SOSS Community Day Europe 2024

SOSS Community Day Europe 2024

19 September 2024
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SOSS Community Day Europe 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Central Europe Summer Time (CEST). To see the schedule in your preferred timezone, please select from the drop-down located at the bottom of the menu to the right.

The schedule is subject to change.

10:15 CEST

Security Initiatives in Community Driven Projects: Looking Ahead with Python and Rust - Deb Nicholson, Python Software Foundation & Rebecca Rumbul, Rust Foundation

Thursday September 19, 2024 10:15 - 10:35 CEST

This session will focus on the approaches taken by the Python Foundation and the Rust Foundation in developing their recent security initiatives and peer ahead into what the future might hold. Future initiatives will build on the lessons learned engaging their respective communities in embedding good security hygiene. The contrast between the bottom-up open source approach to development, vs the historic top down approach to security meant we had to strike our own paths. We will discuss the strategies we've already put in place a. Building consensus b. Transparent communications c. Responding to pushback and then we will take a look at the future of security work in SOSS. We'll cover the importance of sustained investment and collaboration across ecosystems and offer some ideas for how to align your project and community for the long haul.

Speakers

Deb Nicholson

Executive Director, Python Software Foundation

Deb Nicholson is an open source software policy expert and a passionate community advocate. She is the Executive Director at the Python Software Foundation which serves as the non-profit steward of the Python programming language. She serves on the Board of Directors for the Spritely... Read More →

Rebecca Rumbul

Executive Director, Rust Foundation

Rebecca is the Executive Director and CEO of the Rust Foundation. She holds a PhD in Politics and Governance, and has worked as a consultant and researcher with governments, parliaments and development agencies all over the world, advocating for openness and transparency, and developing... Read More →

Thursday September 19, 2024 10:15 - 10:35 CEST
Room 3.29-3.30

Breakout Sessions

10:15 CEST

We Know Security but How Do We Secure GenAI End-to-End? - Mihai Maruseac, Google

Thursday September 19, 2024 10:15 - 10:35 CEST

AI developers are experts at building AI models. Security people know how to secure traditional software. But how do we secure software that contains AI? This is not a theoretical question: We have executive orders for strengthening the supply chain and secure AI development, we have NIST SP 800-218A for secure usage of GenAI. What is lacking is a deep dive into how people can use OSS technologies to secure software using AI. This is what we are planning to do in this talk. We will present every possible step that can be taken to train models in a secure way. This will cover securing the data from ingestion to using it during training, and evaluation. It also covers fine-tuning foundational models and model quantization. It aims to be the most complete and comprehensive resource in securing AI powered application from the point of view of the software supply chain. Then, it will include items about securing AI outputs, securing AI deployments. This is really important to do, because we see the same security concerns from traditional software being repeated in AI world, but at an accelerated pace. As threat landscape evolves, we are should building on stable, secure foundations.

Speakers

Mihai Maruseac

Staff Software Engineer, Google

Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security for ML and on GUAC. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential Privacy (DP) withing... Read More →

Thursday September 19, 2024 10:15 - 10:35 CEST
Room 3.16-3.17

Breakout Sessions

10:40 CEST

Finally! Automated End-to-End VEX Streams You Can Trust - Adolfo García Veytia, Stacklok

Thursday September 19, 2024 10:40 - 11:00 CEST

VEX, the Vulnerability Exploitability Exchange, is a communications channel that informs consumers about the impact of a vulnerability on a piece of software. Since its inception about two years ago, the SBOM/VEX community has been busy implementing the required pieces to enable VEX data to flow seamlessly from projects to security scanners. With the recent adoption of OpenVEX in the Go security tooling, we can finally generate automated VEX streams that don't involve human intervention and can be fully trusted as its statements are generated from reachability data from the compiler. It is a major milestone that marks a new phase in the OpenVEX ecosystem's maturity. Join us as we build a trusted end-to-end VEX stream, from code to scanner diving deep into a VEX document and we explore other highlights of the OpenVEX ecosystem.

