June 26, 2025 | Denver, CO

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for OpenSSF Community Day NA 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Mountain Daylight Time. To see the schedule in your preferred timezone, please select from the drop-down located at the bottom of the menu to the right.

Schedule is subject to change.
Thursday, June 26
 

8:00am MDT

Registration + Badge Pick-up
Thursday June 26, 2025 8:00am - 5:15pm MDT
Bluebird Ballroom Foyer

9:00am MDT

Welcome + Opening Remarks - Steve Fernandez, General Manager, OpenSSF, The Linux Foundation
Thursday June 26, 2025 9:00am - 9:15am MDT
Speakers
Steve Fernandez

General Manager, OpenSSF, Linux Foundation
Bluebird Ballroom 3A

9:15am MDT

Keynote: Security Work isn't Special - Seth Larson, Security Developer-in-Residence, Python Software Foundation
Thursday June 26, 2025 9:15am - 9:30am MDT
Confidential. Sensitive. Security-critical.

What do these words mean in practice for open source today? That only the most resource-constrained actors in the system can do the work. These forces are in direct contradiction to what makes open source powerful: that the people most interested in the improvements are the ones that can do the work.

So why don’t we?

In this talk, we’ll challenge this thinking around open source security work and attendees will leave with new tools on how to make their contributions into open source security guidance, platforms, and tooling scale by inviting others to the table, turning expertise into results, and improving the security of the open source ecosystem in a way maintainers will love rather than dread.
Speakers
Seth Larson

Security Developer-in-Residence, Python Software Foundation
Seth is the Security Developer-in-Residence at the Python Software Foundation working to improve the security posture of the Python ecosystem. Seth maintains widely used open source Python projects like urllib3, truststore, and Requests.
Bluebird Ballroom 3A

9:30am MDT

Keynote: Sarah Evans, Distinguished Engineer, Dell Technologies
Thursday June 26, 2025 9:30am - 9:40am MDT
Speakers
Sarah Evans

Distinguished Engineer, Dell Technologies
Sarah is a security innovation researcher, leveraging diverse experiences as an IT and security practitioner to improve security by design in emerging technologies. Prior to Dell, Sarah has had roles in the finance, defense, manufacturing and education industries. Sarah also contributes...
Bluebird Ballroom 3A

9:45am MDT

Keynote Session To Be Announced - Andrew Carney, Program Manager, Information Innovation Office, DARPA
Thursday June 26, 2025 9:45am - 10:00am MDT
Speakers
Andrew Carney

Program Manager, Information Innovation Office, Defense Advanced Research Projects Agency (DARPA)
Andrew Carney is program manager for the DARPA AI Cyber Challenge (AIxCC). He is also a program manager at the Advanced Research Projects Agency for Health (ARPA-H) where he leads programs and projects to improve health cybersecurity. Carney was previously a principal researcher in...
Bluebird Ballroom 3A

10:10am MDT

Bridging the Chasm: Filling the Security Knowledge Gap Between Academia and Industry - Michael Biocchi, Snyk
Thursday June 26, 2025 10:10am - 10:25am MDT
In the realm of higher education, security education often remains less prioritized against the expanding sophistication of cyber threats. This oversight engenders a stark skills gap, subsequently contributing to a notable workforce deficiency within the cyber security sector. Despite numerous institutions across Canada and the United States offering computer security courses, their exclusion from the mandatory graduation requisites further accentuates the problem. In this talk, you’ll learn about these gaps and how to best address them within your organization and the technical community at large.
Speakers
Michael Biocchi

Senior Product Manager, Security Education, Snyk
Michael Biocchi has completed his PhD and received his Masters of Science as well as his Bachelor of Computer Science. He is a Certified Information Systems Security Professional (CISSP). Michael has taught in the education sector for 15+ years, teaching a variety of computer science...
Bluebird Ballroom 3B

10:10am MDT

Taming the Wild West of ML: Practical Model Signing With Sigstore on Kaggle - Mihai Maruseac, Google
Thursday June 26, 2025 10:10am - 10:25am MDT
The rapid evolution of LLMs and the ML field has ushered in remarkable progress, but also a new wave of security threats. Model poisoning, supply chain vulnerabilities, and the challenge of verifying model and data provenance are just a few of the risks we face.

