A cinephile, there's nothing I like more than going to the movies (preferably with others!) and eat some popcorn. I can watch just about anything, from superhero flicks to period dramas to slapstick comedy. Some of the best movies I've ever watched are so bad... but so, so good.
Professionally... let's just say I've been around. Started off as a structural engineer, but soon migrated to developing software for engineers for a while. After a hiatus doing an MBA, went on to work in the financial industry doing data science. Looking to make more of an impact, I went off to work with...
GOSST was created in response to the increasing supply-chain attacks on projects that consume open-source code. It works along with the Linux Foundation's Open Source Security Foundation (OpenSSF) to improve the security of the open-source ecosystem. GOSST and the OpenSSF develop solutions to make open-source software safer at scale. See here for info on Google's open-source initiatives.
I'm part of a GOSST sub-team responsible for working hand-in-hand with the open-source community. We focus on helping individual critical projects increase their security. Our goals are to:
- develop specific approaches for each project;
- suggest solutions or enhancements that fit the project's needs and don't overburden maintainers;
- talk with maintainers about our suggestion or about any other solutions they might prefer;
- implement the changes and submit them as PRs;
- collect all feedback to be shared with the rest of GOSST and the OpenSSF.
See below some of the tools developed by GOSST and the OpenSSF:
- Scorecard: automated checks to evaluate a project's security practices and suggest improvements as needed;
- SLSA (pronounced "salsa"): a standard and protocol to ensure an artifact's provenance, guaranteeing it comes from the expected location and process. This aims to prevent tampering and improve the integrity of infrastructure and consumed packages;
- Sigstore: keyless signing and verification of artifacts;
- OSS-FUZZ: automated fuzzing at scale;
- OSV: a human- and machine-readable database of vulnerabilities that maps affected software versions across open source ecosystems;
- GUAC: graph database of security metadata (in development).