Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Looking at Open Source Security from the Commun...

Looking at Open Source Security from the Community Angle

The people behind OSPOs can bring strong potential and opportunities to strengthen the security of open source projects. The recent results from the new State of OSPO report find that 96% of organizations with an OSPO or similar open source initiatives use these entities to provide advice on security decisions and risk mitigation strategies.

People working at OSPOs usually act as the linchpin and point of contact where maintainers of open source projects can reach out and better identify project health issues. Questions arise, such as: How is the working environment of the community that sustains the open source projects critical to my organization? Are maintainers having issues dealing with all the feature requests and problems? Do they need help with infrastructure, funding, etc.?

This talk aims to shed light on different ways OSPOs and security teams can work together, not only from a project risk assessment perspective but also from a more human, relational network of people sustaining those projects.

Ana Jimenez

March 03, 2024
Tweet

More Decks by Ana Jimenez

Other Decks in Technology

Transcript

  1. Looking at Open Source Security from the Community Angle March

    2024, FOSSBackstage Berlin Ana Jiménez Santamaría, Linux Foundation TODO Group
  2. open source open source open source open source open source

    open source CD Foundation: https://cd.foundation/blog/ 2020/07/07/devsecops-b uilding-a-trusted-softwar e-supply-chain/
  3. How to Secure Technology Stack? And doing it right with

    effective open source integration?
  4. How is the working environment of the community that sustains

    the open source projects critical to my organization? Are maintainers having issues dealing with all the feature requests, security checks or issues raised by the community? Do they need help with infrastructure, project management tasks, staff, or funding?
  5. Use Case part of the OSPO book Project (CC-BY 4.0)

    https://ospobook.todo group.org/use-cases/
  6. Use Case part of the OSPO book Project (CC-BY 4.0)

    https://ospobook.todog roup.org/use-cases/
  7. Organization Value Security Developers are constantly adding packages to the

    software supply chain • Long feedback loops • Lack of security-specific knowledge DEVELOPER SIDE
  8. DEVELOPER SIDE Organization Value Security “Security fixes are important, but

    are they more important than meeting existing product deadlines?”
  9. OS MAINTANTERS SIDE Community Value Sustainability Maintainers are overwhelmed by

    community request, bug fixes and keeping on track with feature releases More than often, they are not getting paid for all the work they do
  10. OS MAINTANTERS SIDE Community Value Sustainability “Security compliance is important,

    but are they more important than releasing new feature requests?”
  11. Collaboration between employees, open source staff, and security teams with

    the open source ecosystem, offers a complete security coverage across the whole supply chain 💡
  12. OSPO has the important mission on achieving Digitalization, Innovation and

    Security in a healthy and continuous way 󰵘 Open Source Jobs are Beyond Open Source
  13. Other Resources https://ospobook.todogroup.org 20+ Active Contributors across different regions (Japan,

    China, India, North America, Germany, UK, Spain, Netherlands, Sweden and Finland) 👉 Get started
  14. QUESTIONS? 👉 TODO Website 👉 OSPO Book 📨 asantamaria (at)

    linuxfountation.org 📨 ana (at) todogroup.org 󰠁 Front End Projects: https://github.com/anajsana/front-end-miniprojects 🤖 Data Science Projects: https://gitlab.com/anajimenezsantamaria