WEBVTT

00:00.000 --> 00:15.000
Okay, next up, Gail and Thomas, who will be talking about data: we need better open source data for CRA compliance.

00:15.000 --> 00:20.000
Yes, we do. Take it away, guys.

00:20.000 --> 00:26.000
All right, welcome all. I know it's already getting late. It's dark outside, but we're happy to see you here.

00:26.000 --> 00:35.000
My name is Thomas Timbergren. I mostly help organizations use open source safely and effectively.

00:35.000 --> 00:36.000
And with me.

00:36.000 --> 00:45.000
I'm Gail Blink. I'm an open source strategist. My focus is on helping organizations become more professional in their use of data and metrics.

00:45.000 --> 00:49.000
We are here because we have the Cyber Resilience Act.

00:49.000 --> 01:00.000
It's coming. The dates are approaching when we need to start doing our reporting and comply with all the obligations there are.

01:00.000 --> 01:03.000
And we want to talk about the data aspect.

01:03.000 --> 01:10.000
For those who are new to the conversation, a little background on why we need the Cyber Resilience Act.

01:10.000 --> 01:21.000
There have been many more attacks over the last years. The trend is increasing, and the EU is saying, okay, enough is enough.

01:21.000 --> 01:26.000
We need to regulate this. So the software industry is becoming regulated.

01:26.000 --> 01:35.000
And with AI this is only compounding, and we need not just new tools to manage the situation.

01:35.000 --> 01:40.000
We also need to make better decisions for which we need data.

01:40.000 --> 01:47.000
When we look at the solutions that are emerging, there are a couple of things we want to say about this.

01:47.000 --> 01:53.000
We need real solutions, not just workarounds. We cannot rely on doing things by hand.

01:53.000 --> 02:00.000
We need to automate things. We need reliability in the data and the tools that we are using.

02:00.000 --> 02:04.000
And there are a lot of things already in the works.

02:04.000 --> 02:14.000
And, of course, the companies and organizations that have the obligations will need to support open source.

02:14.000 --> 02:22.000
They will need to work upstream, ideally; that is my hope as an open source strategist and advocate.

02:22.000 --> 02:35.000
So one of the things that I believe in, that we believe in, is that we have the digital commons for software supply chains, and there are shared solutions.

02:35.000 --> 02:46.000
And if you picture what the world could look like in the ideal scenario, we have best practices that are shared and easily available.

02:46.000 --> 02:53.000
We have practical standards that are adopted for consistency across the ecosystem.

02:53.000 --> 03:01.000
And in this ideal world, we also have interoperable tools, where the data is standard across them and usable anywhere.

03:01.000 --> 03:05.000
And we can plug and play and choose the tools that we want to use.

03:05.000 --> 03:13.000
And then, of course, we need that reliable data, which is in an ideal world available to everyone.

03:13.000 --> 03:24.000
And if you look at this ideal world, there's already a lot being done on creating those shared tools and shared standards; the collaboration is there.

03:24.000 --> 03:33.000
There are a lot of logos and a lot of initiatives, but really, behind the scenes, all of these people working on this know each other; they're working together, collaborating.

03:33.000 --> 03:39.000
And there are emerging de facto standards.

03:39.000 --> 03:47.000
Some of them have even gone the step of becoming de jure standards, like ISO standards, or are in that process.

03:47.000 --> 03:51.000
So there is a lot already happening in this space.

03:51.000 --> 03:59.000
And it really goes to show that when we have good community consensus, we create practical standards.

03:59.000 --> 04:12.000
And that is what we are seeing here: some examples, again, of these standards developed by the community, which are already available today.

04:12.000 --> 04:18.000
It's a mix and match, and I'll pass this to Thomas to talk about this more.

04:18.000 --> 04:29.000
Yeah, so one of the things that I commonly see, as I work with OSPOs at a lot of different organizations, is that they come from a world where they have a single vendor; they bought a vendor.

04:29.000 --> 04:32.000
And it's like, oh, we have to use this vendor for this problem.

04:32.000 --> 04:39.000
In the world I live in, most of the time I would say, look, no, there is not one magical tool that fixes everything.

04:39.000 --> 04:44.000
You have to use a mix and match of tools, basically based on what you need.

04:44.000 --> 04:48.000
I know most vendors will promise you everything, and of course that has great commercial benefits for them as well.

