The Burden of Security in Software Maintenance

In this episode, John Kjell, Director of Open Source at TestifySec, discusses his involvement in various open source projects and the intricacies of maintaining such projects. John sheds light on his work with the CNCF and OpenSSF, and the impact of tools like Witness, Archivista, and SLSA. He outlines the challenges maintainers face, especially around security, and offers insights into balancing professional and personal responsibilities. John also explores the significance of community, inclusivity, and a secure developer identity in open source ecosystems. 00:00 Introduction and Guest Background01:20 Maintainer Burnout and Security Challenges04:41 Balancing Multiple Projects and Personal Life07:15 Security Risks in Smaller Projects10:13 Developer Identity and Reputation19:37 Open Source Origin Story and Community Involvement24:11 Optimism for the Future of Open Source Security Resources: Enhancing Open Source Security: Introducing Siren by OpenSSF – Open Source Security Foundation Security at Every Step: Why Software Supply Chains Are Critical Guest: John Kjell is responsible for open source at TestifySec, a software supply chain security startup. He is a maintainer for the Witness and Archivista sub-projects under in-toto. Additionally, John is an active contributor to CNCF's TAG Security and multiple projects within the OpenSSF. Before TestifySec, John was an engineering leader at VMware, helping to bring supply chain security features to the Tanzu Application Platform.