KubeCon + CloudNativeCon Europe 2024 | Omkhar Arasaratnam | OpenSSF

Clips
News
More from KubeCon + CloudNativeCon Europe 2024

Omkhar Arasaratnam

General Manager

OpenSSF

Three insights you might have missed from the ‘KubeCon + CloudNativeCon Europe’ event

Kubernetes has reached a pivotal moment in its 10-year history, a milestone celebrated throughout the entirety of this year’s KubeCon + CloudNativeCon Europe.Its ubiquity has brought the open-source container management system into the mainstream, delivering new opportunities to meet the challenges of the artificial intelligence era. As the developer community has watched the Kubernetes ecosystem mature, this year’s KubeCon was expected to focus on deployment use cases and provide a chance to see developments as projects moved from the sandbox phase to incubating and eventually graduation. Those opportunities were a central focus for our analysts, reporting onsite

Enhancing open-source security: Collaborative strategies from OpenSSF

The issue of vulnerabilities in open-source components within software supply chains is increasingly attracting attention. For cybersecurity professionals, open source is often the supply chain segment where confidence in security measures is at its lowest.To make open-source better, there is a need for collaboration between the three primary stakeholders the private sector, the public sector and the community, according to Omkhar Arasaratnam (pictured), general manager of the Open Source Security Foundation at the Linux Foundation.“How do we help the community who may not be a security expert but really want to make sure that your code is secure or the providence is good?” he asked

play_circle_outline Three main stakeholders in securing open-source software: private sector, public sector, and the community

play_circle_outline The Significance of SBOMs in Security and the Urgency to Explore Beyond: Insights from Open Source Summit NA

play_circle_outline SOSS Fusion conference aimed at cross-pollination between the open-source and security communities

play_circle_outline OpenSSF's involvement in AI Cyber Challenge and the security of AI models.

Info

Omkhar Arasaratnam | OpenSSF

Omkhar Arasaratnam

General Manager OpenSSF

search

(upbeat music)

>> Hello, and welcome back to Paris. We're here at KubeCon CloudNativeCon EU, really digging deep into what's going on in a lot of different projects and foundations around Kubernetes and cloud native technology. I'm here joined by Dustin Kirkland, helpin' me out with analyzing things, and Omkhar, who's the GM of OpenSSF, has joined us as well, which you were on a little bit ago

when it was your second day. >> Yeah.

>> As GM. >> I was shocked. There was a big conference. You guys are very accommodating. (laughter) It's lovely to be back.

>> Dustin: You feel more settled in now?

>> A little, a little, a little.

>> Yeah, well it's great to have you here, because I know we were just talking beforehand, and you're running all over the place advocating for what has to happen and regulations and where things are going, and not only working with the groups here, but groups outside, like small groups, like the UN and others, and things of that nature.

>> Little groups like that. >> Yeah.

>> I mean, when we think about this mission of securing open-source software, which, it's easy, we're going to be done by the end of the year, (laughter) there's three main stakeholders, right, which is private sector, so the larger organizations that make up our premier membership and our board, the public sector, so US government, the EU, the UN, all these organizations that are accountable for setting policy and providing direction and protecting their citizens, and then the community, so how do we help the community, who you may not be a security expert, but gosh, you really want to make sure that your code is secure or the providence is good. So those are our stakeholders, and by engaging with those three stakeholders, we believe we can help improve the security of open-source software.

>> Yeah, I think for us, we've been talking about SBOMs and attestation and signing of containers with the Notary Project who was just on, and I think it's, people are looking to get beyond SBOMs. And where do you see us in that journey to be, because again, you had the federal directive and things of that nature, but that only gets you so far. Where do you see the state of things?

