June 26, 2025 | Denver, CO

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for OpenSSF Community Day NA 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Mountain Daylight Time. To see the schedule in your preferred timezone, please select from the drop-down located at the bottom of the menu to the right.

Schedule is subject to change.
Type: 15-minute Sessions
Thursday, June 26
 

10:10am MDT

Bridging the Chasm: Filling the Security Knowledge Gap Between Academia and Industry - Michael Biocchi, Snyk
Thursday June 26, 2025 10:10am - 10:25am MDT
In the realm of higher education, security education often remains less prioritized against the expanding sophistication of cyber threats. This oversight engenders a stark skills gap, subsequently contributing to a notable workforce deficiency within the cyber security sector. Despite numerous institutions across Canada and the United States offering computer security courses, their exclusion from the mandatory graduation requisites further accentuates the problem. In this talk, you’ll learn about these gaps and how to best address them within your organization and the technical community at large.
Speakers
Michael Biocchi

Senior Product Manager, Security Education, Snyk
Michael Biocchi has completed his PhD and received his Masters of Science as well as his Bachelor of Computer Science. He is a Certified Information Systems Security Professional (CISSP). Michael has taught in the education sector for 15+ years, teaching a variety of computer science...
Bluebird Ballroom 3B

10:10am MDT

Taming the Wild West of ML: Practical Model Signing With Sigstore on Kaggle - Mihai Maruseac, Google
Thursday June 26, 2025 10:10am - 10:25am MDT
The rapid evolution of LLMs and the ML field has ushered in remarkable progress, but also a new wave of security threats. Model poisoning, supply chain vulnerabilities, and the challenge of verifying model and data provenance are just a few of the risks we face.

We've developed an efficient solution to sign models with Sigstore, at scale. This talk explores the practical experience of integrating this solution into Kaggle, a leading platform for data science and machine learning. We’ll share our journey of implementing model signing, from initial design to overcoming technical hurdles, and the resulting impact on Kaggle's community and the broader ML ecosystem.

Attendees will learn about the benefits of model signing, the challenges of large-scale platform integration, and best practices for securing ML workflows. By sharing actionable insights, we aim to empower other model hubs to adopt similar solutions. Protecting the integrity of all ML models through widespread adoption will prevent a significant number of ML supply chain incidents.
Speakers
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...
Bluebird Ballroom 3A

11:25am MDT

Trends and Insights from the Sigstore Ecosystem - Eve Martin-Jones & Hayden Blauzvern, Google
Thursday June 26, 2025 11:25am - 11:45am MDT
Dive into the Sigstore ecosystem and discover insights about digital signing practices!

Sigstore provides tooling and services to simplify signing and verification. Critically, it makes signatures transparent and publicly auditable to detect malicious behavior. With the increasing adoption of Sigstore within open source communities, this has led to a wealth of information about supply chain security. Using the data in Sigstore's public transparency log Rekor, we can glean insights about signing in open source.

This talk will provide a brief overview of Sigstore, explaining its core components and how it enables secure digital signing. We will explore trends in how open source communities and organizations are utilizing Sigstore for signing, and answer questions such as, "What is the most commonly used identity provider?", "Do we see signing occur uniformly across a day?", and "How prevalent is the use of short-lived certificates rather than self-managed keys?"

Finally, we will describe how to access and leverage this data to find your own insights about the Sigstore ecosystem and signing in supply chain security.
Speakers
Hayden Blauzvern

Technical Lead Manager, Google
Hayden Blauzvern is a technical lead manager on Google’s Open Source Security Team, focused on making open-source software more secure through code signing and applied transparency. Hayden is a maintainer and the community chair on the Sigstore project.

