
Case Study: Kusari’s Implementation of OpenSSF Tools and Services

By Blog, Case Studies

Challenge

For many years, the software supply chain has suffered from a lack of transparency and inefficient, unsustainable security management methods such as spreadsheets, emails, and word of mouth. The severity of these challenges was highlighted during incidents like Log4Shell, where the limitations of these approaches became evident — organizations struggled to identify where Log4J was used, and many applications continue to use vulnerable versions of this library years later. Meanwhile, the costs and regulatory requirements of attacks and vulnerabilities continue to increase. The founders of Kusari, driven by their passion and personal experiences with these problems, sought to create scalable and robust security solutions for their customers and users.

Solution

To address these challenges, Kusari created and co-developed the tool GUAC (Graph for Understanding Artifact Composition). GUAC integrates data from various OpenSSF tools and specifications to secure Kusari’s platform software and infrastructure. Kusari uses AllStar to enforce best practices for source code repositories and Scorecard to assess repositories for best practice adherence and highlight areas of concern. By adopting SLSA (Supply Chain Levels for Software Artifacts), Kusari follows Level 3 practices for building projects and generating provenance. OpenVEX is used to communicate the vulnerability status of software, while S2C2F (Secure Supply Chain Consumption Framework) ensures rules are followed for safely ingesting open source software. GUAC aggregates data from multiple sources like Scorecard, SLSA, OpenVEX, SBOM, OSV, and deps.dev to analyze supply chain risks and ensure compliance with S2C2F rules.

According to Parth Patel, Co-founder & Chief Product Officer at Kusari, “Working with OpenSSF projects is an invaluable part of building Kusari – both as a company and an enterprise platform. Participating in open source communities allows us to shape the future of software supply chain technology. The work we invest in OpenSSF communities pays off in having reliable software tools to build and integrate with the security ecosystem.”

Results

The implementation of these tools has significantly enhanced Kusari’s ability to manage and mitigate software supply chain risks. The adoption of open specifications like SLSA, S2C2F, and OpenVEX allows Kusari to generate and consume supply chain data that is broadly supported in the community. Tools like AllStar, Scorecard, and Sigstore help enforce best practices in code, build, and delivery processes. GUAC enables Kusari to ingest and analyze standardized metadata from multiple OpenSSF tools, providing a clear understanding of supply chain risks and facilitating quick responses to security incidents.

Engagement with OpenSSF Community

Kusari engages with the OpenSSF community in various capacities, including as maintainers and users of AllStar, GUAC, and SLSA, and as TAC sponsors for GitTUF, SBOMit, and S2C2F. This engagement is a way for us to innovate and give back within the open source community. Kusari is committed to helping shape and develop the future of software supply chain security. You can regularly find us in meetings with the Supply Chain Integrity Working Group; come join in. 

Benefits and Challenges

Open specifications and tools provide flexibility for integration and modification, ensuring better interoperability. Security has a long history of being closed and vendor-centric, but that’s changing. Collaboration is required to protect effectively against current and future threats. That’s why Kusari is passionate about being a creator, maintainer, contributor and user of open source security tools. 

Striking a balance between vendor support and community-driven efforts is crucial for sustainable success in open source projects. Arun Gupta, vice president and general manager of Open Ecosystem Initiatives at Intel and OpenSSF governing board chair emphasizes, “It’s vital that we foster collaboration between vendors and the open source community in a collaborative manner that respects the community. This balance is key to achieving a secure software ecosystem.”

Future Plans

Kusari plans to adopt additional OpenSSF tools such as GitTUF as they mature and looks forward to developments from SBOMit.

Conclusion

Kusari’s integration of OpenSSF tools and specifications has significantly bolstered its software supply chain security, providing scalable and efficient solutions for managing vulnerabilities. Through active participation in the OpenSSF community, Kusari continues to contribute to and benefit from the evolving landscape of open source security.


