Keeping Open Source Software Secure with Eddie Zaneski

This week on, Defense Unicorns Podcast we welcome Eddie Zaneski, the tech lead for open source here at Defense Unicorns, who takes us through his fascinating career journey from aspiring math teacher to a key player in the tech industry. Eddie shares his experiences transitioning into computer science, his passion for developer relations, and his significant contributions to the Kubernetes project. We dive into the evolution of software deployment, from bare metal servers to virtual machines and containers, and how Kubernetes has become essential in managing large-scale containerized applications. Eddie also reflects on his time at DigitalOcean, Amazon, and ChainGuard, highlighting his work on software supply chain security projects like Protobomb and Sigstore.

Our conversation then turns to the security of open-source communities, challenging the misconception that open-source software is less secure than its closed-source counterparts. Eddie discusses the advantages of transparency in open source, using the XZ library's recent security breach as a case study to emphasize the importance of trust and identity verification. We also explore the potential for similar vulnerabilities in closed-source projects and the growing importance of supply chain security measures, including building integrity and software bills of materials (SBOM). The episode concludes with a thought-provoking discussion on the benefits of transparency in open source and whether proprietary software incidents would be as openly shared or understood.

Eddie shares his enthusiasm for leveraging government funding to support open-source projects. He expresses his excitement about engaging with soldiers, airmen, and guardians to understand their challenges and explore open-source solutions. We also touch on innovative tools for air-gapped environments, like Zarf, and their applications across various industries. Listen in as Eddie recounts his experiences at Bravo hackathons, the unique challenges faced by developers in constrained environments, and offers valuable career advice for those passionate about open source and software development.

Key Quote

“There's lots of misconceptions and I'm sure you and I can talk about all of them. One of the big ones is, just. It's less secure, right? that's a massive myth. Open source security is less secure because all the code is in the open and everyone can go find the holes and generally quite the opposite actually, because the code is in the open, everyone can do their own audits and everyone can see what's happening under the covers of the magic box that you usually can't peer into with proprietary software. We have entire teams of like security. So the Kubernetes project is divided up into special interest groups or SIGs. So we have SIGs for security, we have a product security council and committee that is the incident response people for when there is a new CVE or a bug found, and all sorts of different types of things that are just tailored around security.”

-Eddie Zaneski

Time Stamps:

(00:02) Kubernetes and Open Source Evolution

(08:17) Security in Open Source Communities

(20:43) Software Bill of Materials for Cybersecurity

(24:04) Exploring Defense Unicorns and Open Source

(31:43) Navigating Careers in Open Source

(42:25) Breaking Barriers in Defense Innovation

(46:42) Collaborating for Defense Open Source

Links

Connect with Eddie