Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Looking at Open Source Security from the Community Angle

Ana Jimenez
March 03, 2024
Technology
0
68

Looking at Open Source Security from the Community Angle

The people behind OSPOs can bring strong potential and opportunities to strengthen the security of open source projects. The recent results from the new State of OSPO report find that 96% of organizations with an OSPO or similar open source initiatives use these entities to provide advice on security decisions and risk mitigation strategies.

People working at OSPOs usually act as the linchpin and point of contact where maintainers of open source projects can reach out and better identify project health issues. Questions arise, such as: How is the working environment of the community that sustains the open source projects critical to my organization? Are maintainers having issues dealing with all the feature requests and problems? Do they need help with infrastructure, funding, etc.?

This talk aims to shed light on different ways OSPOs and security teams can work together, not only from a project risk assessment perspective but also from a more human, relational network of people sustaining those projects.

Ana Jimenez

March 03, 2024
Tweet

More Decks by Ana Jimenez

See All by Ana Jimenez
El valor de las Oficinas Open Source Sostenibilidad del Ecosistema Cloud Native
anajsana
0
32
State of OSPOs in Asia
anajsana
1
23
How Can OSPOs Become a Key Lever for Open Source Sustainability?
anajsana
0
16
OSPOs: A Key Lever for Open Source Sustainability
anajsana
1
190
OSPO, Key Lever For Open Source Sustainability
anajsana
0
100
A walk through the OSPO Five-Stage Model
anajsana
0
250
What InnerSource can bring to emerging Open Source Initiatives?
anajsana
0
46
A walk through the OSPO fivestage Model and Personas
anajsana
0
190
Demystifying OSPOs: What InnerSource can bring to emerging Open Source Initiatives
anajsana
0
79

Other Decks in Technology

See All in Technology
止まらないLinuxシステムを構築する_高信頼性クラスタ入門
koedoyoshida
3
580
家族アルバム みてねにおけるGrafana活用術 / Grafana Meetup Japan Vol.1 LT
isaoshimizu
1
1.1k
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.4k
中年男性がメインフレームから クラウドへキャリアシフトしてみた
uechishingo
0
300
.NET Profiler in 2024.
kkamegawa
2
1.8k
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
15
35k
高専で制御を、大学でセンシングを学び、次は脳みそ
satoshirobatofujimoto
0
110
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
37k
認知症フレンドリーテックとスタックチャン
naokiuc
0
290
Google Cloud Next '24 Recap(Cloud Run/k8s)
mokocm
0
340
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
1
150
require(ESM)とECMAScript仕様
uhyo
4
1k

Featured

See All Featured
The Cult of Friendly URLs
andyhume
74
5.7k
Code Review Best Practice
trishagee
56
15k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
34
6k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
21
1.9k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
26
2.3k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
79
43k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
22
1.6k
Six Lessons from altMBA
skipperchong
22
3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
The Art of Programming - Codeland 2020
erikaheidi
43
12k
Docker and Python
trallard
35
2.7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k

Transcript

  1. Looking at Open Source Security from the Community Angle March

    2024, FOSSBackstage Berlin Ana Jiménez Santamaría, Linux Foundation TODO Group

  2. About Me

  3. TWO SIDES OF THE SAME COIN Open Source Challenges Security

    IT Challenges

  4. CD Foundation: https://cd.foundation/blog/ 2020/07/07/devsecops-b uilding-a-trusted-softwar e-supply-chain/

  5. open source open source open source open source open source

    open source CD Foundation: https://cd.foundation/blog/ 2020/07/07/devsecops-b uilding-a-trusted-softwar e-supply-chain/

  6. OSPO 101 Training Course: https://github.com/todogroup/ospo-career-path/tree/main/OSPO-101/module6

  7. None

  8. How to Secure Open Source?

  9. How to Secure Technology Stack?

  10. How to Secure Technology Stack? And doing it right with

    effective open source integration?

  11. How is the working environment of the community that sustains

    the open source projects critical to my organization? Are maintainers having issues dealing with all the feature requests, security checks or issues raised by the community? Do they need help with infrastructure, project management tasks, staff, or funding?

  12. OUTBOUND (open source ecosystem) INBOUND (organization) Organizations and Open Source

    Ecosystem NEED A CONNECTOR

  13. OUTBOUND (open source ecosystem) INBOUND (organization) OSPO Organizations and Open

    Source Ecosystem NEED A CONNECTOR

  14. Use Case part of the OSPO book Project (CC-BY 4.0)

    https://ospobook.todo group.org/use-cases/

  15. Use Case part of the OSPO book Project (CC-BY 4.0)

    https://ospobook.todog roup.org/use-cases/

  16. TWO SIDES OF THE SAME COIN Community Value Sustainability Organization

    Value Security

  17. Organization Value Security Developers are constantly adding packages to the

    software supply chain • Long feedback loops • Lack of security-specific knowledge DEVELOPER SIDE

  18. DEVELOPER SIDE Organization Value Security “Security fixes are important, but

    are they more important than meeting existing product deadlines?”

  19. DEVELOPER SIDE Organization Value Security AUTOMATION

  20. DEVELOPER SIDE Organization Value Security AUTOMATION Private components Open source

    components

  21. DEVELOPER SIDE Organization Value Security AUTOMATION Private components Open source

    components OSPO Security

  22. DEVELOPER SIDE Organization Value Security SUPPORT AUTOMATION POLICIES & PROCESSES

    Open source components OSPO Security

  23. OS MAINTANTERS SIDE Community Value Sustainability Maintainers are overwhelmed by

    community request, bug fixes and keeping on track with feature releases More than often, they are not getting paid for all the work they do

  24. OS MAINTANTERS SIDE Community Value Sustainability “Security compliance is important,

    but are they more important than releasing new feature requests?”

  25. OS MAINTANTERS SIDE Community Value Sustainability UPSTREAM CONTRIBUTION Employee contribution

    OSPO Security

  26. OS MAINTANTERS SIDE Community Value Sustainability UPSTREAM CONTRIBUTION Employee contribution

    OSPO Security Open Source Ecosystem OSPO

  27. OS MAINTANTERS SIDE Community Value Sustainability UPSTREAM CONTRIBUTION FUNDING AND

    SPONSORSHIP RELEASING SECURITY TOOLS

  28. Top Three Takeaways

  29. OSPO Integrates of Open Source in organization's IT Infrastructure 🤝

  30. Collaboration between employees, open source staff, and security teams with

    the open source ecosystem, offers a complete security coverage across the whole supply chain 💡

  31. OSPO has the important mission on achieving Digitalization, Innovation and

    Security in a healthy and continuous way 󰵘 Open Source Jobs are Beyond Open Source

  32. About TODO Group (Linux Foundation Project)

  33. THE LARGEST AND MOST ACTIVE OSPO COMMUNITY OF PRACTICE

  34. Other Resources https://ospobook.todogroup.org 20+ Active Contributors across different regions (Japan,

    China, India, North America, Germany, UK, Spain, Netherlands, Sweden and Finland) 👉 Get started

  35. QUESTIONS? 👉 TODO Website 👉 OSPO Book 📨 asantamaria (at)

    linuxfountation.org 📨 ana (at) todogroup.org 󰠁 Front End Projects: https://github.com/anajsana/front-end-miniprojects 🤖 Data Science Projects: https://gitlab.com/anajimenezsantamaria