OpenSSF Newsletter – October 2024

By Newsletter

Welcome to the October 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Join us in Tokyo for SOSS Community Day Japan on October 30, 2024, co-located with the Open Source Summit Japan (October 28-29)

Hosted by the OpenSSF, this event will bring together open source security enthusiasts to connect, collaborate, and share knowledge. Whether you’re an industry leader or a passionate technologist, this is your opportunity to dive deep into the latest open source security trends, learn from experts, and network with the vibrant open source community. Don’t miss out—register today and be part of the conversation on securing open source software! Learn more

Recap on SOSS Community Day EU

On September 19, the OpenSSF community gathered in Vienna for SOSS Community Day EU, held alongside Open Source Summit EU. Each summit and community day is a celebration of open source excellence, showcasing the collective efforts of passionate individuals committed to making the world a safer place. We extend a heartfelt thanks to our dedicated maintainers for their continuous efforts in advancing open source security!

Recordings and photos are now available. Relive the moment as we recap some of the exciting conversations from the event! Read more

2025 Virtual Tech Talk Call for Proposal (CFP)

We are excited to invite proposals for the 2025 Virtual Tech Talk Series, providing a platform for in-depth discussions on critical initiatives to secure open source software within the OpenSSF community. These tech talks are designed to foster knowledge sharing, highlight innovative technical projects, and showcase efforts driving the future of open source security.
Have a topic or expertise you’d like to share? Submit your Call for Proposals (CFP) by December 15, 2024, to ensure ample time for review and planning. This is your chance to contribute, connect with peers, and inspire others in the field.
Submit your CFP

OpenSSF Education Tech Talk Highlights & Future Opportunities

The OpenSSF hosted a virtual Tech Talk titled Jumpstart Your Journey: Mastering OSS Security Development with the Linux Foundation Education. This session was designed for aspiring open source professionals and newcomers eager to dive into the world of open source software (OSS) security.  Read more

Developer Relations: The Human Connection Driving Open Source Security


Open source security isn’t just about technology—it’s about the people behind it. Developer Relations (DevRel) connects developers, maintainers, and contributors, ensuring that they have the tools and support to make open source software more secure and resilient. As Katherine Druckman, Open Source Evangelist at Intel, said in her recent episode of the What’s in the SOSS? podcast: “We solve technical problems with technical solutions, but there are also so many human problems that need human solutions.” This illustrates the heart of DevRel—bringing together people to drive progress in open source security. Read more

OpenSSF SOSS Fusion Conference Kicks off with Talks from Google and Cisco Executives


The Open Source Security Foundation (OpenSSF) announced the opening of the Secure Open Source Software (SOSS) Fusion Conference in North America in Atlanta, GA. This event unites a diverse community of professionals, including public sector leaders, software developers, security engineers, students, cybersecurity experts, CISOs, CIOs, founders, and tech pioneers. With a robust agenda covering AI security, critical open source security projects, public policy, and today’s most pressing security topics, SOSS Fusion offers a comprehensive look at OpenSSF’s initiatives that are aimed at simplifying security for developers, and will help them prepare to shape a safer digital world in 2025 and beyond. Read more

Join us for SigstoreCon: Supply Chain Day at KubeCon NA 2024

Join us for SigstoreCon: Supply Chain Day at KubeCon NA 2024 in Salt Lake City on November 12! Attendees will explore the latest advancements in digital artifact signing, with sessions on Sigstore, SLSA, The Update Framework (TUF), and more.

Key Topics Include:

  • Case Studies: Real-world examples of how projects are leveraging Sigstore, SLSA, or TUF
  • Package Registry Adoption: Insights for maintainers adopting Sigstore/SLSA
  • Client Development: Learnings from building Sigstore clients
  • Technical Deep Dives/Research: Exploring transparency, privacy-preserving identities, and more

Don’t miss this opportunity to stay ahead in supply chain security!

View agenda 

Register now

Empower Your Software Development with OpenSSF’s Free “Developing Secure Software” Course! 

Learn secure software fundamentals at your own pace and earn a recognized certificate. Plus, we’ve just added new optional labs in LFD121! These hands-on exercises will help you practice countering attacks with real-world scenarios and helpful hints. Enroll here

In the News

Meet OpenSSF at These Upcoming Events!

