SOSS Community Day Europe 2024
19 September 2024

Schedule times are shown in Central Europe Summer Time (CEST). The schedule is subject to change.
Room 3.29-3.30
Thursday, September 19
 

09:00 CEST

Welcome & Opening Remarks - Katherine Druckman, Open Source Security Evangelist, Intel Corporation
Thursday September 19, 2024 09:00 - 09:05 CEST
Speakers
Katherine Druckman, Open Source Evangelist, Intel
Katherine Druckman is an Open Source Evangelist at Intel where she enjoys sharing her passion for a variety of open source topics. She is a long-time open source advocate, developer, and podcaster, and is currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality...
Room 3.29-3.30

09:10 CEST

Application Security is a Community Effort - Fernando Diaz, Senior Developer Advocate, Security, GitLab
Thursday September 19, 2024 09:10 - 09:15 CEST
GitLab's mission is to enable everyone to contribute to and co-create the software that powers the world. That software must be secure.
Open source plays a crucial role in addressing security risk through transparency and community efforts. By having source code publicly available, a wider community from various backgrounds can inspect, identify, and fix vulnerabilities in a timely manner.
Other open source practices help increase security, too. Things like:
  • Collaborative Verification
  • Security Auditing
  • Security tool Development
  • Contributions to security initiatives
  • Vulnerability Reporting and Resolution
  • Education and Best Practices
Using examples of these practices from GitLab and other open source projects, let's talk about how we can move open source security forward together.
Speakers
Fernando Diaz, Developer Advocate, GitLab
Fernando (Fern) Diaz is a Developer Advocate at GitLab. He focuses on showcasing the value of implementing DevSecOps, Governance, and Shifting-Left within the complete Software Development Life Cycle (SDLC). In the past, he worked as a Software Developer at IBM Cloud, where he focused...
Room 3.29-3.30

09:20 CEST

Will eBPF Save Us From the Next Global Outage? - Liz Rice, Chief Open Source Officer, Isovalent @ Cisco
Thursday September 19, 2024 09:20 - 09:35 CEST
Only a few weeks ago we saw how dangerous kernel-level changes can be, as IT infrastructure around the world was brought down by an update to a widely-used security tool. Does this mean the kernel is too dangerous for vendors to be allowed to access? In this talk we’ll consider how eBPF and its open source provenance can enable powerful and high performance security tools, without exposing users to the same risk of kernel bugs and their consequent outages.
Speakers
Liz Rice, Chief Open Source Officer, Isovalent, now a part of Cisco
Liz Rice is Chief Open Source Officer at Isovalent, the creators of the Cilium project, and now part of Cisco. Currently on the boards of the CNCF and OpenUK, she was chair of the CNCF's Technical Oversight Committee 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018. She...
Room 3.29-3.30

09:40 CEST

CISA Update - Aeva Black, Section Chief, Open Source Security, CISA
Thursday September 19, 2024 09:40 - 09:45 CEST
Speakers
Aeva Black, Section Chief, Open Source Security, CISA
Aeva Black is an open source hacker, advocate, and international public speaker with over 20 years of experience building digital infrastructure and leading open source projects at technology companies. She is the Section Chief for Open Source Security at CISA, and serves as the Secretary...
Room 3.29-3.30

09:50 CEST

Hitchhikers' Guide to the Vulniverse - CRob, Security Lorax, Intel
Thursday September 19, 2024 09:50 - 10:10 CEST
DON’T PANIC! Grab your towel and come along for a tour of the crazy acronyms that make up the Vulniverse! Finding, fixing, and sharing vulnerabilities is a challenge on the easiest of days. Mix in all of the standards, formats, channels, and personalities, and it can feel like an insurmountable hill to climb every day. Don’t despair, the Vulniverse Alphabet Soup Guide is here to help make things a little less confusing! Learn about the foundational elements used within Coordinated Vulnerability Disclosure (CVD) by Product Security & Incident Response Teams (PSIRTs), Security Researchers, Computer Emergency Response Teams (CERTs), and Corporate Incident Response & Security Teams (CSIRTs) to help describe and communicate information about security vulnerabilities in hardware and software. Learn about how formats such as Common Vulnerabilities & Exposures (CVE), the Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and newer items like Vulnerability EXchange (VEX) all have vital parts to play in helping get information and fixes into the hands of software and hardware consumers! After this, YOU’LL be a Vulnerability Babblefish!
Speakers
Christopher (CRob) Robinson, Intel
Christopher Robinson (aka CRob) is Director of Security Communications at Intel Product Assurance and Security. CRob is a 42nd level Dungeon Master and a 25th level Securityologist. CRob has been involved in upstream open source security for a decade, and spent 6 years helping lead...
Room 3.29-3.30
Keynote Sessions
Session Slides Attached: Yes

