Last week I had the opportunity to attend and speak at the OpenSSF SOSS Fusion 2024 event. This is the first full multi-day OpenSSF security event and it was a privilege to be able to attend and speak. I gave the same talk that I did at BSides back in September, as I believe it needs to be shared broadly and heard by many.
The talk focused on the implicit acceptance of risk in proprietary software (you accept the risk of what you don’t see or know about) versus the need for an explicit acceptance of risk in open source software (accept the risk of what you can see and know about). We dug into some numbers of vulnerabilities in open versus proprietary, obviously using Red Hat as the example of an open source vendor, and a well-known and unnamed proprietary vendor as the contrast.
The Q&A was also included, which was a great surprise as there were a few good questions. Unfortunately there were no microphones, so the questions can't really be heard, although hopefully the answers stand alone and you can infer what the question was.
The video went up last night so you can watch the talk here: The Open Source Paradox: Unpacking Risk, Equity, and Acceptance
There were a bunch of other great talks as well; the entire playlist of talks is also available.
Huge shoutout and thanks to the OpenSSF folks that put in so much work and the sponsors who helped make it happen (had some great discussions with those folks!).