Eve Martin-Jones

Senior Software Engineer, Google
Eve is an engineer working on open source software security at Google. She lives in Australia, with her cat Mochi, who is surprisingly proficient at JavaScript. Between D&D campaigns, she can be found deciphering the Cargo dependency-resolution algorithm bug-for-bug, advocating for...
Bluebird Ballroom 3A

11:50am MDT

Democratizing Cloud Native Security: How CNAMM Drives Evidence-Based Maturity - Abdel Sy Fane, DevSecFlow
Thursday June 26, 2025 11:50am - 12:05pm MDT
In the complex landscape of cloud native security, organizations struggle to effectively measure and improve their security posture. The Cloud Native Assurance Maturity Model (CNAMM) is an open, community-driven framework that democratizes security best practices through evidence-based assessment across 8 critical business functions. Learn how this practical framework helps organizations of all sizes build security excellence, backed by real implementation success stories. We'll explore CNAMM's methodology, demonstrate its value through case studies, and show how the community can contribute to its evolution.
Speakers
Abdel Sy Fane

CTO, DevSecFlow
Abdel Sy Fane is a visionary cybersecurity leader with over 15 years of experience transforming digital landscapes across healthcare, finance, technology, and government sectors. As CTO of DevSecFlow and Co-Founder/Executive Director of CyberSecurity NonProfit (CSNP), he leads initiatives...
Bluebird Ballroom 3B

11:50am MDT

From Model To Trust: Building Upon Tamper-proof ML Metadata Records - Mihai Maruseac, Google & Eoin Wickens, HiddenLayer
Thursday June 26, 2025 11:50am - 12:05pm MDT
The integrity and provenance of machine learning models are critical for building trustworthy AI systems. While cryptographic signing protects many digital assets, a standardized approach for verifying model origins and ensuring they haven't been tampered with is still missing. We are addressing this gap by building upon the OpenSSF Model Signing project – a PKI-agnostic method for creating verifiable claims on bundles of ML artifacts. We show how this project can expand beyond just model signing to also cover datasets, and other associated files, recording all integrity information in a single manifest.

In fact, this can be used as a foundation layer upon which we can build useful AI supply-chain solutions, both in terms of security and in terms of reducing development costs. Imagine querying "What datasets were used to train this model?" or determining which models and agents have been trained on a poisoned dataset, even before these get deployed in production systems. This is all possible by merging model signing, model cards, SLSA and AI-BOM information and analyzing all this metadata using tools such as GUAC. Our talk lays the groundwork for such capabilities.
Speakers
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...

Eoin Wickens

Director of Threat Intelligence, HiddenLayer
Eoin Wickens is the Technical Research Director - Field at HiddenLayer, where he both researches and speaks about security for artificial intelligence and machine learning. He has previously worked in threat research, threat intelligence and malware reverse engineering and has been...
Bluebird Ballroom 3A

12:10pm MDT

Predicting OSS Vulnerabilities Through Communication Analysis: A Work in Progress - Shlok Gilda, University of Florida
Thursday June 26, 2025 12:10pm - 12:25pm MDT
Open-source software security depends not only on code quality but also on the health and effectiveness of developer communication. This session presents ongoing research developing “FORCE” (Framework for Open-Source Risk and Community Evaluation), a novel framework for proactively assessing OSS project risk. We will analyze communication patterns (sentiment, toxicity, outrage, stance, and key discussion topics) within GitHub repositories, combined with contributor network analysis and vulnerability data. This session will detail the methodology for creating the “Temporal Health Score” (THS), a composite metric designed to provide early warnings of potential security risks. We will discuss how prior research in areas like subtle toxicity detection and behavioral analysis informs the design of FORCE. The session will emphasize the potential for actionable insights for OSS maintainers, including strategies for improving communication, fostering collaboration, and mitigating identified risks. We also seek community feedback on the framework and its potential applications.
Speakers
Shlok Gilda

PhD Candidate, University of Florida
Shlok Gilda is a 5th year PhD Candidate at the University of Florida in the Natural Language Research & Culture (NLP&C) Lab, advised by Dr. Bonnie J. Dorr. His research interests span critical cybersecurity domains, including user privacy, identity and access management, and vulnerability...
Bluebird Ballroom 3A

12:10pm MDT

Securing Public Sector Supply Chains Is a Team Sport - Daniel Moch, Lockheed Martin
Thursday June 26, 2025 12:10pm - 12:25pm MDT
The security of the software supply chain has attracted a lot of attention in recent years, and with efforts like Software Bill of Materials, Vulnerability Exchange and in-toto, a lot of work is being done to advance the state of the art. Drawing on a blog post published earlier this year on the OpenSSF blog and recent work from across industry, this talk describes some of the challenges public sector organizations face as they try to manage their supply chain and how the OpenSSF, with the broader open source community, can help address them.
Speakers
Daniel Moch

