Skip to main content

📣 Submit your proposal: OpenSSF Community Day Europe

search
All Posts By

OpenSSF

May 06
Love0

What’s in the SOSS? Podcast #29 – S2E06 Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter

By Podcast

Summary

In this special episode of What’s in the SoSS?, we welcome Stacey Potter, the new Community Manager at the Open Source Security Foundation (OpenSSF). Stacey shares her winding journey from managing operations at a vitamin company to becoming a powerful advocate and connector in the open source world. We explore her community-first mindset, her work with CNCF and Platform Engineering Day, and her passion for inclusion and authenticity. Whether you’re curious about how to get started in open source or want insight into how community shapes security, this episode is for you.

Conversation Highlights

00:00 – Welcome + Introduction
01:34 – Stacey’s Origin Story in Open Source
03:18 – Discovering Community Management at Weaveworks
04:19 – Projects and Evolution Across CNCF and Beyond
06:13 – Co-Chairing Platform Engineering Day
10:15 – Being Openly Queer in Open Source
13:38 – What Stacey Hopes to Bring to OpenSSF
16:23 – Rapid Fire Round
17:53 – Final Thoughts

Transcript

Intro music (00:00)

Stacey (00:02): “It’s given me a deep understanding and appreciation for inclusiveness and being a welcoming community – I have always felt embraced here, these spaces have empowered me to show up fully as myself”

Yesenia (00:021)
Hello and welcome to What’s in the SoSS? Open SSF’s podcast where we talk to interesting people throughout the open source ecosystem, sharing their journey, experiences and wisdom. So Yessenia, I’m one of our hosts and today we have a special announcement and introduction. I am talking to OpenSSF’s Community Manager, Stacey Potter. Welcome to the open source community. Stacey, please introduce yourself to the audience.

Stacey Potter (00:48)
Hey, everyone. Thanks, Yesenia. So I’m super happy to be here. I just joined and think this is week four that we’re recording this right now. So by the time this gets posted, I might have been here for a little bit longer. But I am the new community manager here at OpenSSF. So I am here to facilitate events. I’ll be managing budgets in the background. And in general, just promoting the foundation and all of our technical initiatives. So super stoked to be here. Can’t wait to meet everybody either in person, online, in Slack, et cetera. So super happy.

Yesenia (01:25)
Super, super happy to have you and we’ll kick it off with our first question. Tell us about your journey in the open source world and just what sparked your curiosity.

Stacey Potter (01:34)
Yeah, so honestly, my path into software was more a result of circumstance than intention. I transitioned into the industry a little bit later in my career. Before that, I was working as an operations manager at a small family-run vitamin company based out of Oakland, California. And after I left that role, I applied for an office manager position at a San Francisco startup focused on what we now call Software Composition Analysis or SCA. Though I don’t even know if it was called that back then in 2009. And at the time, our tagline was something like open source software security for enterprises or something like that. I think a lot of people will know our main competitor, which was Black Duck Software. But we were just a tiny little startup having fun in San Francisco.

And that role was really like my first exposure to the world of open source, but not in a really direct way because I wasn’t working with it. And I almost felt like we were kind of pulling open source out of enterprises or making it more restrictive in certain ways. Cause it was like we were bringing to light all the open source licenses and if you should or shouldn’t use them in an enterprise, right? So it felt a little ambiguous, right?

But I spent seven years there working with the CEO and gradually kind of moved through different roles at that company. I was great about working at a startup. I was the sales operations manager. And then later I transitioned into marketing. And then that company got acquired and I stayed on for a couple more years doing marketing things. And then I transitioned out of there in 2019 and went to Weaveworks where I feel like my true journey with open source really began. I started working at Weaveworks and as a community manager at that point, transition from marketing went into community management. Thanks to general good faith in my boss at the time, which was Tama Nakahara. She’s amazing and an amazing mentor. And she was like, I have marketing, you’re fine. You’re personable. You’ll be great as a community manager and really took me under her wing and taught me everything I needed to know. And learning all about Flux and Flagger in that CNCF ecosystem and really being embraced within those communities was where I feel like it really truly began.

Yesenia (04:09)
Nice. It’s nice little journey to start and then just what brought you here now to OpenSSF? Did you come from there or have you explored other open source projects that you would like to mention?

Stacey Potter (04:19)
Yeah. So Flux and Flyer were my true introduction. Been in and around the CNCF for a while. After Weaveworks, I went to Dynatrace and worked on the Open Feature project and the Kept project, which are both CNCF projects as well. Super great communities there as well. And then after Dynatrace, I went to Stacklok, which is another startup. And they had a project called Minder, which we donated to the OpenSSF. And I had kind of heard musings of the OpenSSF when I was kind of in that CNCF ecosystem before, but didn’t really know a whole lot about it. And when I worked at StackLock, kind of became more familiar with the community. We donated that project. I went through the entire process of like what donating a project looks like within the OpenSSF ecosystem. So that was fun and interesting.

Yesenia (05:11)
Interesting.

Stacey Potter (05:18)
And yeah, that’s StackLock like switched positions. It kind of is going a different route now. And so I came to OpenSSF just almost a month ago, not quite a month ago, so three weeks ago now. And yeah, that’s how I got here.

