Intel exec affixes OpenSSF, CNCF open source security efforts

Intel's Arun Gupta, now governing board chair of both the CNCF and OpenSSF, discusses his plans to bring all three organizations together to improve open source security.

CHICAGO -- One person has become a human bridge among three of the most influential open source security organizations in the industry, at a time of turmoil in software supply chains and cloud-native tech disruptions.

Arun Gupta was already vice president and general manager of open ecosystem initiatives at Intel Corp. and in a unique position as chair of the Cloud Native Computing Foundation (CNCF) governing board, a position he's held since 2021. But last month, he was also named governing board chair of the Open Source Security Foundation (OpenSSF). Gupta has also worked at several major tech vendors in his nearly 30-year career, including HP, Oracle, Red Hat, AWS and Apple.

TechTarget Editorial sat down with Gupta during KubeCon + CloudNativeCon to learn how he intends to use his experience and multiple leadership roles to advance open source security.

Last year, the OpenSSF put out a proposal for $150 million in funding. But earlier this year, then OpenSSF general manager Brian Behlendorf said the organization hadn't gotten close to that. How can OpenSSF change that funding picture and build more momentum?

Arun Gupta, vice president and general manager, open ecosystem initiatives, Intel; governing board chair of CNCF and OpenSSFArun Gupta, Intel

Arun Gupta: A lot has changed. [Behlendorf] left OpenSSF about four months ago. The new executive director [Omkhar Arasaratnam] is bringing a lot of energy into OpenSSF. He's hired a chief of staff, a program manager and a technical architect. About eight weeks ago, we were at the White House for the Secure Open Source Software Summit. We met folks from CISA [the Cybersecurity and Infrastructure Security Agency], NIST [the National Institute of Standards and Technology], the National Science Foundation, about 70 federal government and private-sector people. There were deep conversations on what we should do. [This week,] we are having a meeting of the OpenSSF governing board, thinking about what should the OpenSSF strategy be? What should the priorities look like? There is the Alpha-Omega project -- there's a lot of work happening there, and $7.5 million in funding as part of it. We are looking at running a Sigstore service -- should OpenSSF become like an SRE to manage that service?

I consider myself to be in a privileged position as CNCF governing board chair and as OpenSSF governing board chair -- I'm bringing the two executive directors [of those foundations] closer. Any recommendation coming out of OpenSSF needs to be adopted by CNCF, and I don't want OpenSSF to build recommendations in a silo -- they need to bring CNCF in as a partner early on. The TOC [CNCF Technical Oversight Committee] and the TAC [OpenSSF Technical Advisory Council] chairs are both good friends of mine. The TAC chair is [Christopher Robinson] from Intel and the TOC chair is Emily Fox [from Red Hat]. They have known each other, but they haven't really talked to each other in that OpenSSF/CNCF chair capacity. So I got them connected.

CISA has explicitly left out cloud-native applications from its SBOM guidance. There are projects like GUAC that are looking to help track vulnerabilities in ephemeral and cloud-native workloads, but what else do you think needs to be done to catch SBOMs up with cloud native tech?

Gupta: Those are the exact kinds of discussions I have in mind when I'm connecting the OpenSSF and the CNCF worlds together, because so far, those discussions haven't happened. A couple of weeks ago, we were all at the Linux Foundation Member Summit -- [CNCF CTO] Chris Aniszczyk, [Arasaratnam]; his chief of staff, Harry Toor; [CNCF Executive Director] Priyanka Sharma; and me. We had a meeting at the summit to identify collaboration opportunities, and we want to set up a quarterly sync between the executive directors and the TOC and the TAC chairs -- a meeting of the minds. Put them together in a room, and they will figure things out.

Meanwhile, the White House issued a cybersecurity plan this year, but at the same time, year after year, surveys come out that say a high percentage of companies still aren't doing basic things like patching. How does the industry get to a tipping point with cybersecurity? What's it going to take?

It's a conscious effort on our side, on educating CISOs: Do you know what your security strategy is for open source?
Arun GuptaVP and GM, open ecosystem initiatives, Intel Corp.; chair, CNCF and OpenSSF governing boards

Gupta: One of the things we've been thinking in the OpenSSF world is … let's create a CISO panel. We have some of the top companies in the world, Fortune 50 companies, already part of the governing board. Another thing we proposed last year, which is getting close to release in the coming weeks, is a set of secure software development guiding principles. In the sense that when you have a vulnerability, you're going to disclose it, and you're going to say, 'I'm going to fix it' or 'I'm not going to fix it,' and when I'm going to fix it, what's my timeline look like? That doesn't exist today. That's something that Intel started. We worked with Dell and a lot of our partners. Now it has been approved by the best practices working group in OpenSSF. It's been approved by the TAC, and now we are working with CNCF and other foundations, Eclipse and all of those, to get them to endorse it. If all the governing board member companies at OpenSSF, which are Fortune 50 companies, can say, 'We all subscribe to that,' it all starts with them. It's a conscious effort on our side, on educating CISOs: Do you know what your security strategy is for open source?

At Intel, we … proactively went through our 6,500-plus public code repos; my team ran that effort in vulnerability detection. What are the repos that are dormant? What are the repos nobody maintains, and how do we make sure that the vulnerabilities in those are fixed on a proactive basis? Once you have done that exercise, it doesn't stop there. How do I set that up as a cron job, so that is actively happening on a three-month basis? If you have not seen an activity in the repo [in that time], you send a notice to the owner: 'Hey, are you updating this, or should I archive this?' Because I don't want customers to get an impression the repo is not maintained. We do a lot of internal thinking, and now we're looking at leading by example, [saying] 'This is how we do it.'

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Dig Deeper on IT systems management and monitoring

Software Quality
App Architecture
Cloud Computing
Data Center