Episode 24: Securing the FOSS Ecosystem with Gareth Rushgrove

6 years ago
44 minutes
A Podcast by SustainOSS

Description

Sponsored By:

Panelists: Eric Berry | Justin Dorfman | Richard Littauer | Allen “Gunner” Gunn

Guest: Gareth Rushgrove (https://twitter.com/garethr), Snyk

Show Notes

In this episode, we talk with Gareth Rushgrove, from Cambridge, UK, Director of Project Management at a security software startup called Snyk. He has spoken at a number of international technology conferences over the past few years, including FOSDEM (http://www.slideshare.net/garethr/config-managament-for-development-environments-6836888), RAMP (https://speakerdeck.com/garethr/the-unavoidable-big-bang), BACON (https://speakerdeck.com/garethr/monitoring-sucks), QCon (https://speakerdeck.com/garethr/clouds-in-government-perils-of-portability), PuppetConf (https://speakerdeck.com/garethr/puppet-module-reusability), Monitorama (https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring), GOTO (https://speakerdeck.com/garethr/if-government-can-do-it-dot-dot-dot) and Velocity. Security and Open Source don’t often go together; in this episode we explore the topic and more.

01:20 Gareth explains that Snyk provides tools for developers who use Open Source Software and helps them stay secure. He also expands on vulnerability landscapes.

02:10 Justin asks Gareth at what point he thinks the collective community decided that we need to start digging into security holes within our software, and he answers the question.

04:00 One of the guys asks Gareth if security is a passion of his and whether he joined the company because that’s what he loves, or whether it was more for Open Source.

05:30 The guys talk about Guy Podjarny (a.k.a. Guypod) and Steve Souders and how they started the web performance movement.

07:30 Richard states that Snyk has 400,000 users on the website and three times more vulnerabilities than a public database. Gareth goes further in depth about this and what his company does using Java, Ruby, or Python, and how he does a bunch of proprietary research and helps projects do profit disclosure.

11:10 Gareth discusses the Heartbleed attack and the Equifax data breach and their effect on the industry’s view of Open Source. Companies want the Open Source ecosystem to be more secure.

17:50 Gunner chimes in with a question about whether there is a list of things Gareth wishes Open Source projects would do to be better members of ecosystems vis-à-vis security, and whether there are checklists or places to go for best practices. Gareth expands on this.

23:49 Gareth talks about DevSecCon, a conference that brings developers and security together in one place. There are eight conferences around the world this year.

24:33 One of the guys is curious about the effect of security and how people out there have packages that are used by millions of other users, and how often they don’t know how many users are using them. Gareth explains.

26:44 Gunner asks about the role of threat modeling in the work Gareth does and what he recommends.

28:25 Gareth goes in depth about the Helm Project and CNCF sponsoring.

37:31 Gareth gives advice on where people can go to find more information about security besides talking to Snyk.

Spotlight

38:40 Justin’s spotlight this week is a blog post by Andrew Mason about Ruby on Rails Development with VS Code (https://andrewm.codes/posts/ruby-on-rails-development-with-vs-code-p1i/)

39:07 Eric suggests getting off Google Chrome and using Firefox (Developer Edition).

40:15 Gunner’s pick is guix.gnu.org (https://guix.gnu.org)

40:46 Richard’s pick is crubadan.org (https://crubadan.org)

41:34 Finally, Gareth’s pick is openpolicyagent.org (https://openpolicyagent.org)

Links

Snyk (https://snyk.io/)
Gareth Rushgrove Twitter (https://twitter.com/garethr)
Puppet (https://puppet.com/people/gareth-rushgrove/)
Heartbleed (http://heartbleed.com/)
CNCF (https://github.com/cncf/sig-security)
DevSecCon (https://www.devseccon.com/)
Helm (https://helm.sh/blog/2019-11-04-helm-security-audit-results/)
HeavyBit (https://www.heavybit.com/library/podcasts/the-secure-developer/)
Open Policy Agent GitHub (https://github.com/open-policy-agent/opa)
Guy Podjarny Twitter (https://twitter.com/guypod)
Steve Souders Twitter (https://twitter.com/souders?lang=en)
Andrew Mason - Ruby On Rails (https://andrewm.codes/posts/ruby-on-rails-development-with-vs-code-p1i/)
Firefox (https://www.mozilla.org/en-US/firefox/)
Guix (https://guix.gnu.org/)
An Crúbadán (http://crubadan.org/)
Open Policy Agent (https://www.openpolicyagent.org/)

Special Guest: Gareth Rushgrove.