Open Source Security Funding Challenges
Quick recap. The meeting began with casual conversation and music sharing before transitioning to discussions about virtual meeting filters and a humorous charity rule about AI mentions. The main focus was on open source security challenges, including concerns about OWASP Top 10 updates, supply chain vulnerabilities, and the importance of GitHub contributions and forking practices. The group explored various strategies for securing open-source software, discussed the dynamics between security and development teams, and considered ways to improve collaboration and integration of security measures earlier in the development process.
Open Source Security Funding Challenges
The meeting began with a discussion about avatars and virtual meeting filters, followed by Shawn introducing a new rule that anyone mentioning AI would have to donate to charity, though this was later revealed to be a joke. The main discussion centered on open source security, where Alhaji raised concerns about recent updates to the OWASP Top 10, including supply chain vulnerabilities and misconfigurations, while Neil clarified that MITRE is a non-profit organization funded by the U.S. government. The group discussed challenges around funding and supporting open source cloud security projects, with questions raised about how to make these projects more secure without making them overly burdensome for developers.
Open Source Contribution Strategies
The group discussed open source contributions and GitHub usage, with Neil emphasizing the importance of advocating for and contributing back to open source projects, whether through code, documentation, or financial support. Michael shared his experience contributing to the InnerSource Commons Foundation and offered to help others get started with GitHub, leading to a plan for him and Kyle to present a "Baby's first GitHub lesson" session. The discussion also covered the potential risks of malicious actors in open source projects and the value of finding passion-driven projects to contribute to.
Open Source Security Challenges
The meeting began with a discussion about GitHub forking, where Alhaji explained that forking a repository involves copying it to a local device to make changes without affecting the original. Neil raised concerns about supply chain issues in open source, particularly the risk of malicious NPM modules, and highlighted the ongoing challenges in addressing these problems since the SolarWinds incident in 2020. The group discussed potential solutions, including minimal containers and open source package manager firewalls, while Brian suggested Linux Weekly News as a resource for contributing to open source projects and managing security risks.
Open Source Security Strategies
The group discussed challenges and potential solutions for securing open-source software, with Kimberly suggesting a "walled garden" approach similar to mobile app stores, though Shawn noted this would be difficult to scale. Ryan shared that large companies sometimes fork open-source projects to maintain control and patch vulnerabilities quickly, while Juninho highlighted Google's approach of forking and hosting internal versions of packages to ensure security and compliance with their own standards. The discussion concluded that while forking is a viable strategy for large organizations, it may not be scalable for smaller companies, which might need to rely on tools like Artifactory, Google's Assured OSS, or Chainguard for security measures.
Security and Development Team Collaboration
The meeting focused on the challenges and dynamics between security and development teams, particularly in organizations. Participants discussed how silos often arise due to differing priorities, mandates, and communication styles between security professionals and developers. They explored ways to break down these silos, including better collaboration, understanding different incentives, and using tools like psychological profiles to improve team dynamics. The discussion also touched on the importance of integrating security earlier in the development process and the need for leadership to support these efforts.