Christopher "CRob" Robinson Shares an Optimistic Take on Open Source Security

author-image

作者

 

Christopher Robinson, also known as “CRob,” is the Director of Security Communications at Intel. In this role, Robinson handles crisis communications, training and security and incident communications. Half of the team behind the engaging security video series Chips and Salsa, he is also heavily involved in open source security communities and acts a technical advisor for the Open Source Security Foundation* (OpenSSF).  

CRob shares his insights with Open Ecosystem Evangelist Katherine Druckman on the current threat landscape and finding joy in security work. Their conversation has been edited for brevity and clarity. 

 

Q: What made you go into cybersecurity? And what made you stay? 

A: Well, I am old because back in the day it used to be called “information.” And that was it or just security. “Cyber” is a new thing in my trade, but I started off like a lot of people in my generation where I did network and server support, we had to configure firewalls and access control lists, and that naturally flowed into the security discipline. 

And I spent a long time at a super-regional bank and in heavily regulated industries. So, I dealt with a lot of auditors and people from the government explaining how the bank did things, and that's where I really kind of caught the formal bug, trained and got my certified information security professional certification (CISSP). 

From there I haven't looked back. I've stuck with infosec and appsec and devsecops and all the “secs.” 

 

Q: You’re involved in security training at Intel and the education special interest group (SIG) at the OpenSSF, and I know you're passionate about education. What’s your approach to educating the general public? And how do you emphasize the importance of good security practices without scaring people? 

A: Well, first and foremost, you always want to avoid FUD—fear, uncertainty, and doubt. That’s a tactic that a lot of either inexperienced or bad security folks will lean into, where you try to scare the person you're working with into your perspective or what you want them to do... 

When I started my college career, I was going to become a college professor, so I’ve been in and around education my whole life, and I did a lot of customer-service related things. I've always been involved with trying to work with stakeholders or customers and helping talk in terms that they understand and try to avoid jargon and explain things in plain terms. This also works really well in the cybersecurity field, because when you're trying to convince an executive or a business stakeholder to do something, generally when you speak plainly, you talk in terms that they understand. If you're a business person, you understand dollars and cents, and if you talk in those terms, you're going to be much more successful in conveying your message and trying to persuade that person, whatever you're trying to get them to engage in. 

That's been my tactic, whether I'm doing it professionally as an educator, whether I'm doing it as part of my work with the Open SSF, the education SIG, or training I do here within Intel. You try to speak plainly and honestly, present the facts and don't act like a big, scary monster. 

 

Q: Speaking of FUD, everyone's talking about software supply chain security, especially after the Log4j* incident. Is there anything that you think a lot of people miss or get wrong at first? 

A: It has definitely gotten a lot of air time in the media and in government regulators' minds, and it dates farther back than Log4j. If you go back, there's been a string of open source account hijacks or “poisoning the well” attacks like the SolarWinds* breach where their supply chain was compromised. 

That allowed that very skilled set of threat actors to conduct their operation, so supply chain should intrinsically be in every consumer's mind. What am I buying? Where did this come from? What components went into this? Who touched it? How was it changed along the way? 

That becomes especially sensitive in software because with open source software—some figures have it as high as over 90% of all commercial software and publicly available platforms run on an open source- based set of software—because you're running your business on software that you didn't make yourself.

Back in days of yore everyone wrote their own software or bought something off the shelf. Now it’s just become more commonplace to outsource or borrow or take open source components — you don't create your whole solution yourself. And in terms of a supply chain, somebody makes some software, and they designed it for a certain purpose, and then other people before it gets to you might have made alterations that change that behavior and the characteristics of that software. 

But what Log4j showcased to me, because I’m part of that secure, open source, upstream security community, was that that a vulnerability like that can be fixed very quickly – in under 12 hours of public disclosure by the Apache* security team. 

The open source [community] reacted very quickly, but downstream that information was ineffectively shared, so people didn't know that they had this embedded component inside software that they were using supplied to them by vendors. Then Log4j became a supply-chain problem because people didn't understand the third-party components used in their solutions. They had no understanding of what's done to those components before they're delivered to them, and they don't really have good insight into what's operating on their networks and running their critical systems. It goes back to the basics of inventory. You need an inventory of what's in your shop, so to speak. 

