Recap: OpenSSF Community Day North America 2025

July 14, 2025 | Blog

OpenSSF Community Day North America 2025 brought together contributors and stakeholders from across the open source security ecosystem for a full day of exchange, discussion, and collaboration. Held alongside Open Source Summit in Denver, the event featured over 25 sessions, Lightning Talks, and a live Table-Top Exercise (TTX) — drawing participation from large cloud providers, federal contractors, academic institutions, startups, and open source maintainers alike.

This year’s agenda reflected the evolution of open source software security: moving from awareness to implementation, from isolated tools to integrated frameworks, and from individual responsibility to shared resilience.

If you missed a session or want to revisit one of the talks, you can now access:

Key Themes and Takeaways

Implementation Matters: Tools Are Getting Real

A number of sessions focused on the growing maturity and interoperability of security tooling — highlighting real-world deployments and lessons learned.

  • Lockheed Martin’s Daniel Moch presented Bomctl, a new command-line tool for managing Software Bill of Materials (SBOMs) within internal ecosystems and supplier networks.
  • Defense Unicorns’ Brandt Keller shared how they’ve integrated Zarf (their secure software delivery platform) with GUAC (Graph for Understanding Artifact Composition) to simplify provenance tracking and SBOM ingestion in disconnected or classified environments.
  • Google’s Mihai Maruseac demonstrated how Sigstore is being used to sign machine learning models on Kaggle, opening a conversation around secure model supply chains in AI/ML workflows.
  • Docker’s Britney Blodget highlighted how Docker Hub—central to nearly every containerized application—has become both a cornerstone of open source adoption and a critical supply chain security focal point. She shared how Docker is evolving the platform to embed security at the source, enabling developers to build with open source safely and confidently from the very start.

Also from Google, Eve Martin-Jones and Hayden Blauzvern gave an update on Sigstore ecosystem growth, including work to support multi-signer policies and broader adoption across open source projects.

This theme was echoed in several lightning talks as well, including one in which DeployHub’s Tracy Ragan explored enhanced visualization for OpenSSF Scorecard results, and a presentation from Datadog’s Trishank Kuppusamy and Intel Labs’ Marcela Melara on enabling in-toto policies to enforce artifact integrity in real time.

Security as a Lifecycle: AStRA and the Control Plane Vision

One of the most anticipated sessions came from Kusari’s Michael Lieberman and Eman Abu Ishgair (Purdue University), who introduced the AStRA framework — a proposed “control plane” for secure open source software development. The framework enables organizations to apply structured security policies and observability across different phases of the SDLC, while supporting modular tooling and upstream interoperability.

The concept resonated strongly with attendees facing compliance mandates (e.g., NIST SSDF, CRA) or managing large multi-repo environments. Rather than advocating a new tool, AStRA proposes a composable approach that helps teams map controls and gaps across an open source development ecosystem.

Shared Readiness: Learning Through Simulation

In the afternoon, participants took part in an interactive Table-Top Exercise (TTX) facilitated by leaders from the OpenSSF community. The scenario — a compromised open source dependency detected downstream — walked teams through the steps of identifying, verifying, disclosing, and responding to a real-world supply chain incident.

It featured guidance and moderation from experts at Intel Labs, Fermyon, and Control Plane, and highlighted the communication and coordination breakdowns that can occur even when technical safeguards are in place.

This session reinforced a central theme of the day: tooling and automation are critical, but process discipline and cross-organizational collaboration are equally essential for incident response.

Metadata, Monitoring, and Risk Signals

Multiple presentations emphasized the importance of metadata and contextual intelligence to support proactive risk identification.

  • University of Florida researcher Shlok Gilda shared a study that used contributor communication and metadata patterns to forecast vulnerability likelihood in open source projects — a controversial but thought-provoking approach to risk detection.
  • Keyfactor’s Sven Rajala offered a forward-looking session on post-quantum cryptography for supply chain tooling, addressing the potential impacts on signing systems and SBOM formats.

AI and Security: From Conversation to Action

Artificial intelligence emerged as a major focus, with several sessions and keynotes highlighting its growing impact on open source security:

  • Dell Technologies’ Sarah Evans, in her keynote, explored what open source security looks like in the age of AI — emphasizing that security must be integrated into the developer experience.
  • DARPA’s Andrew Carney shared lessons from the AI Cyber Challenge, exploring how AI techniques can be applied to patching critical infrastructure at scale.
  • Google’s Mihai Maruseac and HiddenLayer’s Eoin Wickens outlined how to build trust in ML pipelines using tamper-proof metadata and signing.
  • Google’s Mihai Maruseac and Dell Technologies’ Sarah Evans also co-presented a forward-looking session on building secure and resilient AI agents using open source components.
  • Intel Corporation’s Katherine Druckman discussed the practical challenges of securing generative AI development workflows.

These sessions marked a shift from conceptual discussions about AI to hands-on approaches for securing AI systems across the supply chain.

Who Was in the Room?

The diversity of the Community Day audience underscored the broad stakeholder base behind OpenSSF’s work. Presenters and attendees included contributors from:

  • Google
  • Meta
  • Intel
  • Lockheed Martin
  • Datadog
  • Defense Unicorns
  • DeployHub
  • Sonatype
  • Dell Technologies
  • Control Plane
  • Fermyon
  • Keyfactor
  • Snyk
  • University of Florida
  • Purdue University
  • Carnegie Mellon
  • and many others.

This year’s sessions reflected real production use cases and adoption roadblocks, with conversations anchored in experience—not just aspiration.

What’s Next

OpenSSF Community Day North America 2025 made clear that the open source security community is moving toward stronger coordination, deeper integration, and more practical delivery. Tools like OpenSSF Scorecard, Sigstore, and GUAC are becoming part of the day-to-day development environment, and new frameworks like AStRA are laying the groundwork for more consistent implementation across ecosystems.

But the work is far from done. As regulations tighten and software complexity grows, the call for shared responsibility grows louder. OpenSSF Community Days like this one offer space to test ideas, learn from peers, and build toward a more resilient future.

Get Involved

Thank you to everyone who joined us in Denver. We encourage you to:

Join us at future OpenSSF Community Days & Events: