Security Badging Open-Source Projects

In this episode of ConversingLabs, host Carolynn van Arsdale interviews Kadi McKean, Community Manager at ReversingLabs, to discuss a new initiative aimed at securing the open source software supply chain: the Spectra Assure Community Badge. Read Kadi's blog about the Badge here.

EPISODE TRANSCRIPT

Carolynn van Arsdale: [00:00:00] Hello everybody and welcome to the ConversingLabs podcast. My name is Carolynn van Arsdale. I'm gonna be your host for today. I manage all kinds of content here at ReversingLabs, and today I'm thrilled to welcome onto the show my colleague and friend Kadi McKean. Kadi is a super cool person who is really involved in the developer community,

she's passionate about DevOps, DevSecOps and has worked on the COBOL development stuff and worked at Mainframe [00:01:00] Solutions. In her role currently at ReversingLabs, she collaborates with all kinds of developers in the community, security researchers, to really educate the community about open source and about software supply chain security, and how those two things come together.

Kadi's also not shy when it comes to podcasts. She recently hosted the Wicked Good Development Show and now hosts 10x Insights, a podcast about the future of open source. Kadi, welcome to ConversingLabs. I'm so happy to have you here. 

Kadi McKean: Hey, Carolynn, thank you so much for having me. I'm loving this.

It's a little bit of a different experience for me today with the questions being thrown at me, but I'm ready for it and thanks for having me here. 

Carolynn van Arsdale: Yeah, of course. I'm sure it definitely feels weird to go back and forth. 

Kadi McKean: Yeah. 

Carolynn van Arsdale: Awesome. Yeah. Cool. We're so happy to have you. So Kadi, why don't you just go ahead and tell our listeners a little bit more about yourself and the work that you do at ReversingLabs.

Kadi McKean: Yeah, so that's always a good question. If you had told Kadi when [00:02:00] she was in college, like 15 years ago, that she'd be working in open source, with developers and in the technology space, I probably would've laughed in your face. Just because, I was in school for history and poli sci.

But actually like my first role in technology was working for a company called Micro Focus, where they educated recent college grads on COBOL development and Mainframe solutions. So we're talking about technology that's 70, almost 80 years old now. Um, that is still out there in the wild in a lot of places.

So that was really where I got my first taste of technology, where I really just learned that I love solving the puzzle of how applications work, why they're different, how everything is unique. And so that's what got me started. But honestly, from there I moved into a little bit of an L&D role.

So it was educating sales folks and some technologists about how the product stack worked, especially when it came to a software supply chain security company. So I really got to know the technology inside and [00:03:00] out. And from there, I love teaching, but at the same time, updating spelling, product features, it's only so stimulating for me.

So I actually moved into being like, Hey, I'm an auditory learner and we have the roll up your sleeves and do it exercises, and we also have the visuals, but what about doing a podcast? So I had pitched doing an internal podcast where it was like, let's break down these features of why we do it, and I forget how it actually panned out, but bottom line is they were like, Kadi, that's a great idea. We're gonna let you interview some people in the open source community. Let's talk about the different problems we're all facing, knowledge share, 'cause nobody should keep the secret. And that's actually how I moved into community advocacy.

And part of it was, sitting at a trade show, speaking with some of the DevRel folks and they were like, this stuff forwards and backwards. We dare you to come up with an idea for a talk and 24 hours later I did. You can also check it out on YouTube, but it was coming up with how software supply chain security equated [00:04:00] to my COVID-19 wedding experience.

So, that was how I got started into community and building programs. Fast forward to now, I'm here at ReversingLabs, still with the open source development community 'cause they're just in my heart and soul. And I'm building out an advocacy program here on our Spectra Assure Community.

So, we have this really great free tool that's a really good hidden secret and I don't think it should be. So, my whole job is to be a little agent of change, brand awareness and telling everybody about the richness of this tool. So, there's a bunch of different tools out there that you can be using to look up these different libraries, but nobody really has the strength or the quality of the data that we're making publicly available to folks.