10:15 CEST

Security Initiatives in Community Driven Projects: Looking Ahead with Python and Rust - Deb Nicholson, Python Software Foundation & Rebecca Rumbul, Rust Foundation
Thursday September 19, 2024 10:15 - 10:35 CEST
This session will focus on the approaches taken by the Python Foundation and the Rust Foundation in developing their recent security initiatives and peer ahead into what the future might hold. Future initiatives will build on the lessons learned engaging their respective communities in embedding good security hygiene. The contrast between the bottom-up open source approach to development, vs the historic top down approach to security meant we had to strike our own paths. We will discuss the strategies we've already put in place:
  a. Building consensus
  b. Transparent communications
  c. Responding to pushback
and then we will take a look at the future of security work in SOSS. We'll cover the importance of sustained investment and collaboration across ecosystems and offer some ideas for how to align your project and community for the long haul.
Speakers
Deb Nicholson, Executive Director, Python Software Foundation
Deb Nicholson is an open source software policy expert and a passionate community advocate. She is the Executive Director at the Python Software Foundation which serves as the non-profit steward of the Python programming language. She serves on the Board of Directors for the Spritely...
Rebecca Rumbul, Executive Director, Rust Foundation
Rebecca is the Executive Director and CEO of the Rust Foundation. She holds a PhD in Politics and Governance, and has worked as a consultant and researcher with governments, parliaments and development agencies all over the world, advocating for openness and transparency, and developing...
Room 3.29-3.30

10:40 CEST

Finally! Automated End-to-End VEX Streams You Can Trust - Adolfo García Veytia, Stacklok
Thursday September 19, 2024 10:40 - 11:00 CEST
VEX, the Vulnerability Exploitability Exchange, is a communications channel that informs consumers about the impact of a vulnerability on a piece of software. Since its inception about two years ago, the SBOM/VEX community has been busy implementing the required pieces to enable VEX data to flow seamlessly from projects to security scanners. With the recent adoption of OpenVEX in the Go security tooling, we can finally generate automated VEX streams that don't involve human intervention and can be fully trusted, as their statements are generated from reachability data from the compiler. It is a major milestone that marks a new phase in the OpenVEX ecosystem's maturity. Join us as we build a trusted end-to-end VEX stream, from code to scanner, diving deep into a VEX document and exploring other highlights of the OpenVEX ecosystem.
Speakers
Adolfo García Veytia, Staff Software Engineer, Stacklok
Adolfo García Veytia (@puerco) is a software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads, actively on the Release Engineering team. He specializes in improvements to automation behind the Kubernetes release process. He is also the creator of OpenVEX...
Room 3.29-3.30

11:20 CEST

German National Guideline on SOSS-Lifecycle: Community Outreach - Damian Ludwig & Andreas Neth, BSI
Thursday September 19, 2024 11:20 - 11:40 CEST
The German Federal Office for Information Security is developing a guideline for a secure software development lifecycle, specific to open source software. This guideline may in the near future be relevant to the OSS ecosystem in Germany, relating to the CRA. Therefore the Federal Office for Information Security wants to involve and reach out to the open source community early, in order to collect input on anticipated challenges, widely accepted goals and general ideas on how to make open source software secure while not putting unacceptable burden on the community.
Speakers
Andreas Neth, IT Security Architect, BSI
Andreas Neth is an IT Security Architect at the German Federal Office for Information Security. He’s been building Open Source based IT-systems for about 20 years. His background is both in network infrastructure and IT-Security and he has been teaching about IT-Security and advocating...
Damian Ludwig, Security Analyst, German Federal Office for Information Security
Damian Ludwig works as an IT-Security Analyst for the German Federal Office for Information Security, where he leads the development of a national guideline for a secure Open-Source-Software lifecycle. During his previous work in academics, he was researching and designing secure...
Room 3.29-3.30

