SOSS Fusion 2024 has ended
October 22-23, 2024 | Atlanta, Georgia USA


Monday, October 21
 

1:00pm EDT

OpenSSF Scorecard 2024 [Pre-Registration Required]
Monday October 21, 2024 1:00pm - 4:00pm EDT
Registration Cost: $0, but pre-registration is required

The OpenSSF Scorecard workshop offers a valuable hands-on onboarding opportunity. Participants can engage directly with project maintainers and potentially submit their first PR to the OpenSSF Scorecard in real-time. The session starts with an overview of the project and its architecture, followed by tailored breakout discussions based on participant interests.

Add this workshop to your SOSS Fusion registration at no additional cost.

Agenda for OpenSSF Scorecard 2024

1:00 pm - Intro to OpenSSF Scorecard & Architecture (High level)
1:20 pm - Walk through Contribution Guidelines
1:30 pm - Present Work Ideas
1:45 pm - Questions / Split into Breakout Groups
2:30 pm - Break
2:45 pm - Continued Working Time
3:50 pm - Workshop Wrap-up
Trammel Meeting Room
  Co-Located Events
 
Tuesday, October 22
 

9:05am EDT

Keynote: Opening Remarks - Todd Moore, Senior Vice President of Community Operations, The Linux Foundation
Tuesday October 22, 2024 9:05am - 9:25am EDT
Speakers
Todd Moore, SVP Community Operations, The Linux Foundation
Salon 1
  Keynote Sessions

10:10am EDT

Keynote: There Is Just One Way to Do Open Source Security: Together - Marten Mickos, CEO, HackerOne
Tuesday October 22, 2024 10:10am - 10:25am EDT
The success of open source has always been in doing things together. This was true 20 years ago, it is true for open source security, and it is true for open source AI. Marten Mickos, CEO of HackerOne, will discuss how fragmentation and a lack of communication leave critical gaps in software security, and why by working collectively we can achieve results superior to any other method.
Speakers
Marten Mickos, CEO, HackerOne
Marten Mickos is the CEO of HackerOne, Inc., the leading vulnerability coordination and bug bounty platform. Previously Marten was the CEO of Eucalyptus Systems, acquired by Hewlett-Packard, where he served as head of the cloud business. As the CEO of MySQL AB from 2001 to 2008, Marten...
Salon 1
  Keynote Sessions

10:45am EDT

Keynote: Government's Continuing Path Contributing Towards a Secure Open Source Ecosystem - Timothy Pepper, Senior Technical Advisor, Open Source Software Security, US Cybersecurity and Infrastructure Security Agency (CISA)
Tuesday October 22, 2024 10:45am - 11:00am EDT
Throughout history, governments have often played an enabling role in technology innovation. The innovation value brought by open source software (OSS) is well known, and so is the friction that cyber-insecurity causes to innovation. But the intersection of these three topics has been less clear, until recently.
This talk will explore the emerging intersection of open source software, cybersecurity, and government by sharing the four goals in the Open-Source Software Security Roadmap published in 2023 by the US Cybersecurity and Infrastructure Security Agency (CISA):
1) establishing CISA’s role in supporting the security of OSS,
2) understanding the prevalence of key open source dependencies,
3) reducing risks to the federal government, and
4) hardening the broader OSS ecosystem;
their alignment with the National Cybersecurity Strategy’s goal of a more resilient, equitable, and defensible cyberspace; ongoing progress across 2024 toward the four goals; and potential next opportunities for alignment and collaboration across industry, academia, open source, and government looking forward into 2025 and beyond.
Speakers
Timothy Pepper, Senior Technical Advisor, Open Source Software Security, Cybersecurity and Infrastructure Security Agency
Tim Pepper is an engineer with over 25 years in open source, with contributions to Kubernetes (emeritus Steering Committee elected member, emeritus Code of Conduct Committee elected member; past SIG Release co-chair and WG LTS co-organizer), open source security projects, Linux kernel/drivers/distributions...
Salon 1
  Keynote Sessions

11:30am EDT

Artificial Intelligence Cyber Challenge (AIxCC): Overview and Releasing Research as Open Source Software - David A. Wheeler & Jeff Diecks, Linux Foundation
Tuesday October 22, 2024 11:30am - 12:10pm EDT
The Artificial Intelligence Cyber Challenge (AIxCC) is a two-year research competition sponsored by US DARPA in collaboration with ARPA-H. AIxCC asks competitors to design novel AI systems to secure critical code, specifically by finding and fixing its vulnerabilities, and provides significant prizes for the top winners. This presentation will provide an introduction to AIxCC, including its strategies and approaches. It will especially focus on the approach of releasing research as open source software (OSS) to support technology transfer, as well as discussing in-progress results of AIxCC.
Speakers
David A. Wheeler, Director of Open Source Supply Chain Security, Linux Foundation
Dr. David A. Wheeler is an expert on open source software (OSS) and on developing secure software. His works on developing secure software include "Secure Programming HOWTO", the Open Source Security Foundation (OpenSSF) Secure Software Development Fundamentals Courses, and "Fully...
Jeff Diecks, Technical Project Manager, OpenSSF, Linux Foundation
Jeff has more than two decades of experience in technology and communications with a diverse background in operations, project management and executive leadership. A participant in open source since 1999, he’s delivered digital products and applications for universities, sports...
Salon 1
  AI + Security