Speakers

Adolfo García Veytia

Staff Software Engineer, Stacklok

Adolfo García Veytia (@puerco) is a software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads, actively on the Release Engineering team. He specializes in improvements to automation behind the Kubernetes release process. He is also the creator OpenVEX... Read More →

Thursday September 19, 2024 10:40 - 11:00 CEST
Room 3.29-3.30

Breakout Sessions

10:40 CEST

Nation-State Threats in the Open-Source Software Supply Chain - Ross Bryant, Phylum

Thursday September 19, 2024 10:40 - 11:00 CEST

North Korea (DPRK) has been an active cyber threat since at least 2009. It is estimated that 90% of all DPRK cyber threat activity is attributable to a group under the Korean People's Army known as the Lazarus Group, which was responsible for the 2014 attack against Sony Pictures Entertainment. In June 2023, the Phylum Research Team discovered a series of suspicious packages published in the npm ecosystem. Upon installation, these packages facilitated the download of a malicious payload from a remote server. Later, GitHub published their independent findings, together with Microsoft Threat Intelligence and CISA, and confirmed that these packages were the work of the Lazarus Group. This campaign targeted software developers over three months. A new Lazarus Group campaign began in September 2023 with different and evolving tactics. Dozens of malicious packages were published during this time and were seen as recently as February 2024. The details in the code of these packages differ significantly, but a common motive between these two campaigns remains: stealing cryptocurrency from job-seeking software developers through social engineering.

Speakers

Ross Bryant

Chief of Research, Phylum

Ross is the Chief of Research at Phylum and has over a decade of threat-hunting research experience. Before joining Phylum, he worked as a researcher for the U.S. Department of Energy and as a research mathematician for the U.S. Department of Defense.

OSSF EU 2024 pdf

Thursday September 19, 2024 10:40 - 11:00 CEST
Room 3.16-3.17

Breakout Sessions

11:20 CEST

Enforcing Organization Policies with Enterprise Contract - Zoran Regvart, Red Hat

Thursday September 19, 2024 11:20 - 11:40 CEST

In today's rapidly evolving tech landscape, ensuring that container images comply with organizational policies is paramount for maintaining security. Join us for an insightful session on leveraging the open-source Enterprise Contract ecosystem to enforce these policies effectively within your organization. In this session, we will delve into how Enterprise Contract utilizes Sigstore signatures, in-toto attestations, and other tamper-proof sources to enforce organization policies. Although Enterprise Contract is a CI agnostic tool, we will focus on the Tekton ecosystem. Key points covered will include: 1. The critical role of ensuring container images meet organizational policies. 2. How Enterprise Contract enforces policies using secure and tamper-proof sources. 3. Configuring policies to validate specific Tekton Tasks, like code scanners, have been executed during the container image build process. This session is designed for attendees already familiar with the Sigstore community project, though true beginners are also encouraged to join. By the end of this session, participants will understand how to go beyond simple signature checks to validate their container images.

Speakers

Zoran Regvart

Software Engineer, Red Hat

Zoran Regvart is a Software Engineer at Red Hat and Apache Software Foundation member. He has been involved in various open source projects, including Apache Camel, Tekton and Open Policy Agent. More recently, he has worked with his team on building a mechanism to standardize the... Read More →

SOSS Community Day Europe Enforcing Organization Policies with Enterprise Contract Zoran Regvart pdf

Thursday September 19, 2024 11:20 - 11:40 CEST
Room 3.16-3.17

Breakout Sessions

11:20 CEST

German National Guideline on SOSS-Lifecycle: Community Outreach - Damian Ludwig & Andreas Neth, BSI

Thursday September 19, 2024 11:20 - 11:40 CEST

The German Federal Office for Information Security is developing a guideline for a secure software development lifecycle, specific to open source software. This guideline may in the near future be relevant to the OSS ecosystem in Germany, relating to the CRA. Therefore the Federal Office for Information Security wants to involve and reach out to the open source community early, in order to collect input on anticipated challenges, widely accepted goals and general ideas on how to make open source software secure while not putting unacceptable burden on the community.

