OpenSSF Community Day Japan returned to Tokyo for its third consecutive year in 2025, bringing together a diverse group of developers, researchers, government representatives, and industry experts to focus on securing the open source ecosystem.
The full-day event featured a mix of keynotes, lightning talks, technical deep dives, and a live table-top exercise, all centered around advancing collaboration, tool adoption, and real-world implementation of secure development practices.
Opening with Global Vision, Local Insight
The day opened with remarks from Steve Fernandez, General Manager of OpenSSF, who welcomed attendees and acknowledged the growing impact of OpenSSF tools and practices across regions and industries.
Two keynote speakers set the stage:
- Lin Sun (Solo.io) shared reflections on the past decade of open source security, highlighting the evolving relationship between cloud-native platforms, open collaboration, and supply chain integrity.
- Kazuki Imamura (IPA – Information-technology Promotion Agency, Japan) offered a government perspective on open source strategy, speaking to Japan’s national approach to software assurance and open ecosystem development.
Local community leaders Taku Shimosawa (Hitachi) and Muuhh Ikeda (Cybertrust Japan) followed with updates on Japan-based engagement with OpenSSF initiatives and working groups.
Spotlight on Security-in-Practice
Tools in Action
Throughout the day, speakers showcased how OpenSSF projects are being adopted and extended to meet practical needs:
- Whitney Lee (Datadog) and Puja Abbassi (Giant Swarm) used a role-playing game—Ozzie & Nova—to walk attendees through real-world supply chain security scenarios using tools like OpenSSF Scorecard, Sigstore, and GUAC.
- Adolfo (puerco) GarcĂa Veytia (Carabiner Systems) dove into “unforgeable compliance,” exploring why reproducibility and evidence-based builds matter.
- Yonggil Choi (TikTok) shared how confidential computing can strengthen build and runtime integrity.
Developer-Centric Workflows
Several sessions emphasized developer experience and practical security enablement:
- Takashi Ninjouji (Honda) demonstrated SBOM generation directly from binary-level artifacts in large-scale embedded systems.
- Arpit Jain (Independent) walked through common GitHub misconfigurations that lead to secret exposure, and how to mitigate them with open source tooling.
- Kuniyasu Suzaki (IISEC) presented a remote attestation flow using Arm TrustZone, OP-TEE, and Veraison—targeting IoT devices.
- Isaac Dawson (GitLab) showed how behavior-based dependency analysis can reduce risk when adopting third-party packages.
AI, PQC, and Resilience through Simulation
The late sessions explored the future of software security:
- Arpit Jain (Independent) returned to address security considerations specific to AI models, from poisoned training data to compromised weights.
- Tony Chen (Keyfactor) introduced post-quantum cryptography and its impact on existing cryptographic systems, signing infrastructure, and SBOM verification workflows.
The day concluded with a Table-Top Exercise (TTX), bringing together panelists from Cybertrust Japan, IPA, SIOS Technology, Carabiner Systems, and others. Attendees worked through a simulated supply chain compromise and incident response scenario, emphasizing the importance of readiness, coordination, and clear roles during security incidents.
Resources Available
Missed a session or want to share it with your team?
Thank You to the Community
We’re grateful to all the speakers, attendees, and contributors who made this event possible—including: IPA, Hitachi, Cybertrust Japan, Solo.io, Honda, TikTok, GitLab, IISEC, Datadog, Giant Swarm, Keyfactor, SIOS Technology, Carabiner Systems, and many others.