As 2023 drew to a close, OpenSSF convened the open source community in Tokyo, Japan, to delve into discussions surrounding the challenges, overarching solutions, ongoing initiatives, and triumphs in fortifying the open source software (OSS) supply chain. Alongside dedicated OpenSSF contributors and thought leaders, we embarked on an in-depth exploration of topics such as security best practices, vulnerability discovery, securing critical projects, and the evolving landscape of OSS security. These insightful sessions included engaging formats like presentations, panels, and lightning talks.
Here’s a recap of what we addressed during the conference:
Opening Keynote Session
The event kicked off with opening remarks from Omkhar Arasaratnam, the General Manager of OpenSSF, who extended a warm welcome to four new members and provided insights into the ongoing initiatives of OpenSSF. Omkhar shared an overview of OpenSSF’s current projects, blog posts, and various undertakings, offering attendees a comprehensive understanding of the organization’s recent developments and future endeavors.
Following the opening remarks, Kazuki Omo, the Sub CSO of SIOS Technology Inc., took the stage for a captivating keynote session. Kazuki delved into a detailed analysis of the trends in Open Source Software (OSS) Common Vulnerabilities and Exposures (CVEs) over recent years. He shed light on which vulnerabilities have been exploited and divulged valuable information on the types of threat actors leveraging specific OSS vulnerabilities during distinct phases. Kazuki’s presentation provided a strategic overview of the evolving landscape, empowering the audience with crucial insights into the dynamics of OSS security and the challenges posed by various threat actors in exploiting vulnerabilities.
Sessions and Panels
We were delighted to host two insightful panel discussions. The first panel brought together esteemed industry experts, including Jeffrey Borek (WW Program Director, IBM), Kentarou Fukuda (Manager of Standards & Product Compliance, IBM Japan / Research and Development), Rao Lakkakula (Senior Director of Security Engineering, JPMorgan), and Aya Tokura (Manager of Data and AI Customer Success, IBM Japan). The discussion covered the crucial topics of open standards and government directives within the open source space. The panel explored how traditional standards organizations have significantly enhanced modern life by establishing guidelines across product, service, process, and management categories. At the same time, open source software has evolved beyond its initial focus on operating systems to permeate every aspect of the software stack, creating de facto ‘standards’ that reshape the IT ecosystem. The conversation also addressed the ongoing challenge of finding the right balance between open source and open standards in today’s landscape, especially as governments globally navigate this intricate intersection with varying degrees of success.
In the second panel of the OpenSSF Day Japan, we were privileged to have distinguished speakers, including Omkhar Arasaratnam (General Manager, OpenSSF), Chiseki Sagawa (Executive Advisor, Information-technology Promotion Agency, Japan), and Sandy Radesky (Associate Director for Vulnerability Management, CISA). The focus of this panel was on the critical theme of global collaboration in open source security, drawing on the expertise and perspectives of these prominent figures from OpenSSF, IPA, and CISA.
The session presentations at the event covered various themes related to software supply chain security. One prominent category focused on enhancing and securing the software supply chain. Munehiro Ikeda (Cybertrust Japan Co. Ltd.) addressed this theme in his talk “Integration for Software Supply Chain Security: OS to User Apps, Local to Global.” He highlighted the importance of mechanisms within operating systems and proposed solutions to bridge the gap between global and local communities. In his talk “Production, Consumption, and the Data: The Open Source Security Sandwich,” Michael Lieberman (Kusari) explored projects like SLSA, Scorecard, and SBOM generation tools, emphasizing the integration of tools for secure production and consumption of software.
Another significant theme revolved around secure coding in open source projects. Nandini Sharma (Zeta) and Amisha Srivastava (Dell Technologies) discussed “Secure Coding in Open Source,” offering guidelines and techniques to avoid common vulnerabilities, contributing to the overall improvement of software security.
Stephen Chin (JFrog) presented the crucial but often overlooked aspect of application security in his talk, “Know Your Ingredients: Security Starts with the Source.” He drew parallels to a restaurant, emphasizing the significance of fresh, quality ingredients in securing the software supply chain. This theme echoed throughout the session, stressing the importance of understanding and securing the components that go into developing software.
Caleb Brown (Google) introduced a different perspective with his talk, “The Malicious Packages Repo – Filling the Data Gap with Open Source.” This session focused on the growing threat of malicious packages, presenting the Package Analysis project and the creation of a public database, the Malicious Packages repo, to aggregate reports of malicious packages discovered in open source repositories.
Justin Cappos (NYU) discussed the sandbox-level projects in the OpenSSF, providing a quick overview of RSTUF, SBOMit, and gittuf. This session aimed to help the audience understand the core goals of each project and how to get involved, contributing to the broader mission of securing the open source software landscape.
Ian Lewis (Google) delved into “OSS Release Verification and Policy Enforcement with SLSA,” exploring the integration of Sigstore tools with existing build tools and considering various methods to collaborate effectively in securing software supply chains.
Jack Kelly (ControlPlane) discussed “Integrating Existing Build-Tools with Sigstore: How It Went and What’s Left to Do,” contributing to the ongoing efforts in the tech industry to secure the software supply chain. The talk focused on the importance of understanding and verifying the provenance and security of open source dependencies.
The day also featured a series of illuminating lightning talks:
- How to Write and Distribute Security Advisories by Norihiro Nakaoka (Future Corporation): Several OSS vulnerability scanners have been developed to collect security advisories, but the quality and distribution of advisories often pose challenges. Norihiro Nakaoka introduced the format used in actual advisories and shared insights on effective distribution and writing practices to enhance vulnerability detection.
- SBOM Policy for Japan’s Industry Sector by Taketo Yamada (Ministry of Economy, Trade and Industry – METI): Taketo Yamada discussed the importance of Software Bill of Materials (SBOM) policies for Japan’s industry sector. Highlighting the significance of SBOM in supply chain security, the talk explored the regulatory landscape and implications for the industry.
- Safety First: Using OpenSSF to Harden Your Open Source Code by Saurav Jain (Amplication): Security vulnerabilities in open source projects can pose significant risks. Saurav Jain’s lightning talk emphasized the importance of OpenSSF in fortifying open source code. The session provided insights into common security pitfalls, offering actionable steps and resources that OpenSSF provides to enhance the security of open source projects.
With Omkhar’s closing remarks, the 2023 OpenSSF Day Japan came to an end, concluding a day filled with insightful discussions and collaborative efforts aimed at strengthening software supply chain security. Thanks to all participants who joined OpenSSF Day Japan, contributing their expertise and enthusiasm to advance the collective mission of enhancing software security. As we advocate for software security in innovative ways, let us continue fostering collaboration and sharing knowledge to address the evolving challenges in the open source landscape.