Yesenia (05:31)
That’s amazing. Here you are. Perfect. Yeah, it sounds like a good experience exposure with community building and open source projects for CNCF and OpenSSF, which are big, big organizations when it comes to open source. So very interesting, very interesting indeed. So we’ll move on to the next question. This is during my online recon, we’ll say, consented recon. I discovered you are the co-chair of Platform Engineering Day. Can you share with the audience what this is, what the event is, and what excites you the most about working with this community?

Stacey Potter (06:13)
Yeah, absolutely. So Platform Engineering Day, mean, well, as internal developer platforms, IDPs, really help dev teams move faster by giving them tools and frameworks that they need, right? So Platform Engineering Day is all about sharing real world tips on building great internal platforms, not just the tech, but the people and the processes as well, right? So it’s a chance for platform folks from all different job titles and job roles to trade stories, lessons, and ideas on making the dev experience awesome. So what excites me about working in this community? I think there’s just so many passionate people involved in this space. I know Platform Engineering Day has become kind of this buzzy word of late, right?

Yesenia (07:11)
Marketing.

Stacey (07:13)
Exactly. But I mean, to the people who are in it, they, from my perspective, as I’ve gotten involved in it, they’re super passionate folks, right? And they really want to make this experience, you know, as good as they can. But after chatting with Paula Kennedy, who is my co chair, and Abby Bangser, whom I got to know through an old Weavework’s colleague, we felt the need for not just a bunch of tech talks on the topic. But really, we wanted to provide, as I said before, a place where platform engineers, product managers, solutions architects, and other folks could come together and share lessons learned in building and managing internal platforms, measuring platform maturity and improving these golden paths and the developer experience as a whole.

Yesenia (08:04)
Nice, do you want to do a quick plug on when the next platform engineering day is?

Stacey Potter (08:08)
Well, it’s a colo with KubeCons. So if you’re going to the next KubeCon, which I believe is North America in Atlanta, Georgia, for all those folks who are outside of the States, I’m sorry, that you may or may not be able to come here based on a number of different things. But we’re trying to do it co-located in general with KubeCons, because it kind of fits there and makes sense. And we’ve had a great response so far, right? The first one, we got more CFPs than any other co-located event had ever gotten at any KubeCon, colo event before. And I think we had hundreds and hundreds of folks in the seats listening to all these great talks. And I’ll also just highlight the platform’s working group within the CNCF too. This is a great team of people working on all things platform related. And if you’re interested in learning more about platform engineering in general, the platforms working group within the CNC app is really a great place to go.

Yesenia (09:15)
Yeah, I didn’t know that it was in KubeCon. I’m hoping to go my first year this year in Atlanta.

Stacey Potter (09:21)
Yeah. Yeah. I think Paris was our debut. Yeah. Yeah. Right. Not bad. And we just had our last one in London. Yeah.

Yesenia (09:24)
Hmm, that’s a good debut. Fashion debuted there. there you go.

Stacey Potter (9:31)
We’re so fashionable. Who knew?

Yesenia (09:36)
Talking about fashionable. During my cyber roots, I found your GitHub profile, which I loved and made me giggle and smile in several locations. But you noted you’re queer and for recording purposes, AF. I’d love to hear your perspective on how this has transformed your journey and influenced you being involved in these open source communities and anything you want to share with the audience.

Stacey Potter (10:15)
Sure. So being openly queer in tech and the open source space has been a pretty powerful part of my journey, I guess, in retrospect. It’s given me a deep understanding and appreciation for inclusiveness and being a welcoming community, regardless of what the, I guess, we’re going to call it difference is for whomever is coming into your community.

I think something I’ve been lucky to experience in the Kubernetes and cloud native and broader open source ecosystems is that welcomeness, that feeling of belonging. I’ve never felt like I didn’t belong here, right?

Yesenia (10:45)
Yeah.

Stacey Potter (10:48)
Which I think is pretty special. I mean, it’s a privileged place to be, I think in certain ways too, right? Like I am a cis white woman, right? But I present as butch and I’m you know, that’s my that’s what I call myself, right? That’s how I identify. And some people could be put off by that. But I have always felt embraced here. And, you know, like these spaces have empowered me to show up fully as myself, which has not only boosted my confidence, but also allowed me to connect with and, you know, mentor, I guess, others navigating similar paths, whether that’s being queer or being a woman or whatever.

I think visibility matters and I found that authenticity can be a bridge, right? Whether it’s in a code review, which I don’t do by the way, community calls or just, you know, contributing to projects that reflect shared values that you have, right?

Yesenia (11:48)
Yeah, it’s great because that’s the underlying foundation of open source. It’s just a community of anyone that can come in and contribute and make a project, move a project and make it successful and gave me a little bit of goosebumps there as you were speaking on that one. But because I feel the same when it comes to like the open source space is just they’re very welcoming. Every time folks are like, I’m just so scared. I’m like, trust me, don’t just go ask the questions. Like this is the place to ask the technical quote unquote “this is a dumb question…”

Stacey Potter (12:15)
Yeah, and I mean, they’re just so happy. What I have found is everyone in these communities is just so happy for people to notice them to want to get involved in the first place, right? Like they’re so stoked that you’re there. Like whatever your skill set is, they’re willing to bring you into the fold, right? They’ll make it work.

Yesenia (12:22)
Yeah.

Yesenia (12:41)
We’ll figure it out.

