CRob on open source software security education on TechStrong TV

In the Open Source Software Security Mobilization Plan released this past May, the very first stream – of the 10 recommended – is to “Deliver baseline secure software development education and certification to all.”

As the plan states, it is rare to find a software developer who receives formal training in writing software securely. The plan advocates that a modest amount of training – from 10 to ideally 40-50 hours – could make a significant difference in developer contributions to more secure software from the beginning of the software development life cycle. The Linux Foundation now offers a free course, Developing Secure Software, which is 15 hours of training across 3 modules (security principles, implementation considerations & software verification).

The plan proposes, “bringing together a small team to iterate and improve such training materials so they can be considered industry standard, and then driving demand for those courses and certifications through partnerships with educational institutions of all kinds, coding academies and accelerators, and major employers to both train their own employees and require certification for job applicants.”

Also in the plan is Stream 5 to, “Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.” They are a small team of professional software developers, vetted for security and trained on the specifics of language and frameworks being used by that OSS project. 30-40 experts would be available to go out in teams of 2-3 for any given crisis.

Christopher “CRob” Robinson is instrumental to the concepts behind, and the implementation of, both of these recommendations. He is the Director of Security Communications at Intel Product Assurance and also serves on the OpenSSF Technical Advisory Committee. At Open Source Summit North America, he sat down with TechStrong TV host Alan Shimel to talk about the origin of his nickname and, more importantly, software security education and the Open Source Product Security Incident Response Team (PSIRT) – streams 1 and 5 in the Plan.  Here are some key takeaways:

  • I’ve been with the OpenSSF for over two years, almost from the beginning. And currently I am the working group lead for the Developer Best Practices Working Group and the Vulnerability Disclosures Working Group. I sit on the Technical Advisory Committee. We help kind of shape, steer the strategy for the Foundation. I’m on the Public Policy and Government Affairs Committee. And I’m just now the owner of two brand new SIGs, special interest groups, underneath the working group. So I’m in charge of the Education SIG and the Open Source Cert SIG. We’re going to create a PSIRT for open source.
  • The idea is to try to find a collection of experts from around the industry that understand how to do incident response and also understand how to get things fixed within open source communities. . . I think, ultimately, it’s going to be kind of a mentorship program for upstream communities to teach them how to do incident response. We know and help them work with security researchers and reporters and also help make sure that they’ve got tools and processes in place so they can be successful.
  • A lot of the conference this week is talking about how we need to get more training and certification and education into the hands of developers. We’ve created another kind of Tiger team, and  we’re gonna be focusing on this. And my friend, Dr. David Wheeler, he had a big announcement where we have existing body of material, the secure coding fundamentals class, and he was able to transform that into SCORM. So now anybody who has a SCORM learning management system has the ability to leverage this free developer secure software training on their internal learning management systems.
  • We have a lot of different learners. We have brand new students, we have people in the middle of their careers, people are making career changes. We have to kind of serve all these different constituents.

Of course, he had a lot more to say. You can watch the full interview, including how CRob got his nickname, and read the transcript below.

Alan Shimel 00:06
Hey, everyone back here live in Austin at the Linux Foundation Open Source Summit. You know, we’ve had a very security-heavy lineup this past week. And for good reason, security is top of mind to everyone. The OpenSSF. Of course, Monday was OpenSSF day, but it’s more than that. More than Monday, we really talked a lot about software supply chains and SBOMs and just securing open source software. My next guest is CGrove or CRbn? No, no, you know, I had CRob in my mind, and that’s what messed me up. Let’s go back to Crob. Excuse me. Now check this out a little thing myself. So Crob was actually the emcee of OpenSSF day on Monday.

CRob 01:01
I had an amazing hat. You did. And you didn’t wear it here. I came from outside with tacos, and it was all sweaty.

Alan Shimel 01:08
We just have two bald guys here. Anyway,

CRob 01:14
safety in numbers.

Alan Shimel 01:15
Well, yeah, that’s true. It’s true. Wear the hat next time. But anyway, first of all, welcome, man. Thank you.

CRob 01:21
It’s wonderful to be here. I’m excited to have this little chat.

Alan Shimel 01:24
We are excited to have you on here. So before we jump into Monday, and OpenSSF day, in that whole thing, you’re with Intel, full disclosure, what do you do in your day job.

CRob 01:36
So my day job, I am the Director of Security Communications. So primarily our function is as incidents happen, so there’s a new vulnerability discovered, or researchers find some report on our portfolio, I help kind of evaluate that and kind of determine how we’re going to communicate it.

Alan Shimel 01:56
Love it, and your role within OpenSSF?

CRob 02:01
So I’ve been with the OpenSSF for over two years, almost from the beginning. And currently I am the working group lead for the developer best practices working group and the vulnerability disclosures working group. I sit on the technical advisory committee, so we help kind of shape, steer the strategy for the foundation. I’m on the Public Policy and Government Affairs Committee. And I’m just now the owner of two brand new SIGs, special interest groups underneath the working group. So I’m in charge of the education SIG, and the open source cert SIG. So we’re going to create a PSIRT for open source.

Alan Shimel 02:38
That’s beautiful man. That is really and let’s talk about that SIRT. Yeah, it’ll be through Linux Foundation.

Unknown Speaker 02:47
Yeah, we are still. So back in May the foundation and some contributors created the mobilization plan. I’m sure people have talked about it this week. 10 point plan addressing trying to help respond to things like the White House executive order. And it’s a plan that says these 10 different work streams we feel we can improve the security posture of open source software. And the open source SIRT was stream five. And the idea is to try to find a collection of experts from around the industry that understand how to do incident response, and also understand how to get things fixed within open source communities.

CRob 03:27
So we’re we have our first meeting for the SIG the first week of July. And we’re going to try to refine the initial plan and kind of spec it out and see how we want to react. But I think ultimately, it’s going to be kind of a mentorship program for upstream communities to teach them how to do incident response. We know and help them work with security researchers and reporters, and also help make sure that they’ve got tools and processes in place so they can be successful.

Alan Shimel 03:56
I love it. Yeah. Let’s be honest, this is a piece of work you cut out for yourself.

Unknown Speaker 04:04
Yes, one of my other groups I work with is a group called First, the Form of Incident Response and Security Teams. And I’m one of the authors of the PSIRT services framework. So I have a little help. So I understand that you got a vendor back on that, right? Yeah, we’re gonna lean into that as kind of a model to start with, and kind of see what we need to change to make it work for open source communities.

Alan Shimel 04:27
I actually love that good thing. When do you think we might see something on this? No pressure.

Unknown Speaker 04:32
No pressure? Oh, definitely. The meetings will be public. So all of that will go up into YouTube. So you’ll be able to observe kind of the progress of the group. I expect we’re going to take probably at least a month to refine the current plan and submit a proposal back to the governing board. We think this is actionable. So hopefully before the end of the year, maybe late fall, we’ll actually be able to start taking action.

Alan Shimel 04:57
All right. Love it. Love it. Gotta ask you, Where does the name come from?

Unknown Speaker 05:03
So the name comes from Novell GroupWise. So back in the day, our network was run by an HP VAX. But our email system plugged into the VAX and you were limited by the characters of your name. So my name Chris Robinson. So his first little first letter, first name, next seven of your last, so I ended up being Crobinsoe. And we hired a developer that walked in, he looked at it, and he’s like, ah, Crobinso the chromosome, right? Got shortened to Crob.

Alan Shimel 05:36
Okay, not very cool. So thank you. Not Crob. That’s right. Thank you Novell is right. That was very interesting days. Remember.

Unknown Speaker 05:45
I love that stuff. I was Novell engineer for many years.

Alan Shimel 05:49
That’s when certs really meant something certified Novell. You are? Yeah. Where are they now? See, I think the last time I was out in Utah. Now I was I think it was 2005. I was out in Utah, they would do if there was something they were working on.

Unknown Speaker 06:14
They bought SUSE. And we thought that that would be pretty amazing to kind of incorporate this Novell had some amazing tools. Absolutely. So we thought that would be really awesome than the NDS was the best. But we were hoping that through SUSE they be able to channel these tools and get broader adoption.

Alan Shimel 06:30
No, I think for whatever reason. There’s a lot of companies from back in those days, right, that we think about, indeed, Yeah. Anyway,

Unknown Speaker 06:45
My other working group. So we have more, but wait, there’s more, we have more. So the developer best practices working group is spinning off and education sake. So a lot of the conference this week is talking about how we need to get more training and certification and education into the hands of developers. So again, we’ve created another kind of Tiger team, are we’re gonna be focusing on this. And my friend, Dr. David Wheeler, David A. Wheeler, he had a big announcement where we have existing body of material, the secure coding fundamentals class, and he was able to transform that into SCORM. So now that anybody who has a SCORM learning management system has the ability to leverage this free developer secure software training, really, yes.

Alan Shimel 07:35
And that’s the SCORM. system. If you have SCORM, you can leverage this.

Unknown Speaker 07:39
free, there’s some rules behind it. But yeah, absolutely. It’s plugged in, we’re looking to get that donated to higher education, historically black colleges and universities (HBCU), trade schools like DeVry, wherever

Alan Shimel 07:52
Get it into people’s hands. That’s the thing to do. So that get that kind of stuff gets me really excited. I’ll be honest with you, you know, all too often, we’re good in the tech industry for forming a foundation and, and a SIG and an advisory board. But rubber meets the road, when you can teach people coming up. Right, so they come in with the right habits, because you know, it’s harder to teach the old dogs, the new tricks, right.

CRob 08:23
I can’t take the class. I know the brains full.

Alan Shimel 08:26
Yeah, no, I hear you. But no, but not only that, look, if you’ve been developing software for 25 years, and I’m gonna come and tell you, Well, what you doing is wrong. And I need you to start doing it this way. Now, I’m gonna make some progress. Because no one wants to say I know everything. And I’m not changing. People don’t just say that. But it’s just almost subconsciously, it’s a lot harder.

Unknown Speaker 08:51
It definitely is. And that’s kind of informing our approach. So we have a traditional, about 20 hours worth of traditional class material. So we’re looking at how we can transform that material into things like webinars and podcasts, and maybe a boot camp. So maybe next year, at the Open Source Summit, we might be able to offer a training class where you walk in, take the class, and walk out with a certification.

CRob 09:17
And then thinking about, you know, we have a lot of different learners. We have, you know, brand new students, we have people in the middle of their careers, people are making career changes. So we have to kind of serve all these different constituents. And that’s absolutely true. And that is one of the problems. Kind of the user journeys we’re trying to fulfill is this. I’m an existing developer, how do I gain new skills or refine what I have?