11:45 CEST

Exploring a Risk Approach to Software Supply Chain Security - Abdullah Garcia, J.P. Morgan
Thursday September 19, 2024 11:45 - 12:05 CEST
Throughout the presentation, I dive into software supply chain attacks and explain how they unfold incrementally. By understanding the latter, attendees will learn how to analyze their processes for software ingestion, integration, and testing to account for Supplier Risk. A particular emphasis is placed on open source software, highlighting both its benefits and vulnerabilities in the software supply chain. Attendees will also understand how the risk-based model can respond to software supply chain attacks even when they are not detected until later in the software supply chain, and gain critical insight into the kinds of changes needed in their processes and software tools, including open source solutions, to support this approach.
Speakers
Abdullah Garcia, Senior Lead Cybersecurity Architect, J.P. Morgan
Enthusiastic and driven security engineer and architect with over ten years of experience of successful design and delivery of high-quality solutions across a broad range of industry sectors. Strives to continue with self-development and on-going learning. Interested in security architecture...
Room 3.29-3.30

12:10 CEST

OSS Dependency Health: Towards Maturity and Sustainability Risk Assessment Model - Georg Link & Miguel Ángel Fernández Sánchez, Bitergia; Ana Jiménez Santamaría, Linux Foundation; Wietse Braam, ING BANK
Thursday September 19, 2024 12:10 - 12:30 CEST
Organizations depend heavily on OSS libraries. Existing tools assess license compliance and code vulnerabilities in the short term, but there is a gap in tools to monitor long-term health and sustainability of OSS libraries. Enterprises especially face challenges in assessing these risks for large-scale deployments. In this panel, using Kubernetes as the sample, we show how the Risk Model we built together with ING can evaluate the health and sustainability of open source dependencies. This model is informed by the CHAOSS project (community health) and is complementary to the OpenSSF Scorecard. It goes beyond traditional SBOM analysis to assess ongoing maintenance activity. Attendees learn how this Risk Model can help ensure the health and sustainability of open source deployments. We will discuss varying security needs from the perspective of OSPOs who facilitate open source understanding and security assessments across business units. The attendees can ask questions directly to the Data Scientists that built the Risk Model on top of the open source CHAOSS GrimoireLab software.
Speakers
Wietse Braam, IT Area Lead, ING Bank
Senior manager coming from a developer background. Currently responsible for the team that develops the global CI/CD solution for ING.
Miguel Ángel Fernández, Data Analyst and Consultant, Bitergia
Miguel Ángel is a Data Analyst and Consultant at Bitergia. He is an MSc Data Scientist passionate about the open-source ecosystem, and his thesis was focused on using Machine Learning techniques to identify bot accounts in open-source projects.
Georg Link, Open Source Strategist and Director of Sales, Bitergia
Georg’s mission is to make open source more professional by using community metrics and analytics. Georg cofounded the CHAOSS Project to advance analytics and metrics for open source project health. Georg is an active contributor to several projects and often presents on open...
Ana Jiménez Santamaría, Project Manager, Linux Foundation
Ana is the Project Manager at the Linux Foundation TODO Group collaborative project, whose aim is to create and share knowledge on open source management and operations best practices. Formerly she worked at Bitergia, a Software Development Analytics firm, and she has finished her...
Room 3.29-3.30

12:35 CEST

The Current State of Open Source Security Compliance Tooling Is … Well, Sad. - Philippe Ombredanne, AboutCode
Thursday September 19, 2024 12:35 - 12:45 CEST
There's an explosion of proprietary tools promising to resolve each and every software supply chain issue. But, none of these provide practical, reasonable, or affordable solutions to 1) massively improve the security posture of software teams and 2) comply with regulatory requirements. Software teams of all sizes continue to struggle navigating the complex network of tools and databases claiming to fix everything, especially with the explosion of reported CVEs and corresponding meltdown of processing these CVEs in the NVD. Open source tools are lagging and as an open source community, we can do better. In this talk, Philippe will present practical approaches to do something that works - using readily available OpenSSF projects, open source tools, and open data - to make compliance obtainable and automated with robust software supply chain security processes.
Speakers
Philippe Ombredanne, ScanCode maintainer and CTO, nexB Inc., AboutCode.org and nexB Inc.
Philippe Ombredanne is a FOSS hacker passionate about enabling easier and safer reuse of open source code. He is the lead maintainer of the AboutCode stack of open source tools for Software Composition Analysis and license and security compliance, including the industry-leading ScanCode...
Room 3.29-3.30

14:15 CEST

ML Model Signing: Cryptographically Paving the Way to Provenance in Machine Learning Models - Mihai Maruseac, Google
Thursday September 19, 2024 14:15 - 14:35 CEST
How do I know where my machine learning model came from, and how can I prove it? This question has remained largely unanswered as adoption of machine learning and artificial intelligence has skyrocketed, with over 600,000 ML models freely available on model repositories like Hugging Face. Current cryptographic signing mechanisms are not designed with ML models in mind, nor are they fit for purpose largely due to one simple fact: models are not just a singular file. There are a number of disparate files in one directory (often several hundred gigabytes or more), comprising many bespoke formats only seen in the machine learning context.

