OpenSSF Community Day North America 2025

In the realm of higher education, security education often remains less prioritized against the expanding sophistication of cyber threats. This oversight engenders a stark skills gap, subsequently contributing to a notable workforce deficiency within the cyber security sector. Despite numerous institutions across Canada and the United States offering computer security courses, their exclusion from the mandatory graduation requisites further accentuates the problem. In this talk, you’ll learn about these gaps and how to best address them within your organization and the technical community at large.

Contributors and maintainers will benefit from increased visibility to changes in the ecosystem, especially as LFX Insights works to display Baseline results for all projects. The baseline is already fully adopted as a project requirement by the OpenSSF TAC, and adoption is underway by the FINOS and CNCF technical oversight committees. Past or Present Chairs from each of the three bodies are leading contributors to the effort.

End User members will benefit by better understanding the measures that Linux Foundation is taking to ensure that projects are being held to robust security standards.

OpenSSF Scorecard is a powerful tool for assessing the security health of open-source projects. However, making sense of its vast data and prioritizing improvements can be challenging. This presentation introduces a dashboard designed to visualize and streamline Scorecard insights, providing maintainers and security teams with a clear, actionable view of their project's security posture. Attendees will learn about Ortelius, a CDF Project, that has delivered a dashboard that aggregates key Scorecard metrics, tracking progress over time, and integrates with CI/CD pipelines to enhance automation. By the end of the session, participants will understand how this dashboard can help improve security practices, reduce vulnerabilities, and ensure compliance with industry best practices.

In the complex landscape of cloud native security, organizations struggle to effectively measure and improve their security posture. The Cloud Native Assurance Maturity Model (CNAMM) is an open, community-driven framework that democratizes security best practices through evidence-based assessment across 8 critical business functions. Learn how this practical framework helps organizations of all sizes build security excellence, backed by real implementation success stories. We'll explore CNAMM's methodology, demonstrate its value through case studies, and show how the community can contribute to its evolution.

The security of the software supply chain has attracted a lot of attention in recent years, and with efforts like Software Bill of Materials, Vulnerability Exchange and in-toto, a lot of work is being done to advance the state of the art. Drawing on a blog post published earlier this year on the OpenSSF blog and recent work from across industry, this talk describes some of the challenges public sector organizations face as they try to manage their supply chain and how the OpenSSF, with the broader open source community, can help address them.

This session will be an overview of our efforts in the Secure Web Application Guidelines (SWAG) group, which has been working in coordination with the OpenSSF Best Practices group to develop security guidelines aimed at web developers. We'll go into some detail on the work and research that preceded this work and then talk about some of how this work differs from existing Best Practices, and how the the work of this group has influenced other sources for web developer documentation.

Open-source AI software introduces a new family of vulnerabilities to organizations. Some components in AI, like model serving, include Remote Code Execution (RCE) by design, like when loading pre-trained models from external sources.

This talk will examine some of the common security anti-patterns prevalent in AI engineering, such as security issues that are not classified as CVEs by design, or patched security issues that introduce breaking changes and therefore are not practically implemented. We’ll review the methods introduced for better security hygiene such as new checkpoint formats (model files on disk) - like SavedModel and SafeTensors.

While SCA, SAST, and traditional approaches don't analyze model checkpoints, leaving these silent vulnerabilities in your stacks, we’ll demo through real code examples, why the runtime context is crucial to detect these security issues––and how this can be achieved by leveraging eBPF and open source tooling.

This is a short session about my experiences in the past 18 months carrying the story of open source security across the length and breadth of India.
It is a geography that is just maturing in the IT spectrum, shifting from a predominantly services mindset to one of building products for the world.
This is a story of opportunities, of troubles, of tiresome evenings, and me questioning my life choices in airports as I battle flight delays and doom scrolling.
What does the country with the world’s largest developer population offer? A way forward? A threat of immaturity overpowering technical potential? A path to shape the developer mindset from the outset?
I don’t have all the answers. Maybe you do.

Bomctl is a new OpenSSF sandbox project designed to bridge the gap between SBOM generation and analysis. Leveraging the flexible and powerful expression of the Protobom library, bomctl
is natively format-agnostic, allowing effortless interaction with various SBOM formats. Bomctl enables the creation of to build a reference graph of SBOM documents and software packages, accurately representing modern software systems. With bomctl, data can be seamlessly pulled from SBOM generation tools and Source Code Management (SCM) platforms, and then pushed to SBOM registries, SCM platforms, and vulnerability analysis tools, streamlining your SBOM management workflow.

Software supply chain security is a critical concern for organizations operating in both connected and disconnected environments. The OpenSSF projects Zarf and GUAC (Graph for Understanding Artifact Composition) provide complementary capabilities to enhance security and transparency. Zarf enables the secure packaging and deployment of software in connected or disconnected environments, while GUAC aggregates and contextualizes Software Bill of Materials (SBOMs) to improve software provenance and risk assessment.

This talk will explore how integrating Zarf and GUAC can streamline SBOM generation, verification, and delivery across connected and disconnected environments. We will demonstrate how this integration facilitates:
- Secure SBOM packaging and transport with Zarf.
- Automated SBOM generation and enrichment using GUAC.
- Improved traceability and risk assessment in airgapped environments.

Attendees will gain practical insights into leveraging these OpenSSF projects to strengthen their supply chain security posture and meet emerging compliance requirements.

Sven will cover hybrid cryptography in the context of post-quantum cryptography (PQC), examining the reasoning behind hybrid systems and their role in ensuring interoperability during migration while strengthening security against quantum threats.

He will also discuss hybrid PKI, exploring various proposed standards, their advantages and drawbacks, and their practical applications. Additionally, he will outline different PKI migration paths, providing strategies tailored to diverse organizational needs.

As organizations and solutions navigate the quantum horizon, it is essential to consider their unique circumstances when planning for the transition.