11:43am EDT

Continuous Assurance of Supply Chain Security Levels of Open Source Artifacts using SLSA 0.1 - Krithika Venugopal & Raj Krishnamurthy, ComplianceCow
Tuesday October 22, 2024 11:43am - 11:55am EDT
How end users can perform a reasonable verification of the SLSA provenance produced by trusted build systems, to protect against threats such as builds from modified source, a compromised build process, and downloading modified packages.
Speakers
Raj Krishnamurthy, Product Architect, ContiNube LLC
27+ years in software development, product engineering and product management, building distributed, enterprise software at cloud scale.
Krithika Venugopal, Software Engineer, ComplianceCow
Software Engineer with 17 years of experience in .NET, Java, Go, Python and security GRC middleware.
Salon 2-3
  OSS Consumption + End Users

11:58am EDT

QEMU-Native Hooking Bridge for Binary Fuzzing - Subhojeet Mukherjee, Hitachi India Pvt. Ltd.
Tuesday October 22, 2024 11:58am - 12:10pm EDT
Fuzz testing of compiled binary code is imperative when source code is not available. AFLplusplus is a popular fuzzer, responsible for discovering several vulnerabilities in open and closed source software. While fuzzing, AFLplusplus acquires code coverage feedback by emulating the target binary in QEMU usermode, thereby supporting architecture-neutral fuzzing as well. There is, however, no native instruction hooking and memory control support in QEMU. Having such an ability can greatly benefit binary fuzz testing by patching or fixing roadblock locations that lead to long-running fuzzing campaigns. The current solution is a Python wrapper, UNICORN, on QEMU that is understandably slow and, more importantly, requires significant configuration to use features that are enabled by default in AFLplusplus's raw QEMU mode. In this lightning talk, we will touch upon the QEMU native hooking bridge [https://github.com/AFLplusplus/AFLplusplus/tree/stable/qemu_mode/hooking_bridge]. We will briefly go over its design and implementation. We will then describe its usage with one or more examples. Furthermore, we will demonstrate its superiority over AFLplusplus's UNICORN mode.
Speakers
Subhojeet Mukherjee, Researcher, Hitachi India Pvt. Ltd.
Dr. Subhojeet Mukherjee is a researcher in embedded systems security. He received his PhD from Colorado State University, researching security aspects of in-vehicle networks in medium and heavy-duty vehicles. Currently, at Hitachi India Pvt. Ltd., he researches efficient testing...
Salon 2-3
  SW Development + OSS

12:15pm EDT

End-to-End Secure ML Development - Mihai Maruseac, Google
Tuesday October 22, 2024 12:15pm - 12:45pm EDT
We are seeing an increase in the number of AI-powered applications. At the same time, we are seeing that AI software repeats the same security mistakes as traditional software, but on an accelerated time frame and with higher risks. In this talk, planned as a tutorial, we aim to show how AI applications can be developed in a safe way, starting with datasets and software dependencies, building a secure software supply chain, and only accepting models in production that have clear, untampered provenance (both SLSA and an analysis of the capabilities of the models to eliminate future risks). For example, we want to be able to trace back from a bad inference in production to the potentially poisoned input in the training dataset. We will show how we can reduce the cost of retraining models in the event of an ML framework compromise by analyzing the blast radius and only retraining impacted models. To keep the audience engaged, we will follow the development story of an ML model from data collection and training all the way to deploying the model in production. At each stage, we will go over the supply chain security risks and show how these can be mitigated.
Speakers
Mihai Maruseac, Staff SWE, Google
Mihai Maruseac is a member of the Google Open Source Security Team (GOSST), working on Supply Chain Security, mainly on GUAC. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential Privacy (DP) within Machine...
Salon 1
  AI + Security

12:15pm EDT

An Inside and Outside Look at the Government’s Ongoing Journey with Open Source Tech - Austen Bryan, Defense Unicorns & Camdon Cady, US Air Force
Tuesday October 22, 2024 12:15pm - 12:45pm EDT
Outsiders looking in at government software delivery might imagine a cabal of crusty do-nothings plotting the next series of setbacks and delays to deliver to their unwitting users, or a scheming contractor masterfully extracting maximum payment for each feature delivered. Nothing could be further from the truth; in reality the civil service and the commercial ecosystem serving the government are full of hard-working people navigating a labyrinthine series of financial, contractual, technical, and cybersecurity policies and standards. Open Source software and open technology can be a critical tool for successfully steering a project through that maze in order to deliver a capability to users. In this session, we give real-world examples of the challenges to value delivery in the government, discuss some of the common misperceptions around government use of Open Source, and discuss how the use of Open Source has led to improved outcomes for users in the Department of Defense. Lastly, we discuss where we think the relationship between the private and public sector is going with respect to Open Source.
Speakers
Austen Bryan, VP of Product, Defense Unicorns
Austen Bryan, a former Active Duty Air Force officer, has spent most of his career in the DoD’s software development sector. As the VP of Product at Defense Unicorns, he leverages his experience from co-founding LevelUp Code Works and serving as COO for DoD Platform One. Bryan’s...
Camdon Cady, Platform One CTO, US Air Force
Air Force Officer, long-time nerd, working to revolutionize software delivery for the DoD from the inside.
Salon 4-6
  OSS Consumption + End Users