 

Q: This is something that a lot of people are still working out, and that's an important conversation.  

A lot of people are focusing their energy on supply chain issues, bills of materials, etc. What isn't getting enough attention?

A: Many organizations aren't conducting the basics of an information security program well. They don't understand where their critical data is, who can access it, what acceptable patterns of traffic and access are into and out of their networks. There was an announcement recently of a Python* phishing attack, and, almost always, the main threat an end-consumer will see is something around ransomware and phishing. That's the cheapest way a threat actor can get an attack in your inbox and get it to you, by harvesting your credentials. But if you implement very remedial tools like multi-factor authentication it will virtually eliminate many of these attacks because the attacker doesn't have enough information to steal your identity. 

If consumers implement basic security controls like access controls, logging, traffic monitoring, and then things like multifactor or temporal or geographic controls, it would eliminate a lot of the most common threats. Then maybe someday we can worry about the esoteric, academic, James Bond-problems.

 

Q: I love it. James Bond problems.  

A: Like Tom Cruise sliding in on the wire. It doesn't happen to everybody. Everybody has email though, and you're probably going to get spam and phishing.

 

Q: Yep. That’s a certainty in life I think, at this point. There were two results from that struck me in the the Linux Foundation*  and Snyk*, State of Open Source Security 2022 report.   

One is that “41% of organizations don't have enough confidence in their open source software security. Or in the security of their software development process.”  

The other: “Data shows that the time it takes to fix vulnerabilities in open source projects has steadily increased from 49 days in 2018 to 110 days in 2021.”  

Two questions: What’s the root of that lack of confidence? And why do vulnerabilities take longer to fix, especially in open source projects?

A: So, there's a lot in there. Unfortunately, with the pressure of an always-connected world we've gone from where you had a bastion server, an enclave that didn't have access to the internet, to now where everything is connected to everything else, and the internet can touch everything. 

As people have migrated to things like the cloud, they haven’t implemented effective security controls along the way to help protect themselves. The same goes for organizations and vendors. When they have software developers, they're pushed to hit a deadline. You must hit time and budget and you can't go over. And normally security requires a little bit of additional time, a little bit of thinking. If you plan up front, you can ease that, shift things left. You can ease that transition into a more secure state, but most people don't want to spend the time. 

They're just shifting and lifting something somewhere and they don't want to invest a lot of effort. And the reason people don't have confidence is because, whether it's a product manager or a development manager, either they don't understand how open source works—it's very complex, it has a lot of different models—and how open source software is developed and communicated, so they either don't know, or they don't care because they're just writing something and then shoving it over to a support organization and it's not their problem anymore. So, they've kind of shifted, they've moved the technical debt somewhere else. 

Businesses have incurred a significant amount of risk because they've not done effective due diligence or the software that they're ingesting. Things like software bill of materials (SBOM), that will tell somebody what's inside of the software they're trying to run. Without those tools, you lose that confidence, and you get scared by big, scary headlines because The Register says the Internet's broken, and that's not necessarily the case.  

If you have effective software management practices, effective software development life cycle (SDLC), good security controls around scanning and management of code and vulnerability management, open source can be more secure than a closed-source solution because you can actually observe it with your own eyes. If you're unsure and you're a little afraid, you can open up that code, look at it yourself, then  apply your own tools and verify for yourself the authenticity and security.

 

Q: How have global events changed the security landscape in the last few years? There’s a lot going on -- COVID completely disrupted digital and physical worlds, there's a war in Ukraine, rising tensions in Taiwan. 

How do these affect the way you and others approach security? What is your current state of mind right now?

A: Afraid. Concerned. What recent global events [showed], from my perspective because I've had to deal with some of these adversaries in previous lives—and it used to be based off what your business was or where your position was in the world—you could expect certain types of threat actors to try to come in and steal your stuff. If you were a home user, you might have a script kiddie phishing-and-farming type attacker, where they're purely in it for money. [They] want to get data to extort you with, or [they] want to steal financial information. 

