<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">
Upstream PC Image

Upstream 2024 Schedule

June 5, 2024

Upstream community
The hallway
10:30 AM - 6:00 PM EDT
×

The hallway

Join us live the morning of Upstream for commentary and special guests.
Luis Villa
Co-founder and Upstream host
Tidelift
Amy Hays
Upstream chair
Tidelift
Kanish Sharma
Product marketing
Tidelift
Chris Grams
Chief marketing officer
Tidelift
Sofia Javed
Software engineer
Tidelift
Welcome to Upstream 2024: Unusual ideas to solve the usual problems
11:00 AM - 11:20 AM EDT
×

Welcome to Upstream 2024: Unusual ideas to solve the usual problems

A recent Harvard Business Review study found that open source is worth $8.8 trillion. To put that in perspective, the US interstate highway system is valued at only $742 billion and the entire U.S. electrical grid is valued at only $1.5 - 2 trillion. So, in a world where open source has become one of the most valuable pieces of infrastructure we have, why is open source health and security still not a solved problem? In the wake of the recent xz utils hack, where an unpaid and underappreciated open source maintainer was taken advantage of by an extremely sophisticated hacker, Luis Villa will use this opening talk to make the case that our current way of “fixing” open source health and security is simply not working, and that we need to explore new ideas that match the value of what we’ve created. We’ll surface some of the best ideas we’ve heard through the course of the day.
Luis Villa
Co-founder and Upstream host
Tidelift
Fireside chat: The value of open source software
11:20 AM - 11:50 AM EDT
×

Fireside chat: The value of open source software

“How much is open source worth?” is an age-old question. Thanks to new work from professors at Harvard and University of Toronto, it is also a question with a new, creative, and important answer. In this fireside chat, Luis Villa sits down with Frank Nagle, assistant professor in the Strategy Unit at Harvard Business School, to discuss the recent paper called The Value of Open Source Software that Frank co-authored. This paper concluded that open source is worth $8.8 trillion dollars.
Frank Nagle
Assistant professor
Harvard Business School
Luis Villa
Co-founder and Upstream host
Tidelift
Patch management needs a revolution
11:50 AM - 12:35 PM EDT
×

Patch management needs a revolution

One of the biggest concerns with modern patch management is that we haven’t truly challenged our thinking around “patching everything” in 40 years. Yet available evidence shows that most vulnerabilities do not and will not ever see exploitation. In this conversation with Tidelift CEO and co-founder Donald Fischer, Red Hat VP of Product Security Vincent Danen will challenge some of the common perceptions about open source software security. By changing how we think about open source security from an exercise in creating “vulnerability-free” software (a compliance-driven exercise) to one where the purpose is minimizing the potential or severity of a breach (a risk-driven exercise), we may actually reduce our security costs and improve our outcomes at the same time.
Vincent Danen
Vice president, Red Hat Product Security
Red Hat
Donald Fischer
CEO + co-founder
Tidelift
Panel: Life after the xz utils backdoor hack
12:35 PM - 1:20 PM EDT
×

Panel: Life after the xz utils backdoor hack

In late March, we all dealt with yet another attack on a popular open source project; this time, in the Linux-level package used for file compression called xz utils. What was most sinister about this attack, though, was how deeply it impacted trust within the open source community. The attacker spent years engineering multiple sock puppet accounts to gain the trust of the volunteer xz utils maintainer. In this panel moderated by Tidelift VP of product Lauren Hanford, we’ll talk to Josh Bressers of Anchore; Jordan Harband, prolific Javascript maintainer; Rachel Stephens from RedMonk; and Terrence Fischer from Boeing to get a diverse mix of perspectives on how this changes the landscape of open source software supply chain security.
Lauren Hanford
VP of product
Tidelift
Rachel Stephens
Senior industry analyst
RedMonk
Shaun Martin
IT and security management consulting principal
BlackIce
Josh Bressers
VP of Security
Anchore
Jordan Harband
Principal open source architect
HeroDevs
Terrence Fletcher
Product security engineer
Boeing
Secure by design: a proactive approach to open source health and security
1:35 PM - 2:15 PM EDT
×

Secure by design: a proactive approach to open source health and security

In this session two of CISA’s leading security experts will share more about the industry-wide effort they are leading to make security a core business requirement in products versus an aftermarket technical feature. They’ll share historical analogies of where this design-first approach has had real impact in other industries, and they’ll cover how they are working directly with industry leaders and the open source community to proactively improve practices in ways that will lead to the security outcomes we need.
Donald Fischer
CEO + co-founder
Tidelift
Jack Cable
Senior Technical Advisor
Cybersecurity and Infrastructure Security Agency
Aeva Black
Section Chief, Open Source Security
Cybersecurity and Infrastructure Security Agency
Fireside chat: How a large Canadian telecommunications organization built an OSPO
2:15 PM - 2:35 PM EDT
×

Fireside chat: How a large Canadian telecommunications organization built an OSPO