Most people, it's all about vulnerabilities, and you can screen scrape that off NIST or some other databases, but here what we're doing with our research team, is truly remarkable in that we're able to show the malware, [00:05:00] hardening, tampering, licensing scores. And that's something you haven't really seen in the industry because, we're all squawking about CVEs, but if you have malware in there, I think that trumps CVEs, right?

Or vulnerability, so that's what I'm doing here. And we're talking about community and just, making sure people are aware that it's available to use. 

Carolynn van Arsdale: There's so many things I wanna comment on there. The first being, I actually didn't realize how similar you and I are because I, long time ago, if you said to me like, Carolynn, you're gonna work in cybersecurity, I would've looked at you with three heads.

Kadi McKean: Yeah. 

Carolynn van Arsdale: Because I actually studied political science and religion, which is super similar to history. 

Kadi McKean: See? There you go. 

Carolynn van Arsdale: So, no wonder we're such great friends, 

Kadi McKean: Probably.

Carolynn van Arsdale: To comment on everything regarding the current threat landscape and you rightfully point out this heavy focus on vulnerabilities.

I think that what Spectra Assure Community offers, and I'm so excited to have you here today 'cause we're definitely gonna dive more into this open source, free community platform that developers really should be relying [00:06:00] on because why not, given all that rich data. But at ReversingLabs, we have a really talented team of threat researchers that have made some incredible discoveries the past several years, but especially this year, the discoveries that they're seeing on open source platforms like npm, like the Python Package Index, these discoveries are mostly about malware, right? Finding malware on these repositories. And a lot of them are becoming much more sophisticated attacks than we've seen recently. So advocating for this free resource is more important than ever. I think that you're almost a cheerleader, I think is the best way to say it.

Kadi McKean: I think that is, and the funny thing is I did grow up, I got four sisters and I was like a competitive cheerleader my whole life. So I think like my early sporting background and also having that history/poli sci background, you're also a good storyteller. So I think those skills I've gotten along the way have helped make me part of who I am and in my approach to community management in general.[00:07:00] 

Carolynn van Arsdale: Nice. Yeah, that, that sounds totally right to me. So I guess to dive in more into the landscape and before we get into what Spectra Assure Community is and the topic of today's episode, which is security badging open source projects as a way to foster software supply chain security in the open source community.

Before we get into all that, I do wanna set the stage with the current threat landscape. I know we just talked a little bit about it, but can you talk about what some of the most pressing threats are right now to these platforms and to developers? 

Kadi McKean: Yeah, so right now there's a bit of a mix, right? Like for a long time we've talked about people like hijacking packages and things like that.

But now we're starting to see threat actors becoming more and more sophisticated with how they exploit open source platforms. And we're seeing a lot of it, like you mentioned earlier, in PyPI and npm, right? So traditional tactics like typosquatting, posting malware from fake accounts, they're definitely still in play, don't get me wrong.

But now we're seeing more high [00:08:00] touch, long-term strategies emerging. That's people, have you heard of sock puppets? Not for kids, but we're seeing-

Carolynn van Arsdale: But the incident, yeah.

Kadi McKean: Yeah.

So we've seen a lot more stuff like that where it's like social engineering type hacking, where you get into a project and maybe you make a few good commits, but then you start actually injecting that malware into these projects, right?

Or you're taking someone's keys. So for instance, some malicious packages when they're initially uploaded begin as benign. It's functional code to gain trust in that adoption, like I was talking about before. And then after they've done that, they build up a user base and attackers quietly push those updates with malicious payloads.

So like crypto stealing tools or info stealers is very common in what we're seeing right now. A good example of one that recently happened was in, Aiocpa, I think is how it's pronounced. It's A-I-O-C-P-A. A Python package which looked like a legitimate crypto client before being weaponized in a later release.

So it's stuff like that we're [00:09:00] seeing where, okay, it looks trustworthy, but then all of a sudden it's not. Additionally, we're also seeing attackers are targeting popular projects and infrastructures directly. So with that, we saw campaigns again on both PyPI and npm that exploited maintainers' accounts and abused GitHub features to leak secrets, implant backdoors or hijack update mechanisms, which is extremely dangerous.

