Securing software requires a cultural shift
By Kim Lewandowski
I vividly remember the experience that set me on the path to becoming a security professional: I was walking to one of my final exams on campus at Rochester Institute of Technology in blizzard conditions—hands frozen, face numb and that was it, I needed to get out of Upstate New York ASAP. I ended up transferring to sunny Florida State University to finish up my last year of undergrad in Computer Science. I didn’t have the money to pay for tuition, so I was always on the lookout for scholarships. I stumbled on the CyberCorps Scholarship for Service, applied and thankfully accepted the award. I got a nice stipend to finish up undergrad and grad school, with the requirement that I focus on computer security and work at a federal agency for two years after graduation. I'd never considered a security path before then, but it was a pretty sweet gig and the first time I didn't need to hold down a full-time job while studying, so I was happy to shift my academic focus.
After graduation I made my way out to the west coast and landed at Lawrence Livermore National Laboratory (LLNL) developing GUIs for the world’s most powerful laser. Even though I focused on security in school and worked for a nuclear research lab, security was never really a passion for me in my early career as an engineer. My classes had been filled with theory and less about practical applications. I don’t think I ever understood or appreciated the problems well enough to get excited about it back then.
My most memorable security moment at LLNL was the one time we had human/goose conflict training as the geese in the area could be quite aggressive. I think back to my last year at LLNL and, despite being one of the first adopters of the open source project Hadoop, I can’t even remember thinking about its security posture or where the code came from. My experiences in startups after I left LLNL were similar: there were no deep discussions on threat models or vulnerabilities, and security wasn’t baked into our culture as we focused on delivering features and functionality as fast as possible.
It wasn't until starting my most recent role at Google that security became my focus again. Now that I lead the Google Open Source Security Team, I feel like my career has gone full circle, and I'm in a position that I love. Software supply chain attacks and malicious code are becoming a weekly, if not daily, occurrence. Companies are scrambling to better protect themselves, and developers are looking for easy solutions. While helping design the next generation of open source security tools and frameworks, it really sunk in that improving the security of software and how it’s produced truly is a cultural shift above everything else. Developers need to think twice before merging in that random package they found off the internet. Security needs to be a priority for developers and not an afterthought.
We need to move away from the mindset that I (like so many others) had earlier in my career where security wasn’t top of mind, and embrace an intentional focus on understanding the risks and hygiene of the software we all depend on. We need to keep driving awareness to this topic by supporting the developers and maintainers of critical open source projects, educating each other, and sharing best practices. Last but not least, we need to continue building tools and processes that are so easy for developers to adopt that they don’t have any excuses not to.
If security of open source software or supply chain security are topics you’re passionate about, come join us on this journey. There are a number of security experts active within the OpenSSF and other open source communities trying to push forward these big changes that we all need. Feel free to drop in on one of our working group meetings, or reach out to me on Twitter to continue the conversation.
Google is a Story Changes Culture Consulting client.