Navigating the Intersection of Open Source, AI, and Cybersecurity in Business with Paula Paul

In this podcast episode, host Dave Sobel interviews Paula Paul, the founder and distinguished engineer at Grayshore, about the importance of open source in businesses. Paula emphasizes that open source is already deeply integrated into most commercial applications, with the vast majority of software relying on open-source libraries. She highlights the need for businesses to effectively manage and secure their open-source dependencies, especially in light of recent instances where open-source projects have been used as a vector for social-engineering attacks.

Paula discusses the challenges faced by organizations in managing dependencies on open-source packages, which have significantly increased in complexity over the years. She advises businesses to become more aware of the open-source packages they rely on and to prioritize securing customer-facing assets. Paula also recommends getting involved with organizations like the OpenJS Foundation and leveraging services from companies like Tidelift and HeroDevs to support and secure open-source dependencies.

The conversation delves into the risks and benefits of using open-source software, highlighting the potential for social engineering attacks and licensing issues. Paula argues that the open-source model offers more agility and community support compared to closed-source solutions but also stresses the importance of contributing back to the open-source ecosystem. She encourages businesses to support the preservation of open source as a valuable natural resource and to align their missions with the values of the open-source community.

As the discussion turns to the intersection of AI and open source, Paula sees opportunities for leveraging AI tools to enhance open-source projects, particularly in areas like code analysis and testing. She suggests that service organizations looking to engage with open source should explore projects within foundations like the OpenJS Foundation, FINOS, and CNCF. Paula emphasizes the importance of human expertise in cybersecurity and the need for continuous monitoring and rapid response in today's threat landscape.

Supported by:

https://getinsync.ca/mspradio/

https://www.huntress.com/mspradio/


[00:00:00] How can we leverage open source? And how do we tell our customers that they need to care about it? Paula Paul is the founder and distinguished engineer at Grayshore, a team of experienced and talented technologists who help organizations adopt cloud-native technologies to deliver

[00:00:17] products and platforms more efficiently. She also serves on the board of the OpenJS Foundation, an organization that promotes widespread adoption and continued development of deep JavaScript technologies. She joins me on this bonus episode of Business in Tech.

[00:00:36] Are you ready to spot opportunities by aligning IT with your clients' business strategies? Get in Sync equips MSPs and IT professionals with the tools, methods, and training to deeply understand client strategies, ensuring IT investments directly support key business

[00:00:53] objectives for tangible outcomes. With Get in Sync, you gain critical insights that empower decisive actions, enhancing your competitive offering. This solidifies your role as a trusted advisor and supports your clients' strategic needs, bringing greater success.

[00:01:09] Test your readiness to become a certified Get in Sync trusted business advisor with our free online assessment. Accept the challenge to discover if you have what it takes to become an indispensable strategic partner for your clients.

[00:01:24] Begin your journey with Get in Sync. Visit getinsync.ca slash MSPradio to learn more. Well, Paula, thanks for joining me today. It's nice to be here. Thank you for having me. Now, I'm going to dive right in because when your team approached me, they sort of pitched

[00:01:43] the idea of why businesses need open source. And I figured let's just start there. What are the main reasons why people at the business level and business owners should be thinking about open source in their business?

[00:01:58] That's a great question. And I would say that horse is out of the barn because for any given commercial web application or application, 90% of it is built on top of open-source libraries. There's a famous XKCD cartoon that shows up at every open-source conference. That's the

[00:02:17] big Jenga of huge boulders and blocks and a little tiny toothpick of some guy in Nebraska maintaining the open-source library that holds the rest of it up. So you already need open-source. You may not be leveraging it effectively or securing it effectively.

[00:02:32] So let's dive into that a little bit. Let's put on our caps right now of being the end user organization that's thinking about that. Why is this something that needs to be of concern to them as just the consumer of software? Shouldn't they just consume good software?

[00:02:49] Yeah. And that is the key, the good software. In the past five years, if you looked at any given software product or application, you might've had 500 dependencies. And now if you look at those package dependencies, it's into the thousands. So it's very tricky to

[00:03:07] manage the dependencies on an open-source package that itself has many, many dependencies. And who knows where those dependencies came from? I would say people are really starting to come around to this topic lately with some of the open-source as an attack vector for social

[00:03:26] engineering. So there are new ways people are looking at all those dependencies on open-source software, either leveraging it to get more money from people who depend on it or as attack vectors. Now, if I'm a typical small business owner, what I'm going to immediately then do is I'm

[00:03:44] going to turn to my IT services provider or my managed service provider and I'm going to go, Hey, this is your problem. Make recommendations for me of good software. So what are you advising those technical organizations? What do they need to be doing then to manage this?