Alan Shimel 09:40
Let me ask you a question. So, I come from the security side of that. Nothing the matter with putting the emphasis on developers developing more secure software. But shouldn’t we also be developing for security people to better secure open source software.

CRob 10:02
And the foundation itself does have many, it’s multipronged. And so to help like a practitioner, we have things like our scorecard and all stars. And then we have a project criticality score. And actually, we just I, there was a great session just a couple hours ago, by one of my peers, Jacque Chester, and it was kind of a, if you’re a risk guy, it was kind of based off of Open Fair, which is a risk management methodology, kind of explaining how we can evaluate open source projects, share that information with downstream consumers and risk management teams or procurement teams, and kind of give them a quantitative assessment of this is what risks you could incur by these projects.

CRob 10:44
So if you have two projects that do the same thing, one might have a higher or lower score will provide you the data that you could make your own assessment off of that and make your own judgment. So that the foundation is also looking at just many different avenues to get this out there, focused on practitioners and developers, and hopefully by this kind of hydraulic approach, it will be successful. It’ll stick.

Alan Shimel 11:07
you know what you just put as much stuff on the wall and whatever sticks sticks man up. So anyway, hey Crob. Right. I got it right. Yep. All right. Thank you for stopping by. So thank you for all you do, right. I mean, it’s a community thing. These are not paid type of gigs, right. Sure. Yeah. No, and I thank you for your for your time and efforts on that.

CRob 11:30
Thank you very much. All right.

Alan Shimel 11:31
Hey, keep up the great work. We’re gonna take a break. I think we’ve got another interview coming up in a moment. And we’re here live in Austin.

Jamie Thomas on TechStrong TV

Jamie Thomas is the General Manager, Systems Strategy and Development at IBM and is also the OpenSSF Board chair. She sat down with Alan Shimel of TechStrong TV during OpenSSF Day in Austin to share about OpenSSF and how the open source community is rallying together to increase the resilience of open source software. 

You can watch the full interview or read the transcript below. But, since we are all busy, I have pulled together some of the key points Jamie made from the interview:

OpenSSF is focused on a proactive posture. How do we prevent these kinds of events? And so to do that, we think there’s a number of things we have to do: 

  • First and foremost is education, of course, in terms of basic security education for developers.
  • Another key tenant is how do you put automation on steroids? So the automation and best practices that are reflected in that automation that open source projects can consume? How do you get that out to the most critical projects, and then provide some support for the long tail projects
  • It’s also about working, frankly, with other industry consortia as well as the government. In Particular, we’ve been working with the US government in the OpenSSF to define what are some actions that are really going to make a difference. 
  • And I think critical to all of this is getting collaboration across the different insights from the governing body, which includes a lot of technology firms, as well as commercial firms. Like there’s a lot of financial firms actually involved in the governing body. What are the key elements that we really need to address first. So getting those priorities set, and then having an execution agenda and really getting something done in the short term, I think is really going to be important for this group.

In the world of cybersecurity, you often learn that no one pays attention to a lot of things unless there’s a huge compelling event. And that’s what log4j was. So while it was not desired, it was helpful in that vein. . . So coming out of all of the meetings that we’ve had, the collaboration that we’ve had across the industry, it is going to be imperative that we execute, and that the things that we have identified as top priorities that we make measurable progress on those projects this year. That’s the importance of this OpenSSF day here today in Austin, which is allowing us, with a key set of stakeholders, to start to share perspectives of the projects that are underway, and how others can engage in those projects. And how, once again, working together, we can actually make a difference. 

 Working together, we can actually make a difference. 

We are turning the corner on a new level of commitment around security, there’s always been a commitment in open source around innovation, around feature function. I mean, that’s what’s driven open source and allowed it to be so successful. And for others, other corporations like IBM, we take an enormous advantage out of that, right, we’ve all gotten a huge advantage in productivity out of that. But now, it’s really about turning the focus a little bit more, getting that focus on security, so that we can use open source and continue to have that productivity, but with confidence as we go forward.

How do we make it easy for the maintainers of these open source projects? How do we make it easy for the contributors, because without doing that, it will not have the consumption by developers at large.

Alan Shimel 0:06
Hey, everyone, we’re back here live at the Linux Foundation’s Open Source Summit here in Austin, Texas. And as we mentioned earlier, today is is a day of, I don’t know if you want to call it daughter-sister foumdations or satellite conferences, the main event really starts tomorrow. But there’s several important foundations who are holding conferences today. One of which, and kind of the one kind of the nearest to me is the Open Source Security Foundation. OpenSSF. And we are really happy to be joined by Jamie Thomas, who is the governing chair or the chair of the governing board. Jamie, welcome to our show. Thanks for joining us. So, look, when you’re not busy running, or being Chair of the Board for OpenSSF you have a day job as well. If you want to share with our audience feel free.

Jamie Thomas 1:05
Well, first of all, Alan, thanks for having me. I’m really pleased to be here to talk about OpenSSF. But I am a general manager at IBM responsible for systems development and delivery as well as IBM’s enterprise security program. And enterprise security, of course, is how I got involved in this particular topic.

Alan Shimel 1:22
Absolutely. And that look, that is a world and job unto itself. And we could probably do a few hours on that. But we’re going to focus on on OpenSSF today. So, you know, for most of our audience is familiar, we’ve covered,we’ve had the pleasure of speaking with Brian from OpenSSF a few times. It was a nice idea I think when it was first conceived about yes, we need to do something about security, about the security of open source tools specifically.

Alan Shimel 1:53
And then kind of all hell broke loose. You know, sometimes, sometimes things just work like that. Right? History runs in currents. So we started the OpenSSF. And then we had this spate of supply chain security issues and the whole SBOM thing with the White House. And then like kind of the cherry on top was log4j, it was around when January or December of last year. And that’s really, I guess, accelerated has it accelerated. Maybe you had big plants to begin with. Talk to us a little bit about kind of the whole OpenSSF and how it all came together. And what’s happened?

Jamie Thomas 2:33
Well, I think it was very fortuitous that the industry did come together last year with the Linux Foundation to create a new governing body around open source security called the OpenSSF. Because as you say, not long after that we had this industry compelling event log4j and realized the industry had already had we’d already had Solarwinds that year before, which also ruined our holiday in December. We had Kaseya, we had a number of these big supply chain attacks.

Jamie Thomas 3:00
But the difference I would say in log4j is just the predominance of the asset in code. It had been out there for over 20 years, it was a very utilized, a very popular piece of code. And so it affected a lot of software.

Jamie Thomas 3:14
So one of the things that you realize when this kind of thing happens, it’s not just about your fidelity of being able to identify it and get it patched. But for all those downstream consuming organizations, how fast do they roll out these patches, because we’re talking about a huge amount of affected software. So I think that there’s nothing like a true test of your governing body. And this was actually a real test run of what we needed to do in OpenSSF. And, of course, it garnered a lot of tension from the US government and other entities that we can we can talk more about.

Alan Shimel 3:48
Sure. Okay. So let’s talk a little bit about the charter or the mission of the OpenSSF. And it’s something I brought up to you off camera, which is okay. Log4J, let’s make that the poster child for a second. So log4j is basically this open source component, if you will, right, that many, many, many, many, many applications have incorporated into their package, if you will, into their source code. And it’s not, look, I’m not blaming the log4j developers or anything. There was a defect, I don’t even want to you know, it became a vulnerability but there’s a defect, while software has defects that we haven’t even found yet. But nevertheless, this one kind of went public and then we saw exploits with it and in the wild and such as the world of security we both live in. What is the chart is that what OpenSSS is about to prevent, or not prevent, but deal with future log4j kinds of events?

Jamie Thomas 4:55
Well, I think first and foremost, OpenSSF is focused on a proactive posture. Right. So how do we prevent these kinds of events? And so to do that, we think there’s a number of things we have to do. First and foremost is education, of course, in terms of basic security education for developers.

Jamie Thomas 5:14
Another key tenant is how do you put automation on steroids? So the automation and best practices that are reflected in that automation that open source projects can consume? How do you get that out to the most critical projects, and then provide some support for the long tail projects, if you will?

Jamie Thomas 5:31
It’s also about working, frankly, with other industry consortia as well as the government. Particularly we’ve been working with the US government in the OpenSSF to define what are some actions that are really going to make a difference. And I think critical to all of this is getting collaboration across the different insights from the governing body, which includes a lot of technology firms, as well as commercial firms. Like there’s a lot of financial firms actually involved in the governing body. What are the key elements that we really need to address first. So getting those priorities set, and then having an execution agenda and really getting something done in the short term, I think is really going to be important for this group?

Alan Shimel 6:14
Well, look, a lot of people look at what you guys have done, and you’ve gotten stuff done, right? There’s been a tremendous groundswell of support. And granted, log4j didn’t hurt you in that regard. But there are others. But there’s been a tremendous groundswell, right, there’s been a I think, about $30 million raised right, between some of the biggest names in tech kicking in here. There’s been the White House and CISA involvement. So it’s certainly, for a relatively new foundation, it has really garnered a lot of, I don’t want to say market share, but a lot of publicity, a lot of attention.

Alan Shimel 7:02
Now, of course, the question is, okay, how does this translate to rubber meets the road? How do we prevent the next slide? I don’t know if we can prevent the next log4j. But how do we minimize that?

Jamie Thomas 7:14
minimize the impact Exactly. Because I would say, if you look at what happened with log4j, the level of preparedness was not there. So how do you get it remediated fast? And how do you identify it? How do you help the open source projects be more effective. In this case, it was of course tied to the Apache Foundation. But not only that, how did the commercial entities then take advantage of that patch and act expeditiously to benefit the clients?

Jamie Thomas 7:45
So I think there’s a real opportunity here. In the world of cybersecurity, you often learn that no one pays attention to a lot of things unless there’s a huge compelling event. And that’s what this was. So while it was not desired, it was helpful in that in that vein, so coming out of all of the meetings that we’ve had, the collaboration that we’ve had across the industry, is going to be imperative that we execute, and that the things that we have identified as top priorities that we make measurable progress on those projects this year. And I think that’s the importance of this OpenSSF day here today in Austin, which is allowing us, with a key set of stakeholders, to start to share perspectives of the projects that are underway, and how others can engage in those projects. And how, once again, working together, we can actually make a difference.