We've developed an efficient solution to sign models with Sigstore, at scale. This talk explores the practical experience of integrating this solution into Kaggle, a leading platform for data science and machine learning. We’ll share our journey of implementing model signing, from initial design to overcoming technical hurdles, and the resulting impact on Kaggle's community and the broader ML ecosystem.

Attendees will learn about the benefits of model signing, the challenges of large-scale platform integration, and best practices for securing ML workflows. By sharing actionable insights, we aim to empower other model hubs to adopt similar solutions. Protecting the integrity of all ML models through widespread adoption will prevent a significant number of ML supply chain incidents.
Speakers
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...
Bluebird Ballroom 3A

10:30am MDT

OSPS: All Your Base Are Belong To Us - Christopher Robinson, OpenSSF & Eddie Knight, Sonatype
Thursday June 26, 2025 10:30am - 10:50am MDT
Contributors and maintainers will benefit from increased visibility to changes in the ecosystem, especially as LFX Insights works to display Baseline results for all projects. The baseline is already fully adopted as a project requirement by the OpenSSF TAC, and adoption is underway by the FINOS and CNCF technical oversight committees. Past or Present Chairs from each of the three bodies are leading contributors to the effort.

End User members will benefit by better understanding the measures that Linux Foundation is taking to ensure that projects are being held to robust security standards.
Speakers
Eddie Knight

OSPO Lead, Sonatype
Eddie Knight is a Software and Cloud Engineer with a background in banking technology. When he isn’t playing with his 2-year-old son, he combines his passion and job duties by working to improve the security of open source software. Eddie helps lead CNCF's Security Technical Advisory...
Bluebird Ballroom 3B

10:30am MDT

Who Are You Building For: Pipelines Have a Purpose - Andrew McNamara & Julen Landa Alustiza, Red Hat
Thursday June 26, 2025 10:30am - 10:50am MDT
Software is built for a purpose. The same property applies to build platforms!

We will show you how we are leveraging Tekton and Tekton Chains at Red Hat to create a build platform that meets developers where they are at. Developers start with the pipeline defined in their git repository – free for them to modify and update on their terms, with Tekton tasks ready to scan artifacts for vulnerabilities and Renovate pre-configured to help keep dependencies up to date.

This platform helps make sure that the artifacts are going somewhere. Using the detailed SLSA Provenance generated by Tekton Chains, the build platform enables policy-driven development. Developers can see in their PRs whether they are on track to meet the target’s requirements – whether it is pushing to a development or production environment. Gone are the days of saying “I didn’t know I had to do that!”

We won’t send the artifacts just anywhere, however, as we can tailor policies to ensure that you are meeting all of the requirements. The platform can inspect the provenance to ensure that artifacts are built using trusted steps and all required checks are good for takeoff!
Speakers
Andrew McNamara

Engineer, Red Hat
Andrew McNamara is passionate about usable CI/CD, security, and DevSecOps, drawing from his experience of building and shipping containerized software at IBM and Red Hat. As a SLSA maintainer, Andrew is helping people identify how to approach and understand supply chain security...

Julen Landa Alustiza

Ansible Delivery Pipelines Architect, Red Hat
I am an Open Source enthusiast currently working for Red Hat as Ansible Delivery Pipelines technical lead.
Bluebird Ballroom 3A

10:55am MDT

A Dashboard for Actionable OpenSSF Scorecard Insights - Tracy Ragan, DeployHub, Inc.
Thursday June 26, 2025 10:55am - 11:05am MDT
OpenSSF Scorecard is a powerful tool for assessing the security health of open-source projects. However, making sense of its vast data and prioritizing improvements can be challenging. This presentation introduces a dashboard designed to visualize and streamline Scorecard insights, providing maintainers and security teams with a clear, actionable view of their project's security posture. Attendees will learn about Ortelius, a CDF Project, that has delivered a dashboard that aggregates key Scorecard metrics, tracks progress over time, and integrates with CI/CD pipelines to enhance automation. By the end of the session, participants will understand how this dashboard can help improve security practices, reduce vulnerabilities, and ensure compliance with industry best practices.
Speakers
Tracy Ragan

