Open at Intel

open.intel

The Open at Intel podcast covers open source innovation as we build the future together. Join us for critical conversations about security, AI, cloud computing, Linux, and more, bringing together some of the best minds from Intel and the open source community. Hosted by Katherine Druckman.

Building Trust with Attestation
Yesterday
In this episode, we dive deep into the concept of attestation as it relates to building trust in our software and systems.  Marcela Melara and Vinnie Scarlata take us on a technical tour of both software and remote attestation and how these relate to ideas we've covered previously with software supply chain security and confidential computing. We talk trust and integrity, standards and projects, and share some best practices.   Guests: Dr. Marcela Melara is a research scientist in the Security and Privacy Group at Intel Labs. Her current work focuses on developing solutions for high-integrity software supply chains and building trustworthy distributed systems. She has several publications and patents filed related to her research, and leads a number of internal, academic and open-source efforts on software supply chain security. Prior to joining Intel, she received her PhD in Computer Science from Princeton University and did her undergraduate studies at Hobart and William Smith Colleges. She is a Siebel Scholar, a member of Phi Beta Kappa, and her research on CONIKS was awarded the Caspar Bowden PET Award. Outside of work, Marcela is an avid gardener, bookworm, hiker, and gamer. Vinnie Scarlata is a Principal Engineer in the Security & Privacy Research lab in Intel Labs. He is one of the architects for Intel® Software Guard Extensions and Trust Domain Extensions, and has 20+ years of research experience in various areas of security, e.g. Trusted Computing, Trusted Execution Environments (TEE), Attestation, Recoverable Platforms, Runtime Integrity, and Key Management. He has been granted 50+ patents and co-authored several papers. Vinnie received a MS in Information Security from Georgia Tech and a BS in Computer Science from the University of Massachusetts, Amherst.
Assessing Project Security with OpenSSF Scorecard
May 17 2023
Evaluating security risk associated with open source software projects can be a complex or even daunting task, but an Open Source Security Foundation project called OpenSSF Scorecard helps put some order and automation into the process. In this episode, we chat with one of OpenSSF Scorecard's contributors, Brian Russell of Google, and Ryan Ware, Director of Open Source Security at Intel, about the problems Scorecard addresses, and how it might help improve the experience of developers and consumers of open source software. We'll take a deep dive into the automated security checks, how to use the data, and how to include Scorecards in a workflow. Links SCaLE 20x presentation: How do you trust your open source software? Guests: Brian Russell is a Product Manager on Google’s Open Source Security Team. He focuses on software supply chain security and is actively involved in the OpenSSF Scorecards project. In his spare time, Brian enjoys 3D printing and Atari video game programming. Ryan Ware recently returned to Intel to focus on Open Source Software (OSS) security.  He is currently helping drive Intel’s efforts in the Open Source Security Foundation (OpenSSF). Ryan is an industry veteran who has always worked at the intersection of open source software and security, be it implementing security features in open source software stacks, using open source software to find security vulnerabilities in software and hardware, or helping teams utilize OSS in a secure way.
Confidential Computing
Mar 22 2023
What is confidential computing? Learn about protecting data in use with confidential computing powered by open source software with two people working at the forefront of this technology through open collaboration within the Confidential Computing Consortium. Dan Middleton, a principal engineer at Intel, and Dave Thaler, a software architect at Microsoft, share their work with Confidential Computing and their efforts to further this technology via the Confidential Computing Consortium. Learn about confidential computing, the problems it solves, and how you can get involved. Guests: Dan Middleton is a Principal Engineer with over 20 years at Intel. He has been privileged to develop and release products in emerging areas including SaaS, Computational Imaging, Blockchain, and Confidential Computing. As an open source leader, he has represented Intel in projects including the Confidential Computing Consortium, The Open Source Security Foundation, CNCF CoCo, and Hyperledger. Dan currently leads Confidential Computing pathfinding in IPAS/S3 (Security Software and Services). Dan is currently the Chair of the CCC’s Technical Advisory Council. Dave Thaler is a Software Architect at Microsoft, where he works on open source and standards, including Confidential Computing. Dave has over 25 years of standards body experience and currently chairs the IETF group on Software Update for IoT, and is a member of the Confidential Computing Consortium's Technical Advisory Council, which he previously chaired for 3 years. He also previously served as a member of the Internet Architecture Board (IAB) for 11 years.
