The open source community has always faced challenges around community, governance, and scalability. Recently, there's been a significant amount of discussion about securing the software open source supply chain. This is especially true when addressing challenges brought about by distributed, largely anonymous development teams relying on community participation.
Josh Bressers, VP of Security at Anchore*, fellow podcaster and Open Source Security Foundation* (OpenSSF) volunteer, joins us to talk about why open source isn't broken and how to address the human aspects of open source security and communities.
Katherine Druckman: Tell us what your company, Anchore, does.
Josh Bressers: We call ourselves next-generation source composition analysis (SCA).
What that really means is SBOM-powered vulnerability scanning and asset tracking in the software universe. We have two open source programs, Syft* and Grype*. Syft generates SBOMs. Grype scans SBOMs for security vulnerabilities. It's all very exciting and interesting right now, so I absolutely love every day of it.
Katherine Druckman: It can be difficult to make security sound really cool and fun, but I think you just did.
Josh Bressers: I believe my exact words were “security is boring.” We'll just get that out of the way.
Katherine Druckman: You’re also a contributor to the Open Source Security Foundation (OpenSSF). What do you do there?
Josh Bressers: Right now I am the co-chair, with Kate Stewart, of SBOM Everywhere, where the intention is to unlock the secrets to how we can be more approachable for open source because, and this goes back to my joke that security is boring, let's say we go to an open source project and say, “Hey, we would like you to make SBOMs.” They’ll say, “What’s the benefit to me?” And we’ve got nothing, so we're trying to understand that, and, additionally, we need to understand how to bring SBOMs to open source projects. You can't just go to a project and say, “Hey, you should do SBOMs.” They may not know what that means. We’re trying to understand how to approach open source projects and offer help.
It's a lot of work, but also very interesting...
Katherine Druckman: I should mention that Kate Stewart was a guest on one of our previous podcast episodes...And, while we’re at it, you have a podcast called Open Source Security. (Because what's the point of coming on a podcast if you can't plug your own podcast?)
Josh Bressers: I do that podcast with a fellow named Kurt Seifried. We've been doing it for six or seven years, we're on episode 380 or so...and I have another one called Hacker History.
Katherine Druckman: You had an interesting conversation about securing the software supply chain, and you said: “What is open source but people?” It’s software, but also an ideology and community-based development... In the end, open source is people and human problems and communication. So when we talk about “fixing the open source software supply chain,” what does it mean to you?
Josh Bressers: Let me start by saying there’s nothing wrong with the open source supply chain.
Open source works exactly as it’s meant to work and exactly as it wants to work. This is one of the thorns in my side when we talk about the supply chain. Because many people will tell you all the things we need to do to fix open source. We don't need to fix open source. We need to fix how we use open source. That may sound like a linguistic nitpick, but it's very important. The best example of this concept comes from Thomas Depierre, who wrote a blog post called I Am Not a Supplier...
He explains that he gets these requests for SBOMs and for vulnerability scans and for filling out security questionnaires.
Katherine Druckman: Vendor questionnaires.
Josh Bressers: Right. And he's like, I'm not your supplier. I'm making a thing for fun, then putting it on the Internet. I owe you nothing. That's the key. The Atlantic Council* made a good analogy in their paper describing how the open source universe works. They compare open source to the water ecosystem on the planet where water is a natural resource we use, and if you pollute it, you can't use it. Today we’re polluting open source more than we're using it in a sustainable manner. That's a really important concept. Except you don't blame water when something goes wrong with the water, right? You blame yourself because you screwed it up.
Katherine Druckman: I like it. Community and sustainability came up in our previous episode with Jorge Castro. He said: “If something happened to the Linux* kernel there would be zombies the next day.” This is critical software we're talking about. Many open source projects are critical to the way we live and operate.
Josh Bressers: It literally runs the world at this point. The joke is just that everyone is running open source, right? Whether you know it or not, everything is running open source.
Katherine Druckman: It’s effectively in everything, 90% of software? Given the high stakes, people are working diligently to solve what's perceived as a problem.
Josh Bressers: We’re people. Human beings have the most amazing ability to ignore a problem until they can't. Then they have an amazing ability to solve very hard things. That gives me hope in our usage of open source and everything I see. If you look at the history of nearly any type of safety on the planet, automobile safety, train safety, worker safety or pollution, we let it get really bad before doing anything about it. It annoys me that we probably must let it get bad, but when you look at the way open source works, there are all these organizations using all this code. How many people will say, “Yeah, we kind of screwed up the way we're doing this.” They're going to point the finger at someone else and be like, “Oh, the open source people, it's their fault that it works this way. I did nothing wrong, I just took it and used it.” That's part of this story: no one will say they screwed up. They look for someone that they can point a finger at because none of us like to accept blame. It's just human nature.
Katherine Druckman: Who’s producing open source? It varies tremendously. There are tons of well-funded projects with a lot of corporate contributors, people paid to work on open source projects every day, like Kubernetes* and PyTorch* and the Linux kernel... Then you have the XKCD cartoon projects too, where one person thanklessly maintains a project...
Josh Bressers: I take issue with that comic because there's one little piece of the stack, and it says the open source project maintained by someone in like Nebraska. It's not that. It's a stack reaching kilometers into the air of single maintainer projects that hold up our enterprise software. It’s not one thing, it’s all of it. This is part of what makes open source amazing and what could also make it terrifying, especially when you realize how many bus accidents away from significant problems we have in our entire software ecosystem.
Katherine Druckman: There are some very critical projects supported by a couple of people in Nebraska, but at the other end, and part of what I take issue with, is that it perpetuates the idea that open source is the stuff of hobbyists...But not necessarily -- it's much more complicated and there's a ton of very well-funded open source. There are very smart and well-funded people solving these problems, solving software and engineering, problem solving, security problems, all those things. And I worry that it perpetuates the conversation about the legitimacy of open source.
About the Author
Katherine Druckman, an Intel Open Source Evangelist, is a host of podcasts Open at Intel, Reality 2.0 and FLOSS Weekly. A security and privacy advocate, software engineer, and former digital director of Linux Journal, she's a long-time champion of open source and open standards.