CEO, DeployHub, Inc.
Tracy is a recognized expert in software supply chain security and DevSecOps, specializing in managing complex, decoupled architectures. She is the CEO of DeployHub, a scalable continuous vulnerability management platform that empowers software to 'self-heal' by automatically applying...
Bluebird Ballroom 3B

10:55am MDT

Myths Developers Believe About Open Source Security - Jess Lowe & Tim Zhang, Google
Thursday June 26, 2025 10:55am - 11:05am MDT
Forget what you think you know about immutable tags, perfect dependency graphs, and those supposedly foolproof lock files. We'll get down to the nitty-gritty of open source security, giving you real-world insights to keep your projects safe. For example, did you know that one package URL (or “purl”) can map to many different packages? Trying to find consistency in cross-ecosystem names and identifiers is a hard problem! And how can we meaningfully report vulnerabilities if we don’t even have a consistent way to identify packages?

We can talk about vulnerabilities in transitive dependencies, but what even are your dependencies? A package doesn’t uniquely map to one set of dependencies – depending on your build flags or operating system, you can end up with arbitrarily many dependency graphs for one package.

We break open source security down to first principles by challenging the assumptions that we’ve all built upon, to hopefully resolve to a more consistent vision of open source.

Number 5 will shock you!
Speakers
Jess Lowe

Software Engineer, Google
Jess is a Software Engineer in the Google Open Source Security Team working on OSV.dev and OSV-Scanner.

Tim Zhang

Engineer at Deps.dev, Google
A software engineer at Google. Relative newcomer to the field of securing the software supply chain.
Bluebird Ballroom 3A

11:05am MDT

Break + Networking
Thursday June 26, 2025 11:05am - 11:25am MDT
Foyer

11:25am MDT

Trends and Insights from the Sigstore Ecosystem - Eve Martin-Jones & Hayden Blauzvern, Google
Thursday June 26, 2025 11:25am - 11:45am MDT
Dive into the Sigstore ecosystem and discover insights about digital signing practices!

Sigstore provides tooling and services to simplify signing and verification. Critically, it makes signatures transparent and publicly auditable to detect malicious behavior. With the increasing adoption of Sigstore within open source communities, this has led to a wealth of information about supply chain security. Using the data in Sigstore's public transparency log Rekor, we can glean insights about signing in open source.

This talk will provide a brief overview of Sigstore, explaining its core components and how it enables secure digital signing. We will explore trends in how open source communities and organizations are utilizing Sigstore for signing, and answer questions such as, "What is the most commonly used identity provider?", "Do we see signing occur uniformly across a day?", and "How prevalent is the use of short-lived certificates rather than self-managed keys?"

Finally, we will describe how to access and leverage this data to find your own insights about the Sigstore ecosystem and signing in supply chain security.
Speakers
Hayden Blauzvern

Technical Lead Manager, Google
Hayden Blauzvern is a technical lead manager on Google’s Open Source Security Team, focused on making open-source software more secure through code signing and applied transparency. Hayden is a maintainer and the community chair on the Sigstore project.

Eve Martin-Jones

Senior Software Engineer, Google
Eve is an engineer working on open source software security at Google. She lives in Australia, with her cat Mochi, who is surprisingly proficient at JavaScript. Between D&D campaigns, she can be found deciphering the Cargo dependency-resolution algorithm bug-for-bug, advocating for...
Bluebird Ballroom 3A

11:25am MDT

Living Off the Pipeline: From Supply Chain 0-Days To Predicting the Next XZ-like Attacks - François Proulx, BoostSecurity.io
Thursday June 26, 2025 11:25am - 11:45am MDT
The next wave of Supply Chain attacks is brewing in our Build Pipelines (CI/CD), where 0-days and novel attack paths are still waiting to be discovered. In 2024, the XZ compression library compromise was used as a trojan horse to backdoor OpenSSH. It was caught early on; next time it might go unnoticed.

We tell the story of how we went from finding 0-day vulnerabilities in the Build Pipelines of critical Open Source packages to predicting TTPs for the next XZ-like attacks, adapting MITRE's ATT&CK for CI/CD. We'll go in depth on how Threat Actors can "Live Off the Pipeline" by abusing legitimate build tools to do their bidding.

