Open at Intel open.intel

In this episode, we dive deep into the concept of attestation as it relates to building trust in our software and systems. 
Marcela Melara and Vinnie Scarlata take us on a technical tour of both software and remote attestation and how these relate to ideas we've covered previously with software supply chain security and confidential computing. We talk trust and integrity, standards and projects, and share some best practices.
 
Guests:


Dr. Marcela Melara is a research scientist in the Security and Privacy Group at Intel Labs. Her current work focuses on developing solutions for high-integrity software supply chains and building trustworthy distributed systems. She has several publications and patents filed related to her research, and leads a number of internal, academic and open-source efforts on software supply chain security. Prior to joining Intel, she received her PhD in Computer Science from Princeton University and did her undergraduate studies at Hobart and William Smith Colleges. She is a Siebel Scholar, a member of Phi Beta Kappa, and her research on CONIKS was awarded the Caspar Bowden PET Award. Outside of work, Marcela is an avid gardener, bookworm, hiker, and gamer.



Vinnie Scarlata is a Principal Engineer in the Security & Privacy Research lab in Intel Labs. He is one of the architects for Intel® Software Guard Extensions and Trust Domain Extensions, and has 20+ years of research experience in various areas of security, e.g. Trusted Computing, Trusted Execution Environments (TEE), Attestation, Recoverable Platforms, Runtime Integrity, and Key Management. He has been granted 50+ patents and co-authored several papers. Vinnie received a MS in Information Security from Georgia Tech and a BS in Computer Science from the University of Massachusetts, Amherst.

Evaluating security risk associated with open source software projects can be a complex or even daunting task, but an Open Source Security Foundation project called OpenSSF Scorecard helps put some order and automation into the process.
In this episode, we chat with one of OpenSSF Scorecard's contributors, Brian Russell of Google, and Ryan Ware, Director of Open Source Security at Intel, about the problems Scorecard addresses, and how it might help improve the experience of developers and consumers of open source software. We'll take a deep dive into the automated security checks, how to use the data, and how to include Scorecards in a workflow.
Links
SCaLE 20x presentation: How do you trust your open source software?
Guests:


Brian Russell is a Product Manager on Google’s Open Source Security Team. He focuses on software supply chain security and is actively involved in the OpenSSF Scorecards project. In his spare time, Brian enjoys 3D printing and Atari video game programming.



Ryan Ware recently returned to Intel to focus on Open Source Software (OSS) security.  He is currently helping drive Intel’s efforts in the Open Source Security Foundation (OpenSSF). Ryan is an industry veteran who has always worked at the intersection of open source software and security, be it implementing security features in open source software stacks, using open source software to find security vulnerabilities in software and hardware, or helping teams utilize OSS in a secure way.

In this episode, we discuss best practices for evaluating and consuming open source software with Ryan Ware, director of open source security at Intel. Ryan will share his wisdom earned over decades working with open source software security.
Guest:


Ryan Ware recently returned to Intel to focus on Open Source Software (OSS) security.  He is currently helping drive Intel’s efforts in the Open Source Security Foundation (OpenSSF). Ryan is an industry veteran who has always worked at the intersection of open source software and security, be it implementing security features in open source software stacks, using open source software to find security vulnerabilities in software and hardware, or helping teams utilize OSS in a secure way.

This episode explores an open source software vulnerability scanner called CVE Binary Tool, which scans binaries and component lists in your project and reports back known vulnerabilities based on data from NIST’s National Vulnerability Database (NVD) list of Common Vulnerabilities and Exposures (CVEs).
My guest is Dr. Terry Oda, a security researcher at Intel and the lead maintainer of CVE Binary Tool, and co-host Chris Norman, Intel Open Source Evangelist joins us to explore the inner workings of the project and discuss contribution, community and the importance of developer-focused initiatives like Google Summer of Code.
Guest:


Terri Oda has a PhD in horribleness, assuming we can all agree that web security is kind of horrible.   She specializes in saying “no” and explaining things in varied roles as an open source security professional, a parent, and the volunteer coordinator of a summer mentoring program for Python.

This episode continues our confidential computing conversation from our previous episode. Mona Vij, principal engineer at Intel Labs, leads Intel's efforts on the Gramine project, which is a library OS that allows for running unmodified applications and, among other things, solves the problem of running applications out-of-the-box on Intel SGX-enabled hardware. We'll dive into Gramine, a Confidential Computing Consortium Project and discuss easing the path to running in a trusted execution environment.
Guest:


 Mona Vij is a Principal Engineer and Cloud and Data Center Security Research Manager at Intel Labs, where she focuses on Scalable Confidential Computing for end-to-end Cloud to Edge security. Mona received her Master’s degree in Computer Science from University of Delhi, India.
Mona leads the research engagements on Trusted execution with a number of universities. Her research has been featured in journals and conferences including USNIX OSDI, USENIX ATC and ACM ASPLOS, among others. Mona's research interests primarily include trusted computing, virtualization, device drivers and operating systems.

Dan Middleton, a principal engineer at Intel, and Dave Thaler, a software architect at Microsoft, share their work with Confidential Computing and their efforts to further this technology via the Confidential Computing Consortium. Learn about confidential computing, the problems it solves, and how you can get involved.