Industry recap: Open Source Security Summit 2024
- Blog
- Industry recap: Open Source Security Summit 2024
Learn more about the annual Open Source Security Summit.
The annual Open Source Security Summit brought together global participants for the fifth time with deep dives into how open source tools cultivate security and trust through transparency and collaboration. Highlights from September 2024 included a deep dive into the role and evolution of AI with expert Daniel Miessler, a panel on security resilience led by CNET, and a discussion on the importance of developing an engaged community for open source solutions.
To explore past summits, many session recordings for 2023, 2022, 2021, and 2020 are available at opensourcesecuritysummit.com or on the Bitwarden YouTube channel.
Daniel Miessler, AI expert and founder of Unsupervised Learning, demonstrated how to trust the output from AI systems: “Why don't we trust them? I think it comes down to the quality of the results and the lack of visibility into the process.” According to Miessler, the quality is improving rapidly, but “the transparency issue is actually much bigger. The problem is that AI is a black box.”
“The way that AI starts to affect business going forward is it's going to start replacing the function of a human performing various intelligence tasks like analyzing a mole or writing a report. Eventually, it will replace the whole pipeline.”
Understanding how something works leads to trust. However, he points out that humans are more of a black box than we care to admit, and many people think humans are more dependable than they actually are. Miessler walks through an example of sending code to three different systems, Snyk Open Source, Llama AI, and Code Review, along with a security policy text that will run against the code. The fourth piece of his equation is the AI evaluator, which looks at the results of the previous evaluations and provides a visual for the full process.
“Some things matter more than others, so we will need more validation steps for some things versus others, including a human in the loop for the last piece. So, if I'm right, the way we're going to end up trusting AI and its results is by having AI run multiple disparate types of tests and then explain each test to us, the methodology that was used for the test and why it believes that we should actually trust the result.”
Bree Fowler, senior writer at CNET, led a panel discussion between Schlomo Schapiro, principal engineer at Tektit Consulting, and Bjoern Sjut, managing director of productivity and IT at Front Row. The panel explored the current trends and challenges of security resilience and employee adoption. Employees hate friction, so “if we want our security to be effective, it has to be enabling the user to actually do their job. The moment security gets in the way, users will find another way to do their job” (Schapiro). This is why it’s important for the IT department to be approachable and to make sure the path of least resistance doesn’t circumvent security: “It's really about collaboration and finding the right balance between productivity and security” (Sjut).
The panelists cautioned that many organizations underestimate the threat posed by their SaaS tech stack, pointing to a trend of blind trust in SaaS systems and vendors and how that lack of control can lead to security gaps: “One of the worst things to have are accounts in applications that you don't know about that stay active when people leave, where they never rotate passwords, where they don't have multifactor authentication enabled. That's how you give up control” (Schapiro).
The panel urged the industry to push for a shift in perspective when it comes to treating security as an enterprise feature, rather than an essential functionality for all users. In addition to the rapid technological developments of the last few years, the increased mobility of the workforce has introduced new layers of complexity in managing shadow IT.
“When we want to make them productive, that means we have to deal with a much, much larger device graph than we did five or six years ago. If we don't want to arm everybody with dedicated devices, then we always have a BYOD environment, at least with mobile devices, and in conjunction with cloud tools, it means we have new attack vectors on devices and applications that are different to manage than in past times.” ~ Bjoern Sjut, Front Row
In an effort to enable the workforce beyond just the IT department, Sjut seeks out those that are enthusiastic about a specific tool, those that enjoy reading manuals or watching tutorials, and then leverages them as evangelists. In this way, IT is able to support users rather than dictating to them which tools to use for their work: “We need people in the actual business divisions to have that technical understanding and be able to drive application adoption.”
Cédric Demers, president at RTINGS.com, shared how engaged communities are essential for maximizing the benefits of open source transparency. He walked through his team's process to create a trustworthy system and explained why they landed on transparency as a core value. “Community engagement increases agility;” an engaged community can identify challenges and propose solutions more quickly than a closed system. He notes, “Open source doesn’t create community engagement by itself.” It must be cultivated, “you need to nurture that community to create these benefits.” In order for a community to grow and stand by a project or company, they must believe in your mission. When identifying which tools to incorporate into your tech stack, “look for an active community when evaluating open source solutions.”
Get started protecting your business and yourself online today! Sign up with a free individual account or start a business trial.
Stay informed about other events and security resources by connecting with the Bitwarden community!
See you at the next Open Source Security Summit!