From Manager to Open Source Security Pioneer: Kate Stewart's Journey Through SBOM, Safety, and the Zephyr Project

Show Notes

In this episode of What’s in the SOSS, CRob has an inspiring conversation with Kate Stewart, a Linux Foundation veteran who took an unconventional path into open source as a manager rather than a developer, navigating complex legal challenges to get Motorola's contributions upstream. Now a decade into her tenure at the Linux Foundation, Kate leads critical initiatives in safety-critical open source software, including the Zephyr RTOS project and ELISA, while being instrumental in the evolution of SPDX and Software Bill of Materials (SBOM). She breaks down the different types of SBOMs, explains how the Zephyr project became a security exemplar with gold-level OpenSSF badging, and shares practical insights on navigating the European Union's Cyber Resilience Act (CRA). Whether you're interested in embedded systems, security best practices, or the evolving regulatory landscape for open source, this episode offers valuable perspectives from someone who's been shaping these conversations for years.

Episode Chapters:

• 00:00 - Intro Music & Promo Clip
• 00:00- Introduction and Welcome
• 00:42- Kate's Current Work at Linux Foundation
• 02:18- Origin Story: From Motorola Manager to Open Source Advocate
• 06:38- Building Global Open Source Teams and SPDX Beginnings
• 09:45- The Variety of Open Source Contributors
• 10:57- Deep Dive: What is an SBOM and Why It Matters
• 17:05- The Evolution of SBOM Types and Academic Understanding
• 19:21- Cyber Resilience Act and Zephyr as a Security Exemplar
• 26:46- Zephyr's Security Journey: From Badging to CNA Status
• 31:05- Rapid Fire Questions
• 32:19- Advice for Newcomers and Closing Thoughts

Episode links:

• Kate Stewart LinkedIn page
• Zephyr Project
• SPDX (Software Package Data Exchange)
• ELISA Project
• Get involved with the OpenSSF
• Subscribe to the OpenSSF newsletter
• Follow the OpenSSF on LinkedIn