January 16, 2024
Open source has become instrumental in software innovation. With a massive ecosystem of innovators who are sharing knowledge and skills, open source continually creates new opportunities – both within the open source community and outside of it. Today, it has become so prevalent and so relied upon in modern software development processes that 96 percent of applications have at least one open-source component, according to Gitnux Market Data Report 2024.
As such, open source has become a large part of the software supply chain, which, simply put, comprises everything that touches the code in the software development lifecycle (SDLC) – from application development to the CI/CD pipeline and deployment. Due to the interconnectedness of the software supply chain, a compromise or vulnerability at one part of the supply chain – such as in an open-source component – can introduce a compromise or vulnerability to every component down the chain. In other words, securing open source is vital for the overall security of the supply chain.
At the forefront of open source security is the Open Source Security Foundation (OpenSSF). This organization is leading the way in specifications, frameworks, services, and tools for securing the production and consumption of open source software. Its projects – SLSA and S2C2F, to name a couple – are cited by the US and other world governments. It also has a number of great members on the governing board, from technical juggernauts like Microsoft, Google, Intel, and IBM, as well as major end users like Citi and JP Morgan Chase. Now, we are pleased that with Kusari, there’s representation from a newer, small company.
Kusari was started with the goal of securing the software supply chain. We are passionate about this problem and have been for many years, but solving it also requires securing open source software. As we’ve admired the great work OpenSSF has been doing, and as we’ve begun doing more work with open source ourselves, we wanted to contribute where we could to make the most impact, along with being able to collaborate with some of the best minds working on the problem.
A year and a half ago, after having spent my career on the user side of security for financial institutions and a few years in the open source community, I wanted to see if I could bring my skills and experience to the OpenSSF Technical Advisory Council (TAC). I earnestly ran, but wasn’t elected. Disappointing, but there’s always tomorrow. I continued being active and a good community member. This meant speaking at events such as Open Source Summit, but also participating in the day-to-day community meetings that the OpenSSF hosts.
For me though, being a part of OpenSSF (and any community) is about more than just engaging in meetings, and advocating for the projects you care about or have helped develop. Rather, it’s about serving the community as a whole: keeping your eye on serving users, and being aware of the adjacencies of each project or working group or committee. That’s where you can provide guidance, influence, and leadership in security by connecting people, finding partnerships, supporting integrations, and helping solve real problems. Doing so helps everyone move forward, do better, and be more secure.
Then, when someone stepped down mid-year, I had the opportunity to fill the council spot. So, it’s a bit of an understatement to say I am pleased to continue my active participation in OpenSSF, bringing perspective from startups and helping advance the mission of open source security. As a fully elected member now, I’m thrilled to be on the TAC again, which expanded from six to nine members last year, getting to work on technical solutions that are real and fit the mission of OpenSSF. I’ll be extending the work I have been involved with over the past six months, including.
In addition, being elected to the Governing Board is a real treat. I’m excited to bring my skills and perspective as the only technical member and the only one from a start-up. A balanced representation brings forth a more complete perspective. My participation can help show how startups, tech giants, and end user companies work together in the community to address security’s major issues. We’ll bring forward pathways to engineer open source solutions and offer a structure within OpenSSF to ensure they get the recognition, incentives, promotion, and linkages to thrive.
Thank you for your support and vote of confidence. I look forward to serving the security community and involving many of you in that journey.