19 September 2024

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SOSS Community Day Europe 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is displayed in Central European Summer Time (CEST).

The schedule is subject to change.
Thursday, September 19

08:00 CEST

Registration + Badge Pick-up
Thursday September 19, 2024 08:00 - 17:30 CEST
Entrance 1 (Level 0)

09:00 CEST

Welcome & Opening Remarks - Katherine Druckman, Open Source Security Evangelist, Intel Corporation
Thursday September 19, 2024 09:00 - 09:05 CEST
Speakers
Katherine Druckman

Open Source Security Evangelist, Intel Corporation
Katherine Druckman is an Open Source Evangelist at Intel where she enjoys sharing her passion for a variety of open source topics. She is a long-time open source advocate, developer, and podcaster, and is currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality...
Room 3.29-3.30

09:10 CEST

Application Security is a Community Effort - Fernando Diaz, Senior Developer Advocate, Security, GitLab
Thursday September 19, 2024 09:10 - 09:15 CEST
GitLab's mission is to enable everyone to contribute to and co-create the software that powers the world. That software must be secure.
Open source plays a crucial role in addressing security risk through transparency and community effort. Because the source code is publicly available, a wider community from many different backgrounds can inspect, identify, and fix vulnerabilities in a timely manner.
Other open source practices help increase security, too. Things like:
  • Collaborative Verification
  • Security Auditing
  • Security tool Development
  • Contributions to security initiatives
  • Vulnerability Reporting and Resolution
  • Education and Best Practices
Using examples of these practices from GitLab and other open source projects, let's talk about how we can move open source security forward together.
Speakers
Fernando Diaz

Senior Developer Advocate, Security, GitLab
Fernando (Fern) Diaz is a Senior Developer Advocate at GitLab. He focuses on showcasing the value of implementing DevSecOps, Governance, and Shifting-Left within the complete Software Development Life Cycle (SDLC). In the past, he worked as a Software Developer at IBM Cloud, where...
Room 3.29-3.30

09:20 CEST

Will eBPF Save Us From the Next Global Outage? - Liz Rice, Chief Open Source Officer, Isovalent @ Cisco
Thursday September 19, 2024 09:20 - 09:35 CEST
Only a few weeks ago we saw how dangerous kernel-level changes can be, as IT infrastructure around the world was brought down by an update to a widely-used security tool. Does this mean the kernel is too dangerous for vendors to be allowed to access? In this talk we’ll consider how eBPF and its open source provenance can enable powerful and high performance security tools, without exposing users to the same risk of kernel bugs and their consequent outages.
Speakers
Liz Rice

Chief Open Source Officer, Isovalent @ Cisco
Liz Rice is Chief Open Source Officer with eBPF specialists Isovalent, creators of the Cilium project. She was chair of the CNCF's Technical Oversight Committee 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018. She is also the author of Container Security, published by...
Room 3.29-3.30

09:40 CEST

CISA Update - Aeva Black, Section Chief, Open Source Security, CISA
Thursday September 19, 2024 09:40 - 09:45 CEST
Speakers
Aeva Black

Section Chief, Open Source Security, CISA
Aeva Black is an open source hacker, advocate, and international public speaker with over 20 years of experience building digital infrastructure and leading open source projects at technology companies. She is the Section Chief for Open Source Security at CISA, and serves as the Secretary...
Room 3.29-3.30

09:50 CEST

Hitchhikers' Guide to the Vulniverse - CRob, Security Lorax, Intel
Thursday September 19, 2024 09:50 - 10:10 CEST
DON’T PANIC! Grab your towel and come along for a tour of the crazy acronyms that make up the Vulniverse! Finding, fixing, and sharing vulnerabilities is a challenge on the easiest of days. Mix in all of the standards, formats, channels, and personalities, and it can feel like an insurmountable hill to climb every day. Don’t despair, the Vulniverse Alphabet Soup Guide is here to help make things a little less confusing! Learn about the foundational elements used within Coordinated Vulnerability Disclosure (CVD) by Product Security & Incident Response Teams (PSIRTs), Security Researchers, Computer Emergency Response Teams (CERTs), and Corporate Incident Response & Security Teams (CSIRTs) to describe and communicate information about security vulnerabilities in hardware and software. Learn how formats such as CVE (Common Vulnerabilities & Exposures), CVSS (Common Vulnerability Scoring System), CWE (Common Weakness Enumeration), and newer items like VEX (Vulnerability Exploitability eXchange) all have vital parts to play in getting information and fixes into the hands of software and hardware consumers! After this, YOU’LL be a Vulnerability Babelfish!
Speakers
Christopher (CRob) Robinson