Stacey Potter (12:41)
You don’t need to know how to code, right? Work on docs, work on…community management, promote our events, like make us a poster or a cool logo or I mean, there’s so many different ways you can contribute if you don’t write code. I don’t write code and this is my job now. I would have never thought, right? Yeah.

Yesenia (13:00)
Yeah. Who would have thunk it? Yeah, I haven’t written code in such a long time. I write for my own like fun, so I don’t lose the skill. You know, it’s like riding a bike. I’m hoping it’s like riding a bike that you never forget, but I forgot because once again, short term memory issues.

Stacey Potter (13:12)
Yeah, right, right.

Yesenia (13:17)
Ah, this is great. Moving on to the next. You are the newest member of OpenSSF. I’m sure other folks have been hired, so I’m sorry if there’s anybody that’s newer, but as far as his recording, this is what I know. And now the Community Manager, what would you like to see in the upcoming months with the impact you plan to ripple through this ecosystem?

Stacey Potter (13:38)
Wow, that’s a big question. So as the newest member of the OpenSSF team and like you said, the community manager here, I’m really excited to help grow and connect this vibrant ecosystem. In the coming months, I think I want to focus on making it easier and more inviting for people to get involved. Whether you’re seasoned security pro or just a curious first timer, I think a lot of people don’t even know that we exist maybe – the OpenSSF. So I think just awareness in general is also something that I’d like to help promote. But know, like smoothing out the onboarding journey, launching programs like the Ambassador Initiative. I think there’s been a lot of talk internally about trying to ramp that up and get that going and supporting mentorships that help contributors thrive. I’d love to see more stories, more collaboration across projects within the OpenSSF and externally within other communities like maybe CNCF, since that’s where my prior history is, right? And more representation from folks who may not traditionally see themselves in the security space. OpenSSF already has amazing technical initiatives. My goal is to amplify the voices behind them, create inclusive pathways into our work and build bridges to other communities who share our mission. So whether it’s through meetups, events, or even just a warm welcome in Slack, I want everyone to feel like there’s a place for them here.

Yesenia (15:15)
I love it. You’re full of the goose bumps today. I love that warm welcome on Slack. You had mentioned the ambassador program. I personally haven’t heard of it. Is there any, I know you guys are just, it’s in the works. Anything you want to share about it.

Stacey Potter (15:29)
Well, it’s gonna be a top priority for me as soon as I sort of get my feet, find my feet here, right? It’s only week four. But it’s definitely a priority that we want to get this out as soon as possible. And there’s already been so much work done before I came. So it’s getting me up to speed and then, yeah, I’m just super excited. think it encourages more people to join sort of.

Yesenia (15:37)
Yeah

Stacey Potter (15:56)
Also celebrating those who have made us who we are so far as well. But then, you know, lots of people would love to become an ambassador that don’t know how to get started or things like that, right? And bringing more people into the fold.

Yesenia (16:09)
Love it, love it. Well, I look forward to seeing the announcement news and learning more about that. So for those folks listening, hopefully it’s released. Hopefully it’s in the works by the time you listen to this. All right, cool. We’re going to move over to the rapid fire. I just make noises because I don’t get, Krobe’s a fancy noise maker. So we’ll go with the flow with whatever my ADHD brain decides to do. And our first question, Disney or Pixar?

Stacey Potter (16:40)
Pixar for sure. I used to live like around the corner from Pixar, so, and I’ve always been a huge Pixar fan, but this is an acquired Pixar, so they’re one and the same now,

Yesenia (16:52)
In my heart, are they really?

Stacey Potter (16:55)
Yeah, no, in our hearts we know the truth, but Pixar, yeah.

Yesenia (17:02)
Dark or light mode?

Stacey Potter (17:05)
Dark.

Yesenia (17:06)
Dark as my soul.

Stacey Potter (17:09)
Black is the night.

Yesenia (17:11)
Cats or dogs? as she takes a sip of coffee.

Stacey Potter (17:15)
Both. I have two cats and a dog, and they’re all amazing. I love them both for very different reasons.

Yesenia (17:22)
Yeah, I can’t choose between my five, so.

Stacey Potter (17:26)
Oh wow. That’s a lot.

Yesenia (17:29)
Alright, this next question and it may cause chaos to our listeners, alright? Linux Mac or Windows?

Stacey Potter (17:38)
Well, I’m a non-coder, so, and I’m a Mac gal.

Yesenia (17:44)
Mac, there it is. Well, there you have it folks. It’s another rapid fire. Any last minute advice or thoughts for the audience you’d like to share?

Stacey Potter (17:53)
Well, I’ll do some shameless plugging of our upcoming events because I’d love to connect with you all in real life and these events are great places for our community to get together and share ideas and progress on the capabilities that make it easier to sustainably secure the open source software on which we all depend. You can find all of these listed on our website at openssf.org/events

So, we’re going to be hosting some upcoming events:

  • We’ve got Community Day Japan (in Tokyo) on June 18 – which is a colo event after KubeCon’s main event
  • CD North America will be in Denver on June 26 (as a colo event after Open Source Summit, which we are sponsoring so we’ll also have a booth at Open Source Summit)
  • CD India is August 4 in Hyderabad Co-located with KubeCon + CloudNativeCon India
  • CD Europe will be in Amsterdam on August 28 (Open Source Summit, which we are sponsoring so we’ll also have a booth at Open Source Summit)
  • And Open Source SecurityCon is November 10 (colo event pre-KubeCon NA) which is a new event that fosters collaboration and shares innovation in cloud native security and open source software security. The Call for Proposals for this one opens mid May – so be on the lookout for that.