We present an open-source specification and implementation to cryptographically sign an arbitrary collection of files which comprise an ML model, to create a mechanism to verify the integrity of a machine learning model to ensure trust between the model producer and end-user. By implementing model signing, we are paving the way for model provenance which helps strengthen the AI supply chain. With provenance, one could see who has trained the model, what training framework has been used, what datasets were used, and much other useful information.
Speakers
Mihai Maruseac, Staff Software Engineer, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security for ML and on GUAC. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential Privacy (DP) within...
Room 3.29-3.30

14:40 CEST

Securing Content Distribution with RSTUF, an Incubating OpenSSF Project - Kairo De Araujo, TestifySec & Martin Vrachev, Open Source Contributor
Thursday September 19, 2024 14:40 - 15:00 CEST
As part of OpenSSF, led by the Securing Software Repositories Working Group, one of the goals has been securing content distribution. The Update Framework (TUF) has been a prime reference for secure content delivery and updates for many years. Despite its popularity, integrating with existing repositories remains challenging. Repository Service for TUF (RSTUF) is the first project to implement a generic TUF application to make general TUF adoption easier for any content repository. Lately, as a recognition of the progress, RSTUF was promoted as an "incubating" project. In this talk, we will present RSTUF and update you with all the latest news about the project and how to secure content distribution by sharing use cases:
  • How PyPI and RubyGems are adopting RSTUF to secure their package repositories
  • RSTUF securing private repositories
  • Archivista, a storage for in-toto attestations secured by RSTUF
Speakers
Kairo De Araujo, Senior Software Engineer - Open Source, TestifySec
Kairo is a Senior Open Source Engineer at TestifySec. Kairo contributed to python-tuf and is the author of Repository Service for TUF (RSTUF). Past roles include Senior Open Source Software Engineer at VMware OSPO, Senior Software Engineer at IBM, ING, Forescout, and a former System...
Martin Vrachev, Senior Python Developer, Consensus
Martin Vrachev is an Open Source contributor. He was part of the VMware Open Source Program Office on the Security Supply Chain team. His contributions include multiple Open Source security projects solving a variety of problems. His latest work is focused on secure software supply...
Room 3.29-3.30

15:05 CEST

Web Developer Security: Best Practices & Beyond - Daniel Appelquist, Samsung
Thursday September 19, 2024 15:05 - 15:15 CEST
Last year I co-chaired a workshop called "Secure the Web Forward" that brought together web and security professionals to “drive developer awareness and adoption of Web security standards & practices.” This session will overview the latest developments in web developer security, including new activities spawned by that workshop. We'll cover latest security-related technologies in the platform as well as work happening in new W3C community and interest groups in conjunction with the OpenSSF Best Practices working group.
Speakers
Daniel Appelquist, Open Source Strategist, Samsung
Dan Appelquist is Open Source Strategist at Samsung Open Source Group. He is a web & mobile industry veteran and long-time participant and leader in open source and open standards. He has been co-chair of the W3C Technical Architecture Group for the last ten years. He was an early...
Room 3.29-3.30

15:20 CEST

Userspace CNI - Developing in the Open with Remaining Secure - Michael O'Reilly, Intel
Thursday September 19, 2024 15:20 - 15:40 CEST
In this presentation, Michael will discuss how we took an unmaintained repository and applied the OpenSSF Scorecard to improve how we developed and re-developed an open source Kubernetes networking CNI. The userspace CNI repository had been left unmaintained and was no longer building. At the request of another team in Intel, we set about updating all of the out-of-date dependencies, fixing broken API calls and getting the codebase working again. We decided to use this process to improve the security of the repo using the OpenSSF Scorecard. Michael will discuss the lessons we learned, how those lessons are being applied across our wider team within Intel and how you can apply our learnings to your own codebase. We stress the need to implement CI early in your project in order for tools such as Dependabot to be useful.
Speakers
Michael O'Reilly, Cloud Native Software Architect, Intel
Michael O'Reilly has worked for Intel for over 20 years. He is currently a software architect in Intel's networking business unit. He has worked on networking within Kubernetes and is currently developing Intel's Tiber(tm) Edge Networking platform.
Room 3.29-3.30

