SOSS Fusion 2024

Over the past year, AI has been talk of the town in terms of emerging technology. There is a lot of discussion around how AI technology and capabilities will be utilized both for the betterment and the detriment of our world and those around us. One of the first attempts to manage these risks from a regulatory perspective is the AI Risk Management Framework from NIST. This session will be a crash course on that standard and some preliminary analysis/dialogue around how effective the standard will be.

OSS developers play a crucial role in shaping solutions that impact the public sector. This lightning talk will highlight practical steps maintainers can take to improve adoption and usage for governmental and public service organizations. Join us as we explore how relatively small changes can lead to significant improvements.

OSS underpins the digital infrastructure of our society, ensuring its security has never been more critical. This talk will delve into the intricate web of public policy initiatives aimed at enhancing the security of OSS. From the President’s EO on Cybersecurity in the US to the ambitious EU Cyber Resiliency Act, we will explore how these pivotal regulations are shaping the landscape of software security. We will also shed light on forward-thinking policy initiatives such as Secure by Design, SLSA, and Software Self Attestation, examining how they complement and reinforce existing legislation. By weaving together these diverse strands of policy, this session will provide a comprehensive overview of the current policy ecosystem, highlighting both the connectedness of these initiatives and uncovering potential gaps and areas where there is significant disconnect. As the world grapples with the complexities of building and securing OSS, understanding the global policy landscape becomes essential for developers, policymakers, and industry leaders alike. Join me to gain a clear perspective on how policy efforts are converging to create a more secure and resilient open source future.

Open source software isn’t just allowed in most enterprises—it’s often the go-to choice. Yet while procurement policies have evolved to embrace open source, risk acceptance frameworks haven’t kept pace. We tend to treat security concerns like monsters under the bed, wanting them to vanish, but there's a key difference between how we view open source vs. proprietary software. In fact, open source’s very strengths are often weaponized against it, creating a double standard. Join me as we explore the paradox of risk tolerance, security equity, and the overlooked biases shaping the conversation around open source and proprietary software. Let’s level the playing field and rethink how we define and manage risk.