SOSS Fusion 2024 has ended
October 22-23, 2024 | Atlanta, Georgia USA


This schedule is displayed in Eastern Daylight Time (EDT).
Salon 4-6
Tuesday, October 22
 

11:30am EDT

Building Developer Confidence in Software Security with the DevRel Community - Katherine Druckman, Intel Corporation; Lori Lorusso, Percona; Tabatha DiDomenico, G-Research
Tuesday October 22, 2024 11:30am - 12:10pm EDT
Software is a complex system of tooling, processes, and, ultimately, humans. Ensuring the system's integrity and hardening our software supply chain requires careful configuration at countless steps along the pipeline. The OpenSSF is leading the open source security community to establish tools and best practices. Still, their discovery can be overwhelming and confusing to the developers and open source maintainers who stand to benefit. Join this panel of OpenSSF DevRel Community Volunteers to learn how to navigate the complex waters of the OpenSSF landscape as we work to connect projects and tools with the community. Walk away with a clearer understanding of developer relations and how to get involved.
Speakers
Tabatha DiDomenico
Open Source DevRel Engineer, G-Research
Tabatha is an OSS DevRel Engineer at G-Research bringing over two decades of experience in community development, IT, and cybersecurity to the role. She holds an MS in Cybersecurity from the University of South Florida and a BA in Interdisciplinary Studies from the University of Central...
Katherine Druckman
Open Source Evangelist, Intel
Katherine Druckman is an Open Source Evangelist at Intel where she enjoys sharing her passion for a variety of open source topics. She is a long-time open source advocate, developer, and podcaster, and is currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality...
Lori Lorusso
Head of Community, Percona
Lori has a passion and enthusiasm for working with the developer and open source community. She is a CNCF Ambassador, former CNCF Marketing Committee Chair, former Chair of the CDF Outreach Marketing Committee, program chair of cdCon 2023, and is active in the OpenSSF devrel committee...
Salon 4-6

12:15pm EDT

An Inside and Outside Look at the Government’s Ongoing Journey with Open Source Tech - Austen Bryan, Defense Unicorns & Camdon Cady, US Air Force
Tuesday October 22, 2024 12:15pm - 12:45pm EDT
Outsiders looking in at government software delivery might imagine a cabal of crusty do-nothings plotting the next series of setbacks and delays to deliver to their unwitting users, or a scheming contractor masterfully extracting maximum payment for each feature delivered. Nothing could be further from the truth; in reality the civil service and the commercial ecosystem servicing the government are full of hard-working people navigating a labyrinthine series of financial, contractual, technical, and cybersecurity policies and standards. Open Source software and open technology can be a critical tool for successfully steering a project through that maze in order to deliver a capability to users. In this session, we give real-world examples of the challenges to value delivery in the government, discuss some of the common misperceptions around government use of Open Source, and discuss how the use of Open Source has led to improved outcomes for users in the Department of Defense. Lastly, we discuss where we think the relationship between the private and public sector is going with respect to Open Source.
Speakers
Austen Bryan
VP of Product, Defense Unicorns
Austen Bryan, a former Active Duty Air Force officer, has spent most of his career in the DoD's software development sector. As the VP of Product at Defense Unicorns, he leverages his experience from co-founding LevelUp Code Works and serving as COO for DoD Platform One. Bryan's...
Camdon Cady
Platform One CTO, US Air Force
Air Force Officer, long-time nerd, working to revolutionize software delivery for the DoD from the inside.
Salon 4-6
  OSS Consumption + End Users
  • Session Slides Attached yes

