Open Source Security Summit 2021 Recap
At the Open Source Security Summit 2021, participants explored advancements in open source security and how to empower individuals and businesses with credential management. In December 2021, the Summit brought together users, business leaders, and industry visionaries to chart a path to further expand open source security solutions.
The second annual Open Source Security Summit was jam-packed with insight from industry leaders Tutanota and Mattermost, celebrity guests Steve Wozniak, Nicole Perlroth, and Bruce Schneier, and passionate, informative conversations with experts about the intersection of open source software and security.
Here are the main takeaways from the Open Source Security Summit 2021.
Three of the many highlights from this Summit were our fireside chats with Steve Wozniak, Co-Founder of Apple, Nicole Perlroth, bestselling author and cybersecurity journalist for The New York Times, and Bruce Schneier, internationally renowned technologist.
Woz spoke on many topics, from his dogs to what Steve Jobs was like when they were in high school together. But mainly, he shared his thoughts on what makes open source solutions extraordinary. He said that open source technology allows you to “customize your own world” in a way that closed source companies simply can’t. With open source, “you’re not subject to a bunch of companies making decisions for their own reasons. You’re in control of where your product goes and what you need it to do.” The open source community, according to Woz, is exactly the right place for “the curious, the explorer, and the inventor.” In our conversation with Woz, he agreed:
“The principles of open source are good. If you’ve got some technology today, other people should be able to see it so they can learn from it and develop beyond it. That’s how all of our education goes, and open source is really good for that - taking advanced steps based on what we had before and being able to see what possibilities there are.”
He emphasized the benefits of having many minds working together to solve problems and identify improvements: “Sometimes people have a unique need. Someone may use a product and think: ‘What if it did this one extra thing? It’d be perfect for my customers!’” And so, a new dimension of the product can come into being that may never have existed otherwise.
Woz shared his experience as an educator and how being an entrepreneur and working with open source projects are great ways to deeply learn any technology. Woz urged:
“Don’t equate school with education. You get an education from everything you do in life. Not every student is the same and sometimes the structure of school stifles creativity.”
When asked what advice he would give to new entrepreneurs, Woz said:
“You’ve gotta be sure the passion is in you and that it matters to you. If it’s been with you your whole life, you will do it.
Startups, entrepreneurship, and starting companies are extremely important. The economic health of countries is on the line, but it’s also the most fun you could ever have in your life to try and make something that didn’t exist before.
You may have to change direction, you may even have some failures along the way but it’s absolutely the most fun thing when you work hard, hard, hard (and you’re young enough) you just look back and it’s so incredibly beautiful.”
Nicole Perlroth is the award-winning author of "This Is How They Tell Me The World Ends: The Cyber-Weapons Arms Race" and a cybersecurity journalist for The New York Times for the last decade.
In this interview, Perlroth dove into the state of cybersecurity globally and in the U.S., the threat of cyber warfare, and the importance of individuals in the fight against cyber threats. She made it clear that cybersecurity is not simply a government or military problem, it affects all of us. Many people tend to talk about cybersecurity in the U.S. as if “we’re an island separated by two oceans and, on the internet, that’s just simply not the case.” Perlroth also explained the history of the first known international cyber attack, Stuxnet, and told the moving story of Ahmed Mansoor, an Emirati human rights activist. While she spoke about many elements of cybersecurity and cyber warfare, the main takeaway from this interview was the following metaphor:
“A useful analogy isn’t a ‘digital Pearl Harbor,’ but a digital pandemic because like the pandemic now, sure governments need to set policies, businesses will help with vaccines and also set up their own rules around mandates and remote workforces, as individuals we still need to mask up, socially distance, and get vaccinated - a lot of it comes down to individual behavior.
The same thing is true with cybersecurity. But over and over again, what you hear is people saying: ‘I don’t have anything worth stealing so I don’t really need to worry about this. I don’t need to use a password manager, who cares about hacking me?’
What people don’t realize is that, ok, maybe you don’t have anything important, maybe you’re the most boring person on earth, but you could be a conduit for a hack of your brother, sister, neighbor, company, government agency, or a national security threat.”
Perlroth’s parting advice for how everyone can stay secure online:
“You can’t outsmart hackers when it comes to stolen passwords, the best thing you can do is use a password manager, and use multi-factor authentication… it’s one of our best defenses.”
Bruce Schneier is the author of over a dozen books, a fellow and lecturer at Harvard, a board member of the Electronic Frontier Foundation, and the Chief of Security Architecture at Inrupt, Inc.
Our fireside chat with Schneier began with a discussion on the pros and cons of open vs. closed source code. For Schneier, “open source is a net positive” but there is a critical asterisk there for him. He explained:
“In security, what I want is for the code to be analyzed. I need smart people to look at the software, find the vulnerabilities and fix them.
There are two ways I can do that. I could be like Microsoft, closed source, and hire a bunch of experts to stare at the code, or I could be like Linux, open source, and rely on the community to do it.
Both of those work and both of those fail. Lots of software companies, most of them, are closed source but don’t hire anybody to look at the code. And most open source is open but nobody bothers to look at the code because it’s obscure, nobody cares, and there are a gazillion open source projects.
It’s not enough to open source, we need to incentivize people to look at the code. I would rather have an open source project than a closed source - there’s a better chance of getting a good outcome.”
Schneier also discussed the future of passwords and authentication. He offered as an example: when people don’t use a password manager, they often rely on the “forgot password” reset option to get into their accounts via their email. Which means, the security of your email is what is securing your other accounts, just like the security of the contents of your phone is ensured by the security of your physical phone and your ability to get into it: “That’s why someone hacking your gmail account is so valuable. They can change all your other passwords.” And that is why the first priority after getting a password manager is to secure your email accounts.
