On April 15, 2024, Secure Open Source Software (SOSS) Community Day North America (NA) brought together the open source community in Seattle to delve into discussions surrounding the challenges, overarching solutions, ongoing initiatives, and triumphs in fortifying the open source software (OSS) supply chain. Alongside dedicated SOSS contributors and thought leaders, we embarked on an in-depth exploration of topics such as security best practices, vulnerability discovery, securing critical projects, and the evolving landscape of OSS security.
This year’s event featured two tracks for the first time, allowing attendees with different preferences to engage fully. The event also included a Tabletop Exercise (TTX) and co-located workshops, adding an extra layer of interactivity and learning to the conference. Here’s a recap of what we addressed during the event:
Keynote Sessions
At the SOSS Community Day NA, Omkhar Arasaratnam, General Manager of OpenSSF, extended a warm welcome to attendees in his opening remarks. Omkhar’s address included announcements of new members, recognition of the Golden Egg Awards winner, the “What’s in the SOSS?” podcast launch, and community updates.
Following this, Kate Stewart, VP of Dependable Embedded Systems at The Linux Foundation, delivered a keynote discussing the prevalence of Software Bill of Materials (SBOMs) across industries titled “SBOMs Everywhere: Work in Progress & Challenges Ahead.” In her talk, Kate highlighted the importance of SBOMs in enhancing software security and transparency.
Track 1
A diverse array of speakers and panels delved into critical topics shaping the open source landscape in Track 1 at the SOSS Community Day NA. Katherine Druckman from Intel Corporation, along with Lori Lorusso, Angie Byron from Aiven, and Tabatha DiDomenico from G-Research, explored the mission of OpenSSF’s DevRel (Developer Relations) community, emphasizing community contributions in developing standards, tools, and education to fortify the software supply chain and bridge the gap between code and communication. Jeff Mendoza from Kusari led a session on determining the criticality of open source projects within the OpenSSF Securing Critical Projects Working Group, discussing the factors considered when evaluating projects and the impact of security bugs or compromises. Seth Larson from the Python Software Foundation discussed securing open source ecosystems, focusing on fixing vulnerabilities such as the widely exploited libwebp vulnerability across the Python ecosystem and the interactions between software security standards and open source maintainers. Katherine Druckman and Ryan Ware from Intel Corporation engaged in a critical conversation about consuming open source securely, covering topics such as evaluating projects, addressing CVEs, project maturity, governance, and using tooling to enhance software integrity. Justin Cappos from NYU talked about starting the journey to secure the software supply chain, sharing experiences, stumbling blocks, good practices, and a general road map to making software more secure. Georg Kunz from Ericsson discussed compiler options hardening for C and C++, highlighting the OpenSSF Compiler Options Hardening Guide and techniques for improving the security of C and C++ programs against prevalent software defects. Jeffrey Borek from IBM, Sarah Evans from Dell Technologies, and Rao Lakkakula from JPMorgan Chase led a panel on mitigating security risks in OSS utilization, sharing insights on best practices for secure coding, dependency management, community collaboration, and fostering a culture of security awareness among developers.
In the afternoon sessions, Michael Lieberman from Kusari discussed the complexities of securing OSS, emphasizing the need for tools and practices such as SLSA, SPDX, Sigstore, and OpenVEX. Adolfo García Veytia from Stacklok provided insights into the evolving foundations of SBOMs within the OpenSSF community, highlighting ongoing projects aimed at standardizing SBOM handling, trust, verification, and CLI operations. Brittany Istenes from Fannie Mae presented the Clean Dependency Project, addressing the need for proactive vulnerability management in response to incidents such as log4shell. Mo McElaney from IBM, John Kjell from TestifySec, Jay White from Microsoft, Chan Voong from Comcast, and Marcela Melara from Intel Corporation joined forces for a panel discussion on diversity, equity, and inclusion (DEI) within the OpenSSF community, exploring various aspects of DEI and the ongoing journey toward a more diverse and inclusive open source security landscape.
Track 2
In Track 2 of the SOSS Community Day NA, a series of sessions delved into critical aspects of open source security and management. Jack Cable from CISA and Zach Steindler from GitHub discussed driving security at scale through “Principles for Package Repository Security,” a voluntary framework designed to evaluate and improve security capabilities in package repositories. Hayden Blauzvern from Google explored the evolution of Sigstore and its road map for 2024, emphasizing collaboration with package repositories and enhancing verification processes. Chad Coleman from Lockheed Martin shared insights into leveraging Sigstore capabilities in a local environment, while Mark Esler from Canonical Ltd. discussed improving FOSS security through integrating open source solutions such as Sigstore. Joe Sweeney from Trail of Bits presented lessons learned from implementing build provenance for the Homebrew package manager, offering insights into challenges and achievements. Rex Pan and Holly Gong from Google unraveled the nuances of dependency security, highlighting strategies for effective vulnerability management beyond simple updates. Lastly, Amir Montazery from the Open Source Technology Improvement Fund, Inc., discussed the role of security audits in improving the posture of critical OSS projects, sharing insights from past audits and lessons learned to enhance security practices.
In the afternoon sessions, the Eclipse Foundation’s Michael Winser and Marta Rybczynska discussed effective vulnerability management across the Foundation’s vast array of projects, aiming to standardize practices for better security at scale. Chujiao Ma from Comcast addressed the security challenges posed by third-party open source libraries and proposed an open source bug bounty process to proactively investigate and secure these components. François Proulx and Benoît Côte-Jodoin from BoostSecurity.io highlighted the often overlooked vulnerabilities in the build pipelines of OSS packages, sharing insights on discovering zero-days and prioritizing risky scenarios for mitigation. Rebecca Rumbul from the Rust Foundation and Deb Nicholson from the Python Software Foundation delved into community engagement and security initiatives, emphasizing the importance of consensus-building, transparent communication, and collaboration across ecosystems for embedding good security practices within open source communities.
Co-Located Workshops and Tabletop Exercise
OpenSSF conducted workshops on the Supply-chain Levels for Software Artifacts (SLSA) framework and the OpenSSF Scorecard for new contributors. The SLSA workshop guided participants in utilizing the SLSA framework to enhance the Software Development Life Cycle of deployed code. The Scorecard Workshop offered hands-on onboarding opportunities, allowing participants to engage with project maintainers and potentially submit their first pull request to the OpenSSF Scorecard during the session.
As the event concluded with a closing remark, we also hosted our first-ever TTX, marking a step forward in proactive engagement and collaboration within the OpenSSF community. The TTX was a significant highlight, featuring 12 panelists and six contributors who shared their expertise, discussed security gaps, and provided insights into improving current capabilities across the community. This engaging discussion utilized the TTX planning tool curated by the OpenSSF Vulnerability Disclosures Working Group. The TTX was a successful engagement, proactively identifying opportunities to enhance existing supply chain security processes and technologies or develop new ones to support incident response.
Looking Ahead: A Heartfelt Thanks and Future Events
As we conclude the SOSS Community Day NA 2024, a heartfelt thank you goes out to everyone who participated. Your dedication and contributions are shaping a more secure future for OSS. Let’s keep the momentum going as we look forward to SOSS Community Day Europe (EU) and SOSS Fusion Conference. Together, we’ll continue to collaborate and build a more resilient and robust OSS security ecosystem.