>> SBOMs are great, but SBOMs on their own aren't a security property per se. They allow you to do a lot of interesting security things, but on their own, they don't provide security utility. So one of the things that we're going to be doing, we're going to be at Open Source Summit North America, we're having our SOSS, Securing Open Source Software, Community Day on the 15th of April, just before that. And in addition to all the wonderful talks that we normally have, we're going to be having three workshops. The first workshop is on Scorecard. So if you always wanted to contribute to Scorecard but didn't know how, come in, learn about the code base, raise your first PR, do great things. The second is a SLSA workshop. So if you want to adopt SLSA and you want to be SLSA two or three level, a lot of people don't know how to do that, and the documentation is extensive. The SLSA team will be there and they will help contributors and maintainers achieve SLSA levels within that workshop. And then the third, the one I'm most excited about, I was on Wall Street for about 10 years and our regulators always made us do these simulation exercises called tabletops, and it was to exercise your security operations team, engineering team, general counsel comms team, so that when an event happens, everybody knows their marks, they know what's going to happen, you're not reading the process book for the first time when things are melting down. We're going to do a tabletop exercise with maintainers, cloud providers, and the community at Open Source Summit North America to really exercise that, okay, so I have an SBOM, security incident happened, what the heck am I going to do? How am I going to use Sigstore in an incident? So all of that's going to be exercised, and the output of that is going to be a guide that we're going to provide to the community to help us whenever the next Log4j should occur to have a playbook by which we can operate.

>> Amazing. So you're going to help develop and share that process for organizations that may not have a tabletop exercise process in place today?

>> Absolutely. And this isn't a one and done, right? So this is going to be the base artifact. From there, we're going to continue to iterate at our events and explore. One of the things I'd love to see, after each of these kind of exercises, we'd typically, when I was on Wall Street, do a hot wash where we sit back and we reflect what went well, what didn't. I really want to hear from the community where they feel we're a little bit soft in our incident response so that we as OpenSSF can start advocating for, whether it be technology, education, additional guidance to help make that better next time.

>> Where do you see kind of the Scorecard playing out, and kind of describe the Scorecard, because there's a lot of organizations who don't know about it, and I know you've released it and you actually had some findings that you published at the end of the year, or the beginning of this year, about what had happened last year, and the Scorecard is something that I think organizations should be looking at, to your point about, "hey, they should also be doing tabletops."

>> Yeah.

>> And we advocate for tabletops all the time, but I think, so that's awesome, because I think getting involved and understanding that process, because having been someplace where Log4j and we had to figure out,

okay, where is this- >> Yep.

>> In all of our software, which was not a trivial thing, to put it mildly. How does the Scorecard really help organizations and what really is it?

>> Absolutely. So Scorecard, as the name implies, is literally a report card that you can run against the open-source dependencies that you have in your project. And it will take a set of known-to-be-good security properties and test the repo either in GitHub or GitLab to validate that they're present. It could be things like branch protection, two factor, well, I guess two-factor authentication's a default now, but it checks all these security properties and pops out a score for you. As a consumer of open source, and there's two different perspectives here, but as a consumer of open source, that allows you to reason over, I need to use an SSL library, should I use OpenSSL, PolarSSL, BoringSSL? And it allows you to make a risk-based assessment based on the criteria as to which one you should take on. The second perspective of is that of a maintainer. All maintainers want their projects to be adopted by the world. What better way to do that than to have this Scorecard badge that says, hey, OpenSSF has checked my security properties

and- >> I'm safe to adopt.

>> Exactly. >> Yeah.

>> Exactly.

>> You mentioned in your sort of list of three, the Scorecard, of getting more people involved and contributing to that. Do you've got, do you have a list of GitHub issues or-

>> Oh yeah. >> Something that people-

>> Omkhar: There's a laundry list of GitHub issues

that are open. >> Yeah.

>> Our TPM's going to have a burn-down list ahead of our contributor workshop.

>> That's great.

>> And we're looking forward to getting everybody out there and helping build Scorecard out.

>> How do you see the community kind of coming together? Because there's a lot of projects out there aimed at different aspects of security.

>> Omkhar: Yeah.

>> How do you see that all coming together? Again, looking at, there's 114 or so sandboxed, there's like another 50 or so in incubation, and 27 graduated. How does the community, how do you see them all working together?

>> It's, I mean, like many open-source projects, it's all bottoms up. We find that a lot of the most avid users of OpenSSF technologies are CNCF projects.

>> Rob: Yeah.