Christopher Robinson (aka CRob) is Director of Security Communications at Intel Product Assurance and Security. CRob is a 42nd level Dungeon Master and a 25th level Securityologist. CRob has been involved in upstream open source security for a decade, and spent 6 years helping lead...
Room 3.29-3.30
  Keynote Sessions

10:15 CEST

Security Initiatives in Community Driven Projects: Looking Ahead with Python and Rust - Deb Nicholson, Python Software Foundation & Rebecca Rumbul, Rust Foundation
Thursday September 19, 2024 10:15 - 10:35 CEST
This session will focus on the approaches taken by the Python Software Foundation and the Rust Foundation in developing their recent security initiatives, and peer ahead into what the future might hold. Future initiatives will build on the lessons learned while engaging their respective communities in embedding good security hygiene. The contrast between the bottom-up open source approach to development and the historically top-down approach to security meant we had to strike our own paths. We will discuss the strategies we've already put in place: (a) building consensus, (b) transparent communications, and (c) responding to pushback. Then we will take a look at the future of security work in SOSS. We'll cover the importance of sustained investment and collaboration across ecosystems and offer some ideas for how to align your project and community for the long haul.
Speakers
Deb Nicholson

Executive Director, Python Software Foundation
Deb Nicholson is an open source software policy expert and a passionate community advocate. She is the Executive Director at the Python Software Foundation which serves as the non-profit steward of the Python programming language. She serves on the Board of Directors for the Spritely...
Rebecca Rumbul

Executive Director, Rust Foundation
Rebecca is the Executive Director and CEO of the Rust Foundation. She holds a PhD in Politics and Governance, and has worked as a consultant and researcher with governments, parliaments and development agencies all over the world, advocating for openness and transparency, and developing...
Room 3.29-3.30

10:15 CEST

We Know Security but How Do We Secure GenAI End-to-End? - Mihai Maruseac, Google
Thursday September 19, 2024 10:15 - 10:35 CEST
AI developers are experts at building AI models. Security people know how to secure traditional software. But how do we secure software that contains AI? This is not a theoretical question: we have executive orders for strengthening the supply chain and secure AI development, and we have NIST SP 800-218A for secure usage of GenAI. What is lacking is a deep dive into how people can use OSS technologies to secure software that uses AI. This is what we plan to do in this talk. We will present every possible step that can be taken to train models in a secure way. This covers securing the data from ingestion through its use during training and evaluation. It also covers fine-tuning foundational models and model quantization. It aims to be the most complete and comprehensive resource on securing AI-powered applications from the point of view of the software supply chain. Then, it will cover securing AI outputs and securing AI deployments. This is really important to do, because we see the same security concerns from traditional software being repeated in the AI world, but at an accelerated pace. As the threat landscape evolves, we should be building on stable, secure foundations.
Speakers
Mihai Maruseac

Staff Software Engineer, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security for ML and on GUAC. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential Privacy (DP) within...
Room 3.16-3.17

10:40 CEST

Finally! Automated End-to-End VEX Streams You Can Trust - Adolfo García Veytia, Stacklok
Thursday September 19, 2024 10:40 - 11:00 CEST
VEX, the Vulnerability Exploitability Exchange, is a communications channel that informs consumers about the impact of a vulnerability on a piece of software. Since its inception about two years ago, the SBOM/VEX community has been busy implementing the required pieces to enable VEX data to flow seamlessly from projects to security scanners. With the recent adoption of OpenVEX in the Go security tooling, we can finally generate automated VEX streams that involve no human intervention and can be fully trusted, as their statements are generated from reachability data produced by the compiler. It is a major milestone that marks a new phase in the OpenVEX ecosystem's maturity. Join us as we build a trusted end-to-end VEX stream, from code to scanner, diving deep into a VEX document and exploring other highlights of the OpenVEX ecosystem.
Speakers
Adolfo García Veytia

Staff Software Engineer, Stacklok
Adolfo García Veytia (@puerco) is a software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads, actively on the Release Engineering team. He specializes in improvements to automation behind the Kubernetes release process. He is also the creator of OpenVEX...
Room 3.29-3.30

10:40 CEST

Nation-State Threats in the Open-Source Software Supply Chain - Ross Bryant, Phylum
Thursday September 19, 2024 10:40 - 11:00 CEST
North Korea (DPRK) has been an active cyber threat since at least 2009. It is estimated that 90% of all DPRK cyber threat activity is attributable to a group under the Korean People's Army known as the Lazarus Group, which was responsible for the 2014 attack against Sony Pictures Entertainment. In June 2023, the Phylum Research Team discovered a series of suspicious packages published in the npm ecosystem. Upon installation, these packages facilitated the download of a malicious payload from a remote server. Later, GitHub published their independent findings, together with Microsoft Threat Intelligence and CISA, and confirmed that these packages were the work of the Lazarus Group. This campaign targeted software developers over three months. A new Lazarus Group campaign began in September 2023 with different and evolving tactics. Dozens of malicious packages were published during this time and were seen as recently as February 2024. The details in the code of these packages differ significantly, but a common motive between these two campaigns remains: stealing cryptocurrency from job-seeking software developers through social engineering.
Speakers
Ross Bryant

