Ryan Ware is a Senior Technologist at Western Digital focusing on software supply chain security, with a long history of building secure products with open source software. Before Western Digital, he was at Intel for 22 years. In his career, he has been the security architect on 3 different Linux distributions (Moblin, MeeGo & Tizen), the Zephyr RTOS, as well as Intel's Android effort. He is currently focusing on better ways for companies to be transparent about the open source software they include in their products, so that customers have better ways of understanding the security of those products.
Debian is deployed in a large number and wide variety of environments. Why? Because it’s a central pillar of the Linux community and the quality of the distribution shows it. That said, those that deploy Debian, just like Debian itself, are facing new challenges in a computing ecosystem that has changed dramatically over the last decade! The quantity of publicly documented security vulnerabilities in the MITRE National Vulnerability Database has increased by almost 5X. The number of vulnerabilities that don’t get documented in official databases is growing. The number of silent fixes being done by communities because they don’t want to deal with the overhead is growing. The number of unique environments in which Linux is being deployed is growing. It’s an onslaught that continues to trend in the wrong direction, culminating in things like US Presidential Executive Order 14028.
There are some ways that Debian can help those that consume it face these daunting challenges. To that end, I’d like to discuss some possible ways the community can make it easier to face these challenges, as well as ways others can help the community.
The audience for this talk is all Debian Developers. Security vulnerabilities affect everyone. What will they get out of it? Hopefully, the spark of an idea for how we all can help Debian face these challenges. What will I cover? Everything from changes in the computing ecosystem, the problems the current industry vulnerability tracking systems are facing, how communities are responding to CVEs, Software Bill of Materials (SBOM), and other ways of making it easy for consumers of Debian to understand the security of their software.