Open Source Summit North America in Vancouver, Canada is only one week away! Open Source Summit is the premier event for open source developers, technologists, and community leaders to collaborate and further open source innovation, ensuring a sustainable open source ecosystem. During Open Source Summit, we will also be hosting OpenSSF Day North America which is a full day of interesting session presentations, panels, and lightning talks.
OpenSSF Day North America
We’ll be hosting OpenSSF Day North America on Wednesday, May 10th and announced the complete agenda a few weeks ago. You can also view the entire schedule on the event website which is full of talks on securing the open source supply chain. The fireside chat and panel sessions include:
- Fireside Chat: How Can Government and the OSS Community Work Together?
- 11:30am – 12:00pm PDT
- This keynote fireside chat features Jack Cable, Senior Technical Advisor, Cybersecurity and Infrastructure Security Agency (CISA) and Anjana Rajan, Assistant National Cyber Director for Technology Security, Office of the National Cyber Director, The White House, and the discussion will be moderated by Brian Behlendorf, General Manager, Open Source Security Foundation (OpenSSF).
- What’s New in the World of SBOMs?
- 12:05pm – 12:35pm PDT
- This panel will take a look at Software Bills of Materials (SBOMs) with panelists: Tracy Ragan, DeployHub, Inc; Adolfo Garcia Veytia, Chainguard; Gopi Rajbahadur, Huawei; Karen Bennett, IEEE; Guy Chernobrov, Scribe Security; and moderator Josh Bressers, Anchore.
- Alpha-Omega: Securing Open Source Software Through Direct Maintainer Engagement
- 2:20pm – 2:50pm PDT
- This panel will take a look at securing open source software through direct maintainer engagement through the Alpha-Omega Project with panelists: Mikael Barbero, Eclipse Foundation; Walter Pearce, Rust Foundation; Ram Iyengar, Cloud Foundry Foundation; Munawar Hafiz, OpenRefactory; and moderator Yesenia Yser, The Linux Foundation.
- Creative, Inclusive and Sustainable Cybersecurity – Getting it Done with DEI
- 4:35pm – 5:05pm PDT
- In this panel, we include representation for open source legal scholars, artists, developers, and directors. We’ll talk about our current efforts in outreach, education and career mobilization in cybersecurity, with a particular focus on non-traditional career pathways. Panelists include Christine Abernathy, F5; Amanda Brock, OpenUK; Anova Hou, University of British Columbia; and Eddie Knight, Sonatype. Moderator is Sal Kimmich, EscherCloud.
Open Source Summit North America
While there are hundreds of amazing sessions on the schedule of the entire Open Source Summit North America event, here are just a few of the great sessions you won’t want to miss next week.
Wednesday, May 10
- Keynote: New Tools for Securing Open Source – Tracy Ragan, CEO & Co-founder, DeployHub
- 9:30am – 9:45am PDT
- Good news! The open source community has gone through a ‘security awakening’ that has created new tools and programs for making open source safer. Join this session to learn about tools and programs introduced over the last year to make securing the software you deliver to end users less complex.
- Keynote: All Aboard the Automation Train – Eric Brewer, Vice President of Infrastructure & Fellow, Google
- 10:05am – 10:20am PDT
- To simplify open source security for the long term, we will need some help from curation and automation. How can we – as an OSS community and industry – help enable this transition, without placing too much of the burden on maintainers? We’ll share our vision for the future, and a variety of solutions we can start implementing today to help us get there.
- Panel Discussion: Managing Open Source at Scale in an Era of Heighten Security Concerns – Jeffrey Borek, IBM; Nithya Ruff, Amazon; Rao Lakkakula, JPMorgan Chase; Andrew Aitken, Wipro
- 4:00pm – 4:40pm PDT
- Open source security is increasingly in the news and in policy conversations. What will policymakers likely do in the coming year, and how can we as leaders in the open source ecosystem help them make better decisions? This panel of OSPO and OSS ecosystem leaders will discuss how they are getting involved in educating, collaborating and driving OSS security work at their organizations.
Thursday, May 11
- Keynote: The Work’s Never Done: Open Source Software and Risk Management – Vincent Danen, Vice President of Product Security, Red Hat
- 9:50am – 9:55am PDT
- Every software company today has to balance creating value for their customers while also reducing risk — because risk can never be fully eliminated. This session will cover managing risk and vulnerabilities with open source software and how Red Hat works toward ensuring safer consumption of software for all of its customers.
- The Importance of Developer Tooling to Make Open Source More Secure by Default – Brian Behlendorf, Open Source Security Foundation (OpenSSF)
- 11:00am – 11:40am PDT
- One important aspect of the Open Source Software (OSS) community’s collective security response should be to create developer tooling. Such tooling makes it easier to write secure software by default and reduces the burden on maintainers. This session will discuss existing initiatives in this space and ideas for potential future directions of security tooling, as well as ways to get involved in these projects.
- Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and for All – Jonathan Leitschuh, Open Source Security Foundation/Linux Foundation
- 11:55am – 12:35pm PDT
- Hundreds of thousands of human hours are invested every year in finding security vulnerabilities with relatively simple fixes. These vulnerabilities aren’t sexy, cool, or new. We’ve known about them for years, but they’re everywhere! The scale of GitHub and tools like CodeQL (GitHub’s code query language) enable scanning for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. This talk will cover a highly scalable solution: automated bulk pull request generation.