Chief of Research, Phylum
Ross is the Chief of Research at Phylum and has over a decade of threat-hunting research experience. Before joining Phylum, he worked as a researcher for the U.S. Department of Energy and as a research mathematician for the U.S. Department of Defense.
Room 3.16-3.17

11:00 CEST

Break & Networking
Thursday September 19, 2024 11:00 - 11:20 CEST
  • AM Break 
    • Home-made marble cake
    • Variety of potato chips: glutenfree and vegan
    • Gluten-free madeleine
    • Fruits
Foyer

11:20 CEST

Enforcing Organization Policies with Enterprise Contract - Zoran Regvart, Red Hat
Thursday September 19, 2024 11:20 - 11:40 CEST
In today's rapidly evolving tech landscape, ensuring that container images comply with organizational policies is paramount for maintaining security. Join us for an insightful session on leveraging the open-source Enterprise Contract ecosystem to enforce these policies effectively within your organization. In this session, we will delve into how Enterprise Contract uses Sigstore signatures, in-toto attestations, and other tamper-proof sources to enforce organization policies. Although Enterprise Contract is a CI-agnostic tool, we will focus on the Tekton ecosystem. Key points covered will include:
  1. The critical role of ensuring container images meet organizational policies.
  2. How Enterprise Contract enforces policies using secure and tamper-proof sources.
  3. Configuring policies to validate that specific Tekton Tasks, like code scanners, have been executed during the container image build process.
This session is designed for attendees already familiar with the Sigstore community project, though true beginners are also encouraged to join. By the end of this session, participants will understand how to go beyond simple signature checks to validate their container images.
Speakers
Zoran Regvart

Software Engineer, Red Hat
Zoran Regvart is a Software Engineer at Red Hat and Apache Software Foundation member. He has been involved in various open source projects, including Apache Camel, Tekton and Open Policy Agent. More recently, he has worked with his team on building a mechanism to standardize the...
Room 3.16-3.17

11:20 CEST

German National Guideline on SOSS-Lifecycle: Community Outreach - Damian Ludwig & Andreas Neth, BSI
Thursday September 19, 2024 11:20 - 11:40 CEST
The German Federal Office for Information Security is developing a guideline for a secure software development lifecycle specific to open source software. This guideline may in the near future be relevant to the OSS ecosystem in Germany in relation to the CRA. Therefore the Federal Office for Information Security wants to involve and reach out to the open source community early, in order to collect input on anticipated challenges, widely accepted goals, and general ideas on how to make open source software secure without placing an unacceptable burden on the community.
Speakers
Andreas Neth

IT Security Architect, BSI
Andreas Neth is an IT Security Architect at the German Federal Office for Information Security. He’s been building Open Source based IT-systems for about 20 years. His background is both in network infrastructure and IT-Security and he has been teaching about IT-Security and advocating...
Damian Ludwig

Security Analyst, German Federal Office for Information Security
Damian Ludwig works as an IT-Security Analyst for the German Federal Office for Information Security, where he leads the development of a national guideline for a secure Open-Source-Software lifecycle. During his previous work in academics, he was researching and designing secure...
Room 3.29-3.30

11:45 CEST

Exploring a Risk Approach to Software Supply Chain Security - Abdullah Garcia, J.P. Morgan
Thursday September 19, 2024 11:45 - 12:05 CEST
Throughout the presentation, I dive into software supply chain attacks and explain how they unfold incrementally. By understanding this, attendees will learn how to analyze their processes for software ingestion, integration, and testing to account for supplier risk. A particular emphasis is placed on open source software, highlighting both its benefits and its vulnerabilities in the software supply chain. Attendees will also understand how the risk-based model can respond to software supply chain attacks even when they are not detected until later in the software supply chain, and gain critical insight into the kinds of changes needed in their processes and software tools, including open source solutions, to support this approach.
Speakers
Abdullah Garcia

Senior Lead Cybersecurity Architect, J.P. Morgan
Enthusiastic and driven security engineer and architect with over ten years of experience of successful design and delivery of high-quality solutions across a broad range of industry sectors. Strives to continue with self-development and on-going learning. Interested in security architecture...
Room 3.29-3.30

