On May 10, 2023, we hosted OpenSSF Day at the Open Source Summit North America in Vancouver, BC. We had a full day of session presentations, panels, and lightning talks around the current state of open source security. If you weren’t able to attend, the videos are now available on our YouTube channel to view, and here are a few key takeaways from the day.
Opening Keynote Sessions
The day started with a warm greeting from MC and Technical Advisory Council Chair, Christopher “CRob” Robinson, followed by Welcome & Opening Remarks from Brian Behlendorf, CTO of the OpenSSF. Behlendorf recapped the major OpenSSF announcements and updates of 2022, including recent events, and welcomed Omkhar Arasaratnam as the new General Manager of the OpenSSF. Finally, Behlendorf discussed guiding lights for 2023 and beyond, including better visualizing the OpenSSF community, working towards a common architecture for secure software development, and updating and re-iterating the OSS Mobilization Plan.
This was followed by a fireside chat, How Can Government and the OSS Community Work Together?, with Jack Cable from the Cybersecurity and Infrastructure Security Agency (CISA) and Anjana Rajan from the Office of the National Cyber Director (ONCD). Cable and Rajan discussed the US federal government’s approach to working with the open source community on security, with two primary goals: rebalancing the responsibility for software security onto large technology companies, and shifting incentives to encourage investment in long-term rather than short-term security fixes.
OpenSSF Day also featured a panel discussion, What’s New in the World of SBOMs?, with Tracy Ragan, DeployHub, Inc; Adolfo Garcia Veytia, Chainguard; Gopi Rajbahadur, Huawei; Karen Bennett, IEEE; and Guy Chernobrov, Scribe Security, moderated by Josh Bressers, Anchore. Panelists covered the importance of SBOMs and answered questions about new developments such as the development of SPDX 3.0.
Another panel focused on Alpha-Omega: Securing Open Source Software Through Direct Engagement and featured Mikael Barbero, Eclipse Foundation; Walter Pearce, Rust Foundation; Ram Iyengar, Cloud Foundry Foundation; and Munawar Hafiz, OpenRefactory. The panel was moderated by Yesenia Yser from the OpenSSF. Panelists discussed how the Alpha-Omega Project has supported major open source foundations through Alpha; its work on vulnerability discovery and remediation across the long tail of open source projects through Omega; and ways to contribute and get involved, such as through the project’s GitHub repository.
The final panel, Creative, Inclusive and Sustainable Cybersecurity – Getting it Done with DEI, comprised Christine Abernathy, f5; Amanda Brock, OpenUK; Anova Hou, University of British Columbia; and Eddie Knight, Sonatype and was moderated by Sal Kimmich, EscherCloud. The panelists discussed what diversity, equity, and inclusion efforts mean and how this translates to open source spaces, from efforts around education to outreach.
We also had several interesting talks, such as Steve Taylor of DeployHub on It’s Time to Harden the DevOps Pipeline with New Open-Source Security Tooling, where he discussed how open source security tooling can harden the entire DevOps pipeline, including the pre-build, build, SBOM generation, and publishing steps.
Andrew Aitken from Wipro spoke on Trials, Tribulations and Triumphs: An End User’s Perspective on Software Supply Chain Security, joined by Jonathan Meadows from Citi and Jacques Chester. They discussed the perspectives of end users who consume open source software and the work done by the OpenSSF End User Working Group to address security concerns for OSS users.
Christopher “CRob” Robinson from Intel also gave a talk, Mobilizing for the Mobilization Plan, where he discussed the status of various initiatives in the ten-point Open Source Software Security Mobilization Plan and how you can contribute to and help with initiatives in the future.
We also had several lightning talks highlighting specific initiatives and areas of interest for the community:
- Hayden Blauzvern from Google gave a lightning talk about Getting Involved in Sigstore Research Projects and discussed areas where both industry practitioners and academic researchers can work on hard problems around signing and verification.
- Amit Montazery from the Open Source Technology Improvement Fund (OSTIF) gave a talk on Presenting the OSTIF Independent Security Audit Impact Report, outlining OSTIF’s efforts in making security audits and improvements to critical projects in the open source ecosystem.
- Elizabeth Wyss from the University of Kansas presented No Package is an Island: Looking at Context when Assessing Package Security, where she highlighted the importance of context and relational properties when analyzing the security of packages.
- Kris Kooi from Google gave a talk on SLSA Conformance: how build systems can meet SLSA requirements, how the conformance program works, and how consumers can verify provenance with SLSA verification.
- Adam Korczynski from Ada Logics discussed Fuzzing Rekor for Bugs and Vulnerabilities, sharing insights gained while integrating a fuzzing suite for Rekor, Sigstore’s transparency log.
Finally, Behlendorf closed out the event with Closing Remarks. Overall, we are pleased to have had the opportunity to hear from the community about the many efforts underway to secure open source software. We thank everyone who came together to share, learn, and collaborate, making this an incredible event.
Be sure to save the date! We will host OpenSSF Day Europe on Monday, September 18th, 2023, during Open Source Summit EU in Bilbao, Spain. We look forward to continuing to collaborate with everyone to make the OSS ecosystem more secure for all.