04:48.000 --> 04:55.000
But in reality, in most software companies, unless you're a very small startup, you don't have one place where everything is the same.

04:55.000 --> 05:04.000
You have multiple different problems, and, simply said, don't think everything is a nail just because you have a hammer.

05:04.000 --> 05:08.000
Sometimes people think it's all exactly the same; it's not, and you need to have a tool set.

05:08.000 --> 05:16.000
And so that's really where you see the difference happening, and you actually see the leading edge when you look at the CRA: it's all open source tools.

05:16.000 --> 05:22.000
Because people are like, oh, hang on, we need to do things, we can't do this the old way, we need to do this differently.

05:22.000 --> 05:32.000
And that's where you're basically like, yes, I need a mix and match of tools that interoperate: I need to take from one thing, connect to the other thing, and be able to do my CRA compliance.

05:32.000 --> 05:43.000
Ideally, I want it to be community driven, because guess what, the CRA is still developing; we don't know, everybody in the community is still trying to figure out the CRA, how it works, how to connect things together.

05:43.000 --> 05:47.000
So you really want to have a community-driven tool where the input really comes from the community.

05:47.000 --> 05:54.000
You also want it to be decentralized and federated, because guess what, there are slight differences between each country.

05:54.000 --> 06:03.000
Per jurisdiction, the law is not the same. So you want to have tools where, hey, one tool might be working perfectly in France, because that's the particular way they operate in that particular organization.

06:03.000 --> 06:09.000
But on the other side, they're like, oh, hang on, we're not doing it that way. But still, that's the benefit on the open source side: the code is open.

06:09.000 --> 06:16.000
I take things that are happening in France, as well; say I'm in Germany, and they completely don't apply in my legal jurisdiction, but still, I say, hey, that's a clever idea for package detection.

06:16.000 --> 06:22.000
I will take this little snippet they're doing; they are writing it in Go, I am writing it in Python, but I just take that bit that is useful.

06:22.000 --> 06:31.000
Of course, give them credit, don't just copy it. And also, what we do as a small OSPO, we work together.

06:31.000 --> 06:37.000
So what I see, especially with the CRA, is everyone saying, oh, it's a security topic. No.

06:37.000 --> 06:42.000
Yes, it's a security topic, but it's also a legal topic, and it's also a topic for developers.

06:42.000 --> 06:51.000
You really need to start learning to work together, and this is where having open source software is usually easier, because the people in those teams

06:51.000 --> 06:57.500
can play with a tool already beforehand, and they can discuss, within their group,

06:57.500 --> 07:00.380
within their peers, like, hey, I have this new open source tool, what do you think about

07:00.380 --> 07:01.380
it?

07:01.380 --> 07:04.500
And you basically see a more diverse set of opinions.

07:04.500 --> 07:10.020
So this picture, I just put up the picture; in reality, I tried to put in more than 180

07:10.020 --> 07:14.220
different tools related to the CRA, because I often get asked about it.

07:14.220 --> 07:16.500
We try to put some of the major ones.

07:16.500 --> 07:24.340
So again, it is a little complex, yes. I would love... we were working on this; we had a workshop yesterday,

07:24.340 --> 07:27.740
the last workshop, where we actually discussed, like, hey, it would be ideal

07:27.740 --> 07:31.380
if we started making a landscape picture out of it, so it's made easier.

07:31.380 --> 07:36.180
And there, in the OpenChain project, there is actually a tooling mapping already being worked

07:36.180 --> 07:40.700
on, to make it easier for users, but as I said, just keep in mind that there's not a single tool that

07:40.700 --> 07:41.700
is perfect.

07:41.700 --> 07:48.700
And I'm saying this as a tool creator myself; I, on a regular basis, advise

07:48.700 --> 07:52.060
people not to use even my own tool. People are like, but you are the maintainer, why are

07:52.060 --> 07:57.580
you not recommending it? Well, in the context of that organization, my tool might not be

07:57.580 --> 08:01.940
the best solution; a tool from somebody else may be a better solution.

