While keeping open source secure remains a key priority for many, this is only made possible with the cooperation between the public sector, private sector, and the community. Yet while the US Government has been engaging more actively with the security community, the EU’s Cyber Resilience Act (CRA) is still sparking concerns as to the potential implications it could have on the future of open source.
In this episode, Omkhar Arasaratnam, General Manager of the Open Source Security Foundation (OpenSSF), while at Open Source Summit in Bilbao, Spain, talks about the need for cohesion between the public sector, private sector, and community in ensuring open source remains secure. He also discusses some of the key trends in security and what the current focuses for OpenSSF are.
- While the need to have the right security principles and all the invariants present has not changed, the last few months have seen a significant change in terms of the US Government’s engagement with the security community and in how it seeks the community's input. Arasaratnam talks about how this closer engagement is helping the public sector, private sector, and the community work together to ensure that open source remains secure.
- Arasaratnam discusses some of the key initiatives the US Government has undertaken to engage with the community to talk about how to secure open source software. He goes on to share his thoughts on CRA and to talk about the dissonance that can occur if lawmakers do not understand the nuance of the community.
- AI has been another key focus for OpenSSF with the organization announcing a partnership with DARPA to run the AI Cyber Challenge. Arasaratnam talks about the opportunity this presents for artificial intelligence (AI) to be applied to solving entire classes of security problems within open source software.
- Arasaratnam believes that the maintenance of open source between public sector, private sector, and the community is a shared responsibility. He tells us that this is one of the reasons why the Linux Foundation set up Linux Foundation Europe in order to promote this better in Europe.
- Open source and security within the AI space continue to be complex topics, but Arasaratnam feels that traceability, provenance, and deterministic outputs are key areas for consideration from a security perspective. He talks about the risks should these aspects not be in place, and about the potential benefits of using AI, such as converting code in legacy languages into memory-safe languages like Rust.
- Arasaratnam discusses why the open sourcing of AI isn’t a straightforward decision and how it isn’t simply a case of open sourcing the technology. He explains that in order to understand the way an AI model works, you would need to understand not just the algorithm behind it but also how the model weights were derived from the training data.
- CISA recently published an open source security roadmap at the Secure Open Source Software (SOSS) Summit 2023. Arasaratnam talks about the key focuses of the summit: to better understand how open source software is used within critical infrastructure as well as within the federal government, and to better partner with the community on these pillars.
- Upcoming Linux Foundation events include the Linux Foundation Member Summit 2023, the OpenSSF Day Japan in December, and numerous other events lined up for next year.
This summary was written by Emily Nicholls.