Bridging the Gap: Open Source Security and Web Development


Open at Intel host Katherine Druckman spoke with Dan Appelquist, open source strategist at Samsung, about his role in the open source and web standards communities, including the Open Source Security Foundation (OpenSSF). They talked about the disconnect between web developers and the open source security community, the complexities of securing mobile devices, media authenticity, and the ongoing efforts to bridge these gaps through educational resources. Enjoy this transcript of their conversation.

“I'm also an advocate of ethical technology. How do we make sure that what we're building collectively here serves humanity, actually creates a better society?”

— Dan Appelquist, Open Source Strategist, Samsung Open Source Group 


Katherine Druckman: Hey, Dan. Thank you for joining me. So, Dan Appelquist of Samsung is joining me today. I'm really excited about this. Dan and I know each other from the OpenSSF community, which is Open Source Security Foundation, but Dan has a long and interesting story in the open source world that I'm hoping he will share with us. Dan, why don't you introduce yourself just a little bit. And thank you again for joining me. 

Dan Appelquist: Sure, and thanks for having me on. I really appreciate it. As you said, I'm currently at Samsung. I'm in the open source group at Samsung where I'm working as an open source strategist, participating in OpenSSF as well as the C2PA, which is all about content authenticity. 

Katherine Druckman: I would love to talk more about that. 

Web Standards and Privacy Initiatives

Dan Appelquist: I also have a history of participating in a lot of web standards, web projects. I've been working in W3C for over 20 years. W3C, the World Wide Web Consortium, is the standards group that Tim Berners-Lee set up about 30 years ago. We just had the W3C at 30 celebration to shepherd the standards of the web. And I chair or I co-chair a group there called the Technical Architecture Group, which is all about shepherding the architecture for the web. It acts as a kind of design authority for development of new specifications, new standards. 

As part of that, I've been doing a lot of stuff. For instance, that's the group that produced the security and privacy self-check for people who are working in W3C building new specs to be added to the web platform, new APIs, all the questions that they should be asking themselves about security, about privacy.  

I've also been working more recently on something called the privacy principles document, which, again, lays out a whole bunch of principles for developers, but also for web developers, spec developers, and web developers about how we should be thinking about privacy on the web, defining terms with finding what it means, and also giving spec developers actionable guidance about how to build better privacy. I often think about security as an enabler for privacy. I know that's certainly one of the key aspects of security. 

Katherine Druckman: Yeah, I feel similarly. 

Dan Appelquist: I'm also an advocate of ethical technology. I'm a co-author of something called the Ethical Web Principles, which is about how we make sure that what we're building collectively here serves humanity, creates a better society. 

Katherine Druckman: Does no harm. 

Dan Appelquist: I'm a keen believer in that as well. I've been at this for a while, right? I was there at the beginning of the web. I was one of the people who helped start some companies and startup companies that were working with early web publishers in the mid to late-'90s. I became a dot-com CTO. I got sent over from New York to London. I now live in London, but to be a CTO for a UK startup. And then I got caught up in the dot-com bubble and the dot-com bust and got stranded over here. 

Katherine Druckman: You say that like it's a bad thing. I don't know. It sounds like not a bad problem to have right now. 

Challenges in Web and Mobile Security

Dan Appelquist: No, right, yeah, yeah. I've seen a lot in this industry, and I remain very hopeful for the future of the web, for the future of the internet. And that is because I think I see so many really good professionals, strong professionals working in this space in good faith to improve things and to make things better for people, for end users, for what I call the person holding the phone on the bus who's trying to get something done. 

When I started my journey in OpenSSF, it was a couple of years ago, and one of the things that struck me was that there was a kind of disconnect between the web developer community and the open source security community. There were a lot of terms being used in OpenSSF land and in open source security, supply chain security. Even the term supply chain security itself was a very foreign term when it came to regular rank and file web developers. 

I kind of took it as a mission to start trying to bring together these communities. And last year we held a workshop, a W3C workshop, but it was also jointly held with OpenSSF, with OWASP, and also with JS Foundation to try to bring together people who are talking about security and talking about web development and to really help shape this problem. What is the gap between open source supply chain security and the stuff that we're talking about in OpenSSF land, and the concerns of regular web developers or the spectrum of web developers, right? Because web developer is not monolithic. There are web developers... 

Katherine Druckman: Yeah, what does that even mean anymore? 

