OpenSSF Community Day North America 2025

OpenSSF Scorecard is a powerful tool for assessing the security health of open-source projects. However, making sense of its vast data and prioritizing improvements can be challenging. This presentation introduces a dashboard designed to visualize and streamline Scorecard insights, providing maintainers and security teams with a clear, actionable view of their project's security posture. Attendees will learn about Ortelius, a CDF Project, that has delivered a dashboard that aggregates key Scorecard metrics, tracking progress over time, and integrates with CI/CD pipelines to enhance automation. By the end of the session, participants will understand how this dashboard can help improve security practices, reduce vulnerabilities, and ensure compliance with industry best practices.

Forget what you think you know about immutable tags, perfect dependency graphs, and those supposedly foolproof lock files. We'll get down to the nitty-gritty of open source security, giving you real-world insights to keep your projects safe. For example, did you know that one package url (or “purl”) can map to many different packages? Trying to find consistency in cross-ecosystem names and identifiers is a hard problem! And how can we meaningfully report vulnerabilities if we don’t even have a consistent way to identify packages?

We can talk about vulnerabilities in transitive dependencies, but what even are your dependencies? A package doesn’t uniquely map to one set of dependencies – depending on your build flags or operating system, you can end up with arbitrarily many dependency graphs for one package.

We break open source security down to first principles by challenging the assumptions that we’ve all built upon, to hopefully resolve to a more consistent vision of the open source.

Number 5 will shock you!

This session will be an overview of our efforts in the Secure Web Application Guidelines (SWAG) group, which has been working in coordination with the OpenSSF Best Practices group to develop security guidelines aimed at web developers. We'll go into some detail on the work and research that preceded this work and then talk about some of how this work differs from existing Best Practices, and how the the work of this group has influenced other sources for web developer documentation.

This is a short session about my experiences in the past 18 months carrying the story of open source security across the length and breadth of India.
It is a geography that is just maturing in the IT spectrum, shifting from a predominantly services mindset to one of building products for the world.
This is a story of opportunities, of troubles, of tiresome evenings, and me questioning my life choices in airports as I battle flight delays and doom scrolling.
What does the country with the world’s largest developer population offer? A way forward? A threat of immaturity overpowering technical potential? A path to shape the developer mindset from the outset?
I don’t have all the answers. Maybe you do.

It seems like every day there’s a new security tool or best practice that emerges. At the same time developers are being asked to take on the burden of integrating all these tools and practices into their software development practices. These challenges mirror the problems developers and operators faced with the complexity of modern application operations that was eventually solved with technologies like kubernetes in the form of a container control plane. Come learn how a unified framework of software supply chain steps called AStRA can enable a new architecture in the form of a software development lifecycle (SDLC) control plane, to solve these problems and how building this might be simpler than you might think. OpenSSF has most of the pieces, they just need to be put together.

As generative AI moves rapidly into production environments, developers face security challenges that traditional application security frameworks cannot fully address. This concise talk explores the fundamentals of AI security and compares how different communities—from security practitioners to AI researchers—are developing solutions through collaborative initiatives and open source communities and working groups.

Attendees will gain a clear understanding of how different communities, such as OpenSSF and OPEA and others, are addressing AI security challenges through complementary approaches, providing a foundation for implementing appropriate security controls in their own AI applications.

Topics Covered
* overview of AI security challenges vs traditional app sec
* Comparison of approaches from OpenSSF, OPEA Security Working Group, and other industry collaborations

Bomctl is a new OpenSSF sandbox project designed to bridge the gap between SBOM generation and analysis. Leveraging the flexible and powerful expression of the Protobom library, bomctl
is natively format-agnostic, allowing effortless interaction with various SBOM formats. Bomctl enables the creation of to build a reference graph of SBOM documents and software packages, accurately representing modern software systems. With bomctl, data can be seamlessly pulled from SBOM generation tools and Source Code Management (SCM) platforms, and then pushed to SBOM registries, SCM platforms, and vulnerability analysis tools, streamlining your SBOM management workflow.