2:15pm EDT

Crash Course on AI Risk Management Framework - Andrew Staton, Dell Technologies
Tuesday October 22, 2024 2:15pm - 2:45pm EDT
Over the past year, AI has been the talk of the town in terms of emerging technology. There is a lot of discussion around how AI technology and capabilities will be utilized both for the betterment and the detriment of our world and those around us. One of the first attempts to manage these risks from a regulatory perspective is the AI Risk Management Framework from NIST. This session will be a crash course on that standard and some preliminary analysis and dialogue around how effective the standard will be.
Speakers
Andrew Staton, Cyber Security Advisor, Dell Technologies
Andrew Staton works as a Cybersecurity Advisor at Dell Technologies. His background entails working with and for companies of all shapes and sizes to implement and stand up a secure cybersecurity program and enhance their existing practices. He is active within the North Alabama Chapter...
Salon 2-3
  Public Policy

2:15pm EDT

Open & Secure: Novel Sandboxing Technique for Any Open Source Library - Gal Elbaz, Oligo Security
Tuesday October 22, 2024 2:15pm - 2:45pm EDT
Security teams from Google to Firefox have taught the security industry a lot about isolating running programs from the broader system through sandboxing, which fundamentally changed the way hackers need to operate to inflict damage on systems. Threat actors today need to be significantly more sophisticated and build a chain of vulnerabilities to escape sandboxes and access critical system resources for exploitation. The consistently growing number of vulnerabilities in OSS packages imposes an impossible pace of remediation and patching to stay ahead of zero-day threats evolving daily. Enter Open Source Sandboxing. In this talk we’ll present a first-of-its-kind approach, built upon the powerful eBPF and KRSI technologies, that enables you to derive the very same security benefits of browser, web-based, and mobile (iOS and Android) sandboxing for any open source library you are running in your stacks. We’ll walk through a code example of how to identify and block exploits.
Speakers
Gal Elbaz, CTO & Co-Founder, Oligo Security
Co-founder & CTO at Oligo Security with 10+ years of experience in vulnerability research and practical hacking. He previously worked as a Security Researcher at CheckPoint and served in the IDF Intelligence. In his free time, he enjoys playing CTFs.
Salon 4-6
  Security Education

2:50pm EDT

What Is Going On In Your Source Code? Understanding SCA In Plain Language - Dwayne McDaniel, GitGuardian
Tuesday October 22, 2024 2:50pm - 3:20pm EDT
Over the last few years, terms like SBOM, VEX, SLSA, and GUAC have crept into our supply chain security discussions. While we all agree from the surface that knowing what is in our code is likely a good idea, for a lot of teams, this feels like another set of boxes to check when filing security compliance paperwork. But what is really going on here, and what is driving us into this acronym soup?

In this session, we will explore multiple terms and the deeper questions of what they are trying to answer. You will walk away with a more holistic understanding of where we need to go as an industry to protect ourselves from the current and future waves of threats on the horizon. Before you throw another security tool at the problem or throw your hands up in despair, let's explore why better understanding these ideas means being able to better protect your organization.
Speakers
Dwayne McDaniel, Senior Developer Advocate, GitGuardian
Dwayne has been working as a Developer Relations professional since 2015 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. Dwayne currently lives in Chicago. Outside of tech...
Salon 1
  Security Education

2:50pm EDT

Open Source Software (OSS) Transparency for Acquisition - Scott Hissam, Carnegie Mellon Software Engineering Institute
Tuesday October 22, 2024 2:50pm - 3:20pm EDT
Systems today are primarily assemblies of reused components, many of which are Open-Source software. The reuse of common components has enabled faster fielding of systems, but all software comes with vulnerabilities, and attackers have expanded their capabilities to exploit them in products that have broad use, especially Open Source. How should an organization make appropriate trade-off choices among cost, schedule, and cybersecurity? Over the history of software engineering, we have learned that software metrics for both the process and the product are needed. We have also explored many aspects of cybersecurity measurement and determined that we must be able to measure the processes for developing and using software and how those measurement results affect the product’s cybersecurity. It is insufficient to measure only operational code, its vulnerabilities, and the attendant risk of successful hacks. Relying on the assumption that many eyeballs looking at the software ensures better security is of little value without an understanding of what was analyzed and how knowledgeable those performing the analysis were.
Speakers
Scott Hissam, Senior Member of the Technical Staff, Software Engineering Institute | Carnegie Mellon University
Based in San Antonio, TX, where I manage and coordinate local staff and technical activities in support of and DoD organizations. I am also a technical lead/program manager, leading research to practice in software engineering and software technology for acquisition and sustainment of...
Salon 4-6
  SW Development + OSS

3:25pm EDT

Living with and Leveraging GCC - James Lowden & Bob Dubner, Symas Corporation
Tuesday October 22, 2024 3:25pm - 3:55pm EDT
The GCC steering committee has accepted our project to add COBOL to GCC. This is our story of learning how to interact with a hoary, established project and (we hope) make a significant contribution.
Speakers
James Lowden, Senior Architect, Cobolworx
James spent the first 30 years of his career on Wall Street in application programming, database design, and quantitative research. Now he's in pure technology, building compilers and systems for other programmers. After decades in Manhattan, his work life is now fully virtual, and...
Salon 2-3
  Maintainer / Contributor

