SOSS Fusion 2024
October 22-23, 2024 | Atlanta, Georgia USA

All times are shown in Eastern Daylight Time (EDT).
Tuesday, October 22

9:00am EDT

Welcome & Opening Remarks - Jim Zemlin, Executive Director, The Linux Foundation
Tuesday October 22, 2024 9:00am - 9:20am EDT
Speakers
Jim Zemlin
Executive Director, Linux Foundation
Jim Zemlin’s career spans three of the largest technology trends to rise over the last decade: mobile computing, cloud computing, and open source software. Today, as executive director of The Linux Foundation, he uses this experience to accelerate innovation in technology through...
Skelton

9:20am EDT

Decoding the AI Revolution; Implications for Security and Society: AI Security Matters - Bruce Schneier, Renowned Security Technologist and Best-Selling Author
Tuesday October 22, 2024 9:20am - 10:05am EDT
AI has transformed industries, economies, and societies and helped organizations reimagine what’s possible for their businesses. While AI presents countless opportunities for innovation and growth, we must still be cognizant of the challenges it poses to information security. In this keynote, Schneier unravels the intricate web of risks and opportunities that AI presents as he addresses issues related to its vulnerabilities, ethical considerations, and unpredictability while underscoring the skills anyone can tap into to build resilient systems that can withstand unforeseen challenges and effectively navigate the complexities of AI security.  
Speakers
Bruce Schneier
Renowned Security Technologist and Best-Selling Author
When people want to understand the vulnerabilities of our increasingly digital world, and how to protect their privacy within it, they turn to Bruce Schneier. Dubbed a “security guru” by The Economist, Schneier is an internationally renowned security technologist and best-selling...
Skelton

10:10am EDT

Enshittification Was a Choice - Cory Doctorow, Science Fiction Author, Activist and Journalist
Tuesday October 22, 2024 10:10am - 10:25am EDT
The internet's enshittification - its consolidation into gigantic platforms that trapped and then tormented end users and business customers alike - was a choice. Specific policies transformed the old, good internet into the enshitternet of "five giant websites filled with screenshots of the other four." We can build a new, good internet, but it's going to take more than good tech: it will require good *policies*.
Speakers
Cory Doctorow
Science Fiction Author, Activist and Journalist
Cory Doctorow (craphound.com) is a science fiction author, activist and journalist. He is the author of many books, most recently THE BEZZLE (a followup to RED TEAM BLUES) and THE LOST CAUSE, a solarpunk science fiction novel of hope amidst the climate emergency. His most recent nonfiction...
Skelton

10:30am EDT

Government's Continuing Path Contributing Towards a Secure Open Source Ecosystem - Timothy Pepper, Senior Technical Advisor, Open Source Software Security, US Cybersecurity and Infrastructure Security Agency (CISA)
Tuesday October 22, 2024 10:30am - 10:45am EDT
Throughout history, governments have often played an enabling role in technology innovation. The innovation value brought by open source software (OSS) is well known, as is the friction that cyber-insecurity causes to innovation. But the intersection of these three topics has been less clear, until recently.
This talk will explore the emerging intersection of open source software, cybersecurity, and government by sharing the four goals in the Open-Source Software Security Roadmap published in 2023 by the US Cybersecurity and Infrastructure Security Agency (CISA):
1) establishing CISA’s role in supporting the security of OSS,
2) understanding the prevalence of key open source dependencies,
3) reducing risks to the federal government,
4) hardening the broader OSS ecosystem;
their alignment with the National Cybersecurity Strategy’s goal of a more resilient, equitable, and defensible cyberspace; ongoing progress across 2024 toward the four goals; and potential next opportunities for alignment and collaboration across industry, academia, open source, and government looking forward into 2025 and beyond.
Speakers
Timothy Pepper
Senior Technical Advisor, Open Source Software Security, US Cybersecurity and Infrastructure Security Agency (CISA)
Tim Pepper is an engineer with over 25 years in open source, with contributions to Kubernetes (emeritus Steering Committee elected member, emeritus Code of Conduct Committee elected member; past SIG Release co-chair and WG LTS co-organizer), open source security projects, Linux kernel/drivers/distributions...
Skelton

10:45am EDT

Break + Networking
Tuesday October 22, 2024 10:45am - 11:15am EDT
Hagood Reception Room

11:15am EDT

The Power Duo: How Maintainers and Contributors Enhance Open Source - Aishat Muibudeen, AsyncAPI Initiative
Tuesday October 22, 2024 11:15am - 11:25am EDT
My presentation aims to explain the crucial roles of maintainers and contributors in securing open-source software. The primary objective is to highlight how effective collaboration between these roles ensures open-source projects' quality, usability, and sustainability. The ultimate goal is to empower newcomers and seasoned contributors to take active roles in maintaining and improving the sustainability of open-source software. Drawing from my experiences within various open-source communities, I will emphasize the profound impact of collaborative efforts on project success.
Speakers
Aishat Muibudeen
Design Maintainer, Technical Steering Committee (TSC) & Code of Conduct Committee, AsyncAPI Initiative
Aishat is a skilled Product Designer and UX Researcher with about three years of experience in Open Source. She is also a Technical Steering Committee (TSC) member, Design Maintainer and part of the Code of Conduct Committee at the AsyncAPI Initiative, where she plays a crucial role in achieving...
Salon 1

11:15am EDT

Session To Be Announced - David Wheeler, The Linux Foundation
Tuesday October 22, 2024 11:15am - 11:55am EDT
Speakers
David Wheeler
Director of Open Source Supply Chain Security, Linux Foundation
Dr. David A. Wheeler is an expert on open source software (OSS) and on developing secure software. His works on developing secure software include "Secure Programming HOWTO", the Open Source Security Foundation (OpenSSF) Secure Software Development Fundamentals Courses, and "Fully...
Skelton

11:15am EDT

Building Developer Confidence in Software Security with the DevRel Community - Katherine Druckman, Intel Corporation; Lori Lorusso, Percona; Tabatha DiDomenico, G-Research
Tuesday October 22, 2024 11:15am - 11:55am EDT
Software is a complex system of tooling, processes, and, ultimately, humans. Ensuring the system's integrity and hardening our software supply chain requires careful configuration at countless steps along the pipeline. The OpenSSF is leading the open source security community to establish tools and best practices. Still, their discovery can be overwhelming and confusing to the developers and open source maintainers who stand to benefit. Join this panel of OpenSSF DevRel Community Volunteers to learn how to navigate the complex waters of the OpenSSF landscape as we work to connect projects and tools with the community. Walk away with a clearer understanding of developer relations and how to get involved.
Speakers
Tabatha DiDomenico
Open Source DevRel Engineer, G-Research
Tabatha is an OSS DevRel Engineer at G-Research bringing over two decades of experience in community development, IT, and cybersecurity to the role. She holds an MS in Cybersecurity from the University of South Florida and a BA in Interdisciplinary Studies from the University of Central...

Katherine Druckman
Open Source Evangelist, Intel
Katherine Druckman is an Open Source Evangelist at Intel where she enjoys sharing her passion for a variety of open source topics. She is a long-time open source advocate, developer, and podcaster, and is currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality...

Lori Lorusso
Head of Community, Percona
Lori has a passion and enthusiasm for working with the developer and open source community. She is a CNCF Ambassador, former CNCF Marketing Committee Chair, former Chair of the CDF Outreach Marketing Committee, program chair of cdCon 2023, and is active in the OpenSSF devrel committee...
Salon 4

11:30am EDT

Continuous Assurance of Supply Chain Security Levels of Open Source Artifacts using SLSA 0.1 - Krithika Venugopal & Raj Krishnamurthy, ComplianceCow
Tuesday October 22, 2024 11:30am - 11:40am EDT
How end users can perform a reasonable verification of the SLSA provenance produced by trusted build systems, to protect against threats such as builds from modified source, a compromised build process, and downloading modified packages.
Speakers
Raj Krishnamurthy
Product Architect, ComplianceCow
27+ years in software development, product engineering and product management building distributed, enterprise software at cloud scale.

