going to hear throughout this week. Society needs open source to be secure. It's super important. Alpha-Omega is just one way of doing this. It is an experiment. We want to try lots of different things and fail at some of them and succeed in others. And hopefully, we move things forward. But Alpha-Omega also is not certain things. It is not purely a fund to pay maintainers. It is not a certification process. We're not forking open source projects and taking them over. We're not trading zero days among the OpenSSF or the Alpha-Omega team or anything like that.
We're also not looking to build an automated scanner that just finds junk vulnerabilities and tosses them over the fence to maintainers. We want the maintainer experience to be delightful. We want them to get very high quality, actionable, real vulnerabilities, along with the help, if they would like it, to fix them. So we're here with our sleeves rolled up and we are here to help. But Alpha and Omega have different focuses. Alpha is primarily aimed at the most critical open source projects. So you could think of this as around 100 to 150. But there's a very long tail of projects that are still very widely used, but not in the top 100 to 150. So what we thought was that with Alpha, because it's a relatively small number of projects, we could put dedicated people on those projects, whether we're funding contract work or working with other foundations. But this is where you can have someone spending months of time helping a project or project ecosystem be more secure. Omega takes the opposite approach, where we do use automated tooling to look for high quality, real vulnerabilities, and then we triage them. And this is where even Omega is expensive, only because tooling is not perfect. So we expect the results to come out, we sort them, we prioritize. In particular, when we talk about who we're actually hiring, you'll see that a lot of the focus is on this Omega tool chain being very, very high quality. What this really means, since we're talking about Omega: we have lots of open source projects. This is somewhere on the order of 10,000 projects. We think we can do more than that, but we'll just start there. And we're going to use tools like CodeQL and Semgrep, and basically the best tools that are out there. We're open to working with commercial vendors who have other static analysis tools and fuzzers and things like that. But essentially we want to turn that into a black box that takes in an open source project and spits out a list of high quality vulnerabilities.
They're going to be triaged by researchers who are going to be staff of Alpha-Omega. And then with them, we work with the open source community to get them fixed. So for Alpha, I mentioned we're hiring. Did I mention we're hiring? We're hiring. But we're sort of like that kid who just got a gift card for Christmas or a holiday gift or something like that. There's money burning a hole in our wallet and we want to go spend it on some toys. We want to spend the money on making things more secure. And we also really wanted to look at ways that we could maximize the impact early on. We're still learning about all the different ways to turn money into security. And I think one of the areas that we are seeing as a tremendous opportunity is actually working through the single most leveraged points of contact that we can find across the open source community: the foundations. And so we will be working with the foundations to directly fund initiatives and efforts within those foundations to help them fix their security culture, improve their security outcomes, actually fix specific vulnerabilities, and shore up whatever gaps they are missing. I think we all need to start recognizing that this is industry-wide tech debt that has been unfunded, not understood, unrealized, and is now looming large. And it requires additional effort to get there. It's sort of like a Y2K problem without the same clarity of the problem, the solution or the date, which is a great place to be, right? So we have some exciting news today. We've actually been working with a bunch of foundations, and I'm now going to call on a couple of our partners to come up and speak. Dustin, would you mind jumping up right now? I'll procure a microphone. Make sure that it's got an on switch. I think it's already on. So you're up? Come on up. And you get a click or two. This'll work. Okay, there we go. Hi. Hey, folks. So I'm Dustin Ingram. I'm on Michael's team, the Google open source security team.
I'm also a director of the Python Software Foundation. And if you are not familiar with the PSF, the PSF is the organization that sort of owns and maintains Python the language and some other projects. We also operate the Python Package Index, and we also produce PyCon US, which is the largest Python conference in the US. And we are, there we go, if you don't know Python: whether you like it or not, Python is one of the most widely used programming languages. And we sort of recognize that security improvements for Python and the ecosystem around it have huge dividends for the entire open source community. So Alpha-Omega is planning to make an investment in the PSF to support a security developer in residence, in addition to a security audit. So the security developer in residence will work with the PSF as a staff member of the PSF to formalize some existing security practices that we have in terms of responding to security vulnerabilities in Python the language and packages on PyPI. They're also going to become more proactive in making some security improvements to those things. It's not going to be entirely volunteer-based. And then through that person, they will address new security issues in all of the PSF's projects, but primarily within CPython and things on PyPI and PyPI itself. So I'm super excited about this, both as an open source developer and as a director of the PSF and as a manager to the OpenSSF. So this is super exciting. And now, thanks. And there's more. All right, great. So we'll also have Mikaël come up from the Eclipse Foundation. Thank you, Dustin. By the way, Dustin had exactly five minutes, maybe seven minutes' warning that he was going to be giving this talk this morning. He had not even seen the slides, which shows, I think, just how well he understands the problem here. Mikaël, you're up. Thank you. Hi, I'm Mikaël Barbero. I'm the head of security at the Eclipse Foundation.
