Open Source Security: Navigating the Future with Core Principles 🚀

Hey tech enthusiasts! Emily Fox, Portfolio Security Architect at Red Hat, recently shared some incredibly insightful thoughts at Open Source Security Con, and we’re here to break it all down for you. In a world buzzing with new regulations and mind-bending technologies, Emily reminded us of the fundamental principles that have always been the bedrock of open source: autonomy, transparency, and collective action. These aren’t just buzzwords; they’re our compass for navigating the complex challenges ahead.

Embracing Digital Sovereignty: Autonomy in Action 🌐

The principle of autonomy, often seen as self-determination, is evolving into digital sovereignty in today’s tech landscape. This isn’t just a trendy term; it’s the natural progression of zero trust principles, especially with the increasing influence of geolocations and regional politics.

The good news? Open source already has the tools to help!

  • Confidential Computing & Attestations: These technologies are paving the way for organizations to ensure system security before deploying sensitive data and workloads.
  • Emerging Open Source Projects:
    • Confidential Containers: Enhancing security for containerized environments.
    • CoCo’s Trustee: Providing verifiable security for your systems.
    • Keylime: Aiding in the verification of system integrity.

These projects are bringing enterprise-readiness to the forefront, empowering you to truly own and control your digital destiny.

Shining a Light on AI: The Imperative of Transparency ✨

When it comes to artificial intelligence, transparency can feel like a distant dream. Emily didn’t shy away from this challenge, emphasizing the critical need for us, as engineers, to demand and practice transparency.

  • The AI Code Slop Concern: Without mindful practices, AI coding assistants can lead to unmanageable, vulnerable code. We don’t want “cloudy with a chance of vulnerable meatballs riddled throughout our spaghetti code”!
  • Community-Driven Solutions: Thankfully, the open source community is stepping up!
    • Model Card Standard: This emerging standard aims to provide clarity on how AI models are built.
    • AI System Cards: Similar to model cards, these offer insights into the capabilities and underlying structure of AI systems.

These initiatives are crucial ingredients for building trust and understanding in the age of AI. Don’t hesitate to ask about them at the Red Hat booth!

The Long Tail of Dependencies: Collective Action for a Quantum Future ⏳

We all know that open source thrives on collective action, building upon the incredible work of countless contributors. However, this interconnectedness creates a vast “long tail” of dependencies that we must diligently manage. This becomes particularly critical as we face the looming challenge of cryptographic migrations before the advent of cryptographically relevant quantum computers (often referred to as “Q-day”).

  • The Crypto Agility Challenge: This transition is poised to be even more complex than the two-decade shift from DES to AES.
  • The Widening Skills Gap: Perhaps an even bigger worry is the growing disparity between available engineers and the understanding needed to integrate new technologies into existing systems.

But fear not! The ecosystem is actively working on solutions:

  • Sigstore: Exploring post-quantum cryptographic plugins to future-proof our security.
  • Kubernetes: Now supports ML for many of its core components, enhancing its capabilities.
  • RPM 6.0.0: Recently released with support for multiple signatures per package, allowing verification of both classical and post-quantum signatures.
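As an added illustration of the dual-signature pattern behind the RPM item (this is example code written for this recap, not code from the talk, from RPM, or from any project named above): a verifier that accepts a package carrying several algorithm-tagged detached signatures, fails the package if any signature it understands does not validate, skips algorithms it does not yet implement, and enforces a required set. Ed25519 and ECDSA P-256 stand in for the classical/post-quantum pair because the Go standard library ships no post-quantum signature scheme; the payload, keys and algorithm tags are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature is one detached signature over the payload, tagged with its algorithm.
type Signature struct {
	Algo string
	Sig  []byte
}

// Verifier validates one algorithm's signature over the payload.
type Verifier func(payload, sig []byte) bool

// verifyMulti is the crypto-agility policy (an assumption of this example, not RPM's):
// every signature with a known algorithm must validate, unknown algorithms are skipped so
// older verifiers keep working, and the caller's required set decides what must be present.
func verifyMulti(payload []byte, sigs []Signature, known map[string]Verifier, required []string) error {
	passed := map[string]bool{}
	for _, s := range sigs {
		v, ok := known[s.Algo]
		if !ok {
			continue
		}
		if !v(payload, s.Sig) {
			return fmt.Errorf("%s signature invalid", s.Algo) // a bad known signature fails the package
		}
		passed[s.Algo] = true
	}
	for _, r := range required {
		if !passed[r] {
			return fmt.Errorf("required %s signature missing", r) // blocks signature stripping
		}
	}
	return nil
}

// SignedPackage builds a constructed payload signed by two independent algorithms.
func SignedPackage() ([]byte, []Signature, map[string]Verifier, error) {
	payload := []byte("constructed package payload")
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, nil, err }
	digest := sha256.Sum256(payload)
	ecSig, err := ecdsa.SignASN1(rand.Reader, ecPriv, digest[:])
	if err != nil { return nil, nil, nil, err }
	sigs := []Signature{{"ed25519", ed25519.Sign(edPriv, payload)}, {"ecdsa-p256", ecSig}}
	known := map[string]Verifier{
		"ed25519":    func(p, s []byte) bool { return ed25519.Verify(edPub, p, s) },
		"ecdsa-p256": func(p, s []byte) bool { d := sha256.Sum256(p); return ecdsa.VerifyASN1(&ecPriv.PublicKey, d[:], s) },
	}
	return payload, sigs, known, nil
}

func main() {
	payload, sigs, known, err := SignedPackage()
	if err != nil { panic(err) }
	req := []string{"ed25519", "ecdsa-p256"}
	fmt.Println("both signatures:", verifyMulti(payload, sigs, known, req))
	fmt.Println("second signature stripped:", verifyMulti(payload, sigs[:1], known, req))
}
```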

Our Collective Responsibility: Securing the Open Source Commons 🤝

As participants, adopters, and creators in the open source world, we all share a profound responsibility. Emily posed a compelling question: How will you apply open source principles to secure our future and preserve digital rights amidst these evolving challenges?

This isn’t a task for a select few; it requires everyone.

  • Invest in Securing the Open Source Commons: This means developers, project managers, documentarians, and especially security engineers need to actively contribute to the projects we rely on.
  • Collaborate on Real-World Problems:
    • Secured Agent Interaction: Working together to ensure secure communication between agents.
    • OASIS Data Provenance Standard: Contributing to building trust in AI through clear data lineage.
  • Engage in Public Policy: Applying open source principles to policy discussions ensures a secure, open future and preserves digital rights for all.

As the age-old adage goes, “More eyes make all bugs shallow.” But participation is the key. By recommitting to the core principles of transparency, autonomy, and collective action, we can build a more secure, resilient, and equitable digital ecosystem for everyone.

Thank you, Emily, for this inspiring call to action! Let’s all show up and contribute to the future of open source security.