11:45 CEST

Play, Learn, Secure: The Power of Gamification in Security Training - Julia Lamenza, Consultant
Thursday September 19, 2024 11:45 - 12:05 CEST
As cybersecurity threats continue to evolve, traditional training methods often fall short in engaging learners and fostering long-term retention of security principles. This presentation explores how gamification—leveraging game design elements in non-game contexts—can revolutionize security education. By integrating interactive challenges, real-world scenarios, and immediate feedback, gamified training programs significantly enhance learner engagement, motivation, and knowledge retention.
Speakers
Julia Lamenza

SRE, Consultant
A knowledge-sharing enthusiast diving deeper into the DevOps and SRE worlds every day. Just a woman in infrastructure, making the cloud a bit fluffier. 😉
Room 3.16-3.17

12:10 CEST

Breaking Barriers: The Art of (Free) Gamified Security Training - Joseph Katsioloudes, GitHub
Thursday September 19, 2024 12:10 - 12:30 CEST
In a world where security training often feels like a mundane chore, discover the refreshing impact of gamification and turn learning into an enjoyable experience. Embark on an insightful journey as we unveil the success story of gh.io/securecodegame, an open-source game hosted on GitHub Skills, that attracted over 3,000 developers within the first 6 months. This session will provide you with an exclusive behind-the-scenes perspective, offering valuable insights and practical strategies to revolutionize various aspects of security training for your benefit. We’ll explore a case study from a tech startup that observed, among the developers who played the game, an increased sense of ownership for code security, improved communication with security teams, and a strong willingness to embrace further security training.
Speakers
Joseph Katsioloudes

Developer Advocate, GitHub
Joseph is a security expert who empowers developers to ship secure software through his research and education work at the GitHub Security Lab. His recent contributions include video content with combined 1M+ views packed with practical security tips, and the free game gh.io/securecodegame...
Room 3.16-3.17

12:10 CEST

OSS Dependency Health: Towards Maturity and Sustainability Risk Assessment Model - Georg Link & Miguel Ángel Fernández Sánchez, Bitergia; Ana Jiménez Santamaría, Linux Foundation; Wietse Braam, ING BANK
Thursday September 19, 2024 12:10 - 12:30 CEST
Organizations depend heavily on OSS libraries. Existing tools assess license compliance and code vulnerabilities in the short term, but there is a gap in tools to monitor the long-term health and sustainability of OSS libraries. Enterprises especially face challenges in assessing these risks for large-scale deployments. In this panel, using Kubernetes as the example, we show how the Risk Model we built together with ING can evaluate the health and sustainability of open source dependencies. This model is informed by the CHAOSS project (community health) and is complementary to the OpenSSF Scorecard. It goes beyond traditional SBOM analysis to assess ongoing maintenance activity. Attendees will learn how this Risk Model can help ensure the health and sustainability of open source deployments. We will discuss varying security needs from the perspective of OSPOs, who facilitate open source understanding and security assessments across business units. Attendees can put questions directly to the Data Scientists who built the Risk Model on top of the open source CHAOSS GrimoireLab software.
Speakers
Wietse Braam

IT Area Lead, ING Bank
Senior manager coming from a developer background. Currently responsible for the team that develops the global CI/CD solution for ING.
Miguel Ángel Fernández

Data Analyst and Consultant, Bitergia
Data Scientist passionate about the open-source ecosystem & CHAOSS Contributor
Georg Link

Director of Sales, Bitergia
Georg’s mission is to make open source more professional by using community metrics and analytics. Georg cofounded the CHAOSS Project to advance analytics and metrics for open source project health. Georg is an active contributor to several projects and often presents on open...
Ana Jiménez Santamaría

Project Manager, Linux Foundation
Ana is the Project Manager at the Linux Foundation TODO Group collaborative project, whose aim is to create and share knowledge on open source management and operations best practices. Formerly she worked at Bitergia, a Software Development Analytics firm, and she has finished her...
Room 3.29-3.30

12:35 CEST

Rules of Engagement for Forking a Dependency - Chris Swan, Atsign
Thursday September 19, 2024 12:35 - 12:45 CEST
You got the CVE notification, but there's no fix yet. Customers GUACing your SBOMs are worried. Should you fork? This presentation will run through the rules of engagement we've used at Atsign when these situations arise, which aim to balance good community citizenship with making sure stuff gets fixed.
Speakers
Chris Swan

Engineer, Atsign
Chris Swan is an Engineer at Atsign, building the atPlatform, a technology that is putting people in control of their data and removing the frictions and surveillance associated with today’s Internet. He was previously a Fellow at DXC Technology where he held various CTO roles...
Room 3.16-3.17

