On September 19, the OpenSSF community gathered in Vienna for SOSS Community Day EU, held alongside Open Source Summit EU. Each summit and community day is a celebration of open source excellence, showcasing the collective efforts of passionate individuals committed to making the world a safer place. We extend a heartfelt thanks to our dedicated maintainers for their continuous efforts in advancing open source security!
Recordings and photos are now available. Relive the moment as we recap some of the exciting conversations from the event!
Keynotes
Katherine Druckman (Intel) opened with remarks on the importance of collaboration within the open source community. Fernando Diaz (GitLab) followed, emphasizing how open source transparency helps address security risks through community-driven efforts like vulnerability reporting and security auditing. Liz Rice (Isovalent/Cisco) explored how eBPF might help prevent future global outages by providing secure tools without exposing systems to kernel vulnerabilities. Aeva Black (CISA) provided updates on CISA’s initiatives in open source security, while CRob (Intel) wrapped up with a fun dive into the world of vulnerability disclosure, breaking down the alphabet soup of CVE, CVSS, and other crucial security frameworks.
Track 1
SOSS Community Day featured two tracks, with the first track kicking off with Deb Nicholson (Python Software Foundation) and Rebecca Rumbul (Rust Foundation) discussing security initiatives in community-driven projects. They highlighted the Python and Rust foundations’ efforts to embed good security practices, outlining strategies such as building consensus, transparent communication, and responding to pushback. They also emphasized the need for sustained investment and cross-ecosystem collaboration to ensure long-term security. Adolfo García Veytia (Stacklok) followed with a discussion on automated VEX streams, marking a significant milestone in securing the software supply chain. Damian Ludwig and Andreas Neth (BSI) introduced Germany’s national guideline for secure open source software development, encouraging collaboration from the open source community. Abdullah Garcia (J.P. Morgan) explored risk-based approaches to securing the software supply chain, while a panel featuring Georg Link, Miguel Ángel Fernández Sánchez (Bitergia), Ana Jiménez Santamaría (Linux Foundation), and Wietse Braam (ING BANK) discussed OSS dependency health and sustainability. Philippe Ombredanne (AboutCode) stressed the need for practical solutions in compliance and supply chain security, followed by Mihai Maruseac (Google), who presented cryptographic model signing to enhance machine learning model provenance. Kairo De Araujo (TestifySec) and Martin Vrachev (Open Source Contributor) showcased advancements in securing content distribution with RSTUF, while Michael O’Reilly (Intel) shared lessons on improving the security of an open source Kubernetes networking CNI repository. Andrew McNamara (Red Hat) addressed balancing developer innovation with security, and Mike Agrenius Kushner (Keyfactor) explored quantum readiness with open source cryptography. Michelle Tabirao (Canonical) wrapped up with insights on securing GenAI projects at scale, from operating systems to MLOps platforms.
Track 2
Track 2 of SOSS Community Day started with Mihai Maruseac (Google) exploring how to secure GenAI end-to-end. He covered securing data ingestion, model fine-tuning, and securing AI outputs and deployments, offering a comprehensive look at securing AI-powered applications. Ross Bryant (Phylum) followed with an insightful talk on nation-state threats, focusing on the Lazarus Group’s cyber campaigns targeting software developers. Zoran Regvart (Red Hat) discussed enforcing organizational policies with Enterprise Contract, leveraging Sigstore signatures and Tekton for policy validation in container images. Julia Lamenza introduced gamification as a powerful tool in security training, while Joseph Katsioloudes (GitHub) shared the success of GitHub’s gamified security training, highlighting its impact on developer engagement and ownership of security practices. Chris Swan (Atsign) delivered a lightning talk on handling security vulnerabilities through forking dependencies, and Cosmin Cojocar (Google) provided essential security checks for Go projects, showcasing tools like gosec and sigstore/cosign. The day concluded with an interactive TTX (tabletop exercise) session led by Daniel Appelquist (Samsung), Kairo De Araujo (TestifySec), and Georg Kunz (Ericsson), simulating a security incident to enhance preparedness under the upcoming EU software regulations. Katherine Druckman (Intel) closed the day with final remarks.
See you next time – at SOSS Fusion!
Looking ahead, we extend our heartfelt thanks to all the speakers, panelists, and attendees who made SOSS Community Day a success! Your contributions and engagement are what drive the ongoing effort to secure open source software. As we move forward, we are excited to invite you to the SOSS Fusion Conference. This premier event will bring together the brightest minds in software development and cybersecurity, fostering in-depth technical conversations on innovative ways to secure open source software. Join us at SOSS Fusion, where we will continue to push the boundaries of open source security and work towards a more secure future.