We’ll also be attending & sponsoring events for the remainder of the year as well:

  • We’re sponsoring, and thus have a booth at Open Source Summit North America in June (Colorado) Europe August 25-27
  • Blackhat & DefCon in Vegas in early August
  • We’re sponsoring, and thus have a booth at Open Source Summit Europe August 25-27
  • Sponsoring Open Source in Finance Forum in NYC October 21-22

I can’t wait to meet you all. I’m super excited to be here. And if you join us in Slack, please say hi. If you have any interest in any of our projects, I just encourage you to just jump in, right? Say hello. And usually that’s all it takes to get a really warm welcome from anyone in this community. And I look forward to working with all of you.

Yesenia (20:16)
There you have it from Stacey Potter. Thank you for your impact and contributions to our open source communities. I’m looking forward to the impact that you’ll have and how your ripple effects the open SSF being a part of it. Stacey, I appreciate your time and thank you.

Apr 22
Love0

What’s in the SOSS? Podcast #28 – S2E05 Secure Software Starts with Awareness: Education & Open Source with the Council of Daves

By Podcast

Summary

In this episode of What’s in the SOSS, host CRob is joined by the “Council of Daves” – Dr. David A. Wheeler of the OpenSSF and Dave Russo from Red Hat – for a deep dive into the intersection of secure software development and education. From their open source origin stories to the challenges of educating developers and managers alike, this conversation covers key initiatives like the LFD121 course, upcoming resources on the EU Cyber Resilience Act, and how AI is shifting the landscape.

Whether you’re a developer, manager, or just open source curious, this is your crash course in why security training matters more than ever.

Conversation Highlights

Intro & Meet the Council of Daves (0:16)
Open Source Origin Stories (1:22)
The Role of the Education SIG (4:05)
Why Secure Software Education Is Critical (6:30)
Inside the LFD121 Secure Development Course (8:01)
Training Managers on Secure SDLC Practices (12:24)
Why AI Makes Education More Important, Not Less (13:53)
What’s Next in Security Education: CRA 101 and More (16:04)
Rapid Fire Round: VI vs. EMACS, Tabs or Spaces & Mascots (20:20)
Final Thoughts & Call to Action (22:04)

Transcript

[Dave Russo] (0:00 – 0:16)
If you’re a people manager, understanding the amount of time and effort and skills that are needed to perform these different activities is vital to know.

[CRob] (0:16 – 0:46)
Hello and welcome to What’s in the SOSS, the OpenSSF’s podcast where we talk to interesting people from around the amazing open source ecosystem. I’m Krobe, your host. Today we have a real treat.

I’m joined by the Council of Daves and we’re going to talk about a topic that is near and dear to both our hearts, but let’s start off with some introductions. I’ll go with David Wheeler first, and then we’ll go to Dave Rousseau. So David, why don’t you introduce yourself real quick?

[David Wheeler] (0:47 – 1:03)
Okay, sure. David Wheeler. I work at the Open Source Security Foundation, OpenSSF, which is part of the Linux Foundation, and I’ve been involved in how do you develop secure software or developing open source software for literally decades.

[Dave Russo] (1:03 – 1:20)
My name is Dave Russo. I work at Red Hat on the product security team. I’m the governance portfolio manager.

I don’t have quite as long a history with open source as Dr. Wheeler does, but I’ve been working on SDLC related activities for quite some time.

[CRob] (1:22 – 1:33)
Awesome. I think we’re gonna have a great chat today about secure software development and education, but let’s get your open source origin stories. Dave Rousseau, how did you get involved in upstream open source?

[Dave Russo] (1:34 – 2:18)
So I was not directly involved in open source for very long in my previous arrangement. I did do some work in the software industry, then I was working in an industry that was not around development. So around 2016, when I joined Red Hat, my good friend Krobe introduced me to a lot of the awesome open source stuff that was going on in and around Red Hat and the upstreams a little bit prior to that.

And a lot of the conversation was aligned with SDLC activities, specifically secure development practices, which is an interest of mine. And then after joining Red Hat, obviously I became much more involved in a lot of different areas of open source, primarily around, again, secure development.

[CRob] (2:19 – 2:24)
Cool.

David Wheeler, how did you get involved? What’s your origin story?

[David Wheeler] (2:24 – 3:46)
That one’s a little challenging because I’ve been involved in it for such a long time, I don’t even remember the first time I gave, you know, I just just contributed to release some, well, what wasn’t called open source software, because the term hadn’t been invented yet.

People were occasionally sharing around source code. Since before I was born, frankly, they just didn’t use these terms. And, you know, necessarily have figured out some of the legal stuff.

So I think the big change to me, though, was the first time I held a very, very early version of Red Hat Linux in my hand. This is back when it was being distributed on CDs. Because at the time, there was a general agreement that yes, of course, people can share source code on, you know, on bulletin boards, and maybe this internet thing, but you couldn’t build something big with it.

And all of a sudden, an entire operating system was open source, and useful. And I think this is where instead of the, oh, sure, we can sometimes share with this, oh, this can be used for building large scale systems. And that was kind of the, and I later on did analysis of this and been doing things involving open source for quite well, since before the name was created.