08:01.940 --> 08:07.680
So I'll talk about tools. One of the projects that we are working on, for which we got some

08:07.680 --> 08:13.320
subsidy from the EU Commission, is a project called Octat U. If you have any questions,

08:13.320 --> 08:18.640
well, Martin is also in the room. We're basically trying to work for small and medium

08:18.640 --> 08:25.040
businesses, oh yeah, there, in the back, to basically

08:25.040 --> 08:29.440
make it easier for small and medium enterprises that might not know how to basically

08:29.440 --> 08:34.240
say, like, hey, fill in the survey things; we're trying to help them out with this. Again,

08:34.240 --> 08:37.680
I know a lot of faces in the room; I know some of them work for large companies,

08:37.680 --> 08:42.280
you have the benefit of a big corporation backing you; small and medium enterprises might not have

08:42.280 --> 08:46.560
that support, so luckily the EU commission said, like, hey, we're working on a solution

08:46.560 --> 08:54.480
for that. But as said, yeah, we have a saying in my little corner of the

08:54.480 --> 09:00.120
community: a fool with a tool is still a fool. In this case, there's also the saying,

09:00.120 --> 09:05.200
like, a tool is only as good as its input data, so, not to say garbage in, garbage out.

09:05.200 --> 09:09.360
What I see with a lot of tools when I compare them, and I do this on a regular basis, is like,

09:09.360 --> 09:13.000
oh yeah, why is there such a difference between these tools? And then you start looking

09:13.000 --> 09:19.640
at it, like, yeah, it's data; all the tools operate on different data. Luckily there are

09:19.640 --> 09:26.680
more projects coming, and if you ask, why is it not one project? Do you know how big

09:26.680 --> 09:32.200
the open source ecosystem is? Do you know how many millions of open source packages are in there, with

09:32.200 --> 09:38.120
all their various specific things? So there are, yes, different people working on different

09:38.120 --> 09:43.000
corners of it from different angles, which is good, because then you have different

09:43.000 --> 09:49.960
opinions, and you can see, basically, how the ecosystem as such looks: this one says

09:49.960 --> 09:56.360
that, and I know, because I work with some of them, that in some ecosystems

09:56.440 --> 10:00.760
I trust this provider better than the other provider, and then I just mix and match, but it's

10:00.760 --> 10:06.040
very good to see the differences. We do not want to have one provider that is dominant, and

10:06.040 --> 10:10.520
at least, I like diverse opinions. I think in Europe we kind of prefer this as well;

10:10.520 --> 10:16.360
otherwise we would have called it the United Nations of Europe. So what do we

10:16.360 --> 10:20.040
still need? If we have all these projects and all of this stuff, we already have so many things

10:20.200 --> 10:27.640
around. And, well, data, data, data. We are only starting to scratch the surface; the initiatives that

10:27.640 --> 10:35.800
we have now, they look great, but we don't have deep data. Like, we now have,

10:35.800 --> 10:42.680
oh, we have all the package metadata, and that is great, but we don't always have good data,

10:42.680 --> 10:48.360
for instance, on project health: can I type in a random thing and see,

10:48.360 --> 10:53.960
like, how is this project doing? Like, yes, do you have, for most of them,

10:53.960 --> 10:58.920
oh, the number of maintainers for this project? I myself work with Node. Josh

10:58.920 --> 11:04.920
Brescher is one of the security people I follow; they showed me, like, in npm, the top 10,000

11:04.920 --> 11:09.400
npm packages, I think, like 40% have a single maintainer. So if you write the policy in your

11:09.400 --> 11:14.120
CRA policy, oh, our risk profile says, like, we do not like packages with a single maintainer,

11:14.200 --> 11:18.280
well, then you don't use Node anymore. You can exclude all of that from your stack,

11:18.280 --> 11:22.440
because the majority of Node packages are maintained by a single maintainer, and other ecosystems

11:22.440 --> 11:27.800
have a similar picture. But you need to know that. So what do we need? We actually need open,

11:27.800 --> 11:32.760
trusted, actionable, and curated data that you can rely on. And this is still not there.

11:33.800 --> 11:38.600
We ran out of time. Ooh, then I'll go quick. Um, three

11:38.600 --> 11:44.200
bits of the data that we need. Your clock was telling me something different. Um, we need data

11:44.200 --> 11:48.200
about packages. We need better data about vulnerabilities. As I said, our project is working on

11:48.200 --> 11:54.120
this, and we need community data. As I said, there are a lot of great projects already working

11:54.120 --> 11:59.000
on this. We ourselves are fortunate enough that we are working on a new project in this space,

11:59.000 --> 12:05.800
again funded by the European Commission. So we will post on it soon. Um, let's all collaborate

12:05.800 --> 12:08.600
on data. That's it.