4:25pm EDT

5 Things OSS Can Do To Make Life Easier For The Public Sector - Eddie Zaneski, Defense Unicorns
Tuesday October 22, 2024 4:25pm - 4:40pm EDT
OSS developers play a crucial role in shaping solutions that impact the public sector. This lightning talk will highlight practical steps maintainers can take to improve adoption and usage for governmental and public service organizations. Join us as we explore how relatively small changes can lead to significant improvements.
Speakers
Eddie Zaneski, Tech Lead - Open Source, Defense Unicorns
Eddie lives in Denver, CO with his wife and dog. He loves open source and works on the Kubernetes project. When not hacking on random things you'll most likely find him climbing rocks somewhere.
Salon 4-6
  Public Policy

4:25pm EDT

From Cosign to an Ecosystem: The Evolution of Sigstore - Cody Soyland, GitHub
Tuesday October 22, 2024 4:25pm - 4:55pm EDT
Sigstore promises to democratize software signatures and attestations, providing a secure foundation for FOSS supply chains. By offering a free public certificate authority (Fulcio), a transparency log (Rekor), and a signing tool (Cosign), Sigstore has lowered the barrier to entry for developers to adopt secure software distribution practices. Moving forward, Sigstore is evolving to serve new use cases with a plethora of language integrations and new capabilities. In this talk, we will explore the evolution of Sigstore from a single CLI tool to a rich ecosystem of tools and services. We will start with a basic introduction to Sigstore, covering its core components. We will discuss the role of the Sigstore Bundle format in enabling simple interoperability for detached attestations, and how libraries like sigstore-js and sigstore-python are enabling new use cases in package managers, CI workflows, and policy enforcement tools.
Speakers
Cody Soyland, Senior Software Engineer, GitHub
Cody Soyland is a software engineer at GitHub, where he works on GitHub Artifact Attestations and contributes to the Sigstore project. He is a maintainer of the Sigstore public good instance, author of sigstore-go, and a member of the Sigstore Security Response Committee. Cody has...
Salon 1
  Maintainer / Contributor

4:25pm EDT

Validating Validations - Who's Watching the Watcher? - Megan Wolf, Defense Unicorns
Tuesday October 22, 2024 4:25pm - 4:55pm EDT
This session will focus on the validation of Kubernetes webhook controllers. Currently, testing of these types of controllers is largely the onus of the developers. While the standard unit and end-to-end tests may be sufficient for rolling out a product, the other half of the responsibility lies with the user to independently validate these controllers in their environment. The intent is to lay out a framework that supports how end users may interrogate these controllers to validate their behaviors, particularly with respect to how that behavior satisfies various controls, e.g., regulated standards or best practices. Our framework looks at using an open source tool, Lula, to add cluster resources, measure the response of the controller, and output a validation of the controller's behavior. The result is a repeatable and scalable evaluation of webhook controllers. This evaluation becomes more critical as environments scale and more complex admission/mutation is introduced. These controllers are often performing critical security functions in the environment and should be continually monitored and evaluated for their efficacy, particularly as the system they exist in evolves.
Speakers
Megan Wolf, Software Engineer, Defense Unicorns
Megan is a software engineer at Defense Unicorns, focused on helping solve software challenges for the DoD. Her primary role is a developer on the Lula open source tool, which enables faster and more robust evaluation of system compliance to various controls and standards.
Salon 2-3
  SW Development + OSS

5:00pm EDT

Secure AI Orchestration: Mitigate Model-centric Attacks with Flyte - Niels Bantilan, Union.ai
Tuesday October 22, 2024 5:00pm - 5:30pm EDT
In recent years, major progress in machine learning (ML) has led to a corresponding boom in the broader artificial intelligence (AI) space, opening up commercial applications in text, image, audio, and video generation. However, data scientists and ML engineers still face many security issues that may lead to arbitrary code execution even in the space of "classical" ML, which often involves classification or regression on tabular data.

This talk will outline some of the model-centric attacks that you should be aware of and home in on two types of attacks: malicious code injection in pickled model files, and malicious code written and executed by an LLM. We'll create a basic setup for these two attacks and see how Flyte, an open source ML orchestrator, can help mitigate some of the risks associated with them.