[CRob] (3:46 – 4:04)
Cool. Well, thanks for sharing, gentlemen. So let’s dive into it.

Dave Russo, you are the current chair of the OpenSSF’s Education SIG, which is part of the BEST working group. Could you maybe talk a little bit about what the Education SIG is and what you all get into?

[Dave Russo] (4:05 – 4:27)
Sure. So the Education SIG is obviously around educating our open source developers to do a better job of incorporating security practices in the development and delivery of these projects. Now, a lot of my previous life experience was in development, so I’ve got a fairly good amount of experience in this area.

[David Wheeler] (4:28 – 4:39)
It is very obvious to a lot of people who’ve been doing this for a while that education has not been a focus area when it comes to developers, especially around security.

[Dave Russo] (4:40 – 6:17)
Developers are mostly interested in creating cool new stuff, which I completely agree with. That is the primary purpose is to put new features and functionality in their software to make it do more cool things, better, faster, stronger, etc. However, security for the longest time was not even a consideration for a lot of software development and delivery.

And over the past 10, maybe 15 years, there’s been a little bit more attention paid to it. But there’s been a movement to try and provide good education courses that talk about secure development practices to the development communities themselves. So at the Education SIG, what we are trying to do is help address that need.

We’re trying to help understand what kind of information and materials we can provide to our upstream communities to help the developers understand what it means when we talk about developing and delivering software more securely and specific techniques and ways that they can incorporate this into their projects, such as hardening guides, delivery guides, compiler rules, general awareness of some of the reasons behind having security, not only from a risk based perspective, just making the project a little bit more robust, but now also because of a lot of international regulations and expectations by different industries and geos that are compelling developers of various types to provide very specific attestations or statements of conformity when it comes to doing things in a certain way while they’re doing their development delivery.

[CRob] (6:17 – 6:30)
Awesome. So it sounds like, Dave, you touched on it a little bit. But David, could you maybe expand a little bit about you know, why do you feel it’s important to get this type of content in the hands of developers?

[David Wheeler] (6:30 – 8:01)
Well, I think the short answer is that if developers don’t know how to develop secure software, they won’t develop secure software. It really is that simple. I often tell people that we get software that’s more secure than we deserve.

Because why should we expect that software be secure when for the most part, developers aren’t told how to do that? It’s it’s it’s not a magic trick, but it does require some knowledge. By the way, we actually did a survey of developers about the state of secure software development education last year.

And I mean, we found that overall, you know, 28% of the professionals weren’t familiar with secure software development. It jumped up to 75% for those who had less than a year of experience because the colleges and universities for the most part, are not requiring it. And so yes, they they increasingly get it over on the job.

But the on the job is often spotty, it has holes. And by the time they become more knowledgeable, there’s more that have come in, again, with that lack of knowledge. And so we’re just constantly on this treadmill of people who don’t know how to do it.

And lack of training was the was one of the primary reasons that people gave for why don’t you know how to do this.

[CRob] (8:01 – 8:17)
So I’m aware that the SIG has a couple artifacts that they work on. The first thing we’ll talk about is the LFD 121 course. So maybe Dr. Wheeler, if you could give a little taste about what that is all about.

[David Wheeler] (8:18 – 8:30)
Absolutely. I’ll quickly note, by the way, both of my participants have used my title doctor, I do have a PhD. But my experience is when people use my title, they’re just yanking my chain.

[CRob] (8:30 – 8:32)
So we love you, sir.

[David Wheeler] (8:33 – 10:14)
Well, thank you. Yeah, so the so we’ve got a course called LFD 121, developing secure software.

Now, we’re here talking about open source. But I want to make sure everybody knows that this is absolutely for open source software. It’s also for closed source software.

It’s for anybody who develops software, because the frank reality is attackers don’t care what your license is. They just don’t. They just want to take over things and do bad stuff and make everyone stay miserable.

So we’re here to help developers deal with that. I just looked at the numbers and we have including, you know, up to now, for both our Japanese and English through edX and through TI, all these are, we’ve had over 30,000 in [Crob: Wow], in that course, which is, you know, fantastic. That’s a lot of people.

That’s a lot of people. So we’ve got a course, we very much focus on the practical, how do you do stuff. And we have optional hands on labs, they’re not required.

But we do encourage people at least do a few. Because doing things hands on is really, really helpful. I’ll do a quick note.

Some people have gotten the wrong impression that security is always expensive. Generally, that’s not true. It’s retrofitting security.

That’s expensive. And so what we should be doing is stopping the retrofit. It’s not hard to do most of the stuff if you just know ahead of time what you’re supposed to do.

But once you once you’ve dug the hole deep, it’s very hard to get out.

[CRob] (10:15 – 10:21)
Speaking of security, not being expensive. This sounds like an amazing class. How much does it cost to take?

[David Wheeler] (10:23 – 10:48)
Oh, what a pitch. Of course, as you know, it’s completely free. The course is free, the labs are free, whole thing’s free.

So, you know, please don’t please don’t make costs a limiting factor for this. You know, it’s basically important for us all around the world that anybody who develops software knows the basics. And that’s what this this particular course covers.

[CRob] (10:49 – 11:08)
So a big part of your world, Dave Russo, is, you know, secure software development and SDLC, secure development lifecycle. From your perspective, you’ve looked at the LFD 121 class. What do you find that to be a useful artifact as you’re sharing it with your engineers?