Speakers

Andreas Neth

IT Security Architect, BSI

Andreas Neth is an IT Security Architect at the German Federal Office for Information Security. He’s been building Open Source based IT-systems for about 20 years. His background is both in network infrastructure and IT-Security and he has been teaching about IT-Security and advocating... Read More →

Damian Ludwig

Security Analyst, German Federal Office for Information Security

Damian Ludwig works as an IT-Security Analyst for the German Federal Office for Information Security, where he leads the development of a national guideline for a secure Open-Source-Software lifecycle. During his previous work in academics, he was researching and designing secure... Read More →

Thursday September 19, 2024 11:20 - 11:40 CEST
Room 3.29-3.30

Breakout Sessions

11:45 CEST

Exploring a Risk Approach to Software Supply Chain Security - Abdullah Garcia, J.P. Morgan

Thursday September 19, 2024 11:45 - 12:05 CEST

Throughout the presentation, I dive into software supply chain attacks and explain how they unfold incrementally. By understanding the latter, attendees will learn how to analyze their processes for software ingestion, integration, and testing to account for Supplier Risk. A particular emphasis is placed on open source software, highlighting both its benefits and vulnerabilities in the software supply chain. Attendees will also understand how the risk-based model can respond to software supply chain attacks even when they are not detected until later in the software supply chain, and gain critical insight into the kinds of changes needed in their processes and software tools, including open source solutions, to support this approach.

Speakers

Abdullah Garcia

Senior Lead Cybersecurity Architect, J.P. Morgan

Enthusiastic and driven security engineer and architect with over ten years of experience of successful design and delivery of high-quality solutions across a broad range of industry sectors. Strives to continue with self-development and on-going learning. Interested in security architecture... Read More →

Thursday September 19, 2024 11:45 - 12:05 CEST
Room 3.29-3.30

Breakout Sessions

11:45 CEST

Play, Learn, Secure: The Power of Gamification in Security Training - Julia Lamenza, Consultant

Thursday September 19, 2024 11:45 - 12:05 CEST

As cybersecurity threats continue to evolve, traditional security training can sometimes feel boring and often misses the mark in keeping people engaged or helping them retain key security concepts. This presentation explores how gamification can transform security training. By incorporating hands-on challenges, real-world scenarios, and instant feedback, gamified learning not only grabs attention but also helps the lessons stick in the long run.

Speakers

Julia Lamenza

SRE, Consultant

A knowledge-sharing enthusiast diving deeper into the DevOps and SRE worlds every day. Just a woman in infrastructure, making the cloud a bit fluffier. 😉

Play, Learn, Secure Gamification in Security Training pdf

Thursday September 19, 2024 11:45 - 12:05 CEST
Room 3.16-3.17

Breakout Sessions

12:10 CEST

Breaking Barriers: The Art of (Free) Gamified Security Training - Joseph Katsioloudes, GitHub

Thursday September 19, 2024 12:10 - 12:30 CEST

In a world where security training often feels like a mundane chore, discover the refreshing impact of gamification and turn learning into an enjoyable experience. Embark on an insightful journey as we unveil the success story of gh.io/securecodegame, an open-source game hosted on GitHub Skills, that attracted over 3,000 developers within the first 6 months. This session will provide you with an exclusive behind-the-scenes perspective, offering valuable insights and practical strategies to revolutionize various aspects of security training for your benefit. We’ll explore a case study from a tech startup that observed, among the developers who played the game, an increased sense of ownership for code security, improved communication with security teams, and a strong willingness to embrace further security training.

