June 26, 2025 | Denver, Co

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for OpenSSF Community Day NA 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Mountain Daylight Time. To see the schedule in your preferred timezone, please select from the drop-down located at the bottom of the menu to the right.

Schedule is subject to change.
Venue: Bluebird Ballroom 3A
Thursday, June 26
 

9:00am MDT

Welcome + Opening Remarks - Steve Fernandez, General Manager, OpenSSF, The Linux Foundation
Thursday June 26, 2025 9:00am - 9:15am MDT
Speakers
Steve Fernandez

General Manager, OpenSSF, Linux Foundation
Bluebird Ballroom 3A

9:15am MDT

Keynote: Security Work isn't Special - Seth Larson, Security Developer-in-Residence, Python Software Foundation
Thursday June 26, 2025 9:15am - 9:30am MDT
Confidential. Sensitive. Security-critical.

What do these words mean in practice for open source today? That only the most resource-constrained actors in the system can do the work. These forces are in direct contradiction to what makes open source powerful: that the people most interested in the improvements are the ones that can do the work.

So why don’t we?

In this talk, we’ll challenge this thinking around open source security work and attendees will leave with new tools on how to make their contributions into open source security guidance, platforms, and tooling scale by inviting others to the table, turning expertise into results, and improving the security of the open source ecosystem in a way maintainers will love rather than dread.
Speakers
Seth Larson

Security Developer-in-Residence, Python Software Foundation
Seth is the Security Developer-in-Residence at the Python Software Foundation working to improve the security posture of the Python ecosystem. Seth maintains widely used open source Python projects like urllib3, truststore, and Requests.
Bluebird Ballroom 3A

9:30am MDT

Keynote: Sarah Evans, Distinguished Engineer, Dell Technologies
Thursday June 26, 2025 9:30am - 9:40am MDT
Speakers
Sarah Evans

Distinguished Engineer, Dell Technologies
Sarah is a security innovation researcher, leveraging diverse experiences as an IT and security practitioner to improve security by design in emerging technologies. Prior to Dell, Sarah has had roles in the finance, defense, manufacturing and education industries. Sarah also contributes...
Bluebird Ballroom 3A

9:45am MDT

Keynote Session To Be Announced - Andrew Carney, Program Manager, Information Innovation Office, DARPA
Thursday June 26, 2025 9:45am - 10:00am MDT
Speakers
Andrew Carney

Program Manager, Information Innovation Office, Defense Advanced Research Projects Agency (DARPA)
Andrew Carney is program manager for the DARPA AI Cyber Challenge (AIxCC). He is also a program manager at the Advanced Research Projects Agency for Health (ARPA-H) where he leads programs and projects to improve health cybersecurity. Carney was previously a principal researcher in...
Bluebird Ballroom 3A

10:10am MDT

Taming the Wild West of ML: Practical Model Signing With Sigstore on Kaggle - Mihai Maruseac, Google
Thursday June 26, 2025 10:10am - 10:25am MDT
The rapid evolution of LLMs and the ML field has ushered in remarkable progress, but also a new wave of security threats. Model poisoning, supply chain vulnerabilities, and the challenge of verifying model and data provenance are just a few of the risks we face.

We've developed an efficient solution to sign models with Sigstore, at scale. This talk explores the practical experience of integrating this solution into Kaggle, a leading platform for data science and machine learning. We’ll share our journey of implementing model signing, from initial design to overcoming technical hurdles, and the resulting impact on Kaggle's community and the broader ML ecosystem.

Attendees will learn about the benefits of model signing, the challenges of large-scale platform integration, and best practices for securing ML workflows. By sharing actionable insights, we aim to empower other model hubs to adopt similar solutions. Protecting the integrity of all ML models through widespread adoption will prevent a significant number of ML supply chain incidents.
Speakers
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...
Bluebird Ballroom 3A

10:30am MDT

Who Are You Building For: Pipelines Have a Purpose - Andrew McNamara & Julen Landa Alustiza, Red Hat
Thursday June 26, 2025 10:30am - 10:50am MDT
Software is built for a purpose. The same property applies to build platforms!