We introduce practical methods for predicting and identifying threats, by mapping build pipeline tactics to our ATT&CK model. Case studies, based on forensics of recent supply chain compromises, will demonstrate how adversaries exploit build pipelines, escalate privileges, and can remain undetected long enough to have significant impact.

This session empowers attendees to proactively identify and defend against advanced supply chain attacks, effectively countering adversaries that seek to "Live Off the Pipeline" as demonstrated in the XZ compromise.
Speakers
François Proulx

Senior Product Security Engineer, BoostSecurity.io
François is a Senior Product Security Engineer for BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups he has been in the heat of the action as the DevSecOps...
Bluebird Ballroom 3A

11:50am MDT

Democratizing Cloud Native Security: How CNAMM Drives Evidence-Based Maturity - Abdel Sy Fane, DevSecFlow
Thursday June 26, 2025 11:50am - 12:05pm MDT
In the complex landscape of cloud native security, organizations struggle to effectively measure and improve their security posture. The Cloud Native Assurance Maturity Model (CNAMM) is an open, community-driven framework that democratizes security best practices through evidence-based assessment across 8 critical business functions. Learn how this practical framework helps organizations of all sizes build security excellence, backed by real implementation success stories. We'll explore CNAMM's methodology, demonstrate its value through case studies, and show how the community can contribute to its evolution.
Speakers
Abdel Sy Fane

CTO, DevSecFlow
Abdel Sy Fane is a visionary cybersecurity leader with over 15 years of experience transforming digital landscapes across healthcare, finance, technology, and government sectors. As CTO of DevSecFlow and Co-Founder/Executive Director of CyberSecurity NonProfit (CSNP), he leads initiatives...
Bluebird Ballroom 3B

11:50am MDT

From Model To Trust: Building Upon Tamper-proof ML Metadata Records - Mihai Maruseac, Google & Eoin Wickens, HiddenLayer
Thursday June 26, 2025 11:50am - 12:05pm MDT
The integrity and provenance of machine learning models are critical for building trustworthy AI systems. While cryptographic signing protects many digital assets, a standardized approach for verifying model origins and ensuring they haven't been tampered with is still missing. We are addressing this gap by building upon the OpenSSF Model Signing project – a PKI-agnostic method for creating verifiable claims on bundles of ML artifacts. We show how this project can expand beyond just model signing to also cover datasets, and other associated files, recording all integrity information in a single manifest.

In fact, this can be used as a foundation layer upon which we can build useful AI supply-chain solutions, both in terms of security and in terms of reducing development costs. Imagine querying "What datasets were used to train this model?" or determining which models and agents have been trained on a poisoned dataset, even before these get deployed in production systems. This is all possible by merging model signing, model cards, SLSA and AI-BOM information and analyzing all this metadata using tools such as GUAC. Our talk lays the groundwork for such capabilities.
Speakers
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...

Eoin Wickens

Director of Threat Intelligence, HiddenLayer
Eoin Wickens is the Technical Research Director - Field at HiddenLayer, where he both researches and speaks about security for artificial intelligence and machine learning. He has previously worked in threat research, threat intelligence and malware reverse engineering and has been...
Bluebird Ballroom 3A

12:10pm MDT

Predicting OSS Vulnerabilities Through Communication Analysis: A Work in Progress - Shlok Gilda, University of Florida
Thursday June 26, 2025 12:10pm - 12:25pm MDT
Open-source software security depends not only on code quality but also on the health and effectiveness of developer communication. This session presents ongoing research developing “FORCE” (Framework for Open-Source Risk and Community Evaluation), a novel framework for proactively assessing OSS project risk. We will analyze communication patterns (sentiment, toxicity, outrage, stance, and key discussion topics) within GitHub repositories, combined with contributor network analysis and vulnerability data. This session will detail the methodology for creating the “Temporal Health Score” (THS), a composite metric designed to provide early warnings of potential security risks. We will discuss how prior research in areas like subtle toxicity detection and behavioral analysis informs the design of FORCE. The session will emphasize the potential for actionable insights for OSS maintainers, including strategies for improving communication, fostering collaboration, and mitigating identified risks. We also seek community feedback on the framework and its potential applications.
Speakers
Shlok Gilda

