SOSS Community Day Europe 2024

You got the CVE notification, but there's no fix yet. Customers GUACing your SBOMs are worried. Should you fork? This presentation will run through the rules of engagement we've used at Atsign when these situations arise, which aim to balance good community citizenship with making sure stuff gets fixed.

There's an explosion of proprietary tools promising to resolve each and every software supply chain issue. But, none of these provide practical, reasonable, or affordable solutions to 1) massively improve the security posture of software teams and 2) comply with regulatory requirements. Software teams of all sizes continue to struggle navigating the complex network of tools and databases claiming to fix everything, especially with the explosion of reported CVEs and corresponding meltdown of processing these CVEs in the NVD. Open source tools are lagging and as an open source community, we can do better. In this talk, Philippe will present practical approaches to do something that works - using readily available OpenSSF projects, open source tools, and open data - to make compliance obtainable and automated with robust software supply chain security processes.

Python is an incredibly popular programming language and the language of choice for countless open source projects, ranging from hobbyist projects, via entire cloud virtualization frameworks (e.g. OpenStack), to being a key enabler for a large portion of AI and ML tooling (e.g. PyTorch). Helping these Python developers to securely master their programming challenges has a concrete benefit to the security of this vibrant open source ecosystem. The OpenSSF Best Practices Working Group has recently adopted a new initiative which aims to create a Secure Coding Guide for Python. Structured around Mitre's CWE framework, the guide provides tangible advice for a wide range of programming challenges, including executable code examples. These code snippets aim to allow developers to build a better understanding by enabling experimentation with concrete implementations while also constituting a proving ground for tool-based detection of weaknesses and vulnerabilities. In this brief presentation, Georg and Helge will provide an overview of the guide, its current state and its roadmap. We explicitly aim to solicit feedback from the Python community to further improve the guide.

Last year I co-chaired a workshop called "Secure the Web Forward" that brought together web and security professionals to “drive developer awareness and adoption of Web security standards & practices.” This session will overview the latest developments in web developer security, including new activities spawned by that workshop. We'll cover latest security-related technologies in the platform as well as work happening in new W3C community and interest groups in conjunction with the OpenSSF Best Practices working group.