We will show you how we are leveraging Tekton and Tekton Chains at Red Hat to create a build platform that meets developers where they are at. Developers start with the pipeline defined in their git repository – free for them to modify and update on their terms, with Tekton tasks ready to scan artifacts for vulnerabilities and Renovate pre-configured to help keep dependencies up to date.

This platform helps make sure that the artifacts are going somewhere. Using the detailed SLSA Provenance generated by Tekton Chains, the build platform enables policy-driven development. Developers can see in their PRs whether they are on track to meet the target’s requirements – whether it is pushing to a development or production environment. Gone are the days of saying “I didn’t know I had to do that!”

We won’t send the artifacts just anywhere, however, as we can tailor policies to ensure that you are meeting all of the requirements. The platform can inspect the provenance to ensure that artifacts are built using trusted steps and all required checks are good for takeoff!
Speakers
Andrew McNamara

Engineer, Red Hat
Andrew McNamara is passionate about usable CI/CD, security, and DevSecOps, drawing from his experience of building and shipping containerized software at IBM and Red Hat. As a SLSA maintainer, Andrew is helping people identify how to approach and understand supply chain security...

Julen Landa Alustiza

Ansible Delivery Pipelines Architect, Red Hat
I am an Open Source enthusiast currently working for Red Hat as Ansible Delivery Pipelines technical lead.
Bluebird Ballroom 3A

10:55am MDT

Myths Developers Believe About Open Source Security - Jess Lowe & Tim Zhang, Google
Thursday June 26, 2025 10:55am - 11:05am MDT
Forget what you think you know about immutable tags, perfect dependency graphs, and those supposedly foolproof lock files. We'll get down to the nitty-gritty of open source security, giving you real-world insights to keep your projects safe. For example, did you know that one package url (or “purl”) can map to many different packages? Trying to find consistency in cross-ecosystem names and identifiers is a hard problem! And how can we meaningfully report vulnerabilities if we don’t even have a consistent way to identify packages?

We can talk about vulnerabilities in transitive dependencies, but what even are your dependencies? A package doesn’t uniquely map to one set of dependencies – depending on your build flags or operating system, you can end up with arbitrarily many dependency graphs for one package.

We break open source security down to first principles by challenging the assumptions that we’ve all built upon, to hopefully resolve to a more consistent vision of open source.

Number 5 will shock you!
Speakers
Jess Lowe

Software Engineer, Google
Jess is a Software Engineer in the Google Open Source Security Team working on OSV.dev and OSV-Scanner.
Tim Zhang

Engineer at Deps.dev, Google
A software engineer at Google. Relative newcomer to the field of securing the software supply chain.
Bluebird Ballroom 3A

11:25am MDT

Trends and Insights from the Sigstore Ecosystem - Eve Martin-Jones & Hayden Blauzvern, Google
Thursday June 26, 2025 11:25am - 11:45am MDT
Dive into the Sigstore ecosystem and discover insights about digital signing practices!

Sigstore provides tooling and services to simplify signing and verification. Critically, it makes signatures transparent and publicly auditable to detect malicious behavior. With the increasing adoption of Sigstore within open source communities, this has led to a wealth of information about supply chain security. Using the data in Sigstore's public transparency log Rekor, we can glean insights about signing in open source.

This talk will provide a brief overview of Sigstore, explaining its core components and how it enables secure digital signing. We will explore trends in how open source communities and organizations are utilizing Sigstore for signing, and answer questions such as, "What is the most commonly used identity provider?", "Do we see signing occur uniformly across a day?", and "How prevalent is the use of short-lived certificates rather than self-managed keys?"