Dan Appelquist: ...that work on websites, there are web developers that work on frameworks and libraries, and there's all kinds of websites and scales, and there are commercial web developers and advertising-focused web developers, but they all need the tool, they all use a similar set of tools, and they need consistent information to help them build better stuff, right?

How do we scope that problem? And then what do we need to do effectively to help developers who are developing for the web to take advantage of some of these technologies, some of these patterns that are being developed in the supply chain security side of things? 

Katherine Druckman: I love that you observed the kind of disconnect because I felt that too when I kind of left the world of, quote-unquote, "web development" or web software, or web platforms, or whatever it was in web world that I was doing where I understood the vocabulary and I understood the customs and how it all fit together. And then I kind of left that world and I came over, and now I'm a little bit in a different world, and I felt foreign in this world for quite a while because I had to kind of relearn a new vocabulary to an extent, a new way of thinking of things. And it wasn't so different, but there are subtle differences. And I think that's interesting. 

I think there's a similar conversation to be had now too as we talk about AI development. I think a lot of people are talking about this thing like it's a completely different thing, but there is commonality to all of these things. At the end of the day, software is software, right? You release software in a very similar way no matter what the software does, and microservice or microservice, and they interact similarly no matter what they do. And the cross-pollination you mentioned, I think that's why that's so critical because people need to have a common vocabulary to think about these things, right? 

Dan Appelquist: Yeah. I think the primary kind of mindset that I encountered when I joined OpenSSF was coming from a cloud computing mentality, right? And that's an extremely important part of our infrastructure and our ecosystem here. But when you think about common web developer issues, they are thinking about the front end as well. And they're thinking about issues that... they're thinking about cross-platform clients, right? When you're building a web application, you have to make sure that the front-end JavaScript that you're sending down to the client is going to run on the many different versions of many different browsers across many different platforms that you want it to be able to work on, right? Because some people have a Samsung phone, some people have an iPhone, some people have different kinds of Android phones, some people... 

And by the way, the reason I keep talking about phones is not just because I'm working for Samsung, it's because I strongly believe the web has become a majority mobile platform. 

Katherine Druckman: Yeah, I think so too. 

The Importance of Mobile Security

Dan Appelquist: The majority of web usage is actually from mobile devices. And this is something that I see a lot of misunderstanding of in the web community as well, where we have a lot of web developers that spend all their time in front of huge screens building browsers, building websites, and not really understanding that the end user is on their phone. 

It also has important ramifications for security, or considerations for security, because mobile phones are also such a key part of our lives, right? They have all of this private information on them. They have our location, they have sensors on them, they have... There's all kinds of opportunities for exploitation of data, for installation of malware. And the mobile phone is so important to people that it makes it doubly important that whatever code is running on that device be extra secure.

And by the way, because of the nature of the web, you could receive a text message that seems to be from your bank that has a link on it. You click on the link, and then boom, you've just downloaded and run code from a party that you have no idea who that is. It could be your bank or it could be evil.com, right? 

Katherine Druckman: Evil.com. What is evil.com? I probably shouldn't try. 

Dan Appelquist: The nature of the web has to be that it needs to be safe. One of our key design considerations in the TAG design principles is it should be safe to visit a webpage. It should not be possible that you click on that link and that suddenly the computer that you're connecting to is able to install software, able to gain access to your private information, your location, et cetera. And that's such a key balancing act because we also want to make sure that the web works seamlessly, that you're not being presented with a complex array of permission requests every time you visit a page. A lot of that is inherent in how we design the web. 

Threat Models and Security Concerns

Katherine Druckman: You said something about phones. They have accelerometers, they have all these sensors, track your location. I've said before, I think a person's phone is second to their brain, and having possession of the data on the phone is basically having possession of the person, and maybe more so. 

And it's kind of like when you think about, you talked about the work you do with OWASP and other security groups and whatnot, but if you consider the threat model, when you talk about what it is that you're trying to protect and from who, and you think about a phone, and you really drill down and think about what it is you're trying to protect, it's kind of terrifying. And then who are you trying to protect it from? Well, that could depend. Are you trying to protect yourself from a nefarious government actor? I don't know. Are you trying to protect yourself from marketing companies, right? Are you trying to protect yourself from...

Dan Appelquist: There is a range of threat models, right? 

Katherine Druckman: ...data brokers? To access the data on a person's mobile device might be more invasive than directly accessing their brain or body in a way. And to think about that is actually kind of mind-blowing.