Jamie Thomas 8:36
I think this on this ongoing level of engagement, making sure that we have the right stakeholders engaged, is going to be important to make progress. And as you know, in the world of open source, the nice thing about OepnSSF is we do have the ability to hire critical roles that can focus on this full time. Because the nature of open source typically is that it’s a it’s a volunteer army. Right? And there’s 1000s and 1000s of volunteers out there. But then how do we help with these resources, enable those volunteers to be more effective.

Alan Shimel 9:10
And frankly, that’s been one of, I think, the key ingredients to the Linux Foundation’s formula for success is, you know, herding. It’s a bit like herding cats herding the open source community, it’s vast, the 1000s, hundreds of 1000s, millions, but you need a few full timers who are, this is their day job, right? This is their this is what they do.

Alan Shimel 9:36
Jamie, I want to talk a little bit for people who are watching this now at home. Or maybe, you know, recorded later on. They weren’t here. They didn’t get what was happening, especially today, which is kind of you know, the OpenSSF’s day. Give them if you don’t mind a little bit of maybe a synopsis of what they’re missing.

Jamie Thomas 9:58
Well, we just got started of course, so we have a little bit more to go today, of course, in terms of the actual kickoff of OpenSSF Day. But I think what I see is real commitment, particularly from the presenters I’ve seen so far, a commitment that they’ve all personally made and outside of their day jobs, frankly, to make a difference in security for open source software. And that’s really the key here.

Jamie Thomas 10:23
Are we turning the corner on a new level of commitment around security, there’s always been a commitment in open source around innovation, around feature function. I mean, that’s what’s, loved it, you know, that’s what’s driven open source and allowed it to be so successful. And for others, other corporations like IBM, we take an enormous advantage out of that, right, we’ve all gotten a huge advantage in productivity out of that. But now, it’s really about turning the focus a little bit more, getting that focus on security, so that we can use open source and continue to have that productivity, but with confidence as we go forward. And I’ve really been, I’ve been impressed with all the speakers today and their personal commitment to this topic. And, and that’s really impressive. And I think we’ll see that for the rest of the day as well.

Alan Shimel 11:12
I’m gonna come back to it that to you in one second. I want to touch on something else, though. And that and that is this look, I’ve been in security for 25 going on 30 years. Well, security 25, IT 30 plus years. And, I, you know, if I had a nickel for every survey I read that said security is one of the top three priorities of IT, or the CIO, or an organization, I’d be a rich, rich person right now. But as like I always said their arms were too short to reach their pockets oftentimes. And it wasn’t until something bad happened like a log4j. You know, some incident. Yeah, Code Red. And I could go through a whole history of the things that people trying to get religion, right.

Alan Shimel 12:00
Excuse me, sometimes it takes that for them to get religion. I don’t, I don’t know why. I hope I always hope that it changes that people finally do start taking it seriously. I think for the OpenSSF though, the important thing to remember, especially in our audience, this is a fact we give them all the time, today’s applications, they are 75% 80% open source components added kind of stitched together with maybe 20- 25% of you know, sort of original code, if you will.

Alan Shimel 12:35
And so if someone’s not watching the store on those open source components, whether they’re artifacts or scripts or whatever. Your it’s only a matter of time. It’s not if, it’s when right. And so that’s why I think this is such a vital, it’s such a vital function, this Foundation. Something needed to happen. Yeah. And this is a perfect place for it. And we I step off the soapbox, you mentioned a couple of speakers anything stand out to you or that you can kind of clue our audience and tell

Jamie Thomas 13:11
I think other than the commitment of there’s a keen focus on making it easy for the developers, right? How do we make it easy for the maintainers of these open source projects? How do we make it easy for the contributors, because without doing that, it will not have the consumption by developers at large, right. And I know this, even inside a corporation, we have the same challenge, really, it’s all about codifying the best practices in an automation framework. And, you know, whatever that is for your organization, that’s going to be critical. And that’s why it’s so critical for these open source projects.

Jamie Thomas 13:45
You know, I think that with the right approach, we will make a difference. But it also, as you said, require stakeholders involved to continue to educate their organizations about why is it important, because all of us actually have the ability to increase the number of contributors we have on these projects, to contribute our expertise. And that’s going to be very important. I think that we as the governing body and other organizations really create a sustaining promise around open source. So it’s not just what the OpenSSF is doing itself. But how we enable that to be successful in the long run. Because we’re all getting the advantage from open source, and, like IBM we of course, it’s IBM plus our company, Red Hat, it has a little bit to do with open source. But those kinds of efforts and keeping that keen focus are going to be very, very important as we go forward.

Alan Shimel 14:38
There’s no doubt about it. It also goes back to what we said before is, look there’s a new lock log4j kind of horizon out there every day where there is so you’re not going to prevent them. You’ve you’ve got to put in your response. You’ve got to have your protocols in place.

Jamie Thomas 14:59
I will tell you that It, you know, I have a window into cyber operations, which is my job every day at IBM. And we’re getting over 100 billion events a day. So that gives you kind of the context for what you got to deal with and landscape. And product security, of course, is one of those triggers. If it’s not, if you’ve got malware, if you got issues, they’re going to be one of your events, right? So it’s a little bit of a reflection on our responsibility to enable effective cyber operations for organizations. I mean, we have a huge responsibility. But we have a huge opportunity here. And I think I want to make heroes out of developers for really worrying about security. That’s kind of one of the goals.

Alan Shimel 15:41
You know, look, you’re preaching to the choir here, because, you know, I started devops.com in 2013, 2014. And I did it because, as a security person, I thought it was the best thing that happened in security. If we can get developers security, aware, security conscious, that’s half the battle. And, you know, for a long time it was it was an uphill battle. Let me say that. But this whole notion of what we call DevSecOps and making security for developers, it’s really gone mainstream. Right. And I think part of that is realizing is developers, security is everyone’s responsibility is a very overused thing.

Alan Shimel 16:24
Developers are not security people, but I’ve never met a developer in my life who says, I’d like to develop insecure software, right. I want to use an old version of an open source, you know, component that has some known vulnerabilities. None of them want to, we don’t have pride in our work. It’s just we need to make it easier for them to do, and I think that’s something OpenSSF can really help with.

Alan Shimel 16:55
Anyway, I know you’re busy as heck, I want to thank you for coming down and hanging out with us a little bit. To you, Brian, the whole OpenSSF team, keep up the great work well, we’re expecting big things. No pressure. We’re expecting big things from you guys. You really make make a difference.

Jamie Thomas 17:11
Thank you, Alan. I’m really pleased to be here today and immerse myself in this topic and get to know many of the players that are here today. And thanks. Thanks for the opportunity to chat. No problem.

Alan Shimel 17:20
Just before we leave real quickly, the OpenSSF website. I think it’s openssf.org. So go check it out. If you’re not here in person, I believe it is virtual, as well. We love to see you as part of it in support the OpenSSF. We’re gonna take a break here in Austin. We’ll be back in a bit.

Stephen Hendrick and Matt Jarvis on TechStrong TV

While open source software is ubiquitous and generally regarded as being secure, software development practices vary widely across projects regarding application development practices, protocols to respond to defects, or lack of standardized selection criteria to determine which software components are more likely to be secure. Consequently, software supply chains are vulnerable to attack, with implications and challenges for open source project communities. 

To help improve the state of software supply chain security, the Linux Foundation, the Open Source Security Foundation (OpenSSF), Snyk, the Eclipse Foundation, CNCF, and CI/CD Foundation conducted research and released the findings in the report, Addressing Cybersecurity Challenges in Open Source Software, during the 2022 Open Source Summit North America. 

At the Summit, Stephen Hendrick, LF’s Vice President of Research, and Matt Jarvis, Director of Developer Relations at Snyk, sat down with Alan Shimel of TechStrong TV to discuss the findings and next steps. Here are some key takeaways:

Alan: “ I think we’re always disappointed when we do the surveys that we find out, you know, beyond the lip service that gets paid to security, what actually is going on under the covers, and we’re always wishing for and hoping for more. That being said, I don’t want to be pessimistic. I am of the glass half full opinion that we are doing better and more security now than we probably ever have done.”

Stephen: “On the issue of, do organizations have an open source security policy. What we found was 49% said they had one, that’s good. 34% did not. And 17% said they don’t know.”

Matt: “In larger enterprises… you’ve got that kind of ingrained culture over a long time in terms of security and about how you consume software. . . the hardest problem in security isn’t really about technology at all. It’s always about people and culture. . . We’ve got two kinds of things happening in almost a perfect storm. At the same time, we’ve got this massive rise in supply chain attacks on open source, because, you know, it’s a victim of its own success. And attackers have realized it’s a lot easier to get into the supply chain than it is to find zero days in end user applications. So you’ve got that going on, where all of a sudden, folks are going, well, everything we do is based on open source, like, what do I do about security? And then, as Steve pointed out, you’ve got this, this ongoing, massive transformation of how we develop software, you know, this superfast high velocity.”

Stephen: “We asked. . . how do you intend to improve on the situation?. . . Top of the list was organizations are looking for more intelligent tools. . .  That was at 59%. . . Right behind that at 52% was a strong desire to understand and essentially codify best practices for how to do secure software development”

Matt: “Culture change is such a big part of how you make that transition from your kind of old school, security as gatekeeper kind of function, to this thing, where we put it to the developers, because the developers are the ones who, you know, you fix it at the developer eyeball before it’s got anywhere near production. That is the cheapest.”

Stephen: “You know, I did a report last year on SBOMs. And I gotta tell you that factors right into this. . . we did some stats in this survey on dependencies, you know, both direct and transitive, and found, really, sort of low levels of strong, strong security around organizations understanding the security posture of all these different dependencies and dependencies of dependencies. Really low numbers there. SBOMs would go so far in helping sort all that out.

“They’re going to give you knowledge about the metadata, it’s gonna give you usability, so you know that you’re licensed to use the stuff, and it’s going to know if it was good, if you trust that not only what you’re looking at for metadata is not falsified, but also understanding quite clearly, you know, what’s been fixed, what hasn’t been fixed from a vulnerability standpoint.”

Matt: “I think when people think about policies, they think, Oh, this needs to be like a 100 page document of some kind, you know, then it becomes overwhelming, but really a policy can be a one liner.”

Watch the full interview and read the transcript below.