12:35 CEST

The Current State of Open Source Security Compliance Tooling Is … Well, Sad. - Philippe Ombredanne, AboutCode
Thursday September 19, 2024 12:35 - 12:45 CEST
There's an explosion of proprietary tools promising to resolve each and every software supply chain issue. But none of these provide practical, reasonable, or affordable solutions to 1) massively improve the security posture of software teams and 2) comply with regulatory requirements. Software teams of all sizes continue to struggle to navigate the complex network of tools and databases claiming to fix everything, especially with the explosion of reported CVEs and the corresponding meltdown of CVE processing in the NVD. Open source tools are lagging, and as an open source community we can do better. In this talk, Philippe will present practical approaches to doing something that works, using readily available OpenSSF projects, open source tools, and open data, to make compliance attainable and automated with robust software supply chain security processes.
Speakers
Philippe Ombredanne

Lead maintainer, AboutCode
Philippe Ombredanne is a FOSS hacker passionate about enabling easier and safer reuse of open source code. He is the lead maintainer of the AboutCode stack of open source tools for Software Composition Analysis and license and security compliance, including the industry-leading ScanCode...
Room 3.29-3.30

12:45 CEST

Lunch (Attendees on Own)
Thursday September 19, 2024 12:45 - 14:15 CEST

14:15 CEST

ML Model Signing: Cryptographically Paving the Way to Provenance in Machine Learning Models - Mihai Maruseac, Google
Thursday September 19, 2024 14:15 - 14:35 CEST
How do I know where my machine learning model came from, and how can I prove it? This question has remained largely unanswered as adoption of machine learning and artificial intelligence has skyrocketed, with over 600,000 ML models freely available on model repositories like Hugging Face. Current cryptographic signing mechanisms are not designed with ML models in mind, nor are they fit for purpose largely due to one simple fact: models are not just a singular file. There are a number of disparate files in one directory (often several hundred gigabytes or more), comprising many bespoke formats only seen in the machine learning context.

We present an open-source specification and implementation to cryptographically sign an arbitrary collection of files that comprise an ML model, creating a mechanism to verify the integrity of a machine learning model and establish trust between the model producer and the end user. By implementing model signing, we are paving the way for model provenance, which helps strengthen the AI supply chain. With provenance, one could see who trained the model, which training framework was used, which datasets were used, and much more useful information.
Speakers
Mihai Maruseac

Staff Software Engineer, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security for ML and on GUAC. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential Privacy (DP) within...
Room 3.29-3.30

14:15 CEST

Prioritisation of SCA Findings in Software Dependencies Using Static Reachability Analysis - Joseph Hejderup, Endor Labs
Thursday September 19, 2024 14:15 - 14:35 CEST
A new day brings a new CVE alert for a third-party library, prompting urgent questions: Are we using this library? How many projects are affected? What’s our quick remediation plan? Traditional tools that analyze build manifests often fail to provide timely insights into these security vulnerabilities because they overlook actual code usage. In this talk, we'll demonstrate how static and reachability analyses offer a more effective approach by examining real dependency usage, enhancing prioritization and understanding of necessary updates for vulnerable libraries. Using real-world examples, we'll show how these analyses help developers better prioritize updates and understand dependency changes, aiding in informed decision-making. Our goal is to provide strategies for using these analyses to manage dependencies more effectively, uncover vulnerabilities, and enhance security and productivity in software development workflows.
Speakers
Joseph Hejderup

Member of Technical Staff, Endor Labs
Joseph Hejderup, a part-time developer and PhD student, is also a full-time enthusiast in enhancing package management systems. At Endor Labs and Delft University of Technology, he applies program analysis to improve the use of third-party components and assess their security and...
Room 3.16-3.17

14:40 CEST

Managing Vulnerabilities in Open-Source Dependencies - Eva Sarafianou, Mattermost
Thursday September 19, 2024 14:40 - 15:00 CEST
In today’s software development landscape, products are often an intricate blend of in-house code and open-source third-party dependencies. While many organizations have robust procedures to secure their own codebase, the strategies to safeguard against vulnerabilities in open-source components are not as well-developed. In this session, we will navigate the complexities of implementing an effective process to manage vulnerabilities within open-source dependencies. Our discussion will cover key considerations for evaluating software composition analysis tools and detail the steps necessary for a successful tool rollout. We will delve into effective strategies for triaging findings and shifting from a reactive to a proactive security posture. You will leave the session equipped with a foundational but adaptable process, ready to enhance the security of your products that depend on open-source dependencies.
Speakers
Eva Sarafianou

Product Security Engineering Lead, Mattermost
Eva is the Product Security Engineering Lead at Mattermost overseeing the Product Security function. Previously she was a Principal Product Security Engineer at Auth0/Okta. Passionate about creating secure applications, Eva is dedicated to building a robust product security program...
Room 3.16-3.17