It is.

[Dave Russo] (11:08 – 12:23)
The content in the course does a very good job at talking about what the different activities that should take place along the different times of the software lifecycle should be. And again, to kind of repeat from what we said earlier, awareness is a big problem that we have. A lot of developers don’t understand what it means when we say we should develop things securely.

And then you start using words like risk assessment, penetration testing, threat modeling, attack surface analysis, and people’s eyes just kind of glaze over because they have no idea what you’re talking about. The course is able to go into these topics and provide a good amount of information, provide an understanding to a developer what we mean when we talk about these sorts of things. And additionally, to David’s point earlier, making the developers aware of this early so they can build it into the plan instead of trying to go back and do it after certain things have been done, makes adopting and implementing these things much, much easier.

So the combination of knowing what these activities actually are, the amount of effort that is needed to complete them, and when to insert them into the lifecycle make the course absolutely invaluable for people who are doing software development.

[CRob] (12:24 – 12:38)
That was one of the OG projects that David Wheeler brought into the foundation. Let’s talk about some of the more current work. Who would like to talk about the security for developer manager class we’ve all been working on?

[Dave Russo] (12:38 – 13:52)
So I’ll go and I’ll start off from a general level. And then I’ll let David go into some things a little bit more in depth. So the intent of the secure software development for managers course is to again, inform.

Awareness is a problem. If I’m a development manager, and someone says to me, you need to do your stuff securely, what does that mean? There’s a lot of different factors involved.

From a risk perspective, if we don’t do these activities, what does that mean? What does it mean for the actual software itself? What does it mean for the organization or company that I work for?

What kind of risk may be exposing the company to? More importantly, if you’re a people manager, understanding the amount of time and effort and skills that are needed to perform these different activities is vital to know. You need to understand when to put these things into roadmaps and timelines, how much time to allocate for them.

And does anybody on your team actually know what it means to do, for example, a penetration test? If not, you’re going to need to find some additional resources to help you with that. So again, not necessarily diving down into the deep weeds on a lot of these topics.

This is meant to provide additional awareness and understanding to someone who’s in a development manager position.

[David Wheeler] (13:53 – 16:04)
And if I can jump in with some additions. Fundamentally, if management’s not on board, it’s probably not going to happen.

And unfortunately, some managers are kind of assuming things like, well, the the IT security department will somehow take care of it. Well, no, they won’t. They certainly do have an important role to play.

There are things that they that they will do that will be very, very helpful. But if you’re managing the development of software, there are things that you as a manager need to know need to do need to make possible. We spend more than a little time in the course helping you understand some terminology, understanding what needs to happen, and frankly, making sure one of the key things a manager needs to do is making sure that the developers know what they need to know.

In many organizations, managers aren’t necessarily writing the code, but they need to make sure that the people they’re bringing in know what they need to know. And if they don’t, fixing that with what is fundamentally a training problem, an education problem. Because just like any other field, if you don’t know what you’re doing, you’re not likely to do a good job.

And it doesn’t mean that they’re stupid. It just means that they lack some important information. I will quickly note, just because I’m thinking of it.

Lots of people talking about AI. AI is awesome. The majority of developers nowadays are using AI to develop code, according to some surveys.

And here’s the problem. Just because some AI generated code does not make it secure code. What do you think that that system was trained on?

Right. So this actually AI is actually increasing the need for education by developers and by their managers. Because if you’re using an AI system, who is going to be reviewing it?

Not just the AI, I hope. You’re going to need people to know what they’re doing. Which brings us back to the need for more education.

The increased need for education, not the decreased need because of AI.

[CRob] (16:04 – 16:15)
Excellent point. Broadly, what other things are on the horizon from an education perspective? What do you got in the hopper in the back? It’s going to come down the road.

[David Wheeler] (16:18 – 16:20)
Well, Dave, you want to go ahead?

[Dave Russo] (16:20 – 18:23)
Sure. So the USSF is putting a lot of attention on education.

There’s some expectations as to what our SIG can help contribute moving forward in 2025. And again, I’ll hit this from an awareness perspective, I think, and I’ll let David dive in to a couple things a little bit deeper. We need to get the message out.

We need to get information out there into the upstream communities and the projects and let them know what it is we’re trying to accomplish and what materials we already have that they could leverage and use right now, as well as understanding how to bring more people into the group, into the USSF in general, and provide their subject matter expertise to help us generate even more materials on top of that.

So we’re going to be making some additions to the information we’ve got on our GitHub page and such. We’re going to try and socialize some of the things that we’ve already put together as a group, some of the hardening guides we’ve done, we already talked about some of the education courses that are being worked on. We’re taking a little bit of a look right now, something that’s in progress, a little bit of behind the curtain for everybody.

We’re working on a CRA 101 course. Again, the EU Cyber Resiliency Act has been passed by their parliament, and everyone is trying to understand exactly what that means to them. So we’re trying to put, again, a general information course together that makes it digestible for people with a couple different types of roles to understand what the CRA means and what the expectations are going to be moving forward as it begins to come into effect.

So these regulations are becoming more common. There’s a couple other ones that are in progress at various geographies around the world, so we expect we’re probably going to do this for a couple other ones as they become available. Hopefully, we’ll have some representatives speaking at certain conferences, talking about the OSSF mission in general, some of the education information in particular, and again, trying to make sure that we are looking at the right ways to bring the right information to our constituency.

