Episode 24: Securing the FOSS Ecosystem with Gareth Rushgrove

Sponsored By: Panelists Eric Berry | Justin Dorfman | Richard Littauer | Allen “Gunner” Gunn Guest Gareth Rushgrove Snyk Show Notes In this episode, we talk with Gareth Rushgrove, from Cambridge, UK, Director of Project Management at a security software startup called Snyk. He has spoken at a number of international technology conferences over the past few years, including FOSDEM, RAMP, BACON, QCon, PuppetConf, Monitorama, GOTO and Velocity. Security and Open Source don’t often go together, in this episode we explore the topic and more. 01:20 Gareth explains that Snyk provides tools for developers who use Open Source Software and help them stay secure. He also expands on vulnerability landscapes. 02:10 Justin asks Gareth at what point does he think the collective community decided that we need to start digging into security holes within our software and he answers the question. 04:00 One of the guys asks Gareth if security is a passion of his and if he joined the company because that’s what he loves or was it more for Open Source. 05:30 The guys talk about Guy Podjarney (a.k.a Guypod) and Steve Souders and how they started the web performance movement. 07:30 Richard states Snyk has 400,000 users on the website and three times more vulnerability than a public database. Gareth goes further in-depth about this and what his company does using Java, Ruby, or Python and how he does a bunch of propriety research and helps projects do profit disclosure. 11:10 Gareth discusses the Heartbleed attack & the Equifax data breach and its effect on the industry’s view on Open Source. Companies want Open Source ecosystem to be more secure, 17:50 Gunner chimes in with a question about if there is a list of things Gareth wishes Open Source projects would do to be better members of ecosystems visa the security and if there are checklists or places to go for best practices. Gareth expands on this. 23:49 Gareth talks about DevSecCon which is a conference that brings developers and security together in one place. There are eight conferences around the world this year. 24:33 One of the guys is curious about the effect of security and how people out there have packages that are used by millions of other users and how often they don’t know how many users are using it. Gareth explains. 26:44 Gunner asks about the role of threat modeling in the work Gareth does and what he recommends. 28:25 Gareth goes in-depth about the Helm Project and CNCF sponsoring. 37:31 Gareth gives advice on where people can go to find more information about security besides talking to Snyk. Spotlight 38:40 Justin’s spotlight this week is a blog post by Andrew Mason about [Ruby on Rails Development with VS Code](ttps://andrewm.codes/posts/ruby-on-rails-development-with-vs-code-p1i/) 39:07 Eric suggests getting off Google Chrome and using Firefox (Developer Edition). 40:15 Gunner’s pick is guix.gnu.org 40:46 Richard’s pick is crubadan.org 41:34 Finally, Gareth’s pick is openpolicyagent.org Links Snyk Gareth Rushgrove Twitter Puppet Heartbleed CNCF DevSecCon Helm HeavyBit Open Policy Agent GitHub Guy Podjarny Twitter Steve Souders Twitter Andrew Mason - Ruby On Rails Firefox Guix An Crúbadán Open PolicySpecial Guest: Gareth Rushgrove.