<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Kristina Kaldenbach</title>
    <description>The latest articles on DEV Community by Kristina Kaldenbach (@kristinatidelift).</description>
    <link>https://dev.to/kristinatidelift</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F858164%2Fb4e1b5d6-1fed-4627-9601-c9ce09e8285b.jpg</url>
      <title>DEV Community: Kristina Kaldenbach</title>
      <link>https://dev.to/kristinatidelift</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/kristinatidelift"/>
    <language>en</language>
    <item>
      <title>Upstream preview: Government carrot, government stick: Exploring two contrasting approaches to improving open source security</title>
      <dc:creator>Kristina Kaldenbach</dc:creator>
      <pubDate>Tue, 04 Jun 2024 21:15:03 +0000</pubDate>
      <link>https://dev.to/tidelift/upstream-preview-government-carrot-government-stick-exploring-two-contrasting-approaches-to-improving-open-source-security-3g16</link>
      <guid>https://dev.to/tidelift/upstream-preview-government-carrot-government-stick-exploring-two-contrasting-approaches-to-improving-open-source-security-3g16</guid>
      <description>&lt;p&gt;&lt;em&gt;Upstream is &lt;/em&gt;&lt;strong&gt;&lt;em&gt;tomorrow&lt;/em&gt;&lt;/strong&gt;&lt;em&gt; on June 5, and wow, our schedule is brilliant. We’re giving you a sneak preview into some of the talks and the speakers giving them via posts like these. RSVP &lt;/em&gt;&lt;a href="https://upstream.live/register?__hstc=23643813.d1ddc767e9f4955f3bdd2f1c64c72f8c.1654699542897.1716388421586.1716392544277.1287&amp;amp;__hssc=23643813.2.1716392544277&amp;amp;__hsfp=1649118565" rel="noopener"&gt;&lt;em&gt;&lt;span&gt;now&lt;/span&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Governments are starting to believe that their traditional hands-off approach to open source no longer makes sense. But what then? Europe is providing examples of both “carrot” and “stick”: providing incentives to people and organizations to do more security work (i.e. the carrot) or penalizing them for not doing the work or after security incidents happen (i.e. the stick).&lt;/p&gt;

&lt;p&gt;In this fireside chat, Tidelift co-founder and Upstream host Luis Villa sits down with &lt;a href="https://upstream.live/speaker-2024/fiona-krakenbuerger" rel="noopener"&gt;&lt;span&gt;Fiona Krakenbürger&lt;/span&gt;&lt;/a&gt; from the Sovereign Tech Fund and &lt;a href="https://upstream.live/speaker-2024/mirko-boehm?hsLang=en" rel="noopener"&gt;&lt;span&gt;Mirko Boehm&lt;/span&gt;&lt;/a&gt; from the Linux Foundation Europe to discuss the impending CRA legislation in the EU (the biggest government stick to date) and the Sovereign Tech Fund’s “carrot” approach to funding open security.&lt;/p&gt;

&lt;p&gt;If this conversation about the contrast between the “carrot” of support and the “stick” of regulation piques your interest, be sure to join us at &lt;a href="https://upstream.live/"&gt;&lt;span&gt;Upstream&lt;/span&gt;&lt;/a&gt; on June 5!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://upstream.live/" rel="noopener"&gt;RSVP now&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;About the speakers&lt;/h4&gt;

&lt;p&gt;Mirko Boehm is a free and open source software contributor, community manager, licensing expert and researcher, with contributions to major open source projects like the KDE Desktop (since 1997, including several years on the KDE e.V. board), the Open Invention Network, the Open Source Initiative and others. He is a visiting lecturer and researcher on free and open source software at the Technical University of Berlin. He joined the Linux Foundation in June 2023 as senior director for community development for Linux Foundation Europe, where he focuses on driving engagement and collaboration between all European open source stakeholders. &lt;/p&gt;

&lt;p&gt;Fiona Krakenbürger is the co-founder of the Sovereign Tech Fund, an initiative funded by the German Federal Ministry of Economic Affairs and Climate Action, to support Open Source Infrastructure in the Public Interest. Fiona has a background in Open Source Funding and has helped bootstrap and implement programs in Germany and the US. Besides her career in Open Source Funding, Fiona supported and founded various initiatives for more diversity in tech communities. She serves as a member on several boards and committees in the open source and technology ecosystem.&lt;/p&gt;

