
SOSS Community Day North America (NA) Agenda Live

February 26, 2024 (updated February 29, 2024) | Blog

We’re excited to announce that the agenda for Secure Open Source Software (SOSS) Community Day NA on April 15, 2024 is now available! Join us for a day of technical talks, panels, and a Table Top Exercise (TTX). SOSS Community Day is co-located with Open Source Summit North America in Seattle, WA. 

For the first time, we will also have workshops on April 15, one from OpenSSF Scorecard and one from SLSA, in which each project will dive deeper into the technical aspects of its initiative. Sign up for these workshops when you register for Open Source Summit (OSS) NA, which takes place April 16-19.

Mark your calendar and join us for a full day of innovation and collaboration! We’ll also have a booth during OSS NA and will be deeply engaged with SupplyChainSecurityCon.

This year the agenda features two tracks for the first time. Several sessions are designed for you to explore and learn about open source software security, participate in ongoing initiatives, and pave the way for future advancements. We’d like to remind you to plan ahead to ensure you maximize your experience. Here’s the exciting agenda: 

Agenda Details

Welcome & Opening Remarks – Omkhar Arasaratnam, General Manager, OpenSSF

Track 1

  • Connecting Supply Chain Security Projects to the Community – Exploring OpenSSF’s DevRel Mission – Katherine Druckman, Intel Corporation; Lori Lorusso; Angie Byron, Aiven; Tabatha DiDomenico, G-Research
  • What Makes a Project Critical? Discovering and Evaluating Popular Open Source Software – Jeff Mendoza, Kusari
  • Embrace the Differences: Securing Open Source Ecosystems Where They Are – Seth Larson, Python Software Foundation
  • Critical Conversation: Consuming Open Source Securely – Katherine Druckman, Intel Corporation & Ryan Ware, Intel Corporation
  • Every Journey to Securing the Software Supply Chain, Starts with a Single (Baby) Step – Justin Cappos, NYU
  • Compiler Options Hardening for C and C++ – Georg Kunz, Ericsson
  • Love Open Source in Your Supply Chain, but Worried About Security? The OpenSSF Community Can Help! – Jeffrey Borek, IBM; Sarah Evans, Dell Technologies; Rao Lakkakula, JPMorgan Chase
  • Eating the Open Source Security Sandwich with Skootrs – Michael Lieberman, Kusari
  • New Foundations of SBOM Are Underway at OpenSSF – Adolfo García Veytia, Stacklok
  • Node.js Security: From Zero to Hero – Marco Ippolito, Nearform
  • DEI for the OpenSSF Community – Mo McElaney, IBM; John Kjell, TestifySec; Jay White, Microsoft; Chan Voong, Comcast; Marcela Melara, Intel Corporation

Track 2

  • Driving Security at Scale: Principles for Package Repository Security – Jack Cable, CISA & Zach Steindler, GitHub
  • Sigstore: 2024 and Beyond – Hayden Blauzvern, Google
  • Leveraging Sigstore Capabilities in a Local Environment – Chad Coleman, Lockheed Martin
  • Improving FOSS Security – Mark Esler, Canonical Ltd.
  • Build Provenance: Lessons (so Far) from Homebrew – Joe Sweeney, Trail of Bits
  • Beyond “Just Update All the Things”: Uncovering the Nuances of Dependency Security – Rex Pan & Holly Gong, Google
  • Improving Posture of Critical OSS Projects with Security Audits – Amir Montazery, Open Source Technology Improvement Fund, Inc
  • Effective Vulnerability Management for Over 400 Projects at the Eclipse Foundation – Michael Winser, Alpha Omega / Eclipse Foundation & Marta Rybczynska, Eclipse Foundation
  • To Everyone It Does Concern: Bug Bounties for Third Party Open-Source Libraries – Chujiao Ma, Comcast
  • Under the Radar: How We Found 0-Days in the Build Pipeline of OSS Packages – François Proulx, BoostSecurity.io & Benoît Côte-Jodoin, BoostSecurity
  • Community Engagement and Security Initiatives: Examples from Python & Rust – Rebecca Rumbul, Rust Foundation & Deb Nicholson, Python Software Foundation

Closing Remarks, followed by a 90-minute TTX Session

The agenda includes a 90-minute break for lunch, which is not provided. Both the OpenSSF Scorecard Workshop and the SLSA Workshop run in parallel with SOSS Community Day NA on April 15.

