The OSS Security Adventure: Exploring the Frontlines of OSS Security through SOSS Policy Summit, RSA Conference, and Japan Meetup

May 31, 2024

OpenSSF is making waves globally, with our footprint evident in discussions and events across continents. Join us on an “OSS Security Adventure” as we delve into our impactful presence at the SOSS Policy Summit in Brussels, the RSA Conference in San Francisco, and our engaging meetup in Tokyo.

SOSS Policy Summit 

The 2024 Secure Open Source Software (SOSS) Policy Summit Europe in Brussels, Belgium, brought together the OSS community, European governments, and the private sector to advance impactful security initiatives and policies for securing open source software. SOSS promotes resilience, sovereignty, and autonomy for consumers of open source in the software supply chain.

Session Highlights

The summit began with a keynote by Lorenzo Pupillo (Head of Cybersecurity, CEPS) and Mirko Boehm (Sr Director of Community Development, Linux Foundation Europe), emphasizing the central role of open source in the Information and Communications Technology (ICT) landscape. They particularly highlighted its significance amidst Europe’s focus on digital sovereignty and cybersecurity vulnerabilities. The speakers underscored the importance of addressing liability, responsibilities, and international security concerns, especially in light of the increasing prevalence of supply chain attacks.

In the keynote panel, Lorena Boix-Alonso from the European Commission highlighted the Commission’s active engagement with open source, citing examples like the COVID certificate and digital identities regulation. Koos Lodewijkx from IBM emphasized the need for community collaboration and clarity on roles in open source projects. Cédric Gégout from Canonical reinforced the importance of clear roles and responsibilities for those relying on open source contributions.

The panel on “Open Source Software and Changing Regulatory Landscape in the EU” featured Benjamin Boegel (Head of Sector of Product Security & Certification Policy, DG CNECT, European Commission), Cristian Tracci (Senior Policy Manager, ECSO), Florian Pennings (Director Cybersecurity Policy, European Government Affairs, Microsoft), and Amelia Andersdotter (Risk & Compliance Officer, Safespring AB). They discussed the balance between bottom-up and top-down regulatory approaches, the idea of basic income for maintainers, and compliance challenges for small companies, emphasizing security by design from the start of software products.

In the “Open Source Security and Open Source AI” panel, Lorenzo Pupillo, Andreas Tsamados, Miriam D’Arrigo, and Hrant Kostanyan discussed threats to AI models, transparency in AI systems, and challenges like model poisoning, emphasizing the need for transparency in open source AI systems.

The “Secure Open Source Software and a Resilient Public Sector Europe” panel included Andreas Mitrakas, Andreas Neth, Jack Hamande, and Leonardo Favario. They explored strategies for open source adoption in the public sector, highlighting the importance of clear ownership, commitment to sustainability, and engaging smaller companies in procurement.

The “Economic Advantage of Secure Open Source Software in Europe” panel featured Ana Jimenez, Martina Goetz, Karen Melchior, Ilkka Turunen, Daniel Appelquist, and Per Beming. They discussed the regulatory landscape’s impact on companies, best practices for startups to engage with open source, and the role of the public sector in promoting open source security, highlighting the significance of the Sovereign Tech Fund.

The summit concluded with a session on “Taking Stock and Closing Remarks,” summarizing key insights and emphasizing the importance of ongoing collaboration and innovation within the open source community.

We appreciate everyone’s participation in this collective endeavor, which marks a significant step towards fostering a more secure and robust digital ecosystem. Presentations from the summit are available.

RSA Conference 

The RSA Conference (RSAC) is a major annual cybersecurity event where organizations and industry professionals gather to share knowledge, innovations, and strategies, and to showcase the latest cybersecurity initiatives, products, and services.

OpenSSF attended this year’s RSAC aiming to increase awareness of the foundation’s global impact in making open source software more secure. Engaging with the broader cybersecurity community highlighted the foundation’s critical role in education, training, software solutions, securing software repositories and package registries, incident response, and engagement with regulation and public policy decision makers in Asia Pacific, Europe, and North America.

OpenSSF Highlights

OpenSSF kicked off our RSAC week with a happy hour on the first day of the conference. Community members engaged in meaningful discussions at the event, focusing on improving services for existing members, fostering a welcoming environment for future organizations, and expanding their professional networks.

Omkhar teamed up with Perri Adams, Special Assistant to the Director, DARPA (US Defense Advanced Research Projects Agency), and presented a 50-minute talk on “Cracking the Code: Unveiling Synergies Between Open Source Security and AI”. The session covered how some of the key tenets of open source security can (and should) be applied to AI to address the demand to produce AI benefits while mitigating AI risk. The session offered a deeper understanding of the interplay between AI and open source security, which will ultimately foster more secure software supply chains and continually gain from community collaboration.

Japan Meetup

On May 13, OpenSSF’s General Manager Omkhar Arasaratnam joined an in-person meetup in Tokyo, Japan, alongside members of OpenSSF, including Cybertrust, Cybozu, Hitachi, and Renesas. This initiative united key open source security individuals and companies. During the meetup, Omkhar delivered a keynote address discussing topics such as the backdoor in XZ Utils and how OpenSSF is working to prevent future issues. A video of the meetup is available.

Join Us

Looking back and looking forward, OpenSSF still has a long way to go in bringing open source software security to the world. Exciting events are on the horizon, such as the SOSS Community Day Europe, co-located with the Open Source Summit Europe in Vienna, Austria, and the first-ever SOSS Fusion Conference in Atlanta, GA. This premier event will bring together both upstream producers and downstream consumers of open source software, attracting a diverse array of professionals. CFPs and registrations for both events are now open—join us and be part of the conversation. For updates on future events, participation, and sponsorship opportunities, sign up for our newsletter.