Krithika Venugopal
Software Engineer, ComplianceCow
Software Engineer with 17 years of experience in .NET, Java, Go, Python and security GRC middleware.
Salon 1

11:45am EDT

QEMU-Native Hooking Bridge for Binary Fuzzing - Subhojeet Mukherjee, Hitachi India Pvt. Ltd.
Tuesday October 22, 2024 11:45am - 11:55am EDT
Fuzz testing of compiled binary code is imperative when source code is not available. AFLplusplus is a popular fuzzer, responsible for discovering several vulnerabilities in open/closed source software. While fuzzing, AFLplusplus acquires code coverage feedback by emulating the target binary in QEMU usermode, thereby supporting architecture-neutral fuzzing as well. There is, however, no native instruction hooking and memory control support in QEMU, even though such a capability can greatly benefit binary fuzz testing by patching/fixing roadblock locations that lead to long-running fuzzing campaigns. The current solution is a Pythonic wrapper, UNICORN, on QEMU, which is understandably slow and, more importantly, requires significant configuration to make use of features that are enabled by default in AFLplusplus's raw QEMU mode. In this lightning talk, we will touch upon the QEMU native hooking bridge [https://github.com/AFLplusplus/AFLplusplus/tree/stable/qemu_mode/hooking_bridge]. We will briefly go over its design and implementation. We will then describe its usage with one or more examples. Furthermore, we will demonstrate its superiority over AFLplusplus's UNICORN mode.
Speakers
Subhojeet Mukherjee
Researcher, Hitachi India Pvt. Ltd.
Dr. Subhojeet Mukherjee is a researcher in embedded systems security. He received his PhD from Colorado State University, researching security aspects of in-vehicle networks in medium and heavy-duty vehicles. Currently, at Hitachi India Pvt. Ltd., he researches efficient testing...
Salon 1

12:00pm EDT

End-to-End Secure ML Development - Mihai Maruseac, Google
Tuesday October 22, 2024 12:00pm - 12:30pm EDT
We are seeing an increase in the number of AI-powered applications. At the same time, we are seeing that AI software repeats the same security mistakes as traditional software, but on an accelerated time frame and with higher risks. In this talk -- planned as a tutorial -- we aim to show how AI applications can be developed in a safe way, starting with datasets and software dependencies, building a secure software supply chain, and only accepting models in production that have clear, untampered provenance (both SLSA provenance and an analysis of the capabilities of the models to eliminate future risks). For example, we want to be able to trace back from a bad inference in production to the potentially poisoned input in the training dataset. We will show how we can reduce the cost of retraining models in the event of an ML framework compromise by analyzing the blast radius and only retraining impacted models. To keep the audience engaged, we will follow the development story of an ML model from data collection and training all the way to deploying the model in production. At each stage, we will go over the supply chain security risks and show how these can be mitigated.
Speakers
Mihai Maruseac
Staff Software Engineer, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security for ML and on GUAC. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential Privacy (DP) within...
Skelton

12:00pm EDT

An Inside and Outside Look at the Government’s Ongoing Journey with Open Source Tech - Austen Bryan, Defense Unicorns & Camdon Cady, US Air Force
Tuesday October 22, 2024 12:00pm - 12:30pm EDT
Outsiders looking in at government software delivery might imagine a cabal of crusty do-nothings plotting the next series of setbacks and delays to deliver to their unwitting users, or a scheming contractor masterfully extracting maximum payment for each feature delivered. Nothing could be further from the truth; in reality the civil service and the commercial ecosystem servicing the government are full of hard-working people navigating a labyrinthine series of financial, contractual, technical, and cybersecurity policies and standards. Open Source software and open technology can be a critical tool for successfully steering a project through that maze in order to deliver a capability to users. In this session, we give real-world examples of the challenges to value delivery in the government, discuss some of the common misperceptions around government use of Open Source, and discuss how the use of Open Source has led to improved outcomes for users in the Department of Defense. Lastly, we discuss where we think the relationship between the private and public sector is going with respect to Open Source.
Speakers
Austen Bryan
VP of Product, Defense Unicorns
Austen Bryan, a former Active Duty Air Force officer, has spent most of his career in the DoD’s software development sector. As the VP of Product at Defense Unicorns, he leverages his experience from co-founding LevelUp Code Works and serving as COO for DoD Platform One. Bryan’s...

Camdon Cady
Platform One CTO, US Air Force
Air Force Officer, long-time nerd, working to revolutionize software delivery for the DoD from the inside.
Salon 4

12:00pm EDT

Innovate Fast, Operate Securely: AI-Powered Protection for Containerized Workloads - Rick Bosworth, SentinelOne
Tuesday October 22, 2024 12:00pm - 12:30pm EDT
Vulnerabilities hidden within open source libraries raise the risk for containerized workloads. Runtime protection is needed, even for ephemeral applications, because automated attacks spread in seconds. Join SentinelOne as we demonstrate AI-powered threat protection and discuss its place in a CNAPP strategy. By combining agentless insights spanning asset discovery, CSPM, vulnerability management, and more, with the stopping power of a runtime agent, multi-cloud organizations are best equipped to accelerate and secure innovation at scale.
Speakers
Rick Bosworth
Innovative Cloud Security Leader, SentinelOne
As a former product manager, Rick Bosworth brings an uncommon technical perspective to enterprise GTM strategy and execution. At SentinelOne, his cloud security focus spans cloud workload protection, CSPM, KSPM, and CNAPP. When he is not launching new products or working with customers...
Salon 1

12:30pm EDT

Lunch (Attendees on Own)
Tuesday October 22, 2024 12:30pm - 2:00pm EDT

2:00pm EDT

Is Diversity the Top Ingredient in Your SBOM? - Rao Lakkakula & Tunji Taiwo, JPMorgan Chase
Tuesday October 22, 2024 2:00pm - 2:30pm EDT
Diversity plays a pivotal role in enhancing the security of open-source software. By involving contributors from various backgrounds, infusing different cultures, educational paths, and professional experiences, the open-source community benefits from a broad spectrum of perspectives. This diversity leads to a more comprehensive identification of potential vulnerabilities, as contributors bring unique approaches to problem-solving and threat analysis. In this talk, Rao Lakkakula and Tunji M Taiwo go over how diversity fosters a more inclusive and collaborative environment, encouraging more individuals to participate and contribute. In essence, diversity in open-source software development is not just a matter of equity and representation; it is a critical factor in creating robust, secure, and resilient software systems while driving innovation and growth within the broader open-source ecosystem.
Speakers
Rao Lakkakula
Senior Director, JPMorgan Chase
Rao Lakkakula is Senior Director of Security Engineering at JPMorgan Chase with focus on developer security. Rao has 20+ years of expertise in security and software development with roles spanning from strategy, engineering, risk management, and business intelligence. His prior experience...

Tunji Taiwo
Executive Director, JPMorganChase
Tunji Taiwo is an Executive Director of cybersecurity Global Architecture & Engineering at JPMorganChase. With over 25 years of IT experience and proven expertise in designing, building, and operating robust cybersecurity strategies to safeguard organizations from cyber threats...
Salon 1

2:00pm EDT

Open & Secure: Novel Sandboxing Technique for Any Open Source Library - Gal Elbaz, Oligo Security
Tuesday October 22, 2024 2:00pm - 2:30pm EDT
Security teams from Google to Firefox have taught the security industry a lot about isolating running programs from the broader system through sandboxing, which fundamentally changed the way hackers need to operate to inflict damage on systems. Threat actors today need to be significantly more sophisticated and build a chain of vulnerabilities to escape sandboxes and access critical system resources for exploitation. The consistently growing number of vulnerabilities in OSS packages imposes an impossible pace of remediation and patching to stay ahead of zero-day threats evolving daily. Enter Open Source Sandboxing. In this talk we’ll present a first-of-its-kind approach, built upon the powerful eBPF and KRSI technologies, that enables you to derive the very same security benefits that browser, web-based and mobile (iOS and Android) sandboxing provide, for any open source library you are running in your stacks. We’ll walk through a code example of how to identify and block exploits.
Speakers
Gal Elbaz
CTO & Co-Founder, Oligo Security
Co-founder & CTO at Oligo Security with 10+ years of experience in vulnerability research and practical hacking. He previously worked as a Security Researcher at CheckPoint and served in the IDF Intelligence. In his free time, he enjoys playing CTFs.
Salon 4