Get Involved in OpenSSF

You’re invited to…

See You Next Month

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team


OpenSSF SOSS Fusion Conference Kicks off with Talks from Google and Cisco Executives

By Blog, Press Release

Event aims to create a more secure open source future by covering high-priority topics and offering workshops and industry expert insights

WASHINGTON — October 22, 2024 — The Open Source Security Foundation (OpenSSF) announced the opening of the Secure Open Source Software (SOSS) Fusion Conference in North America in Atlanta, GA, today. This event unites a diverse community of professionals, including public sector leaders, software developers, security engineers, students, cybersecurity experts, CISOs, CIOs, founders, and tech pioneers. With a robust agenda covering AI security, critical open source security projects, public policy, and today’s most pressing security topics, SOSS Fusion offers a comprehensive look at OpenSSF’s initiatives that are aimed at simplifying security for developers, and will help them prepare to shape a safer digital world in 2025 and beyond.

The OpenSSF supports a vibrant, active community developing tools and best practices to aid developers on their security journey. With 7,500-plus projects in the OpenSSF Best Practices Badge program, the foundation remains committed to educating and influencing the broader community through thought leadership in open source security. This year, OpenSSF staff and community members have presented at over 30 meaningful events, such as VulnCon, OSPOs for Good, OECD Global Forum on Digital Security for Prosperity, and Grace Hopper Celebration, among others.

This event aims to strengthen the community by bringing together industry leaders, developers, project maintainers, students, and security researchers. Together, they will exchange actionable insights and introduce state-of-the-art tools to improve the security of open source software for everyone. Participants will stay informed about the latest advancements in open source security.

“When I look at the lineup of topics at SOSS Fusion and speakers I am reminded of our amazing community. I see an excellent mixture of our seasoned members and projects alongside new and exciting voices joining us for the first time,” said CRob, chief security architect at OpenSSF. “The sessions cover important key topics ranging from AI and machine learning security, to some of our newest projects, like Zarf. This event will be valuable to attendees and will showcase the most innovative ideas and initiatives the open source community has to offer.”

Along with notable keynote sessions and workshops, the agenda will highlight key themes from Cisco, Google, Kusari, and Linux Foundation executives including:

Recorded sessions will be available on demand approximately two weeks after the event. Sign up for the OpenSSF newsletter to receive notifications about the recorded sessions, and visit the website to learn more about becoming an OpenSSF member.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaborating and working upstream and with existing communities to advance open source security. For more information, please visit us at openssf.org.

Media Contact:

Jennifer Tanner
Look Left Marketing
openssf@lookleftmarketing.com

What’s in the SOSS? Podcast #17 – Intel’s Katherine Druckman and the Impact of Developer Relations

By Podcast

Summary

In this episode, CRob discusses the finer points of developer relations (DevRel) with Katherine Druckman, Open Source Evangelist at Intel and co-chair of the OpenSSF Marketing Advisory Council and DevRel Community. Katherine enjoys sharing her passion for a variety of open source topics and is a long-time open source advocate, developer and podcaster. She’s currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality 2.0 podcasts. She spent over a decade at Linux Journal. A passionate Drupalist since she first downloaded a tarball in 2005, she has also been a Drupal contributor and engineer.

Additionally, Katherine will be a featured speaker at SOSS Fusion/24 in Atlanta on Oct. 22-23. SOSS Fusion/24 is a collaborative and forward-thinking initiative dedicated to securing open source software. This event will bring together a diverse community of professionals, from public sector leaders and software developers to security engineers, cybersecurity experts, CISOs, CIOs, founders and tech pioneers.

Katherine will be an active participant at SOSS Fusion/24 and will share her insight at the following presentations:

  • Roundtable: Building Developer Confidence in Software Security with the DevRel Community, with Lori Lorusso, Percona; Tabatha DiDomenico, G-Research. Oct 22, 11:30 a.m.
  • Keynote: Fireside Chat with Window Snyder, Founder & CEO, Thistle Technologies, Oct. 23, 9:30 a.m.
  • Keynote: Back to Security Basics: Evaluating, Consuming, and Contributing Open Source Software, Oct. 23, 9:55 a.m.