>> So, I believe there was a talk just earlier, it was either today or yesterday, on how one of the projects was using Sigstore in order to attest provenance of their lineage. The other opportunity that we have, or the other thing that we saw as an opportunity, and I'm speaking as somebody that's been doing both open source and security for a really long time, the open-source community has their events and their watering holes, the security community has theirs, right? So on the open-source side, it's FOSDEM, it's CNCF, KubeCon, it's Open Source North America and EU. And similarly on the security side, we have the trade shows,

right, RSA, Black Hat- >> Sure.

>> We have the hacker community at DEF CON, we have the academics at... USENIX and Real World Crypto and stuff like that. And one of the safe spaces we want to make for the intermingling of the open-source and security communities is a conference we're going to be hosting this year in Atlanta in October called SOSS Fusion. And it is focused on that cross pollination between our communities to make sure the security folks and the open-source folks are working hand in hand. So we're really looking forward to that.

>> Wow. >> And I think that's-

>> OpenSSF is the organizers of that?

>> We are the organizers. It is called SOSS, Securing Open Source Software-

>> Yeah. >> Fusion.

>> Really cool. I think that, and also, we'll be at Open Source Summit in Seattle.

>> Omkhar: Excellent.

>> So it'd be great to have you on after you've done the tabletop and have some just, I would say qualitative output that you found, because I think that organizations need to see, this is how they have to do it. I mean, we go to a lot of the different security conferences and I think one of the things is that if you haven't done a tabletop in two years, the last two years, you're pretty screwed. I mean, 'cause and having run DR for a major financial company, I think-

>> You know where I'm coming from.

>> I know where you're coming from. (laughter)

'Cause I had the book. >> Yeah.

>> And you didn't want it to be the first day-

>> You're blowing the dust off the cover.

>> Yeah, when the fiber got back hoed by...

>> Well- >> People. It's like you're sitting there like, "okay, now what?" And it's like, "okay, I'm getting the page at two in the morning, "now what do I do to shut down all these servers?"

>> Exactly. >> And stuff like that.

>> Dustin: Well-rehearsed incident response.

>> Yeah.

>> I mean, you can see the results when that's well-rehearsed and everyone knows what they're doing.

>> Absolutely.

>> It's still a tough situation, but at least people knowing how to address and what their responsibilities are.

>> It's going to be a tough situation, but it shouldn't be a panic.

>> Right. >> Right.

>> Right, yeah.

>> It should be not routine. >> Yeah.

>> But you should not be worried about going into executing.

>> One of my neighbors is a paramedic and the, there's an analog with how paramedics operate. You'll never see a paramedic running through an accident scene. They will move deliberately, they'll move quickly, but they will always follow their steps because rush and panic in an incident can actually cause more damage than what you're trying to rectify.

>> Absolutely. Where do you see OpenSSF beyond, okay, so we're, we get to the SOSS Fusion, where do you see by next year this time when we're sitting somewhere up north of here? (laughs)

>> So, I mean, I already told you, we're going to fix all the open-source problems in security by the end of the year, so here we are.

>> Rob: Oh, there we go.

Awesome. >> Mission accomplished.

>> Yes. (laughs)

>> So a lot of the stuff we're working on really hard this year focuses in three main areas. One, convening. We talked a lot about bringing the communities together, talking with public sector and ensuring that they're advocating for things that'll support better security in open source. We're also really strong believers in education. We're right now in the middle of revamping our secure developer education. There's a survey that Linux Foundation Research is putting out right now where we've asked the community, hey, based on your incidents, based on the issues you have in your code base, where could we be doing better in terms of providing you instruction? And in addition to that, if we think about the watering holes of our security community, it's really the security repos, right, or the package repos. It's PyPI, it's Rust Cargo, it's NPM. We recently put out some guidance along with CISA talking about how to secure repositories because we believe that's a great choke point in which we can positively affect the security properties of open-source software that everyone consumes. We're going to be putting a lot more effort behind that over the course of the year, and to the point that we're going to develop some much more specific security standards that repo owners and maintainers should be adhering to, so that there's an even bar that when you choose to enter the business of being a repository, you know that there's good providence, you know that there's good production quality control, and access control, all of these different properties. So we're looking forward to doing that as well.

>> Reproducibility maybe- >> Reproducibility.

>> And being able to verify those attestations.

>> Verify the attestations, a well-formed SBOM, perhaps. Yeah.

