From Fear to Confidence: Navigating Open Source Security

Open at Intel host Katherine Druckman welcomes back Christopher Robinson, aka “CRob,” OpenSSF’s chief security architect, to discuss the importance of open source software security and the work being done to improve security standards.

“A lot of times we get so wrapped up in our day-to-day grind of whether we're a security person or a developer that we don't necessarily get exposure to what else is going on in the broader ecosystem.”

— Christopher “CRob” Robinson, Chief Security Architect, OpenSSF


Katherine Druckman: Hey, CRob, thanks for joining me again. I feel like I need to mention, I think you were maybe episode two or something ever of this podcast. It was way back in the beginning, and now we're at, I don't know, we're not at a hundred yet or anything, but we're in the seventies. 

Christopher "CRob" Robinson: Awesome. 

Katherine Druckman: It's a nice time, I think, to invite you back, so I appreciate it. 

Christopher "CRob" Robinson: It's solid. Yeah, I'm glad to be back. Thanks for having me. I love doing this stuff. I love talking with my open source friends. 

Katherine Druckman: I know. This is the best part of my job, getting to talk to cool nerds. That's how I like to describe it. 

Christopher "CRob" Robinson: Well, who do you have up next, because that certainly isn't me. 

Katherine Druckman: That's a good question, because I don't know exactly what order I'm going to release them in, so that's a mystery. Let's just say you'll have to tune in next time to find out which cool nerd is next. 

Christopher "CRob" Robinson: Awesome. I love it. I love it. 

Diving Into Open Source Security

Katherine Druckman: First, I wanted you to join me again today because there's always a lot to talk about in open source software security and because it's important. 

Christopher "CRob" Robinson: Yes. 

Katherine Druckman: Second, the last time we talked, we talked in very general security terms, but I have never had a conversation with you, on the record, on the show, about your open source security community work, and it is impressive, and there is so much of it, there's a lot to unpack. I wondered if you could start out by telling everybody about your work over the past couple of years in the OpenSSF, which is the Open Source Security Foundation. 

Christopher "CRob" Robinson: I would love to. I am Christopher Robinson, aka “CRob.” I do security stuff on the internet, and some of that stuff is, I get to work with organizations like FIRST, which is the Forum of Incident Response and Security Teams. Those are all the vendor security teams in the ecosystem. And then, with the OpenSSF, the Open Source Security Foundation, and that is an organization focused on improving the security of open source software for everyone in the ecosystem. 

Understanding the OpenSSF

Christopher "CRob" Robinson: We have 10 working groups, dozens of projects, hundreds of members, and just day to day, we have multiple hundreds of people contributing and participating in this amazing movement. Depending on what study you read, I've seen that most commercial software includes between 90 to 98% of open source components inside, so even though it might have a vendor's label on it, under the hood, there were some amazing men and women that toil away for a lot of different reasons, but almost always it's for the love of creation and trying to solve problems kind of under the hood inside that commercial software that big vendors like Intel or anyone selects and then embeds as part of a product offering. 

I've been working with the OpenSSF since the very beginning, the second month of its creation I've been involved, and I started off involved just as a community member. I was part of the Developer Best Practices working group and the Vulnerability Disclosure working group. Because I was there and because I was helpful, I eventually moved my way up and became the working group chair of both those groups. Eventually, I moved into the role I currently have as the Chairperson of the Technical Advisory Council, which helps oversee all of the projects and technical initiatives within the foundation. 

Katherine Druckman: Obviously, this is a really, really important organization, and we are both super biased, but it really is. Right? There's so much really important and really excellent work going on there and so much collaboration from people across the ecosystem. But I think there's also a bit of mystery about it. 

Christopher "CRob" Robinson: Oh. 

Katherine Druckman: I've heard this from a lot of people. They're very curious about the work at the OpenSSF and maybe have a bit of trouble understanding really what makes it tick and what the day-to-day focus of the organization is. I wondered if you could kind of unpack that part a little bit. 

Christopher "CRob" Robinson: Absolutely. 

Katherine Druckman: What is your priority when you come together and make these decisions on behalf of the TAC, the technical advisory council? 