The fact that someone could leak a secret is what keeps me up at night or, hijacking passwords and just those backdoors in general. Perhaps what's even more worrying is the old unpatched code though that is still widely used in packages, or abandonware that's just not being maintained.

Like you mentioned earlier, we have a really good research team and we recently released a report where we found that the average package on a 30 project sample had 27 vulnerabilities with two critical flaws per package. And I'm just reading this, don't get me wrong, but I wanna make sure I'm giving the accurate [00:10:00] details.

But each had two critical flaws per package- critical. So that's like doomsday. You need to move. Now, this isn't like a you can wait type thing, and some popular PyPI projects had over 130 vulnerabilities. And many of those, it's okay if you have a vulnerability as long as it's non exploitable, but many of these were known exploits and that's where the problem lies.

So that's an open door for any attacker to walk through and do, who knows what, which kind of, to be honest, freaks me out. And I think the last part I wanna get to is getting back to those leaked secrets, like private keys and API tokens. We saw that those rose 12% last year across repositories, which just adds more fuel to the fire, right?

So platforms like PyPI and npm, they're getting better at implementing controls, like two-factor authentication. But then again, just as quickly as you're trying to improve the process, there's a whole team of bad guys who are just working as hard, if not harder, to get into [00:11:00] your stuff. So, threats like that are continuing to evolve just as quickly as we're putting best practices in place.

Carolynn van Arsdale: Definitely. Yeah, and I think everything that you just covered really highlights this overall problem with software supply chain security. I think that, what I often write about a lot, talk about a lot when I'm creating content, is there are multiple areas of risk that we really need to pay attention to, right, when it comes to software supply chain security. As you rightfully pointed out, like the vulnerability problem is huge when it comes to open source packages, but secrets leaks, like file rot, malware, tampering. Thinking about a collection of these risks and looking at them holistically is really what you covered and what developers I think really need to pay attention to, in addition to the level of sophistication that attackers now have, because we've been seeing discoveries on these open source software [00:12:00] platforms where attackers are doing these typosquatting attacks and they're uploading malicious packages.

Oftentimes not so sneakily. And they're really easy to detect right away. ReversingLabs has been reporting on these for several years now, but it's this year that we're really seeing that these packages and the packages that are being uploaded are designed specifically to evade detection.

There have been certain instances that's happened this year as well. So overall I think you really did a good job painting that threat landscape, and another reason why Spectra Assure Community is so powerful. 

Kadi McKean: Yeah, and I think the other one that I might've missed was dev tooling, right?

VS Code, right? That's a huge plugin extension that many people are using, but we're also seeing attackers get in through those extensions now before you even download it or start to see if you wanna use it, we can actually scan that too, so we can give you that SAFE report to let you know has this been tampered with?

Is there malware in this extension code? Just to make sure you have that extra like warm hug, but it's also that extra security check to make [00:13:00] sure the tools you're using are safe to use. 

Carolynn van Arsdale: The infrastructure- actually yeah, that's a really good point. I believe it was last week ReversingLabs researchers discovered the compromise of a legitimate VS Code extension. 

Kadi McKean: Yeah. 

Carolynn van Arsdale: Which is very interesting, that happened as a result of a GitHub pull request that actually the human maintainers of the general project of the extension reviewed it and they missed it. Thought, didn't see anything malicious. And then I believe the GitHub Copilot reviewer also took a look at the pull request and did not find anything malicious as well.

It wasn't until Spectra Assure, which is ReversingLabs' software supply chain security platform, was actually able to identify it. But, using Spectra Assure Community, we're using all of that great information from Spectra Assure to kind of highlight why this extension went so wrong.

Yeah. And developers can rely on that. 

Kadi McKean: And it's not only just the [00:14:00] information, but it's the combo factor, right? So we have people like Karlo Zanki, who is reviewing this manually. Robert's looking at it, Lucia's looking at it. It's people, with two eyes who are physically looking at this and know where to look to check the code that they're reviewing.