2:15pm EDT

Open & Secure: Novel Sandboxing Technique for Any Open Source Library - Gal Elbaz, Oligo Security
Tuesday October 22, 2024 2:15pm - 2:45pm EDT
Security teams from Google to Firefox have taught the security industry a lot about isolating running programs from the broader system through sandboxing, which fundamentally changed the way hackers need to operate to inflict damage on systems. Threat actors today need to be significantly more sophisticated and build a chain of vulnerabilities to escape sandboxes and access critical system resources for exploitation. The consistently growing number of vulnerabilities in OSS packages imposes an impossible pace of remediation and patching to stay ahead of zero-day threats evolving daily. Enter Open Source Sandboxing. In this talk we'll present a first-of-its-kind approach, built upon the powerful eBPF and KRSI technologies, that enables you to derive the very same security benefits of browser, web-based, and mobile (iOS and Android) sandboxing for any open source library you are running in your stacks. We'll walk through a code example of how to identify and block exploits.
Speakers
Gal Elbaz
CTO & Co-Founder, Oligo Security
Co-founder & CTO at Oligo Security with 10+ years of experience in vulnerability research and practical hacking. He previously worked as a Security Researcher at CheckPoint and served in the IDF Intelligence. In his free time, he enjoys playing CTFs.
Salon 4-6
  Security Education
  • Session Slides Attached yes

2:50pm EDT

Open Source Software (OSS) Transparency for Acquisition - Scott Hissam, Carnegie Mellon Software Engineering Institute
Tuesday October 22, 2024 2:50pm - 3:20pm EDT
Systems today are primarily assemblies of reused components, many of which are Open Source software. The reuse of common components has enabled faster fielding of systems, but all software comes with vulnerabilities, and attackers have expanded their capabilities to exploit them in products that have broad use, especially Open Source. How should an organization make appropriate trade-off choices among cost, schedule, and cybersecurity? Over the history of software engineering, we have learned that software metrics for both the process and the product are needed. We have also explored many aspects of cybersecurity measurement and determined that we must be able to measure the processes for developing and using software and how those measurement results affect the product's cybersecurity. It is insufficient to measure only operational code, its vulnerabilities, and the attendant risk of successful hacks. Relying on the assumption that many eyeballs looking at the software ensures better security is of little value without an understanding of what was analyzed and how knowledgeable those performing the analysis were.
Speakers
Scott Hissam
Senior Member of the Technical Staff, Software Engineering Institute | Carnegie Mellon University
Based in San Antonio, TX, where I manage and coordinate local staff and technical activities in support of and DoD organizations. I am also a technical lead/program manager, leading research to practice in software engineering and software technology for acquisition and sustainment of...
Salon 4-6
  SW Development + OSS
  • Session Slides Attached yes

3:25pm EDT

Secure Numerical Computing is Hard: Lessons from 10 Years of Open Data Science & the Long Road Ahead - Peter Wang, Anaconda
Tuesday October 22, 2024 3:25pm - 3:55pm EDT
Over the last decade, enterprises have had to accelerate adoption of open source software for data science, machine learning, and AI. These numerically-intensive workloads posed unique new challenges for businesses and IT due to both technology and organizational dynamics.

As the creators of the PyData movement and as a foundational distributor of open source Python tools to millions of enterprise and individual users, Anaconda has had a front-row seat to these kinds of challenges. In this talk, we will draw upon data from our annual State of Data Science industry survey to understand the kinds of challenges that businesses face while trying to adopt even well-known OSS data & ML technology.

We’ll then look towards new deep-learning and AI workloads, and the new dimensions of the security challenges there. These include novel challenges posed by exotic hardware, just-in-time compilation, binary distribution, and data-oriented supply chain attacks.

The talk will conclude with some key principles to guide thinking about software and data supply chains in the new era of machine learning and AI software deployment.
Speakers
Peter Wang
Chief AI & Innovation Officer, Co-Founder, Anaconda
Peter Wang is the Chief AI & Innovation Officer and Co-founder of Anaconda. Peter leads Anaconda's AI Incubator, which focuses on advancing core Python technologies and developing new frontiers in open-source AI and machine learning, especially in the areas of edge computing, data...
Salon 4-6