2:00pm EDT

Solving Air-Gap Problems the Cloud Native Way with Zarf - Austin Abro, Defense Unicorns
Tuesday October 22, 2024 2:00pm - 2:30pm EDT
In this talk, we'll explore how disconnected environments, while beneficial for security, increase the complexity of Kubernetes deployments. You’ll learn the challenges encountered when bringing images, Helm charts, and Git repositories into environments lacking access to Git servers or container registries. We'll then delve into how Zarf, an OpenSSF sandbox project, enables cluster operators to package everything needed for their workloads into a single, declarative OCI artifact to be deployed onto an air-gapped cluster. Finally, we’ll discuss how Zarf helps operators maintain visibility over their supply chain with automated SBOM (Software Bill of Materials) creation.
Speakers
Austin Abro
Zarf Maintainer, Defense Unicorns
Austin Abro is a full-time maintainer of Zarf at Defense Unicorns, a tool built to enable declarative creation & distribution of software into air-gapped/constrained environments. Previously, he worked at Fiat Chrysler as a full stack Java developer before being promoted to technical...
Skelton

2:35pm EDT

5 Steps to VEX Success: Managing the End-to-End Workflow - Cortez Frazier Jr., FOSSA
Tuesday October 22, 2024 2:35pm - 3:05pm EDT
If you work in vulnerability management, you’re probably familiar with the painful condition known as CVE overload. Each year, tens of thousands of new vulnerabilities are reported, and these potential risks overwhelm security teams tasked with confirming risks and remediating them. A proposed solution is VEX (Vulnerability Exploitability eXchange): a set of formats that communicates vulnerability impact status, whether a vulnerability is exploitable in its deployed context, and mitigation steps. In theory, VEX (when used alongside other prioritization inputs) makes it possible for downstream security teams to remediate more efficiently. But as with most security frameworks, efficacy depends on proper implementation. This talk will cover five steps to leveraging VEX throughout the vulnerability remediation lifecycle, from the time a vulnerability is disclosed to the time you publish and distribute a VEX statement. We’ll cover the tools and workflows security practitioners need to know to effectively use VEX in their organizations.
Speakers
Cortez Frazier Jr
Principal Product Manager, FOSSA
Cortez Frazier Jr. is a Principal Product Manager at FOSSA. He leads development for the company’s SBOM (software bill of materials) and vulnerability management solutions. Before joining FOSSA, Cortez served as product lead for all of Puppet’s SaaS-based products, primarily within...
Skelton

2:35pm EDT

Open Source Software (OSS) Transparency for Acquisition - Carol Woody, SEI
Tuesday October 22, 2024 2:35pm - 3:05pm EDT
Systems today are primarily assemblies of reused components, many of which are Open-Source software. The reuse of common components has enabled faster fielding of systems, but all software comes with vulnerabilities, and attackers have expanded their capabilities to exploit them in products that have broad use, especially Open Source. How should an organization make appropriate trade-off choices among cost, schedule, and cybersecurity? Over the history of software engineering, we have learned that software metrics for both the process and the product are needed. We have also explored many aspects of cybersecurity measurement and determined that we must be able to measure the processes for developing and using software and how those measurement results affect the product’s cybersecurity. It is insufficient to measure only operational code, its vulnerabilities, and the attendant risk of successful hacks. Relying on the assumption that many eyeballs looking at the software ensures better security is of little value without an understanding of what was analyzed and how knowledgeable those performing the analysis were.
Speakers
Carol Woody
Principal Researcher, SEI
Dr. Carol Woody is principal researcher for the CERT division of the Software Engineering Institute. She focuses on cybersecurity engineering for building capabilities and competencies to measure, manage, and sustain cybersecurity and software assurance for highly complex software-reliant...
Salon 4

3:10pm EDT

Living with and Leveraging GCC - James Lowden & Bob Dubner, Symas Corporation
Tuesday October 22, 2024 3:10pm - 3:40pm EDT
The GCC steering committee has accepted our project to add COBOL to GCC. This is our story of learning how to interact with a hoary, established project and (we hope) make a significant contribution.
Speakers
Bob Dubner
Software Architect, Symas Corporation
Started programming 57 years ago. FORTRAN on supercomputers; assembly on minicomputers; machine language on embedded processors; electrical engineering degree; video graphics hardware for broadcast television; C device drivers for same; strong crypto in casino slot machines; USB gadgetry...

James Lowden
Senior Architect, Symas Corporation
James spent the first 30 years of his career on Wall Street in application programming, database design, and quantitative research. Now he's in pure technology, building compilers and systems for other programmers. After decades in Manhattan, his work life is now fully virtual, and...
Salon 1

3:10pm EDT

Episode AI: The Phantom (Dependency) Menace - Darren Meyer, Endor Labs
Tuesday October 22, 2024 3:10pm - 3:40pm EDT
OSS dependencies don't always come from carefully-managed manifests and lockfiles -- sometimes they're phantoms. This pattern is especially common for AI and ML projects. If you're to manage these dependencies (for ops, for compliance/accurate SBOMs, for vuln management, etc.), then you need to understand how they enter your environment and how to find them.
This presentation discusses why and how phantom dependencies are used, why they're so much more common in AI and ML projects, and vendor-neutral tactics for identifying them and associating them correctly with your applications.
Speakers
Darren Meyer
Staff Research Engineer, Endor Labs
Darren has over 18 years in AppSec as a practitioner, researcher, developer-champion, and leader. He brings his passion for resiliency in socio-technical systems to the AppSec ecosystem for work, and obsesses over coffee for play.
Skelton

3:40pm EDT

Break + Networking
Tuesday October 22, 2024 3:40pm - 4:10pm EDT
Hagood Reception Room

4:10pm EDT

The Future of Secure Open Source Software Starts in K-12 - Rao Lakkakula, JPMorgan Chase
Tuesday October 22, 2024 4:10pm - 4:25pm EDT
The future of secure open-source software lies in education, particularly from K-12 and beyond. Imagine a world where students, from their earliest years, are introduced to the principles of open-source collaboration, coding, and cybersecurity. By embedding these skills early, we are not only preparing them for future careers but also cultivating a new generation of developers and innovators who prioritize security. In this talk, Rao and Tunji go over how high school and college students can engage in real-world open-source projects, learning the importance of secure coding practices and contributing to global software solutions. Integrating security-focused open-source education fosters a culture of collaboration and shared responsibility. This not only strengthens the software we rely on but also builds a more inclusive, diverse developer community. It's about creating a future where secure, reliable software is the norm, driven by a well-educated, passionate generation committed to making a difference. By investing in education today, we are securing the open-source software of tomorrow. Let's inspire our youth to be the champions of a safer digital future.
Speakers
Rao Lakkakula
Senior Director, JPMorgan Chase
Rao Lakkakula is Senior Director of Security Engineering at JPMorgan Chase with focus on developer security. Rao has 20+ years of expertise in security and software development with roles spanning from strategy, engineering, risk management, and business intelligence. His prior experience...
Salon 4

4:10pm EDT

From Cosign to an Ecosystem: The Evolution of Sigstore - Cody Soyland, GitHub
Tuesday October 22, 2024 4:10pm - 4:40pm EDT
Sigstore promises to democratize software signatures and attestations, providing a secure foundation for FOSS supply chains. By offering a free public certificate authority (Fulcio), a transparency log (Rekor), and a signing tool (Cosign), Sigstore has lowered the barrier of entry for developers to adopt secure software distribution practices. Moving forward, Sigstore is evolving to serve new use cases with a plethora of language integrations and new capabilities. In this talk, we will explore the evolution of Sigstore from a single CLI tool to a rich ecosystem of tools and services. We will start with a basic introduction to Sigstore, covering its core components. We will discuss the role of the Sigstore Bundle format in enabling simple interoperability for detached attestations, and how libraries like sigstore-js and sigstore-python are enabling new use cases in package managers, CI workflows, and policy enforcement tools.
Speakers
Cody Soyland
Senior Software Engineer, GitHub
Cody Soyland is a software engineer at GitHub, where he works on GitHub Artifact Attestations and contributes to the Sigstore project. He is a maintainer of the Sigstore public good instance, author of sigstore-go, and a member of the Sigstore Security Response Committee. Cody has...
Skelton

4:10pm EDT

Exploiting Trust: The Dark Side of Git - Neil Naveen
Tuesday October 22, 2024 4:10pm - 4:40pm EDT
Most of us trust Git’s security features—signed commits and tags, strict access controls, and robust verification processes—to protect our codebases, even if the Git host is compromised. We rely on practices like ensuring merge commits are signed by trusted authorities, requiring feature branch commits to come from a single user, and having multiple users with appropriate authority levels verify each merge.