So I think it's a combo factor because like you said, AI Copilot is gonna miss it. So you have to know what you're looking for. 

Carolynn van Arsdale: Yeah. And with that, I know that we've already talked a little bit about what Spectra Assure Community is, but I wanted to give you the platform now to just give a good 101 in a few sentences.

What is Spectra Assure Community? 

Kadi McKean: Yeah, so as I've been dancing around this, maybe I'm a ballerina today. But yeah, so Spectra Assure Community is our free offering here. We have this massive 27 petabyte data lake of all this scary malware, all these different behaviors that we're seeing involved in these different types of attacks.

So what we've done with it is we've aggregated that data and we're making it available to folks because we've indexed certain packages and libraries that are [00:15:00] commonly used. What I'm talking about is packages or libraries in PyPI, npm, RubyGems, NuGet, and now VS Code, where we can actually give you those different categories and give you a score on these packages, is it safe to use.

And again, safe to use could be different based off your risk tolerance, right? So my safe level could be different than yours, Carolynn. Based off how you have your environment set up or whatever protocols you have in place, but that's for you to decide. So what we've done is, based off SLSA, different frameworks and other best practices in the space, we've made these assessments on these different open source libraries and given that assessment for you to review on your own. The categories we're basing this assessment off of are secrets, licensing, malware, vulnerability, tampering, and hardening. And maybe you'll have only one category that lights up, right?

But that's for you to review and see, hey, is my risk tolerance up to snuff for this? [00:16:00] And maybe it's not. And if you have something that has, everything's going off. Say maybe the requests package, right, from PyPI. That has a lot going on, I was just looking at it today. It's got a lot going on with it.

There might be some licensing, some secrets, some tampering. So the question becomes how do you triage it and what makes the most sense to look at, that's if you wanna use it. And they typically go by a great rule that Andy Lewis actually taught me, former Marine, he just knows his stuff.

But it's a great rule of thumb and that's the rule of threes. So when you're looking at all this stuff, you think about it this way, I can live three minutes without air, I can live maybe three days without water. But I can only live three weeks without food.

So you have to triage thinking like that what's my air? What's my water, what's my food? So you have to look at it that way to see which fire, realistically, is burning the most. And that's for you to decide, or any organization to decide. What we're doing though is giving you all of the information that we can so you can make those decisions as [00:17:00] to what works best for you.

Carolynn van Arsdale: Because every organization is going to have a different risk tolerance. And do you think that a lot of that is also dependent on, the team makeup of an organization, right? Like how many security folks are actually able to work with the dev folks to be able to triage this stuff.

Kadi McKean: Yeah, and we see that a lot, right? So there's a whole talk about DevSecOps culture and pushing for it. There's been tons of studies done on it. Google, Meta, a bunch of them actually have injected like operations or security folks within their dev teams. But not everybody's there, right?

Those are the big guys who are doing it. So we are starting to see more teams, putting at least one security person if you can afford it, and we know there's less security people than developers, right? But even having one person on the team can help give visibility, or at least that voice as to why things are the way they are or why it's being gated, or why it doesn't meet the criteria to be brought into their environment.

It is still fairly siloed, but there has been [00:18:00] progress made. And what I personally like is we're starting to see more of the companies who've made that shift, sharing why it works for them, and helping educate other, companies as to why this is a really good framework that works.

And they've seen like not only productivity improvement, but they've also seen team happiness scores. I know that sounds like something you wouldn't think, but if you look at some of the DORA metrics, not the DORA, the legislation over in Europe, but DORA metrics here.

Carolynn van Arsdale: I was gonna say. 

Kadi McKean: Yeah, there's a few, everybody knows one. But if you look up DORA metrics, there's a lot of interesting stuff on there too for how to get that collaboration between the three groups who really are pivotal in some of these decisions. 