Key Personas in Open Source Security

Christopher "CRob" Robinson: Well, predominantly, we focus on broadly four personas. These are stakeholders or participants within the ecosystem. First and foremost, my primary persona that I work a lot with are the developer maintainers, those folks that actually produce the software. 

Then we focus in on people who are open source consumers, and this could be other open source developers, or a vendor like a commercial enterprise, or even just a regular enterprise like a bank or a retail place that uses open source software. 

Then, I think about the chief security officer and the public policy type people. These are folks that have requirements, or they have legal obligations, so they need to have information about the quality of the stuff that they're using inside their environments. 

And then that last persona would be security researchers, which are a big part of our ecosystem, whether they're studying how open source works, or maybe they're like a professional bug hunter. These are the men and women that help find problems. They report it to projects and try to help get these problems fixed. Each one of those broad types breaks down into sub-personas where it's very specific, but, broadly, it's those four types of people we do our work for. 

Depending on what your persona is, what community, what camp you live in, we have different offerings. If you're a developer, we have a lot of information about best practice, documentation, white papers, concise guides, training, and we also have tooling to help developers do their work more quickly and with less friction. 

If you're thinking about an open source consumer, one of the big things we do is we focus in on reporting information. Here are the security qualities of a project, and we're not making a value statement that one is better than the other, we're just trying to provide the facts. These are common things that you should look for as you're ingesting a third-party component, open source or not, and help give people a little measuring stick on how they can understand the quality of the software that they are using inside their own organizations or projects. That also applies to both the supplier and the CISO regulator persona, as well, as they care a lot about the details and everything that goes into making the sausage. 

Katherine Druckman: Yeah, that's fantastic. Again, there's so much good work. I really appreciate that you bring up that kind of consumer thing. Even as a developer, you have this tendency as someone new to open source to be like a kid in a candy store. There's all this stuff you can use that's really useful. There's so much good stuff out there, and you can just go and find any functionality you need, and you can just ingest that into your project. Again, in a more junior position, and maybe even a more senior position, you don't always consider the consequences of that and what that really means to take on somebody else's code, and so I do really appreciate that level of education. 

Christopher "CRob" Robinson: There's a lot of different motivations about why people write software, but, broadly, they are trying to help others and solve a problem, at its most fundamental. But because you're helpful and you're a nice person doesn't necessarily mean you have all the skills or tools to do it securely or deliver at a level of quality that the downstream might expect. So, that's again, organizations like us, like OWASP or anything like the Python Foundation, these groups are focused on trying to help their constituents and try to help them make the best quality software that they can. 

Katherine Druckman: I keep saying that I'm biased, but I really am. But I also think my attraction to the field of security is largely out of fear and anxiety. It’s a healthy kind of fear and anxiety. It's not the bad kind. I feel like a little healthy amount of fear when you're releasing software for other people to use is just being a responsible adult. But, yeah, every time you tag a release, it's on you to take ownership of the security of the project you're working on, in my opinion, and hopefully others. To have a group of people dedicated to making my life easier as the person releasing that software is really incredibly valuable.  

Educational Resources for Developers

Katherine Druckman: But I wanted to pivot just a little bit beyond the scope of what the organization itself does and talk about something that you mentioned, which is training and learning materials. I wondered if we could go a little bit more into that. As a developer or software engineer, what is my first step if I want to learn from all of this massive work that's happening at the OpenSSF? 

Christopher "CRob" Robinson: There's a couple different approaches, and it really depends on where the developer is in their career. If you're just starting out and you're a student, it's much easier to dedicate the time to go through a formal class. But if you're someone that's a little bit further along in their career and you have obligations where you have deliverables on the project you've got to execute on, and you've got family, you don't have as much free time to devote to this type of stuff. Again, we understand that people have different constraints, so we try to offer a spectrum of ways to help provide that awareness and education to the developer. 

We do have a free secure development fundamentals class that teaches developers how to identify common mistakes that are in software that lead to vulnerabilities and how to avoid them. That's a free class, and if you want, you could pay and get a certificate if you like being the gold star trophy kind of person. 

Katherine Druckman: That's cool.   