While passwordless authentication is gaining traction and popularity as a concept, Schneier believes passwords are here to stay:
“There’s always going to be a need for that kind of authentication interface. So, no I don’t think passwords will disappear. We have more passwords than ever now. We all should use some kind of password manager.”
The 2021 Summit kicked off with two keynote addresses from leaders in the open source security industry.
Ian Tien, CEO of Mattermost, an open source developer collaboration platform across teams, tools, and clouds with 25K GitHub stars, 4K open source contributors, and 30K code contributors, focused his keynote address on three key lessons of open source security under the premise: “if it’s not open, it’s definitely not secure.”
He began by noting that “nothing useful can be secure” because “all useful systems have vulnerabilities” and while we can reduce these vulnerabilities, we can’t eliminate all of them. “Security is about making trade-offs” between usefulness, risk, and resources.
The second concept he covered was the perhaps unintuitive: “Get PWN3D (ethically),” which means, invite ethical security research via a Responsible Disclosure Policy - ask the community to identify your vulnerabilities, and then celebrate them for what they find, “communicate to your community that you are invested in their security.”
Part three is simple: do the right thing by vetting your dependencies and supporting your supply chain.
“The secret of open source and security done right: the more you give away, the more you keep.
Ultimately, security is about trust. When you create trust from your community, supply chain, end users, and customers - that’s the whole ball game of security.”
Join the Mattermost community here.
Hanna Bozakov, head of marketing for the last seven years at Tutanota, the world’s first end-to-end encrypted mail service that encrypts the entire mailbox, emphasized in her keynote address:
“Security is based in transparency. We believe security is only possible with open source.”
When the code for a project is published on GitHub, everyone can see what is being done and see for themselves that there is no back door into the product. Open source does not require the same trust as a closed source product; the proof that projects like Tutanota are secure is in the code, which is visible for anyone to review. This openness naturally fosters community, and by making the code available for everyone to see, you invite feedback and suggestions from your users that expedites the improvement of the product:
“The community allows us to make Tutanota better faster. We receive regular improvement suggestions and pull requests from our users, which speeds up our development process.”
Join the Tutanota project here to work on a secure alternative to Google and Microsoft.
The 2021 Summit also included two sessions led by users of open source security software who offered their insights into the benefits and uses of open source technology when it comes to security in their businesses.
Ed Horn, a Software Product Manager at Automated Logic, shared his insight from working under Carrier Global for well over a decade. In his presentation, he illustrates how his team chose open source partners for his company’s credential vault storage solution to scale building management.
Shane Rodness, Systems Administrator at MaRS Discovery District, which supports Canada’s most promising startups, spoke about how organizations can leverage open source in the never-ending pursuit of more secure environments.
Security Expert Roundtable
The Open Source Security Summit 2021 concluded with an expert panel featuring Dr. Raphael Reischuk, head of cybersecurity and distinguished consultant at Zühlke, Dr. Sal Aurigemma, Associate Professor of Computer Information Systems at the University of Tulsa, and Lisa Plaggemier, the Interim-Executive Director of the National Cybersecurity Alliance.
The panelists began with advice for business leaders trying to improve security practices within their employee base and a discussion of how businesses can work with academic institutions and students to better instill security practices before students enter the workforce. Dr. Reischuk echoed the sentiments from the keynote address by Mattermost that organizations should proactively and ethically hack themselves before a security breach occurs. In Dr. Reischuk’s experience, this is one of the best exercises to create employee to C-suite level awareness within an organization so everyone can understand what and who is vulnerable. Once the weaknesses have been identified, you have a clear path of priorities moving forward. Lisa Plaggemier noted the importance of tone in the messages we send and conversations we have around cybersecurity:
“We use militaristic language like ‘attack’ and ‘threats,’ and the average person is going to have a fight-or-flight response to that, and that causes people to disengage. We should be talking about the peace of mind you get when you use a password manager, or the convenience and speed of using one, instead of talking about all the scary reasons why you should use one.”
The conversation flowed into how businesses can educate employees on security best practices and keep their workforce engaged. Dr. Reischuk offered insight into Switzerland’s digital privacy and security laws and how they affect the government and public sector.
Plaggemier spoke about the work the National Cybersecurity Alliance does every October during National Cybersecurity Awareness Month in partnership with the Cybersecurity and Infrastructure Security Agency (CISA). Her advice? Don’t feed people lunch, make them hungry. She encourages those in the cybersecurity space to cater advice to specific groups through engaging, consumer-grade content that makes people hungry to learn more. The security advice for a software developer, for example, is different from the security advice you would give your mom, or your children. The high-level cybersecurity messages from leaders in this industry need to reflect and serve those different needs.
The panel concluded with a discussion on how open source and security come together to help businesses. Dr. Aurigemma emphasized the importance of the community aspect of open source projects when it comes to education and career transitions. Open source tools come with a built-in support network of people working together to find solutions:
“Open source security tools have a huge place in preparing the future workforce, whether it be students or people transitioning from different career fields, to understand what it’s going to take to help secure the nation and the world moving forward.” - Dr. Aurigemma
“Open source is the fundamental prerequisite for getting security right.” - Dr. Reischuk
The Open Source Security Summit is a forum to explore the intersection of open source and security. In 2020, our inaugural year, we chose to focus on credential management, which remains a critical first line of defense for individuals and companies to mitigate cyberattacks.
Watch the session recordings from the Open Source Security Summit 2020.
In 2021, we expanded to cover open source security more broadly, engaging a community of like-minded enthusiasts sharing their ideals and tactics to make open source security more well understood, and available to software developers and users.
Watch the session recordings from the Open Source Security Summit 2021.
See you at the Open Source Security Summit 2022!
Follow Bitwarden on Twitter to get notified about our future events.