But what if I told you that a malicious attacker could still introduce harmful code into a repository, manipulate signed tags, and roll back patches—all without breaking a single signature or triggering any alarms?

In this talk, we will demonstrate how easily an attacker can execute these malicious actions, bypassing all the supposed security measures. You’ll witness firsthand how undetectable these changes can be, highlighting a critical and often overlooked vulnerability in Git.

We will also introduce gittuf, an up-and-coming tool from the OpenSSF project that can mitigate these risks with a decentralized, key-management and permission-based verification system.
Speakers
Neil Naveen
Highschool, Highschool
Neil Naveen is a 9th grader in the US who is passionate about jiu-jitsu and solving Leetcode problems, a book author, and an active contributor to supply chain security projects. https://leetcode.com/neilnaveen/ https://github.com/neilnaveen/
Salon 1

4:25pm EDT

5 Things OSS Can Do To Make Life Easier For The Public Sector - Eddie Zaneski, Defense Unicorns
Tuesday October 22, 2024 4:25pm - 4:40pm EDT
OSS developers play a crucial role in shaping solutions that impact the public sector. This lightning talk will highlight practical steps maintainers can take to improve adoption and usage for governmental and public service organizations. Join us as we explore how relatively small changes can lead to significant improvements.
Speakers
Eddie Zaneski
Staff OSS Engineer, Defense Unicorns
Eddie lives in Denver, CO with his wife and dog. He loves open source and works on the Kubernetes project. When not hacking on random things you'll most likely find him climbing rocks somewhere.
Salon 4

4:45pm EDT

How to Scale InnerSource Adoption in Regulated Industries - Joseph Zang, Fannie Mae
Tuesday October 22, 2024 4:45pm - 5:00pm EDT
Join me, Joseph Zang, on a journey through the complexities, pitfalls, and triumphs of scaling InnerSource adoption in a highly regulated industry. As the InnerSource Community Lead Advocate, I've navigated the intricate landscape of regulatory constraints and organizational resistance to nurture a culture of collaboration leading to innovation and program maturity. In this session, I'll share my experiences (the good and not so good) and relay my insights on how to effectively implement InnerSource practices within regulated environments. Here's what to expect:
• Starting the InnerSource Journey
• Jumping Regulatory Hurdles
• Cultural Transformation
• Building the Right Infrastructure
• InnerSource in Practice
This session is a candid glimpse at the challenges and rewards of championing InnerSource adoption in a regulated FinTech environment. Observe the practical strategies that worked for us, the obstacles we overcame (and the ones we didn’t), and the hacks we discovered along the way as our InnerSource initiative matures.
Speakers
Joseph Zang
Lead Associate for InnerSource Advocacy, Fannie Mae
Joseph Zang is currently the InnerSource Lead Associate at Fannie Mae, where he champions innovation and enhances the developer experience. Passionate about the collaborative and equitable aspects of Open Source and InnerSource, Joe is dedicated to impactful, empathetic engineering...
Skelton

4:45pm EDT

The Current State of SBOMs for End Users - Eddie Zaneski, Defense Unicorns
Tuesday October 22, 2024 4:45pm - 5:15pm EDT
Software Bill of Materials (SBOMs) have become essential for ensuring transparency, security, and compliance. However, many end users find the current state of SBOMs challenging, with issues like inconsistent formats, lack of real-world guidance, and sparse tooling. The reality is that regulations requiring SBOMs can often be satisfied with an empty JSON file or a handwritten word document that the recipient doesn't really know what to do with. Despite these challenges, SBOMs hold significant promise for enhancing software security. This talk will highlight ongoing efforts to improve SBOM practices, emphasizing the importance of collaboration among specification designers, regulators, and developers. We'll explore how OpenSSF projects like Protobom and bomctl are attempting to provide a foundation for the tooling end users need. By focusing on these initiatives and promoting best practices, we can work towards a future where SBOMs are not just regulatory checkboxes, but powerful tools for software management and security.
Speakers
Eddie Zaneski
Staff OSS Engineer, Defense Unicorns
Eddie lives in Denver, CO with his wife and dog. He loves open source and works on the Kubernetes project. When not hacking on random things you'll most likely find him climbing rocks somewhere.
Salon 4

4:45pm EDT

Credentials 201: Demystifying Identity Federation - Billy Lynch, Chainguard
Tuesday October 22, 2024 4:45pm - 5:15pm EDT
OIDC, STS, Workload Identity, Identity Federation. These concepts are often pointed to as best practices for managing CI/CD and other machine identities. They allow you to reduce the risks of long lived credentials by moving to short lived, workload specific identities. But how do they work? In this talk, we'll do a deep dive into each of these topics and how they relate to each other. We'll walk through the practical steps of using identity federation in your own workloads - how tokens are constructed, how they are verified, how they can be exchanged to be compatible across different hosted services, and what policies you may want to enforce on identity federation to keep your resources secure. You'll come away from this talk with a deeper understanding of identity federation and how it works, and hopefully with some ideas for how you can use it in your own environments to improve your security!
Speakers
Billy Lynch
Staff Software Engineer, Chainguard
Billy is a staff software engineer at Chainguard, working on developer tools and securing software supply chains for everyone! He is an active contributor and maintainer to the Sigstore, Tekton, and gittuf projects, and is the creator of Sigstore Gitsign.
Salon 1

5:00pm EDT

Fortify Your Code: Secure Your Supply Chain with Scorecard - Aditya Soni, Forrester
Tuesday October 22, 2024 5:00pm - 5:15pm EDT
In the complex landscape of software development, managing the security and integrity of open-source software (OSS) components always seems complex, but wait! This lightning talk is all about a solution to that problem: Scorecard, a robust tool designed to assess and mitigate risks associated with OSS projects. By leveraging Scorecard, organizations can gain insights into the security posture of their dependencies, identify potential vulnerabilities, and implement best practices to fortify their supply chain. Attendees will learn from real-world use cases demonstrating the effectiveness of Scorecard in countering source code level problems, subverted source code control systems, and compromised build systems.
Speakers
Aditya Soni
DevOps Engineer II, CNCF Ambassador, Forrester
Aditya Soni is a DevOps/SRE tech professional. He has worked with product- and service-based companies including Red Hat and Searce, and is currently positioned at Forrester Research as a DevOps Engineer II. He holds AWS, GCP, Azure, RedHat, and Kubernetes certifications. He is a CNCF Ambassador...
Skelton

5:20pm EDT

Securing Nationally Critical Air-Gapped Infrastructure: Open-Source Code Signing and Beyond - Dr. Kanchan Panta, Raytheon | An RTX Business
Tuesday October 22, 2024 5:20pm - 5:50pm EDT
With the exponential rise of cyber-attacks, the importance of using an air-gapped system for nationally critical infrastructure is growing, as an air-gapped system is an effective barrier against various cyberattacks. One of the measures adopted to secure nationally critical air-gapped infrastructure is implementing Open-Source code signing in the environment, the most straightforward approach. However, if the code-signing processes and tools are not deployed properly, the infrastructure will not achieve the benefit of code signing, leaving the infrastructure vulnerable to various code-signing system threats. This session will discuss lessons learned working in an air-gapped system, including:
• The challenges of Open-Source code-signing in an air-gapped infrastructure to achieve improved security and customer confidence in code authenticity and integrity.
• Significant threats to the code-signing system and the best practices to mitigate the risks.
• Recommendations for improving the security of the software supply chain during the air-gapped infrastructure software life cycle.
• Security controls to implement when code-signing is not feasible for some air-gapped infrastructure.
Speakers
Dr. Kanchan Panta
Sr. Principal Cyber Engineer, Raytheon | An RTX Business
Accomplished Information System Security Professional with proven experience developing, integrating, and sustaining information security programs ranging from $30 million to $500 million multi-year sustainment contracts supporting nationally critical missile warning, missile defense...
Skelton