Christopher "CRob" Robinson: But, then, thinking about people who are embedded either in a language or an ecosystem, we have guides that talk about how to compile C and C++ more securely, hardening things. We have a Python security guide, so if you're a Python developer, there's a means that you can see examples of bad Python code and how to avoid that. 

And then we also do things like concise guides. It's like a checklist, and that's I think the most palatable for working developers, is that they have a checklist of 10-15 things they can look at and kind of tick it off, and each one of those items has a whole library of other materials. We give you the statement, you should do this or that. You should turn on multi-factor authentication, for example. And then we provide resources on how to do that, where to go, what your options might be. 

And then, for example, if we're talking about secure coding practices, we try to find authoritative resources. We're not the greatest C or Go or Rust developers, but we know of those people. And so we try to fob off and point to those man pages, or if a community has really good instructions, we'll try to showcase that through our work to say, "Hey, if you want to know how to program in Rust securely, here's the Rust Secure Coding Guide," and forward people over to that community so they can get access to what they need. 

Getting Involved with OpenSSF Projects

Katherine Druckman: Let's say I've taken it a step further, and I am using an OpenSSF tool. For example, one of my favorites, something like Scorecard. I think Scorecard is a great tool. I think it's super handy. If I'm just getting started with something like that, how accessible is that community to me? Can I just drop in to the working group meeting or to the meeting where people working on the tool itself gather? Can I do that? Can I ask those people questions directly? 

Christopher "CRob" Robinson: I'm going to say yes, asterisks. Absolutely. 

Katherine Druckman: Excellent. 

Christopher "CRob" Robinson: All OpenSSF projects are 100% open to the public, so our source code is in GitHub and available to everybody. Our meetings are all public. We record them in videos, so you log in and you can see the videos of the topics you're interested in. All of our notes and our Slack channel, all of that is open to the public, so it's very easy to dip your toe in and get a feel for things. 

Now, a large, complex, established project like Scorecard is a little tougher. It's not as hard as onboarding to Kubernetes or the kernel work, but there's some expectations that you have some certain degree of understanding, and that's where, like you mentioned, you very easily can pop in and listen to a meeting, and if you have questions, the folks will be very supportive and try to answer them, whether it's in a meeting or in our Slack. But sometimes you need to understand the community's contribution guide, how they might accept work, or even they might have a listing of things they're looking for help on. That's a special super bonus for newcomers, when the project points you to a list of things like, "Hey, we really would like to revise our documentation," or "We need help with these two PRs," or, "We need comments on these issues." When the communities steer newcomers to that, it makes your onboarding experience much simpler. 

Katherine Druckman: Fabulous. 

Christopher "CRob" Robinson: But compare Scorecard to something like OpenVex or Protobom where those are smaller projects, those are a little bit more intimate experience, because it's a smaller community, so you might get a little bit more mentoring than you may with Scorecard. 

Katherine Druckman: Fabulous. Fabulous. I love it. I think it's important to remember that there are so many open source communities out there, again, doing great work, very welcoming, a lot of people there to really collaborate and to help people along in their own software journeys, whatever those may be. But, I think sometimes it is kind of hard to get over the intimidation factor or figure out where your entry point is. 

Christopher "CRob" Robinson: Yeah, we do so many things, and some of the work we're going to be doing in the coming months is to try to help simplify that. Again, I think keying off these personas, have that be the landing point, and depending on what that person's role is, will ideally be able to help better steer them to the resources and communities that they're interested in, as opposed to saying, "Okay, here's a hundred things. Good luck." 

Upcoming Event: SOSS Fusion

Katherine Druckman: There's another thing that I really wanted to mention that's something that's coming up. 

Christopher "CRob" Robinson: Oh. 

Katherine Druckman: Let's say I've leveled up in my security learning. I've gone through a little bit of training. I've checked out some guides. I might even be using some tooling. But I want to take the next step in my learning, and that might be to attend an in-person event where you can learn from so many different people all in the same place. 

Christopher "CRob" Robinson: Right. 

Katherine Druckman: I love open source events. I always have. I've been going to them for, well, I won't even say how long, because that's how I learned when I first got started. I would've never been able, I don't think, to find my way had I not been a regular attendee at some events, which can be difficult, but ultimately worthwhile. There is such an event coming up really soon that I wanted to make sure to mention- 

Christopher "CRob" Robinson: Yes, there is. 

