SOSS Fusion 2024

Join me, Joseph Zang, on a journey through the complexities, pitfalls, and triumphs of scaling InnerSource adoption in the highly regulated Industry. As the InnerSource Community Lead Advocate, I've navigated the intricate landscape of regulatory constraints and organizational resistance to nurture a culture of collaboration leading to innovation and program maturity. In this session, I'll share my experiences (the good and not so good), and relay my insights on how to effectively implement InnerSource practices within regulated environments. Here's what to expect: Starting the InnerSource Journey Jumping Regulatory Hurdles Cultural Transformation Building the Right Infrastructure InnerSource in Practice This session is a candid glimpse at the challenges and rewards of championing InnerSource adoption in a regulated FinTech environment. Observe the practical strategies that worked for us, the obstacles we overcame (the ones we didn’t), and the hacks we discovered along the way as our InnerSource initiative matures.

OpenSSF Scorecard assesses the security posture of a git repository and produces an overall score. This has proven useful for organizations to improve the security of their many repositories overall. However, this task is not a small undertaking. The act of running Scorecard, collecting the result, and interpreting the results is complex and can be done in different ways. This presentation covers multiple strategies for accomplishing Scorecard at Scale, including some new possibilities from the Scorecard team. Options include the Scorecard API, Scorecard Action, Scorecard Monitor, and Allstar. We will explore setup, execution, and results format for these options, then dig into extracting actionable insights from results as well.

The OpenSSL Security Baseline proposes a framework for a common security posture across open source projects. The baseline requirements are designed to match the OpenSSF's project lifecycle: each level has been designed to provide increasing levels of protection with as little effort as possible. They range from secure repository configuration to the production of security metadata such as SBOMs and SLSA attestations. These requirements may sound daunting but the path forward is bright! The OpenSSF community has been working hard to create tools, specifications, and libraries to help harden the global software supply chain. While we have built amazing tooling to automate compliance, orchestration can still be challenging. Understanding at scale which resources are falling short of the baseline expectations needs coordination and remediation. Luckily this is where Minder comes in! Minder is an open source platform that monitors your repositories, builds, and artifacts to ensure they match a declared security posture. In contrast to other tools, it reconciles the state of your resources to match your desired state. Join Puerco for a live demo of meeting baseline compliance!