SOSS Fusion 2024

Software is a complex system of tooling, processes, and, ultimately, humans. Ensuring the system's integrity and hardening our software supply chain requires careful configuration at countless steps along the pipeline. The OpenSSF is leading the open source security community to establish tools and best practices. Still, their discovery can be overwhelming and confusing to the developers and open source maintainers who stand to benefit. Join this panel of OpenSSF DevRel Community Volunteers to learn how to navigate the complex waters of the OpenSSF landscape as we work to connect projects and tools with the community. Walk away with a clearer understanding of developer relations and how to get involved.

Outsiders looking in at government software delivery might imagine a cabal of crusty do-nothings plotting the next series of setbacks and delays to deliver to their unwitting users, or a scheming contractor masterfully extracting maximum payment for each feature delivered. Nothing could be further from the truth; in reality the civil service and the commercial ecosystem servicing the government are full of hard-working people navigating a labyrinthine series of financial, contractual, technical, and cybersecurity policies and standards. Open Source software and open technology can be a critical tool for successfully steering a project through that maze in order to deliver a capability to users. In this session, we give real-world examples of the challenges to value delivery in the government, discuss some of the common misperceptions around government use of Open Source, and discuss how the use of Open Source has lead to improved outcomes for users in the Department of Defense. Lastly, we discuss where we think the relationship between the private and public sector is going with respect to Open Source.

Security teams from Google to Firefox have taught the security industry a lot about isolating running programs from the broader system through sandboxing, which fundamentally changed the way hackers need to operate to inflict damage on systems. Threat actors today need to be significantly more sophisticated and build a chain of vulnerabilities to escape sandboxes & access critical system resources for exploitation. The consistently growing number of vulnerabilities in OSS packages, imposes an impossible pace of remediation & patching to stay ahead of zero-day threats evolving daily. Enter Open Source Sandboxing. In this talk we’ll present a first of its kind approach, built upon the powerful eBPF and KRSI technologies, that enables you to derive the very same security benefits of browser and web-based, as well as mobile - iOS & Android sandboxing - for any open source library you are running in your stacks. We’ll walk through a code example for how to identify and block exploits.

Systems today are primarily assemblies of reused components many of which are Open-Source software. The reuse of software has enabled faster fielding of systems since common components, but all software comes with vulnerabilities, and attackers have expanded their capabilities to exploit them in products that have broad use especially Open Source. How should an organization make appropriate trade-off choices among cost, schedule, and cybersecurity? Over the history of software engineering, we have learned that software metrics for both the process and the product are needed. We have also explored many aspects of cybersecurity measurement and determined that we must be able to measure the processes for developing and using software and how those measurement results affect the product’s cybersecurity. It is insufficient to measure only operational code, its vulnerabilities, and the attendant risk of successful hacks. Relying on the assumption that many eyeballs looking at the software ensures better security is of little value without an understanding of what was analyzed and how knowledgeable were those performing the analysis.

The future of secure open-source software lies in education, particularly from K-12 and beyond. Imagine a world where students, from their earliest years, are introduced to the principles of open-source collaboration, coding, and cybersecurity. By embedding these skills early, we are not only preparing them for future careers but also cultivating a new generation of developers and innovators who prioritize security. In this talk, Rao and Tunji, would go over how High school and college students can engage in real-world open-source projects, learning the importance of secure coding practices and contributing to global software solutions. Integrating security-focused open-source education fosters a culture of collaboration and shared responsibility. This not only strengthens the software we rely on but also builds a more inclusive, diverse developer community. It's about creating a future where secure, reliable software is the norm, driven by a well-educated, passionate generation committed to making a difference. By investing in education today, we are securing the open-source software of tomorrow. Let's inspire our youth to be the champions of a safer digital future

OSS developers play a crucial role in shaping solutions that impact the public sector. This lightning talk will highlight practical steps maintainers can take to improve adoption and usage for governmental and public service organizations. Join us as we explore how relatively small changes can lead to significant improvements.

Software Bill of Materials (SBOMs) have become essential for ensuring transparency, security, and compliance. However, many end users find the current state of SBOMs challenging, with issues like inconsistent formats, lack of real-world guidance, and sparse tooling. The reality is that regulations requiring SBOMs can often be satisfied with an empty JSON file or a handwritten word document that the recipient doesn't really know what to do with. Despite these challenges, SBOMs hold significant promise for enhancing software security. This talk will highlight ongoing efforts to improve SBOM practices, emphasizing the importance of collaboration among specification designers, regulators, and developers. We'll explore how OpenSSF projects like Protobom and bomctl are attempting to provide a foundation for the tooling end users need. By focusing on these initiatives and promoting best practices, we can work towards a future where SBOMs are not just regulatory checkboxes, but powerful tools for software management and security.

During this session, I will introduce Vcpkg, a powerful tool for consuming open-source software (OSS) in C and C++ applications. Vcpkg allows you to integrate your favorite libraries in a secure, compliant, and straightforward manner. This open-source project is backed by both the community and Microsoft, ensuring robust support and continuous improvement. I will demonstrate how Vcpkg enhances the security of your Software Supply Chain and discuss the key advantages of using it. Additionally, I will provide a short tutorial on using Vcpkg to install a C++ library and integrate it into your C++ project with CMake. Vcpkg supports and encourages the consumption of popular OSS libraries such as OpenTelemetry, gRPC, OpenSSL, and many more. Thanks to Vcpkg, you can access hundreds of libraries, including your favorite CNCF projects!