14:40 CEST

Securing Content Distribution with RSTUF, an Incubating OpenSSF Project - Kairo De Araujo, TestifySec & Martin Vrachev, Open Source Contributor
Thursday September 19, 2024 14:40 - 15:00 CEST
As part of OpenSSF, led by the Securing Software Repositories Working Group, one of the goals has been securing content distribution. The Update Framework (TUF) has been a prime reference for secure content delivery and updates for many years. Despite its popularity, integrating with existing repositories remains challenging. Repository Service for TUF (RSTUF) is the first project to implement a generic TUF application to make general TUF adoption easier for any content repository. Lately, in recognition of its progress, RSTUF was promoted to an "incubating" project. In this talk, we will present RSTUF, update you with all the latest news about the project, and show how to secure content distribution by sharing use cases:
  • How PyPI and RubyGems are adopting RSTUF to secure their package repositories
  • RSTUF securing private repositories
  • Archivista, a storage for in-toto attestations, secured by RSTUF
Speakers
Kairo De Araujo

Senior Software Engineer - Open Source, TestifySec
Kairo is a Senior Open Source Engineer at TestifySec. Kairo contributed to python-tuf and is the author of Repository Service for TUF (RSTUF). Past roles include Senior Open Source Software Engineer at VMware OSPO, Senior Software Engineer at IBM, ING, Forescout, and a former System...
Martin Vrachev

Open Source Contributor
Martin Vrachev is an Open Source contributor. He was part of the VMware Open Source Program Office on the Security Supply Chain team. His contributions include multiple Open Source security projects solving a variety of problems. His latest work is focused on secure software supply...
Room 3.29-3.30

15:05 CEST

Secure Coding Guide for Python - David Mather & Bart Karas, Ericsson
Thursday September 19, 2024 15:05 - 15:15 CEST
Python is an incredibly popular programming language and the language of choice for countless open source projects, ranging from hobbyist projects, via entire cloud virtualization frameworks (e.g. OpenStack), to being a key enabler for a large portion of AI and ML tooling (e.g. PyTorch). Helping these Python developers to securely master their programming challenges has a concrete benefit for the security of this vibrant open source ecosystem. The OpenSSF Best Practices Working Group has recently adopted a new initiative which aims to create a Secure Coding Guide for Python. Structured around MITRE's CWE framework, the guide provides tangible advice for a wide range of programming challenges, including executable code examples. These code snippets aim to help developers build a better understanding by enabling experimentation with concrete implementations, while also constituting a proving ground for tool-based detection of weaknesses and vulnerabilities. In this brief presentation, Georg and Helge will provide an overview of the guide, its current state and its roadmap. We explicitly aim to solicit feedback from the Python community to further improve the guide.
Speakers
David Mather
Engineer, Ericsson
David Mather is a Software Engineer and Lead Product Owner at Ericsson, where they specialize in designing and developing cutting-edge telecommunications software solutions. He has a master’s degree in cybersecurity, a bachelor’s degree in computer science and several years of...

Bartlomiej Karas
Software Engineer, Ericsson
Bartlomiej Karas is a Software Engineer based at Ericsson in Athlone, Ireland, where he works on the Ericsson Network Manager on Cloud deployments. During his time at Ericsson, Bart has gained knowledge of a wide variety of concepts and technologies including Kubernetes, microservices...
Room 3.16-3.17

15:05 CEST

Web Developer Security: Best Practices & Beyond - Daniel Appelquist, Samsung
Thursday September 19, 2024 15:05 - 15:15 CEST
Last year I co-chaired a workshop called "Secure the Web Forward" that brought together web and security professionals to “drive developer awareness and adoption of Web security standards & practices.” This session will overview the latest developments in web developer security, including new activities spawned by that workshop. We'll cover latest security-related technologies in the platform as well as work happening in new W3C community and interest groups in conjunction with the OpenSSF Best Practices working group.
Speakers
Daniel Appelquist
Open Source Strategist, Samsung
Dan Appelquist is Open Source Strategist at Samsung Open Source Group. He is a web & mobile industry veteran and long-time participant and leader in open source and open standards. He has been co-chair of the W3C Technical Architecture Group for the last ten years. He was an early...
Room 3.29-3.30

15:20 CEST

Exploring Some Essential Security Checks for Any Open Source Go Project - Cosmin Cojocar, Google
Thursday September 19, 2024 15:20 - 15:40 CEST
Code security analysis, dependency vulnerability scanning and supply chain security should be part of any open source Go project. In this talk, we will explore some open source tools such as gosec, govulncheck and sigstore/cosign which make it easy for any maintainer to enhance the security of her project. We will show real examples from the gosec project where these tools are used to keep the project secure while constantly releasing new versions.
Speakers
Cosmin Cojocar
Senior Security Engineer, Google
Cosmin is a Senior Security Engineer at Google working on cloud security; before that he was with Adobe and Microsoft Azure. He has been involved in open source software for almost two decades as a contributor and maintainer of several projects such as gosec (a static security analyser...
Room 3.16-3.17