Finally, we'll analyze the limitations of the solutions provided by Flyte, abstract some of the ideas out in an orchestrator-agnostic way, and cover other open source tools, like `safetensors` and `onnx`, which we can leverage on top of Flyte to reduce these risks even further.
Speakers
Niels Bantilan, Chief Machine Learning Engineer, Union.ai
Niels is the Chief Machine Learning Engineer at Union.ai, and core maintainer of Flyte, an open source workflow orchestration tool, author of UnionML, an MLOps framework for machine learning microservices, and creator of Pandera, a statistical typing and data testing tool for scientific...
Salon 2-3
  AI + Security

5:00pm EDT

The Current State of SBOMs for End Users - Eddie Zaneski, Defense Unicorns
Tuesday October 22, 2024 5:00pm - 5:30pm EDT
Software Bills of Materials (SBOMs) have become essential for ensuring transparency, security, and compliance. However, many end users find the current state of SBOMs challenging, with issues like inconsistent formats, lack of real-world guidance, and sparse tooling. The reality is that regulations requiring SBOMs can often be satisfied with an empty JSON file or a handwritten Word document that the recipient doesn't really know what to do with. Despite these challenges, SBOMs hold significant promise for enhancing software security. This talk will highlight ongoing efforts to improve SBOM practices, emphasizing the importance of collaboration among specification designers, regulators, and developers. We'll explore how OpenSSF projects like Protobom and bomctl are attempting to provide a foundation for the tooling end users need. By focusing on these initiatives and promoting best practices, we can work towards a future where SBOMs are not just regulatory checkboxes, but powerful tools for software management and security.
Speakers
Eddie Zaneski, Tech Lead - Open Source, Defense Unicorns
Eddie lives in Denver, CO with his wife and dog. He loves open source and works on the Kubernetes project. When not hacking on random things you'll most likely find him climbing rocks somewhere.
Salon 4-6
  OSS Consumption + End Users

5:15pm EDT

Fortify Your Code: Secure Your Supply Chain with Scorecard - Aditya Soni, Forrester
Tuesday October 22, 2024 5:15pm - 5:30pm EDT
In the complex landscape of software development, managing the security and integrity of open-source software (OSS) components always seems daunting. This lightning talk is about addressing that problem with Scorecard, a robust solution designed to assess and mitigate risks associated with OSS projects. By leveraging Scorecard, organizations can gain insights into the security posture of their dependencies, identify potential vulnerabilities, and implement best practices to fortify their supply chain. Attendees will learn from real-world use cases demonstrating the effectiveness of Scorecard in countering source-code-level problems, subverted source code control systems, and compromised build systems.
Speakers
Aditya Soni, CNCF Ambassador, DevOps Engineer II, Forrester
Aditya Soni is a DevOps/SRE tech professional. He has worked with product- and service-based companies including Red Hat and Searce, and is currently positioned at Forrester Research as a DevOps Engineer II. He holds AWS, GCP, Azure, RedHat, and Kubernetes certifications. He is a CNCF Ambassador...
Salon 1
  SW Development + OSS
 
Wednesday, October 23
 

9:35am EDT

Keynote: Stop Peeing in the Pool! - Dan Lorenc, CEO and Co-Founder, Chainguard
Wednesday October 23, 2024 9:35am - 9:50am EDT
Open Source is everywhere today, but it’s easy to forget that this wasn’t always the case and that today’s ubiquity is the result of lots of hard work over the last several decades. Outside of the obvious maintenance and development, a tremendous amount of work has gone into crafting, reviewing, and approving licenses that align with the Open Source Definition itself to promote interoperability, openness, and the exchange of ideas. Today, we’re unfortunately seeing a rise in new licenses that don’t comply with the requirements, definition, or philosophy of Open Source itself. While every business needs to do what it must to survive, many of these efforts are misinformed, short-sighted, and fail to consider the impact these “faux-pen” source licenses will have on the sustainability of the broader ecosystem.

Speakers
Dan Lorenc, CEO and Co-Founder, Chainguard
Dan Lorenc is co-founder and CEO of Chainguard, a leading software supply chain security company. He started projects like Minikube, Skaffold, and Kaniko to make containers easy and fun, then got so worried about the state of OSS supply chains he helped found the Tekton and Sigstore...
Salon 1
  Keynote Sessions

9:55am EDT

Keynote: Back to Security Basics: Evaluating, Consuming, and Contributing Open Source Software - Katherine Druckman, Open Source Evangelist, Intel Corporation
Wednesday October 23, 2024 9:55am - 10:10am EDT
We won! Open source software is everywhere... so now what? Shifting left starts at the beginning – ensuring the security of open source software requires careful evaluation, use, and contribution. This talk will cover some important challenges in securely consuming open source software. Attendees will learn to evaluate projects based on active maintenance, patch cycles, and vulnerability management. We will explore the role of project documentation, code contribution expectations, and community involvement in project maturity and code quality, as well as tools and community guidance. Walk away with the beginnings of a practical framework and checklist that you can mold to your own needs.
Speakers
Katherine Druckman, Open Source Evangelist, Intel
Katherine Druckman is an Open Source Evangelist at Intel where she enjoys sharing her passion for a variety of open source topics. She is a long-time open source advocate, developer, and podcaster, and is currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality...
Wednesday October 23, 2024 9:55am - 10:10am EDT
Salon 1
  Keynote Sessions
  • Session Slides Attached yes

10:55am EDT

Scorecard at Scale: Old and New Possibilities for Lifting Security on All Repositories - Jeff Mendoza, Kusari & Stephen Augustus, Cisco Systems, Inc.
Wednesday October 23, 2024 10:55am - 11:25am EDT
OpenSSF Scorecard assesses the security posture of a git repository and produces an overall score. Organizations have found this useful for improving the security of their many repositories as a whole. However, this task is not a small undertaking. Running Scorecard, collecting the results, and interpreting the results is complex and can be done in different ways. This presentation covers multiple strategies for accomplishing Scorecard at Scale, including some new possibilities from the Scorecard team. Options include the Scorecard API, Scorecard Action, Scorecard Monitor, and Allstar. We will explore setup, execution, and results format for these options, then dig into extracting actionable insights from the results as well.
Speakers
Stephen Augustus