Alan Shimel 0:00
This is Alan Shimel witih Tech Strong TV. We’re back here live in Austin streaming out at you from the Open Source Summit. We’re having a great time. This is our third day of coverage here, though technically, it’s only day two of the event. It’s a long story, but we’ll talk about it later. Let me introduce you to our next two guests. This is a conversation I was really looking forward to. To my left here is a gentleman who’s been on fixture on TV a few times with us and talked in person, great person. He’s the VP of Research for the Linux Foundation, Steven Hendrick. Steven, welcome.

Stephen Hendrick 0:42
Thanks, Alan.

Alan Shimel 0:43
And joining Stephen and I from our friends at Snyk. Matt, Javis. And Matt, if I’m not mistaken, your director of developer relations. Welcome.

Matt Jarvis 0:55
Thank you.

Alan Shimel 0:55
So Steven, and Matt presented, was it yesterday. Yeah, yesterday, on a new survey that you guys recently announced and revealed and report. Why don’t you if you don’t mind share with everybody

Stephen Hendrick 1:10
Sure, I’d love to. OpenSSF is a very large project inside of the Linux Foundation. Brian Behlendorf, yeah. And so at his request, we went out and did a survey into sort of what’s happening in the open source space as far as secure software development. So we put together a survey in March, we fielded that it in April, we wrote it up in May, and had it produced in June. And so it’s being released here at the event. I think that happened yesterday morning. We did it in partnership with Snyk. So that’s why we’ve been working together with the messaging on all this.

Stephen Hendrick 1:55
And it’s it was not a surprise from the standpoint of what the results were. But it wasn’t, I was a little disappointed in kind of where we are at this point, from the standpoint of the uptake of attention to security when it comes to open source. So anyway, so we’ve got information that talk a little bit about, you know, where we are, you know, help, sort of, to understand the context of the problem. And then they have information about what people are doing about it. And it’s, that’s more exciting in many respects, because good things are happening.

Alan Shimel 2:33
I agree. So first of all, look, I think we’re always disappointed when we do the surveys that we find out, you know, beyond the lip service that gets paid to security, what actually is going on under the covers, and we’re always wishing for and hoping for more. That being said, I don’t want to be pessimistic I am of the glass half full opinion that we are doing better and more security now than we probably ever have done. Yeah. Yeah, I agree. That being said, Before we dive into it, I just wanted to really just quickly, so OpenSSF is the website? Yeah. And I’m going to assume that the report is there for anyone who wants to download it. That’s right. Let’s take let’s say that up front for people at home following along, or whether it’s live while you’re watching this.

Stephen Hendrick 3:30
It’s on the Snyk site. It’s so on the Linux Foundation site and it’s on OpenSSF. So yeah, it’s everywhere.

Alan Shimel 3:37
I think we might have covered it via Snyk over on Security Boulevard.

Matt Jarvis 3:41
I think I did some I did some press interviews. Before flying out here. So, yeah, we may have.

Alan Shimel 3:46
It may very well be on our Securityf Boulevard site. But nevertheless, it’s out there for people. Yeah. Let’s dive in now, though, what was some of the findings? Steven?

Stephen Hendrick 3:55
Sure. Well, let’s see what we’ll start with this, this whole issue of do organizations have an open source security policy? And what we found was 49% said they had one, that’s good. That’s good. 34% did not. And 17% said they don’t know. Everybody uses open source – 98% of organizations use it so. So they don’t even know they don’t know if they have won or not. So if you take put aside the don’t knows at this point, you’ve got about a 60/40 split between use that don’t have have a policy and don’t have a policy.

Stephen Hendrick 4:37
I mean, if you look at little more deeply into that, what you find is that small companies are more likely to not have a policy and that’s not surprising, they have resource constrained so it’s harder for them to have CISOs and OSPOs and policies be it for either just software development or open source software development so I can understand challenges there. So, but the idea of when you, even if you look at company size, we still ended up with about 30% of large in very large organizations that don’t have a policy for open source software development.

Alan Shimel 5:16
So a couple of thoughts. First of all, I empathize with small SMB businesses. We are an SMB business, but in today’s day and age, and maybe it’s when you’re a hammer, everything looks like a nail, but in today’s day and age, how do you not have security policies?

Matt Jarvis 5:40
Yeah, I mean, I think that there’s, there’s a couple of different things at play there. I mean, you know, addressing open source security, you know, is, is more complex than than it seems, because it’s not just about the code itself, you’ve kind of got to understand how open sources is created, how projects are governed, because governance can have a big play into, you know, whether we’re looking at some of those recent things around the sort of protestsware movement, where we’ve seen maintainers kind of go rogue, you know, and this comes down to single maintainer governance projects. And you need to take those things like governance into account if you’re going to base your business on something.

Alan Shimel 6:24
Right, but you just said, and that’s a completely loaded question. I would bet, if I was a betting man, right, that at the large enterprise level, you’re 100%, correct. At the SMB level, if you ask most of these people a threshold question of where is your open source software, it’s 10 o’clock, where’s your open source software? And a lot of them don’t know, because they’re SAS-ops companies, right? They don’t they don’t have a server closet, their cloud installation – they run it on SAS. And so the beautiful part about SAS is, one of the nice things about it, is you don’t know what’s behind the curtain, you just know, you log in on the website, and you’ve got all your information there that you need. Are they using an open source database? Are they using, you know, what are they using behind the curtain? A lot of smaller companies don’t know. And as part of their due diligence, they don’t dig that deep. So I could, again, I can empathize with the larger ones, the larger enterprises, though, that’s a problem that is that I think,

Matt Jarvis 7:39
You know, in a lot of those larger enterprises, you’re you’ve got that kind of ingrained culture over a long time in terms of security and about how you consume software. And you know, the hardest problem in security isn’t really about technology at all right? It’s always about people and culture. And I think, you know, probably in a lot of larger organizations, you’ve got kind of, you know, that sort of friction of, well, we’ve always done it like that.

Stephen Hendrick 8:07
Well, you also have a lot of change going on from standpoint of how software is being developed. And I think that’s part of the problem as well, which is that, you know, change is always hard for people. And especially given the rapid evolution of tools and standards, in essence around how we should do security for software. Everything’s changing so quickly, it’s I think, it’s probably hard for people to keep up.

Matt Jarvis 8:33
Because we’ve got these two kind of things happen in almost a perfect storm. At the same time, we’ve got this massive rise in supply chain attacks on open source, because, you know, it’s a victim of its own success. And attackers have realized it’s a lot easier to get into the supply chain than it is to find zero days in end user applications. So you’ve got that going on, where all of a sudden, folks are going, well, everything we do is based on open source, like, what do I do about security? And then, as Steve pointed out, you’ve got this, this ongoing, massive transformation of how we develop software, you know, this superfast high velocity,

Alan Shimel 9:10
I blame DevOps?

Matt Jarvis 9:15
Unless you do, and unless you can transform, you know, someone’s going to eat your lunch, right? Because there’s some hungry competitor behind you who’s disruptive and who does have a superfast software delivery pipeline. They can deliver new features, they know how to analyze the data. And so for a lot of big organizations, you’ve got these two big problems happening right at the same time, because that change in software development requires a completely different approach to security. You know, this space that it’s the thing that sneaks talk about all the time about developers?

Alan Shimel 9:45
I mean, you look at let’s say, the Phoenix Project by Gene Kim, right. And that’s based on a book called The Goal. Yeah, right. And the thing about, so The Goal is about manufacturing, but really the principle behind The Goal, and I think Gene tried to capture that in the Phoenix Project, is that, look, as soon as we kind of erase one bottleneck, we see that next bottleneck right behind it. Don’t think that once you get rid of that bottleneck its smooth sailing, it’s not. We have massively, revolutionarily speeded up the pace of software development. We did it in large part by creating this software factory pipeline, CI/CD, DevOps kind of things. The enabler of that was having this massive library of open source that we can assemble into a very high quality software.

Alan Shimel 10:43
Man, we blew through that roadblock at 150 miles an hour. The wall we hit right after is, wait a second, now, that’s become a huge security problem. Right? So for companies that are developing their own code, this is a major thing? Knowing that though, and still telling me that 30% of the companies don’t have a policy around it, scary. Yeah, it is.

Stephen Hendrick 11:09
Well, let’s we should we should talk about what people are doing about trying to deal with this. Right.

Alan Shimel 11:14
Here’s the good news.

Stephen Hendrick 11:14
So we asked a question, which was, okay, so how do you intend to improve on the situation? What do you what are you doing, and we had quite a long list of responses. Top of the list was, organizations were looking for more intelligent tools from a threat where repetitive security focus. So we’re talking SCA, SAS DAST, IAC, you know, all the usual suspects, and looking really, to those tools to be able to help them improve their security posture. So that was top of the list. That was 59%.

Stephen Hendrick 11:52
And then right behind that at 52% was a strong desire to understand and essentially codified best practices for how to do secure software development. That was really encouraging, because we know all about best practices. Yep. Know exactly what they all are. In fact, David Wheeler, at LF.

Stephen Hendrick 12:14
We had David A. Wheeler. We interviewed David yesterday and we have a follow-up as well.

Stephen Hendrick 12:32
He and I had lunch yesterday, and we were talking about this, because I said, you know, how many best practices do you have? So we know counted them all up – he’s got like, 150, 160. So that’s kind of daunting. And he said, like the last 25 to get to the highest level can take, in some cases, years to master. So this is, this is, despite understanding what these best practices are, it’s still very challenging to wrap your head around what is necessary to be successful there.

Matt Jarvis 13:00
It’ll be good. And partly because, you know, as we were just talking about that, that culture change is such a big part of how you make that transition from, you know, you kind of old school, security as gatekeeper kind of function, to this thing, where we put it to the developers, because the developers are the ones who, you know, you fix it at the developer eyeball before it’s got anywhere near, you know, production. That is the cheapest.

Alan Shimel 13:28
Say 10 to 100x cheaper to do there.

Matt Jarvis 13:30
I mean, we look at the other interesting thing here that’s slightly tangential to this, but is like how many developers there are in the world, right, and how many we anticipate there being you know, there’s something like, I think the anticipation is something like 30 million developers in the world, and there’s only, like, a tiny proportion of security folk.

Alan Shimel 13:51
So I go by GitHub accounts. Right? There’s about 70 plus million GitHub accounts right now. So let’s assume it’s not one-to-one. But I think it’s safe to say this 40 to 45 million developers, probably growing at somewhere in the area of 10% a year.

Matt Jarvis 14:08
And security professionals aren’t aren’t growing at that rate.