Speakers

Joseph Katsioloudes

Developer Advocate, GitHub

Joseph is a security expert who empowers developers to ship secure software through his research and education work at the GitHub Security Lab. His recent contributions include video content with combined 1M+ views packed with practical security tips, and the free game gh.io/securecodegame... Read More →

Thursday September 19, 2024 12:10 - 12:30 CEST
Room 3.16-3.17

Breakout Sessions

14:15 CEST

ML Model Signing: Cryptographically Paving the Way to Provenance in Machine Learning Models - Mihai Maruseac, Google

Thursday September 19, 2024 14:15 - 14:35 CEST

How do I know where my machine learning model came from, and how can I prove it? This question has remained largely unanswered as adoption of machine learning and artificial intelligence has skyrocketed, with over 600,000 ML models freely available on model repositories like Hugging Face. Current cryptographic signing mechanisms are not designed with ML models in mind, nor are they fit for purpose largely due to one simple fact: models are not just a singular file. There are a number of disparate files in one directory (often several hundred gigabytes or more), comprising many bespoke formats only seen in the machine learning context.

We present an open-source specification and implementation to cryptographically sign an arbitrary collection of files which comprise an ML model, to create a mechanism to verify the integrity of a machine learning model to ensure trust between the model producer and end-user. By implementing model signing, we are paving the way for model provenance which helps strengthen the AI supply chain. With provenance, one could see who has trained the model, what training framework has been used, what datasets were used, and much other useful information.

Speakers

Mihai Maruseac

Staff Software Engineer, Google

Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security for ML and on GUAC. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential Privacy (DP) withing... Read More →

Thursday September 19, 2024 14:15 - 14:35 CEST
Room 3.29-3.30

Breakout Sessions

14:15 CEST

Prioritisation of SCA Findings in Software Dependencies Using Static Reachability Analysis - Joseph Hejderup, Endor Labs

Thursday September 19, 2024 14:15 - 14:35 CEST

A new day brings a new CVE alert for a third-party library, prompting urgent questions: Are we using this library? How many projects are affected? What’s our quick remediation plan? Traditional tools that analyze build manifests often fail to provide timely insights into these security vulnerabilities because they overlook actual code usage. In this talk, we'll demonstrate how static and reachability analyses offer a more effective approach by examining real dependency usage, enhancing prioritization and understanding of necessary updates for vulnerable libraries. Using real-world examples, we'll show how these analyses help developers better prioritize updates and understand dependency changes, aiding in informed decision-making. Our goal is to provide strategies for using these analyses to manage dependencies more effectively, uncover vulnerabilities, and enhance security and productivity in software development workflows.

Speakers

Joseph Hejderup

Member of Technical Staff, Endor Labs

Joseph Hejderup, a part-time developer and PhD student, is also a full-time enthusiast in enhancing package management systems. At Endor Labs and Delft University of Technology, he applies program analysis to improve the use of third-party components and assess their security and... Read More →

Thursday September 19, 2024 14:15 - 14:35 CEST
Room 3.16-3.17

Breakout Sessions

14:40 CEST

Managing Vulnerabilities in Open-Source Dependencies - Eva Sarafianou, Mattermost

Thursday September 19, 2024 14:40 - 15:00 CEST

In today’s software development landscape, products are often an intricate blend of in-house code and open-source third-party dependencies. While many organizations have robust procedures to secure their own codebase, the strategies to safeguard against vulnerabilities in open-source components are not as well-developed. In this session, we will navigate the complexities of implementing an effective process to manage vulnerabilities within open-source dependencies. Our discussion will cover key considerations for evaluating software composition analysis tools and detail the steps necessary for a successful tool rollout. We will delve into effective strategies for triaging findings and shifting from a reactive to a proactive security posture. You will leave the session equipped with a foundational but adaptable process, ready to enhance the security of your products that depend on open-source dependencies.