Check out the full schedule for SOSS Fusion/24.

Conversation Highlights

  • 01:42 Katherine shares her non-traditional journey into open source
  • 03:30 DevRel’s definition varies, depending on the organization
  • 06:11 Tips for making connections with developers
  • 08:23 How DevRel professionals can help integrate security practices and tooling into everyday maintainer activities
  • 09:38 Katherine answers CRob’s rapid-fire questions
  • 11:05 Katherine’s belief that all knowledge can be relevant — even if it’s outside of your field
  • 12:23 Developers and security folks should be working together

Transcript

Announcer (00:01)
Today’s guest on What’s in the SOSS? is Katherine Druckman, Open Source Evangelist at Intel. Katherine will be a featured speaker at SOSS Fusion/24 in Atlanta, October 22nd and 23rd. SOSS Fusion is a collaborative and forward-thinking initiative dedicated to securing open source software. The event will bring together a diverse community of professionals, from public sector leaders and software developers to security engineers, cybersecurity experts, CISOs, CIOs, founders and tech pioneers. To learn more, to register and to see the full schedule, visit openssf.org.

Katherine Druckman soundbite (00:36)
We solve technical problems with technical solutions, but there are also so many human problems with so many human solutions. And I think step one to effective engagement with open source maintainers is taking notes, find out what they really, really need and then try to connect the dots.

CRob (00:54)
Hello, everybody. Welcome to What’s in the SOSS? I’m CRob. I do security stuff on the internet and I do a lot of work with the Open Source Security Foundation. I work on the Technical Advisory Committee, the governing board and a bunch of the technical groups. And one of the great things I get to do is co-host What’s in the SOSS? — our podcast about learning more about interesting topics and people within the open source ecosystem. And today we have a real treat. We have my friend from work, real work, not fun upstream work Katherine Druckman from Intel. How are you doing today, Katherine?

Katherine Druckman (01:29)
I am doing well, thank you. I appreciate you having me. This is gonna be fun.

CRob (01:34)
It’s gonna be great. So for our listeners who may not get the opportunity to work with you all the time, could you maybe give us your open source origin story?

Katherine Druckman (01:42)
Oh yeah, sure. Wow, that’s a long time ago. (Laughter) Yeah, so this is funny. I like to talk about that I have a non-traditional background. Actually, I went to my, I have an art degree and then my graduate studies were in decorative arts history. It makes total sense why I would end up here, right? So at some point in there, I was doing some — let’s call them art things and art and antiques and decorative things — and I decided I needed a website for these things.

And I had a lot of nerd friends who were very involved in some tech startup at the time. And this was in, gosh, I don’t know, around 2002 to 2004 maybe. And I was always kind of a nerd, to be honest. Like I had dabbled in a little Linux before that. So I asked one of my nerd friends and I said, hey I heard there’s such a thing as an open source content management system. What’s that and can you recommend one? (Laughter) And he said, oh, here’s a few. I tried a few. I settled on Drupal to build a website. And then I started building other websites and then I started learning more and more. And anyway, long story short, I ended up at Linux Journal because I learned the Drupal. So that’s the short-ish version of my origin story. And then I had a lot of adventures along the way and somehow all of them led me here.

CRob (03:03)
I’m going to have to do a session sometime because there are a lot of us that come from non-traditional backgrounds that work and live here in high tech. So that’s interesting to hear. So let’s talk about kind of what you do with the Open Source Security Foundation. And this really introduced me to a very interesting concept. So for our audience, could you maybe explain what DevRel is and why it’s important?

Katherine Druckman (03:30)
Sure, yeah, yeah, yeah. So I co-chair the Marketing Advisory Council, is I believe what we’re calling it today. Apologies if I got that wrong. And as part of that, we created an initiative and created a DevRel community to do developer relations on behalf of the OpenSSF. And what that means, developer relations type work has a lot of names, right? Some people call it developer advocacy, evangelism and it really kind of depends on the organization where you’re doing it.