5:20pm EDT

Mastering Dependency Management in C/C++ with Vcpkg: Secure and Simplified OSS Integration - Pablo Rodriguez Avila, Microsoft
Tuesday October 22, 2024 5:20pm - 5:50pm EDT
During this session, I will introduce Vcpkg, a powerful tool for consuming open-source software (OSS) in C and C++ applications. Vcpkg allows you to integrate your favorite libraries in a secure, compliant, and straightforward manner. This open-source project is backed by both the community and Microsoft, ensuring robust support and continuous improvement. I will demonstrate how Vcpkg enhances the security of your Software Supply Chain and discuss the key advantages of using it. Additionally, I will provide a short tutorial on using Vcpkg to install a C++ library and integrate it into your C++ project with CMake. Vcpkg supports and encourages the consumption of popular OSS libraries such as OpenTelemetry, gRPC, OpenSSL, and many more. Thanks to Vcpkg, you can access hundreds of libraries, including your favorite CNCF projects!
Speakers
Pablo Rodriguez Avila
Pablo Rodriguez, Software Engineer at Microsoft, Microsoft
Hello! My name is Pablo, and I am currently a Software Engineer at Microsoft. I have always been passionate about writing software, and in the past few years, my focus has shifted towards Observability. Currently, I work on Azure Monitoring at Microsoft, where I help organizations...
Salon 4

5:20pm EDT

Validating Validations - Who's Watching the Watcher? - Megan Wolf, Defense Unicorns
Tuesday October 22, 2024 5:20pm - 5:50pm EDT
This session will focus on the validation of Kubernetes webhook controllers. Currently, testing of these types of controllers is largely the onus of the developers. While the standard unit and end-to-end tests may be sufficient for rolling out a product, the other half of the responsibility lies with the user to independently validate these controllers in their environment. The intent is to lay out a framework that supports how end-users may interrogate these controllers to validate their behaviors, particularly with respect to how that behavior satisfies various controls, e.g., regulated standards or best practices. Our framework looks at using an open source tool, Lula, to add cluster resources, measure the response of the controller, and output a validation of the controller's behavior. The result is a repeatable and scalable evaluation of webhook controllers. This evaluation becomes more critical as environments scale and more complex admission/mutation is introduced. These controllers are often performing critical security functions in the environment and should be continually monitored and evaluated for their efficacy, particularly as the system they exist in evolves.
Speakers
Megan Wolf
Software Engineer, Defense Unicorns
Megan is a software engineer at Defense Unicorns, focused on helping solve software challenges for the DoD. Her primary role is a developer on the Lula open source tool which enables faster and more robust evaluation of system compliance to various controls and standards.
Salon 1
 
Wednesday, October 23
 

9:00am EDT

Keynote Sessions: To Be Announced
Wednesday October 23, 2024 9:00am - 9:50am EDT
Skelton

9:50am EDT

Setting the Standard - Safely Operationalizing OSS Contributions - Brenton Stevens, Open Source Compliance Manager, Fannie Mae
Wednesday October 23, 2024 9:50am - 10:05am EDT
This session provides a view into how OSPOs can balance good corporate citizenship while maintaining security in a highly regulated, low risk fintech organization. This involves strategies for effective partnering with DevSecOps stakeholders and the internal developer community.
Speakers
Brenton Stevens
Open Source Compliance Manager, Fannie Mae
Technology and organizational change management expert spanning public and private sector industries. Currently the Open Source Compliance Lead at Fannie Mae responsible for the development and implementation of an enterprise Open Source Standard.
Skelton

10:05am EDT

Break + Networking
Wednesday October 23, 2024 10:05am - 10:35am EDT
Hagood Reception Room

10:35am EDT

Scorecard at Scale: Old and New Possibilities for Lifting Security on All Repositories - Jeff Mendoza, Kusari & Stephen Augustus, Cisco Systems, Inc.
Wednesday October 23, 2024 10:35am - 11:05am EDT
OpenSSF Scorecard assesses the security posture of a git repository and produces an overall score. This has proven useful for organizations to improve the security of their many repositories overall. However, this task is not a small undertaking. The act of running Scorecard, collecting the result, and interpreting the results is complex and can be done in different ways. This presentation covers multiple strategies for accomplishing Scorecard at Scale, including some new possibilities from the Scorecard team. Options include the Scorecard API, Scorecard Action, Scorecard Monitor, and Allstar. We will explore setup, execution, and results format for these options, then dig into extracting actionable insights from results as well.
Speakers
Stephen Augustus
Head of Open Source, Cisco Systems, Inc.
Stephen is the Head of Open Source at Cisco, working within the Strategy, Incubation, & Applications (SIA) organization. Across the wider LF (Linux Foundation) ecosystem, Stephen has the pleasure of serving as a member of the OpenSSF Governing Board, the OpenAPI Initiative Business...
Jeff Mendoza
Software Engineer, Kusari
Jeff is an OpenSSF Scorecard Steering Committee member, and a maintainer on both the Allstar and GUAC projects. He also Co-Chairs the OpenSSF Securing Critical Projects Working Group. Jeff is a software engineer at Kusari, focused on Open Source, Cloud Native, and Supply Chain Security...
Skelton

10:35am EDT

Assessing Open Source Software Projects in the Software Supply Chain - Scott Hissam, Carnegie Mellon Software Engineering Institute & Joshua "CoCo" Crisp, Unified Platform (USCYBERCOM)
Wednesday October 23, 2024 10:35am - 11:05am EDT
The US Department of Defense, like many industrial, academic, and government institutions across the world, is intricately dependent on open source software and seeks concrete means to objectively assess the trustworthiness of not only the products of the OSS ecosystem but also the processes enacted by projects to produce that software. One such DoD project, Unified Platform, is developing techniques to evaluate publicly available information from OSS projects to determine the risk levels associated with using the open source software, both now and in the future. Current efforts are concentrating on evaluating a project’s processes, policies, and practices. This includes leveraging tools such as MITRE’s Hipcheck, the Open Source Security Foundation’s Scorecard, and other sources to support Unified Platform's Software Approval Process and Software Supply Chain Practices. This presentation will cover how these techniques are providing the insight needed by this DoD project to address emerging DoD guidance in the use of open source software.
Speakers
Joshua Crisp
Chief Information Security Officer, Unified Platform (USCYBERCOM)
Unified Platform Chief Information Security Officer supporting USCYBERCOM and JCWA. I've spent a little over 5 years supporting Unified Platform capabilities for cybersecurity, cloud infrastructure, cybersecurity for Air Force's Platform One program (IronBank, BigBang, PartyBus...
Scott Hissam
Senior Member of the Technical Staff, Carnegie Mellon Software Engineering Institute
Based in San Antonio, TX where I manage and coordinate local staff and technical activities in support of and DoD organizations. I am also a technical lead/program manager, leading research to practice in software engineering and software technology for acquisition and sustainment of...
Salon 1

11:10am EDT

Ace of Base: Meeting the OpenSSF Security Baseline with Minder - Adolfo García Veytia, Stacklok
Wednesday October 23, 2024 11:10am - 11:40am EDT
The OpenSSF Security Baseline proposes a framework for a common security posture across open source projects. The baseline requirements are designed to match the OpenSSF's project lifecycle: each level has been designed to provide increasing levels of protection with as little effort as possible. They range from secure repository configuration to the production of security metadata such as SBOMs and SLSA attestations. These requirements may sound daunting, but the path forward is bright! The OpenSSF community has been working hard to create tools, specifications, and libraries to help harden the global software supply chain. While we have built amazing tooling to automate compliance, orchestration can still be challenging. Understanding at scale which resources are falling short of the baseline expectations needs coordination and remediation. Luckily, this is where Minder comes in! Minder is an open source platform that monitors your repositories, builds, and artifacts to ensure they match a declared security posture. In contrast to other tools, it reconciles the state of your resources to match your desired state. Join Puerco for a live demo of meeting baseline compliance!
Speakers
Adolfo García Veytia
Staff Software Engineer, Stacklok
Adolfo García Veytia (@puerco) is a software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads, actively on the Release Engineering team. He specializes in improvements to automation behind the Kubernetes release process. He is also the creator of OpenVEX...
Skelton

