CypherCon 2024

Open source security is bigger than you can imagine

Josh Bressers


Did you know the VAST majority of open source projects have one maintainer? And nearly every open source project depends on at least one single maintainer project? We can’t use old ways of managing risk and vulnerabilities to solve today’s open source problems. To borrow a concept from game theory, open source is an infinite game. It has no end, we cannot win, we can only play. Yet many of our ideas focus on an end state.

The size of the open source landscape is bigger than we can imagine. Collectively we have seen unimaginable growth over the last decade. The risk associated with our open source, especially open source vulnerabilities, has been top of mind for the last few years. But we are woefully uninformed about how big open source really is.

The size of ecosystems is growing exponentially, our use of open source is growing faster than we can track it. There’s work happening in the OpenSSF community, but we need more. In this session, Josh Bressers will demonstrate the size of the problem using data to help attendees grasp its magnitude. If we don’t first understand the size of the problem, we can’t create realistic solutions.

Josh Bressers

How big is open source?!

Josh Bressers is the Vice President of Security at Anchore. Josh has helped build and manage product security teams for open source projects as well as several organizations. Josh co-chairs the SBOM Everywhere OpenSSF SIG and co-hosts the Open Source Security Podcast and the Hacker History Podcast. He also is the co-founder of the Global Security Database project to bring vulnerability identification into the modern age.