Tim Mackey, head of supply chain risk strategy at Synopsys, has answered our questions about open-source software and the upcoming Open Source Summit event. He is a veteran of the industry; prior to Synopsys, he spent more than 10 years at Citrix Systems. He joined Synopsys as part of the Black Duck Software acquisition, where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platform. As a security strategist, Tim applies his skills in distributed systems engineering, mission-critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems.

Can you please introduce yourself? What is your role at Synopsys?

My name is Tim Mackey and I currently hold the role of Head of Software Supply Chain Risk Strategy for the Synopsys Software Integrity Group.

What do you think about the Open Source Summit and what do you think will be the hot topics of this year’s event?

I’m particularly interested in seeing how open-source security and project health management have evolved over the past year. Projects like CII, OpenSSF, SPDX, and OpenChain are core to my current role, but I still follow many related to cloud and virtualization.

In what kind of situations does Synopsys prefer open-source? Are there any crucial open-source solutions that are irreplaceable for Synopsys?

Synopsys has been supporting the responsible use of open source for well over 15 years and I have personally been involved with open source for over 20 years. From Synopsys’s perspective, responsible use of open source crucially includes aiding consumers of open source in the efforts to identify healthy projects and encouraging them to contribute back to open source.

How does Synopsys contribute to open-source?

Open-source contributions are often thought of as code contributions, but that’s only part of the picture. Synopsys directly supports Linux when deployed on the ARC processor, but we also work to promote healthy engagement with open-source projects, offer free tooling to improve open-source security and have free access to open-source SBOMs.

Do you think that the majority of companies could understand the importance of securing their software supply chain in recent years?

The concept of secure software supply chains is something most companies are only starting to understand the complexities around. For many, the topic of a software supply chain started either with President Biden’s Executive Order on Cybersecurity or as a result of an attack on developer assumptions like the “dependency confusion” attack paradigm from 2021. What most don’t realize is that open source usage is but one of many ways that third-party software decisions impact businesses and create potential security risks for a business.

What do you think about the current state and the future of open-source?

While we tend to think of open source as resilient and vibrant, the reality is that most open-source projects are supported by a handful of developers. It’s only a handful of top projects like Kubernetes, Xen, or Linux that become popular. This means that there are very few open-source projects that have a level of built-in sustainability and resilience to ensure the ongoing viability of the project long-term.

For the rest, a limited pool of committers could mean that the project could languish if the core committer needs to take a break from their project for reasons as simple as family obligations. To combat this risk, I routinely encourage businesses to identify which open source components their business depends upon and then proactively identify staff members who can devote part of their time to actively engage with the project.

After all, if you’re dependent upon a component, and there is a reported security issue impacting that component, but where there isn’t anyone with the skills necessary to fix the issue, that unpatched vulnerability isn’t someone else’s problem, it’s yours.