Emilia Torino shares what goes into keeping Ubuntu secure

Canonical is the company behind Ubuntu, but who are the people behind Canonical? In this blog series, we get to know some of the different employees that make up our company.

Emilia Torino is a Security Generalist at Canonical, and she has over 10 years of experience working in software engineering at an enterprise level. In this interview, we spoke to Emilia about what it means to keep Ubuntu secure, and what it’s like to play such a key role in the wider Linux security community.

What’s your background in software engineering?

I’m from Argentina, and I did my undergrad in software engineering here. I worked for Intel in Argentina for six years – first as an intern and then as a fully-fledged software engineer. Then I received a Fulbright scholarship to do my master’s degree at Carnegie Mellon University in the United States. After finishing my Masters, I went back to Intel and then McAfee for a few more years, and then joined Canonical in 2019 as a Security Generalist.

What was it that made you want to join Canonical and make the leap from software engineer to security specialist?

I was looking for a new challenge. Even though I had more than ten years of industry experience and had been involved in security activities, the prospect of working for the team that makes Ubuntu secure was more than exciting! What’s more, I hadn’t previously been that deeply involved in open source projects. I knew that joining Canonical would offer different learning and career opportunities.

Could you tell us more about those opportunities? What skills have you developed while working at Canonical?

I’ve gained a much greater understanding of the Linux security model, and what the phrase “Security is at the heart of Ubuntu” really means. Every day, the Ubuntu security team provides multiple security updates for software packages, and the most important ones are released within 24 hours. Backporting (applying a software patch or update to an older version of software than the update was initially intended for) and publishing security updates across all affected Ubuntu distributions is way more complex than it sounds. When I was working on my first patch, I created a 15-page wiki article out of all the instructions and advice that my colleagues gave me! 

Outside of patching, the other projects I work on frequently give me the chance to learn new skills. During this cycle, for example, I’ve started helping with the snap store revision process, which is giving me a deeper understanding of the snaps ecosystem and how snaps work in general. 

What does being a Security Generalist entail?

It’s our job to keep Ubuntu and all the applications that we officially maintain secure. As security vulnerabilities occur, we spend a significant amount of our time triaging, patching and validating those that affect Ubuntu packages or the Linux kernel. Sometimes we even coordinate security fixes with other Linux distributions, making sure we contribute to the wider Linux ecosystem. 

As new Ubuntu releases are planned, we participate in internal discussions and design reviews to enhance default Ubuntu installations, working on new capabilities or improving existing features to harden the OS security. Some members of the team collaborate with various external agencies to generate security hardening guides, containing configuration parameters for the OS and applications that assist in mitigating the damage a computer attack can do. 

We also work closely with other teams at Canonical to jointly think like attackers and help them detect and manage security risks proactively. When describing these activities, I always like to recall a phrase from The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles”.

These are just a few examples of our responsibilities. Members of our team also cover snaps, the Robot Operating System (ROS), source code auditing for promoting packages from universe (community-maintained) to main (Canonical officially supported), and more. It’s a role with an extremely wide scope.

How does working in open source differ from your experience in the proprietary space?

Working for a company that makes an operating system that’s freely available for anyone to use and share however they want is just amazing. I really feel like I’m part of something that makes a difference for millions of humans. I love the open source attitude that anyone can participate in making something better, and everyone benefits from each other’s contributions – honoring the meaning of Ubuntu: “humanity to others”.

The community aspect of open source isn’t something you see so much in proprietary software engineering. At Canonical, knowledge sharing doesn’t just happen internally; we interact extensively with the community as well. The security team is always answering emails and participating on IRC channels and forums, and one of our team members even does a weekly podcast to share what we’ve been working on or what’s happening in the industry. And the community contributes back to us in turn. People will message us privately to flag up potential vulnerabilities, or they’ll develop their own fixes which we sponsor. We all work together to make Ubuntu better every day. 

What do you think the future holds for open source?

I think that open source is only going to keep gaining traction. Companies are increasingly using open source technology in one way or another, and businesses are beginning to see the benefits of not just consuming open source, but contributing back to it. 

Open source is changing how a lot of organisations define their way of working, and I honestly wouldn’t be surprised to see the open source philosophy start being applied to areas outside of software. 

For new software engineers joining the industry, why should they consider working in open source?

Working in open source is immensely exciting from a motivation perspective. In this field, you can clearly see how your small, personal contributions can lead to major benefits for a large number of people. There are few things more encouraging than seeing a tangible impact from your work.

Newcomers to the open source community will quickly develop the attitude that whenever they see something, they can help make it better. That outlook will push them to learn and improve continuously, and it will serve them well in everything they do.