11:10am EDT

ClearlyDefined: A Crowdsourced Database of Licensing Metadata - Nick Vidal, Open Source Initiative & Lynette Rayle, GitHub
Wednesday October 23, 2024 11:10am - 11:40am EDT
ClearlyDefined is a free service and open source project from the Open Source Initiative (OSI) that helps organizations ensure supply chain compliance and security. Generating SBOMs at scale for each stage of the supply chain, for every build or release, has proven to be a real challenge. And fixing the same missing or wrongly identified licensing metadata over and over again has been a redundant pain for everyone. This is where ClearlyDefined shines: it makes it really easy for organizations to fetch, through a simple API, a cached copy of the licensing metadata for each component and to fix any issues, and that metadata is always up to date thanks to its crowdsourced database. In this session, we'll provide an introduction to ClearlyDefined and discuss the latest developments. We'll provide case studies of how organizations like GitHub, SAP, Microsoft, and Bloomberg are leveraging ClearlyDefined not only for their own needs internally, but for the benefit of all.
Speakers
Lynette Rayle
Senior Software Engineer, GitHub
Lynette Rayle is a Senior Software Engineer at GitHub working on license compliance solutions. She is the technical lead for internal work to accurately identify licenses and attributions for dependencies and has worked on all systems related to the license compliance process. She...
Nick Vidal
Community Manager, Open Source Initiative
Nick Vidal is Community Manager at the Open Source Initiative and Outreach Chair at the Confidential Computing Consortium from the Linux Foundation. Previously, he was the Director of Community and Business Development at the Open Source Initiative and Director of Americas at the...
Salon 1

11:10am EDT

Navigating the Open Source Policy Labyrinth: Unraveling Global Policy Efforts for a Secure Future - Dan Lorenc, Chainguard
Wednesday October 23, 2024 11:10am - 11:40am EDT
OSS underpins the digital infrastructure of our society, so ensuring its security has never been more critical. This talk will delve into the intricate web of public policy initiatives aimed at enhancing the security of OSS. From the President’s EO on Cybersecurity in the US to the ambitious EU Cyber Resiliency Act, we will explore how these pivotal regulations are shaping the landscape of software security. We will also shed light on forward-thinking policy initiatives such as Secure by Design, SLSA, and Software Self Attestation, examining how they complement and reinforce existing legislation. By weaving together these diverse strands of policy, this session will provide a comprehensive overview of the current policy ecosystem, highlighting the connectedness of these initiatives and uncovering potential gaps and areas where there is significant disconnect. As the world grapples with the complexities of building and securing OSS, understanding the global policy landscape becomes essential for developers, policymakers, and industry leaders alike. Join me to gain a clear perspective on how policy efforts are converging to create a more secure and resilient open source future.
Speakers
Dan Lorenc
CEO and Co-Founder, Chainguard
Dan Lorenc is co-founder and CEO of Chainguard, a leading software supply chain security company. He started projects like Minikube, Skaffold, and Kaniko to make containers easy and fun, then got so worried about the state of OSS supply-chains he helped found the Tekton and Sigstore...
Salon 4

11:45am EDT

Project Copacetic: Directly Patch Container Image Vulnerabilities - Ashna Mehrotra, Microsoft
Wednesday October 23, 2024 11:45am - 12:15pm EDT
Software supply chain security is more important than ever. Yet maintaining secure container images is challenging, because patch options can be limited: wait impatiently for third-party image updates to be released, especially for images with multi-publisher dependencies, or perform your own full image rebuild, a time and resource-intensive process. Project Copacetic (Copa) reduces turnaround time and complexity for image patching. Copa integrates into existing build infrastructure, giving users greater control over their patching timeline while reducing costs. Using image scanners like Trivy, Copa generates a vulnerability report and identifies necessary OS-level package updates. Copa then updates your target image using Buildkit (Docker’s default builder) by creating a new patch layer on the original image. Copa can even patch distroless images. We’ll demo Copa, including how to integrate it into pipelines, extend its functionality with scanner formats, and exclude scanners to update all outdated packages. You’ll leave ready to keep your images secure. As a newly accepted CNCF sandbox project, Copa invites you to join the community and advance your software security!
Speakers
Ashna Mehrotra
Software Engineer, Microsoft
Ashna Mehrotra is a software engineer on the Upstream Security team, working on cloud-native open source security projects at Microsoft.
Salon 1

11:45am EDT

Evolution of Risk-Management in Software - Vincent Danen, Red Hat
Wednesday October 23, 2024 11:45am - 12:15pm EDT
Over the last 50 years, technology has evolved to become critical and indispensable to industries and communities around the globe. Security practices have changed in reaction to these evolutions, yet not to the same degree. Security continues to play catchup in a number of areas and we continue to hang onto old and demonstrably inefficient practices in some areas, such as vulnerability (or patch) management. How do we reconcile the need to reduce risk while investing in future technology innovations and how do we ensure finite resources target real, and not perceived, threats?
Speakers
Vincent Danen
Vice President, Red Hat Product Security, Red Hat
Vincent Danen lives in Canada and is the Vice President of Product Security at Red Hat. He joined Red Hat in 2009 and has been working in the security field, specifically around Linux, operating security and vulnerability management, for over 20 years.
Salon 4

12:15pm EDT

Lunch (Attendees on Own)
Wednesday October 23, 2024 12:15pm - 1:45pm EDT

1:45pm EDT

A Glimpse Into OSS Vulnerability Disclosure Practices - Jessy Ayala, UC Irvine
Wednesday October 23, 2024 1:45pm - 2:15pm EDT
In open-source software (OSS), software vulnerabilities are at an all-time high. We conduct a study focusing on security advisories and bug bounty reports as perspectives for exploring OSS vulnerability disclosure practices. In addition, we interviewed 17 OSS maintainers and reached out to MITRE to further raise awareness and resolve bottlenecked CVEs we identified. Our findings reveal struggles in conducting efficient vulnerability review, the absence of CVEs in the National Vulnerability Database for Critical vulnerabilities, and ranked OSS maintainer vulnerability management challenges. Such findings reveal gaps that hinder the spread of alerts to affected projects. We offer actionable recommendations to enhance OSS project security, improve review rates, and promote robust vulnerability disclosure practices. Overall, we reveal gaps in the current OSS security landscape to provide valuable insights for OSS maintainers and contributors, vulnerability database maintainers, and the broader OSS community.
Speakers
Jessy Ayala
PhD Student, UC Irvine
Jessy is a PhD student at UC Irvine studying problems where software engineering meets security. In particular, Jessy is interested in investigating and addressing software supply chain security concerns from various angles. In his free time, Jessy enjoys writing music and training...
Skelton

1:45pm EDT

Beyond the CVE: Operationalizing SBOMs for Risk-Based Component Analysis - Cortez Frazier Jr., FOSSA
Wednesday October 23, 2024 1:45pm - 2:15pm EDT
One of the common themes in new regulations related to software bill of materials (SBOMs) is the need to go beyond inventorying only software packages and their known vulnerabilities. The FDA, for example, requires end-of-life (EOL) and level-of-support information for all components. PCI DSS 4.0 requires component inventories to be used to “facilitate” vulnerability management, which is another area where understanding package health can be useful. But getting EOL and level-of-support information can be challenging for open source components. How do you determine the EOL date for a project maintained by a scattered network of developers? How do you assess support level? How do you proactively plan refactor efforts for software packages that haven’t been updated for years? This session will explore tangential risk indicators beyond CVEs, data sources for obtaining support status in open source components, strategies for proactive application refactors, and how to communicate these health signals in your SBOMs.
Speakers
Cortez Frazier Jr
Principal Product Manager, FOSSA
Cortez Frazier Jr. is a Principal Product Manager at FOSSA. He leads development for the company’s SBOM (software bill of materials) and vulnerability management solutions. Before joining FOSSA, Cortez served as product lead for all of Puppet’s SaaS-based products, primarily within...
Salon 4

2:20pm EDT

Why Is My Software on Fire? - Laurent Goderre, Docker
Wednesday October 23, 2024 2:20pm - 2:30pm EDT
Product recalls and Supply Chain Management have been used for decades with great success to help identify the source of unexpected hazards in products (from exploding batteries to spider attracting fuel lines) and protect consumers from these hazards. While developing software can be considerably different than developing and manufacturing physical products, there are lessons to be learned about the importance of properly identifying all the components that are included in a product. In this session, we will cover the importance of versioning both as a consumer and a producer of open source software and its impact on security.
Speakers
Laurent Goderre
Software Engineer, Docker
Laurent is a software engineer with over 20 years of experience in software development in the private and public sectors with extensive experience contributing to open source software. Since 2016, he has built and maintained Docker Official Images before joining Docker in 2023 to...
Salon 1

2:20pm EDT

Policy as Code: Access Control Security Done Right - Raz Cohen, Permit.io
Wednesday October 23, 2024 2:20pm - 2:50pm EDT
In today's fast-paced world of software development, building a product might be straightforward, but ensuring its security is a distinct challenge.