Alan Shimel 14:13
So security professionals are growing because we’re starting to see, look, when I came up, you didn’t have a cybersecurity major in college. We’re seeing schools churn out cybersecurity majors. Are they security professionals? I’ll leave it to you. But there are people coming out here who want to work in security, but not anywhere near I mean, you’re talking here in here.

Alan Shimel 14:39
Here’s an interesting thing, though. And I think it’s what’s turning up the heat on all of this, is that this is getting major focus from the White House, from the federal government. The whole world is saying hey, this is a problem. This is a big problem.

Stephen Hendrick 14:58
Well, you know, you got to do something you You know, I did a report last year survey on SBOMs. Yep. And I gotta tell you that factors right into this No, of course, because, you know, we did some stats in this survey on dependencies, you know, both direct and transitive, and found, really, sort of low levels of strong, strong security around, you know, organizations understanding the security posture of all these different dependencies and dependencies of dependencies. Really low numbers there.

Stephen Hendrick 15:34
SBOMs would go so far in helping sort all that out, because, you know, SBOMs, they’re going to give you knowledge about the metadata, it’s gonna give you usability, so you know that you’re licensed to use the stuff, and it’s going to know if it was good, if you trust that not only what you’re looking at for metadata is not falsified, but also understanding quite clearly, you know, what’s been fixed, what hasn’t been fixed from a vulnerability standpoint.

Alan Shimel 15:59
So I’ll tell you over the last two days, we’ve, we’ve done a lot of interviews, but no shortage of people talking about SBOMs and SBOM solutions. I think we’re going to see, just like everything else in technology, we’re gonna see sort of a camp Cambrian explosion of SBOM solutions out there, and then the market will figure out which ones make sense, which ones don’t. My fear is that we, we think SBOMs are a magic bullet for supply chain security, because we have a tendency of doing that in security.,

Matt Jarvis 16:33
Ultimately I think the real challenge here is going to be the chain of trust part of that, right? Because what’s an SBOM at the end of the day, it’s a text file with some stuff.

Alan Shimel 16:43
Oh, no, but they’re, you know, they’re, they’re building some elaborate text files in there.

Stephen Hendrick 16:49
It’s a lot of good metadata. Yeah, but one more point I want to touch on, though, is that the number three issue from the standpoint of doing improvements to your software security posture was more automation. So IAC tools ended up ranking very highly from the standpoint of helping you address that particular need, and just for our audience, IAC (infrastructure as code), right. Okay. So that one actually surprised me, because this whole idea of, you know, developers/manual activities, not only that is a great way to invite in problems. And so more automation, ultimately, is better.

Matt Jarvis 17:33
We did some some work last year as part of our cloud native application security report. And what was really interesting there was, you know, we kind of use high levels of development automation, i.e.automated CI/CD pipelines and all that stuff as a as a proxy for how far along your cloud native journey you are. I think it’s a pretty reasonable proxy to take. And in organizations with those high levels of of deployment automation, for a start, we see much higher levels of adoption of security tooling, because automation gives you lots of places where you can hook in other automation. But, most importantly, we see massive reduction in the time to fix the vulnerabilities. Because through directly through a direct correlation to okay,

Alan Shimel 18:25
I’ve been in security a long time. We had a vulnerability solution company I founded back in 2005. Back then, there was a company called Hercules – Citadel was the company Hercules was the product, right? They were doing, you know, they were pushing automated remediation. There’s several companies today that have automated remediation. For whatever reason, up until now, organizations have been hesitant to adopt automated remediation, because they’re afraid it’s going to break something else if it’s in a totally automated situation. Now, doing this further left in the in the development pipeline, if it’s broken, supposedly, that should come up in testing.

Matt Jarvis 19:16
I mean, this is again what we see when when companies adopt Snky, is like, you know, the the automated remediation part of in terms of automated fix PRs, you know, is, is probably not where people start, but very quickly, they go out.

Alan Shimel 19:33
Yeah, look, this is a no brainer. Yeah, absolutely, because it goes back to what I said before blame DevOps, right. If we are going to automate the CI/CD pipeline, we’re going to automate building software, the answer cannot be that we’re going to manually do security. It just doesn’t work. It’s a disconnect.

Matt Jarvis 19:54
Yeah, I mean, and it’s an anti-pattern in terms of velocity, right. I mean, velocity is the key differentiator for whether, sort of, visitors in the cloud era are going to survive. Absolutely, because if you don’t have velocity, you are probably don.e.

Alan Shimel 20:08
No, but a lesson we learned in security, or we should have learned over the last 25 years, is if we are going to drag our heels and dig our heels in and say no, no, no, no. You know what? The train leaves the station without you. Yeah. So easy to get on board and figure out yes, we can. And here’s how we’ll get out of the way. Right? Lead, follow, get out of the way. Security cannot be the drag on this because velocity is too important.

Matt Jarvis 20:36
And where we see folks who’ve successfully made this transition to developer-first, you see this sort of this change in security teams from kind of being gatekeepers to being enablers.

Alan Shimel 20:41
DevSecOps right there. Yeah, you just the just the the heart of it. That’s it. Steven, anything else?

Stephen Hendrick 21:02
So what’s the answer to this issue of not having a security policy? I mean, is it, Do you need to start with the CISO? Did you start with an OSPO? Do you need, or at least part time roles and people in organizations, you know, in those functions if you are small? I’m not sure what the answer is, but I mean, we need one.

Matt Jarvis 21:27
I think when people think about policies, they think, Oh, this needs to be like 100 page document of some kind, you know, this is it becomes overwhelming, but really a policy can be a one liner.. I mean, we, we have this conversation a lot when people start to adopt security scanning, right, they’ve done no security scanning before, and they scan this software, and they go, Oh, my God, I’ve got like 500 vulnerabilities. What do I do? But you’ve got to just pick a starting point. Right. And I mean, usually, you know, a sensible place would be no critical vulnerabilities that have got a fix in production. Well, there’s a policy right there, right. And it’s three lines. I, and it’s better than having these zeros.,

Alan Shimel 22:06
100% right. I run into this firsthand. People, they hear we need a security policy, they think I need the employee handbook, right, that comes from you know, this thick. You know, it could be one page or five bullet points. Anything that’s critical is worthy to stop production. Anything not critical does not stop production but has to get fixed within 30 days. That’s a policy.

Matt Jarvis 22:32
I mean, there’s plenty of great, templated stuff of usage of open source. You know, this stuff by the way.

Alan Shimel 22:39
I’d love to the OpenSSF have a library of that kind of thing. Yeah.

Stephen Hendrick 22:47
And actually, the good news is once you have policy then automation can follow up pretty quickly. That’s that’s, that’s the right path. You’re right.

Alan Shimel 22:54
Guys, we’ve got our next guest here in the wings. We could talk about this all day, I’m sure. I’d love to, but it wouldn’t be fair to them. Again, you can get this survey over on the Snky site, which is snky.io. Or on the OpenSSF site.

Alan Shimel 23:17
Steven, good work again. I love you surveys. Very good. We are going to take a quick break. We’re going to make up our next guest and we’ll be right back here with live in Austin.

10th annual jobs report facts

The tenth annual Open Source Jobs Report from the Linux Foundation and edX was released today, examining trends in open source hiring, retention, and training

SAN FRANCISCO – June 22, 2022The Linux Foundation, the nonprofit organization enabling mass innovation through open source, and edX, a leading global online learning platform from 2U, Inc. (Nasdaq: TWOU), have released the 10th Annual Open Source Jobs Report, examining the demand for open source talent and trends among open source professionals.

The need for open source talent is strong in light of continuing cloud adoption and digital transformation across industries. As the COVID pandemic wanes, both retention and recruitment have become more difficult than ever, with 73% of professionals reporting it would be easy to find a new role and 93% of employers struggling to find enough skilled talent. Although the majority of open source professionals (63%) reported their employment did not change in the past year, one-in-three did report they either left or changed jobs, which puts additional pressure on employers trying to hold onto staff with necessary skills. While this may not reach levels of a “Great Resignation”, this turnover is putting more pressure on companies.

“Every business has struggled with recruiting and retaining talent this past year, and the open source industry has been no different,” said Linux Foundation Executive Director Jim Zemlin. “Organizations that want to ensure they have the talent to meet their business goals need to not only differentiate themselves to attract that talent, but also look at ways to close the skills gap by developing net new and existing talent. This report provides insights and actionable steps they can take to make that happen.”

“This year’s report found that certifications have become increasingly important as organizations continue to look for ways to close skills gaps. We see modular, stackable learning as the future of education and it’s promising to see employers continuing to recognize these alternative paths to gain the skills needed for today’s jobs,” said Anant Agarwal, edX Founder and 2U Chief Open Education Officer.

10th annual jobs report factsThe tenth annual Open Source Jobs Report examines trends in open source careers, which skills are most in-demand, the motivation for open source professionals, and how employers attract and retain qualified talent. Key findings from the Open Source Jobs Report include: 

  • There remains a shortage of qualified open source talent: The vast majority of employers (93%) report difficulty finding sufficient talent with open source skills. This trend is not going away with nearly half (46%) of employers planning to increase their open source hiring in the next six months, and 73% of open source professionals stating it would be easy to find a new role should they choose to move on.
  • Compensation has become a greater differentiating factor: Financial incentives including salary and bonuses are the most common means of keeping talent, with two-in-three open source professionals saying a higher salary would deter them from leaving a job. With flex time and remote work becoming the industry standard, lifestyle benefits are becoming less of a consideration, making financial incentives a bigger differentiator.
  • Certifications hit new levels of importance: An overwhelming number of employers (90%) stated that they will pay for employees to obtain certifications, and 81% of professionals plan to add certifications this year, demonstrating the weight these credentials hold. The 69% of employers who are more likely to hire an open source professional with a certification also reinforces that in light of talent shortages, prior experience is becoming less of a requirement as long as someone can demonstrate they possess the skills to do the job.
  • Cloud’s continued dominance: Cloud and container technology skills remain the most in demand this year, with 69% of employers seeking hires with these skills, and 71% of open source professionals agreeing these skills are in high demand. This is unsurprising with 77% of companies surveyed reporting they grew their use of cloud in the past year. Linux skills remain in high demand as well (61% of hiring managers) which is unsurprising considering how much Linux underpins cloud computing.
  • Cybersecurity concerns are mounting: Cybersecurity skills have the fourth biggest impact on hiring decisions, reported by 40% of employers, trailing only cloud, Linux and DevOps. Amongst professionals, 77% state they would benefit from additional cybersecurity training, demonstrating that although the importance of security is being recognized more, there is work to be done to truly secure technology deployments.
  • Companies are willing to spend more to avoid delaying projects: The most common way to close skills gaps currently according to hiring managers is training (43%), followed by 41% who say they hire consultants to fill these gaps, an expensive alternative and an increase from the 37% reporting this last year. This aligns with the only 16% who are willing to delay projects, demonstrating digital transformation activities are being prioritized even if they require costly consultants.