Finally, we will describe how to access and leverage this data to find your own insights about the Sigstore ecosystem and signing in supply chain security.
Speakers
Hayden Blauzvern

Technical Lead Manager, Google
Hayden Blauzvern is a technical lead manager on Google’s Open Source Security Team, focused on making open-source software more secure through code signing and applied transparency. Hayden is a maintainer and the community chair on the Sigstore project.
Eve Martin-Jones

Senior Software Engineer, Google
Eve is an engineer working on open source software security at Google. She lives in Australia, with her cat Mochi, who is surprisingly proficient at JavaScript. Between D&D campaigns, she can be found deciphering the Cargo dependency-resolution algorithm bug-for-bug, advocating for...
Bluebird Ballroom 3A

11:25am MDT

Living Off the Pipeline: From Supply Chain 0-Days To Predicting the Next XZ-like Attacks - François Proulx, BoostSecurity.io
Thursday June 26, 2025 11:25am - 11:45am MDT
The next wave of Supply Chain attacks is brewing in our Build Pipelines (CI/CD), where 0-days and novel attack paths are still waiting to be discovered. In 2024, the XZ compression library compromise was used as a trojan horse to backdoor OpenSSH. It was caught early on; next time it might go unnoticed.

We tell the story of how we went from finding 0-day vulnerabilities in the Build Pipelines of critical Open Source packages to predicting TTPs for the next XZ-like attacks, adapting MITRE's ATT&CK for CI/CD. We'll go in depth on how Threat Actors can "Live Off the Pipeline" by abusing legitimate build tools to do their bidding.

We introduce practical methods for predicting and identifying threats, by mapping build pipeline tactics to our ATT&CK model. Case studies, based on forensics of recent supply chain compromises, will demonstrate how adversaries exploit build pipelines, escalate privileges, and can remain undetected long enough to have significant impact.

This session empowers attendees to proactively identify and defend against advanced supply chain attacks, effectively countering adversaries that seek to "Live Off the Pipeline" as demonstrated in the XZ compromise.
Speakers
François Proulx

Senior Product Security Engineer, BoostSecurity.io
François is a Senior Product Security Engineer for BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups he has been in the heat of the action as the DevSecOps...
Bluebird Ballroom 3A

11:50am MDT

From Model To Trust: Building Upon Tamper-proof ML Metadata Records - Mihai Maruseac, Google & Eoin Wickens, HiddenLayer
Thursday June 26, 2025 11:50am - 12:05pm MDT
The integrity and provenance of machine learning models are critical for building trustworthy AI systems. While cryptographic signing protects many digital assets, a standardized approach for verifying model origins and ensuring they haven't been tampered with is still missing. We are addressing this gap by building upon the OpenSSF Model Signing project – a PKI-agnostic method for creating verifiable claims on bundles of ML artifacts. We show how this project can expand beyond just model signing to also cover datasets, and other associated files, recording all integrity information in a single manifest.

In fact, this can be used as a foundation layer upon which we can build useful AI supply-chain solutions, both in terms of security and in terms of reducing development costs. Imagine querying "What datasets were used to train this model?" or determining which models and agents have been trained on a poisoned dataset, even before these get deployed in production systems. This is all possible by merging model signing, model cards, SLSA and AI-BOM information and analyzing all this metadata using tools such as GUAC. Our talk lays the groundwork for such capabilities.
Speakers
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...

Eoin Wickens

Director of Threat Intelligence, HiddenLayer
Eoin Wickens is the Technical Research Director - Field at HiddenLayer, where he both researches and speaks about security for artificial intelligence and machine learning. He has previously worked in threat research, threat intelligence and malware reverse engineering and has been...
Bluebird Ballroom 3A

12:10pm MDT

Predicting OSS Vulnerabilities Through Communication Analysis: A Work in Progress - Shlok Gilda, University of Florida
Thursday June 26, 2025 12:10pm - 12:25pm MDT
Open-source software security depends not only on code quality but also on the health and effectiveness of developer communication. This session presents ongoing research developing “FORCE” (Framework for Open-Source Risk and Community Evaluation), a novel framework for proactively assessing OSS project risk. We will analyze communication patterns (sentiment, toxicity, outrage, stance, and key discussion topics) within GitHub repositories, combined with contributor network analysis and vulnerability data. This session will detail the methodology for creating the “Temporal Health Score” (THS), a composite metric designed to provide early warnings of potential security risks. We will discuss how prior research in areas like subtle toxicity detection and behavioral analysis informs the design of FORCE. The session will emphasize the potential for actionable insights for OSS maintainers, including strategies for improving communication, fostering collaboration, and mitigating identified risks. We also seek community feedback on the framework and its potential applications.
Speakers
Shlok Gilda