</description>
      <category>upstream</category>
      <category>opensource</category>
      <category>government</category>
      <category>security</category>
    </item>
    <item>
      <title>Upstream preview: Life after the xz utils backdoor hack</title>
      <dc:creator>Kristina Kaldenbach</dc:creator>
      <pubDate>Fri, 31 May 2024 21:25:21 +0000</pubDate>
      <link>https://dev.to/tidelift/upstream-preview-life-after-the-xz-utils-backdoor-hack-3m3l</link>
      <guid>https://dev.to/tidelift/upstream-preview-life-after-the-xz-utils-backdoor-hack-3m3l</guid>
      <description>&lt;p&gt;&lt;em&gt;Upstream is next week on June 5, and wow, our schedule is shaping up brilliantly. For the rest of this week, we’ll be giving you a sneak preview into some of the talks and the speakers giving them via posts like these. RSVP &lt;/em&gt;&lt;a href="https://upstream.live/register?__hstc=23643813.d1ddc767e9f4955f3bdd2f1c64c72f8c.1654699542897.1716388421586.1716392544277.1287&amp;amp;__hssc=23643813.2.1716392544277&amp;amp;__hsfp=1649118565" rel="noopener"&gt;&lt;em&gt;&lt;span&gt;now&lt;/span&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In late March, our industry dealt with yet another attack on a popular open source project; this time, in the Linux-level package used for file compression called &lt;a href="https://tidelift.com/resources/xz-backdoor-hack" rel="noopener"&gt;&lt;span&gt;xz utils&lt;/span&gt;&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;What was most sinister about this attack, though, was how deeply it impacted trust within the open source community. The attacker spent years engineering multiple sock puppet accounts to gain the trust of the volunteer xz utils maintainer. The reality is that life for those who create and use open source after xz is going to get tougher. &lt;/p&gt;

&lt;p&gt;In this panel moderated by Tidelift VP of product Lauren Hanford, we’ll talk to Josh Bressers of Anchore; Jordan Harband, prolific JavaScript maintainer; Rachel Stephens from RedMonk; Shaun Martin, IT and security management consulting principal from BlackIce; and Terrence Fletcher from Boeing to get a diverse mix of perspectives on how this changes the landscape of open source software supply chain security.&lt;/p&gt;

&lt;p&gt;If this conversation piques your interest, be sure to join us at &lt;a href="https://upstream.live/" rel="noopener"&gt;&lt;span&gt;Upstream&lt;/span&gt;&lt;/a&gt; on June 5!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://upstream.live/" rel="noopener"&gt;RSVP now&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;About the panelists&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Rachel Stephens is a senior analyst with RedMonk, a developer-focused industry analyst firm. She focuses on helping clients understand and contextualize technology adoption trends, particularly from the lens of the practitioner. Her research covers a broad range of developer and infrastructure products.&lt;/li&gt;
&lt;li&gt;Shaun Martin is the IT and security management consulting principal at BlackIce. She has more than 23 years of experience in the IT security, risk, and compliance operations space. Her goal is to build and cultivate inclusive work environments where people can grow and thrive equally. &lt;/li&gt;
&lt;li&gt;Josh Bressers is vice president of security at Anchore where he guides security feature development for the company’s commercial and open source solutions. He is a co-lead of the OpenSSF SBOM Everywhere project, and is a co-founder of the Global Security Database project at the Cloud Security Alliance.&lt;/li&gt;
&lt;li&gt;Jordan Harband is an open source maintainer, specifically in JavaScript, and the principal open source architect at HeroDevs. He's also a web application developer, database administrator, network engineer, teacher, childcare—he wears many hats. His focus is JavaScript, standards, frontend web development, full stack (frontend + backend + db) architecture design, and overall object oriented code optimization. &lt;/li&gt;
&lt;li&gt;Terrence Fletcher is a product security engineer at the Boeing Company where he specializes in vulnerability management, attack surface profiling, and threat intelligence integration. He has over two decades of experience in IT and security, with a strong focus on the defense and intelligence sectors.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>upstream</category>
      <category>opensource</category>
      <category>security</category>
      <category>xz</category>
    </item>
    <item>
      <title>Upstream 2024 agenda is live!</title>
      <dc:creator>Kristina Kaldenbach</dc:creator>
      <pubDate>Tue, 28 May 2024 15:01:22 +0000</pubDate>
      <link>https://dev.to/tidelift/upstream-2024-agenda-is-live-4dl5</link>
      <guid>https://dev.to/tidelift/upstream-2024-agenda-is-live-4dl5</guid>
      <description>&lt;p&gt;If you were waiting to sign up to attend Upstream, our one-day, virtual event bringing together open source maintainers and those who use their creations, until the speakers were announced, today’s the day. &lt;a href="https://upstream.live/schedule"&gt;The Upstream agenda&lt;/a&gt; is live. 🎉 If you haven't already marked June 5, 2024 on your calendars, you should do it now! &lt;a href="https://upstream.live/"&gt;RSVP here&lt;/a&gt;. ✅&lt;/p&gt;

&lt;p&gt;This year our theme is &lt;a href="https://blog.tidelift.com/upstream-is-june-5-2024"&gt;unusual ideas to solve the usual problems&lt;/a&gt;. By “the usual problems,” we mean the health and security of open source, which last we checked was still not a solved problem. By “unusual ideas,” we mean who are the people out there exploring the most interesting and unusual ways to make the open source software we all rely on more healthy, secure, and resilient?&lt;/p&gt;