This year’s report is based on survey responses from 1,672 open source professionals and 559 respondents with responsibility for hiring open source professionals. Surveys were fielded online during the month of March 2022.

The full 10th Annual Open Source Jobs Report is available to download here for free.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

# # #

Media Contact:
Dan Brown
The Linux Foundation
415-420-7880
dbrown@linuxfoundation.org

state of open source security report

The State of Open Source Security Highlights Many Organizations Lacking Strategies to Address Application Vulnerabilities Arising from Code Reuse

BOSTON — June 21, 2022 — Snyk, the leader in developer security, and The Linux Foundation, a global nonprofit organization enabling innovation through open source, today announced the results of their first joint research report, The State of Open Source Security.

The results detail the significant security risks resulting from the widespread use of open source software within modern application development as well as how many organizations are currently ill-prepared to effectively manage these risks. Specifically, the report found:

  • Over four out of every ten (41%) organizations don’t have high confidence in their open source software security;
  • The average application development project has 49 vulnerabilities and 80 direct dependencies (open source code called by a project); and,
  • The time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.

“Software developers today have their own supply chains – instead of assembling car parts,  they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns,” said Matt Jarvis, Director, Developer Relations, Snyk. “This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue building fast, while also staying secure.”

“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them more challenging to secure,” said Brian Behlendorf, General Manager, Open Source Security Foundation (OpenSSF). “This research clearly shows the risk is real, and the industry must work even more closely together in order to move away from poor open source or software supply chain security practices.” (You can read the OpenSSF’s blog post about the report here)

Snyk and The Linux Foundation will be discussing the report’s full findings as well as recommended actions to improve the security of open source software development during a number of upcoming events:

41% of Organizations Don’t Have High Confidence in Open Source Software Security

Modern application development teams are leveraging code from all sorts of places. They reuse code from other applications they’ve built and search code repositories to find open source components that provide the functionality they need. The use of open source requires a new way of thinking about developer security that many organizations have not yet adopted.

Further consider:

  • Less than half (49%) of organizations have a security policy for OSS development or usage (and this number is a mere 27% for medium-to-large companies); and,
  • Three in ten (30%) organizations without an open source security policy openly recognize that no one on their team is currently directly addressing open source security.

Average Application Development Project: 49 Vulnerabilities Spanning 80 Direct Dependencies

When developers incorporate an open source component in their applications, they immediately become dependent on that component and are at risk if that component contains vulnerabilities. The report shows how real this risk is, with dozens of vulnerabilities discovered across many direct dependencies in each application evaluated.

This risk is also compounded by indirect, or transitive, dependencies, which are the dependencies of your dependencies. Many developers do not even know about these dependencies, making them even more challenging to track and secure.

That said, to some degree, survey respondents are aware of the security complexities created by open source in the software supply chain today:

  • Over one-quarter of survey respondents noted they are concerned about the security impact of their direct dependencies;
  • Only 18% of respondents said they are confident of the controls they have in place for their transitive dependencies; and,
  • Forty percent of all vulnerabilities were found in transitive dependencies.

Time to Fix: More Than Doubled from 49 Days in 2018 to 110 Days in 2021

As application development has increased in complexity, the security challenges faced by development teams have also become increasingly complex. While this makes development more efficient, the use of open source software adds to the remediation burden. The report found that fixing vulnerabilities in open source projects takes almost 20% longer (18.75%) than in proprietary projects.

About The Report

The State of Open Source Security is a partnership between Snyk and The Linux Foundation, with support from OpenSSF, the Cloud Native Security Foundation, the Continuous Delivery Foundation and the Eclipse Foundation. The report is based on a survey of over 550 respondents in the first quarter of 2022 as well as data from Snyk Open Source, which has scanned more than 1.3B open source projects.

About Snyk

Snyk is the leader in developer security. We empower the world’s developers to build secure applications and equip security teams to meet the demands of the digital world. Our developer-first approach ensures organizations can secure all of the critical components of their applications from code to cloud, leading to increased developer productivity, revenue growth, customer satisfaction, cost savings and an overall improved security posture. Snyk’s Developer Security Platform automatically integrates with a developer’s workflow and is purpose-built for security teams to collaborate with their development teams. Snyk is used by 1,500+ customers worldwide today, including industry leaders such as Asurion, Google, Intuit, MongoDB, New Relic, Revolut, and Salesforce.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

There are some universal truths about open source software (OSS). It has revolutionized our world and become the foundation of our digital society, the backbone of our digital economy, and the basis of our digital existence. Every household and enterprise brand name in technology is built upon it, whether that name is Alexa or Android, Azure, or AWS. 

Open source software has played a significant part in everything from the internet and mobile apps we use every day to operating systems and programming languages used to construct the future. Even the systems we traditionally think of as being closed, such as Microsoft Windows and Apple’s Mac and iPhone, are developed using open source software.

Just as a powerful current drives the arteries of a river, open source software is the force that propels our digital economy and allows for scientific and technological advancements that benefit our lives. 

But only a few decades ago, few people had even heard of open source software, and it was limited to a small group of enthusiastic devotees. Yet the concept of free and open source software (FOSS) has been around a long time, going back to the early days of the user communities for IBM mainframes and academic institutions. FOSS is software that anyone can use, study, modify, and distribute without restriction. The term “open source” was coined to describe this type of software, and the concept was formalized with the launch of the Open Source Initiative (OSI) in 1998.

Organizations involved in building products or services involving software, regardless of their specific industry or sector, are likely to adopt OSS and contribute to open source projects deemed critical to their products and services. Organizations are creating open source program offices (OSPOs) to manage their open source activities, from adopting OSS and compliance with applicable licenses to participating in open standards and foundations. 

Many new industries and thousands of businesses have joined the open source revolution. Those organizations that chose a deliberate OSS strategy, incorporating best practices,  methods, and engineering processes, emerged as leaders in their industries or verticals for open source initiatives.

And yet, many organizations have not embraced open source at all. Some see it as a risky undertaking, lacking a strategy to move forward, needing pathways to see the value proposition of free and open source software, and requiring migration from a risk point of view to a value point of view. In addition to challenges with open source consumption, many organizations prohibit their employees from open source contributions either on their behalf or personally in the employee’s spare time.

To help guide organizations through their own open source journeys, Ibrahim Haddad, Ph.D., Executive Director of LF AI & Data, has written a report that offers a practical and systematic approach to establishing an OSS strategy, which includes developing an implementation plan and accelerating an organization’s open source efforts. 

The past two decades have been critical for open source software in enterprise engagement and adoption. The challenge for organizations is their transition from ad hoc and incidental adoption to open source value delivered back to the business using a strategic and planned methodology. This report delivers on the promise of helping enterprises establish an open source strategy, develop and execute an implementation plan, and accelerate their open source efforts to support their business goals. 

Ibrahim Haddad, Ph.D.

This research is a collection of learnings and best practices that Dr. Haddad has developed, collaborating with the LF AI & Data community members who have pursued their own open source journeys for years.

Effective organizations have guided their open source usage through strategy, honed over time with communities such as LF AI & Data and the TODO Group to guide their ongoing use of OSS and their engagement with the open source ecosystem.

This report helps to address the fears of transitioning to open source and explore the many opportunities it offers by covering the following topics:

  • The business case for open source software
  • How to develop an open source strategy
  • Creating an open source program office
  • Implementing an open source strategy
  • Measuring success with open source
  • Best practices for organizational involvement in open source projects

happy first birthday LF research

When I started at The Linux Foundation (LF) a few weeks ago, our research was one of the first things I dug into as I absorbed and learned what all the LF does to advance open source. Plus, since I started, it seems like the LF Research team has published a new report every few days. What a wealth of information!

So, imagine my surprise when I learned that LF Research has just been around for one year. April 15th marked their one year birthday – and they have set the bar high in their first year. 

But are they making a difference? I know my inclination, especially having spent time working in government, is that research reports get published and then sit on virtual shelves, never to be seen again. But LF Research uses the open source model of bringing people together to solve problems and to share the solutions widely. They engage LF members and the community, across the ecosystem, to answer the question, what are the tools we can create, together, for shared value. And, importantly, their reports focus on action items.

Over the past twelve months, LF Research has published 12 reports across a variety of topics and industry verticals. Each of them are presented below. Take time to look at their work, dig in deeper on topics that interest you, and then go, make a difference. 

And  stay tuned for more impactful research in 2022 on topics such as cybersecurity insights in the developer process, mentorship, a guide to enterprise open source, an updated state of the open source program office, a new jobs report, and much, much more.

The Carbon Footprint of NFTs – NFTs are simultaneously overhyped and met with both skepticism and a general lack of understanding on what they are and how they work. Serious concerns have also been raised over energy-intensive proof-of-work (PoW) consensus mechanisms. The report, just released last week, studies the concern that energy-intensive PoW consensus mechanisms for NFTs have a significant impact on the climate. The report details the changes taking place in the blockchain industry to address this issue, and describes howNFTs can have varying carbon footprints depending on their underlying technology stacks. Read it to learn how we can make a difference now.