For the OpenSSF specifically, really we’re there to raise awareness where hopefully the mission is to connect developers and users and consumers of open source software and then in particular maintainers of open source software to all of the wonderful tools that brilliant people like you and all of our buddies are working on at the OpenSSF. So I got involved because, frankly, I was really into the mission of the OpenSSF even before I was at Intel.

When I heard about the formation of the OpenSSF, I was kind of following it because one of the things I do in my small amounts of free time is I occasionally co-host, and at the time I was co-hosting Floss Weekly, another podcast. And when we’re looking for news stories in the open source space, I came up with, oh look at this! There’s this new foundation. They’re doing work. It was always a source of insecurity slash curiosity for me. I never felt, when I was a software engineer, like I was fully prepared from a security perspective. So it was something that I pursued. So that’s where I jumped in.

But going back to the original question, which is, what is DevRel? The funny thing is if you asked 20 different DevRel-type people, they would probably all give you a slightly different answer. Because at the end of the day, you really kind of need to connect the goals with the specific organization with the work that you do. Because it can vary. Generally speaking, it’s whatever serves the needs of your organization. And it can be education. It can be being a catalyst between end users and a product. You might work with product teams, but you might be more educational and community focused like I am. The meaning varies depending on the organization. Yeah, and it’s just, it’s not an obvious answer, I don’t think.

CRob (05:49)
That makes sense. As you know, it’s very hard to quantify what the open source is. There’s so many different permutations, so I get that. Thinking about the role of DevRel and maybe in particular with the OpenSSF, from your perspective, what have you seen that works with trying to help get engaged with maintainers and then keeping them engaged?

Katherine Druckman (06:11)
I guess I’ve seen a lot (Laughter). So back to the thing about, you know, it varies, right? I think ultimately, developer advocates and developer relations people are there to identify with and advocate for the needs of developers, because we are them. Most people that are in the DevRel space were developers, were software engineers. And we’re kind of, we’re drawing on that on our personal experiences. And I think what works, if you want to engage, especially with open source maintainers, developers and maintainers just want to get things done. We’re ultimately, we’re makers, right? We’re makers and we’re creators. And I think we all crave resources to help with that.

Sometimes it’s education, sometimes it’s tools. Sometimes it’s just, being heard, I think. So something that’s resonated for me: I’ve started having some conversations recently about maintainer burnout that have gone unexpectedly well. And I did this, I think, for a lot of reasons, right? I like to talk to smart people about anything and everything. So any excuse to talk to a lot of really interesting open source maintainers, I’m all over. But this was a topic, I think, on my mind and on the minds of a lot of people on my team.

So I started talking to more and more people. And I think these conversations have resonated even more than I expected. And I, my suspicion is just because people feel heard and understood and listened to. And it’s, so, you know, I think if, if you want to engage with software maintainers, step one is listening to them. You know, forming those human connections, you know, I think, you know, we get bogged down in the world of software and it’s a very, we, we solve technical problems with technical solutions, but there are also so many human problems with very human solutions. And I think step one to effective engagement with open source maintainers is listening. Listening, taking notes, find out what they really, really need, and then try to connect the dots.

CRob (08:12)
Well, I’m going to put my listening ears on right now. From your perspective, how do you think DevRel can help get security practices and tooling better integrated into maintainer daily workflows?

Katherine Druckman (08:23)
Yeah, that’s such a good question and a complicated one to answer, but I’m going to give it a shot. I think it goes back to listening, right? I keep saying that, but I think with things like connecting tooling, it’s figuring out all the spots along the development lifecycle where maintainers and developers are stuck, right? Where in the process are things most difficult and where do they need the tools to unblock them along the process? I think so that’s part of it. Connecting people to the things that really, really help.

Tools that smooth processes and resources really of any kind, frankly that let them kind of unplug and sleep well at night, you know (Laughter). I also feel like I would caution people to not try and focus too much on ticking boxes that don’t necessarily help the developers and maintainers. I think when you’re on one side or other of a conversation, sometimes if you’re, let’s say, a tool creator, you kind of get in the mindset of ticking the boxes that you think that people need to solve. But it’s really important to make sure that you’re pursuing the right things that really do have a direct impact on just making developers and maintainers’ lives easier.