PhD Candidate, University of Florida
Shlok Gilda is a 5th year PhD Candidate at the University of Florida in the Natural Language Research & Culture (NLP&C) Lab, advised by Dr. Bonnie J. Dorr. His research interests span critical cybersecurity domains, including user privacy, identity and access management, and vulnerability...
Bluebird Ballroom 3A

12:10pm MDT

Securing Public Sector Supply Chains Is a Team Sport - Daniel Moch, Lockheed Martin
Thursday June 26, 2025 12:10pm - 12:25pm MDT
The security of the software supply chain has attracted a lot of attention in recent years, and with efforts like Software Bill of Materials, Vulnerability Exchange and in-toto, a lot of work is being done to advance the state of the art. Drawing on a blog post published earlier this year on the OpenSSF blog and recent work from across industry, this talk describes some of the challenges public sector organizations face as they try to manage their supply chain and how the OpenSSF, with the broader open source community, can help address them.
Speakers
Daniel Moch

Staff Software Engineer, Lockheed Martin
For over 20 years, Daniel has worked as a software engineer in the Defense and Aerospace industry. His experience ranges from embedded device drivers to large logistics and information systems. In recent years, he has focused on helping legacy programs adopt modern DevOps practices...
Bluebird Ballroom 3B

12:30pm MDT

SWAG: Bringing Software Security Best Practices To the Web - Daniel Appelquist, Samsung
Thursday June 26, 2025 12:30pm - 12:40pm MDT
This session will be an overview of our efforts in the Secure Web Application Guidelines (SWAG) group, which has been working in coordination with the OpenSSF Best Practices group to develop security guidelines aimed at web developers. We'll go into some detail on the work and research that preceded this work and then talk about some of the ways this work differs from existing Best Practices, and how the work of this group has influenced other sources for web developer documentation.
Speakers
Daniel Appelquist

Open Source Strategist, Samsung
Dan Appelquist is Open Source Strategist at Samsung Open Source Group. He is a web & mobile industry veteran and long-time participant and leader in open source and open standards. He is co-chair of the W3C Technical Architecture Group and is Co-Chair of OpenSSF's Global Cybersecurity...
Bluebird Ballroom 3B

12:30pm MDT

Beyond the Bot: Building Secure and Resilient AI Agents With Open Source - Mihai Maruseac, Google & Sarah Evans, Dell Technologies
Thursday June 26, 2025 12:30pm - 12:45pm MDT
2025 is the year LLMs broke out of the chatbot box. AI agents can now plan, execute, and learn all on their own in complex environments. This evolution makes 2023 seem like the stone age of AI. But with great power comes great responsibility - and a whole new attack surface to worry about: agentic AI demands a robust security model.

This talk dives into the world of AI agents, exploring what they are, what they can do, and—crucially—how to secure them. We'll examine the open-source tools that are fueling this revolution, including LangChain, LangGraph, DSPy, and the growing ecosystem of knowledge graph technologies and APIs. These powerful tools present incredible opportunities, but their architectural choices also introduce unique security risks. We'll dissect some of these risks, such as prompt injection and data poisoning, as well as compromised dependencies and insecure API interactions.

Our aim is to provide a guide on how to build secure and resilient AI agents using open-source best practices, ensuring today’s intelligent creations don't become tomorrow's security nightmares.
Speakers
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...

Sarah Evans

Distinguished Engineer, Dell Technologies
Sarah is a security innovation researcher, leveraging diverse experiences as an IT and security practitioner to improve security by design in emerging technologies. Prior to Dell, Sarah has had roles in the finance, defense, manufacturing and education industries. Sarah also contributes...
Bluebird Ballroom 3A

12:45pm MDT

Lunch Break
Thursday June 26, 2025 12:45pm - 2:15pm MDT
Bluebird Terrace

2:15pm MDT

Shadow Vulnerabilities in AI/ML Data Stacks - What You Don’t Know CAN Hurt You - Mic McCully, Oligo Security
Thursday June 26, 2025 2:15pm - 2:35pm MDT
Open-source AI software introduces a new family of vulnerabilities to organizations. Some components in AI, like model serving, include Remote Code Execution (RCE) by design, like when loading pre-trained models from external sources.