Katherine Druckman: That is SOSS Fusion. It is in the greater Atlanta area coming up in October.  

Christopher "CRob" Robinson: That's right. Towards the end of October, right before Halloween. 

Katherine Druckman: Right before Halloween. I think it's the 22nd and 23rd. You can just Google it. It's SOSS Fusion, or you can go to OpenSSF.org and it's on there. But CRob, you will be there, as well, right? 

Christopher "CRob" Robinson: I will. 

Katherine Druckman: I will be there, and you will be there? 

Christopher "CRob" Robinson: Sweet. Mm-hmm. 

Katherine Druckman: Yeah. Awesome. 

Christopher "CRob" Robinson: SOSS Fusion is really interesting. This is the first year we've decided to do something like this, and it's a conference where we're trying to help grow our community. We're trying to reach out and bring new members in that may not historically go to an open source or a security conference. We're trying to engage with students, new developers, people looking to change careers, security experts. It's going to be a really interesting gathering of folks. 

Like you mentioned, one of the best ways that I've learned throughout my career is, we call it the hallway track or a lobby con, is you go, you learn, you sit through an interesting presentation, you might talk to the presenter, but then it's all the activities that surround the event, and that ability to have a really in-depth conversation with somebody that has deep subject matter expertise. My experience with the community is they're very giving of their time, and this is a way that they're very willing to share what they've learned or their insights and try to help bring new people in. I think SOSS Fusion is a really great opportunity about that. 

The Value of Open Source Events

Katherine Druckman: That's a really great point about the hallway track, and this is one of those things if you're trying to justify travel to something like this. I can tell you, actually, I can't even remember all of the times, but there have been so many times when I have been stuck for a very long time on a technical problem. Years ago, I was involved in this massive ... it was an upgrade at its core, but a lot of upgrade migration. Anyway, a complicated project. I had been stuck. I'd been working on this thing. I had hit a wall. I went to a conference, and I met somebody who was working on one of the tools I was using, an actual contributor to the project. 

Christopher "CRob" Robinson: Oh. Yeah. 

Katherine Druckman: I think I had a two-hour conversation over beers at midnight at some random after-party, and this person in that conversation solved my problem. 

Christopher "CRob" Robinson: Oh. 

Katherine Druckman: I was able to go home and finish the project within the next month or so. That's not an exaggeration. It's hard to put a quantitative measure on the value of attending events like that, but sometimes you would be surprised at what you can get out of them. 

Christopher "CRob" Robinson: Also, a lot of times we get so wrapped up in our day-to-day grind of whether we're a security person or a developer, that we don't necessarily get exposure to what else is going on in the broader ecosystem. That's where those amazing talks that are on this docket, where you're going to be exposed to ideas that you might've heard of, you might've heard what an SBOM is, Software Bill of Materials, or VEX, which is a new way of sharing vulnerability information. You might've heard of it or saw somebody mention in a video or an article. Well, there'll be people there talking about these concepts, talking about things like the EU's CRA and how that legislation is going to affect both producers of open source software, but predominantly manufacturers and things. They're going to have to understand and forge better relationships with upstream communities so they can be compliant with the CRA. Yeah, so many amazing talks and amazing people there, that you get that opportunity for that hallway track is just brilliant. 

Katherine Druckman: Yeah, I'm a little biased, again. I guess in the interest of full disclosure, I was on the programming committee for this event, but so were a lot of other really, really smart people. We were all excited about the stuff we had to choose from. The ones that I'm most excited about are the ones in areas where I really don't have a lot of expertise; I'm excited to go and learn from some great people. 

Christopher "CRob" Robinson: From my perspective, I've been doing the foundation for four years, looking through the speakers and the topics, the program committee, my hat is off to you, because you've really done a good job bringing in some new voices. I'm excited to see some of the new people and their fresh perspectives. We have somebody coming over from a large manufacturer from India, and I'm excited to look at that person's talk. It's just these are voices we don't always get in our day-to-day working groups. I'm interested, and I'm very excited to have some more people collaborating with us. 