Those were known things, and we had techniques, tools and procedures to handle them. When you got to the level of nation states, it was fairly well understood how those actors behaved. They wanted to further the political agenda of the nation they're representing, and some of them were there purely to steal intellectual property to further and improve their own economy. Others were looking for a reputation attack or they wanted to make people look bad, expose you or make you look silly, or like you're a bad person. So again, pre-COVID the world wasn't easy, but it was a little more predictable because you understood how the different types of threat actors operate and what they wanted. 

But now, tools for hacking are much more easily available, anybody can become an attacker and anyone who has a political agenda or any kind of agenda can very easily enact that through the anonymity of the internet and the ease of access. What’s troubling is that with today’s geopolitical events, we're seeing a lot more skilled threat actors moving outside their areas of common interest. They've moved on from government attacking government to governments attacking critical infrastructure to shut down [opponent’s] capabilities -- the power grid, water-treatment plants. 

It’s an evolution and shift where we always had a little bit of that, but the frequency was much smaller. And today, with all the turmoil we're seeing around the world—it's very cheap and effective, and you don't have to have as many people, you don't have a giant army and billions of dollars behind you—you can be just as effective fighting and moving your agenda forward with some shell scripts, some Python here and there, and that's what concerns me. We're seeing more nation state actors spill over into a consumer or a critical infrastructure space than before, where it used to be kind of a cold war, so to speak, where people might snoop around, but today we don't know. Maybe they might decide to flip a couple of switches here and there. And that's a risk we're trying to navigate through with our politicians.

 

Q: Interviews with security experts are always filled with doom and gloom, but let’s flip that around: What are you most excited and hopeful for right now in your work?

A: To be honest, I know I'm very heavily biased about this, but I'm super excited about the work we're doing with the OpenSSF.  I'm excited because there’s always been a group of people— open source folks out there doing their thing, sometimes a little fringe, sometimes not—but with the OpenSSF we're bringing together traditional maintainers and projects and project contributors in the same room as major industry players like Intel or Microsoft* or GitHub*, and we're getting together to collaborate on very real-world problems. 

Along the thread you've been weaving here around supply chain and government concerns in the United States, President Biden released an Executive Order on Improving the Nation’s Cybersecurity that outlined the administration's goals around helping improve the cybers. 

Well, the OpenSSF and all of our members got together, read it and put together a 10-point plan saying  if we fund these 10 initiatives, we‘ll be able to increase the security profile of all open source. Because a rising tide lifts all boats, we'll be able to focus on specific things, but also help improve the whole ecosystem for everybody. 

So, I'm super excited and super happy to be part of that because we are making things with global impact and are making things better, but it takes time and takes people to help out. Patches are always welcome!

 

Q: On a more personal note, when are you happiest in your work?

A: I’m happiest when I'm able to make that connection for people. When you have someone that doesn't understand a concept and maybe I help educate them and you can kind of see the light bulb go on, or if somebody is working on a hard problem and I'm able to connect them with the right person or the right tool to help them solve that. 

So, I just like helping people and that's what makes me happy. That's why I spend so much time with education and all these kinds of philanthropic things.

 

Q: That's a wonderful answer. And finally, do you have a one-sentence piece of security advice for technologists? And do you have a different one for everyone else? Or is it the same? 

A: Um, one sentence. Boy that is tough. I would have a couple of them.  

First, from a consumer enterprise perspective, always be patching. Software is always changing. There are always vulnerabilities and threats that come up that are found. You need to be aware of that and constantly adapt and react to it.  

And from an end-user perspective, I would advocate a good dose of skepticism. Don't always trust what you read on the internet. Don't always trust what's in your inbox. Give it a sniff test, give it an extra look, maybe do a little additional research before you click a link. A good dose of healthy skepticism will always help you and help you avoid getting owned.

About the author  

Katherine Druckman, an Intel Open Source Evangelist, is a co-host of podcasts Reality 2.0 and FLOSS Weekly. A long-time Drupal enthusiast and former digital director of Linux Journal, she's a 15-year veteran of the marvelous world of open source software.