Head of Open Source, Cisco Systems, Inc.
Stephen is the Head of Open Source at Cisco, working within the Strategy, Incubation, & Applications (SIA) organization. Across the wider LF (Linux Foundation) ecosystem, Stephen has the pleasure of serving as a member of the OpenSSF Governing Board, the OpenAPI Initiative Business... Read More →
Jeff Mendoza

Software Engineer, Kusari
Jeff is an OpenSSF Scorecard Steering Committee member, and a maintainer on both the Allstar and GUAC projects. He also Co-Chairs the OpenSSF Securing Critical Projects Working Group. Jeff is a software engineer at Kusari, focused on Open Source, Cloud Native, and Supply Chain Security... Read More →
Wednesday October 23, 2024 10:55am - 11:25am EDT
Salon 1
  OSPOs + Security
  • Session Slides Attached yes

10:55am EDT

Assessing Open Source Software Projects in the Software Supply Chain - Scott Hissam, Carnegie Mellon Software Engineering Institute & Joshua "CoCo" Crisp, Unified Platform (USCYBERCOM)
Wednesday October 23, 2024 10:55am - 11:25am EDT
The US Department of Defense, like many industrial, academic, and government institutions across the world, is intricately dependent on open source software and seeks concrete means to objectively assess the trustworthiness of not only the products of the OSS ecosystem but also the processes enacted by projects to produce that software. One such DoD project, Unified Platform, is developing techniques to evaluate publicly available information from OSS projects to determine the risk levels associated with using the open source software, both now and in the future. Current efforts are concentrating on evaluating a project's processes, policies, and practices. This includes leveraging tools such as MITRE's Hipcheck, the Open Source Security Foundation's Scorecard, and other sources to support Unified Platform's Software Approval Process and Software Supply Chain Practices. This presentation will cover how these techniques are providing the insight needed by this DoD project to address emerging DoD guidance on the use of open source software.
Speakers
Joshua Crisp

Chief Information Security Officer, Unified Platform (USCYBERCOM)
Unified Platform Chief Information Security Officer supporting USCYBERCOM and JCWA. I've spent a little over 5 years supporting Unified Platform capabilities for cybersecurity, cloud infrastructure, cybersecurity for Air Force's Platform One program (IronBank, BigBang, PartyBus... Read More →
Scott Hissam

Senior Member of the Technical Staff, Software Engineering Institute | Carnegie Mellon University
Based in San Antonio, TX, where I manage and coordinate local staff and technical activities in support of and DoD organizations. I am also a technical lead/program manager, leading research to practice in software engineering and software technology for acquisition and sustainment of... Read More →
Wednesday October 23, 2024 10:55am - 11:25am EDT
Salon 2-3
  OSS Consumption + End Users
  • Session Slides Attached yes

10:55am EDT

PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem - William Woodruff, Trail of Bits
Wednesday October 23, 2024 10:55am - 11:25am EDT
PyPI is the official package index for the Python programming language, and one of the largest OSS package indices, serving over 1.2 billion downloads of over 500,000 unique packages each day to millions of Python developers and hundreds of millions of downstream users. As the cornerstone of a massive and diverse language ecosystem, changes to PyPI's security posture (and the security features it offers) represent a significant operational challenge, one shared by indices of similar size and criticality (such as NPM, RubyGems, and Crates). This talk is about one such change in PyPI's security posture: the creation and (ongoing) implementation of PEP 740, or "Index support for digital attestations." This talk will go through the details of PEP 740, how it relates to (and integrates with) standards like Sigstore, in-toto, and SLSA, and how PyPI (and Python packaging more broadly) is using PEP 740 to "bootstrap" strong maintainer digital provenance for Python packages on top of PyPI's pre-existing support for Trusted Publishing, without the traditional downsides of key and identity management, complex signing ceremonies, and so forth.
Speakers
William Woodruff

Engineering Director, Trail of Bits
William Woodruff is an Engineering Director at Trail of Bits, a NYC-based consultancy. He splits his time between OSS engineering and running the Ecosystem Security group, which is responsible for contributing security and usability improvements to a wide range of OSS tools and services... Read More →
Wednesday October 23, 2024 10:55am - 11:25am EDT
Salon 4-6
  SW Development + OSS
  • Session Slides Attached yes

12:05pm EDT

A Glimpse Into OSS Vulnerability Disclosure Practices - Jessy Ayala, UC Irvine
Wednesday October 23, 2024 12:05pm - 12:35pm EDT
In open-source software (OSS), software vulnerabilities are at an all-time high. We conduct a study focusing on security advisories and bug bounty reports as perspectives for exploring OSS vulnerability disclosure practices. In addition, we interviewed 17 OSS maintainers and reached out to MITRE to further raise awareness and resolve bottlenecked CVEs we identified. Our findings reveal struggles in conducting efficient vulnerability review, the absence of CVEs in the National Vulnerability Database for Critical vulnerabilities, and ranked OSS maintainer vulnerability management challenges. Such findings reveal gaps that hinder the spread of alerts to affected projects. We offer actionable recommendations to enhance OSS project security, improve review rates, and promote robust vulnerability disclosure practices. Overall, we reveal gaps in the current OSS security landscape to provide valuable insights for OSS maintainers and contributors, vulnerability database maintainers, and the broader OSS community.
Speakers
Jessy Ayala