Open Source in AI report cover

AI and Data in Open Source – The report reviews critical challenges in the open source AI ecosystem, such as the talent shortage, the trust gap for AI-enabled products, implementing and verifying trusted and responsible AI systems and processes, and more. But, with challenges are opportunities – opportunities that could change the world. Imagine how marrying AI with edge computing enhances performance and real-time decision making, or how CDLA licenses enable wider sharing and use of open data and the innovation that sparks in AI and machine learning models. The report also reviews how the LF AI & Data Foundation is empowering innovators and accelerating open source development. Read the full report and get excited!

report: artificial intelligence and data in open source

Paving the Way to Battle Climate Change: How Two Utilities Embraced Open Source to Speed Modernization of the Electric Grid – New technology has to be easy to use and workable to be adopted widely enough to make a difference – this holds true in electricity production. As the energy sector innovates to do its part to arrest climate change, it must find solutions to ease the adoption of new energy sources. As the electricity infrastructure modernizes, electricity is provided into the grid from a variety of sources – homes, business, wind and solar farms, etc. – rather than just from the local power plant. It goes from TSOs (main power lines) to DSOs (the “last mile” so to speak). Netherlands’ Alliander, a DSO, and France’s RTE, a TSO, contributed to three LF Energy projects (SEAPATH, CoMPAS, and OpenSTEF) so their electrical substations will become more modular, interoperable, and scalable. This report digs into the case studies to show how working together via open source enables them to develop more software solutions up to ten times faster than working on their own proprietary solutions.

paying the way to battle climate change with open source

Open Source in Entertainment: How the Academy Software Foundation Creates Shared Value – Truth be told, when I try to explain open source software and what we foster at the LF among my friends and family, I use the Academy Software Foundation as an example. I mean, let’s be honest, movies are way more interesting and relatable than software supply chains or licensing. The ASWF also serves as a stellar example of why companies would want to join forces and collaborate on a common software solution – let’s share resources to make the foundational tools together and then innovate on top of that on our own. We can all grow together by raising the foundation we start at. This report is a story about industry competitors, who, by working together, have shared and developed the technologies used to create mesmerizing visual effects for professional studios and filmmaking enthusiasts alike. It should spark open source innovation in other industries too (see FINOS below). 

open source in entertainment report

Census II of Free and Open Source Software – Application Libraries – There are more software vulnerabilities out there than there are resources available to fix them, so knowing which ones are more widely utilized and which ones are used in more critical instances allows for better resource prioritization. Makes sense, right? This report builds on the Census I report, which focused on the lower level critical operating system libraries and utilities. It utilizes data from partner Software Composition Analysis (SCA) companies including Synk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA.  They looked at over half a million observations of Free and Open Source Software libraries used in production applications at thousands of companies.  See the data and read the report written by and see the data here

harvard census ii report image

The Evolution of the Open Source Program Office – The TODO Group is an LF project community to help organizations run successful and effective open source program offices or similar open source initiatives. This report was produced in partnership with them to provide rich insight, direction, and tools to implement an OSPO or an open source initiative with corporate, academic, or public sector environments. It also has case studies from Bloomberg, Comcast, and Porsche – the last of which was especially cool for the car geek in me. Check it out here

the evolution of the open source program office

The State of the Software Bill of Materials (SBOM) and Cybersecurity Readiness – An SBOM is a formal and machine-readable metadata that uniquely identifies a software package and its contents. It allows organizations to quickly and accurately determine which software applications and libraries are used and where so they can effectively address vulnerabilities. The report offers fresh insight into the state of SBOM readiness and helps organizations looking to better understand SBOMs as an important tool in securing software supply chains. They need to be adopted now – so go read the report.

Diversity, Equity, and Inclusion in Open Source – Diversity, equity, and inclusion (DEI) in the technology industry — and within open source specifically—is an opportunity we need to continuously leverage for the benefits it brings. In addition to the survey findings on the state of DEI, this research explores a number of DEI initiatives and their efficacy and recommends action items for the entire stakeholder ecosystem to further their efforts and build inclusion by design. Access the report here.

DEI in open source report cover

Data and Storage Trends Report – The SODA Foundation is an open source project under the Linux Foundation that fosters an ecosystem of open source data management and storage software for data autonomy. The report is based on a survey in English, Chinese, and Japanese-speaking markets to identify the current challenges, gaps, and trends for data and storage in the era of Cloud Native, edge, AI, and 5G. The intention is to use this survey data to help guide the SODA Foundation and its surrounding ecosystem on important issues and help its members be better equipped to make decisions, improve their products, and the SODA Foundation to establish new technical directions.

2021 data and storage trends report

The State of Open Source in Financial Services Report – While the financial services industry has been a long-time consumer of open source software, contributing to software and standards development has not been at the core of their business models and tech strategies. This report creates a baseline of their current activities, highlights obstacles and challenges to improving industry-wide collaboration, and lays out a set of actionable insights for improving the state of open source in financial services. You can read the report here

FINOS survey

9th Annual Open Source Jobs Report – ​​ The LF partnered with edX to shed light on the changes and challenges in the global open source jobs market. Employers can use its actionable insights to inform their hiring, training, and diversity awareness efforts. It also gives professionals clear, unbiased insights on which skills are most marketable and how reskilling and certifications benefit job seekers. Dig in here

2021 open source jobs report

Hyperledger Brand Study – The study explores the state of the enterprise blockchain market and the Hyperledger brand. It looks at whether enterprises have or are considering adopting blockchain, which solutions they are familiar with, what are desirable attributes of solutions, what problems they are addressing with blockchain technology, and much, much more. You can read the results and access the underlying data here

enterprise blockchain and the hyperledger brand

Open Source Software (OSS) is a proven model that delivers tangible benefits to businesses, including improved time-to-market, reduced costs, and increased flexibility. OSS is pervasive in the technology landscape and beyond it, with adoption across multiple industries. In a 2022 survey by Red Hat, 95 percent of IT leaders said they are using open source in their IT infrastructure, which will only increase.

Artificial intelligence (AI) is no different from any other technology domain where OSS dominates. In a recent paper published by Linux Foundation Research, written by Dr. Ibrahim Haddad, General Manager of the LF AI & Data Foundation, over 300 critical open source projects have been identified offering over 500 million lines of code, contributed by more than 35,000 developers who work side by side to advance the state of technology in an open, collaborative, and transparent way.

As with other industries, OSS adoption in the AI field has increased the use of open source in products and services, contributions to existing projects, the creation of projects fostering collaboration, and the development of new technologies due to this amazing success story.

In this paper, you will read that while AI in open source has followed a similar model to other industries embracing the popular methodology, Dr. Haddad has some unique observations to share, which include:

  • An incubation model for AI open source projects is effective when appropriately executed by neutral organizations that can scale them, such as the Linux Foundation.
  • Consolidation is bound to happen around platforms, frameworks, and libraries that address similar challenges. Unlike typical fragmentation scenarios, where there are winning and losing projects, Dr. Haddad believes the net result will be a win-win as successful projects grab their share of contributors.
  • License choices can affect a project’s growth — and licenses approved by the Open Source Initiative (OSI) are most preferred because developers and enterprises are already familiar with them.
  • Open data licenses such as Community Data License Agreement (CDLA) have begun to commoditize training data. These license terms will help democratize the overall AI marketplace by lowering the barriers to entry when offering an AI-backed service. Proprietary datasets will continue to exist, but data availability under the CDLA licenses (two versions exist) should allow everyone to build credible products, including smaller players.

So what does this mean for the future of AI? It means that businesses will continue to rely on open source software to power their AI initiatives and that collaboration will be key to success. The open source model has been successful in AI because it allows developers to come together and share code, data, and ideas. This type of collaboration is essential for advancing any technology, and we can expect to see even more impressive innovations come out of the AI community in the years to come. Ultimately, we are faster and more innovative together.

Jason Perlow, Director of Project Insights and Editorial Content, spoke with Stephen Hendrick about Linux Foundation Research and how it will promote a greater understanding of the work being done by open source projects, their communities, and the Linux Foundation.

JP: It’s great to have you here today, and also, welcome to the Linux Foundation. First, can you tell me a bit about yourself, where you are from, and your interests outside work?

SH: I’m from the northeastern US.  I started as a kid in upstate NY and then came to the greater Boston area when I was 8.  I grew up in the Boston area, went to college back in upstate NY, and got a graduate degree in Boston.  I’ve worked in the greater Boston area since I was out of school and have really had two careers.  My first career was as a programmer, which evolved into project and product management doing global cash management for JPMC.  When I was in banking, IT was approached very conservatively, with a tagline like yesterday’s technology, tomorrow.  The best thing about JPMC was that it was where I met my wife.  Yes, I know, you’re never supposed to date anybody from work.  But it was the best decision I ever made.  After JPMC, my second career began as an industry analyst working for IDC, specializing in application development and deployment tools and technologies.  This was a long-lived 25+ year career followed by time with a couple of boutique analyst firms and cut short by my transition to the Linux Foundation.

Until recently, interests outside of work mainly included vertical pursuits — rock climbing during the warm months and ice climbing in the winter.  The day I got engaged, my wife (to be) and I had been climbing in the morning, and she jokes that if she didn’t make it up that last 5.10, I wouldn’t have offered her the ring.  However, having just moved to a house overlooking Mt. Hope bay in Rhode Island, our outdoor pursuits will become more nautically focused.

JP: And from what organization are you joining us?

SH: I was lead analyst at Enterprise Management Associates, a boutique industry analyst firm.  I initially focused my practice area on DevOps, but in reality, since I was the only person with application development and deployment experience, I also covered adjacent markets that included primary research into NoSQL, Software Quality, PaaS, and decisioning.  

JP: Tell me a bit more about your academic and quantitative analysis background; I see you went to Boston University, which was my mom’s alma mater as well. 

SH:  I went to BU for an MBA.  In the process, I concentrated in quantitative methods, including decisioning, Bayesian methods, and mathematical optimization.  This built on my undergraduate math and economics focus and was a kind of predecessor to today’s data science focus.  The regression work that I did served me well as an analyst and was the foundation for much of the forecasting work I did and industry models that I built.  My qualitative and quantitative empirical experience was primarily gained through experience in the more than 100 surveys and in-depth interviews I have fielded.  

JP: What disciplines do you feel most influence your analytic methodology? 

SH: We now live in a data-driven world, and math enables us to gain insight into the data.  So math and statistics are the foundation that analysis is built on.  So, math is most important, but so is the ability to ask the right questions.  Asking the right questions provides you with the data (raw materials) shaped into insights using math.  So analysis ends up being a combination of both art and science.

JP: What are some of the most enlightening research projects you’ve worked on in your career? 

SH:  One of the most exciting projects I cooked up was to figure out how many professional developers there were in the world, by country, with five years of history and a 5-year forecast.  I developed a parameterized logistics curve tuned to each country using the CIA, WHO, UN, and selected country-level data.  It was a landmark project at the time and used by the world’s leading software and hardware manufacturers. I was flattered to find out six years later that another analyst firm had copied it (since I provided the generalized equation in the report).

I was also interested in finding that an up-and-coming SaaS company had used some of my published matrix data on language use, which showed huge growth in Ruby.  This company used my findings and other evidence to help drive its acquisition of a successful Ruby cloud application platform.