Carolynn van Arsdale: Really interesting. Yeah. I guess that kind of leads us into, what, we're talking about today, which is the security badging of open source projects. This is an initiative that ReversingLabs has decided to take on with Spectra Assure Community. So I wanted to just give you the platform, Kadi, to really talk about what the Spectra Assure [00:19:00] Community Badge is and explain it for our listeners.

Kadi McKean: I really appreciate this opportunity. For many of you at home, how many of you have looked at a GitHub README file? There's really good README files where it has tons of details in it, but oftentimes I find myself looking at those badges real quick in the README, right? Is CI/CD passing, is it failing?

What version of this? Is it SLSA compliant? Is it, OpenSSF Scorecard? What is that? So a lot of these are quick little visual indicators that can tell, is this a package I wanna use or not? So that's where our badge comes into place, and we're doing that based off our scoring and running it through Spectra Assure Community.

So for maintainers, this all really started with maintainers because I'd love to pay you, but realistically, like that's just not something I can do. There's too many maintainers and I just, I don't have the budget for it. I always think of, too, that little XKCD cartoon where it's this big contraption. I always think it's like a grain feed or something like that from [00:20:00] farming, but I know it's not. It's some crazy contraption, and it's like digital infrastructure, right? And then it points to this one little tiny piece at the bottom, and it's being held up by some random person in Nebraska.

And that's where this idea came from, is that it shouldn't be just one person in Nebraska who's like having to worry about the weight of the world on their shoulders or some piece of equipment without it coming down. And what makes the cartoon even more funny is people can't even decide what made this cartoon.

Is it the Copy Left incident? Is it the OpenSSL incident? So there's a few where people talk about, but that just proves why the cartoon's funny and why we need to help folks like that random person in Nebraska. 

Carolynn van Arsdale: So, funny but also actually pretty serious. 

Kadi McKean: Yeah. It's pretty poignant, right?

Like at first it made me giggle and then when I sat there talking about it with a few folks, they were like, I thought it was based off this, and I was like, I think the cartoon came out before that. So then we just went down a rabbit hole to see who was right and really there was no right answer.

It could fit [00:21:00] for anything. Really any of these incidents. Heartbleed, I think was in another one someone threw it and they were like, I think it was just two guys in Maryland. And I was like, I don't know, let's look. But back to the badging, right? So worrying about those, maybe it's two Steves or the person in Nebraska, that's a lot to carry and a lot of companies rely on these packages, so imagine the amount of pull requests or, problems that they're submitting.

And it's one person who I'm pretty sure has a day job, a nine to five, and they're probably doing this on their off hours. They probably have a family they'd like to see, but they're here, at night, till 2:00 AM on the weekends, fixing things, merging things, approving requests, and they're doing that all because they just want to do good in the world.

And that should be something we reward. So what we're doing here is for folks who are open source maintainers, we're actually gonna give away our full commercial product to you. Why? Because we wanna make sure that you have the best security in place to [00:22:00] make sure that you're pushing out good code for these people so you're not getting as many requests or you're not pushing out malware.

'Cause nobody wants you to do it, we get it, your name's on the line. And if that's something we can do to help you, I think that's just another way to do goodwill in the world. If we're not expecting anything in return, we just really want you to have a good package and make sure it's secure for folks to use.

So that's what we're doing with the badge. We just ask you to put a little badge on there. And it is actually a dynamic badge, right? So it's not like I'm gonna scan this once, maybe fix a few things based off the report. It's actually a dynamic badge, so we scan continuously so the badge will actually update because, let's be honest it's not a matter of if, 

it's a matter of when someone might get a new vulnerability or inject malware. You need to know in real time if that package is safe to use. So it is dynamically updated based off scanning. 

Carolynn van Arsdale: Definitely. And I think that, in talking about the open source community, you bring up a really [00:23:00] good point, which is, I remember when I first, started reporting on

open source software supply chain attacks, and learning more about the open source community and thinking to myself, wow. Like these maintainers are severely underrated. Yeah. They do so much for the cybersecurity community, for the developer community and learning that for a lot of them it's basically like volunteering, when it comes to maintaining these different repositories, these libraries, it's very impressive. So giving them the tools that they need to succeed and giving the community the tools that they need to succeed, is one way in which we can say thank you, but also make sure that everybody stays safe and that, big organizations relying on these packages can also do their part.