This talk will examine some of the common security anti-patterns prevalent in AI engineering, such as security issues that are not classified as CVEs by design, or patched security issues that introduce breaking changes and therefore are not practically implemented. We’ll review the methods introduced for better security hygiene such as new checkpoint formats (model files on disk) - like SavedModel and SafeTensors.

While SCA, SAST, and traditional approaches don't analyze model checkpoints, leaving these silent vulnerabilities in your stacks, we’ll demo, through real code examples, why the runtime context is crucial to detect these security issues, and how this can be achieved by leveraging eBPF and open source tooling.
Speakers
Mic McCully

Field CTO, Oligo Security
Mic is an experienced senior security advocate who has spent his career evangelizing security software as a business enablement solution in some of the earliest security startups, as well as in significant positions within leading global security software enterprises. His security...
Bluebird Ballroom 3B

2:15pm MDT

SLSA Dependency Track Update - Meder Kydyraliev, Google & Adrian Diglio, Microsoft
Thursday June 26, 2025 2:15pm - 2:35pm MDT
A status update on the SLSA Dependency Track from the members of the working group. In the update we'll outline the objectives we are trying to achieve with the dependency track, highlight some of the challenges and the next steps.
Speakers
Meder Kydyraliev

GOSST, Google
Meder is a lead on the Google Open Source Security Team where he drives initiatives to secure all aspects of the open source software supply chain, including secure dependency management practices, vulnerability management, artifact integrity and policy enforcement.

Adrian Diglio

Secure Software Supply Chain, Microsoft
Adrian Diglio leads the Secure Software Supply Chain (S3C) team that secures Microsoft's end-to-end software supply chain. He leads Microsoft's SBOM efforts and published and contributed the Secure Supply Chain Consumption Framework (S2C2F) to the OpenSSF. He is an inventor, conference...
Bluebird Ballroom 3A

2:40pm MDT

Evangelizing Security in India: Fears, Tears, and a Billion Deaf Ears - Ram Iyengar, Linux Foundation
Thursday June 26, 2025 2:40pm - 2:50pm MDT
This is a short session about my experiences in the past 18 months carrying the story of open source security across the length and breadth of India.
It is a geography that is just maturing in the IT spectrum, shifting from a predominantly services mindset to one of building products for the world.
This is a story of opportunities, of troubles, of tiresome evenings, and me questioning my life choices in airports as I battle flight delays and doom scrolling.
What does the country with the world’s largest developer population offer? A way forward? A threat of immaturity overpowering technical potential? A path to shape the developer mindset from the outset?
I don’t have all the answers. Maybe you do.
Speakers
Ram Iyengar

Open Source Evangelist, Linux Foundation
Ram Iyengar is an engineer by practice and an educator at heart. He was (cf) pushed into technology evangelism along his journey as a developer and hasn’t looked back since! He enjoys helping engineering teams around the world discover new and creative ways to work. He is a proponent...
Bluebird Ballroom 3B

2:40pm MDT

The Open Source SDLC Control Plane: Building the Supply Chain Security Sandwich - Michael Lieberman, Kusari & Eman Abu Ishgair, Purdue
Thursday June 26, 2025 2:40pm - 2:50pm MDT
It seems like every day there’s a new security tool or best practice that emerges. At the same time, developers are being asked to take on the burden of integrating all these tools and practices into their software development practices. These challenges mirror the problems developers and operators faced with the complexity of modern application operations, which were eventually solved with technologies like Kubernetes in the form of a container control plane. Come learn how a unified framework of software supply chain steps called AStRA can enable a new architecture in the form of a software development lifecycle (SDLC) control plane to solve these problems, and how building this might be simpler than you might think. OpenSSF has most of the pieces; they just need to be put together.
Speakers
Michael Lieberman

CTO, Kusari
Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference...