JP: I see that you have a lot of experience working at enterprise research firms, such as IDC, covering enterprise software development. What lessons do you think we can learn from the enterprise and how to approach FOSS in organizations adopting open source technologies?

SH: The analyst community has struggled at times to understand the impact of OSS. Part of this stems from the economic foundation of the supply side research that gets done.  However, this has changed radically over the past eight years due to the success of Linux and the availability of a wide variety of curated open source products that have helped transform and accelerate the IT industry.  Enterprises today are less concerned about whether a product/service is open or closed source.  Primarily they want tools that are best able to address their needs. I think of this as a huge win for OSS because it validates the open innovation model that is characteristic of OSS. 

JP: So you are joining the Linux Foundation at a time when we have just gotten our research division off the ground. What are the kind of methodologies and practices that you would like to take from your years at firms like IDC and EMA and see applied to our new LF Research?

SH: LF is in the enviable position of having close relationships with IT luminaries, academics, hundreds of OSS projects, and a significant portion of the IT community.  The LF has an excellent opportunity to develop world-class research that helps the IT community, industry, and governments better understand OSS’s pivotal role in shaping IT going forward.

I anticipate that we will use a combination of quantitative and qualitative research to tell this story.  Quantitative research can deliver statistically significant findings, but qualitative interview-based research can provide examples, sound bites, and perspectives that help communicate a far more nuanced understanding of OSS’s relationship with IT.

JP: How might these approaches contrast with other forms of primary research, specifically human interviews? What are the strengths and weaknesses of the interview process?

SH: Interviews help fill in the gaps around discrete survey questions in ways that can be insightful, personal, entertaining, and unexpected.  Interviews can also provide context for understanding the detailed findings from surveys and provide confirmation or adjustments to models based on underlying data.

JP: What are you most looking forward to learning through the research process into open source ecosystems?

SH: The transformative impact that OSS is having on the digital economy and helping enterprises better understand when to collaborate and when to compete.

JP: What insights do you feel we can uncover with the quantitative analysis we will perform in our upcoming surveys? Are there things that we can learn about the use of FOSS in organizations?

SH: A key capability of empirical research is that it can be structured to highlight how enterprises are leveraging people, policy, processes, and products to address market needs.  Since enterprises are widely distributed in their approach and best/worst practices to a particular market, data can help us build maturity models that provide advice on how enterprises can shape strategy and decision based on the experience and best practices of others.

JP: Trust in technology (and other facets of society) is arguably at an all-time low right now. Do you see a role for LF Research to help improve levels of trust in not only software but in open source as an approach to building secure technologies? What are the opportunities for this department?

SH: I’m reminded by the old saying that there are “lies, damned lies, and then there are statistics.” If trust in technology is at an all-time low, it’s because there are people in this world with a certain moral flexibility, and the IT industry has not yet found effective ways to prevent the few from exploiting the many.  LF Research is in the unique position to help educate and persuade through factual data and analysis on accelerating improvements in IT security.

JP: Thanks, Steve. It’s been great talking to you today!

Jason Perlow, Director of Project Insights and Editorial Content at the Linux Foundation, spoke with Hilary Carter about Linux Foundation Research and how it will create better awareness of the work being done by open source projects and their communities.

JP: It’s great to have you here today, and also, welcome to the Linux Foundation. First, can you tell me a bit about yourself, where do you live, what your interests are outside work?

HC: Thank you! I’m a Toronto native, but I now live in a little suburban town called Aurora, just north of the city. Mike Meyers — a fellow Canadian — chose “Aurora, IL” for his setting of Wayne’s World, but he really named the town after Aurora, ON. I also spend a lot of time about 3 hours north of Aurora in the Haliburton Highlands, a region noted for its beautiful landscape of rocks, trees, and lakes — and it’s here where my husband and I have a log cabin. We ski, hike and paddle, with our kids, depending on the season. It’s an interesting location because we’re just a few kilometers north of the 45th parallel — and at the spring and fall equinox, the sun sets precisely in the west right off of our dock. At the winter and summer solstice, it’s 45 degrees to the south and north, respectively. It’s neat. As much as I have always been a bit obsessed with geolocation, I had never realized we were smack in the middle of the northern hemisphere until our kids’ use of Snapchat location filters brought it to our attention. Thank you, mobile apps! 

JP: And what organization are you joining us from?

HC: My previous role was Managing Director at the Blockchain Research Institute, where I helped launch and administer their research program in 2017. Over nearly four years, we produced more than 100 research projects that explored how blockchain technology — as the so-called Internet of value — was transforming all facets of society — at the government and enterprise-level as well as at the peer-to-peer level. We also explored how blockchain converged with other technologies like IoT, AI, additive manufacturing and how these developments would change traditional business models. It’s a program that is as broad as it is deep into a particular subject matter without being overly technical, and it was an absolutely fascinating and rewarding experience to be part of building that.

JP: Tell me a bit more about your academic background; what disciplines do you feel most influence your research approach? 

HC: I was a Political Studies major as an undergrad, which set the stage for my ongoing interest in geopolitical issues and how they influence the economy and society. I loved studying global political systems, international political economy, and supranational organizations and looking at the frameworks built for global collaboration to enable international peace and security under the Bretton Woods system. That program made me feel incredibly fortunate to have been born into a time of relative peace and prosperity, unlike generations before me.

I did my graduate studies in Management at the London School of Economics (LSE), and it was here that I came to learn about the role of technology in business. The technologies we were studying at the time were those that enabled real-time inventory. Advanced manufacturing was “the” hot technology of the mid-1990s, or so it seemed in class. I find it so interesting that the curriculum at the time did not quite reflect the technology that would profoundly and most immediately shape our world, and of course, that was the Web. In fairness, the digital economy was emerging slowly, then. Tasks like loading web pages still took a lot of time, so in a way, it’s understandable that the full extent of the web’s power did not make it into many of my academic lectures and texts. I believe academia is different today — and I’m thrilled to see the LSE at the forefront of new technology research, including blockchain, AI, robotics, big data, preparing students for a digital world.

JP: I did do some stalking of your LinkedIn profile; I see that you also have quite a bit of journalistic experience as well.

HC: I wish I could have had more! I was humbled when my first piece was published in Canada’s national newspaper. I had no formal training or portfolio of past writing to lend credibility to my authorship. Still, fortunately, after much persistence, the editor gave me a shot, and I’m forever grateful to her for that. I was inspired to write opinion pieces on the value of digital tools because I saw a gap that needed filling — and I was really determined to fill it. And the subject that inspired me was leadership around new technologies. I try to be a good storyteller and create something that educates and inspires all in one go. I suppose I come by a bit of that naturally. My father was an award-winning author in Canada, but his day job was Chief of Surgery at a hospital in downtown Toronto. He had a gift to take complex subject matter about diseases, such as cancer, and humanize the content by making it personal. I think that’s what makes writing about complex concepts “sticky.” When you believe that the author is, at some level, personally committed to their work and successful in setting the context for their subject matter to the world at large and do so in a way that creates action or additional thinking, then they’ve done a successful job. 

JP: Let’s try a tough existential question. Why do you feel that the Linux Foundation now needs a dedicated research and publications division? Is it an organizational maturity issue? Has open source gotten so widespread and pervasive that we need better metrics to understand these projects’ overall impact?

HC: Well, let me start by saying that I’m delighted that the LF has prioritized research as a new business unit. In my past role at the Blockchain Research Institute, it was clear that there was and still is a huge demand for research — the program kept growing because technologies continued to evolve, and there was no shortage of issues to cover. So I think the LF is tapping into a deep need for knowledge in the market at large and specific insights on open source ecosystems, in particular, to create greater awareness of incredible open source projects and inspire greater participation in them. There are also threats that we as a society — as human beings — need to deal with urgently. So the timing couldn’t be better to broaden the understanding of what is happening in open source communities, new tools to share knowledge, and encourage greater collaboration levels in open source projects. If we accomplish one thing, it will be to illustrate the global context for open source software development and why getting involved in these activities can create positive global change on so many levels. We want more brains in the game.

JP: So let’s dive right into the research itself. You mentioned your blockchain background and your previous role — I take it that this will have some influence on upcoming surveys and analysis? What is coming down the pike on the front?

HC: Blockchain as a technology has undoubtedly influenced my thinking about systems architecture and how research is conducted — both technological frameworks and the human communities that organize around them. Decentralization. Coordination. Transparency. Immutability. Privacy. These are all issues that have been front and center for me these past many years. Part of what I have learned about what makes good blockchain systems work comes from the right combination of great dependability and security with leadership, governance, and high mass collaboration levels. I believe those values transfer over readily to the work of the Linux Foundation and its community. I’m very much looking forward to learning about the many technology ecosystems beyond blockchain currently under the LF umbrella. I’m excited to discover what I imagine will be a new suite of technologies that are not yet part of our consciousness.

JP: What other LF projects and initiatives do you feel need to have deeper dives in understanding their impact besides blockchain? Last year, we published a contributor survey with Harvard. It reached many interesting conclusions about overall motivations for participation and potential areas for remediation or improvement in various organizations. Where do we go further in understanding supply chain security issues — are you working with the Harvard team on any of those things?

HC: The FOSS Contributor Survey was amazing, and there are more good things to come through our collaboration with the Laboratory of Innovation Science at Harvard. Security is a high-priority research issue, and yes, ongoing contributions to this effort from that team will be critical. You can definitely expect a project that dives deep into security issues in software supply chains in the wake of SolarWinds.

I’ve had excellent preliminary discussions with some executive team members about their wish-lists for projects that could become part of the LF Research program in terms of other content. We’ll hope to be as inclusive as we can, based on what our capacity allows. We look forward to exploring topics along industry verticals and technology horizontals, as well as looking at issues that don’t fall neatly into this framework, such as strategies to increase diversity in open source communities, or the role of governance and leadership as a factor in successful adoption of open source projects.

Ultimately, LF Research will have an agenda shaped not only from feedback from within the LF community but by the LF Research Advisory Board, a committee of LF members and other stakeholders who will help shape the agenda and provide support and feedback throughout the program. Through this collaborative effort, I’m confident that LF Research will add new value to our ecosystem and serve as a valuable resource for anyone wanting to learn more about open source software and the communities building it and help them make decisions accordingly. I’m looking forward to our first publications, which we expect out by mid-summer. And I’m most excited to lean on, learn from, and work with such an incredible team as I have found within the LF. Let’s do this!!!

JP: Awesome, Hilary. It was great having you for this talk, and I look forward to the first publications you have in store for us.