15:20 CEST

Userspace CNI - Developing in the Open with Remaining Secure - Michael O'Reilly, Intel
Thursday September 19, 2024 15:20 - 15:40 CEST
In this presentation, Michael will discuss how we took an unmaintained repository and applied the OpenSSF Scorecard to improve how we developed and re-developed an open source Kubernetes networking CNI. The Userspace CNI repository had been left unmaintained and was no longer building. At the request of another team in Intel, we set about updating all of the out-of-date dependencies, fixing broken API calls and getting the codebase working again. We decided to use this process to improve the security of the repo using the OpenSSF Scorecard. Michael will discuss the lessons we learned, how those lessons are being applied across our wider team within Intel and how you can apply our learnings to your own codebase. We stress the need to implement CI early in your project in order for tools such as Dependabot to be useful.
Speakers
Michael O'Reilly
Software Architect, Intel
Michael O'Reilly has worked for Intel for over 20 years. He is currently a software architect in Intel's networking business unit. He has worked on networking within Kubernetes and is currently developing Intel's Tiber(tm) Edge Networking platform.
Room 3.29-3.30

15:40 CEST

Break & Networking
Thursday September 19, 2024 15:40 - 16:00 CEST
  • PM Break 
    • Organic bread slice | grilled halloumi, pea chili cream | chili coriander pesto
    • Organic bread slice purple carrot hummus | roasted mushrooms | crunchy buckwheat  (gluten free and vegan)
    • Homemade apple crumble cake
    • Vegan muffin
    • Gluten-free madeleine
    • Fruits
Foyer

16:00 CEST

Let Devs Be Devs Without Sacrificing Security - Andrew McNamara, Red Hat
Thursday September 19, 2024 16:00 - 16:20 CEST
Proof of concept code doesn't need to meet the same requirements as production quality critical infrastructure applications. If the requirements are the same, however, you probably have a long line of devs frustrated and angry they can't innovate or get their code tested. But maintaining (and auditing) multiple pipelines to achieve various levels of hardening is not realistic. Detailed SLSA provenance and policy enforcement can work together to create flexible and adaptive pipelines for all your software security needs. Join us and learn how we've combined Tekton, Tekton Chains, and Enterprise Contract within our production CI to build out a secure, flexible framework. This combination lays down a secure foundation to freely build a variety of artifacts and apply risk-based policies to prevent unacceptable software from getting into your systems. Want to use the same pipeline to build software for dev and prod? No problem – just make sure that there is an appropriate policy for each!
Speakers
Andrew McNamara
Senior Principal Software Engineer, Red Hat
Andrew McNamara is passionate about usable CI/CD, security, and DevSecOps, drawing from his experience of building and shipping containerized software at IBM and Red Hat. As a SLSA maintainer, Andrew is helping people identify how to approach and understand supply chain security...
Room 3.29-3.30

16:00 CEST

TTX Session - Daniel Appelquist, Samsung; Kairo De Araujo, TestifySec; Georg Kunz, Ericsson; & Moderated by Katherine Druckman, Intel Corporation
Thursday September 19, 2024 16:00 - 17:15 CEST

In light of the upcoming new EU software regulations, OpenSSF will host a 90-minute interactive session to simulate a security incident response to achieve a few goals:
  • Provide a playbook for maintainers, contributors, and open source consumers to adopt and customize to start running their own TTX and improve their incident response and overall security posture.
  • Provide education for developers who are learning security
  • Demonstrate how current OpenSSF technologies may be helpful during a security incident
Session attendees will actively engage in the exercise by bringing their expertise in open software security ranging from open source production, distribution, consumption, vulnerability disclosure and management to incident response.
Note: This session will not be recorded
Speakers
Katherine Druckman
Open Source Security Evangelist, Intel Corporation
Katherine Druckman is an Open Source Evangelist at Intel where she enjoys sharing her passion for a variety of open source topics. She is a long-time open source advocate, developer, and podcaster, and is currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality...

Georg Kunz
Open Source Program Manager, Ericsson
Georg is an Open Source advocate and a long-term contributor to a wide range of open source communities and projects in LF Networking and beyond, such as OpenStack, OPNFV/Anuket, and OpenSSF. He served for multiple terms on the Anuket Technical Steering Committee and currently serves...

Daniel Appelquist
Open Source Strategist, Samsung
Dan Appelquist is Open Source Strategist at Samsung Open Source Group. He is a web & mobile industry veteran and long-time participant and leader in open source and open standards. He has been co-chair of the W3C Technical Architecture Group for the last ten years. He was an early...