PhD Candidate, University of Florida
Shlok Gilda is a 5th year PhD Candidate at the University of Florida in the Natural Language Research & Culture (NLP&C) Lab, advised by Dr. Bonnie J. Dorr. His research interests span critical cybersecurity domains, including user privacy, identity and access management, and vulnerability...
Bluebird Ballroom 3A

12:30pm MDT

Beyond the Bot: Building Secure and Resilient AI Agents With Open Source - Mihai Maruseac, Google & Sarah Evans, Dell Technologies
Thursday June 26, 2025 12:30pm - 12:45pm MDT
2025 is the year LLMs broke out of the chatbot box. AI agents can now plan, execute, and learn all on their own in complex environments. This evolution makes 2023 seem like the stone age of AI. But with great power comes great responsibility - and a whole new attack surface to worry about: agentic AI demands a robust security model.

This talk dives into the world of AI agents, exploring what they are, what they can do, and—crucially—how to secure them. We'll examine the open-source tools that are fueling this revolution, including LangChain, LangGraph, DSPy, and the growing ecosystem of knowledge graph technologies and APIs. These powerful tools present incredible opportunities, but their architectural choices also introduce unique security risks. We'll dissect some of these risks, such as prompt injection and data poisoning, as well as compromised dependencies and insecure API interactions.

Our aim is to provide a guide on how to build secure and resilient AI agents using open-source best practices, ensuring today’s intelligent creations don't become tomorrow's security nightmares.
Speakers
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...

Sarah Evans

Distinguished Engineer, Dell Technologies
Sarah is a security innovation researcher, leveraging diverse experiences as an IT and security practitioner to improve security by design in emerging technologies. Prior to Dell, Sarah has had roles in the finance, defense, manufacturing and education industries. Sarah also contributes...
Bluebird Ballroom 3A

2:15pm MDT

SLSA Dependency Track Update - Meder Kydyraliev, Google & Adrian Diglio, Microsoft
Thursday June 26, 2025 2:15pm - 2:35pm MDT
A status update on the SLSA Dependency Track from the members of the working group. In the update we'll outline the objectives we are trying to achieve with the dependency track, highlight some of the challenges and the next steps.
Speakers
Meder Kydyraliev

GOSST, Google
Meder is a lead on the Google Open Source Security Team where he drives initiatives to secure all aspects of the open source software supply chain, including secure dependency management practices, vulnerability management, artifact integrity and policy enforcement.
Adrian Diglio

Secure Software Supply Chain, Microsoft
Adrian Diglio leads the Secure Software Supply Chain (S3C) team that secures Microsoft's end-to-end software supply chain. He leads Microsoft's SBOM efforts and published and contributed the Secure Supply Chain Consumption Framework (S2C2F) to the OpenSSF. He is an inventor, conference...
Bluebird Ballroom 3A

2:40pm MDT

The Open Source SDLC Control Plane: Building the Supply Chain Security Sandwich - Michael Lieberman, Kusari & Eman Abu Ishgair, Purdue
Thursday June 26, 2025 2:40pm - 2:50pm MDT
It seems like every day there’s a new security tool or best practice that emerges. At the same time, developers are being asked to take on the burden of integrating all these tools and practices into their software development practices. These challenges mirror the problems developers and operators faced with the complexity of modern application operations that was eventually solved with technologies like Kubernetes in the form of a container control plane. Come learn how a unified framework of software supply chain steps called AStRA can enable a new architecture in the form of a software development lifecycle (SDLC) control plane, to solve these problems and how building this might be simpler than you might think. OpenSSF has most of the pieces, they just need to be put together.
Speakers
Michael Lieberman

CTO, Kusari
Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference...

