Sustainability and security: it’s time to connect the dots

A presentation at Upstream in June 2022 by Tobie Langel

Slide 1

Sustainability & Security: It’s time to connect the dots Tobie Langel (@tobie) Principal, UnlockOpen tobie@unlockopen.com

Slide 2

🇵🇹 Image by XKCD, CC BY-NC 2.5.

Slide 3

🏭 INDUSTRY-WIDE EFFORT Organized by the Linux Foundation. Backed by tech giants.
💰 MULTI-MILLION $ FUND Administered by the Linux Foundation and a steering group of industry experts.
🎯 GOAL Harden the security of key open source projects.
👓 STRICT FOCUS ON “CORE INFRA” The goal is to prevent a new Heartbleed. Not to make open source as a whole more sustainable.

Slide 4

🔁 CORE INFRA INITIATIVE 2.0 Still run by the Linux Foundation. OpenSSF is membership-driven, so it is better resourced and more sustainable.
🏆 WIDER SCOPE 10K projects + critical build tools & package managers. Training. Best practices.
🧭 NEW 10 POINT PLAN
- prevent security defects and vulnerabilities
- improve vulnerability discovery
- shorten ecosystem patching response time

Slide 5

Slide 6

Slide 7

The Heartbleed Bug

Slide 8

Heartbleed bug impact
👩‍⚕️ 4.5 MILLION The number of US patient records whose confidentiality was compromised.
💰 $500 MILLION Estimated cost to the industry.

Slide 9

Pivotal moment where the tech industry realizes open source is:
🌏 UBIQUITOUS 2/3 of active sites on the Internet rely on the OpenSSL library.
⚠ CRITICAL OpenSSL encrypts private communications, bank transactions, medical records, etc.
💸 UNDERFUNDED Only 1 full-time maintainer, shoestring budget ($2k/year).

Slide 10


Slide 11

Towards a sustainable solution to open source sustainability

Slide 12

Slide 13

🛥 WHAT IS IT? Red Hat business model for the long tail.
🛎 SERVICES Provides security updates, maintenance, and legal assurances for all open source projects in an organization’s stack.
👨‍💻 HOW? By paying the actual maintainers to do the work.
🏆 SUCCESS STORY None yet. Still too early.

Slide 14

Photo by Parihav, CC BY-SA 3.0.

Slide 15

Worldwide developer population (chart): Full-time 11.65M, Part-time 6.35M, Non-pro 4.30M. Source: IDC, 2018.
Quick back of the envelope math:
12M FT devs x $65K = $780B
+ 6M PT devs x $35K = $210B
~= 1 trillion dollars

Slide 16

$100

Slide 17

$10,000

Slide 18

1 million dollars

Slide 19

100 million dollars

Slide 20

1 trillion dollars

Slide 21

100 million dollars

Slide 22


Slide 23


Slide 24

Thank you! Tobie Langel (@tobie) Principal, UnlockOpen tobie@unlockopen.com