Additional Details for Co-Located Events

Table Top Exercise (TTX)

The TTX will be a 90-minute interactive session at the end of SOSS Community Day NA’s regular programming (after Tracks 1 and 2). We’ll stay in the same room as Track 1 to hear from the 20 active participants on the TTX panel.

The TTX session is open to all SOSS Community Day attendees as audience observers. Questions from the audience during the session can be raised via Slido. The panel will consist of panelists from diverse backgrounds in both the public and private sectors. Applications to participate as a TTX panelist are now open and will be accepted until March 8, 2024.

Apply to participate in the panel now: 20 people will be selected to be the active participants on the panel. 

SLSA Workshop

Sign up for this workshop when you sign up for OSS NA 2024. 

In this interactive workshop, we will guide participants through the effective utilization of the Supply-chain Levels for Software Artifacts (SLSA) framework to enhance the Software Development Life Cycle (SDLC) of deployed code. To provide a comprehensive understanding of the scalable deployment of SLSA, we will lead attendees through a series of hands-on coding activities. These exercises will focus on securing a container developed on GitHub and its deployment on Kubernetes.

Our practical example will emphasize two critical properties: first, ensuring that all released images maintain integrity protection against unauthorized access, and second, restricting deployed images to a specific set of cloud privileges, mirroring the approach used to restrict privileges for operating system processes.

Moving beyond traditional software like containers, we will demonstrate how SLSA can be applied to fortify the development and inference phases of AI models. Through hands-on activities and demonstrations, participants will gain practical experience in implementing SLSA for AI models.

The overarching goal of this workshop is to demystify the process of leveraging the SLSA framework throughout the entire supply chain. We recognize that discussions around securing the supply chain can be complex, and our approach aims to make this challenge less daunting. Through live demonstrations, we will provide clear insights into how to secure a container deployment end-to-end. While we have built this workshop using popular frameworks and tools such as GitHub, Kubernetes, and Kyverno, the principles and contributions are transferable to other systems.

By the conclusion of this session, participants will have acquired the knowledge and practical skills necessary to deploy SLSA effectively within their own deployments. Additionally, access to the source code will be provided to facilitate a deeper understanding of the proposed solution.

To participate in the SLSA Workshop, individuals must register for Open Source Summit NA. During the registration process, indicate your interest in the workshop by checking the corresponding option.

OpenSSF Scorecard New Contributor Workshop

Sign up for this workshop when you sign up for OSS NA 2024. 

The Scorecard Workshop presents a valuable hands-on onboarding opportunity, allowing participants to engage directly with project maintainers and potentially submit their first Pull Request (PR) to the OpenSSF Scorecard in real-time. The session will commence with an overview of the project and its architecture, followed by breakout discussions tailored to participant interests. We will pinpoint beginner-friendly issues within documentation, the website, and potentially propose updates to the scorecard checks.

Upon conclusion of the session, participants will gain a comprehensive understanding of the OpenSSF Scorecard’s functionality, learn to identify beginner-friendly tasks, and acquire the skills needed to successfully submit a PR.

To join the OpenSSF Scorecard New Contributor Workshop, individuals should register for OSS NA. During registration, express your interest in the workshop by checking the corresponding option.

Register Now

Secure your spot for SOSS Community Day NA by registering now. Find venue details on the event website. As a friendly reminder, make sure to book your hotel and travel arrangements promptly before the hotel room blocks close.

Sponsorship Opportunities

SOSS Community Day NA provides opportunities for connection and collaboration that you won’t want to miss. Feel free to reach out to us at sponsor@openssf.org to secure your sponsorship, inquire about specific details, or explore various options. For more details on sponsorships, download the prospectus!

For those ready to formalize the agreement, complete the online contract on our sponsorship page.

This post represents the views of the authors & does not necessarily reflect those of all OpenSSF members.