Jamie Thomas is the General Manager, Systems Strategy and Development at IBM and is also the OpenSSF Board chair. She sat down with Alan Shimel of TechStrong TV during OpenSSF Day in Austin to share about OpenSSF and how the open source community is rallying together to increase the resilience of open source software.
You can watch the full interview or read the transcript below. But, since we are all busy, I have pulled together some of the key points Jamie made from the interview:
OpenSSF is focused on a proactive posture. How do we prevent these kinds of events? And so to do that, we think there’s a number of things we have to do:
First and foremost is education, of course, in terms of basic security education for developers.
Another key tenet is how do you put automation on steroids? So the automation, and the best practices that are reflected in that automation, that open source projects can consume? How do you get that out to the most critical projects, and then provide some support for the long tail projects?
It’s also about working, frankly, with other industry consortia as well as the government. In particular, we’ve been working with the US government in the OpenSSF to define what are some actions that are really going to make a difference.
And I think critical to all of this is getting collaboration across the different insights from the governing body, which includes a lot of technology firms, as well as commercial firms. Like there’s a lot of financial firms actually involved in the governing body. What are the key elements that we really need to address first? So getting those priorities set, and then having an execution agenda and really getting something done in the short term, I think is really going to be important for this group.
In the world of cybersecurity, you often learn that no one pays attention to a lot of things unless there’s a huge compelling event. And that’s what log4j was. So while it was not desired, it was helpful in that vein... So coming out of all of the meetings that we’ve had, the collaboration that we’ve had across the industry, it is going to be imperative that we execute, and that the things that we have identified as top priorities, that we make measurable progress on those projects this year. That’s the importance of this OpenSSF Day here today in Austin, which is allowing us, with a key set of stakeholders, to start to share perspectives of the projects that are underway, and how others can engage in those projects. And how, once again, working together, we can actually make a difference.
Working together, we can actually make a difference.
We are turning the corner on a new level of commitment around security; there’s always been a commitment in open source around innovation, around feature function. I mean, that’s what’s driven open source and allowed it to be so successful. And for others, other corporations like IBM, we take an enormous advantage out of that, right? We’ve all gotten a huge advantage in productivity out of that. But now, it’s really about turning the focus a little bit more, getting that focus on security, so that we can use open source and continue to have that productivity, but with confidence as we go forward.
How do we make it easy for the maintainers of these open source projects? How do we make it easy for the contributors? Because without doing that, it will not have the consumption by developers at large.