>> Yeah, so I think it's, you also get to see this from a different level because you are interacting with governments and things of that nature. Kind of give us an idea of what you're seeing. Are there differences between what's happening in the US and what's happening over here in Europe or in Asia? What are you seeing from a, how people are putting themselves out there and really trying to work always in a secure manner?

>> So from our perspective, as the foundation, we're here to ensure technical correctness. And the reason that I start there is I'm a software engineer, most of the folks that work on OpenSSF are technical. We're not lawyers and we're not politicians. And we are quite happy for those folks to invoke the appropriate legislative processes that are the cultural norms of where they are. We're here for technical correctness. So what we see in the US is the US politically has generally let innovation occur and then when things start trending badly, come in with a bit of a heavy hammer around legislation and regulation. In Europe, culturally, it seems like the EU wants to get ahead of that. So they're trying to look beyond the next horizon and figure out what's coming up. Examples being things like the CRA, as well as the AI Act that they recently passed.

>> Rob: Yeah.

>> So culturally, I think the top-down versus bottoms-up approach to legislation is different, but the intent's the same, like everybody recognizes security's incredibly important and we can't keep getting burned with supply chain issues and ransomware attacks on such a regular basis. Otherwise, not only will our economies collapse, but our citizens won't be safe anymore.

>> Right.

>> So you hit on it there, and we'll kind of end on this question, but AI, I mean, signing models, trying to understand where models came from and their lineage, and the data, securing the data and making sure that PII is protected. Where do you see OpenSSF playing a role, from an open-source perspective, with that?

>> Two perspectives on that. One, I think AI itself can be a great enabler of security for open source. So we're partnered with DARPA on the AI Cyber Challenge in which DARPA has challenged the community and researchers to, I think it's up to $18 million now in prize money-

>> Wow. >> Wow.

>> Midpoint check, the open competition's occurring right now, midpoint check in at DEF CON 2024, finals DEFCON 2025. And we challenged the community to say, hey, how can you apply large-language models to solve entire class of vulnerabilities in open source? As for the security of LLMs, a lot of the existing open-source, OpenSSF security software can be used. So if you're talking about model providence, you can sign using Sigstore and assure the providence of the model. If you're talking about some of the basic open-source components that go into the LLM, again, you can use security score, or you can use OpenSSF Scorecard and tools such as that. We have an AI and ML workgroup that's currently working on some of the higher-order challenges around AI and machine learning. But I'd love to see us produce something like a responsible disclosure guidance for large-language models and things of that nature.

>> Well, Omkhar, thank you for coming on. I think, again, even two days in, you were great, but I always learn something when I talk to you and I really appreciate you coming on board today and being with Dustin and I to talk about this.

Thank you. >> It's a pleasure. I look forward to seeing you in Seattle and talking about the tabletop.

>> Absolutely. We'll see you there. And we'll see you here, so keep it tuned from KubeCon CloudNativeCon EU live from Paris here on theCUBE, the leader in high-tech news and analysis. Stay tuned. (upbeat music)

Omkhar Arasaratnam | OpenSSF

search

(upbeat music)

>> Hello, and welcome back to Paris. We're here at KubeCon CloudNativeCon EU, really digging deep into what's going on in a lot of different projects and foundations around Kubernetes and cloud native technology. I'm here joined by Dustin Kirkland, helpin' me out with analyzing things, and Omkhar, who's the GM of OpenSSF, has joined us as well, which you were on a little bit ago

when it was your second day. >> Yeah.

>> As GM. >> I was shocked. There was a big conference. You guys are very accommodating. (laughter) It's lovely to be back.

>> Dustin: You feel more settled in now?

>> A little, a little, a little.

>> Yeah, well it's great to have you here, because I know we were just talking beforehand, and you're running all over the place advocating for what has to happen and regulations and where things are going, and not only working with the groups here, but groups outside, like small groups, like the UN and others, and things of that nature.

>> Little groups like that. >> Yeah.