[00:03:59] Yep. I would not have palpitations over it because you've been operating this way for a long time. You may not have realized the depth of the dependencies, but get involved with an organization that stewards the open-source that you're most dependent on for your customer

[00:04:18] facing assets, which largely JavaScript websites, it's your customer facing assets. The OpenJS Foundation is a great start. I served before there. There's all sorts of organizations, Tidelift, HeroDevs that have a services business around helping people support and secure their

[00:04:41] open-source dependencies. And I would say learn more about those organizations. So tease a little bit then. What are two of the first things people learn when they reach out to things that they need to be doing better at?

[00:04:58] Just understanding the packages that you depend on today. It's awareness. I have a little talk about the Zen of open-source and these phases of enlightenment. And the first step is just awareness. And I wouldn't go crazy and hunt down every package throughout your organization,

[00:05:17] but do a little threat modeling. What are the customer facing sites that you really want to make sure are in good shape? There's a nice campaign from the OpenJS Foundation called Healthy Web and it's healthyweb.org. You can plug in any website and it'll say, you know what,

[00:05:36] your jQuery is out of date and that's a concern. You might want to update that. So I would just say start in a particular direction. Customer facing websites is great. And then learn more about how people are shoring up their defenses on those assets.

[00:05:54] Now this sounds thematically like very much like what we talk about generally in security, right? The advice you've given right now is generally the good stuff. Know what you're running, manage it. What makes open-source different?

[00:06:09] That is a great question. And it goes back to the Jenga diagram and the guy in Nebraska maintaining that one library. I would say most recently in the last few years, I've wondered

[00:06:22] who is looking at that cartoon and saying, you know that guy in Nebraska, he's an attack vector for social engineering. And we had recent instances of people doing social engineering on open-source contributors. They're doing this largely out of their own time and because of

[00:06:41] their passion for tech and social engineering is getting in and saying, you know, I want to be a contributor as well. And then you get malicious code contributed to open-source libraries. So that's one way maybe the darker side of the force is looking at that Jenga diagram.

[00:06:59] And then the other side is saying, oh, that's an open-source license that if I, as a large corporation can somehow control, I could change licensing and maybe squeeze some more revenue out of people who depend on that because there are already so many dependencies on

[00:07:16] it. Those are two areas of open-source that now I feel are a little more concerning as people looking at it for gain versus community and contribution. Well, so it literally led to my next question because the promise of open-source has always

[00:07:37] been, oh, there's this massive community of developers and they're going to all work on your problem and light will shine on security instance. But then the flip side is most open-source projects are one guy, girl, person maintaining toiling for no money.

[00:07:55] And there would be a solid business argument of that's a pretty big risk and I can't hold an organization accountable for that. Thus, I shouldn't use open-source. Give me the counter argument there when looking at this saying like, well,

[00:08:14] this seems like a really risky play. What's the counter argument? I would say the only reason that the recent social engineering attack was uncovered was specifically because it was an open-source project. Whereas let's just say that that

[00:08:29] particular body of code was owned by a large player and I won't name names. But that could have been introduced by someone working internally in that organization doing social engineering or getting on the team or just having personal issues. And it might've taken years before

[00:08:51] a closed-source contribution was uncovered and dealt with the way that a lot of organizations work. If you use commercial software, you often pay say 20% or 18% a year in maintenance fees.

[00:09:05] And that does not give you any say over how those funds are applied to the problems that matter to you. You might wait for years for a bug to be fixed. Whereas with open-source, you could go

[00:09:18] to like a HeroDevs or an organization that specializes in open-source contribution services, service industry, and say, I really need to have this fixed. Here's some money, go do it. And I think that the open-source model is more robust because it uses the community network

[00:09:40] rather than a scale up corporation that has to grow, grow, grow in order to address every bug. But doesn't it also allow an organization to just use it and never contribute? And we see

[00:09:54] a lot of that. So the counter argument also is that there is just a group of organizations that build on top of it, get all the benefits, make all the money and are not contributing

[00:10:05] because without that requirement. And at the same time, they are trading some risk there. They don't necessarily get the ability to hold someone accountable for it in the end. How do you

[00:10:18] see that dynamic? I mean, are we at the right balance or does there need to be more, you know, does there need to be a shift here to come more in the middle?

[00:10:27] I think that we need a shift. And if I say we're not talking about software here, let's talk about like natural resources, like forests. If a company harvested all of the forests and they made

[00:10:40] products out of it and sold it, and then we had no forests, people would say there needs to be some balance here. So I do think that the open source ecosystem is a natural resource. It's a people

[00:10:53] driven resource. And it's something that I think we should all be very proud of. And I do think organizations, foundations like the Linux Foundation, the OpenJS Foundation, Finos, which is open source and financial services, do a lot to preserve that natural resource.

[00:11:13] And I would say, you know, get involved. If your company is making a ton of money building on top of open source, and you're not supporting preservation of that natural resource, yeah, maybe I'll say shame on you. Well, it's interesting, but I want to talk

[00:11:31] then a little bit about the motivations because this is one area where I love your comparison, because thinking about it as a natural resource makes a lot of sense. But in order to preserve it, we created the National Park Service and put laws in place to protect it.

