By Ashwin Ramaswami
On December 5th during Open Source Summit Japan, the Open Source Security Foundation (OpenSSF) hosted OpenSSF Day Japan 2022, a half-day event dedicated to exploring ongoing efforts to improve the security of open source software (OSS). Throughout the day, contributors and thought leaders shared their ideas and experiences with OSS security through sessions on subjects like security best practices, vulnerability discovery, securing critical projects, and the future of OSS security.
The event opened with a presentation by Brian Behlendorf, General Manager of OpenSSF. Behlendorf described the values, mission, and purpose of the OpenSSF. OpenSSF is committed to collaboration with both industry and open source communities to advance open source security for all. The OpenSSF envisions an open source ecosystem where participants can share high quality and secure software, easily learn and implement secure development practices, and disclose and remediate vulnerabilities in a timely fashion.
David A. Wheeler, Director of Open Source Supply Chain Security at the Linux Foundation, discussed general principles of software security as they apply to open source software, including secure coding practices, vulnerability management, and supply chain security for OSS. He focused in particular on the work of the OpenSSF’s Best Practices Working Group, both to show what that group has been doing and as a representative example of the OpenSSF’s broader activity. The working group aims to identify recommended practices for developing and evaluating open source software, educate developers about them, and help developers adopt them.
Bob Callaway, technical lead and manager of the supply chain integrity group in Google’s Open Source Security Team, presented Sigstore. Sigstore provides a way to sign, verify, and protect software artifacts, recording signatures in a public transparency log so that they can be independently checked. By simplifying and automating the signing process, Sigstore helps open source software users and developers secure the software supply chain. Fumiko Satoh and Yuji Watanabe, Senior Technical Staff Members at IBM Research, then discussed several aspects of software supply chain security. Satoh presented IBM’s efforts to secure the software supply chain, while Watanabe described techniques for assuring the integrity of Kubernetes resource manifests throughout the end-to-end software development life cycle.
Then, Muuhh Ikeda from Cybertrust Japan discussed recent efforts to address open source security in Japan, such as the Open Source Software Security Summit in Japan in August 2022 and the launch of a new OpenSSF Japan chapter. He detailed Cybertrust’s engagement with various initiatives along the ten streams outlined in the OSS Security Mobilization Plan. Finally, Cybozu’s Takua Yoshikawa discussed the challenges of introducing concepts such as “SBOM Everywhere” or supply chain management to cloud service providers in Japan. He went on to describe how SBOMs could be better integrated into Japanese certification programs, such as ISMAP, in the future. The day ended with closing remarks from Behlendorf.
Kicking off Open Source Summit, Noriaki Fukuyasu, the Linux Foundation’s VP of Japan Operations, announced that the free Developing Secure Software training course from OpenSSF is now available in Japanese, allowing many more developers to access high-quality training material on the fundamentals of developing secure software. Moreover, at the start of the summit, the OpenSSF welcomed over a dozen new members, bringing the total membership to over 100.
Companies, universities, and developers in Japan play a crucial role in sustaining the global open source software ecosystem. OpenSSF Day Japan demonstrates the OpenSSF’s commitment to working with partners in Japan to secure open source software. The OpenSSF plans to continue engagement both with OpenSSF members in Japan – such as Cybertrust Japan, Cybozu, and Renesas Electronics – and other organizations in both Japan and other parts of the world. It is important to work with those who maintain and use open source software from around the world in order to best secure the digital infrastructure that we all rely on.