Which is what ReversingLabs believes in for sure. 

Kadi McKean: It's a team sport, right? Yeah. Like many of us have done sports as kids, or maybe you're on a softball team now or whatever. But when it comes to open source security, it really is a team sport and everybody needs to do their part. And if this is one small piece that we can [00:24:00] do to help improving the security of open source in general, we're happy to do it.

And we're happy to get that feedback to be like, this is all right. Really, we need more info on this. It's a collaboration between the maintainers and vendors and academia as well, because I know they're reporting on this. So it's really a team sport, and that's how we look at it, because we all want the same end goal, and that's to have secure applications.

Carolynn van Arsdale: And why the word community is so important. It carries a lot of meaning, I think. But I also love the team sport too. It's great. Yeah. I haven't been in a team sport in a while, but I do understand. So you actually wrote a really great blog post, Kadi, I believe like just about a month ago, when we were talking a lot about security badging here at ReversingLabs.

And in that blog post, which if you're watching the live stream, we'll go ahead and link it in the comments wherever you're watching it on social but later on we'll definitely include it in the show notes of this podcast episode once it airs for ConversingLabs, be sure to check it out. But in that blog [00:25:00] post, you specifically wrote that this new badge really is a trust signal for the developer community and for the security community.

Can you elaborate on that really powerful label? 

Kadi McKean: Yeah, and that's something I firmly believe in. So there's a lot of fodder out there, right? So you have to, and people are constantly getting inundated with alerts, and you have to really reach through those tens of thousands of signals to figure out like, hey, is this actually a problem or not?

And it goes back to again, okay, maybe you have a vulnerability, but is it exploitable? If not, okay cool, we're moving on. So a little bit of that, but also when you're looking at these different packages, you wanna make sure that they're verified and by good people. From good people, they're putting the best security practices and coding practices in place.

So by having a badge, the Spectra Assure Community badge, you're really signaling to the community that like, hey, this has been vetted by industry experts whose heart and soul, previous history [00:26:00] has been in malware, binary based analysis. They know what they're talking about. So when it comes to security and you see that badge, you're like, all right I can sleep tonight.

I know that I can trust the results that we're seeing there. And they're giving us good, clear advice as to how to improve maybe the posture, and that way, not only for the maintainer can they believe in that advice, but also for the community, it's, I trust I can use that package.

And you don't feel like you're getting the wool put over your eyes. So, for me it's a bit about a trusted industry expert being able to tell you like, yes this has been vetted not only by our database, but also we've had people physically look at this so you can trust to use it, and I know that it will be updated if something happens.

And when it happens, I will know when that is. Right. Because that's the key thing nowadays is when is it? 

Carolynn van Arsdale: Yeah, and that perfectly ties into my next question, which, obviously the work that you're doing right now and why we're having this episode today and [00:27:00] inviting you on is to educate people on what this security badging system is and what Spectra Assure Community is.

And really, in terms of this badge becoming effective for the open source community, it really needs to have collective trust and collective recognition of what this badge can do. As manager of Community, what is your approach to building this further trust and awareness around this new initiative in the months to come?

Kadi McKean: Yeah, so that's a great question. So we're in a building mode, right? So it's talking to a lot of different maintainers, I wanna hear your story, what are the problems that keep you up at night? What are those problems that you're looking to solve? Or maybe if I had a magic wand, what is something you wish for?

So it's part of that, just getting people's stories, getting their feedback, but it's also going out and educating people on what we can do and really talking about the strength of software supply chain security and why that's a problem that people need to better understand. Yes, our badge can help [00:28:00] solve that problem, but people still haven't fully come around to understanding

exactly, the industry gets it now, it's part of the Gartner Magic Quadrant, but there are still some laggards out there who haven't fully adopted best practices when it comes to this. So it's meetups, it's presentations, but it's also doing education, right? So I actually run a webinar, a monthly webinar, Tuesdays at 11 Eastern, folks.