CRob (09:38)
Let’s move on to our rapid-fire section of the interview. (Sound effect “Rapid fire!”). I’ve got a couple questions for you. Are you ready?

Katherine Druckman (09:46)
Oh, I, sure.

CRob (09:48)
Do you like spicy or mild food?

Katherine Druckman (09:51)
Oh, I like spicy, but my stomach prefers mild.

CRob (09:54)
(Laughter) Fair. What’s your favorite cocktail?

Katherine Druckman (09:58)
Oh, gosh, lately a Paloma.

CRob (10:01)
Vi or Emacs?

Katherine Druckman (10:02)
Vi.

CRob (10:04)
Oh, thank you. Yay. There are no wrong answers, but Vi is always right. Being that you’re a fellow podcaster, what’s your favorite type of microphone?

Katherine Druckman (10:14)
Ahhh, ohhh. That’s a…I like Shure. I have a couple really good Shure mics.

CRob (10:19)
I love it too. So last question, rapid-fire, tabs or spaces?

Katherine Druckman (10:24)
Oh, God. Spaces. But I’m probably gonna get…

CRob (10:28)
(Laughter) This is very controversial.

Katherine Druckman (10:29)
I know. I’m probably gonna get yelled at for that, but I know I’m supposed to…I feel like I’m supposed to say tabs, but if I’m being honest, I’m probably gonna say spaces.

CRob (10:39)
That’s fair. Again there are no wrong answers. It all goes up to personal style and especially working with developers. No two developers do their work the exact same way.

Katherine Druckman (10:48)
Fair.

CRob (10:49)
Thank you for those amazing insights. So as we wind down here and close out, what advice do you have for somebody that’s interested in starting a career, whether it’s as an open source developer or getting into like cybersecurity or anything? What advice do you have to the new next generation?

Katherine Druckman (11:05)
Sure, yeah. Well, as I mentioned when we first started, I have a very non-traditional path, right? And I would say don’t be afraid of that. Learn all the things because you would be surprised at what sort of obscure piece of knowledge you might dig up from all of your experiences that might help you. Something from another field. I really like kind of interdisciplinary thinking. The example I use a lot, probably too much, is ergonomics and design, German kitchens of the 1930s. Yeah, it’s a whole thing. That’s what happens when you go to grad school for design history. But it’s a thing.

And every now and then, I think back to it. And I think about just the effectiveness and the simplicity and the amount of attention to detail that people put into the evolution of the modern kitchen. And it comes out in unexpected ways. And that’s, you know, it’s kind of a random and possibly silly example, we are a whole people and we draw from our, from all of our experiences. So I would just recommend learn all the things. Nothing is, nothing is not relevant.

CRob (12:11)
Awesome advice and I really like the idea of kind of connecting your background to your passions. As our final question, what call to action do you have for our listeners? Is there anything you want to inspire them to go do?

Katherine Druckman (12:23)
Yeah, come join our OpenSSF DevRel community. That’s the biggest one. Yeah, we have office hours, we have meetings, this is open to anyone. We would love to see more developers and maintainers help get this thing off the ground. Have a really effective meeting of the security folks and the developers because I feel like sometimes we’re seen as almost like opposite sides, which doesn’t make sense to me because to me, I don’t think of it that way. I never have.

I’ve always been a developer who wanted to do the right thing from a security perspective. So I feel like we should all just be like me. (Laughter) But seriously, come to our meetings, come join us. You might have some fun. We’re solving important problems. And yeah, I look forward to seeing everyone. The other last piece of advice I would have is I just got a refrigerator that has a freezer that makes craft ice and it makes these balls, because we’re talking about cocktails, it makes spherical ice. So yeah, that’s my other piece of advice. Get your hands on one of those because it’s really cool. The cocktail question reminded me and I feel like I needed to mention that.

CRob (13:29)
(Sound effect: “That’s saucy!”) That’s awesome. Thank you so much, Katherine. I really appreciate our conversation and everything you do to help get developers engaged and help get them empowered to continue the amazing work they do. So thanks for joining us on What’s in the SOSS? And we look forward to seeing you next time. Thank you.

