By Jennifer Bly, OpenSSF
Open Source Summit Europe in Bilbao, Spain is only one week away! Open Source Summit is the premier event for open source developers, technologists, and community leaders to collaborate and further open source innovation, ensuring a sustainable open source ecosystem. During Open Source Summit, we will also be hosting OpenSSF Day Europe which is a full day of interesting session presentations, panels, and lightning talks.
OpenSSF Day Europe
We’ll be hosting OpenSSF Day Europe on Monday, September 18th and announced the agenda a few weeks ago. You can also view the full schedule on the event website which is full of talks on securing open source software. The day’s talks include:
- Welcome & Opening Remarks – Omkhar Arasaratnam, General Manager, OpenSSF
- Keynote Session: A Balancing Act: Collaboratively Developing Security in the Open – Rebecca Rumbul, Chief Executive Officer, Rust Foundation
- OSV and the Life of an Open Source Vulnerability – Andrew Pollock, Google
- A Beginner’s View of Public Instances – Evan Anderson, Stacklok
- Collaborating Along The Software Supply Chain – Nithya Ruff, Amazon
- Trusted Publishing: Lessons from PyPI – William Woodruff, Trail of Bits
- In Honk We Trust: Better Build Pipelines – Ram Iyengar, Cloud Foundry Foundation
- Exploring the Large Language Models Open-Source Security Landscape – Yotam Perkal, Rezilion
- Panel: Navigating Open Source, Open Standards & Government Directives for Better Cybersecurity – Jeffrey Borek, IBM, Sarah Evans, Dell Technologies, Christopher (CRob) Robinson, Intel, Sachiko Muto, OpenForum Europe & RISE, Moderated by Nithya Ruff, Amazon
- We Make Python Safer Than Ever – Cheuk Ting Ho & Seth Michael Larson, Python Software Foundation
- Unpacking Open Source Security in Public Repos & Registries – Ben Hirschberg, Armo
- The Journey of the Node.js Permission Model – Rafael Gonzaga dos Santos Silva, Nearform
- 5 Open Source Security Tools All Developers Should Know About – Raz Probstein, Jit
- I Drank What? (Or Intel’s Experiences Using OpenSSF Scorecard To Better Secure Our Software Portfolio) – Ryan Ware, Intel Corporation
- OpenVEX: Six Months of Progress as an OpenSSF Project – Adolfo García Veytia, Chainguard
Interested in catching all of these great sessions on-site in Bilbao or live from your device? Register now for OpenSSF Day Europe.
Open Source Summit Europe
While there are hundreds of amazing sessions on the schedule of the entire Open Source Summit Europe event, here are just a few of the great sessions, you won’t want to miss next week.
Panel Discussion: Ketchup, Mustard, and Relish of Software Supply Chain Security – Laura Seay, Red Hat; Arnaud J Le Hors, IBM; Jay White, Microsoft; Michael Lieberman, Kusari; Joshua Lock, Verizon
- 11:25 – 12:05 CEST
- Skip the sauerkraut and join the OpenSSF Supply Chain Integrity Working Group! This panel, composed of several of the leaders in the Working Group, will discuss how to improve and standardize your software supply chain security with the open source standards and tools: S2C2F, SLSA, and FRSCA. Attendees will have the opportunity to hear about these technologies, what they provide, and how they compare to one another, as well as get answers to their questions so that they know how to start leveraging these brand new technologies.
Implementing the OpenSSF Best Practices Badges & Scorecards Into Your Project – CRob, Intel & David A. Wheeler, Linux Foundation
- 14:30-15:10 CEST
- This talk will showcase the work of the OpenSSF through the lens of the software developer, illustrating tangible actions the foundation is taking to educate, inform, and encourage developers to adopt and use excellent security practices. We will focus on the OpenSSF Best Practices badge and Scorecards, with specific tips on common problems and how to address them in your project, as well as countering some misunderstandings. Attendees will come away with an understanding of how to work towards achieving the prestigious OpenSSF Best Practices Badge as well as how to integrate the OSSF Scorecards project to report on the security posture of their project.
Adventures in Securing an Open Source Project: From Repo Security Zero to Hero – Kara Olive & Pedro Nacht, Google
- 15:40 – 16:20 CEST
- There’s been a sharp increase in known attacks on open source projects in recent years. If you’re new to open source development, you might not be aware of free tools and techniques for protecting your project. As members of the Google Open Source Security Team (GOSST), we created a real project with all the worst security practices we could fit into a single repository and then scored it with the OpenSSF Scorecard tool (which evaluates a project’s use of security best practices and provides steps to remediate any weaknesses). We were able to bring the project’s score down to a 1.2/10 score, when just using GitHub’s default settings would give you a 4.5! We then used Scorecard to guide us through securing the project from end to end, raising its score into the top 1% of the 1M+ projects rated by Scorecard. All the tools we used are freely available to developers, and this talk will focus on those most accessible to beginners. We’ll share lessons we learned from this effort.