So for those of you who would not know us, we are a European-based open source foundation. We provide an environment for open source collaboration and innovation to individuals and companies. So we are very focused on the business-friendly part of open source. We are a not-for-profit, membership-based foundation. So we have strategic members, those who are participating the most and are part of the board of the foundation. By the numbers, we have many, many projects, so 420-plus projects, and a lot of contributors as well. Two-thirds of those contributors are actually from Europe and two-thirds of our member companies are also from Europe. So that's why we pivoted to Europe in the last couple of years. We also have a base in Brussels, Belgium, as an AISBL, so an international not-for-profit association. You may know us by our projects, so we have many various projects. So we started with the Eclipse IDE, the good old desktop IDE, but you may have heard about Adoptium, which is the new AdoptOpenJDK. We have projects also around open hardware, we've got Jetty, the HTTP server, Keyple for NFC, Keycard, Paho, the MQTT implementation, so a wide range of projects. All those projects are organized into key focus areas, so we started as a tools foundation providing the Eclipse IDE and other tools around the IDE community. We are also very focused on IoT, a lot of MQTT implementations and other protocols, and automotive. We have a new working group that has just been created, Software Defined Vehicle, to help promote open source software around the next generation of cars. And also cloud, with Jakarta EE, the new Java enterprise, which joined the foundation a couple of years ago already. So we are managing those projects. We are working with those projects by providing to them four pillars, or we used to provide them four pillars of open source. So first, infrastructure: we provide tools and services hosted at the foundation.
We provide ecosystem development with marketing, conferences and other communication. We provide governance: we have a strong process for developing open source software and also for managing IP and trademarks for those projects. So that's very important to get a level playing field and freedom of action for all those projects, that someone, the foundation, manages that for them. And today, thanks to Alpha-Omega and other initiatives, we want to provide a new pillar, a new pillar of services for projects around security and more specifically on supply chain security. So with the Alpha-Omega investment, we would like to tackle three main issues. First is the automation of generating SBOMs. SBOMs are very important for projects. We want to automate that for them. We don't want to put the burden of generating SBOMs on their shoulders. They are already burned out or very busy doing other things. So we want to help them with that. So we will start with static, source-based SBOMs and maybe move to some more sophisticated ones later on. We will implement a SLSA-based badging program for our projects, so that all of our projects will start at level zero and then we will work with them to actually get their current level and help some of them to reach a higher level of SLSA. And finally, we will initiate a number of security audits with our projects with the help of Steve, for instance, and other companies. So for some of the high-profile foundation projects, we will start soon, probably with the Eclipse IDE project and their update process. And we are still working with others who are willing to participate in such code audits. So this is all pretty exciting stuff. In the spirit of last-minute presenters, anybody from Node here today? We've been putting this deck together kind of on the fly, obviously.
But lastly, earlier this year, we actually already funded with the Node Foundation a similar effort, investing in a similar sort of developer in residence focused on security for the Node community and putting together, you know, figuring out what they want: practices, audits, you know, triaging, things like that. They have a long list of things they already know they need to work on. We're very excited to be part of that effort as well. I want to emphasize again that what we're doing here is experimentation. Nobody knows how to do this, right? And part of the work that is happening here with these three foundations is going to be a monthly report back to us about how it's playing out, right? A lot of them are like, well, what do you want us to do? What details do you want us to have? You figure it out. You know your stuff. Go figure it out and tell us how it worked out, because then we can actually play that back, loop it back to the community, help the other foundations learn from each other and build on that, which is really how we're trying to tie it all together, right? Alpha-Omega is a giant experiment. We're basically just throwing money into the pile and seeing if we can figure out how to turn that into security at the end of the day. It's pretty obvious. If somebody could fill in step four, again, volunteers welcome. We'd be super happy to have that figured out. But this is what we're watching in action right now. We're going to watch the various efforts happening in these foundations, the work that we're going to do directly inside Omega with our own security research that's already happening right now. And then as we add more people to that project, more things will happen. And we'll keep reporting back how it goes. There's a very clear hands-on: we're doing it now. We're putting money into it now and we're seeing what happens with it. As a part of the news today, I'm super, is Meder in the room today? Is Meder here?
Is everyone saying hi to Meder? Meder is one of my colleagues at Google who has been administering this program called SOS, SOS.dev, which has been about paying bounties for fixing vulnerabilities. And we're pretty excited to be working with Meder and the SOS program to bring it into Alpha-Omega. It's very mission-aligned to what we're doing. One of the first things we hear is like, well, you're going to find all these vulnerabilities. Who's going to fix them? There's usually another word after that, some epithet of some kind. And again, we're learning, we're figuring it out, but SOS is a great place to start doing that. This is something we started in October last year. We've put a bunch of money in towards that and have been paying it out to developers coming in. Some developers have figured it out and are showing up very regularly. Great, we love that. But we'd like to see broader involvement there and we're going to use our umbrella and pulpit, if you will, to broadcast that out. So with that, Michael, you're back up. Click for you. Cool. So whenever you present this, people ask, how can I get involved? The Alpha-Omega team, we're small; we meet, we have monthly meetings or monthly public meetings. But there are lots of other ways where you can get involved and help advance the Alpha-Omega mission. So first, get involved in the working groups. If you're not already regularly attending any of them, just join. Pick one that sounds interesting. Join it. If it's not for you, join a different one. The Alpha-Omega announcements mailing list, you can join that. You'll see at least the high level things that come up. We have the Slack channel, which is pretty regularly, you know, there's activity going on there. There's also an interest form. But if you're interested in getting more deeply involved, just contact us. Let's talk. As we learn and as we experiment, we're going to find new opportunities where something can be easily carved off and run separately.
And what we really want to do is have one Alpha-Omega driving a mission, but spawning off separate projects that are doing specific things. So in the same way that we don't want to reinvent coordinated vulnerability disclosure, we just want to use whatever process the OpenSSF likes and advocates for. Similarly, in terms of tooling, we want the tooling, the tool chain that we use for Omega, to be public. So we invite contributions and improvements there from anyone. And even to the point of, when I talked about Alpha-Omega, we're talking about the Alpha side, you know, those top 100 to 150, we're not deciding those 150; we're relying on the Critical Projects Working Group to define that list. And we're kind of pulling from there. So there are lots of opportunities to get involved. And we're hiring. I mentioned that, right? We're hiring. I think I mentioned that a couple of times. Yeah, we are probably looking for jobs. So we have three roles that are active right now that we're looking for. The first one is a lead program manager. This is, again, mostly because for Michael and me this is our fourth job. And we do not want to be bottlenecks to this. We want someone to come in and focus, you know, exclusively on driving this program. But the two on the right side are mostly about Omega. The middle one, the engineer, is to build this amazing tool chain that takes in an open source project and spits out high quality vulnerabilities. And on the right side, that's basically the triage. So understand what a vulnerability is. How bad is it? What rating is it? Working with the upstream projects to get it fixed and owning that end to end. So job descriptions are all on the front page of openssf.org. If you know anybody, please refer them. If you're interested, please apply. So I'm super excited to, you know, kick off, to have Alpha-Omega continue. We haven't been around for that long.
Alpha-Omega was started with a $5 million investment fund. To date, I think, between Node, Eclipse and Python, we're spending around 20% of that. So we want to spend more. We want to do more with this. We want to learn lots and iterate and keep going. So if you have any questions, if we have time, we have time, we have three minutes for questions, three whole minutes, three whole minutes. So answers might take longer and be outside, but we'll take the questions. And if not, we're happy to meet outside and chat anyway. So all right, we've stunned them into silence, Michael. That's perfect. By the way, there's no truth to the rumor that you have to be named Michael in order to work at Alpha-Omega. But you know, it doesn't hurt. All right, again, thanks very much, everyone. Have a great time for the rest of the sessions.