Protecting Yourself and Your Data

Dan Appelquist: And commercial actors will also take advantage of any opportunity they can find to get more information from you from a commercial standpoint. In the workshop last year, we talked about things like SBOMs, for instance. That's software bill of materials. That's something that is very unlikely to be talked about in web developer circles. 

Also, there are web specific technologies, like CORS and Content Security Policy, for instance, that are not very often talked about in OpenSSF or open source supply chain security circles, right? In the OpenSSF Best Practices Group, we have a document that is a concise guide for software developers for secure software development, which is a great document and has lots of links off to other resources. But it doesn't have web specific technologies in it. It doesn't have "look at your code. Are you using XYZ APIs? Are you using CORS? Are you using Content Security Policy?"... things like that.

Challenges for Web Developers

Dan Appelquist: There's a gap there where web developers, if they're looking for the best practice when it comes to "how do I build secure websites?" and they're looking at places that are talking about supply chain security, they're not getting the full story, or they're not getting information that's really aimed at them.

At the same time, if you look at a best practice around, say, selection of libraries, or selection of JavaScript frameworks, this is a decision that web developers often have to make. What polyfill should I use? What library should I use to accomplish this goal? What code should I import into my project? And that decision is often made in the absence of security information, information about whether or not that project was developed using secure software guidelines or techniques. 

So that's another example where most web developers would not... if they're looking at npm to figure out what library they want to use to accomplish some goal, they're very often or they're very unlikely to also check Scorecard to see if the library in question has good security hallmarks, good security hygiene. 

And some of those items... by the way, I'm not advocating that web developers should just be paying attention to the Scorecard score, because actually some of the issue is that some of those things that Scorecard is tracking are more or less relevant to web developers, and that's something that we're looking at.

Katherine Druckman: Right, right. There's a due diligence no matter what, right? 

OpenSSF and W3C Collaboration

Dan Appelquist: Yeah. I mean, one of the things that came out of this workshop that we held last year was a call to do some additional work. So that's why I started what's called the SWAG Community Group. It's a W3C community group, which means it's an open working group that anybody can join. And it's also, we have a liaison agreement between W3C and OpenSSF. That means that the work that we're doing in that group, I'm reporting on every week, or every two weeks, into the Best Practices Working Group in OpenSSF.

We're effectively using it as a coordination point between OpenSSF and W3C around building out some assets, some documents, some best practice statements that are around the same level as the concise guides that we have in OpenSSF already, but are aimed directly at web developers. 

And in the process of trying to figure out what those should be, we've come across all these questions that we're trying to munch through, and come to some decisions on, come to some consensus on what should the guidance be around CSP, what should the guidance be around the use of trusted types, or other new emerging security technologies that are coming out of W3C. 

That's a lot of the stuff that we're working on right now, and I'm excited by it because, again, the motivation is how do we create a better, more secure web for people, for end users?  

Expanding Security Education

Katherine Druckman: I love that you're doing this work, one, because that is how I got to this place in my life, right? I traveled the web road for a long time, so I feel like you're speaking to former me, and I appreciate it. 

As a developer, as a web developer, and again, whatever that means anymore, it's complicated. I remember when people were called webmasters, so that was a long time ago. But whether you're releasing software, releasing npm packages, wherever you fit into that world. How would you recommend those people begin to expand their education on security best practices? 

Dan Appelquist: Well, the OpenSSF has a security 101 course, which is really good basic stuff around threat modeling and stuff like that. It's free, and I recommend that anybody who wants to learn more about security should take it. 

OWASP also has some really good material that's available. And by the way, OWASP also runs a very highly distributed network of meetups and chapters around the globe. And wherever you are in the world, there's guaranteed to be, or very likely to be, an OWASP meetup or a network that is security professionals, software security professionals, that are also interested in web and also other kinds of software security. 

Getting involved in one of those can really be helpful because you're going to gain a stronger understanding of the whole ecosystem that way.  For the SWAG Community Group, we'd certainly love to get feedback about your questions, your issues you've encountered, concerns that you have about security when it comes to building for the web, because that would really help to drive our agenda. 

Katherine Druckman: I love it. I would love if you could come back, because I would love to dig a little bit more into several of the things you brought up that we haven't gotten a chance to get to. One of them is C2PA, which is actually really interesting, somewhat slightly peripheral, but yet not to this conversation. Could you give us just the really brief highlight of what that is? 