>> I mean, when we think about this mission of securing open-source software, which, it's easy, we're going to be done by the end of the year, (laughter) there's three main stakeholders, right, which is private sector, so the larger organizations that make up our premier membership and our board, the public sector, so US government, the EU, the UN, all these organizations that are accountable for setting policy and providing direction and protecting their citizens, and then the community, so how do we help the community, who you may not be a security expert, but gosh, you really want to make sure that your code is secure or the providence is good. So those are our stakeholders, and by engaging with those three stakeholders, we believe we can help improve the security of open-source software.

>> Yeah, I think for us, we've been talking about SBOMs and attestation and signing of containers with the Notary Project who was just on, and I think it's, people are looking to get beyond SBOMs. And where do you see us in that journey to be, because again, you had the federal directive and things of that nature, but that only gets you so far. Where do you see the state of things?

>> SBOMs are great, but SBOMs on their own aren't a security property per se. They allow you to do a lot of interesting security things, but on their own, they don't provide security utility. So one of the things that we're going to be doing, we're going to be at Open Source Summit North America, we're having our SOSS, Securing Open Source Software, Community Day on the 15th of April, just before that. And in addition to all the wonderful talks that we normally have, we're going to be having three workshops. The first workshop is on Scorecard. So if you always wanted to contribute to Scorecard but didn't know how, come in, learn about the code base, raise your first PR, do great things. The second is a SLSA workshop. So if you want to adopt SLSA and you want to be SLSA two or three level, a lot of people don't know how to do that, and the documentation is extensive. The SLSA team will be there and they will help contributors and maintainers achieve SLSA levels within that workshop. And then the third, the one I'm most excited about, I was on Wall Street for about 10 years and our regulators always made us do these simulation exercises called tabletops, and it was to exercise your security operations team, engineering team, general counsel comms team, so that when an event happens, everybody knows their marks, they know what's going to happen, you're not reading the process book for the first time when things are melting down. We're going to do a tabletop exercise with maintainers, cloud providers, and the community at Open Source Summit North America to really exercise that, okay, so I have an SBOM, security incident happened, what the heck am I going to do? How am I going to use Sigstore in an incident? So all of that's going to be exercised, and the output of that is going to be a guide that we're going to provide to the community to help us whenever the next Log4j should occur to have a playbook by which we can operate.

>> Amazing. So you're going to help develop and share that process for organizations that may not have a tabletop exercise process in place today?

>> Absolutely. And this isn't a one and done, right? So this is going to be the base artifact. From there, we're going to continue to iterate at our events and explore. One of the things I'd love to see, after each of these kind of exercises, we'd typically, when I was on Wall Street, do a hot wash where we sit back and we reflect what went well, what didn't. I really want to hear from the community where they feel we're a little bit soft in our incident response so that we as OpenSSF can start advocating for, whether it be technology, education, additional guidance to help make that better next time.

>> Where do you see kind of the Scorecard playing out, and kind of describe the Scorecard, because there's a lot of organizations who don't know about it, and I know you've released it and you actually had some findings that you published at the end of the year, or the beginning of this year, about what had happened last year, and the Scorecard is something that I think organizations should be looking at, to your point about, "hey, they should also be doing tabletops."

>> Yeah.

>> And we advocate for tabletops all the time, but I think, so that's awesome, because I think getting involved and understanding that process, because having been someplace where Log4j and we had to figure out,

okay, where is this- >> Yep.

>> In all of our software, which was not a trivial thing, to put it mildly. How does the Scorecard really help organizations and what really is it?

>> Absolutely. So Scorecard, as the name implies, is literally a report card that you can run against the open-source dependencies that you have in your project. And it will take a set of known-to-be-good security properties and test the repo either in GitHub or GitLab to validate that they're present. It could be things like branch protection, two factor, well, I guess two-factor authentication's a default now, but it checks all these security properties and pops out a score for you. As a consumer of open source, and there's two different perspectives here, but as a consumer of open source, that allows you to reason over, I need to use an SSL library, should I use OpenSSL, PolarSSL, BoringSSL? And it allows you to make a risk-based assessment based on the criteria as to which one you should take on. The second perspective of is that of a maintainer. All maintainers want their projects to be adopted by the world. What better way to do that than to have this Scorecard badge that says, hey, OpenSSF has checked my security properties

and- >> I'm safe to adopt.

>> Exactly. >> Yeah.