Eman Abu Ishgair

PhD Candidate in Electrical and Computer Engineering, Purdue
PhD candidate in ECE @ Purdue, working on software supply chain security
Bluebird Ballroom 3A

2:55pm MDT

Navigating Security in Generative AI Development - Katherine Druckman, Intel Corporation
Thursday June 26, 2025 2:55pm - 3:05pm MDT
As generative AI moves rapidly into production environments, developers face security challenges that traditional application security frameworks cannot fully address. This concise talk explores the fundamentals of AI security and compares how different communities—from security practitioners to AI researchers—are developing solutions through collaborative initiatives and open source communities and working groups.

Attendees will gain a clear understanding of how different communities, such as OpenSSF, OPEA, and others, are addressing AI security challenges through complementary approaches, providing a foundation for implementing appropriate security controls in their own AI applications.

Topics Covered
* Overview of AI security challenges vs. traditional app sec
* Comparison of approaches from OpenSSF, OPEA Security Working Group, and other industry collaborations
Speakers
Katherine Druckman

Open Source Evangelist, Intel Corporation
Katherine Druckman is an Open Source Evangelist at Intel, where she enjoys sharing her passion for a variety of open source topics. She currently combines her enthusiasm for software security and emerging AI technology as the OPEA Security Working Group Lead and Co-Chair of the OpenSSF...
Bluebird Ballroom 3A

2:55pm MDT

Simplifying SBOM Management: An Introduction To Bomctl - Allen Shearin & Ian Dunbar-Hall, Lockheed Martin
Thursday June 26, 2025 2:55pm - 3:05pm MDT
Bomctl is a new OpenSSF sandbox project designed to bridge the gap between SBOM generation and analysis. Leveraging the flexible and powerful expression of the Protobom library, bomctl is natively format-agnostic, allowing effortless interaction with various SBOM formats. Bomctl enables the creation of to build a reference graph of SBOM documents and software packages, accurately representing modern software systems. With bomctl, data can be seamlessly pulled from SBOM generation tools and Source Code Management (SCM) platforms, and then pushed to SBOM registries, SCM platforms, and vulnerability analysis tools, streamlining your SBOM management workflow.
Speakers
Allen Shearin

Senior Full Stack Engineer, Lockheed Martin
Lockheed Martin Software Factory, Secure Software Supply Chain Team, Open Source Ecosystem Team. Active with a few OpenSSF projects, maintainer of bomctl.
Ian Dunbar-Hall

Open Source Program Office, Lockheed Martin
Ian holds the position of Chief Engineer for Lockheed Martin Software Factory and specializes in DevSecOps and full stack engineering. Additionally, he is a maintainer on SBOMit and an OpenSSF Governing Board General Member Representative.
Bluebird Ballroom 3B

3:10pm MDT

Enhancing Supply Chain Security: Integrating Zarf and GUAC for Seamless SBOM Generation and Delivery - Brandt Keller, Defense Unicorns
Thursday June 26, 2025 3:10pm - 3:30pm MDT
Software supply chain security is a critical concern for organizations operating in both connected and disconnected environments. The OpenSSF projects Zarf and GUAC (Graph for Understanding Artifact Composition) provide complementary capabilities to enhance security and transparency. Zarf enables the secure packaging and deployment of software in connected or disconnected environments, while GUAC aggregates and contextualizes Software Bill of Materials (SBOMs) to improve software provenance and risk assessment.

This talk will explore how integrating Zarf and GUAC can streamline SBOM generation, verification, and delivery across connected and disconnected environments. We will demonstrate how this integration facilitates:
- Secure SBOM packaging and transport with Zarf.
- Automated SBOM generation and enrichment using GUAC.
- Improved traceability and risk assessment in airgapped environments.

Attendees will gain practical insights into leveraging these OpenSSF projects to strengthen their supply chain security posture and meet emerging compliance requirements.
Speakers
Brandt Keller

OSS Maintainer, Defense Unicorns
Brandt is a Software Engineer with a passion for Open Source. As a Maintainer and Contributor to multiple Open Source projects, he finds distinct pleasure in solving difficult problems and being a voice for Critical - Regulated - and Air-Gapped environments (most often all of the...
Bluebird Ballroom 3B

3:10pm MDT

Harnessing In-toto Attestations for Security and Compliance With Next-gen Policies - Marcela Melara, Intel Labs & Trishank Kuppusamy, Datadog
Thursday June 26, 2025 3:10pm - 3:30pm MDT
U.S. executive orders 14028 and 14144 are driving greater adoption of supply chain security and transparency. The in-toto framework, a widely-deployed CNCF project, provides tools and data formats for generating and verifying authenticated supply chain metadata such as SBOMs and SLSA Build Provenance. in-toto plays a central role in enabling vendors to comply with regulations, but consumers and auditors still face challenges defining intuitive policies that allow them to derive meaning from existing attestations.

