SOSS Community Day Europe 2024

AI developers are experts at building AI models. Security people know how to secure traditional software. But how do we secure software that contains AI? This is not a theoretical question: We have executive orders for strengthening the supply chain and secure AI development, we have NIST SP 800-218A for secure usage of GenAI. What is lacking is a deep dive into how people can use OSS technologies to secure software using AI. This is what we are planning to do in this talk. We will present every possible step that can be taken to train models in a secure way. This will cover securing the data from ingestion to using it during training, and evaluation. It also covers fine-tuning foundational models and model quantization. It aims to be the most complete and comprehensive resource in securing AI powered application from the point of view of the software supply chain. Then, it will include items about securing AI outputs, securing AI deployments. This is really important to do, because we see the same security concerns from traditional software being repeated in AI world, but at an accelerated pace. As threat landscape evolves, we are should building on stable, secure foundations.

North Korea (DPRK) has been an active cyber threat since at least 2009. It is estimated that 90% of all DPRK cyber threat activity is attributable to a group under the Korean People's Army known as the Lazarus Group, which was responsible for the 2014 attack against Sony Pictures Entertainment. In June 2023, the Phylum Research Team discovered a series of suspicious packages published in the npm ecosystem. Upon installation, these packages facilitated the download of a malicious payload from a remote server. Later, GitHub published their independent findings, together with Microsoft Threat Intelligence and CISA, and confirmed that these packages were the work of the Lazarus Group. This campaign targeted software developers over three months. A new Lazarus Group campaign began in September 2023 with different and evolving tactics. Dozens of malicious packages were published during this time and were seen as recently as February 2024. The details in the code of these packages differ significantly, but a common motive between these two campaigns remains: stealing cryptocurrency from job-seeking software developers through social engineering.

In today's rapidly evolving tech landscape, ensuring that container images comply with organizational policies is paramount for maintaining security. Join us for an insightful session on leveraging the open-source Enterprise Contract ecosystem to enforce these policies effectively within your organization. In this session, we will delve into how Enterprise Contract utilizes Sigstore signatures, in-toto attestations, and other tamper-proof sources to enforce organization policies. Although Enterprise Contract is a CI agnostic tool, we will focus on the Tekton ecosystem. Key points covered will include: 1. The critical role of ensuring container images meet organizational policies. 2. How Enterprise Contract enforces policies using secure and tamper-proof sources. 3. Configuring policies to validate specific Tekton Tasks, like code scanners, have been executed during the container image build process. This session is designed for attendees already familiar with the Sigstore community project, though true beginners are also encouraged to join. By the end of this session, participants will understand how to go beyond simple signature checks to validate their container images.

As cybersecurity threats continue to evolve, traditional security training can sometimes feel boring and often misses the mark in keeping people engaged or helping them retain key security concepts. This presentation explores how gamification can transform security training. By incorporating hands-on challenges, real-world scenarios, and instant feedback, gamified learning not only grabs attention but also helps the lessons stick in the long run.

In a world where security training often feels like a mundane chore, discover the refreshing impact of gamification and turn learning into an enjoyable experience. Embark on an insightful journey as we unveil the success story of gh.io/securecodegame, an open-source game hosted on GitHub Skills, that attracted over 3,000 developers within the first 6 months. This session will provide you with an exclusive behind-the-scenes perspective, offering valuable insights and practical strategies to revolutionize various aspects of security training for your benefit. We’ll explore a case study from a tech startup that observed, among the developers who played the game, an increased sense of ownership for code security, improved communication with security teams, and a strong willingness to embrace further security training.

You got the CVE notification, but there's no fix yet. Customers GUACing your SBOMs are worried. Should you fork? This presentation will run through the rules of engagement we've used at Atsign when these situations arise, which aim to balance good community citizenship with making sure stuff gets fixed.

A new day brings a new CVE alert for a third-party library, prompting urgent questions: Are we using this library? How many projects are affected? What’s our quick remediation plan? Traditional tools that analyze build manifests often fail to provide timely insights into these security vulnerabilities because they overlook actual code usage. In this talk, we'll demonstrate how static and reachability analyses offer a more effective approach by examining real dependency usage, enhancing prioritization and understanding of necessary updates for vulnerable libraries. Using real-world examples, we'll show how these analyses help developers better prioritize updates and understand dependency changes, aiding in informed decision-making. Our goal is to provide strategies for using these analyses to manage dependencies more effectively, uncover vulnerabilities, and enhance security and productivity in software development workflows.

In today’s software development landscape, products are often an intricate blend of in-house code and open-source third-party dependencies. While many organizations have robust procedures to secure their own codebase, the strategies to safeguard against vulnerabilities in open-source components are not as well-developed. In this session, we will navigate the complexities of implementing an effective process to manage vulnerabilities within open-source dependencies. Our discussion will cover key considerations for evaluating software composition analysis tools and detail the steps necessary for a successful tool rollout. We will delve into effective strategies for triaging findings and shifting from a reactive to a proactive security posture. You will leave the session equipped with a foundational but adaptable process, ready to enhance the security of your products that depend on open-source dependencies.

Python is an incredibly popular programming language and the language of choice for countless open source projects, ranging from hobbyist projects, via entire cloud virtualization frameworks (e.g. OpenStack), to being a key enabler for a large portion of AI and ML tooling (e.g. PyTorch). Helping these Python developers to securely master their programming challenges has a concrete benefit to the security of this vibrant open source ecosystem. The OpenSSF Best Practices Working Group has recently adopted a new initiative which aims to create a Secure Coding Guide for Python. Structured around Mitre's CWE framework, the guide provides tangible advice for a wide range of programming challenges, including executable code examples. These code snippets aim to allow developers to build a better understanding by enabling experimentation with concrete implementations while also constituting a proving ground for tool-based detection of weaknesses and vulnerabilities. In this brief presentation, Georg and Helge will provide an overview of the guide, its current state and its roadmap. We explicitly aim to solicit feedback from the Python community to further improve the guide.

Code security analysis, dependencies vulnerability scanning and supply chain security should be part of any open source Go project. In this talk, we will explore some open source tools such as gosec, govulncheck and sigstore/cosign which make it easy for any maintainer to enhance the security of her project. We will show real examples from gosec project where these tools are used to keep the security of the project at bay when constantly releasing new versions.

In light of the upcoming new EU software regulations, OpenSSF will host a 90-minute interactive session to simulate a security incident response to achieve a few goals:

• Provide a playbook for maintainers, contributors, and open source consumers to adopt and customize to start running their own TTX and improve their incident response and overall security posture.
• Provide education for developers who are learning security
• Demonstrate how current OpenSSF technologies may be helpful during a security incident

Session attendees will actively engage in the exercise by bringing their expertise in open software security ranging from open source production, distribution, consumption, vulnerability disclosure and management to incident response.
Note: This session will not be recorded