4:25pm EDT

5 Things OSS Can Do To Make Life Easier For The Public Sector - Eddie Zaneski, Defense Unicorns
Tuesday October 22, 2024 4:25pm - 4:40pm EDT
OSS developers play a crucial role in shaping solutions that impact the public sector. This lightning talk will highlight practical steps maintainers can take to improve adoption and usage for governmental and public service organizations. Join us as we explore how relatively small changes can lead to significant improvements.
Speakers
Eddie Zaneski
Tech Lead - Open Source, Defense Unicorns
Eddie lives in Denver, CO with his wife and dog. He loves open source and works on the Kubernetes project. When not hacking on random things you'll most likely find him climbing rocks somewhere.
Salon 4-6
  Public Policy
  • Session Slides Attached yes

4:40pm EDT

The Power of Confidential Computing: Exploring Open Source Projects - Sal Kimmich, Confidential Computing Consortium, Linux Foundation
Tuesday October 22, 2024 4:40pm - 4:55pm EDT
Explore how confidential computing is revolutionizing data security through Open Source projects within the Confidential Computing Consortium (CCC) at the Linux Foundation. This session will delve into the value that confidential computing brings to businesses by ensuring data protection even during processing. Highlighting key projects like COCONUT-SVM, Occlum, Islet, and others, we will showcase how these Open Source initiatives enhance privacy and security. Learn how integrating these projects can mitigate risks, improve compliance, and foster innovation. This talk is designed for decision-makers in compute security and compliance, particularly those interested in secure federated compute. We will cover real-world examples from finance to human trafficking to demonstrate the power and versatility of Confidential Computing. Join us to understand the future of secure data processing and the pivotal role of Confidential Computing in advancing Open Source solutions.
Speakers
Sal Kimmich
Technical Community Architect, Confidential Computing Consortium, Linux Foundation
Sal is an advocate for open source, passionate about helping engineers, ethical hackers, and digital enthusiasts navigate modern software development. With over a decade of experience building cloud-native machine learning pipelines in healthcare and tech for good sectors, Sal now...
Salon 4-6

5:00pm EDT

The Current State of SBOMs for End Users - Eddie Zaneski, Defense Unicorns
Tuesday October 22, 2024 5:00pm - 5:30pm EDT
Software Bills of Materials (SBOMs) have become essential for ensuring transparency, security, and compliance. However, many end users find the current state of SBOMs challenging, with issues like inconsistent formats, lack of real-world guidance, and sparse tooling. The reality is that regulations requiring SBOMs can often be satisfied with an empty JSON file or a handwritten Word document that the recipient doesn't really know what to do with. Despite these challenges, SBOMs hold significant promise for enhancing software security. This talk will highlight ongoing efforts to improve SBOM practices, emphasizing the importance of collaboration among specification designers, regulators, and developers. We'll explore how OpenSSF projects like Protobom and bomctl are attempting to provide a foundation for the tooling end users need. By focusing on these initiatives and promoting best practices, we can work towards a future where SBOMs are not just regulatory checkboxes, but powerful tools for software management and security.
Speakers
Eddie Zaneski
Tech Lead - Open Source, Defense Unicorns
Eddie lives in Denver, CO with his wife and dog. He loves open source and works on the Kubernetes project. When not hacking on random things you'll most likely find him climbing rocks somewhere.
Salon 4-6
  OSS Consumption + End Users
  • Session Slides Attached yes
 