&lt;p&gt;Come prepared to hear some exciting new ideas, because we have them lined up for you. Here’s a taste:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Luis Villa&lt;/strong&gt;, Tidelift co-founder and general counsel, will use his opening talk to set up this year’s theme. He’ll make the case that our current way of "fixing" open source health and security is simply not working, and he’ll introduce some of the new ideas we’ll be hearing more about through the course of the day.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Frank Nagle&lt;/strong&gt;, assistant professor at Harvard Business School, will sit down with &lt;strong&gt;Luis&lt;/strong&gt;, in our first fireside chat of the day, to discuss a recent paper Frank co-authored in which he estimated the value of the world’s open source infrastructure at $8.8 trillion.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Aeva Black&lt;/strong&gt; and &lt;strong&gt;Jack Cable&lt;/strong&gt;, from CISA (the U.S. Cybersecurity Infrastructure and Security Agency; and the only government agency that cares so much about security they put it in their name twice!), will sit down with Tidelift CEO and co-founder &lt;strong&gt;Donald Fischer&lt;/strong&gt; to discuss the industry-wide effort they are leading to make security by design a core business requirement in products versus an aftermarket technical feature.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Vincent Danen&lt;/strong&gt;, VP of Product Security at Red Hat, will join &lt;strong&gt;Donald&lt;/strong&gt; to make the case that our current system of patch management is in desperate need of a revolution (and he’ll share what a better approach focused on risk mitigation might look like).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Aisha Gautreau&lt;/strong&gt;, OSPO lead at a large Canadian telecommunications company, will sit down with Tidelift VP of product, &lt;strong&gt;Lauren Hanford&lt;/strong&gt;, to share the journey of building an open source program office and what advantages it has created for them so far.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tosha Ellison&lt;/strong&gt; and &lt;strong&gt;Gabriele Columbro&lt;/strong&gt; of FINOS (the Fintech Open Source Foundation) will join &lt;strong&gt;John Mark Walker&lt;/strong&gt;, director of the OSPO at Fannie Mae, and &lt;strong&gt;Donald Fischer&lt;/strong&gt; to chat about what financial services organizations are doing to improve open source security and invest in the open source they depend on, while sharing advice and strategies that all organizations in all industries can use to inform their own work.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Fiona Krakenbürger&lt;/strong&gt; from the Sovereign Tech Fund and &lt;strong&gt;Mirko Boehm&lt;/strong&gt; from the Linux Foundation Europe will sit down with &lt;strong&gt;Luis Villa&lt;/strong&gt; to discuss the impending CRA legislation in the EU (the biggest government proverbial "stick" to date) and the Sovereign Tech Fund’s "carrot" approach to funding open security.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;James Berthoty&lt;/strong&gt;, CEO of Latio Tech and security engineer at PagerDuty, will go over how to get CVEs out of GitHub Issues and why it’s frustrating for compliance teams and maintainers both. &lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tatu Saloranta&lt;/strong&gt; of jackson-databind, &lt;strong&gt;Wesley Beary&lt;/strong&gt;, who maintains popular Ruby projects fog and excon, &lt;strong&gt;Irina Nazarova&lt;/strong&gt; of Evil Martians, and &lt;strong&gt;Valeri Karpov&lt;/strong&gt;, from Mongoose, make up our maintainer panel this year and will discuss the state of life as an open source maintainer in 2024. &lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Andrey Sitnik&lt;/strong&gt;, front-end principal at Evil Martians, will give insights on how to make your open source project popular from his 15 years of making open source tools, some a success with others a failure. &lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Rachel Stephens&lt;/strong&gt;, senior industry analyst at RedMonk, &lt;strong&gt;Shaun Martin&lt;/strong&gt;, IT and security management consulting principal at BlackIce, &lt;strong&gt;Josh Bressers&lt;/strong&gt;, VP of security at Anchore, &lt;strong&gt;Jordan Harband&lt;/strong&gt;, principal open source architect at HeroDevs, and &lt;strong&gt;Terrence Fletcher&lt;/strong&gt;, product security engineer at Boeing, will join Tidelift VP of product, &lt;strong&gt;Lauren Hanford&lt;/strong&gt;, to discuss how &lt;a href="https://tidelift.com/resources/xz-backdoor-hack"&gt;the xz utils backdoor hack&lt;/a&gt; has changed the landscape of open source software supply chain security. &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This agenda is 🔥 You don't want to miss out. Register for this free, one-day virtual event &lt;a href="https://upstream.live/register"&gt;here&lt;/a&gt;. &lt;/p&gt;

</description>
      <category>upstream</category>
      <category>tidelift</category>
      <category>opensource</category>
      <category>maintainers</category>
    </item>
  </channel>
</rss>
