SOSS Fusion 2024: Uniting Security Minds for the Future of Open Source
There is a log cabin in Alpharetta, Georgia, that was built by the Future Farmers of America (FFA) in the 1930s. It is still in use today: students who want to explore pioneer life can go there, just as they did 90 years ago when it was built, and get hands-on experience. Today, in DevOps, many teams are dealing with legacy systems built in the last century, but unlike that log cabin, our production data still lives in some of these systems. It is a good thing there is a community of people working together, making free and open tools that allow us to secure these legacy applications and our new ones. Those people gathered in Alpharetta to advance the state of the art at SOSS Fusion 2024.
About 400 participants got together for two full days of sessions with over 50 speakers, plus a half day of training on using the OpenSSF Scorecard. SOSS stands for Secure Open Source Software. The event was organized by the OpenSSF, the part of the Linux Foundation focused on providing governance for, currently, 13 open-source security tools and projects, such as SLSA, GUAC, Zarf, and OpenVEX.
It would be impossible to fully recount all the learning and fun we had at the Alpharetta Conference Center, but the good news is all the talks were recorded and will be available online soon. Until those are released, here are just a few notes from this inaugural event.
Approaching AI as a mediocre minion
In his keynote, "Decoding the AI Revolution; Implications for Security and Society: AI Security Matters," legendary cryptographer, computer security professional, and writer Bruce Schneier explained that when we use LLMs, we need to keep four key principles in mind: Speed, Scale, Scope, and Sophistication. Humans and AI have very different definitions and limits for each of these, but that is the advantage of LLMs: we can use them to do things we are not good at or simply cannot do without them.
AI is not going to behave like humans. At best, it is a "mediocre minion." While we have been dealing with human mistakes for thousands of years and know more or less how to handle them, AI makes entirely new types of mistakes, and we are only starting to learn how it errs. We need to get humans in the loop, not just to approve decisions or code, but to compare how humans and AI approach the same task and to compare the results.
One interesting use case Bruce discussed was the potential use of AI to help clear the giant backlog of Social Security Administration requests. He argued that the harm of overdelivering on services, by letting AI approve most requests, would be much cheaper in the long run than trying to solve the backlog with humans alone.
He also noted that while attackers gained an immediate advantage from AI, defenders are catching up very quickly. AI will not speed up the rate of attacks, since we are already being attacked at "computer speeds." What we need to implement next in AI security is a separation of the 'data' channel from the 'control' channel, much as the telephone network did to prevent phone phreaking.
We can make the internet work for us again, but it is a choice
In his fast-paced and captivating keynote, "Enshittification Was a Choice," Cory Doctorow, Science Fiction Author, Activist, and Journalist, walked us through how we got to the point where everything about our current state of tech just kind of sucks. He started by asking us if we "remember when Google actually worked as expected instead of serving pages of ads and junk results? Or when Spotify gave us the artist we wanted instead of a suggested playlist that contains AI bands?" The process of it slowly getting worse over time is what he labels "Enshittification."
Cory's talk summarized four interrelated factors that led us down this path:
1. Competition - A loss of competition in the market means there is no incentive to innovate and instead only to maximize profits. This leads to more ad space on a site being sold and less of the content you were looking for, and therefore, a lower quality of experience.
2. Regulation - More competition in the market actually makes enforcing regulations easier, he argued. As Cory put it, "100 companies is a rabble, and they can't all just BS all the regulators. Cartels of 5 companies can easily lobby and defraud these regulators." He also pointed out that it is one thing to ignore the law; large monopolies also stop new laws from being made through lobbying.
3. Interoperability - Making it hard, or even illegal, for the customer to use third-party components or solutions with a company's products has led us to a world where printer ink is the most expensive liquid on earth, at a cost of about $10,000 a barrel to the end user. We need to be able to use our tools as we see fit. Open-source software and hardware excel in this area, which is another reason we should embrace this way of building things.
4. Tech workers - When demand is high and supply is low for good developers, they can call the shots and can afford to hold and enforce ethical standards. In that world, management is terrified of losing someone they cannot replace. Right now, we have more supply than demand, which is how companies ended up demanding that some engineers sleep under their desks to ship new features on time and maximize profits. He openly calls for tech workers to unionize and unite with all other workers to demand a more just and sustainable world.
Defining and defending Open Source
In his keynote "Stop Peeing in the Pool!", Dan Lorenc, CEO and Co-Founder of Chainguard, explained how "fauxpen source" licenses are effectively contaminating the world of open source and what that will mean for the future of development. He deliberately capitalized Open Source as he walked us through the official definition from the Open Source Initiative (OSI), which dates from 1998.
Despite maintaining the definition and working to get people to adopt its core principles, the OSI has no enforcement power. This has allowed licenses to emerge that are almost open source, but not quite. For example, one of the core criteria of Open Source is "No Discrimination Against Fields of Endeavor." Some licenses specifically state that you cannot use the code in a particular way because it might compete with or harm the company making that software. This is what he has labeled "fauxpen source."
The real fear is that if we dilute the true meaning and purpose of Open Source licensing, it will soon be very difficult to tell whether we are compliant, especially in a world with so many interdependencies. This will slow down innovation and eventually involve lawyers much deeper and earlier in our software development lifecycles. Dan concluded by reminding us that it took a lot of work to get us where we are today with Open Source software, and we need to push back on these practices.
Learning to speak each other's language drives security forward
All the participants walked away from SOSS Fusion having learned about new projects or new ways to approach security issues. I was able to share what I knew about projects like CycloneDX, the SBOM standard from the OWASP community. I learned a lot, for instance about Zarf, one of the coolest-named projects, which helps teams deliver and update software on air-gapped systems. It also has one of the best logos, aside from our GitGuardian owl.
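Dan Lorenc's warning that license compliance gets hard once dependencies nest several levels deep, and the CycloneDX SBOMs mentioned above, meet in a practical check: walk the SBOM's dependency graph from the application and flag every transitive component whose declared license is not on an allowlist. The following Python is an added example written for this article, not code from the talks, from OpenSSF, or from the CycloneDX project. It assumes the CycloneDX 1.5 JSON layout (`components`, `dependencies`, `metadata.component`); the SBOM, the package names and the `Example-NoCompete-1.0` license are constructed for the example, and the allowlist is an illustrative subset of OSI-approved SPDX identifiers, not the full OSI list.

```python
import json

# Illustrative subset of OSI-approved SPDX identifiers (an assumption for this
# example; a real policy would load the full OSI list or the organization's own).
OSI_APPROVED = frozenset({
    "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MPL-2.0",
    "GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "LGPL-3.0-only",
})

# Constructed CycloneDX 1.5 JSON SBOM for a made-up application. Package names,
# versions and the "Example-NoCompete-1.0" license are invented for this example;
# the latter stands in for a field-of-endeavor-restricted, non-OSI license.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "pkg:npm/payments-api@1.0.0",
                               "name": "payments-api", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/http-shim@2.1.0", "name": "http-shim",
         "version": "2.1.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/fast-json@4.0.2", "name": "fast-json",
         "version": "4.0.2", "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
        {"type": "library", "bom-ref": "pkg:npm/stream-db@0.9.1", "name": "stream-db",
         "version": "0.9.1", "licenses": [{"license": {"name": "Example-NoCompete-1.0"}}]},
        {"type": "library", "bom-ref": "pkg:npm/tiny-util@1.0.0", "name": "tiny-util",
         "version": "1.0.0"},  # no license declared at all
    ],
    "dependencies": [
        {"ref": "pkg:npm/payments-api@1.0.0",
         "dependsOn": ["pkg:npm/http-shim@2.1.0", "pkg:npm/fast-json@4.0.2"]},
        {"ref": "pkg:npm/http-shim@2.1.0", "dependsOn": ["pkg:npm/tiny-util@1.0.0"]},
        {"ref": "pkg:npm/fast-json@4.0.2", "dependsOn": ["pkg:npm/stream-db@0.9.1"]},
    ],
})


def declared_licenses(component):
    """Flatten a component's CycloneDX 'licenses' array into SPDX-style strings.

    Each entry may be {"license": {"id": ...}}, {"license": {"name": ...}}
    (free text, common for unusual licenses) or {"expression": "<SPDX expr>"}.
    """
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return out


def expression_allowed(expr, allowlist):
    """Evaluate a flat SPDX expression: 'A OR B' passes if any alternative is
    allowed, 'A AND B' needs every part. Parentheses are not parsed here, so a
    nested expression fails closed rather than being guessed at."""
    expr = expr.strip()
    if "(" in expr or ")" in expr:
        return False
    return any(all(part.strip() in allowlist for part in alt.split(" AND "))
               for alt in expr.split(" OR "))


def component_allowed(component, allowlist=OSI_APPROVED):
    """A component passes only if it declares at least one license and every
    declared license or expression is satisfiable from the allowlist."""
    licenses = declared_licenses(component)
    if not licenses:
        return False, "no license declared"
    bad = [lic for lic in licenses if not expression_allowed(lic, allowlist)]
    if bad:
        return False, "not on allowlist: " + ", ".join(bad)
    return True, ""


def audit_sbom(sbom_json, allowlist=OSI_APPROVED):
    """Walk the dependency graph from the root application and report every
    transitive component failing the policy, with the path that pulls it in."""
    bom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    findings, seen = [], {root}

    def walk(ref, path):
        for dep in edges.get(ref, []):
            if dep in seen:          # dependency graphs may contain cycles
                continue
            seen.add(dep)
            dep_path = path + [dep]
            comp = components.get(dep)
            if comp is None:
                findings.append({"ref": dep, "path": dep_path,
                                 "reason": "listed in dependencies but missing from components"})
            else:
                ok, reason = component_allowed(comp, allowlist)
                if not ok:
                    findings.append({"ref": dep, "path": dep_path, "reason": reason})
            walk(dep, dep_path)

    walk(root, [root])
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM):
        print(finding["reason"], "::", " -> ".join(finding["path"]))
```

Two design choices matter for the "interdependencies" point: the walk starts from the application's own `bom-ref` rather than iterating the flat component list, so each finding carries the chain that pulls the package in (the restricted license here sits two hops down, under a perfectly clean Apache/MIT dependency), and a component with no license metadata is reported instead of silently passing, since an SBOM that cannot say what a package is licensed under is exactly the case where a lawyer ends up involved later.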
One of the common themes throughout this event, and a lot of the events your author has covered this year, is that we can only get better at security by listening to our users. The OpenSSF members built all of the projects they maintain to solve specific, real-world needs of security professionals in a scalable and open way. Each project originated from conversations about the problems we share. That is the real power of community. And events like SOSS Fusion are where this true strength really shines the brightest.
I'm already looking forward to next year's event, but you don't need to wait until then to talk to the OpenSSF community; they invite everyone interested to learn more, get involved, and join their Slack channel whenever you are ready.