Wednesday, October 23
 

10:55am EDT

PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem - William Woodruff, Trail of Bits
Wednesday October 23, 2024 10:55am - 11:25am EDT
PyPI is the official package index for the Python programming language, and one of the largest OSS package indices, serving over 1.2 billion downloads of over 500,000 unique packages each day to millions of Python developers and hundreds of millions of downstream users. As the cornerstone of a massive and diverse language ecosystem, changes to PyPI's security posture (and security features offered) represent a significant operational challenge, one shared by indices of similar size and criticality (such as NPM, RubyGems, and Crates). This talk is about one such change in PyPI's security posture: the creation and (ongoing) implementation of PEP 740, or "Index support for digital attestations." This talk will go through the details of PEP 740, how it relates to (and integrates with) standards like Sigstore, in-toto, and SLSA, and how PyPI (and Python packaging more broadly) is using PEP 740 to "bootstrap" strong, maintainer digital provenance for Python packages on top of PyPI's pre-existing support for Trusted Publishing, without the traditional downsides of key and identity management, complex signing ceremonies, and so forth.
Speakers
William Woodruff
Engineering Director, Trail of Bits
William Woodruff is an Engineering Director at Trail of Bits, a NYC-based consultancy. He splits his time between OSS engineering and running the Ecosystem Security group, which is responsible for contributing security and usability improvements to a wide range of OSS tools and services...
Salon 4-6
  SW Development + OSS
  • Session Slides Attached yes

11:30am EDT

Navigating the Open Source Policy Labyrinth: Unraveling Global Policy Efforts for a Secure Future - Dan Lorenc, Chainguard
Wednesday October 23, 2024 11:30am - 12:00pm EDT
OSS underpins the digital infrastructure of our society, so ensuring its security has never been more critical. This talk will delve into the intricate web of public policy initiatives aimed at enhancing the security of OSS. From the President's EO on Cybersecurity in the US to the ambitious EU Cyber Resilience Act, we will explore how these pivotal regulations are shaping the landscape of software security. We will also shed light on forward-thinking policy initiatives such as Secure by Design, SLSA, and Software Self Attestation, examining how they complement and reinforce existing legislation. By weaving together these diverse strands of policy, this session will provide a comprehensive overview of the current policy ecosystem, highlighting the connectedness of these initiatives and uncovering potential gaps and areas where there is significant disconnect. As the world grapples with the complexities of building and securing OSS, understanding the global policy landscape becomes essential for developers, policymakers, and industry leaders alike. Join me to gain a clear perspective on how policy efforts are converging to create a more secure and resilient open source future.
Speakers
Dan Lorenc
CEO and Co-Founder, Chainguard
Dan Lorenc is co-founder and CEO of Chainguard, a leading software supply chain security company. He started projects like Minikube, Skaffold, and Kaniko to make containers easy and fun, then got so worried about the state of OSS supply-chains he helped found the Tekton and Sigstore...
Salon 4-6

12:05pm EDT

The Open Source Paradox: Unpacking Risk, Equity, and Acceptance - Vincent Danen, Red Hat
Wednesday October 23, 2024 12:05pm - 12:35pm EDT
Open source software isn’t just allowed in most enterprises—it’s often the go-to choice. Yet while procurement policies have evolved to embrace open source, risk acceptance frameworks haven’t kept pace. We tend to treat security concerns like monsters under the bed, wanting them to vanish, but there's a key difference between how we view open source vs. proprietary software. In fact, open source’s very strengths are often weaponized against it, creating a double standard. Join me as we explore the paradox of risk tolerance, security equity, and the overlooked biases shaping the conversation around open source and proprietary software. Let’s level the playing field and rethink how we define and manage risk.
Speakers
Vincent Danen
Vice President, Product Security, Red Hat
Vincent Danen lives in Canada and is the Vice President of Product Security at Red Hat. He joined Red Hat in 2009 and has been working in the security field, specifically around Linux, operating security and vulnerability management, for over 20 years.
Salon 4-6
  Public Policy
  • Session Slides Attached yes