Speakers

Eva Sarafianou

Product Security Engineering Lead, Mattermost

Eva is the Product Security Engineering Lead at Mattermost overseeing the Product Security function. Previously she was a Principal Product Security Engineer at Auth0/Okta. Passionate about creating secure applications, Eva is dedicated to building a robust product security program... Read More →

Managing Vulnerabilities in Open Source Dependencies pdf

Thursday September 19, 2024 14:40 - 15:00 CEST
Room 3.16-3.17

Breakout Sessions

14:40 CEST

Securing Content Distribution with RSTUF, an Incubating OpenSSF Project - Kairo De Araujo, TestifySec & Martin Vrachev, Open Source Contributor

Thursday September 19, 2024 14:40 - 15:00 CEST

As part of OpenSSF, led by the Securing Software Repositories Working Group, one of the goals has been securing content distribution. The Update Framework (TUF) has been a prime reference for secure content delivery and updates for many years. Despite its popularity, integrating with existing repositories remains challenging. Repository Service for TUF (RSTUF) is the first project to implement a generic TUF application to make general TUF adoption easier for any content repository. Lately, as a recognition of the progress, RSTUF was promoted as an "incubating" project. In this talk, we will present RSTUF and update you with all the latest news about the project and how to secure content distribution by sharing use cases: - How PyPI and RubyGens are adopting RSTUF to secure their package repositories - RSTUF securing private repositories - Archivista, a storage for in-toto attestation secured by RSTUF

Speakers

Kairo De Araujo

Senior Software Engineer - Open Source, TestifySec

Kairo is a Senior Open Source Engineer at TestifySec. Kairo contributed to python-tuf and is the author of Repository Service for TUF (RSTUF). Past roles include Senior Open Source Software Engineer at VMware OSPO, Senior Software Engineer at IBM, ING, Forescout, and a former System... Read More →

Martin Vrachev

Senior Python Developer, Consensus

Martin Vrachev is an Open Source contributor. He was part of the VMware Open Source Program Office on the Security Supply Chain team. His contributions include multiple Open Source security projects solving a variety of problems. His latest work is focused on secure software supply... Read More →

Thursday September 19, 2024 14:40 - 15:00 CEST
Room 3.29-3.30

Breakout Sessions

15:20 CEST

Exploring Some Essential Security Checks for Any Open Source Go Project - Cosmin Cojocar, Google

Thursday September 19, 2024 15:20 - 15:40 CEST

Code security analysis, dependencies vulnerability scanning and supply chain security should be part of any open source Go project. In this talk, we will explore some open source tools such as gosec, govulncheck and sigstore/cosign which make it easy for any maintainer to enhance the security of her project. We will show real examples from gosec project where these tools are used to keep the security of the project at bay when constantly releasing new versions.

Speakers

Cosmin Cojocar

Senior Security Engineer, Google

Cosmin is a Senior Security Engineer at Google working on cloud security, before that he was with Adobe and Microsoft Azure. He is involved in open source software for almost two decades as a contributor and maintainer of several projects such as gosec (a static security analyser... Read More →

Thursday September 19, 2024 15:20 - 15:40 CEST
Room 3.16-3.17

Breakout Sessions

15:20 CEST

Userspace CNI - Developing in the Open with Remaining Secure - Michael O'Reilly, Intel

Thursday September 19, 2024 15:20 - 15:40 CEST

In this presentation, Michael will discuss how we took an unmaintained repository and applied the openssf scorecard to improve how we developed and re-developed an open source Kubernetes networking CNI. The userspace CNI repository had been left unmaintained and was no longer building. At the request of another team in Intel, we set about updating all of the out of date dependencies, fixing broken API calls and getting the codebase working again. We decided to use this process to improve the security of the repo using the openssf scorecard. Michael will discuss the lessons we learned, how those lessons are being applied across our wider team within Intel and how you can apply our learnings to your own codebase. We stress the need to implement CI early to your project in order for tools such as dependabot to be useful.

Speakers

Michael OReilly

Cloud Native Software Architect, Intel

Michael OReilly has worked for Intel for over 20 years. He is currently a software architect in Intel networking business unit. Has has worked on networking within Kubernetes and is currently developing Intel's Tiber(tm) Edge Networking platform.

