2023-03-28

Pete Morgan from Phylum has answered our questions regarding the upcoming Open Source Summit event by The Linux Foundation and open-source software. Morgan is the co-founder and CSO of Phylum, and he has been a security researcher for 20 years, specializing in application security, software supply chain security, and reverse engineering.

What do you think about the Open Source Summit, and what do you think will be the hot topics of this year’s event?

Last year was my first time attending, and I absolutely loved it! I was excited to meet developers and engineers who balanced work and open-source interaction and maintained their enthusiasm. I’m no prognosticator, but one wouldn’t need to be one to guess:

GPTs and their use-cases

SBOM

Software supply chain security

Improving the dynamic between OSS developers and companies

How does Phylum contribute to open-source?

We love open-source, and our engineers regularly contribute upstream to projects that touch our world. Phylum has also open-sourced our package installation sandbox, Birdcage. This component helps Phylum protect our users from software supply chain attacks and OSS malware that pollutes the software supply chain. We’re very excited about this project and look forward to more open-source interaction going forward.

Do you think that the majority of companies could understand the importance of securing their software supply chain in recent years?

I think everyone is still playing catch-up. The widespread adoption of open source in the private sector happened very quickly. This dramatically improved software development speed, but security teams have been dealing with the consequences since. Most security leaders seem aware of the software supply chain security problem now, but the defensive technology was mostly built for a different need: identifying software vulnerabilities in open-source software. Modern software supply chain attacks frequently have nothing to do with software vulnerabilities, so this gap has been understandably leveraged by attackers. The startup community has been buzzing with new companies starting to solve those gaps, and we’ll need continued innovation to defend this new attack surface.

What do you think about the current state and the future of open-source?

I’m constantly amazed at the number of hours people around the world contribute to the craft of software. As I observe this commitment, I become more and more convinced that we need to find a method to incentivize open-source contributions in a major way. The inflection point of corporations completely relying on open-source software is a distant spot in the rearview mirror. We have to find a way to support and compensate contributions and contributors in a reasonable way to sustain the open-source ecosystem over the long term.

I’m also a bit biased toward thinking about the security of open-source, and it’s going to remain a huge challenge for the foreseeable future, unfortunately. The number of contributors, contributions, and open-source projects in general has skyrocketed in the past handful of years. When I map that against the cascading effects of major vulnerabilities like Log4Shell and the seemingly never-ending stream of new malicious packages polluting the open-source supply chain, I worry about how we’re going to defend the modern idea of open-source.