16:00 CEST

Let Devs Be Devs Without Sacrificing Security - Andrew McNamara, Red Hat
Thursday September 19, 2024 16:00 - 16:20 CEST
Proof of concept code doesn't need to meet the same requirements as production quality critical infrastructure applications. If the requirements are the same for these targets, however, you probably have a long line of devs frustrated and angry they can't innovate or get their code tested. Maintaining (and auditing) multiple pipelines to achieve various levels of hardening is not realistic. Detailed SLSA provenance and policy enforcement can work together to create flexible and adaptive pipelines for all your software security needs. Join us and learn how we've combined Tekton, Tekton Chains, and Enterprise Contract within our production CI to build out a secure, flexible framework. This combination lays down a secure foundation to freely build a variety of artifacts and apply risk-based policies to prevent unacceptable software from getting into your systems. Want to use the same pipeline to build software for dev and prod? No problem – just make sure that there is an appropriate policy for each!
Speakers
Andrew McNamara, Senior Principal Software Engineer, Red Hat
Andrew McNamara is passionate about usable CI/CD, security, and DevSecOps, drawing from his experience of building and shipping containerized software at IBM and Red Hat. As a SLSA maintainer, Andrew is helping people identify how to approach and understand supply chain security...
Room 3.29-3.30

16:25 CEST

Navigating the Quantum Readiness Journey: Open-Source Cryptography, PKI and Signing Tools - Mike Agrenius Kushner, Keyfactor
Thursday September 19, 2024 16:25 - 16:35 CEST
Join us in exploring the Quantum Readiness journey, focusing on cybersecurity preparations. Dive into securing IoT, containers, and software supply chains using open-source FIPS-certified cryptographic APIs: bouncycastle.org, the open-source Public Key Infrastructure software: ejbca.org, and signserver.org for signing. Cryptography is a cornerstone of cybersecurity and is essential for everyone. We want to empower every engineer and security expert with hands-on insights into quantum-resistant cryptography to navigate the quantum readiness journey. Security is a collective effort; community collaboration is vital for high-quality, interoperable cryptographic solutions. We will also talk about standardization progress in Europe and the US.
Speakers
Mike Agrenius Kushner, Senior Product Architect, Keyfactor
I've been very happily working for the last few years with PKI at PrimeKey Solutions and Keyfactor, and the area of cryptography and open-source fits my work ethic like a glove.
Room 3.29-3.30

16:40 CEST

Run GenAI Projects at Scale Securely: From the Operating System to the MLOps Platform - Michelle Tabirao, Canonical
Thursday September 19, 2024 16:40 - 17:00 CEST
GenAI is defining a new industry. It uses different types of data to generate new content. It requires access to large volumes of data and generates even more data. Organisations are eager to adopt genAI projects due to their clear benefits and many use cases. GenAI initiatives often work with sensitive data such as sales data or customer behaviour patterns. Professionals working on these projects need many access points to organisations’ infrastructure, which can easily become a risk. Whether we’re thinking of the infrastructure where models are built or optimised or we focus on the edge devices where they run, there is a need to ensure the security of the entire stack. Open source tooling is widely used in AI projects due to its scalability and portability. Securing the entire stack will enable organisations to focus on genAI projects, without worrying about the security risks. This talk will walk the audience through all the layers of the stack, from the operating system to the MLOps platform, covering data centres where models are built and edge devices. It will present key considerations for security, best practices and opportunities for highly regulated industries.
Speakers
Michelle Tabirao, Data Solutions Product Manager, Canonical
Michelle Tabirao is a Data Solutions Product Manager at Canonical and has been working for Charmed OpenSearch innovations. She also advocates for open source, inclusive tech, and digital literacy through her non-profit organization - www.ulap.org...
Room 3.29-3.30

17:15 CEST

Closing Remarks - Katherine Druckman, Open Source Security Evangelist
Thursday September 19, 2024 17:15 - 17:20 CEST
Speakers
Katherine Druckman, Open Source Evangelist, Intel
Katherine Druckman is an Open Source Evangelist at Intel where she enjoys sharing her passion for a variety of open source topics. She is a long-time open source advocate, developer, and podcaster, and is currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality...
Room 3.29-3.30