OpenSSF Community Day Korea 2025 Agenda Live!


We’re excited to announce that the agenda for OpenSSF Community Day Korea is now live! The event takes place on November 4, 2025, in Seoul, South Korea, co-located with Open Source Summit Korea. Join us for a full day of collaboration, hands-on learning, and future-focused conversations about securing open source software.

OpenSSF Community Day Korea features a mix of keynotes, lightning-style talks, and technical sessions spanning software supply chain security, AI/ML security, SBOM quality and policy, and practical OSS tooling. There is also dedicated networking time to connect with maintainers, contributors, and adopters from across South Korea and the broader APAC region.

👉 Register now to secure your spot.
🕘 All sessions are listed in Korea Standard Time (KST).

Agenda Highlights

09:30 KST – Registration + Badge Pick-up
Kick off the day by picking up your badge and connecting with fellow attendees in the foyer.

11:30 KST – Welcome & Opening Remarks

  • Steve Fernandez, General Manager, OpenSSF

11:50 KST – Keynote Sessions

  • Featured speakers to be announced soon.

12:40 KST – Containers, Code, and Chaos: Securing the CI/CD Supply Chain

  • Aditya Soni, Forrester Research
  • Anshika Tiwari, Amazon Web Services, Inc.

13:00 KST – DepConfuse: SBOM-first Detection of Dependency Confusion

  • Akhil Mahendra, Scapia
  • Harsh Vairagya, CRED

13:20 KST – OSS Risk Scoring Is Broken. We Tried To Build Our Own With Sigstore and Scorecard

  • Prerit Munjal, InfraOne

13:40 KST – Break & Networking

14:15 KST – Securing the Real-Time Linux Kernel: Fortifying PREEMPT_RT With Syzkaller Fuzzing

  • Yunseong Kim, Ericsson
  • Shung-Hsi Yu, SUSE

14:45 KST – The Migration To Post-Quantum Cryptography: Open-Source Innovations and Interoperability

  • Tony Chen, Keyfactor

15:10 KST – License to Inspect: Auditing ML Pipelines for Open Source – A Guide

  • Aroma Rodrigues, Former Microsoft, Intuit, JP Morgan Chase, Fidelity Investments

15:35 KST – Highlighting the Uniqueness and Prevalence of OSS AI/ML Vulnerabilities

  • Jessy Ayala, University of California, Irvine

15:50 KST – Standardizing the Unstandardized: Securing AI Supply Chain With Model-Spec and Kitops

  • Prasanth Baskar, 8gears

16:05 KST – Enabling Verifiable AI Transparency With Confidential Computing With ManaTEE

  • Yonggil Choi, TikTok

Why Attend

  • Learn: Practical strategies for securing open source, from kernel fuzzing to SBOM-driven dependency protection.
  • Connect: Meet experts from companies like AWS, Ericsson, Keyfactor, TikTok, SUSE, and more.
  • Contribute: Engage directly with OpenSSF projects and working groups making OSS safer for everyone.

Plan Your Day

👉 Register here to attend OpenSSF Community Day Korea.

Keep the Momentum Going

From Denver to Hyderabad to Tokyo, OpenSSF Community Days are uniting the global open source community around one shared goal: making OSS secure for everyone. We’re thrilled to bring this energy to Seoul and can’t wait to build with you.

See you on November 4 in Seoul!

OpenSSF Celebrates Global Momentum, AI/ML Security Initiatives and Golden Egg Award Winners at Community Day Europe


Foundation honors community achievements and strategic efforts to secure ML pipeline during community event in Amsterdam

AMSTERDAM – OpenSSF Community Day Europe – August 28, 2025 – The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), presents the Golden Egg Award during OpenSSF Community Day Europe and celebrates notable momentum across the security industry. The Foundation’s milestones include achievements in AI/ML security, policy education, and global community engagement.

Golden Egg Award Recipients

OpenSSF continues to shine a light on those who go above and beyond in our community with the Golden Egg Awards. The Golden Egg symbolizes gratitude for recipients’ selfless dedication to securing open source projects through community engagement, engineering, innovation, and thoughtful leadership. This year, we celebrate:

  • Ben Cotton (Kusari) – for work on GUAC and the Open Source Project Security Baseline (OSPS Baseline)
  • Kairo de Araujo (Eclipse Foundation) – for maintaining RSTUF and participation in the Securing Software Repositories Working Group
  • Katherine Druckman (Independent) – for dedication to community growth and developer relations (DevRel)
  • Eddie Knight (Sonatype) – for advancing OSPS Baseline and creating project courses that strengthen open source security education
  • Georg Kunz (Ericsson) – for leadership and contributions within the Best Practices Working Group

Achievements and Milestones

OpenSSF is supported by more than 118 member organizations and 1,519 technical contributors across OpenSSF projects, serving as a vendor-neutral partner to affiliated open source foundations and projects. As securing the global technology infrastructure continues to get more complex, OpenSSF will remain a trusted home to further the reliability, security, and universal trust of open source software.

Over the past quarter, OpenSSF has made several key achievements in its mission to sustainably secure open source software, including:

  • The release of a whitepaper by the AI/ML Security Working Group on securing the AI lifecycle, which maps OWASP ML Top 10 threats to MLOps stages and highlights tools like Sigstore and OpenSSF Scorecard.
  • Success at the AI Cyber Challenge (AIxCC) at DEF CON. OpenSSF participated as a challenge advisor and will be working with DARPA and ARPA-H to open source the winning systems, infrastructure, and data from the competition.
  • Co-launching the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families.
  • Publishing the Cyber Resilience Act (CRA) Brief Guide for OSS Developers, a practical overview to help open source maintainers and contributors understand when CRA requirements apply, what obligations exist, and how to prepare — paired with the free express course Understanding the EU Cyber Resilience Act (CRA) (LFEL1001) for those who want deeper learning and a digital badge.
  • Co-launching the Global Cyber Policy Working Group to collaborate on global cybersecurity-related legislation, frameworks, and standards which facilitate conformance to regulatory requirements by open source projects and their consumers; with initial focus on EU’s CRA legislation.

“Securing the AI and ML landscape requires a coordinated approach across the entire pipeline,” said Steve Fernandez, General Manager at OpenSSF. “Through our MLSecOps initiatives with OpenSSF members and policy education with our communities, we’re giving practitioners and their organizations actionable guidance to identify vulnerabilities, understand their role in the global regulatory ecosystem, and build a tapestry of trust from data to deployment.”

Global Community Engagement

OpenSSF continues to expand its influence on the international stage. OpenSSF Community Days drew record attendance globally, including standing-room-only participation in India, strong engagement in Japan, and sustained presence in North America.

Supporting Quotes

“As AI and ML adoption grows, so do the security risks. Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security is a practical guide that bridges the gap between ML innovation and security using open-source DevOps tools. It’s a valuable resource for anyone building and securing AI/ML pipelines.” Sarah Evans, Distinguished Engineer, Dell Technologies 

“The whitepaper distills our collective expertise into a pragmatic roadmap, pairing open source controls with ML-security threats. Collaborating through the AI/ML Security WG proved that open, vendor-neutral teamwork can significantly accelerate the adoption of secure AI systems.” Andrey Shorov, Senior Security Technology Specialist at Product Security, Ericsson

“The Cybersecurity Skills Framework is more than a checklist — it’s a practical roadmap for embedding security into every layer of enterprise readiness, open source development, and workforce culture across international borders. By aligning skills with real-world global threats, it empowers teams worldwide to build secure software from the start.” Jamie Thomas, Chief Client Innovation Officer and the Enterprise Security Executive, IBM 

“Open source is global by design, and so are the challenges we face with new regulations like the EU Cyber Resilience Act,” said Christopher “CRob” Robinson, Chief Security Architect, OpenSSF. “The Global Cyber Policy Working Group helps policymakers understand how open source is built and supports maintainers and manufacturers as they prepare for compliance.”

“The OpenSSF’s brief guide to the Cyber Resilience Act is a critical resource for the open source community, helping developers and contributors understand how the new EU law applies to their projects. It clarifies legal obligations and provides a roadmap for proactively enhancing their code’s security.” Dave Russo, Senior Principal Program Manager, Red Hat Product Security

Events and Gatherings

New and existing OpenSSF members are gathering this week in Amsterdam at the annual OpenSSF Community Day Europe.

OpenSSF will continue its engagement across Europe this fall with participation in the Linux Foundation Europe Member Summit (October 28) and the Linux Foundation Europe Roadshow (October 29), both in Ghent, Belgium. At the Roadshow, OpenSSF will sponsor and host the CRA in Practice: Secure Maintenance track, building on last year’s standing-room-only CRA workshop. On October 30, OpenSSF will co-host the European Open Source Security Forum with CEPS in Brussels, bringing together open source leaders, European policymakers, and security experts to collaborate on the future of open source security policy. A landing page for this event will be available soon; check the OpenSSF events calendar for updates and registration details.


About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry organization at the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org

Media Contact
Grace Lucier
The Linux Foundation

[email protected] 

Trustify joins GUAC


By Ben Cotton and Dejan Bosanac

The superpower of open source is multiple people working together on a common goal. That applies to projects as well as people. GUAC and Trustify are two projects bringing visibility to the software supply chain, and today they are joining forces under the GUAC umbrella. With Red Hat’s contribution of Trustify to the GUAC project, the two form a unified effort to address the challenges of consuming, processing, and using supply chain security metadata at scale.

Why Join?

The Graph for Understanding Artifact Composition (GUAC) project was created to bring understanding to software supply chains. GUAC ingests software bills of materials (SBOMs) and enriches them with additional data to create a queryable graph of the software supply chain. Trustify also ingests and manages SBOMs, with a focus on security and compliance. With so much overlap, it makes sense to combine our efforts.
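As an added illustration of what “ingest SBOMs, enrich them, query the graph” means in practice (this is example code written for this page, not GUAC’s or Trustify’s own implementation), the following builds a small in-memory supply-chain graph from a constructed CycloneDX-style SBOM with fictional package names, attaches a fictional advisory ID from a constructed enrichment feed, and then answers the question both projects exist to answer: which components are exposed to a given advisory, and through which dependency path.

```python
"""Toy supply-chain knowledge graph: ingest an SBOM, enrich it, query it.
Illustrative code only; it is not GUAC or Trustify."""
import json
from collections import defaultdict, deque

# Constructed CycloneDX-style SBOM. All package names/versions are fictional.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:pypi/example-app@1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/libhttp@4.1.0"},
        {"bom-ref": "pkg:pypi/libtls@0.9.2"},
        {"bom-ref": "pkg:pypi/libparse@2.3.0"},
        {"bom-ref": "pkg:pypi/libcolor@1.2.0"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/example-app@1.0.0",
         "dependsOn": ["pkg:pypi/libhttp@4.1.0", "pkg:pypi/libparse@2.3.0"]},
        {"ref": "pkg:pypi/libhttp@4.1.0", "dependsOn": ["pkg:pypi/libtls@0.9.2"]},
        {"ref": "pkg:pypi/libparse@2.3.0", "dependsOn": ["pkg:pypi/libcolor@1.2.0"]},
    ],
})

# Constructed enrichment feed keyed by package URL; the advisory ID is fictional.
SAMPLE_ADVISORIES = {"pkg:pypi/libtls@0.9.2": ["EXAMPLE-2025-0001"]}


class SupplyChainGraph:
    """Directed graph stored as (subject, predicate, object) edges."""

    def __init__(self):
        self.out = defaultdict(set)   # subject -> {(predicate, object)}
        self.inn = defaultdict(set)   # object  -> {(predicate, subject)}

    def add(self, subject, predicate, obj):
        self.out[subject].add((predicate, obj))
        self.inn[obj].add((predicate, subject))

    def ingest_cyclonedx(self, sbom_json):
        """Ingest: the root component and each dependency edge become graph edges."""
        sbom = json.loads(sbom_json)
        root = sbom["metadata"]["component"]["bom-ref"]
        self.add(root, "described_by", "sbom")
        for dep in sbom.get("dependencies", []):
            for target in dep.get("dependsOn", []):
                self.add(dep["ref"], "depends_on", target)
        return root

    def enrich(self, advisories):
        """Enrichment: attach vulnerability nodes from an external feed."""
        for purl, ids in advisories.items():
            for adv in ids:
                self.add(purl, "has_vulnerability", adv)

    def dependents_of(self, purl):
        """Reverse-transitive query: everything that (directly or not) ships purl."""
        seen, queue = set(), deque([purl])
        while queue:
            node = queue.popleft()
            for pred, subj in self.inn.get(node, ()):
                if pred == "depends_on" and subj not in seen:
                    seen.add(subj)
                    queue.append(subj)
        return seen

    def affected_by(self, advisory):
        """Which packages in the graph are exposed to a given advisory?"""
        vulnerable = {subj for pred, subj in self.inn.get(advisory, ())
                      if pred == "has_vulnerability"}
        exposed = set(vulnerable)
        for purl in vulnerable:
            exposed |= self.dependents_of(purl)
        return exposed

    def path(self, src, dst):
        """One dependency path from src to dst (BFS), for explaining a finding."""
        parents, queue = {src: None}, deque([src])
        while queue:
            node = queue.popleft()
            if node == dst:
                chain = []
                while node is not None:
                    chain.append(node)
                    node = parents[node]
                return chain[::-1]
            for pred, obj in self.out.get(node, ()):
                if pred == "depends_on" and obj not in parents:
                    parents[obj] = node
                    queue.append(obj)
        return []


def build_sample_graph():
    g = SupplyChainGraph()
    g.ingest_cyclonedx(SAMPLE_SBOM)
    g.enrich(SAMPLE_ADVISORIES)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print(sorted(g.affected_by("EXAMPLE-2025-0001")))
    print(" -> ".join(g.path("pkg:pypi/example-app@1.0.0", "pkg:pypi/libtls@0.9.2")))
```

The point of the graph shape is that the SBOM alone only tells you what a component contains; the value appears once edges from other sources (advisories here, but equally attestations, Scorecard results, or license data) land on the same nodes, so a single reverse traversal answers “what ships this?” across everything ingested.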

The grand vision for this evolved community is to become the central hub within OpenSSF for initiatives focused on building and using supply chain knowledge graphs. This includes: defining & promoting common standards, data models, & ontologies; developing shared infrastructure & libraries; improving the overall tooling ecosystem; fostering collaboration & knowledge sharing; and providing a clear & welcoming community for contributors.

What’s Next?

Right now, we’re working on the basic logistics: migrating repositories, updating websites, merging documentation. We have created a new GUAC Steering Committee that oversees two core projects: Graph for Understanding Artifact Composition (GUAC) and Trustify, and subprojects like sw-id-core and GUAC Visualizer. These projects have their own maintainers, but we expect to see a lot of cross-collaboration as everyone gets settled in.

If you’d like to learn more, join Ben Cotton and Dejan Bosanac at OpenSSF Community Day Europe for their talk on Thursday 28 August. If you can’t make it to Amsterdam, the community page has all of the ways you can engage with our community.

Author Bios

Ben Cotton is the open source community lead at Kusari, where he contributes to GUAC and leads the OSPS Baseline SIG. He has over a decade of leadership experience in Fedora and other open source communities. His career has taken him through the public and private sector in roles that include desktop support, high-performance computing administration, marketing, and program management. Ben is the author of Program Management for Open Source Projects and has contributed to the book Human at a Distance and to articles in The Next Platform, Opensource.com, Scientific Computing, and more.

Dejan Bosanac is a software engineer at Red Hat with an interest in open source and integrating systems. Over the years he has been involved in various open source communities tackling problems such as software supply chain security, IoT cloud platforms, edge computing, and enterprise messaging.