By Aaron Blume, Andres Orbe, Glenda Garcia, and Saumya Navani
Introduction to the Mentorship Program
The Alpha-Omega Mentorship Program connects Senior Software Security Engineers for the Alpha-Omega OpenSSF project with newcomers to open source, software development, and security research. Guided by experienced mentors, the program provides entry-level contributors with the opportunity to help accelerate Omega’s mission in the Alpha-Omega project. Participants in the mentorship program gain unprecedented access to experts within our community while they explore software development, security research, and learn to take an active role in open-source collaboration. Meanwhile, mentors in the program are given the opportunity to take a leading role in building an inclusive and growing project community. We hope this blog unveils some insights and achievements from the graduates of our most recent mentor program, and further inspires others to get involved with the Alpha-Omega project.
Discovering the Mentorship Experience
Taking Chances: Aaron’s Journey
I discovered this mentorship program through a friend who suggested I might be a good fit for it. Given my growing interest in security, he led me to discover OpenSSF, and from there, I learned more about this mentorship opportunity. I read through the requirements and program details, and I was immediately intrigued and knew this would be an excellent learning experience for me. As my first mentorship and dedicated contribution to open-source software, I had nothing to compare it to. I definitely anticipated the potential for a steep learning curve and the opportunity to gain a lot of practical experience in software development. Unsurprisingly, both turned out to be true.
Nonetheless, by having a mentor and several others whom I could turn to for advice, I found myself learning more about the codebase and improving my development skills every day.
Expedition into the Unknowns of Security, Andres
With graduation coming nearer every passing day, I anticipated that I would miss doing all the security ‘chicanery’ that I was growing accustomed to at university. So, I decided that I wanted to explore and find groups focusing on security that could help me grow and help me keep an ear to the streets. At that time, I had one glaring question: how can we harden or audit the security posture of open source software or packages? Luckily, I wasn’t the first to think about this question; OpenSSF had some answers. I would hop from class or club meetings to online OpenSSF meetings, learning about supply-chain security, vulnerability disclosures, best practices, etc. After a couple of weeks of attending some meetings, I heard that the Alpha-Omega team was looking for mentees as part of their mentorship program. Wanting to dive further into the unknown, I jumped at the opportunity. As luck would have it, I would be selected as a mentee, and I currently work on beefing up the capabilities of the omega analyzer.
Glenda: Embracing Opportunities
I discovered the mentorship through a compelling LinkedIn post shared by one of the mentors. Intrigued by the program’s description, I eagerly applied, especially since I was just about to graduate, seeing it as the perfect opportunity to gain practical work experience, enhance my skills, and delve into the world of open-source code. What fascinated me the most was the chance to work with experienced professionals who offered guidance, support, and a wealth of knowledge from technical skills to career growth. The interview process was smooth and comfortable, and I received the exciting news of being accepted as a Security Engineer mentee a few days later. The mentors’ approachability and the seamless selection process reaffirmed my decision to participate in this mentorship program, making it a rewarding and enriching journey from start to finish.
Saumya: Cooking up Security Fixes
I heard about the Open Source Security Foundation through one of my professors at Purdue, and had been wanting to contribute to open source software in the software security/supply-chain areas. One day, Yesenia (one of our mentors) posted about this mentorship in the Slack channel for OpenSSF, and I thought it was the perfect opportunity for me to gain practical experience in software development and get started with open-source software. One of the most enticing aspects of this mentorship was the ability to work with experienced professionals like Jonathan and Yesenia, as well as gain a deeper understanding of software security in production. The interview process was extremely smooth, and I was able to make it through as a Security Research mentee. I anticipated a learning curve while getting acquainted with OpenRewrite and automating security fixes, partially because I did not have much experience with Java, but Jonathan took the time to ensure that I would improve in that aspect and be able to make meaningful contributions to the open-source security effort.
Individual Tasks
Omega Analyzer: Andres
The Omega Analyzer is a docker container (more a series of programs all being orchestrated in harmony with each other) that takes an open source package and runs 20+ security tools to see if it can identify anything malicious, then outputting results into one SARIF file (think of a SARIF file as an executive summary). The objective is to flesh out the analyzer capabilities, i.e, uploading to the triage portal (check Glenda’s section for more about the portal), designing and implementing strategies/systems on bulk and cadence scanning, increasing the variety of packages, making it easier to use and automate the boring stuff, etc. To tackle the challenges, I decided to take more of a lean startup methodology approach by trying to meet with stakeholders in the community to see what other capabilities might be useful to fully understand what the analyzer should be able to accomplish by the end of the mentorship. Most recent changes to the analyzer can be found here!