>> Exactly.

>> You mentioned in your sort of list of three, the Scorecard, of getting more people involved and contributing to that. Do you've got, do you have a list of GitHub issues or-

>> Oh yeah. >> Something that people-

>> Omkhar: There's a laundry list of GitHub issues

that are open. >> Yeah.

>> Our TPM's going to have a burn-down list ahead of our contributor workshop.

>> That's great.

>> And we're looking forward to getting everybody out there and helping build Scorecard out.

>> How do you see the community kind of coming together? Because there's a lot of projects out there aimed at different aspects of security.

>> Omkhar: Yeah.

>> How do you see that all coming together? Again, looking at, there's 114 or so sandboxed, there's like another 50 or so in incubation, and 27 graduated. How does the community, how do you see them all working together?

>> It's, I mean, like many open-source projects, it's all bottoms up. We find that a lot of the most avid users of OpenSSF technologies are CNCF projects.

>> Rob: Yeah.

>> So, I believe there was a talk just earlier, it was either today or yesterday, on how one of the projects was using Sigstore in order to attest provenance of their lineage. The other opportunity that we have, or the other thing that we saw as an opportunity, and I'm speaking as somebody that's been doing both open source and security for a really long time, the open-source community has their events and their watering holes, the security community has theirs, right? So on the open-source side, it's FOSDEM, it's CNCF, KubeCon, it's Open Source North America and EU. And similarly on the security side, we have the trade shows,

right, RSA, Black Hat- >> Sure.

>> We have the hacker community at DEF CON, we have the academics at... USENIX and Real World Crypto and stuff like that. And one of the safe spaces we want to make for the intermingling of the open-source and security communities is a conference we're going to be hosting this year in Atlanta in October called SOSS Fusion. And it is focused on that cross pollination between our communities to make sure the security folks and the open-source folks are working hand in hand. So we're really looking forward to that.

>> Wow. >> And I think that's-

>> OpenSSF is the organizers of that?

>> We are the organizers. It is called SOSS, Securing Open Source Software-

>> Yeah. >> Fusion.

>> Really cool. I think that, and also, we'll be at Open Source Summit in Seattle.

>> Omkhar: Excellent.

>> So it'd be great to have you on after you've done the tabletop and have some just, I would say qualitative output that you found, because I think that organizations need to see, this is how they have to do it. I mean, we go to a lot of the different security conferences and I think one of the things is that if you haven't done a tabletop in two years, the last two years, you're pretty screwed. I mean, 'cause and having run DR for a major financial company, I think-

>> You know where I'm coming from.

>> I know where you're coming from. (laughter)

'Cause I had the book. >> Yeah.

>> And you didn't want it to be the first day-

>> You're blowing the dust off the cover.

>> Yeah, when the fiber got back hoed by...

>> Well- >> People. It's like you're sitting there like, "okay, now what?" And it's like, "okay, I'm getting the page at two in the morning, "now what do I do to shut down all these servers?"

>> Exactly. >> And stuff like that.

>> Dustin: Well-rehearsed incident response.

>> Yeah.

>> I mean, you can see the results when that's well-rehearsed and everyone knows what they're doing.

>> Absolutely.

>> It's still a tough situation, but at least people knowing how to address and what their responsibilities are.

>> It's going to be a tough situation, but it shouldn't be a panic.

>> Right. >> Right.

>> Right, yeah.

>> It should be not routine. >> Yeah.

>> But you should not be worried about going into executing.

>> One of my neighbors is a paramedic and the, there's an analog with how paramedics operate. You'll never see a paramedic running through an accident scene. They will move deliberately, they'll move quickly, but they will always follow their steps because rush and panic in an incident can actually cause more damage than what you're trying to rectify.

>> Absolutely. Where do you see OpenSSF beyond, okay, so we're, we get to the SOSS Fusion, where do you see by next year this time when we're sitting somewhere up north of here? (laughs)

>> So, I mean, I already told you, we're going to fix all the open-source problems in security by the end of the year, so here we are.

>> Rob: Oh, there we go.

Awesome. >> Mission accomplished.