David?

[David Wheeler] (18:24 – 20:18)
Yeah, so let me jump in specifically on the Cyber Resilience Act, which is kind of a big thing that’s coming up. Strictly speaking, it only applies to software, and so on, that is released to the EU market.

I guess more accurately, I should say products with digital elements, which is the term of art that they use within the regulation. But the reality is, Europe’s a big place. Most organizations, especially in the software world, are global.

So this is going to affect many, many, many. Indeed, it’ll affect many who have never really needed to look at this kind of thing before. And so we’ve been trying to develop this, what we’ve been calling a CRA 101.

We actually even have an official number for it, it’s LFEL 1001, when it’ll get released. But basically, it’s a little introduction, explanation, what does this say? What does it require?

And it’s going to be a big change, I think, to industry, to the market. It even has some requirements specifically on what’s called open source software stewards. It’s a relatively light touch, but it does impose some requirements.

It does talk about open source software developers. I think in many cases, it will be much less of a touch, but it’s not completely none. And so this is going to affect, and of course, people who develop open source software, that software usually gets pulled into larger systems in many cases.

So this is going to affect a lot of folks. And so it’s gonna be important for us all to be prepared. So we’ve been working very hard to get that introduction developed, and we’re hoping to get that out the door as soon as we can.

[CRob] (20:20 – 20:43)
Excellent. Well, I’m looking forward to taking it, so I can become smart about the CRA. Thank you, gentlemen.

Let’s move on to the rapid fire part of the interview. All right. I got a couple wacky questions, and I would like you both to answer the first thing that comes to your mind.

First, most important question. VI or EMACS?

[Dave Russo] (20:43 – 20:44)
VI.

[David Wheeler] (20:44 – 20:45)
VIM.

[CRob] (20:46 – 20:54)
Excellent answer. Now, the next one, potentially even more controversial.

Tabs or spaces?

[David Wheeler] (20:55 – 20:56)
Spaces.

[Dave Russo] (20:56 – 20:56)
Spaces.

[David Wheeler] (20:58 – 20:59)
Always spaces.

[CRob] (20:59 – 21:09)
I can go back and count, but that is a very contentious, verging on religion for many people. What’s your favorite open source mascot?

[Dave Russo] (21:11 – 21:11)
Tux the Penguin.

[David Wheeler] (21:12 – 21:14)
Oh, it’s it’s hard to beat Tux.

[CRob] (21:16 – 21:17)
Classic.

[David Wheeler] (21:18 – 21:27)
Classic.

I’m planning to print up one on a 3D printer soon, because Tux is fun. But I will say that Honk the Goose. Honk the Goose?

[CRob] (21:28 – 21:28)
Honk the Goose.

[David Wheeler] (21:28 – 21:29)
He is a kind of fun goose.

[CRob] (21:29 – 21:36)
I am personally a fan of the goose. And last question. What’s your favorite vegetable?

[Dave Russo] (21:37 – 21:38)
None of the above.

[David Wheeler] (21:39 – 21:43)
I’ll count corn as a vegetable. Corn on the cob.

[CRob] (21:43 – 22:04)
There you go. Thank you, gentlemen.

Now, as we wrap up, do you have a call to action or some advice you’d like to share with our listeners who are where they have a lot of people across the industry that listen to this newcomers or people that aren’t familiar with open source or cyber security? So what kind of advice or what call to action do you have for our listeners?

[Dave Russo] (22:04 – 22:31)
Get involved.

Get involved. Understand what’s out there. The OpenSSF has a lot of really good information, a lot of different working groups that are going through things that affect all the open source communities, trying to, you know, make our security better, reach farther, make us more proficient in those areas. So if there’s something you think you contribute or if it’s something you want to learn or just want to listen and see what’s going on, join a couple of the working group calls and see what’s happening.

[CRob] (22:32 – 22:34)
Excellent. David?

[David Wheeler] (22:34 – 23:41)
I’ve got a couple.

So for get involved, if you’re interested in security, open source and security, obviously OpenSSF, if you are the happy user of an open source project where it’s starting to become important to you, get involved in that project. If you are a developer of software, please, please learn how to develop secure software. I think our course is great.

I don’t really care if you take that course per se. If you take another course, that’s great. Because what’s more important is all of society now depends on software.

We need that software to be more secure. And the vast, vast, vast majority of the problems we’re seeing today are the same problems we’ve been having for decades. It’s well understood how to systemically counter them.

But people need to know how to do it first. And I, I don’t, as I said earlier, AI is not going to change that. AI will simply mean that we can write bad code faster.

It means we can write good code faster. But to write the good code, the humans have to know what good code looks like.

[CRob] (23:43 – 24:05)
Well, what a difference some Daves make. Gentlemen, some of my favorite people to collaborate with. I appreciate your time and all of your contributions to help trying to improve the quality of life for open source developers and ultimately the users that use all that amazing software.

So that’s a wrap. Thank you all for joining What’s in the SOSS and happy security, everybody.

(24:09 – 24:46)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, Antenapod, Pocketcast, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all.

Check out the newsletter for open source news, upcoming events and other happenings. Go to OpenSSF.org slash newsletter to subscribe. Connect with us on LinkedIn for the most up to date OpenSSF news and insight and be a part of the OpenSSF community at OpenSSF.org slash get involved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS.

