Who Should Be Responsible for Software Security?
RALEIGH, N.C. — On the morning of All Things Open’s final day of programming Tuesday, Todd Lewis, creator of the open source conference, told the keynote audience that speakers wouldn’t need to rush through presentations, due to a more “relaxed” schedule that day.
The reasons for that unexpected slack in the schedule remained unsaid. But the conference crowd had previously been prompted to expect Matt Mullenweg, creator of WordPress and the center of one of the juiciest dramas in open source software. His company Automattic has been embroiled for weeks in a legal battle with WP Engine, the WordPress hosting provider.
Mullenweg had been announced on Friday to be interviewed remotely as part of Tuesday’s keynote lineup. Then, late Monday afternoon, Lewis sent an email to ATO attendees, saying that Mullenweg would not be featured due to a “logistical/scheduling issue.”
On Tuesday, Lewis, the conference’s operations, strategy and community lead, declined to comment on the record about Mullenweg’s late addition to the program and subsequent cancellation. “We look forward to working with him in the future,” he said.
A spokesperson for Automattic emailed The New Stack that the cancellation of Mullenweg’s appearance came from the event organizers, after back-and-forth communication between Automattic, which is based in San Francisco, and ATO.
“The latest round of confirmation of Matt’s attendance virtually, directly from Matt himself, came in the early morning hours of Sunday,” Automattic stated. “Conference organizers then sent another lengthy email with a time change and logistical details. By the time we could sign on Monday morning, ATO sent us an email requesting that we cancel and consider speaking at the 2025 event.
“Matt genuinely enjoys these opportunities to connect with the community, and while we did everything we could to confirm, the ATO conference organizers made the final decision. We’re hopeful for a better outcome next year!”
The remaining keynote speakers made the most of their time, notably Jack Cable, senior technical advisor at the Cybersecurity & Infrastructure Security Agency (CISA). Cable made an argument that the responsibility for the security of open source software lay not so much with individual open source developers but with the companies that produce and distribute that software.
Security: Putting Software Vendors on Notice
In making his case for how the software industry should handle security, Cable offered an analogy to how the automobile industry evolved to take responsibility for producing safer cars. In the wake of exposés like Ralph Nader’s 1965 book “Unsafe at Any Speed,” car makers bowed to subsequent government regulations and made voluntary efforts to improve safety. Cable pointed to the Chevy Corvair, a key subject of Nader’s book and a vehicle whose design flaws made it notorious for single-vehicle accidents.
“When Nader wrote that book, the conventional wisdom of the time was that car accidents were the fault of bad drivers, that they simply had to do better, that car manufacturers couldn’t possibly do anything to make the cars they were creating safer,” Cable said.

Jack Cable of CISA shows off the notorious Chevrolet Corvair at All Things Open.
“We know today that isn’t true. We know that airbags and seatbelts and antilock brakes can significantly contribute to the safety of cars, and indeed, we’ve seen quite remarkable improvement in auto safety.”
The same, he said, should be true of software manufacturers and the products they produce.
“We’ve had parameterized queries for about two decades, and yet, we continue to see these basic vulnerabilities being used to cause harm at scale,” he said. “So how can we do better?”
Cable pointed to “Secure by Design,” a set of guidelines updated in October 2023 by CISA and 17 other U.S. and international cybersecurity agencies. “We are laying out how technology manufacturers can do better, how they can prioritize the security of their customers to benefit us all.”
He added, “We’re not asking for a perfectly secure product. We’re asking for something that is more resilient to common classes of attacks.”
The guidelines follow three principles, he said. First, to “take ownership of customer security outcomes. We know that tech manufacturers must view the security of their customers as an extension of their own.
“Second is to lead with radical transparency and accountability, to be open about their successes and failures in security. And third, to lead from the top,” putting the responsibility squarely on executives’ shoulders by “recognizing that it is up to the business executive leadership.”
CISA is seeking companies to sign on to the “Secure by Design” pledge, and thus far has more than 200 signatories, including Amazon Web Services, GitHub, GitLab, Google, IBM and Microsoft.
In October of this year, CISA and the FBI jointly released a report called “Product Security Bad Practices,” for which the agencies are gathering comments until Dec. 16.
“We laid out actions that we, as well as the FBI, view as unacceptable in software development products in 2024 and this includes things like developing new product lines in memory-unsafe programming languages, like providing raw user input in the context of a database query, or not having a published vulnerability disclosure policy,” Cable said.
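The two practices Cable names here, the parameterized queries “we’ve had for about two decades” and the bad practice of “providing raw user input in the context of a database query,” are the two sides of the same defect. The following is an added illustration, not code from the conference or from CISA’s document: a lookup against a constructed in-memory SQLite table, written once with string splicing and once with a bound parameter, so the difference in behavior can be observed directly. The table, its rows and the sample inputs are all constructed for this example.

```python
import sqlite3

# Constructed sample data for the illustration; not from the article.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    # Even the seed insert uses bound parameters; there is no reason not to.
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_unsafe(conn, name):
    """BAD PRACTICE: raw user input is spliced into the SQL text.

    Whatever the caller passes becomes part of the statement the engine
    parses, so quote characters in `name` change the query's structure.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Parameterized query: the statement text is fixed and `name` is
    handed to the driver as a bound value, never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run the same input through both variants and return both results."""
    conn = make_db()
    try:
        return {
            "unsafe": lookup_user_unsafe(conn, name),
            "safe": lookup_user_safe(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name: both variants agree.
    print(compare("bob"))
    # A constructed input containing a quote: the spliced query no longer
    # filters on a name at all, while the bound parameter simply finds no
    # user with that literal name.
    print(compare("alice' OR '1'='1"))
```

The point of running both side by side is that the parameterized version is not a filter bolted on after the fact; the structure of the statement is fixed before any user data arrives, which is why CISA treats the alternative as a manufacturer-level defect rather than a user-level mistake.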
The document also includes what its authors consider bad practices around open source software, such as “to include open source components with known exploitable critical vulnerabilities. And we include a list of recommended actions that we believe every software manufacturer should take.”
Open Source and CISA: Building a Relationship
In September 2023, Cable said in his keynote, CISA published its “Open Source Software Security Roadmap,” which laid out its goals to help make open source software more secure.
The first goal was to build stronger relationships with open source communities, he said. “Our role should not be to show up in trying to control or regulate open source, but rather to show up as a community member and contribute our resources,” Cable said.
Two prominent members of the open source community, Aeva Black and Tim Pepper, have joined CISA this year, he noted.
This past March, CISA sponsored a summit with about 50 people from open source foundations, package repositories, and individual contributors.
“One of the things we did there was we held a tabletop exercise responding to what, at the time, was a hypothetical vulnerability in an open source component,” Cable said.
“It wound up looking somewhat similar to the [xz utils] compromise that happened about a month later. And we heard that that exercise was useful in helping prepare for that, and we were then able to leverage those relationships we had to facilitate real-time sharing of information as xz unfolded.”
Other Highlights From the Keynotes
The other keynoters on Tuesday addressed community building, optimizing LinkedIn profiles for job hunting, and improving developer experience.
- Danny Thompson, director of technology at This Dot Labs and a prominent voice among developers on social media, laid out a formula for creating a successful meetup agenda: “Connection. Education. Networking.” — in that order.
- Kelly Vaughn, director of engineering at Spot AI, warned the audience to not use AI to write the “About” section of their LinkedIn profiles; it’s too easy to detect AI-written copy and you’re missing an opportunity to express your personal voice. AI, she said, is “a useful tool. It should not write content for you. I have reviewed LinkedIn profiles of resumes where people did not even remove the quote marks around the text they copied.”
- Chris Coyier, co-founder of CodePen, gave a raucous talk about creating good developer experience, in which he compared it to creating the ideal garage door opener — one that only needs a single touch, or “boop,” to work. Said the speaker, “I like interfaces that make it hard to screw up.”