PhD Student, University of California, Irvine
Jessy is a PhD student at UC Irvine studying problems where software engineering meets security. In particular, Jessy is interested in investigating and addressing software supply chain security concerns from various angles. In his free time, Jessy enjoys writing music and training... Read More →
Wednesday October 23, 2024 12:05pm - 12:35pm EDT
Salon 1
  Maintainer / Contributor
  • Session Slides Attached yes

12:05pm EDT

Project Copacetic: Directly Patch Container Image Vulnerabilities - Ashna Mehrotra, Microsoft
Wednesday October 23, 2024 12:05pm - 12:35pm EDT
Software supply chain security is more important than ever. Yet maintaining secure container images is challenging, because patch options can be limited: wait impatiently for third-party image updates to be released, especially for images with multi-publisher dependencies, or perform your own full image rebuild, a time- and resource-intensive process. Project Copacetic (Copa) reduces turnaround time and complexity for image patching. Copa integrates into existing build infrastructure, giving users greater control over their patching timeline while reducing costs. Using image scanners like Trivy, Copa generates a vulnerability report and identifies the necessary OS-level package updates. Copa then updates your target image using BuildKit (Docker's default builder) by creating a new patch layer on top of the original image. Copa can even patch distroless images. We'll demo Copa, including how to integrate it into pipelines, extend its functionality with scanner formats, and exclude scanners to update all outdated packages. You'll leave ready to keep your images secure. As a newly accepted CNCF sandbox project, Copa invites you to join the community and advance your software security!
Speakers
Ashna Mehrotra

Software Engineer, Microsoft
Ashna Mehrotra is a software engineer on the Upstream Security team, working on cloud-native open source security projects at Microsoft.
Wednesday October 23, 2024 12:05pm - 12:35pm EDT
Salon 2-3
  OSS Consumption + End Users
  • Session Slides Attached yes

12:05pm EDT

The Open Source Paradox: Unpacking Risk, Equity, and Acceptance - Vincent Danen, Red Hat
Wednesday October 23, 2024 12:05pm - 12:35pm EDT
Open source software isn’t just allowed in most enterprises—it’s often the go-to choice. Yet while procurement policies have evolved to embrace open source, risk acceptance frameworks haven’t kept pace. We tend to treat security concerns like monsters under the bed, wanting them to vanish, but there's a key difference between how we view open source vs. proprietary software. In fact, open source’s very strengths are often weaponized against it, creating a double standard. Join me as we explore the paradox of risk tolerance, security equity, and the overlooked biases shaping the conversation around open source and proprietary software. Let’s level the playing field and rethink how we define and manage risk.
Speakers
Vincent Danen

Vice President, Product Security, Red Hat
Vincent Danen lives in Canada and is the Vice President of Product Security at Red Hat. He joined Red Hat in 2009 and has been working in the security field, specifically around Linux, operating security and vulnerability management, for over 20 years.
Wednesday October 23, 2024 12:05pm - 12:35pm EDT
Salon 4-6
  Public Policy
  • Session Slides Attached yes

2:05pm EDT

Unpaid Maintainers: The Security Threat No One Is Talking About (yet) - Lauren Hanford, Tidelift
Wednesday October 23, 2024 2:05pm - 2:35pm EDT
It's hard to be an open source maintainer in 2024. Despite increasing demands, 60% of maintainers still don't get paid for their work and 58% have considered quitting or have already quit maintaining their projects. Earlier this year, the xz utils scare brought to light the very real implications of what can happen when maintainers are not supported. While this particular attack was caught, the bottom line is that most maintainers are unpaid hobbyists who receive neither the financial nor the societal (community, mental health, training, time) support needed to ensure the security and resilience of the open source software we all rely on. Overworked and underappreciated maintainers are a huge problem that leads directly to organizational security risk. So what can you do about it? This session will share maintainers' perspectives on xz and how it has affected the way they approach their work. We'll discuss a set of tips security-conscious leaders can take away to decrease their security risk from under-maintained open source packages. Finally, we'll look at some benefits that downstream consumers receive when maintainers are paid to ensure their projects remain secure and healthy.
Speakers
Lauren Hanford

VP of Product, Tidelift
Lauren Hanford is VP of Product at Tidelift, working alongside maintainers to deliver secure software outcomes. At her heart, she is a UX researcher and approaches technology from a user-centered place. Lauren created the TACOS framework for open source secure development practices... Read More →
Wednesday October 23, 2024 2:05pm - 2:35pm EDT
Salon 1
  Maintainer / Contributor
  • Session Slides Attached yes

