SOSS Fusion 2024

Software is a complex system of tooling, processes, and, ultimately, humans. Ensuring the system's integrity and hardening our software supply chain requires careful configuration at countless steps along the pipeline. The OpenSSF is leading the open source security community to establish tools and best practices. Still, their discovery can be overwhelming and confusing to the developers and open source maintainers who stand to benefit. Join this panel of OpenSSF DevRel Community Volunteers to learn how to navigate the complex waters of the OpenSSF landscape as we work to connect projects and tools with the community. Walk away with a clearer understanding of developer relations and how to get involved.

Vulnerabilities hidden within open source libs raises risk for containerized workloads. Runtime protection is needed, even for ephemeral applications, because automated attacks spread in seconds. Join SentinelOne as we demonstrate AI-powered threat protection and discuss its place in a CNAPP strategy. By combining agentless insights spanning asset discovery, CSPM, vulnerability management, and more, with the stopping power of a runtime agent, multi-cloud organizations are best equipped to accelerate and secure innovation at scale.

Security teams from Google to Firefox have taught the security industry a lot about isolating running programs from the broader system through sandboxing, which fundamentally changed the way hackers need to operate to inflict damage on systems. Threat actors today need to be significantly more sophisticated and build a chain of vulnerabilities to escape sandboxes & access critical system resources for exploitation. The consistently growing number of vulnerabilities in OSS packages, imposes an impossible pace of remediation & patching to stay ahead of zero-day threats evolving daily. Enter Open Source Sandboxing. In this talk we’ll present a first of its kind approach, built upon the powerful eBPF and KRSI technologies, that enables you to derive the very same security benefits of browser and web-based, as well as mobile - iOS & Android sandboxing - for any open source library you are running in your stacks. We’ll walk through a code example for how to identify and block exploits.

Over the last few years, terms like SBOM, VEX, SLSA, and GUAC have crept into our supply chain security discussions. While we all agree from the surface that knowing what is in our code is likely a good idea, for a lot of teams, this feels like another set of boxes to check when filing security compliance paperwork. But what is really going on here, and what is driving us into this acronym soup?

In this session, we will explore multiple terms and the deeper questions of what they are trying to answer. You will walk away with a more holistic understanding of where we need to go as an industry to protect ourselves from the current and future waves of threats on the horizon. Before you throw another security tool at the problem or throw your hand up in despair, let's explore why better understanding these ideas means being able to better protect your organization.

Explore how confidential computing is revolutionizing data security through Open Source projects within the Confidential Computing Consortium (CCC) at the Linux Foundation. This session will delve into the value that confidential computing brings to businesses by ensuring data protection even during processing. Highlighting key projects like COCONUT-SVM, Occlum, Islet, and others, we will showcase how these Open Source initiatives enhance privacy and security. Learn how integrating these projects can mitigate risks, improve compliance, and foster innovation. This talk is designed for decision-makers in compute security and compliance, particularly those interested in secure federated compute. We will cover real-world examples from finance to human trafficking to demonstrate the power and versatility of Confidential Computing. Join us to understand the future of secure data processing and the pivotal role of Confidential Computing in advancing Open Source solutions.

Cryptography is a fundamental cornerstone of cybersecurity, omnipresent for every engineer. As quantum computing advances rapidly and NIST standardizes new algorithms, the urgency of preparing for its impact on cybersecurity grows. Join our educational journey into Crypto Agility and Quantum Readiness. This presentation empowers engineers and security experts with tools to understand and navigate quantum-resistant cryptography, and conduct hands-on experiments tailored to your use cases. Our talk addresses: "What is the quantum computing threat, and what can I do about it?" We will explore the landscape of quantum-ready security and different migration scenarios, emphasizing the need for crypto agility. This includes reassessing and updating standard protocols and security mechanisms such as mTLS and x.509 certificates. We will provide an overview of current standardization efforts, including European and American initiatives. Emphasizing the importance of community collaboration, we aim to achieve high-quality, interoperable cryptographic implementations.