The Importance of Media Authenticity

Dan Appelquist: If you go to c2pa.org, you can find out all about C2PA. It's really all about content and media authenticity. The idea being that when you generate media or when you modify media, whether it's using some kind of traditional image editing tool or an AI-based tool, that a kind of audit log of everything that has touched that piece of media is attached to it in some way, and that clients downstream can therefore examine that auditable log and alert the end user, again, the person who's consuming the media. It's important that they understand, hey, this image was generated by AI, or this image was manipulated in some way versus this image... Almost every image that we see online is manipulated in some way, but you can usually get a log of what manipulations were made, and therefore understand whether or not something is trustworthy, whether something's authentic. 

Katherine Druckman: And you can identify if it was taken in the location that they claim to have been taken in, right? 

Dan Appelquist: I mean, yeah, that's a key aspect. I live in the UK, BBC is huge here, and BBC has a team that is called BBC Verify that's associated with their BBC News where all they do is verify information. They're participating in this work. And they've made some public blog posts about how they're integrating C2PA into their whole workflow for verification of media. It's very exciting stuff. 

Katherine Druckman: I think so. I think it's great. The whole concept around authenticity and the web and software is really important and very interconnected to security and privacy, I think in many ways. And so, I don't know, this is an area that interests me personally, so I enjoy talking about it, and I enjoy following projects like this. 

Dan Appelquist: I mean, I'm very privileged to be able to work on problems like this that I think are important to society as well as important to technology providers, right? Because we have to collectively agree that we're not going to build the dystopia, that we're going to avoid that, that what we do adds hope... 

Katherine Druckman: Yeah, we hope. 

Dan Appelquist: ...adds value to people's lives. And, yeah, so I'm big into that.

Katherine Druckman: If only we could all agree on what dystopia is, that would be a good start. 

Dan Appelquist: Yeah. 

Katherine Druckman: Oh, well, that's a conversation for next time, I think, since we're almost out of time here. I wondered if there was anything you wanted to get to today that we didn't get to?

Final Thoughts and Future Discussions

Dan Appelquist: I would love to talk in more detail about anything that we talked about. I mean, we didn't talk too much about the threat model for the web. I do think that it's important to note that people use the web for everything in their lives. And we talked about this a little bit, how the phone is almost people's brain. But it's sometimes difficult to think about what all those different things can be. They can include things like registering your car, registering for benefits, government services, paying your taxes, financial services, sure, but healthcare, end of life care, all kinds of stuff that is extremely private information that you really don't want to be spreading out there or that you want to keep to yourself. 

And again, that's another thing that drives me is kind of thinking about all of those corner cases, the cases of the extremely personal way that people interact with digital services and how we need to keep focused on that if we want to understand who our customers are when we're building secure software. 

Katherine Druckman: Well, thank you for those parting thoughts. But yeah, let's dive deeper into this next time. I think there's got to be another next time. 

Dan Appelquist: Sounds good, sounds good. 

Katherine Druckman: That'll leave everybody a hint about what's to come. Thank you so much for joining me and thank you, everyone, for listening. 

Dan Appelquist: Thank you. 

Katherine Druckman: You've been listening to Open at Intel. Be sure to check out more about Intel’s work in the open source community at Open.Intel, on X, or on LinkedIn. We hope you join us again next time to geek out about open source.  


About the Guest 

Dan Appelquist, Open Source Strategist, Samsung Open Source Group

Dan Appelquist is open source strategist at Samsung Open Source Group. He is a web and mobile industry veteran and a long-time participant and leader in open source and open standards. He has been co-chair of the W3C Technical Architecture Group for the last ten years. He was an early web pioneer and "dot-com CTO." He's led efforts at Vodafone, Telefónica, Samsung and the UK Government relating to open standards and the open web. You may find him on the Fediverse at @torgo@mastodon.social.

About the Host

Katherine Druckman, Open Source Security Evangelist, Intel  

Katherine Druckman, an Intel open source security evangelist, hosts the podcasts Open at Intel, Reality 2.0, and FLOSS Weekly. A security and privacy advocate, software engineer, and former digital director of Linux Journal, she's a long-time champion of open source and open standards. She is a software engineer and content creator with over a decade of experience in engineering, content strategy, product management, user experience, and technology evangelism. Find her on LinkedIn.