Security Research with Open Source Software: Vol. Omega – Yesenia Yser, The Linux Foundation
- 12:20 – 13:00 CEST
- When the galaxy is threatened with security breaches and exploits, it’s up to the A-O Guardians to clean up the mess with the Benatar targeting top 10,000 critical open source projects. Grab your quad blasters and join the OpenSSF Alpha-Omega team to explore the opportunities of software development, software security, and vulnerability research in the open source software (OSS) ecosystem. The Omega engineering team will illuminate the OSS security threats, share the mission of producing automated security patches, and converse on solution to solve global security concerns through open source tools, such as Omega analyzer, the Omega Assertion Framework, Triage Portal, and Campaign client via an automated vulnerability disclosure process and open source patching.
Improving the Security of a Large Open Source Project One Step at a Time – Michael Dawson, Red Hat & Rafael Gonzaga, NearForm
- 14:40 – 15:20 CEST
- Join us for an in-depth exploration of the vital role of security in the Node.js project. Led by the Node.js security working group and supported by the OpenSSF, we’re on a mission to enhance the security of the entire ecosystem. From groundbreaking new features to crucial fixes and streamlined development processes, we’ll share our key initiatives and achievements. Discover how to apply our learnings to your own development process and learn how you can become an active member of the Node.js community. Plus, get a behind-the-scenes look at real-world vulnerabilities that have affected Node.js and learn how they were identified, assessed, and resolved. Don’t miss this opportunity to elevate your understanding of Node.js security and become a key player in safeguarding the future of the project
SEAPATH: A LF Energy Project for Critical Infrastructure with an Emphasis on Software Supply Chain Security – Eloi Bail & Mathieu Dupré, Savoir-faire Linux
- 16:50 – 17:30 CEST
- SEAPATH, an innovative LFEnergy project, brings virtualization of electrical grid substations to enhance their adaptability and increase their interconnections. By aggregating third-party OSS components, SEAPATH provides a robust solution for critical infrastructure, which necessitates high levels of reliability and cybersecurity protection. SEAPATH graduates to Early Adoption Phase in April 2023 with a 781% increase of individuals contributing and achievement of the OpenSSF Silver Best Practices Badge. This presentation will present two approaches used in SEAPATH : pre-build Linux distribution (Debian based) and a custom Linux distribution (Yocto project based) with a long-term support prism. We will present benefits and drawbacks of those solutions regarding community involvement, supply chain security & SBOM and customization.
Enabling VEX and Full SBOM Coverage with Wolfi Based Containers – Adolfo García Veytia, Chainguard
- 15:55 – 16:35 CEST
- When assessing a container image, a software bill of materials (SBOM) can help identify vulnerable dependencies, unexpected or modified files, expired data, or licensing issues. Linking the SBOM data with VEX information (Vulnerability Exploitability eXchange) decreases the burden of vulnerability management by reducing the noise produced by security scanners. The powerful promise of the SBOM+VEX combo can only be achieved when the SBOM is comprehensive and properly structured while, on the other hand, making sure VEX information is flowing from the appropriate sources. In this talk, we’ll understand how images based on Wolfi (an open source container optimized Linux distro) achieve total SBOM coverage by starting to account for components from each package source code. We will analyze the SBOM, how it gets built, and learn how to verify an image against it. We’ll also go into how the wolfi tooling can generate OpenVEX documents automatically when a new CVE is disclosed which can be used by scanners to cancel false positives. We’ll close with a live demo demonstrating how to build a cloud native app in an image that ships with a complete SBOM and VEX data.
Scaling the Security Researcher to Eliminate OSS Security Vulnerabilities Once and for All – Jonathan Leitschuh, Open Source Security Foundation
- 11:55 – 12:35 CEST
- Hundreds of thousands of human hours are invested every year in finding security vulnerabilities with relatively simple fixes. These vulnerabilities aren’t sexy, cool, or new. We’ve known about them for years, but they’re everywhere! The scale of GitHub & tools like CodeQL (GitHub’s code query language) enable scanning of vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn’t useful, and would be a burden on volunteer OSS maintainers. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request. When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution – automated bulk pull request generation.
Insights from the Cloud Native Security Slam – Eddie Knight, Sonatype
- 15:55 – 16:35 CEST
- In 2022, the Cloud Native Computing Foundation (CNCF) hosted the Security Slam, a collaborative event in which 13 CNCF projects worked to improve their security posture. Using the CLOMonitor, participating projects streamlined their visibility into key security metrics, including measurements by the OpenSSF Scorecard. In this session, we will share the lessons learned from the Security Slam, explore best practices for securing the software supply chain at the source, and hear about what gaps still remain to be addressed in the 2023 Security Slam!
Growing the Chain: Trusting Build Provenance from Userspace – Billy Lynch, Chainguard
- 15:55 – 16:35 CEST
- Many tools like Cosign, npm, Goreleaser, and more are adding capabilities to make it easier to sign packages and artifacts in CI/CD workflows. However, generating provenance and attestations from user pipelines can be a source of risk – how do we trust that jobs configured by users are producing accurate information? In this talk, we’ll look at how we can build a chain of trust that links artifacts, to CI configuration, to the build services that run them. You’ll learn how open source technologies like Sigstore and OIDC make this work possible, what CI providers and users need to establish this trust, and examples in the wild that do this to establish trust for their builds.
We hope to see you there, either virtually or in person!