Dive into the world of "Policy as Code" and uncover the transformative power of integrating an authorization layer directly into your codebase.

From highlighting the significance of security (with a nod to the OWASP Top Ten) to delving into the nuances of access control models like ABAC, RBAC, and REBAC, this talk offers a comprehensive look at the landscape of policy-driven security. Furthermore, attendees will gain insights into the capabilities and distinctions of leading policy engines, including OPA, AWS Cedar, and OpenFGA.

In our modern era of application development, policies aren't just a choice—they are a mandate.

Discover how you can seamlessly embed them into your workflow and bolster your stack's security.

Join me and elevate your security game to the next level!
Speakers
Raz Cohen
Core Tech Lead, Permit.io
I'm Raz Cohen, Head of Platform at Permit.io. With over eight years in Kubernetes, cloud-native solutions, open-source projects, Python, and Golang, I've become a specialist in Developer Tools. I've spoken at tech events like KubeCon EU Paris 2024, Cloud Native London, OpenSecurity...
Salon 4

2:20pm EDT

Unpaid Maintainers: The Security Threat No One Is Talking About (yet) - Lauren Hanford, Tidelift
Wednesday October 23, 2024 2:20pm - 2:50pm EDT
It’s hard to be an open source maintainer in 2024. Despite increasing demands, 60% maintainers still don’t get paid for their work and 58% have considered quitting or already quit maintaining their projects. Earlier this year, the xz utils scare brought to light the very real implications of what could happen when maintainers are not supported. While this particular attack was caught, the bottom line is most maintainers are unpaid hobbyists who do not receive both the financial or societal (community, mental health, training, time) support needed to ensure the security and resilience of the open source software we all rely on. Overworked and underappreciated maintainers are a huge problem that leads directly to organizational security risk. So what can you do about it? This session will share maintainer perspective on xz and how it has affected the way they approach their work. We'll discuss a set of tips security-conscious leaders can take away to decrease their security risk from under-maintained open source packages. Finally, we'll look at some benefits that downstream consumers receive when maintainers are paid to ensure their projects remain secure and healthy.
Speakers

Lauren Hanford

VP of Product, Tidelift
Lauren Hanford is VP of Product at Tidelift, working alongside maintainers to deliver secure software outcomes. At her heart, she is a UX researcher and approaches technology from a user-centered place. Lauren created the TACOS framework for open source secure development practices... Read More →
Skelton

2:35pm EDT

How to Use CNCF’s Falco to Protect Yourself from the New SCARLETEEL Attack! - Parthi Srinivasan & Marat Salakhutdinov, Sysdig
Wednesday October 23, 2024 2:35pm - 2:45pm EDT
SCARLETEEL, a recently discovered attack pattern, starts from a compromised Kubernetes container and spreads to the victim’s AWS account. Luckily, the open-source Falco and its new plug-in approach can detect this kind of threat at cloud runtime!
Speakers

Marat Salakhutdinov

Senior Customer Solutions Architect, Sysdig
Marat has more than 15 years of tech and internet industry experience. Currently, he is a Senior Customer Solutions Engineer devoted to helping customers secure their cloud native platforms and applications. Before joining Sysdig, he was working as a DevOps consultant and delivering... Read More →

Parthiban Srinivasan

Senior Customer Success Solution Architect, Sysdig.com
I specialize in runtime threat detection, delivering impactful strategies and solutions that fortify Fortune 500 companies against evolving security challenges.
Salon 1

2:50pm EDT

Trojan Model Hubs: Hacking the ML Supply Chain & Defending Yourself from Threats - Sam Washko & William Armiros, Protect AI
Wednesday October 23, 2024 2:50pm - 3:20pm EDT
In this age of open source in machine learning, ML practitioners increasingly rely on public model hubs to download foundation models to fine-tune instead of creating models from scratch. However, compromised artifacts are very easy to share on these hubs. ML model files are vulnerable to Model Serialization Attacks (MSA): the injection of malicious code that executes automatically when the file is deserialized. MSAs are the Trojan horses of ML, capable of turning a seemingly innocuous model into a backdoor into your system. So, what can you do about it? In this talk, we explore two strategies that use open-source tools to mitigate the risk of MSAs and other supply chain attacks on ML: model scanning with ModelScan by Protect AI and cryptographic signing with Sigstore by OpenSSF. Model scanning is our window into black-box model files. Cryptographic signatures link an artifact to a source’s identity, backed by a trusted authority. Scanning and signing are both widely used defenses for traditional software artifacts, but they have not yet been widely adopted in AI. We will demonstrate how these tools can bridge the AI/ML security gap and stop Trojan horses at the gate.
Speakers

William Armiros

Senior Software Engineer, Protect AI
William is a Senior Software Engineer at Protect AI, where he is building systems to help ML engineers and data scientists introduce security into their MLOps workflows effortlessly. Previously, he led a team at AWS working on application observability and distributed tracing. During... Read More →

Sam Washko

Senior Software Engineer, Protect AI
Sam Washko is a senior software engineer passionate about the intersection of security and software development. She works for Protect AI developing tools for making machine learning systems more secure. She holds a BS in Computer Science from Duke University, and prior to joining... Read More →
Salon 1

2:50pm EDT

Easier, Faster, and Safer Open Source Consumption Governance - Brando Himes & Brian Greenwood, The Vanguard Group
Wednesday October 23, 2024 2:50pm - 3:20pm EDT
This talk will follow one organization's journey to enable and automate open source consumption while providing guardrails for the legal and security issues that can result. By sharing our journey, we hope to spark discussion about our decisions and learn how others have addressed these same challenges. Our goal is to make governing open source consumption easier, faster, and safer for all.
Speakers

Brian Greenwood

Technical Lead, The Vanguard Group
Brian is currently a technical lead on the Developer Experience (DevEx) team at Vanguard. In his 6 years, he has supported the company's ETF management system, managed cloud infrastructure for data scientists and analysts, maintained a serverless developer platform, and helped further... Read More →

Brando Himes

Architect, The Vanguard Group
In Brando's 15 years at Vanguard, he has been a technical lead on several retirement plan experience releases, contributed to the architecture of CD pipelines, supported the developer toolchain, incubated innovation projects, and most recently focused in on improving the environments... Read More →
Skelton

2:50pm EDT

PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem - William Woodruff, Trail of Bits
Wednesday October 23, 2024 2:50pm - 3:20pm EDT
PyPI is the official package index for the Python programming language, and one of the largest OSS package indices, serving over 1.2 billion downloads of over 500,000 unique packages each day to millions of Python developers and hundreds of millions of downstream users. As the cornerstone of a massive and diverse language ecosystem, changes to PyPI's security posture (and the security features it offers) represent a significant operational challenge, one shared by indices of similar size and criticality (such as NPM, RubyGems, and Crates). This talk is about one such change in PyPI's security posture: the creation and (ongoing) implementation of PEP 740, or "Index support for digital attestations." This talk will go through the details of PEP 740, how it relates to (and integrates with) standards like Sigstore, in-toto, and SLSA, and how PyPI (and Python packaging more broadly) is using PEP 740 to "bootstrap" strong, maintainer-driven digital provenance for Python packages on top of PyPI's pre-existing support for Trusted Publishing, without the traditional downsides of key and identity management, complex signing ceremonies, and so forth.
Speakers

William Woodruff

Engineering Director, Trail of Bits
William Woodruff is an Engineering Director at Trail of Bits, a NYC-based consultancy. He splits his time between OSS engineering and running the Ecosystem Security group, which is responsible for contributing security and usability improvements to a wide range of OSS tools and services... Read More →
Salon 4

3:20pm EDT

Break + Networking
Wednesday October 23, 2024 3:20pm - 3:50pm EDT
Hagood Reception Room