- Navigating Open Source and Open Standards for Better Cybersecurity – Jeffrey Borek & Jochen Friedrich, IBM
- 2:00pm – 2:40pm PDT
- What is the right balance between open source and open standards today? Concerns about the security of the modern software supply chain add new complexity to this equation. Please join this session for an up-to-the-minute look at how both the open source community and standards organizations are working to improve cybersecurity.
- Panel Discussion: Ketchup, Mustard, and Relish of Software Supply Chain Security – Arnaud Le Hors & Melba Lopez, IBM; Jay White, Microsoft; Michael Lieberman, Kusari
- 2:55pm – 3:35pm PDT
- Skip the sauerkraut and join the OpenSSF Supply Chain Integrity Working Group! This panel, composed of several of the leaders in the Working Group, will discuss how to improve and standardize your software supply chain security with the open source standards and tools: S2C2F, SLSA, and FRSCA.
- Simplifying Coordinating Vulnerabilities & Disclosures in Open Source Projects – CRob, Intel & Madison Oliver, GitHub
- 4:05pm – 4:45pm PDT
- Handling vulnerabilities can be some of the most stressful and unknown areas a developer might have to work with throughout their careers. The Open Source Security Foundation’s (OpenSSF) Vulnerability Disclosures Working Group is here to help! Come learn about tools, templates, and best practices to make these interactions less stressful and more frictionless. So no matter what hat you like, the Vuln Disclosure working group has one that fits you!
- A Guide to Securing GitHub Based on Lessons Learned – Christine Abernathy, F5, Inc.
- 4:05pm – 4:45pm PDT
- As an Open Source Program Office (or OSPO) you typically have projects hosted on a platform like GitHub or GitLab. The key question is, how do you manage the organizations, members and repositories in a way that is secure and encourages collaboration? F5’s fledgling OSPO took on a project to standardize how their GitHub assets were organized. Sharing the lessons learned from that standardization work is the focus of Christine’s talk.
- Configuration as a Code: Managing Hundreds of GitHub Organizations to Streamline Supply Chain Security – Mikaël Barbero, Eclipse Foundation
- 4:05pm – 4:45pm PDT
- This story starts when the OpenSSF Alpha-Omega initiative enabled the Eclipse Foundation to invest in improving software supply chain security for its projects. We ran the OpenSSF Scorecard project and identified some recurrent misconfigurations. This evaluation with Scorecard showed an urgent need for a tool to effectively manage and rectify misconfigurations in our 1000+ repositories. Participants will learn about the tools and techniques we employed in our organization and how they can be adapted for their own purposes.
- Improving the Security of a Large Open Source Project One Step at a Time – Michael Dawson, Red Hat & Paula Paul, NearForm
- 6:00pm – 6:45pm PDT
- Join us for an in-depth exploration of the vital role of security in the Node.js project. Led by the Node.js security working group and supported by the OpenSSF, we’re on a mission to enhance the security of the entire ecosystem. From groundbreaking new features to crucial fixes and streamlined development processes, we’ll share our key initiatives and achievements. Discover how to apply our learnings to your own development process and learn how you can become an active member of the Node.js community.
Friday, May 12
- Verifying the Validity of Crowd-Sourced Results in the Open Source Community: The Scorecard GitHub Action and Sigstore – Naveen Srinivasan, Independent & Spencer Schrock, Google
- 11:00am – 11:40am PDT
- This talk will provide a comprehensive overview of how the Scorecard GitHub Action uses Sigstore (cosign, fulcio, and rekor) to build a remote attestation mechanism. Using diagrams and code examples, we will uncover the workflow for validating rekor results and provide practical guidance for attendees.
- Panel Discussion: How Web Developers are Changing Web Standards – Jory Burson, The Linux Foundation; Jordan Harband, OpenSSF; Joe Sepi, IBM
- 11:55am – 12:35pm PDT
- This panel focuses on how web developers are changing web standards.
- Lightning Talk: Criticality Scores Unveiled: A High Schooler’s Journey with OpenSSF – Nathan Naveen, Student
- 12:05pm – 12:12pm PDT
- Learn from Nathan, a 16-year-old high school sophomore contributing to the Criticality Score project, on a journey to discover the critical dependencies in open-source software projects and how to use criticality scores to identify the most critical dependencies. By the end of this talk, you’ll have the power to easily find your most critical dependencies.
- Implementing the OSSF Best Practices Badges & Scorecards Into Your Project – CRob, Intel & David A. Wheeler, The Linux Foundation
- 3:10pm – 3:50pm PDT
- This talk will showcase the work of the OpenSSF through the lens of the software developer, illustrating tangible actions the foundation is taking to educate, inform, and encourage developers to adopt and use excellent security practices. We will focus on the OpenSSF Best Practices Badge and Scorecard, with specific tips on common problems and how to address them in your project, as well as countering some misunderstandings.
- SLSA with Us: The Dance of AppSec – Michael Lieberman, Kusari
- 4:05pm – 4:45pm PDT
- Want to see SLSA in action? Join the OpenSSF SLSA group for a live hands-on demonstration of how to secure your software supply chain and obtain a SLSA compliant build using a sample repo. The SLSA Tooling Special Interest Group (SIG) will showcase the tooling they’ve been developing to meet the SLSA 1.0 Build Specification.
We hope to see you there, either virtually or in person!