When this Canadian telecommunications’ corporate security team came up with directives and policies, they realized that many of these security directives were around open source—and there was no shared foundation in IT on how to follow them. There was no support, tooling, guidance around licensing. This was back in 2019, long before Log4Shell shook the world. This telecommunications company knew that they wanted to leverage the strategic advantages of open source to compete in the telecom market, so they decided to build a process around open source internally, and the OSPO was created. In this fireside chat, Tidelift VP of product Lauren Hanford sits down with Aisha Gautreau, who leads the OPSO at this large Canadian telecommunications company, to hear about the journey of this nascent OSPO and what advantages they have leveraged so far.
Lauren Hanford
VP of product
Tidelift
Aisha Gautreau
Senior Specialist - Cyber Security - OSPO Leader
Government carrot, government stick: Exploring two contrasting approaches to improving open source security
2:35 PM - 3:15 PM EDT
×

Government carrot, government stick: Exploring two contrasting approaches to improving open source security

Governments are starting to believe that their traditional hands-off approach to open source no longer makes sense. But what then? Europe is providing examples of both “carrot” and “stick”: providing incentives to people and organizations to do more security work (i.e. the carrot) or penalizing them for not doing the work or after security incidents happen (i.e. the stick). In this fireside chat, Tidelift co-founder and general counsel Luis Villa sits down with Fiona Krakenbürger from the Sovereign Tech Fund and Mirko Böhm from the Linux Foundation Europe to discuss the impending CRA legislation in the EU (the biggest government stick to date) and the Sovereign Tech Fund’s “carrot” approach to funding open security.
Mirko Boehm
Senior director, community development
The Linux Foundation
Luis Villa
Co-founder and Upstream host
Tidelift
Fiona Krakenbürger
CTO & Co-Founder
Sovereign Tech Fund
How can we get CVEs out of GitHub Issues?
3:35 PM - 4:00 PM EDT
×

How can we get CVEs out of GitHub Issues?

In this session I'll give an overview of what the problem is with submitting CVEs to GitHub issues—why it's frustrating for compliance teams and maintainers both. I'll cover the nature of vulnerability scanners and compliance requirements that make security teams submit numerous unvalidated vulnerabilities upstream. I'll also talk about why these reports drive maintainers crazy, and the current standards are unrealistic. I'll then highlight how the solution to this problem comes from both sides: clearer maintainer security policies and better understanding of what compliance requirements actually are. I'll talk about why Argo's security policy is a great starting place, and that vulnerability scanners need to focus on upstream direct dependencies instead of the endless transitive dependency pain.
James Berthoty
CEO / Security Engineer
Latio Tech / PagerDuty
Panel: New approaches to open source security and resilience from the financial services industry
4:00 PM - 4:50 PM EDT
×

Panel: New approaches to open source security and resilience from the financial services industry

For obvious reasons, the financial services industry has been a leader in embracing new approaches to ensuring the security and resilience of the open source software we all depend on. In this panel we'll learn what a few top experts are doing within their organizations to harden their defenses and invest in the open source they depend on, while sharing advice and strategies that all organizations can take back to inform their own work.
Tosha Ellison
Strategic advisor
FINOS
Gabriele Columbro
Executive director
FINOS
Donald Fischer
CEO + co-founder
Tidelift
John Mark Walker
Director, Open source program office
Fannie Mae
How to Make Your Open Source Project Popular
4:00 PM - 4:20 PM EDT
×

How to Make Your Open Source Project Popular

This talk summarizes my 15 years making open source tools. Some of them have become popular (PostCSS, Autoprefixer, and Nano ID have more than 60M downloads per month) but most projects did not (but their fails taught me more than the successful projects). The talk is not about the dark patterns, but about the things which many maintainers forget: about the users and the fact, that users don’t have enough time: — Why open source dream is a lie? — What are good and bad reasons to create an open source project? — How to write docs readable (even for users who have a hard-working day)? — What to do if you are not a native English speaker? — How to deal with hate? — A few tricks to reduce burnout a little.
Andrey Sitnik
Front-end principal
Evil Martians
Panel: State of the open source maintainer in 2024
4:50 PM - 5:40 PM EDT
×

Panel: State of the open source maintainer in 2024

What's it like to be an open source maintainer in 2024? In an annual Upstream tradition, we sit down with a group of maintainers to hear directly from them to find out. This year's panel includes Valeri Karpov from Mongoose, Irina Nazarova of Evil Martians, Tatu Saloranta of jackson-databind, and Wesley Beary, who maintains popular Ruby projects fog and excon. We'll ask them about how the recent xz utils hack made them feel, how community and project health looks from their perspectives, ways enterprise users and organizations can help maintainers, and much more!
Kanish Sharma
Product marketing
Tidelift
Tatu Saloranta
Maintainer
jackson-databind
Wesley Beary
Founding engineer and maintainer
Rubygems fog and excon projects
Irina Nazarova
CEO
Evil Martians
Amy Hays
Upstream chair
Tidelift
Valeri Karpov
Maintainer
Mongoose