Open Source Summit Europe 2024

OpenSSF and other organizations such as CNCF have been developing new technologies aiming at improving the security posture of open source and the software supply chain. This panel will give attendees a chance to hear from the very people involved in the development of some of these technologies and learn what's behind names like SLSA, S2C2F, and GUAC, the status of these technologies and how they relate to one another.

Large open-source foundations like the Eclipse Foundation are faced with the challenge of maintaining thousands of repositories for the numerous projects and monitoring that these repositories adhere to certain policies and security guidelines to provide an open, transparent and secure environment for the development of open-source software. We would like to present our approach to tackle these challenges: a system where our projects as hosted on GitHub have their configuration stored as code in a repository itself, and project members can request changes to this configuration by opening a pull request, and once approved, changes get applied automatically. With this approach it is possible to make the current infrastructure of a project transparent to everyone involved, highlight items that should be addressed to adhere to certain policies and empower teams to improve and secure their repositories more easily. In this talk we would also like to outline what we have learned while rolling out this service to projects at the Eclipse Foundation and how such an approach can help to increase collaboration in your community as members are able to learn from each other.

The ambiguity surrounding terminology and general uncertainty amplifies the end-of-life/end-of-support problem: What is end-of-life? How is end-of-life different from end-of-support? How does this affect supply chain and operational security? This presentation will begin with an overview of the EOL/EOS problem and suggest definitions for key terms to the discussion. Creating shared terminology can support the community in facilitating discussions around EOL/EOS and generating solutions. This presentation will map the EOL/EOS problem to other ongoing discussions including software naming and versioning, acknowledging that this is not a new problem and it is unlikely there is one singular solution. The presentation will also include discussion of the potential role of existing software transparency and supply chain security efforts, such as SBOM, VEX, and CSAF, may play in managing EOL/EOS. We will highlight the OpenEoX efforts from the OASIS community seeking to develop an open source, standardized method to ascertain the EOL/EOS status of products, as well as other ongoing policy efforts. The presentation will close with time for feedback on the presentation and discussion.

For several years now we’ve heard the mantra of shifting left to move security as early as possible in the development process. The aim is to enable developers to understand and produce secure code right away. The primary method to support developers is to enhance their IDE with extensions which can identify security issues, highlight insecure code practices and handle integration with external services. VSCode is one of the most popular IDEs with a flourishing community of extensions for data manipulation, theming, programmatic language features and additional debugging functionality. There is a great deal of trust placed in these extensions so what would happen if an extension turned against you? This talk explores the supply chain risks associated with VSCode extensions, what is required to get an extension included in the marketplace and how simply we hand over control to an unknown third party. We will demonstrate what an adversary can achieve with a malicious extension and how it represents a future red team target from enumeration, persistence and execution.Lastly we’ll offer advice on how to prevent common attack paths.

Open source dependencies pose the most serious threat for all software. Software Composition Analysis (SCA) tools can help understand the risk profile using data collected about known vulnerabilities. But what about the unknown ones? The Alpha-Omega project, sponsored by Amazon, Google and Microsoft, has been challenged with the tasks of scouring the most popular Open Source libraries in order to “clean the beach” to make it safe for everyone. But the beach is huge and how can this project be performed at scale? In this talk, Michael Winser, Alpha-Omega co-founder, and Dr. Munawar Hafiz, CEO of OpenRefactory, will discuss the progress that Alpha-Omega has made in scanning and repairing thousands of Open Source libraries. They will describe the scaling challenges, the data handling and storage challenges and how the information is made available to the end users.

In the evolving landscape of software development, ensuring the integrity of build artifacts like container images is crucial. In this talk, we'll demonstrate how to use GitHub's Build Provenance API to generate SLSA attestations and create robust policies for your artifacts, verifying their origin and authenticity. We'll examine the contents and significance of these attestations and discuss how to integrate them into your CI/CD pipelines. Additionally, we'll explore using Minder to monitor and enforce these policies across your repositories, ensuring these attestation practices do not degrade over time. We’ll also show how combining these tools can safeguard even in the event of someone else gaining access and pushing a malicious image to your container registry. By the end of this session, you'll have a good understanding of how open source tools like Sigstore, in-toto, SLSA, TUF, and Minder can collectively strengthen the security of the software supply chain. You'll gain practical insights into setting up artifact attestations with GitHub's API and establishing tailored policies with Minder to protect your development processes against vulnerabilities.

When considering open source software that you include in your products, engaging with your upstream is a more robust and resilient way to gauge your security risks than relying on outsourcing your trust modeling to metrics and GitHub stars. Becoming a partner to your upstream community helps you build more secure software and create the relationships you'll need if there's ever an attack. Plus community engagement has a lot of follow-on benefits for the way your company makes use of open source. This talk covers how to keep surprises to a minimum by engaging with your upstream communities. We'll look at several ways to gracefully go from "who the heck is in charge of that code" to being an open source insider that always knows what’s going on with your upstream partners. We'll also look at how to identify red flags at projects that you may not want to rely on.

We won! Open source software is everywhere... so now what? Shifting left starts at the beginning – ensuring the security of open source software requires careful evaluation, use, and contribution. This talk will cover some important challenges in securely consuming open source software. Attendees will learn to evaluate projects based on active maintenance, patch cycles, and vulnerability management. We will explore the role of project documentation, code contribution expectations, and community involvement in project maturity and code quality, as well as tools and community guidance. Walk away with the beginnings of a practical framework and checklist that you can mold to your own needs.

The first half of 2024 saw an entirely new category of threat against open source, one that rocked its trust-based system at its core: social engineering takeover attempt of critical open source projects. These attacks uncovered a systemic gap in open source security management. Up until now, the open source community wasn’t thought of as a potential cyber attack target. But when critical open source projects become stepping stones for industrial espionage, ransomware attacks, or cyberwarfare, maintainers need to adopt comparable security practices to those found in target organizations. This creates a unique set of challenges for open source because of its highly distributed nature and volunteer-based model. In this talk we'll do a post-mortem of the social engineering takeover attempt at the OpenJS Foundation. Without revealing confidential information, we'll still be able to outline critical industry gaps uncovered during this attack and suggest ways to meaningfully improving security at scale while preserving the ethos, culture, and diversity of communities that characterize open source.

As modern platforms integrate an increasing array of tools, so too grows the complexity of software dependencies within your codebase. While mainstream dependencies like Docker images, Terraform and NPM packages are well-covered by existing solutions, what about the myriad obscure or custom tooling, perhaps even manually installed binaries lurking in your Dockerfiles? In this session, we'll unveil an Open Source solution designed to systematically extract data from diverse toolsets. Learn how to effectively catalog, track, and maintain these dependencies, eliminating blind spots and ensuring robustness in your development workflow.