Eman Abu Ishgair

PhD Candidate in Electrical and Computer Engineering, Purdue
PhD candidate in ECE @ Purdue, working on software supply chain security
Bluebird Ballroom 3A

2:55pm MDT

Navigating Security in Generative AI Development - Katherine Druckman, Intel Corporation
Thursday June 26, 2025 2:55pm - 3:05pm MDT
As generative AI moves rapidly into production environments, developers face security challenges that traditional application security frameworks cannot fully address. This concise talk explores the fundamentals of AI security and compares how different communities—from security practitioners to AI researchers—are developing solutions through collaborative initiatives and open source communities and working groups.

Attendees will gain a clear understanding of how different communities, such as OpenSSF and OPEA and others, are addressing AI security challenges through complementary approaches, providing a foundation for implementing appropriate security controls in their own AI applications.

Topics Covered
* Overview of AI security challenges vs traditional app sec
* Comparison of approaches from OpenSSF, OPEA Security Working Group, and other industry collaborations
Speakers
Katherine Druckman

Open Source Evangelist, Intel Corporation
Katherine Druckman is an Open Source Evangelist at Intel, where she enjoys sharing her passion for a variety of open source topics. She currently combines her enthusiasm for software security and emerging AI technology as the OPEA Security Working Group Lead and Co-Chair of the OpenSSF...
Bluebird Ballroom 3A

3:10pm MDT

Harnessing In-toto Attestations for Security and Compliance With Next-gen Policies - Marcela Melara, Intel Labs & Trishank Kuppusamy, Datadog
Thursday June 26, 2025 3:10pm - 3:30pm MDT
U.S. executive orders 14028 and 14144 are driving greater adoption of supply chain security and transparency. The in-toto framework, a widely-deployed CNCF project, provides tools and data formats for generating and verifying authenticated supply chain metadata such as SBOMs and SLSA Build Provenance. in-toto plays a central role in enabling vendors to comply with regulations, but consumers and auditors still face challenges defining intuitive policies that allow them to derive meaning from existing attestations.

This session will present ongoing work on in-toto policies, where the community has been (re)defining policy specification and artifact verification for a rapidly evolving supply chain ecosystem. It starts with a brief introduction to the in-toto Attestation Framework, which is a standard way to describe supply chain data. This will be followed by sharing how the previous version of in-toto policies was unfortunately incompatible with new attestation formats. This concludes by demoing in-toto’s new policy framework that not only links attestations but also does so in more powerful, flexible, and user-friendly ways that accommodate a wide variety of real-world use cases.
Speakers
Marcela Melara

Research Scientist, Intel Labs
Marcela Melara is a research scientist in the Security and Privacy Research group at Intel Labs. Her current work focuses on developing solutions for high-integrity software and AI supply chains. She leads a number of internal, academic and open-source projects on supply chain and...
Bluebird Ballroom 3A

3:35pm MDT

Signing and Verifying Multi-architecture Containers With Sigstore - Natalie Somersall, Chainguard
Thursday June 26, 2025 3:35pm - 3:50pm MDT
Multi-architecture containers are magical to use—but a bit arcane to work with. Why does `docker pull python:3` grab only one architecture? How can we verify that the signed one is in use? In this talk, I’ll demystify how the order of operations for container resolution works. We’ll then dive into OCI manifests, image layers, tags, and how those map to annotations like SBOMs, attestations, and signatures. Using this info, we'll map out a couple strategies on generating and verifying this information with Cosign regardless of the architecture we need to use. I’ll walk through real-world weirdness I’ve helped folks through managing multi-arch images at scale, including how some registries and pull-through caches behave unexpectedly. This talk is for folks who use containers daily but want to lay the foundation for their software supply chain security.
Speakers
Natalie Somersall

Principal Field Engineer, Public Sector, Chainguard
Natalie is a principal solutions engineer at Chainguard serving the public sector market. She spent years designing, building, and leading complex systems in regulated environments at a major systems integrator, but has also taken her career in many other directions - including detours...
Bluebird Ballroom 3A
 