Thursday September 19, 2024 15:20 - 15:40 CEST
Room 3.29-3.30

Breakout Sessions

16:00 CEST

Let Devs Be Devs Without Sacrificing Security - Andrew McNamara, Red Hat

Thursday September 19, 2024 16:00 - 16:20 CEST

Proof of concept code doesn't need to meet the same requirements as production quality critical infrastructure applications. If the requirements are the same for these targets, however, you probably have a long line of devs frustrated and angry they can't innovate or get their code tested. Maintaining (and auditing) multiple pipelines to achieve various levels of hardening is not realistic. Detailed SLSA provenance and policy enforcement can work together to create flexible and adaptive pipelines for all your software security needs. Join us and learn how we've combined Tekton, Tekton Chains, and Enterprise Contract within our production CI to build out a secure, flexible framework. This combination lays down a secure foundation to freely build a variety of artifacts and apply risk-based policies to prevent unacceptable software from getting into your systems. Want to use the same pipeline to build software for dev and prod? No problem – just make sure that there is an appropriate policy for each!

Speakers

Andrew McNamara

Senior Principal Software Engineer, Red Hat

Andrew McNamara is passionate about usable CI/CD, security, and DevSecOps, drawing from his experience of building and shipping containerized software at IBM and Red Hat. As a SLSA maintainer, Andrew is helping people identify how to approach and understand supply chain security... Read More →

SOSS EU 2024 let devs be devs pdf

Thursday September 19, 2024 16:00 - 16:20 CEST
Room 3.29-3.30

Breakout Sessions

16:25 CEST

Navigating the Quantum Readiness Journey: Open-Source Cryptography, PKI and Signing Tools - Mike Agrenius Kushner, Keyfactor

Thursday September 19, 2024 16:25 - 16:35 CEST

Join us in exploring the Quantum Readiness journey, focusing on cybersecurity preparations. Dive into securing IoT, containers, and software supply chains using open-source FIPS-certified cryptographic APIs: bouncycastle.org, the open-source Public Key Infrastructure software: ejbca.org, and signserver.org for signing. Cryptography is a cornerstone of cybersecurity and is essential for everyone. We want to empower every engineer and security expert with hands-on insights into quantum-resistant cryptography to navigate the quantum readiness journey. Security is a collective effort; community collaboration is vital for high-quality, interoperable cryptographic solutions. We will also talk about standardization progress in Europe and the US.

Speakers

Mike Agrenius Kushner

Senior Product Architect, Keyfactor

I've been very happily working for the last few years with PKI at PrimeKey Solutions and Keyfactor, and the area of cryptography and open-source fits my work ethic like a glove.

Mike Agrenius Kushner SOSS Commuity Day Vienna pdf

Thursday September 19, 2024 16:25 - 16:35 CEST
Room 3.29-3.30

Breakout Sessions

16:40 CEST

Run GenAI Projects at Scale Securely: From the Operating System to the MLOps Platform - Michelle Tabirao, Canonical

Thursday September 19, 2024 16:40 - 17:00 CEST

GenAI is defining a new industry. It uses different types of data to generate new content. It requires access to large volumes of data and generates even more data. Organisations are eager to adopt genAI projects due to their clear benefits and many use cases. GenAI initiatives often work with sensitive data such as sales data or customer behaviour patterns. Professionals working on these projects need many access points to organisations’ infrastructure, which can easily become a risk. Whether we’re thinking of the infrastructure where models are built or optimised or we focus on the edge devices where they run, there is a need to ensure the security of the entire stack. Open source tooling is widely used in AI projects due to its scalability and portability. Securing the entire stack will enable organisations to focus on genAI projects, without worrying about the security risks. This talk will walk the audience through all the layers of the stack, from the operating system to the MLOps platform, covering data centres where models are built and edge devices. It will present key considerations for security, best practices and opportunities for highly regulated industries.

Speakers

Michelle Tabirao

Data Solutions Product Manager, Canonical

Michelle Tabirao is a Data Solutions Product Manager at Canonical and has been working for Charmed OpenSearch innovations. She also advocates for open source, inclusive tech, and digital literacy through her non-profit organization - www.ulap.org... Read More →

Thursday September 19, 2024 16:40 - 17:00 CEST
Room 3.29-3.30

Breakout Sessions