Third Tuesday of the month, where we bring in community folks. It is not a commercial for ReversingLabs. We are talking with industry experts about different topics that matter to developers and security professionals alike. Because everybody's gonna have a little bit of a different opinion, but it's a great place for development to meet security and talk about these issues, to see where are both of our end goals?

Where do they meet in the middle? What is that ground where we can work together on these things? So that's kind of it. And then slowly we're, we're improving the UI, which is really exciting. And we'll be rolling out some new features in the fall here, [00:29:00] but I don't think I'm allowed to give them away or spill the tea on that yet.

So I'll let you know or report back when I can spill that tea. 

Carolynn van Arsdale: We might need to do a part two on how, Oh please. 

Everything's going. But yeah, and just to give a shout out too to this wonderful series that Kadi has put together, if you aren't already, you should definitely follow ReversingLabs on X/Twitter and LinkedIn because there we're gonna post updates about these really great sessions that Kadi does with experts.

And at these sessions too, you can ask your questions directly to these experts and get that feedback that you're looking for. And the topics are really great, all about developer education, security education, so it's a really great series. I definitely want folks to check it out. 

Kadi McKean: Yeah, how many times can you say, for example, this week we were on with Robert Hurlbut and John Taylor, both industry-leading experts, blown away, by far the masters of their craft in threat modeling.

We had them on this week to just chat for 30 minutes. We wanna [00:30:00] learn a little bit more about what this is, and we had people in the chat just asking questions that were relevant to them. So, check it out, treat it as a great place to meet other people. Ask your questions. Don't be afraid.

And if maybe someone has a question, answer it. The whole thing with community is just sharing the knowledge you have and being able to learn from other folks. 

Carolynn van Arsdale: Definitely, building community, all good stuff. And I definitely wanted to ask you too, because you do, in your job with ReversingLabs, being the manager of community, you work with a lot of maintainers and you're constantly looking to work with new maintainers.

So if there is a maintainer listening right now, or watching us right now, how can they get involved? How can they reach out to you? How can they contribute to Spectra Assure Community?

Kadi McKean: In the words of Kim Possible back in the day, call me, beep me, tweet me, if you wanna reach me. 

Carolynn van Arsdale: Amazing reference.

Kadi McKean: I don't think you can beep someone anymore unless you're a doctor. I don't know. But thank you for getting it. So what [00:31:00] you can do is email community@reversinglabs.com and we'd love to chat with you, if that doesn't work I am on Twitter and Bluesky. Also there's trusty old LinkedIn, so I'm there too, but feel free to reach out to me.

We also have reference to it on our website. So if you find that badging blog that Carolynn's gonna link here, it'll actually tell you at the bottom of how to get a hold of me. So I'm looking forward to people who wanna reach out and learn more about this, and I'm excited to work with you. 

Carolynn van Arsdale: Definitely yes. And also too, the DMs are always open on the ReversingLabs socials, so if you wanna reach out on LinkedIn or X, we are also on Bluesky. Feel free to reach out to us, that way we can connect you with Kadi. So Kadi, I think we wrapped up for today, but I did wanna just ask you if there's anything else you would like to chat about with me before we close out today.

Kadi McKean: I feel like I did my talking for the day and I'm just really excited and I hope people can go discover the magic of secure.software. So, that's where our community lives, it's super easy to remember because why? You want secure software, [00:32:00] right? So remember secure.software, tell us what you think and if you're a maintainer, give us a call. 

Carolynn van Arsdale: Awesome. Kadi McKean, Community Manager at ReversingLabs. Thank you so much for joining us today. For those listening, for those watching, make sure you stay tuned to the ConversingLabs podcast. You can subscribe to the podcast anywhere that you listen to your favorite shows, it's also available on the ReversingLabs website. And if you're curious about Spectra Assure Community, all you have to do is put into your search bar secure.software, and it'll take you right there. Kadi, thanks again, have a great day. Bye everybody. 

Kadi McKean: Thanks, Carolynn.