2:20pm EDT

How to Use CNCF’s Falco to Protect Yourself from the New SCARLETEEL Attack! - Parthi Srinivasan, Sysdig
Wednesday October 23, 2024 2:20pm - 2:35pm EDT
SCARLETEEL, a recently discovered attack pattern, starts from a compromised Kubernetes container and spreads to the victim's AWS account. Let us see how OSS Falco and its new plug-in approach can detect this kind of threat at cloud runtime!
Speakers
Parthiban Srinivasan

Senior customer success solution architect, Sysdig
I specialize in runtime threat detection, delivering impactful strategies and solutions that fortify Fortune 500 companies against evolving security challenges.
Wednesday October 23, 2024 2:20pm - 2:35pm EDT
Salon 2-3
  OSS Consumption + End Users
  • Session Slides Attached yes

2:40pm EDT

Easier, Faster, and Safer Open Source Consumption Governance - Brando Himes & Brian Greenwood, The Vanguard Group
Wednesday October 23, 2024 2:40pm - 3:10pm EDT
This talk will follow one organization's journey to enable and automate open source consumption while providing guardrails for the legal and security issues that can result. By sharing our journey, we hope to spark discussion about our decisions and learn how others have addressed these same challenges. Our goal is to make governing open source consumption easier, faster, and safer for all.
Speakers
Brian Greenwood

Technical Lead, The Vanguard Group
Brian is currently a technical lead on the Developer Experience (DevEx) team at Vanguard. In his 6 years, he has supported the company's ETF management system, managed cloud infrastructure for data scientists and analysts, maintained a serverless developer platform, and helped further... Read More →
Brando Himes

Architect, The Vanguard Group
In Brando's 15 years at Vanguard, he has been a technical lead on several retirement plan experience releases, contributed to the architecture of CD pipelines, supported the developer toolchain, incubated innovation projects, and most recently focused in on improving the environments... Read More →
Wednesday October 23, 2024 2:40pm - 3:10pm EDT
Salon 1
  OSS Consumption + End Users
  • Session Slides Attached yes

2:40pm EDT

Supply-Chain Security, Outside in: What Helping ~200 Projects Improve Their Security Looks Like - Pedro Nacht & Diogo Teles Sant'Anna, Google
Wednesday October 23, 2024 2:40pm - 3:10pm EDT
The greatest challenge in open-source supply-chain security is how unrewarding it feels. Maintainers have to do the vast majority of the work necessary to improve a repository's supply-chain security. But – other than the satisfaction of a job well done – they get almost no benefit from it. Supply-chain security improvements don't add features, squash bugs, improve performance, and so on. Instead, the benefits fall entirely on the package's consumers, who can feel safe depending on that package. In 2023, the Google Open Source Security Team (GOSST) began work to help maintainers carry this burden. We approached ~200 open-source projects of critical importance to the ecosystem, hoping to help them improve their supply-chain security. This presentation will describe the philosophy behind the team's approach, our overall results (500+ contributions, 90% accepted!), and key lessons learned. We hope to inspire you – consumer, maintainer, or someone who's just interested in this sort of thing – to learn from our mistakes and outdo our successes. Help us help maintainers keep open source secure.
Speakers
Pedro Nacht

Software Engineer, Google
Professionally... I've been around. A structural engineer by training, I quickly moved to writing engineering software. After completing an MBA, I became a financial data analyst. Hoping to make more of an impact, I joined Google's Open Source Security Team (GOSST). In GOSST's Upstream... Read More →
Diogo Teles Sant'Anna

Software Engineer, Google
Passionate about technology, I began my studies in Computer Engineering in 2016 at the University of Campinas (UNICAMP, Brazil), and now I'm working as a Software Engineer at Google. Since 2022, I have worked on the Google Open Source Security Team (GOSST).
Wednesday October 23, 2024 2:40pm - 3:10pm EDT
Salon 4-6
  SW Development + OSS
  • Session Slides Attached yes

3:40pm EDT

Navigating the Quantum Readiness Journey: Hands-on Guidance for Starting Your Migration - Eric Mizell, Keyfactor
Wednesday October 23, 2024 3:40pm - 4:10pm EDT
Cryptography is a fundamental cornerstone of cybersecurity, omnipresent for every engineer. As quantum computing advances rapidly and NIST standardizes new algorithms, the urgency of preparing for its impact on cybersecurity grows. Join our educational journey into Crypto Agility and Quantum Readiness. This presentation empowers engineers and security experts with tools to understand and navigate quantum-resistant cryptography, and to conduct hands-on experiments tailored to your use cases. Our talk addresses: "What is the quantum computing threat, and what can I do about it?" We will explore the landscape of quantum-ready security and different migration scenarios, emphasizing the need for crypto agility. This includes reassessing and updating standard protocols and security mechanisms such as mTLS and X.509 certificates. We will provide an overview of current standardization efforts, including European and American initiatives. Emphasizing the importance of community collaboration, we aim to achieve high-quality, interoperable cryptographic implementations.
Speakers
Eric Mizell

Field CTO, Keyfactor
Eric Mizell is a developer turned security expert. Beginning his career in engineering and leadership roles at Hortonworks and OverOps, Eric then shifted his focus to security, having seen first-hand the security gaps in many DevOps environments. As Field CTO at Keyfactor, Eric works... Read More →
Wednesday October 23, 2024 3:40pm - 4:10pm EDT
Salon 1
  Security Education
  • Session Slides Attached yes