3:55pm EDT

The Simple, Yet Lethal, Anatomy of a Software Supply Chain Attack - Erez Yalon, Checkmarx
Wednesday October 23, 2024 3:55pm - 4:25pm EDT
While commercial supply chain attacks are becoming more manageable, security teams have a much harder time with open-source software supply chains. This session will provide an attacker's perspective of open-source flows and flaws and dive into several unique supply chain weaknesses. Demos will show the ease of conducting different attacks and provide a perspective on defeating them as defenders.
Speakers

Erez Yalon

VP of Security Research, Checkmarx
Erez Yalon is the VP of Security Research at Checkmarx, the Founder of the DEF CON's AppSec Village, and the founder and co-leader of the OWASP API Security Project. Over the years, Erez has been invited to speak at prominent events, including RSAC, Black Hat, DEF CON, and OWASP’s... Read More →
Salon 1

3:55pm EDT

Navigating the Quantum Readiness Journey: Hands-on Guidance for Starting Your Migration - Eric Mizell, Keyfactor
Wednesday October 23, 2024 3:55pm - 4:25pm EDT
Cryptography is a fundamental cornerstone of cybersecurity and is omnipresent in every engineer's work. As quantum computing advances rapidly and NIST standardizes new algorithms, the urgency of preparing for its impact on cybersecurity grows. Join our educational journey into crypto agility and quantum readiness. This presentation equips engineers and security experts with tools to understand and navigate quantum-resistant cryptography and to conduct hands-on experiments tailored to their own use cases. Our talk addresses the question: "What is the quantum computing threat, and what can I do about it?" We will explore the landscape of quantum-ready security and different migration scenarios, emphasizing the need for crypto agility. This includes reassessing and updating standard protocols and security mechanisms such as mTLS and X.509 certificates. We will provide an overview of current standardization efforts, including European and American initiatives. Emphasizing the importance of community collaboration, we aim to achieve high-quality, interoperable cryptographic implementations.
Speakers

Eric Mizell

Field CTO, Keyfactor
Eric Mizell is a developer turned security expert. Beginning his career in engineering and leadership roles at Hortonworks and OverOps, Eric then shifted his focus to security, having seen first-hand the security gaps in many DevOps environments. As Field CTO at Keyfactor, Eric works... Read More →
Skelton

3:55pm EDT

Supply-Chain Security, Outside in: What Helping ~200 Projects Improve Their Security Looks Like - Pedro Nacht & Diogo Teles Sant'Anna, Google
Wednesday October 23, 2024 3:55pm - 4:25pm EDT
The greatest challenge in open-source supply-chain security is how unrewarding it feels. Maintainers have to do the vast majority of the work necessary to improve a repository's supply-chain security. But – other than the satisfaction of a job well done – they get almost no benefit from it. Supply-chain security improvements don't add features, squash bugs, or improve performance. Instead, the benefits fall entirely on the package's consumers, who can feel safe depending on that package. In 2023, the Google Open Source Security Team (GOSST) began work to help maintainers carry this burden. We approached ~200 open-source projects of critical importance to the ecosystem, hoping to help them improve their supply-chain security. This presentation will describe the philosophy behind the team's approach, our overall results (500+ contributions, 90% accepted!), and key lessons learned. We hope to inspire you – consumer, maintainer, or someone who's just interested in this sort of thing – to learn from our mistakes and outdo our successes. Help us help maintainers keep open source secure.
Speakers

Pedro Nacht

Software Engineer, Google
Professionally... I've been around. A structural engineer by training, I quickly moved to writing engineering software. After completing an MBA, I became a financial data analyst. Hoping to make more of an impact, I joined Google's Open Source Security Team (GOSST). In GOSST's Upstream... Read More →

Diogo Teles Sant'Anna

Software Engineer, Google
Passionate about technology, I began my studies in Computer Engineering in 2016 at the University of Campinas (UNICAMP, Brazil), and now I'm working as a Software Engineer at Google. Since 2022, I have worked on the Google Open Source Security Team (GOSST).
Salon 4

4:30pm EDT

Back to Security Basics: Evaluating, Consuming, and Contributing Open Source Software - Katherine Druckman, Intel Corporation
Wednesday October 23, 2024 4:30pm - 4:40pm EDT
We won! Open source software is everywhere... so now what? Shifting left starts at the beginning – ensuring the security of open source software requires careful evaluation, use, and contribution. This talk will cover some important challenges in securely consuming open source software. Attendees will learn to evaluate projects based on active maintenance, patch cycles, and vulnerability management. We will explore the role of project documentation, code contribution expectations, and community involvement in project maturity and code quality, as well as tools and community guidance. Walk away with the beginnings of a practical framework and checklist that you can mold to your own needs.
Speakers

Katherine Druckman

Open Source Evangelist, Intel
Katherine Druckman is an Open Source Evangelist at Intel where she enjoys sharing her passion for a variety of open source topics. She is a long-time open source advocate, developer, and podcaster, and is currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality... Read More →
Skelton

4:30pm EDT

Future-Proof Your Security Posture: Automating Security Patches and Managing Dependencies with Bots - Nilekh Chaudhari, Microsoft
Wednesday October 23, 2024 4:30pm - 5:00pm EDT
As software products and services increasingly rely on third-party or open-source components, ensuring the security and currency of these dependencies becomes paramount. Development teams must stay ahead of security issues, promptly update dependencies, and be alerted when new vulnerabilities arise. To save time and mitigate risk, it’s crucial to automate the process of updating dependencies with the latest functionality and security patches. Automated pull requests can streamline the process, allowing developers to focus on critical tasks while retaining control over the final merge and production rollout. But how do we achieve this? Enter Dependabot! In this session, Nilekh will demonstrate how to leverage Dependabot (and others like Renovate Bot) to automatically manage Docker image dependencies for Helm charts and native Kubernetes YAML resource files.
Speakers

Nilekh Chaudhari

Software Engineer, Microsoft
Nilekh is a Software Engineer at Microsoft, specializing in Kubernetes. He actively contributes to SIG Auth and SIG API Machinery and is a core maintainer of the Secrets Store CSI Driver, the Azure Provider for the Secrets Store CSI Driver, and the Gatekeeper Library project.
Salon 1

4:30pm EDT

Role-Based Access Is so Yesterday: Revolutionizing Authorization with Open FGA - Kiah Imani, Auth0 by Okta
Wednesday October 23, 2024 4:30pm - 5:00pm EDT
Traditional role-based access control (RBAC) systems just don't cut it for modern, complex applications. In this talk, we'll dive into how Open FGA, an open-source fine-grained authorization solution, tackles these challenges head-on. We'll highlight the shortcomings of RBAC and show how Open FGA uses relationship-based access control (ReBAC) to offer a more flexible and detailed approach. You'll see how this tool can boost security, performance, and access management across various systems. If you’re curious to learn why the future of authorization is fine-grained and how Open FGA is paving the way, you don’t want to miss this session.
Speakers

Kiah Imani

Sr. Developer Advocate, Auth0 by Okta
Kiah is a developer who advocates for all things identity at Auth0. She is a public speaker who regularly presents at conferences and is a self-proclaimed opinionated knowledge seeker. Kiah has 13 years of experience covering both engineering and business roles and prides herself... Read More →
Salon 4

4:45pm EDT

The Power of Confidential Computing: Exploring Open Source Projects - Sal Kimmich, Confidential Computing Consortium, Linux Foundation
Wednesday October 23, 2024 4:45pm - 4:55pm EDT
Explore how confidential computing is revolutionizing data security through Open Source projects within the Confidential Computing Consortium (CCC) at the Linux Foundation. This session will delve into the value that confidential computing brings to businesses by ensuring data protection even during processing. Highlighting key projects like COCONUT-SVSM, Occlum, Islet, and others, we will showcase how these Open Source initiatives enhance privacy and security. Learn how integrating these projects can mitigate risks, improve compliance, and foster innovation. This talk is designed for decision-makers in compute security and compliance, particularly those interested in secure federated compute. We will cover real-world examples, from finance to human trafficking, to demonstrate the power and versatility of Confidential Computing. Join us to understand the future of secure data processing and the pivotal role of Confidential Computing in advancing Open Source solutions.
Speakers

Sal Kimmich

Technical Community Architect, Confidential Computing Consortium, Linux Foundation
Sal is an advocate for open source, passionate about helping engineers, ethical hackers, and digital enthusiasts navigate modern software development. With over a decade of experience building cloud-native machine learning pipelines in healthcare and tech for good sectors, Sal now... Read More →
Skelton