Omega Triage Portal: Glenda
The Omega Triage Portal is a web-application that plays a pivotal role in managing automated vulnerability reports. It is a crucial space for trusted security researchers to review tool findings from the Omega Analyzer and perform relevant actions to run automated fix campaigns. The primary objective of this project is to establish a functionality that supports the seamless upload of a single SARIF file via an API Endpoint. The current file upload approach requires manual intervention to process and store the SARIF file data, leading to inefficiencies and potential delays in the vulnerability management process (Link of demo before implementation). The proposed solution involves implementing an API Endpoint using GraphQL with Graphene and Django. This will enable seamless data transfer between the Omega Analyzer and the Triage Portal, ensuring secure and trusted submissions through user authentication and authorization mechanisms.
Multi-file Data Flow Analysis: Aaron
In the Alpha-Omega Mentorship program, my end goal was to add support for multi-file data flow analysis in OpenRewrite. There were many stepping stones along the way, including researching and understanding the codebase and CodeQL; expanding taint flow analysis for method arguments; integrating specially-made nodes for data flow; enhancing these nodes to support parameters; adding new traits inspired from CodeQL’s logic; and enabling multi-method and multi-file data flow analysis in OpenRewrite. By working towards the end goal of multi-file data flow analysis, I learned about taint flow integration in OpenRewrite, the one-to-one relationship between OpenRewrite and CodeQL, how data flow and control flow are used together, and ultimately good practices for writing long-lasting and maintainable code. With all of this new knowledge, I was able to improve my skills in reading and understanding code as well as visualizing different concepts and patterns in data flow!
XML XXE Vulnerability Recipe: Saumya
In the mentorship program, my focus was crafting a recipe to improve the handling of XML XXE Vulnerabilities in open-source repositories. Implementing fixes for vulnerabilities at scale is a challenge most open-source developers face, and OpenRewrite’s recipes provide the framework to do exactly that. These recipes are sets of instructions that define code transformations, allowing for automation, consistency, and customization in code refactoring. My work involved working with the XML Parser XXE Vulnerability Recipe to create custom ‘allow-lists’ to resolve any external entities or Doctype Declarations in the XML document. This allows OpenRewrite to successfully walk the thin line between security and functionality, leading to secure, robust code generation capabilities. Furthermore, it addressed a significant security concern (XXE is part of the OWASP Top 10) and allowed me to get involved with open source software and learn more about software security practices in the industry.
Words of Wisdom for Future Mentees
As we reflect on our mentorship journey, we have gathered valuable advice and learned insightful lessons that we would like to share with future mentees who may embark on a similar program. Here are some key insights and recommendations:
Glenda’s Tip: Embrace a growth mindset by approaching the mentorship program with an open mind and a willingness to learn.
Be receptive to feedback and view challenges as opportunities for growth. Actively seek guidance by not hesitating to ask questions and seek valuable insights from your mentor, engaging in meaningful discussions, and leveraging their experiences to enhance your own learning. Finally, reflect and document your journey by regularly documenting your progress, key learnings, achievements, and challenges. This documentation will serve as a valuable resource for personal reflection and future reference, enhancing the overall mentorship experience.
Andres’s Tip: “Premature Optimization is the root of all evil” – Donald Knuth.
Upon losing 38+ hours worth of work, I decided then and there to design with resilience in mind. In an attempt to architect a program that was slightly optimized to be faster, I decided to omit saving critical files to a shortlist until after all the packages completed their execution. An error within the volume during the mounting of the container was enough to wipe all the data that had been generated. With new resilience mechanisms, I would have still lost the results, but the critical files would have been saved to a shortlist (and would have saved me from the pain of that massive blunder.)
Aaron’s Tip: In all honesty, if an opportunity interests you, then jump on it. Don’t let it slip away even if you do not think you have every qualification for it.
I started this program with limited-to-no experience with abstract syntax trees, yet I wanted to partake in this mentorship, because I had an excellent experience in a formal languages class that I took in college. I knew that this position would be perfectly suited to my interests, despite being relatively new to the concept. So, as I said before, if something interests you, apply yourself to dive deeper into that interest and you might end up finding a new opportunity or people to guide you throughout your journey.
Saumya’s Tip: “Red, Green, Refactor.” Open-source code can take a long time to understand and work on, but there is a trick to ‘fast-track’ the onboarding process.
I started this program with next to no experience in open source development and initially found it difficult to start working on my implementation without spending hours trying to understand how recipes in OpenRewrite worked. This is when my mentor, Jonathan, introduced me to the concept of Test Driven Development’s three essential phases: Red, Green, Refactor. Simply put, this method starts with writing test cases that we know will fail, then adding the least amount of functionality to make these unit tests pass. The last step would be to refactor this implementation and build in more complex functionality. This allowed me to understand exactly how the recipe worked and become comfortable with the codebase. Thus, Red, Green, Refactor was definitely one of the most helpful tips I could have gotten during this mentorship.
About the Linux Foundation Mentorship Program
If you are interested in being a mentee for an open source project, check out the The Linux Foundation Mentorship Program for open and upcoming applications for open source mentorships.