2:05pm EDT

Trojan Model Hubs: Hacking the ML Supply Chain & Defending Yourself from Threats - Sam Washko & William Armiros, Protect AI
Wednesday October 23, 2024 2:05pm - 2:35pm EDT
In this age of open source in machine learning, ML practitioners increasingly rely on public model hubs for downloading foundation models to fine-tune instead of creating models from scratch. However, compromised artifacts are very easy to share on these hubs. ML model files are vulnerable to Model Serialization Attacks (MSA), the injection of malicious code that will execute automatically when the file is deserialized. MSAs are the Trojan horses of ML, capable of turning a seemingly innocuous model into a backdoor to your system. So, what can you do about it? In this talk, we explore two strategies to use open-source tools to mitigate the risk of MSAs and other supply chain attacks on ML: model scanning with ModelScan by Protect AI and cryptographic signing with Sigstore by OpenSSF. Model scanning is our window into the black box model files. Cryptographic signatures link an artifact to a source's identity, backed up by a trusted authority. Scanning and signing are both widely used defenses for traditional software artifacts, but they have not been widely adopted in AI yet. We will demonstrate how these tools can bridge the AI/ML security gap, and stop Trojan Horses at the gate.
Speakers
William Armiros
Senior Software Engineer, Protect AI
William is a Senior Software Engineer at Protect AI, where he is building systems to help ML engineers and data scientists introduce security into their MLOps workflows effortlessly. Previously, he led a team at AWS working on application observability and distributed tracing. During...
Sam Washko
Senior Software Engineer, Protect AI
Sam Washko is a senior software engineer passionate about the intersection of security and software development. She works for Protect AI developing tools for making machine learning systems more secure. She holds a BS in Computer Science from Duke University, and prior to joining...
Salon 4-6

2:40pm EDT

Supply-Chain Security, Outside in: What Helping ~200 Projects Improve Their Security Looks Like - Pedro Nacht & Diogo Teles Sant'Anna, Google
Wednesday October 23, 2024 2:40pm - 3:10pm EDT
The greatest challenge in open-source supply-chain security is how unrewarding it feels. Maintainers have to do the vast majority of the work necessary to improve a repository's supply-chain security. But – other than the satisfaction of a job well done – they get almost no benefit from it. Supply-chain security improvements don't add features, squash bugs, or improve performance. Instead, the benefits fall entirely on the package's consumers, who can feel safe depending on that package. In 2023, the Google Open Source Security Team (GOSST) began work to help maintainers carry this burden. We approached ~200 open-source projects of critical importance to the ecosystem, hoping to help them improve their supply-chain security. This presentation will describe the philosophy behind the team's approach, our overall results (500+ contributions, 90% accepted!), and key lessons learned. We hope to inspire you – consumer, maintainer, or someone who's just interested in this sort of thing – to learn from our mistakes and outdo our successes. Help us help maintainers keep open source secure.
Speakers
Pedro Nacht
Software Engineer, Google
Professionally... I've been around. A structural engineer by training, I quickly moved to writing engineering software. After completing an MBA, I became a financial data analyst. Hoping to make more of an impact, I joined Google's Open Source Security Team (GOSST). In GOSST's Upstream...
Diogo Teles Sant'Anna
Software Engineer, Google
Passionate about technology, I began my studies in Computer Engineering in 2016 at the University of Campinas (UNICAMP, Brazil), and now I'm working as a Software Engineer at Google. Since 2022, I have worked at the Google Open Source Security Team (GOSST).
Salon 4-6
  SW Development + OSS
  • Session Slides Attached yes

3:40pm EDT

Role-Based Access Is so Yesterday: Revolutionizing Authorization with Open FGA - Kiah Imani, Auth0 by Okta
Wednesday October 23, 2024 3:40pm - 4:10pm EDT
Traditional role-based access control (RBAC) systems just don't cut it for modern, complex applications. In this talk, we'll dive into how Open FGA, an open-source fine-grained authorization solution, tackles these challenges head-on. We'll highlight the shortcomings of RBAC and show how Open FGA uses relationship-based access control (ReBAC) to offer a more flexible and detailed approach. You'll see how this tool can boost security, performance, and access management across various systems. If you’re curious to learn why the future of authorization is fine-grained and how Open FGA is paving the way, you don’t want to miss this session.
Speakers
Kiah Imani
Sr. Developer Advocate, Auth0 By Okta
Kiah is a developer who advocates for all things identity at Auth0. She is a public speaker who regularly presents at conferences and is a self-proclaimed opinionated knowledge seeker. Kiah has 13 years of experience covering both engineering and business roles and prides herself...
Salon 4-6