Katherine Druckman: Yeah, it's going to be a good time. 

Christopher "CRob" Robinson: Patches are always welcome. 

Katherine Druckman: Yes. Yes. I really do hope that this one becomes the foundation of a really interesting annual event. Again, as a security nerd, as someone who has been trying to become a bigger and bigger security nerd over the last few years, I think it's great to have that kind of perfectly tailored content to what I'm looking for, so I'm personally quite looking forward to it. Hey, listeners, by the way, thanks for letting us go on and on about this event that we're both obviously very excited about. I hope we'll see some of you there. 

Christopher "CRob" Robinson: I just like getting outside of the house once in a while and meeting people. 

Katherine Druckman: I know. Humans in person. It's so much fun. Sometimes. I mean, in moderation. These people are going to be great. 

Final Thoughts and Future Plans

Katherine Druckman: Thank you so much. Is there anything else you wanted to mention that you haven't yet about your role, the work that you've done, something you're excited about happening in the open source security world? 

Christopher "CRob" Robinson: No. Again, I just really appreciate the community throughout my career, which is 30 years or so of service. I have benefited so much from open source software, the open source community, and the security community, and I feel it's kind of my obligation through the OpenSSF to give back. I'm not a developer, but I can definitely help empower developers, make their days easier. I can help large enterprises understand how open source works. I feel this is my obligation giving back for everything that I've been given throughout the years with all this amazing software. 

I know that coming up we are going to be releasing the 2025 strategy for the foundation and you'll see that in November, and ideally, we're going to hit on some current topics and try to motivate some people to help us solve some big problems. We're looking to try to integrate DevSecOps practices into AI, ML, and LLM development. 

Katherine Druckman: Very exciting. 

Christopher "CRob" Robinson: That's some really interesting stuff that we're going to try to partner on and work together with. 

Katherine Druckman: Well, I look forward to that. I wholeheartedly agree about giving back to this ecosystem that we've both been a part of for a long time, and now it kind of runs the whole world. Getting back to that 90 to 98% thing. Yeah. To quote somebody, Luis Villa of Tidelift, who I interviewed not too long ago on this very podcast, "We haven't just won. We really, really won," in terms of open source adoption. 

Christopher "CRob" Robinson: I think '25 is going to be the year of the Linux desktop. 

Katherine Druckman: It might be, yeah. Finally. Finally. But it doesn't need to be. It's everywhere else. 

Christopher "CRob" Robinson: Right. 

Katherine Druckman: Everywhere else. Well, on that note, thank you again. I really appreciate it. I will see you at SOSS Fusion next month. 

Christopher "CRob" Robinson: Yes, you will. 

Katherine Druckman: I hope to see a bunch of other people at SOSS Fusion next month and at other open source events where we will, together, solve the world's problems. 

Christopher "CRob" Robinson: Excellent. Yeah, we're all better together. 

Katherine Druckman: You've been listening to Open at Intel. Be sure to check out more from the Open at Intel podcast at open.intel.com/podcast and at Open at Intel on Twitter. We hope you join us again next time to geek out about open source. 

About the Guest 

Christopher “CRob” Robinson, Chief Security Architect, OpenSSF

Christopher Robinson (aka CRob) is the chief security architect at OpenSSF. When this podcast interview was recorded, he was Intel’s director of security communications. CRob is a 41st level dungeon master and a 24th level securityologist. He has worked at several Fortune 500 companies with experience in the financial, medical, legal, and manufacturing verticals, and spent six years helping lead the Red Hat Product Security team as their program architect. CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter and is also a children's cybersecurity educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups as well as a technical advisory committee (TAC) member. He enjoys hats, herding cats, and moonlit walks on the beach. Find him on LinkedIn.

About the Host 

Katherine Druckman, Open Source Security Evangelist, Intel

Katherine Druckman, an Intel open source security evangelist, hosts the podcasts Open at Intel, Reality 2.0, and FLOSS Weekly. A security and privacy advocate, software engineer, and former digital director of Linux Journal, she's a long-time champion of open source and open standards. She is a software engineer and content creator with over a decade of experience in engineering, content strategy, product management, user experience, and technology evangelism. Find her on LinkedIn.