Announcer (13:48)
Thank you for listening to this episode of What’s In the SOSS? an OpenSSF Podcast. As a reminder, Katherine Druckman will be a featured speaker at SOSS Fusion/24 in Atlanta, October 22nd and 23rd. To learn more, to register and to see the full schedule, visit open ssf dot org. And to subscribe to our series of conversations on Spotify, Apple Podcasts, Overcast, Pocketcasts or wherever you get your podcasts. We’ll talk to you next time on What’s in the SOSS?

OpenSSF Announces Key Themes of AI Security, Diversity and Open Source Public Policy at SOSS Fusion Conference

By Blog, Press Release

Engaging Sessions Led by Industry Experts Will Empower Attendees With the Knowledge, Tools, and Connections to Drive Innovation and Enhance Security in the Open Source Ecosystem

WASHINGTON — September 26, 2024 — The Open Source Security Foundation (OpenSSF) is pleased to announce the agenda for its inaugural Secure Open Source Software (SOSS) Fusion Conference, which will take place October 22-23, 2024, in Atlanta, Ga. Featuring presentations covering a variety of high-priority topics, including AI security, diversity, OSS consumption and public policy, the conference will bring together a diverse group of professionals from both the public and private sectors — software developers, security engineers, cybersecurity experts and leaders, founders, tech pioneers and policymakers — to collaborate on creating a more secure open source future. 

In the wake of recent high-profile incidents including XZ Utils, there has been an industry-wide pivot to focus on creating and implementing programs and best practices to bolster open source security. SOSS Fusion will unite key stakeholders for discussions, training and community-building opportunities to advance a more secure digital future. The program will feature keynotes from industry leaders, including:

  • Decoding the AI Revolution; Implications for Security and Society: AI Security Matters: Bruce Schneier, renowned security technologist and best-selling author
  • Window Snyder, founder and CEO at Thistle Technologies (session details forthcoming)
  • Enshittification Was a Choice: Cory Doctorow, science fiction author, activist and journalist
  • Government’s Continuing Path Contributing Towards a Secure Open Source Ecosystem: Timothy Pepper, senior technical advisor, open source software security, U.S. Cybersecurity and Infrastructure Security Agency (CISA)
  • Setting the Standard — Safely Operationalizing OSS Contributions: Brenton Stevens, open source compliance manager, Fannie Mae
  • There Is Just One Way to Do Open Source Security: Together: Marten Mickos, CEO, HackerOne

“Security in the open source world is not just about technology; it’s about building a culture of collaboration and trust,” said Arun Gupta, vice president and general manager of Open Ecosystem Initiatives at Intel and OpenSSF governing board chair. “At SOSS Fusion, we’re bringing together the best minds in the industry to address the pressing challenges of our time, from AI security to diversity and public policy. This conference is an essential step towards creating a safer, more inclusive digital future.”

It will also showcase workshops on the latest security technologies, panel discussions on emerging cyber threats, and networking opportunities with peers and industry leaders. Agenda highlights include:

  • Building Developer Confidence in Software Security With the DevRel Community [Panel]: Katherine Druckman, Intel Corporation; Tabatha DiDomenico, G-Research; Lori Lorusso, Percona
  • Assessing Open Source Software Projects in the Software Supply Chain: Scott Hissam, Carnegie Mellon Software Engineering Institute, and Joshua “CoCo” Crisp, Unified Platform (USCYBERCOM)
  • Trojan Model Hubs: Hacking the ML Supply Chain and Defending Yourself from Threats: Sam Washko and William Armiros, Protect AI
  • Navigating the Quantum Readiness Journey: Hands-on Guidance for Starting Your Migration: Eric Mizell, Keyfactor
  • Is Diversity the Top Ingredient in Your SBOM?: Rao Lakkakula and Tunji Taiwo, JPMorgan Chase

Registration for SOSS Fusion 2024 is now open. To learn more about the event, including sponsorship opportunities, please visit the event website.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaborating and working upstream and with existing communities to advance open source security. For more information, please visit us at openssf.org.

Media Contact:

Jennifer Tanner
Look Left Marketing
openssf@lookleftmarketing.com