Staff Software Engineer, Lockheed Martin
For over 20 years, Daniel has worked as a software engineer in the Defense and Aerospace industry. His experience ranges from embedded device drivers to large logistics and information systems. In recent years, he has focused on helping legacy programs adopt modern DevOps practices...
Bluebird Ballroom 3B

12:30pm MDT

Beyond the Bot: Building Secure and Resilient AI Agents With Open Source - Mihai Maruseac, Google & Sarah Evans, Dell Technologies
Thursday June 26, 2025 12:30pm - 12:45pm MDT
2025 is the year LLMs broke out of the chatbot box. AI agents can now plan, execute, and learn all on their own in complex environments. This evolution makes 2023 seem like the stone age of AI. But with great power comes great responsibility - and a whole new attack surface to worry about: agentic AI demands a robust security model.

This talk dives into the world of AI agents, exploring what they are, what they can do, and—crucially—how to secure them. We'll examine the open-source tools that are fueling this revolution, including LangChain, LangGraph, DSPy, and the growing ecosystem of knowledge graph technologies and APIs. These powerful tools present incredible opportunities, but their architectural choices also introduce unique security risks. We'll dissect some of these risks, such as prompt injection and data poisoning, as well as compromised dependencies and insecure API interactions.

Our aim is to provide a guide on how to build secure and resilient AI agents using open-source best practices, ensuring today’s intelligent creations don't become tomorrow's security nightmares.
Speakers
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...

Sarah Evans

Distinguished Engineer, Dell Technologies
Sarah is a security innovation researcher, leveraging diverse experiences as an IT and security practitioner to improve security by design in emerging technologies. Prior to Dell, Sarah has had roles in the finance, defense, manufacturing and education industries. Sarah also contributes...
Bluebird Ballroom 3A

3:35pm MDT

PQC & Crypto Agility: Hybrid Certificates, Different Formats, and Migration Strategies - Sven Rajala, Keyfactor
Thursday June 26, 2025 3:35pm - 3:50pm MDT
Sven will cover hybrid cryptography in the context of post-quantum cryptography (PQC), examining the reasoning behind hybrid systems and their role in ensuring interoperability during migration while strengthening security against quantum threats.

He will also discuss hybrid PKI, exploring various proposed standards, their advantages and drawbacks, and their practical applications. Additionally, he will outline different PKI migration paths, providing strategies tailored to diverse organizational needs.

As organizations and solutions navigate the quantum horizon, it is essential to consider their unique circumstances when planning for the transition.
Speakers
Sven Rajala

Senior Solution Engineer, Keyfactor
Sven Rajala is a cybersecurity geek with 17+ years of expertise in PKI, automating PKI/signing solutions, and mastering containers. Known for sharing insights on PKI, EJBCA, and DevSecOps through YouTube tutorials, KEYMASTER sessions (@KeyfactorCommunity), and forums, he often infuses...
Bluebird Ballroom 3B

3:35pm MDT

Signing and Verifying Multi-architecture Containers With Sigstore - Natalie Somersall, Chainguard
Thursday June 26, 2025 3:35pm - 3:50pm MDT
Multi-architecture containers are magical to use—but a bit arcane to work with. Why does `docker pull python:3` grab only one architecture? How can we verify that the signed one is in use? In this talk, I’ll demystify how the order of operations for container resolution works. We’ll then dive into OCI manifests, image layers, tags, and how those map to annotations like SBOMs, attestations, and signatures. Using this info, we'll map out a couple strategies on generating and verifying this information with Cosign regardless of the architecture we need to use. I’ll walk through real-world weirdness I’ve helped folks through managing multi-arch images at scale, including how some registries and pull-through caches behave unexpectedly. This talk is for folks who use containers daily but want to lay the foundation for their software supply chain security.
Speakers
Natalie Somersall

Principal Field Engineer, Public Sector, Chainguard
Natalie is a principal solutions engineer at Chainguard serving the public sector market. She spent years designing, building, and leading complex systems in regulated environments at a major systems integrator, but has also taken her career in many other directions - including detours...
Bluebird Ballroom 3A
 