[00:11:45] That's, I mean, on their own, private property ownership would consume that space, and it took regulation. But the open source community is saying, well, we have foundations and volunteers and shame are the motivators. I'm curious to say, like, you know, how do you

[00:12:06] balance that difference in the messaging to corporate players who don't have to do anything else? Yeah, I would say at the end of the day, I know we're not going to get into AI. At the end

[00:12:20] of the day, software is about people. People write software, they find bugs, they maintain software. And people will not go to work for companies that are not supporting the preservation of natural resources. If, you know, I'm interviewing and I'm a top-notch comp sci grad, sure, companies can

[00:12:45] throw money at me, but I'm seeing more and more people that are mission aligned. And I do think that this makes a difference in a company, that if you can hire good people and you have a mission,

[00:12:59] you know, Red Hat recently said they want to become the best open source company. And I think that attracting talent, retaining talent, people won't stay at a company if they're not given the opportunity to work on something that's interesting or contribution to an open

[00:13:16] source project that they enjoy. Giving people open source days is like a big thing now, it's a great perk. But I think it's about the people angle. You could always, you know, capitalism, free market,

[00:13:29] I'm all for that. But you can't really win at the end of the day sustainably without people. Gotcha. So what are the best moves for people that are services organizations that are not necessarily the ones that are right? They're not writing code, they're not employing R&D

[00:13:45] developers, they're small to midsize services organizations. What are the best ways that they can both contribute and leverage open source? I have personal stories there because I really care deeply about accessible software, that everybody should be able to use my software,

[00:14:05] whether you have low vision or any other ability that you require accommodation. So I support an open source project called the Accessibility Theme Builder that's part of FINOS, open source and financial services. And I love those people. They're all wonderful people,

[00:14:23] and we're building wonderful software. But it also provides opportunity. So if you're in the services industry, you could say, hey, you know, your website is not WCAG 3 compliant, I can help you with that. So there are services opportunities related to almost any kind of

[00:14:41] open source solution. AI is, you know, ballooning in this area and making sure that we have open and non-biased models. It's another area. I would start by just getting involved with open source foundations that have projects that are interesting in your line of service.

[00:15:06] Now you alluded to it, I'm going to ask, what do you see happening in the collision of AI and open source? You know, we're almost seeing that play out now. Where do you think this is going

[00:15:14] from that collision? Yeah, yeah, I think that is a great question. One of them, you know, the core use cases that are sort of maturing right now are explaining things and summarizing things.

[00:15:27] So you could take a body of legacy code and have an AI help you understand what it's actually doing. You could also explain older open source projects, writing good test cases, some open source

[00:15:43] projects lack in testing. So I do think that there's a real place to leverage AI as a tool. I think it has to be done. I've taken some courses through Google, I really like their AI platform.

[00:15:59] And one of the instructors said that whenever you're getting these results from a model, you still need a human being the expert at the end to make sure that the answer makes sense.

[00:16:12] So I do think that you're still a people business, you're just adding some more sophisticated tools. So Paula, people were looking particularly service organizations to sort of get involved in leveraging open source more effectively, where would you point them to start?

[00:16:27] If you're in the JavaScript ecosystem, come and look at the projects in the OpenJS Foundation. If you're targeting potential customers in financial services, look at FINOS. If you're a DevOps kind of services organization, the Cloud Native Computing Foundation, CNCF. So I wouldn't

[00:16:48] even just take a little tour through the Linux Foundation foundations, there's OpenSSF, which is security, which is hugely important. LF AI & Data, I could name more or just ping me on LinkedIn or something and I'll point you in the right direction. Paula, we learned a lot. Thanks for

[00:17:08] joining me today. Thank you for having me. With as many breaches and security concerns as I report in this show, it should be obvious that cybersecurity is not just about technology, but also the human expertise needed to interpret and respond to complex threats.

[00:17:26] Huntress is focused on elevating SMBs and MSPs around the world. Huntress has a suite of fully managed cybersecurity solutions, powered by a 24x7 human-led SOC dedicated to continuous monitoring, expert investigation and rapid response. And the proof is the execution.

[00:17:46] Huntress is the number one rated EDR for SMBs on G2. Want to know more about the platform? Visit huntress.com slash MSP radio to learn more. The Business of Tech is written and produced by me, Dave Sobel under ethics guidelines,

[00:18:05] posted at businessof.tech. If you like the content, please make sure to hit that like button and follow or subscribe. It's free and easy and the best way to support the show and help us grow.

[00:18:18] You can also check out our Patreon where you can join the Business of Tech community at patreon.com slash MSP radio or buy our Why Do We Care merch at businessof.tech. Finally, if you're interested in advertising on the show, visit mspradio.com slash engage.

[00:18:38] Once again, thanks for listening to me. I will talk to you again on our next episode of the Business of Tech. Part of the MSP radio network.