OSS underpins the digital infrastructure of our society, ensuring its security has never been more critical. This talk will delve into the intricate web of public policy initiatives aimed at enhancing the security of OSS. From the President’s EO on Cybersecurity in the US to the ambitious EU Cyber Resiliency Act, we will explore how these pivotal regulations are shaping the landscape of software security. We will also shed light on forward-thinking policy initiatives such as Secure by Design, SLSA, and Software Self Attestation, examining how they complement and reinforce existing legislation. By weaving together these diverse strands of policy, this session will provide a comprehensive overview of the current policy ecosystem, highlighting both the connectedness of these initiatives and uncovering potential gaps and areas where there is significant disconnect. As the world grapples with the complexities of building and securing OSS, understanding the global policy landscape becomes essential for developers, policymakers, and industry leaders alike. Join me to gain a clear perspective on how policy efforts are converging to create a more secure and resilient open source future.

Over the last 50 years, technology has evolved to become critical and indispensable to industries and communities around the globe. Security practices have changed in reaction to these evolutions, yet not to the same degree. Security continues to play catchup in a number of areas and we continue to hang onto old and demonstrably inefficient practices in some areas, such as vulnerability (or patch) management. How do we reconcile the need to reduce risk while investing in future technology innovations and how do we ensure finite resources target real, and not perceived, threats?

One of the common themes in new regulations related to software bill of materials (SBOMs) is the need to go beyond inventorying only software packages and their known vulnerabilities. The FDA, for example, requires end-of-life (EOL) and level-of-support information for all components. PCI DSS 4.0 requires component inventories to be used to “facilitate” vulnerability management, which is another area where understanding package health can be useful. But getting EOL and level-of-support information can be challenging for open source components. How do you determine the EOL date for a project maintained by a scattered network of developers? How do you assess support level? How do you proactively plan refactor efforts for software packages that haven’t been updated for years? This session will explore tangential risk indicators beyond CVEs, data sources for obtaining support status in open source components, strategies for proactive application refactors, and how to communicate these health signals in your SBOMs.

In today's fast-paced world of software development, building a product might be straightforward, but ensuring its security is a distinct challenge.

Dive into the world of "Policy as Code" and uncover the transformative power of integrating an authorization layer directly into your codebase.

From highlighting the significance of security (with a nod to the OWASP Top Ten) to delving into the nuances of access control models like ABAC, RBAC, and REBAC, this talk offers a comprehensive look at the landscape of policy-driven security. Furthermore, attendees will gain insights into the capabilities and distinctions of leading policy engines, including OPA, AWS Cedar, and OpenFGA.

In our modern era of application development, policies aren't just a choice—they are a mandate.

Discover how you can seamlessly embed them into your workflow and bolster your stack's security.

 Join me and elevate your security game to the next level!

PyPI is the official package index for the Python programming language, and one of the largest OSS package indices, serving over 1.2 billion downloads of over 500,000 unique packages each day to millions of Python developers and hundreds of millions of downstream users. As the cornerstone of a massive and diverse language ecosystem, changes to PyPI's security posture (and security features offered) represent a significant operational challenge, one shared by indices of similar size and criticality (such as NPM, RubyGems, and Crates). This talk is about one such change in PyPI's security posture: the creation and (ongoing) implementation of PEP 740, or "Index support for digital attestations." This talk will go through the details of PEP 740, how it relates to (and integrates with) standards like Sigstore, in-toto, and SLSA, and how PyPI (and Python packaging more broadly) is using PEP 740 to "bootstrap" strong, maintainer digital provenance for Python packages on top of PyPI's pre-existing support for Trusted Publishing, without the traditional downsides of key and identity management, complex signing ceremonies, and so forth.

The greatest challenge in open-source supply-chain security is how unrewarding it feels. Maintainers have to do the vast majority of the work necessary to improve a repository's supply-chain security. But – other than the satisfaction of a job well done – they get almost no benefit from it. Supply-chain security improvements don't add features, squash bugs, or improve performance, etc… Instead, the benefits fall entirely on the package's consumers, who can feel safe depending on that package. In 2023, the Google Open Source Security Team (GOSST) began work to help maintainers carry this burden. We approached ~200 open-source projects of critical importance to the ecosystem, hoping to help them improve their supply-chain security. This presentation will describe the philosophy behind the team's approach, our overall results (500+ contributions, 90% accepted!), and key lessons learned. We hope to inspire you – consumer, maintainer, or someone who's just interested in this sort of thing – to learn from our mistakes and outdo our successes. Help us help maintainers keep open-source secure.

Traditional role-based access control (RBAC) systems just don't cut it for modern, complex applications. In this talk, we'll dive into how Open FGA, an open-source fine-grained authorization solution, tackles these challenges head-on. We'll highlight the shortcomings of RBAC and show how Open FGA uses relationship-based access control (ReBAC) to offer a more flexible and detailed approach. You'll see how this tool can boost security, performance, and access management across various systems. If you’re curious to learn why the future of authorization is fine-grained and how Open FGA is paving the way, you don’t want to miss this session.