This session will present ongoing work on in-toto policies, where the community has been (re)defining policy specification and artifact verification for a rapidly evolving supply chain ecosystem. It starts with a brief introduction to the in-toto Attestation Framework, which is a standard way to describe supply chain data. This will be followed by sharing how the previous version of in-toto policies was unfortunately incompatible with new attestation formats. It concludes by demoing in-toto’s new policy framework that not only links attestations but also does so in more powerful, flexible, and user-friendly ways that accommodate a wide variety of real-world use cases.
Speakers
Marcela Melara

Research Scientist, Intel Labs
Marcela Melara is a research scientist in the Security and Privacy Research group at Intel Labs. Her current work focuses on developing solutions for high-integrity software and AI supply chains. She leads a number of internal, academic and open-source projects on supply chain and...
Bluebird Ballroom 3A

3:35pm MDT

PQC & Crypto Agility: Hybrid Certificates, Different Formats, and Migration Strategies - Sven Rajala, Keyfactor
Thursday June 26, 2025 3:35pm - 3:50pm MDT
Sven will cover hybrid cryptography in the context of post-quantum cryptography (PQC), examining the reasoning behind hybrid systems and their role in ensuring interoperability during migration while strengthening security against quantum threats.

He will also discuss hybrid PKI, exploring various proposed standards, their advantages and drawbacks, and their practical applications. Additionally, he will outline different PKI migration paths, providing strategies tailored to diverse organizational needs.

As organizations and solutions navigate the quantum horizon, it is essential to consider their unique circumstances when planning for the transition.
Speakers
Sven Rajala

Senior Solution Engineer, Keyfactor
Sven Rajala is a cybersecurity geek with 17+ years of expertise in PKI, automating PKI/signing solutions, and mastering containers. Known for sharing insights on PKI, EJBCA, and DevSecOps through YouTube tutorials, KEYMASTER sessions (@KeyfactorCommunity), and forums, he often infuses...
Bluebird Ballroom 3B

3:35pm MDT

Signing and Verifying Multi-architecture Containers With Sigstore - Natalie Somersall, Chainguard
Thursday June 26, 2025 3:35pm - 3:50pm MDT
Multi-architecture containers are magical to use—but a bit arcane to work with. Why does `docker pull python:3` grab only one architecture? How can we verify that the signed one is in use? In this talk, I’ll demystify how the order of operations for container resolution works. We’ll then dive into OCI manifests, image layers, tags, and how those map to annotations like SBOMs, attestations, and signatures. Using this info, we'll map out a couple of strategies for generating and verifying this information with Cosign regardless of the architecture we need to use. I’ll walk through real-world weirdness I’ve helped folks through managing multi-arch images at scale, including how some registries and pull-through caches behave unexpectedly. This talk is for folks who use containers daily but want to lay the foundation for their software supply chain security.
Speakers
Natalie Somersall

Principal Field Engineer, Public Sector, Chainguard
Natalie is a principal solutions engineer at Chainguard serving the public sector market. She spent years designing, building, and leading complex systems in regulated environments at a major systems integrator, but has also taken her career in many other directions - including detours...
Bluebird Ballroom 3A

3:50pm MDT

Break + Networking
Thursday June 26, 2025 3:50pm - 4:10pm MDT
Foyer

4:10pm MDT

OpenSSF TTX Panel Session - Speakers To Be Announced
Thursday June 26, 2025 4:10pm - 5:40pm MDT
Bluebird Ballroom 3B

5:40pm MDT

Closing Remarks - Speaker To Be Announced
Thursday June 26, 2025 5:40pm - 5:45pm MDT
Bluebird Ballroom 3B
 