Kairo De Araujo
Senior Software Engineer - Open Source, TestifySec
Kairo is a Senior Open Source Engineer at TestifySec. Kairo contributed to python-tuf and is the author of Repository Service for TUF (RSTUF). Past roles include Senior Open Source Software Engineer at VMware OSPO, Senior Software Engineer at IBM, ING, Forescout, and a former System...
Room 3.16-3.17

16:25 CEST

Security Lessons Learned from Scanning Thousands of Repos - Aviram Shmueli, Jit
Thursday September 19, 2024 16:25 - 16:45 CEST
Modern cloud native and DevOps practices have placed repositories at the heart of application development, storing our business-critical code and config data. One unique benefit of providing a SaaS security platform is the sheer volume of insights that can be derived to level up industry-wide security. In this talk we'll share real telemetry data from thousands of scanned repositories, highlighting some of the worst security practices in use even in the most evolved engineering organizations. We'll share real-world examples of some of the most prevalent application security anti-patterns, including exposed secrets and other common misconfigurations and bad practices across code, cloud and the CI/CD pipeline itself – join us on a voyeuristic journey that perhaps will also provide some therapeutic validation that you are not alone in some of these bad decisions. Understanding these threats will help equip your developers and security teams with the knowledge to avoid common mistakes.
Speakers
Aviram Shmueli
Chief Research & Innovation Officer and Co-Founder, Jit
As the Chief Research & Innovation Officer and Co-Founder of Jit, the Continuous Security Platform for Developers, Aviram combines his passion for creating innovative products with deep expertise in security. With over 20 years of hands-on experience, he has held senior roles in research...
Room 3.29-3.30

16:50 CEST

Navigating the Quantum Readiness Journey: Open-Source Cryptography, PKI and Signing Tools - Mike Agrenius Kushner, Keyfactor
Thursday September 19, 2024 16:50 - 17:00 CEST
Join us in exploring the Quantum Readiness journey, focusing on cybersecurity preparations. Dive into securing IoT, containers, and software supply chains using open-source FIPS-certified cryptographic APIs: bouncycastle.org, the open-source Public Key Infrastructure software: ejbca.org, and signserver.org for signing. Cryptography is a cornerstone of cybersecurity and is essential for everyone. We want to empower every engineer and security expert with hands-on insights into quantum-resistant cryptography to navigate the quantum readiness journey. Security is a collective effort; community collaboration is vital for high-quality, interoperable cryptographic solutions. We will also talk about standardization progress in Europe and the US.
Speakers
Mike Agrenius Kushner
Senior Product Architect, Keyfactor
I've been very happily working for the last few years with PKI at PrimeKey Solutions and Keyfactor, and the area of cryptography and open-source fits my work ethic like a glove.
Room 3.29-3.30

17:05 CEST

Run GenAI Projects at Scale Securely: From the Operating System to the MLOps Platform - Michelle Tabirao, Canonical
Thursday September 19, 2024 17:05 - 17:25 CEST
GenAI is defining a new industry. It uses different types of data to generate new content. It requires access to large volumes of data and generates even more data. Organisations are eager to adopt genAI projects due to their clear benefits and many use cases. GenAI initiatives often work with sensitive data such as sales data or customer behaviour patterns. Professionals working on these projects need many access points to organisations’ infrastructure, which can easily become a risk. Whether we’re thinking of the infrastructure where models are built or optimised or we focus on the edge devices where they run, there is a need to ensure the security of the entire stack. Open source tooling is widely used in AI projects due to its scalability and portability. Securing the entire stack will enable organisations to focus on genAI projects, without worrying about the security risks. This talk will walk the audience through all the layers of the stack, from the operating system to the MLOps platform, covering data centres where models are built and edge devices. It will present key considerations for security, best practices and opportunities for highly regulated industries.
Speakers
Michelle Tabirao
Data Solutions Product Manager, Canonical
Michelle Tabirao is a Data Solutions Product Manager at Canonical and has been working on Charmed OpenSearch innovations. She also advocates for open source, inclusive tech, and digital literacy through her non-profit organization - www.ulap.org...
Room 3.29-3.30

17:30 CEST

Closing Remarks - Katherine Druckman, Open Source Security Evangelist
Thursday September 19, 2024 17:30 - 17:35 CEST
Speakers
Katherine Druckman
Open Source Security Evangelist, Intel Corporation
Katherine Druckman is an Open Source Evangelist at Intel where she enjoys sharing her passion for a variety of open source topics. She is a long-time open source advocate, developer, and podcaster, and is currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality...
Room 3.29-3.30