>> Yes. (laughs)

>> So a lot of the stuff we're working on really hard this year focuses in three main areas. One, convening. We talked a lot about bringing the communities together, talking with public sector and ensuring that they're advocating for things that'll support better security in open source. We're also really strong believers in education. We're right now in the middle of revamping our secure developer education. There's a survey that Linux Foundation Research is putting out right now where we've asked the community, hey, based on your incidents, based on the issues you have in your code base, where could we be doing better in terms of providing you instruction? And in addition to that, if we think about the watering holes of our security community, it's really the security repos, right, or the package repos. It's PyPI, it's Rust Cargo, it's NPM. We recently put out some guidance along with CISA talking about how to secure repositories because we believe that's a great choke point in which we can positively affect the security properties of open-source software that everyone consumes. We're going to be putting a lot more effort behind that over the course of the year, and to the point that we're going to develop some much more specific security standards that repo owners and maintainers should be adhering to, so that there's an even bar that when you choose to enter the business of being a repository, you know that there's good providence, you know that there's good production quality control, and access control, all of these different properties. So we're looking forward to doing that as well.

>> Reproducibility maybe- >> Reproducibility.

>> And being able to verify those attestations.

>> Verify the attestations, a well-formed SBOM, perhaps. Yeah.

>> Yeah, so I think it's, you also get to see this from a different level because you are interacting with governments and things of that nature. Kind of give us an idea of what you're seeing. Are there differences between what's happening in the US and what's happening over here in Europe or in Asia? What are you seeing from a, how people are putting themselves out there and really trying to work always in a secure manner?

>> So from our perspective, as the foundation, we're here to ensure technical correctness. And the reason that I start there is I'm a software engineer, most of the folks that work on OpenSSF are technical. We're not lawyers and we're not politicians. And we are quite happy for those folks to invoke the appropriate legislative processes that are the cultural norms of where they are. We're here for technical correctness. So what we see in the US is the US politically has generally let innovation occur and then when things start trending badly, come in with a bit of a heavy hammer around legislation and regulation. In Europe, culturally, it seems like the EU wants to get ahead of that. So they're trying to look beyond the next horizon and figure out what's coming up. Examples being things like the CRA, as well as the AI Act that they recently passed.

>> Rob: Yeah.

>> So culturally, I think the top-down versus bottoms-up approach to legislation is different, but the intent's the same, like everybody recognizes security's incredibly important and we can't keep getting burned with supply chain issues and ransomware attacks on such a regular basis. Otherwise, not only will our economies collapse, but our citizens won't be safe anymore.

>> Right.

>> So you hit on it there, and we'll kind of end on this question, but AI, I mean, signing models, trying to understand where models came from and their lineage, and the data, securing the data and making sure that PII is protected. Where do you see OpenSSF playing a role, from an open-source perspective, with that?

>> Two perspectives on that. One, I think AI itself can be a great enabler of security for open source. So we're partnered with DARPA on the AI Cyber Challenge in which DARPA has challenged the community and researchers to, I think it's up to $18 million now in prize money-

>> Wow. >> Wow.

>> Midpoint check, the open competition's occurring right now, midpoint check in at DEF CON 2024, finals DEFCON 2025. And we challenged the community to say, hey, how can you apply large-language models to solve entire class of vulnerabilities in open source? As for the security of LLMs, a lot of the existing open-source, OpenSSF security software can be used. So if you're talking about model providence, you can sign using Sigstore and assure the providence of the model. If you're talking about some of the basic open-source components that go into the LLM, again, you can use security score, or you can use OpenSSF Scorecard and tools such as that. We have an AI and ML workgroup that's currently working on some of the higher-order challenges around AI and machine learning. But I'd love to see us produce something like a responsible disclosure guidance for large-language models and things of that nature.

>> Well, Omkhar, thank you for coming on. I think, again, even two days in, you were great, but I always learn something when I talk to you and I really appreciate you coming on board today and being with Dustin and I to talk about this.

Thank you. >> It's a pleasure. I look forward to seeing you in Seattle and talking about the tabletop.

>> Absolutely. We'll see you there. And we'll see you here, so keep it tuned from KubeCon CloudNativeCon EU live from Paris here on theCUBE, the leader in high-tech news and analysis. Stay tuned. (upbeat music)