
The delicate dance between Red Hat and the open source community


In Henri Salo’s words, time allocation is an art.

Between work, a social life, working out and even going on the occasional “security exercise,” it’s difficult to see how the programmer has time to do anything else.

Henri Salo


“My average day is work, friends, running, hiking and listening and creating music,” he said in an email. At the time, the Finland-based security specialist was too preoccupied for a phone interview.

“I try to focus on the moment and do important tasks first in case I have a lot to do.”

And yet, somehow, Salo manages to sneak in some open source coding.

On GitHub, the open-source community forums and Google’s first result for “Henri Salo”, the hacker is listed under the user name “fgeek”.

His 19 followers would lead one to believe that Salo’s presence in the community is small. And yet, in the past year alone, he made 845 contributions, or roughly two per day. As of writing, his contribution streak has lasted only two days, but his longest one, from the lead-up to New Year’s through the early weeks of January, lasted almost two weeks.

Salo chalks his contributions up to a sense of payback.

“I have been using open-source for a long time now and I like to give back to the community with my security know-how, which has been a great learning experience for me,” he wrote. “I have a hacker way of thinking so I feel improving security as fun most of the time.”

It’s not inconceivable that, for a security professional, this type of extracurricular activity yields some benefits. In fact, Salo admits that it is partly for his personal needs.

But the point of open source, he said, is that everyone gets the benefits.

“You don’t have some people winning and some people losing,” said Josh Bressers, product security team lead at Red Hat. He added that the idea that open source is less secure than proprietary code is a misconception.

“You have an amplification effect of having different people working together for the common good,” he said.

For a company like Red Hat, which relies on open source, working with community members like Salo is crucial, but not always easy.

There’s a “delicate dance” that involves staying up to date on the latest developments in various communities and taking on or doling out new projects, depending on the situation, although Bressers said that Red Hat tries very hard to “not be pushy in any way.”

Part of the challenge is also knowing how to approach communities that differ from one another. Some are loose collectives, while others, like GitHub, of which Salo is a member, are more structured. At times it comes down to working together on the same project.

One area where Bressers sees an advantage for closed-source code is that the message, what needed fixing, what got fixed and what didn’t, is controlled by the company and is usually “razor sharp,” since a company doesn’t need to disclose everything.

Nevertheless, with more and more vendors shipping open source software, Bressers said open source has matured.

To Salo, chipping in his time may allow him to reach more users than through his day job alone at Finland-based security consulting firm Nixu Corp. At the end of the day, he said, it doesn’t have to be an either-or.

“I don’t think of security as a state, but more like continuous process,” he said. “All IT systems have faults and people make mistakes all the time, but at least we can try to improve.”
