On September 18, 2023, we hosted OpenSSF Day Europe at the Open Source Summit Europe in Bilbao, Spain. Throughout the day, we hosted a number of sessions on the state of open source software security, current initiatives, and what’s next. If you weren’t able to attend, check out our playlist on YouTube to view each session.
Here’s a summary of what we covered at OpenSSF Day EU 2023:
Opening Keynote Sessions
The day started with a welcome from Yesenia Yser, Senior Software Security Engineer for the Alpha-Omega project, followed by Opening Remarks from Omkhar Arasaratnam, General Manager of the OpenSSF. Arasaratnam welcomed new members and shared a few exciting highlights from the past few months.
Next, Rebecca Rumbul, Executive Director and CEO of the Rust Foundation, gave a keynote on A Balancing Act: Collaboratively Developing Security in the Open. She discussed the unique challenges of developing security in the open, and the opportunities that exist to work across different organizations to better secure open source in a collaborative manner. She encouraged the community to “stop competing” and instead “start collaborating.”
Sessions and Panels
We had a panel discussion on Navigating Open Source, Open Standards & Government Directives for Better Cybersecurity, which featured Sarah Evans, Dell Technologies; Christopher Robinson, Intel; Sachiko Muto, OpenForum Europe & RISE; and Jeffrey Borek, IBM, and was moderated by Nithya Ruff, Amazon. Panelists discussed the balance between open source and open standards, the implications both have for modern supply chain security, and the policy and actions of government agencies and standards organizations.
Another session, OSV and the Life of an Open Source Vulnerability, featured Andrew Pollock from Google, who explained the purpose and details behind the OSV Schema and the database built on it, which records vulnerability information in a more consistent way. Nithya Ruff from Amazon then gave a big-picture view of the open source software supply chain, drawing on her experience leading Amazon’s Open Source Programs Office, in Collaborating Along The Software Supply Chain.
Two sessions focused particularly on current security efforts in the Python ecosystem. William Woodruff from Trail of Bits gave an introduction to trusted publishing, an OpenID Connect-based authentication scheme for publishing packages to package registries, and explained how PyPI has implemented it in Trusted Publishing: Lessons from PyPI. Then, Cheuk Ting Ho & Seth Michael Larson from the Python Software Foundation (PSF) discussed how the PSF recently conducted a security audit and improved its security practices in We Make Python Safer Than Ever. All of this was made possible by hiring a Security Developer-in-Residence with support from the OpenSSF’s Alpha-Omega Project.
In the session Exploring the Large Language Models Open-Source Security Landscape, Yotam Perkal from Rezilion addressed how large language models (LLMs) affect security and how we can take a security-first approach to adopting them. He also presented the results of a survey of major LLM projects using OpenSSF Scorecard, which showed significant concerns around their security posture. Later that day, Ryan Ware from Intel Corporation also discussed OpenSSF Scorecard in the context of educating Intel about open source risks in I Drank What? (Or Intel’s Experiences Using OpenSSF Scorecard To Better Secure Our Software Portfolio).
In Unpacking Open Source Security in Public Repos & Registries, Ben Hirschberg from Armo explored security considerations around public-facing registries, particularly those that host container images such as DockerHub and Quay. Raz Probstein from Jit also gave tips around open source tooling that can be easily integrated into CI/CD pipelines in 5 Open Source Security Tools All Developers Should Know About.
Finally, Adolfo García Veytia from Chainguard gave a status update on the OpenVEX project, which was donated to the OpenSSF six months ago and is now part of the Vulnerability Disclosures Working Group. In his talk OpenVEX: Six Months of Progress as an OpenSSF Project, he discussed how OpenVEX makes a difference by providing a standardized vulnerability exchange format to better understand how a vulnerability impacts a piece of software.
During the day, we also featured three lightning talks:
- A Beginner’s View of Public Instances: In this talk, Evan Anderson from Stacklok discussed how “public good” instances, such as Sigstore, are hosted, as well as their scale and importance to open source security.
- In Honk We Trust: Better Build Pipelines: In this talk, Ram Iyengar from the Cloud Foundry Foundation demonstrated how various tools can be integrated into a build pipeline to make the final results have a higher level of trust. He featured the use of cosign, SBOMs, and SLSA.
- The Journey of the Node.js Permission Model: Rafael Gonzaga from Nearform, a member of the Node.js Technical Steering Committee, discussed the Node.js Permission Model, covering the motivation and design behind it as well as how it improves security.
Finally, Arasaratnam closed out the event with Closing Remarks. Thank you to everyone who shared a session and who attended to help us secure the open source software ecosystem together! We look forward to continuing to improve open source security, one step at a time.
You are invited to join us for our next OpenSSF Day – OpenSSF Day Japan in Tokyo on December 4, 2023.