Software Supply Chains
Mar 8 2023
Marcela Melara, a research scientist in the Security and Privacy Research Group at Intel Labs, and Bruno Domingues, a chief technology officer in the financial services industry practice and a SLSA project contributor, share their deep knowledge about software supply chain security, a subject on everyone's minds today. Guests: Dr. Marcela Melara is a research scientist in the Security and Privacy Group at Intel Labs. Her current work focuses on developing solutions for high-integrity software supply chains and building trustworthy distributed systems. She has several publications and patents filed related to her research, and leads a number of internal, academic and open-source efforts on software supply chain security. Prior to joining Intel, she received her PhD in Computer Science from Princeton University and did her undergraduate studies at Hobart and William Smith Colleges. She is a Siebel Scholar, a member of Phi Beta Kappa, and her research on CONIKS was awarded the Caspar Bowden PET Award. Outside of work, Marcela is an avid gardener, bookworm, hiker, and gamer. Bruno Domingues is a Chief Technology Officer in Financial Services Industry practice (SMG), where he is responsible for technical direction and pathfinding across Intel’s product portfolio. He serves as the champion for Digital Transformation in the Financial Services domain. Before joining Intel in 2007, Bruno worked with Microsoft. He was a pioneer in the FSI vertical practice back in the ’90s and developed a rich ecosystem of partners around the Microsoft platform to solve the industry’s most challenging problems. With over 23 years of experience in applying technologies, Bruno developed a deep understanding of the financial industry mojo: he has worked with regulators to help banks ramp up on Basel II and III, and architected mission-critical trading-desk operations and inter-banking nationwide online payment systems in different markets and regions of the world.
In the last 15 years, Bruno has been focused on cloud adoption in the financial services industry, as it is a unique industry with unique requirements. Bruno also has served as IEEE Computer Society chairman (R9), Academic Liaison Director with CMG, and Board Advisor for Fintechs.
All About SBOMs: The Software Bill of Materials
Feb 22 2023
SBOM stands for Software Bill of Materials, and this humble but critically important document is getting a lot of airtime recently, especially after United States Executive Order 14028 issued strong guidance on requiring SBOMs for government software acquisitions. Alexios Zavras of Intel's Open Ecosystem Group and Kate Stewart of the Linux Foundation are SBOM experts who are active contributors to the SPDX SBOM standard, one popular format currently in use. In this interview, they walk us through some key background and useful information all developers should understand about SBOMs. Guests: Alexios Zavras, Chief Open Source Compliance Officer, Intel Corp. Alexios is part of the Open Source Program Office (OSPO) at Intel. He has 40 years’ experience in Free and Open Source software and is an evangelist of all things Open. A software licensing expert, he is an active participant in the Software Package Data Exchange (SPDX)*, OpenChain*, and the TODO Group. He frequently speaks at industry and academic conferences, including the Open Source Leadership Summit, FOSDEM, and CopyleftConf. He holds a PhD in Computer Science after having studied in Greece and the USA. Kate Stewart, VP, Dependable Embedded Systems, The Linux Foundation. Kate Stewart works with the safety, security and license compliance communities to advance the adoption of best practices into embedded open source projects. She was one of the founders of SPDX (which is now ISO/IEC 5962:2021), and remains active in specification evolution and adoption. Since joining The Linux Foundation, she has launched the ELISA and Zephyr Projects, as well as supporting other embedded projects. With over 30 years of experience in the software industry, she has held a variety of roles and worked as a developer in Canada, Australia, and the US and for the last 20 years has managed software development teams in the US, Canada, UK, India, and China.
Christopher “CRob” Robinson Shares an Optimistic Take on Open Source Security
Feb 8 2023
Christopher Robinson, also known as “CRob,” is the Director of Security Communications at Intel. In this role, Robinson handles crisis communications, training and security and incident communications. Half of the team behind the engaging security video series Chips and Salsa, he is also heavily involved in open source security communities and acts as a technical advisor for the Open Source Security Foundation* (OpenSSF). CRob shares his insights with Open Ecosystem Evangelist Katherine Druckman on the current threat landscape and finding joy in security work. Guest: Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. CRob is a 41st level Dungeon Master and a 24th level Securityologist. He has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups as well as a Technical Advisory Committee (TAC) member.
He enjoys hats, herding cats, and moonlit walks on the beach.