Apr 22
Love0

OpenSSF Newsletter – April 2025

By Newsletter

Welcome to the April 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR

This month, the OpenSSF highlights a new free training course, “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001),” designed to help organizations prepare for the CRA’s full application by December 2027. The course covers essential requirements, roles, and compliance processes to help teams reduce risk and meet regulatory standards. The OpenSSF also invites you to join upcoming Community Day events in Japan, North America, India, and Europe to help drive collaboration in open source security. Don’t forget—submit your proposal to speak at OpenSSF Community Day Japan by April 27 and check out the live agenda for Community Day NA 2025. Explore key takeaways from VulnCon 2025, learn about the launch of Model Signing v1.0 to secure the ML supply chain, and preview our latest tech talk on global policy and the Open Source Project Security Baseline. Dive into IDC’s new research on software supply chains, enroll in the free course on the EU Cyber Resilience Act.Stay connected with OpenSSF community updates, upcoming events, and working group news!

Tech Talk Preview: Strengthening Open Source Through Security Standards and Global Policy

TechTalkApr2025

Open source is the backbone of today’s digital infrastructure – but with great power comes great responsibility. As cybersecurity threats grow and global policies evolve, open source projects must meet increasing security expectations. Join Christopher “CRob” Robinson (OpenSSF) (Moderator), Ben Cotton (Kusari), Emily Fox (Red Hat) and Megan Knight (ARM) for a tech talk that dives into these challenges and highlights the OpenSSF community’s solution: the Open Source Project Security Baseline. Learn how this framework helps projects align with key standards and prepare for compliance. 

Don’t miss out – register now and join the conversation to strengthen open source through community-driven security and global policy engagement.

NEW FREE COURSE: Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)

Enroll in LFEL 1001

With the Cyber Resilience Act (CRA) officially published as Regulation (EU) 2024/2847 and entering into force on December 10, 2024, the countdown is on for organizations to understand and prepare for its full application by December 11, 2027. The CRA introduces broad obligations for products with digital elements, aiming to reduce cybersecurity risks and increase trust in the European digital market.

To help organizations prepare, LF Education and the Open Source Security Foundation (OpenSSF) launched a free training course: “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)” – now available online.

This course covers the key requirements of the EU’s Cyber Resilience Act (CRA), including terms, roles, obligations, essential cybersecurity requirements, product markings, compliance processes, and penalties for non-compliance. It prepares decision-makers, software developers, OSS developers, and OSS stewards to navigate CRA compliance, mitigate risks, and meet regulatory standards. 

Enroll in the free course!

Key Takeaways from VulnCon 2025: Insights from the OpenSSF Community

In “Key Takeaways from VulnCon 2025: Insights from the OpenSSF Community”, Christopher Robinson (CRob), Chief Security Architect at OpenSSF, reflects on the power of collaboration and innovation that defined this year’s VulnCon. Held in Raleigh, NC, the event brought together global security professionals to tackle pressing challenges in vulnerability management. CRob shares firsthand insights from OpenSSF’s active involvement throughout the conference, highlights the importance of metadata, open source supply chain security, and evolving global regulations like the EU’s Cyber Resilience Act. If you’re passionate about strengthening the open source ecosystem and want to hear how the OpenSSF community is leading the charge, check out this blog.

Last chance to speak at OpenSSF Community Day Japan!

Call for Proposals closes Sunday, April 27 at 23:59 JST.

Join us in Tokyo and share your insights on open source security, tooling, education, AI, and more. Whether it’s a 5-minute lightning talk or a 20-minute session, we welcome diverse voices from across the ecosystem.

👉 Submit your proposal today

OpenSSF Community Day NA 2025 Agenda Live!

1200x628 AgendaLive

We are excited to share that the agenda for OpenSSF Community Day North America 2025 is now live! Join us on June 26 in Denver, Colorado, for a day filled with collaboration, technical insights, and future-focused conversations on securing the open source ecosystem.

Launch of Model Signing v1.0: OpenSSF AI/ML Working Group Secures the Machine Learning Supply Chain

In Launch of Model Signing v1.0: OpenSSF AI/ML Working Group Secures the Machine Learning Supply Chain, authors Mihai Maruseac (Google), Martin Sablotny (NVIDIA), Eoin Wickens (HiddenLayer), and Daniel Major (NVIDIA) introduce the first stable release of the model-signing project from the OpenSSF AI/ML Working Group. This blog presents the motivation, features, and broader goals of the project, including how model signing helps secure the integrity and provenance of machine learning artifacts across the supply chain. Read the full blog to learn how this initiative marks a key milestone toward a secure AI future and how you can get involved.

Community Member Updates:

Google Cloud and Canonical recently sponsored a new report by IDC on the State of Software Supply Chains. According to the report, which surveyed over 500 decision-makers in IT and Information Security roles, 7 in 10 responsible teams spend more than 6 hours per week on security patching. The report also reveals that compliance with regulations remains a challenge for most organizations, with more than a third of respondents reporting that they struggle to understand how regulations apply to specific systems and software components. The adoption of artificial intelligence is increasing compliance burdens with 60% of organizations reporting that they have only basic or no security controls to safeguard their AI/ML systems.

Download the report on Canonical’s website for other interesting stats and learnings on open source supply chains.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at [email protected], and see you next month! 

Regards,

The OpenSSF Team

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved
Close Menu
OSZAR »