#OpenSSFCommunityDay
Recap: OpenSSF Community Day Japan 2025 OpenSSF Community Day Japan returned to Tokyo for its third consecutive year in 2025, bringing together a diverse group of developers, researchers, government representatives, and industry experts to focus on securing the open source ecosystem.
At the OpenSSF Community Day event, six individuals participate in a panel discussion titled “OpenSSF TableTop Exercise (TTX): Continuously Integrating… Disaster!” The presentation slide is displayed behind them on a large screen with the OpenSSF logo. The event date is Thursday, June 18, 2025. One person stands at a lectern labeled “OpenSSF Community Day,” wearing a colorful hockey-style jersey and speaking into a microphone. Five panelists are seated on stools.

OpenSSF TTX Panel Session - John Kjell, ControlPlane; Seth Larson, Python Software Foundation; Mihai Maruseac, Google; Yesenia Yser, Microsoft; Megan Knight, Arm & Moderated by Christopher "CRob" Robinson, OpenSSF #OpenSSFCommunityDay

Brandt on stage at OpenSSF Community Day

Enhancing Supply Chain Security: Integrating Zarf and GUAC for Seamless SBOM Generation and Delivery - Brandt Keller, Defense Unicorns #OpenSSFCommunityDay

Allen and Ian on stage at OpenSSF Community Day

Bomctl Use Cases

For software developers
- “I need to pull SBOMs from an OCI registry and push them to my SBOM registry”
- “I want to sign all of my SBOMs before releasing as github release artifacts”

For an organisation
- “Our product is an integration of subcomponents. How do we represent this system with SBOMs?”
- “We want to redact sensitive information before sending our product’s SBOMs to a customer”

Simplifying SBOM Management: An Introduction To Bomctl - Allen Shearin & Ian Dunbar-Hall, Lockheed Martin #OpenSSFCommunityDay

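The last bomctl use case above, redacting an SBOM before it leaves the organisation, worked through as an added example in Go. This is not bomctl code and invokes none of its commands; it assumes an SPDX 2.3 JSON document (a constructed one is embedded inline) and that the internal domain to scrub is `corp.internal`, both assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed SPDX 2.3 document for the demo; not a real product SBOM.
const sampleSBOM = `{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "widget-1.4.2",
  "creationInfo": {
    "created": "2025-06-18T00:00:00Z",
    "creators": ["Tool: example-generator", "Person: Alice (alice@corp.internal)"]
  },
  "packages": [
    {"name": "widget", "SPDXID": "SPDXRef-widget", "versionInfo": "1.4.2",
     "downloadLocation": "git+ssh://git.corp.internal/widget.git@1.4.2",
     "comment": "built on buildhost-07.corp.internal from /srv/ci/widget"},
    {"name": "zlib", "SPDXID": "SPDXRef-zlib", "versionInfo": "1.3",
     "downloadLocation": "https://github.com/madler/zlib/archive/v1.3.tar.gz"}
  ]
}`

// internalHost matches the internal domain (an assumption for this example) in
// any string value: URLs, hostnames and e-mail addresses alike.
var internalHost = regexp.MustCompile(`[A-Za-z0-9.-]*corp\.internal\b`)

// dropKeys are free-text fields removed outright. Which keys go here is a
// policy decision; "comment" is the usual place for hostnames and paths to leak.
var dropKeys = map[string]bool{"comment": true}

func isInternalString(v any) bool {
	s, ok := v.(string)
	return ok && internalHost.MatchString(s)
}

// redact walks a decoded JSON tree in place and returns how many edits it made.
// downloadLocation becomes "NOASSERTION", a value SPDX permits, so the document
// stays schema-valid; any other string with an internal host gets it masked.
func redact(v any) int {
	n := 0
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			switch {
			case dropKeys[k]:
				delete(t, k) // deleting during range is safe in Go
				n++
			case isInternalString(child) && k == "downloadLocation":
				t[k] = "NOASSERTION"
				n++
			case isInternalString(child):
				t[k] = internalHost.ReplaceAllString(child.(string), "[redacted]")
				n++
			default:
				n += redact(child)
			}
		}
	case []any:
		for i, child := range t {
			if isInternalString(child) {
				t[i] = internalHost.ReplaceAllString(child.(string), "[redacted]")
				n++
			} else {
				n += redact(child)
			}
		}
	}
	return n
}

// RedactSBOM parses an SPDX JSON document, redacts it and re-serialises it.
// Redaction changes the bytes, so a signature made earlier no longer verifies:
// sign the redacted document, not the original.
func RedactSBOM(doc string) (string, int, error) {
	var tree any
	if err := json.Unmarshal([]byte(doc), &tree); err != nil {
		return "", 0, err
	}
	n := redact(tree)
	out, err := json.MarshalIndent(tree, "", "  ")
	return string(out), n, err
}

func main() {
	out, n, err := RedactSBOM(sampleSBOM)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%d redactions\n%s\n", n, out)
}
```

Two design points: `downloadLocation` is rewritten to `NOASSERTION` rather than emptied, because SPDX allows that value and downstream tools reject a missing or malformed one; and redaction happens before signing, since changing any byte voids an earlier signature. The `dropKeys` list should be agreed with whoever consumes the SBOM so nothing they depend on disappears.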

👆 Unquestionably one of the most entertaining talks! #OpenSSFCommunityDay

Ram on stage at OpenSSF Community Day.

Evangelizing Security in India: Fears, Tears, and a Billion Deaf Ears - Ram Iyengar, Linux Foundation #OpenSSFCommunityDay

Left to Right: Adrian Diglio, Microsoft; Meder Kydyraliev, Google, & Tom Bedford, Bloomberg

Adrian Diglio (Microsoft), Meder Kydyraliev (Google), Tom Bedford (Bloomberg) #OpenSSFCommunityDay


Go and visit the SLSA Dependency Track @ slsa.dev/spec/draft/d... #OpenSSFCommunityDay

Adrian (left) and Tom (right) on stage at OpenSSF Community Day.

Tom (left) and Adrian (right) on stage at OpenSSF Community Day.

SLSA Dependency Track Update - Meder Kydyraliev, Google; Adrian Diglio, Microsoft & Tom Bedford, Bloomberg #OpenSSFCommunityDay

Shlok on stage at OpenSSF Community Day

A slide titled “Deconstructing the XZ Attack” presents a dual-axis line graph showing trends over time. The x-axis represents dates from late 2021 to mid-2023. The left y-axis (red) represents “Communication Risk Score (Based on Analysis of Mailing List Toxicity)” ranging from 0.0 to 0.5, while the right y-axis (blue) shows “Network Centralization (Gini coefficient based on commit distribution inequality)” ranging from 0.0 to 1.0.

- A red line illustrates the Communication Risk Score, with a visible spike around April 2022 labeled “1. Sockpuppet Pressure Campaign.”
- A blue dashed line shows increasing network centralization, with a notable rise beginning after “Jia Tan gains commit access (Jan 2023),” followed by an annotation labeled “2. Malicious Maintainer Consolidates Control.”

The visual connects these metrics to key milestones in the XZ backdoor attack incident.

Predicting OSS Vulnerabilities Through Communication Analysis: A Work in Progress - Shlok Gilda, University of Florida #OpenSSFCommunityDay

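The blue series on that slide is a Gini coefficient over how commits are spread across contributors. As an added example, not the speaker's code or data, here is that metric computed in Go over a constructed commit log; the xz-flavoured author names and the dates are made up for illustration, not the real project history.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample log, one commit per line as "YYYY-MM author".
// Illustrative only: this is not the real xz commit history.
const sampleLog = `2022-03 lasse
2022-04 lasse
2022-05 lasse
2022-06 jia
2022-07 lasse
2023-01 jia
2023-02 jia
2023-03 jia
2023-04 jia
2023-05 jia
2023-06 jia
2023-06 lasse`

// commitCounts tallies commits per author whose month falls in [from, to].
func commitCounts(log, from, to string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || f[0] < from || f[0] > to {
			continue
		}
		counts[f[1]]++
	}
	return counts
}

// giniOver computes the Gini coefficient of the commit distribution across a
// fixed author set. Authors with no commits in the window count as zero:
// leaving them out would make a window with a single committer score 0
// (perfect "equality") when it is in fact the most centralised case.
//
//   G = sum_{i=1..n} (2i - n - 1) * x_i / (n * sum x),   x sorted ascending
//
// G is 0 when every author has the same count and tends to (n-1)/n as one
// author absorbs all commits.
func giniOver(authors []string, counts map[string]int) float64 {
	xs := make([]float64, 0, len(authors))
	var total float64
	for _, a := range authors {
		xs = append(xs, float64(counts[a]))
		total += float64(counts[a])
	}
	n := float64(len(xs))
	if n == 0 || total == 0 {
		return 0
	}
	sort.Float64s(xs)
	var acc float64
	for i, x := range xs {
		acc += (2*float64(i+1) - n - 1) * x
	}
	return acc / (n * total)
}

func main() {
	authors := []string{"lasse", "jia"}
	for _, w := range [][2]string{{"2022-03", "2022-07"}, {"2023-02", "2023-05"}} {
		g := giniOver(authors, commitCounts(sampleLog, w[0], w[1]))
		fmt.Printf("%s..%s  gini=%.3f\n", w[0], w[1], g)
	}
}
```

Two things to check before reading such a curve: authors with zero commits in a window must still be counted, otherwise a window with a single committer scores 0, the opposite of what it means; and with n contributors the maximum is (n-1)/n, so a two-person project tops out at 0.5 and the absolute value is only comparable across windows of the same project.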
Mihai and Eoin on stage at OpenSSF Community Day.

From Model To Trust: Building Upon Tamper-proof ML Metadata Records - Mihai Maruseac, Google & Eoin Wickens, HiddenLayer #OpenSSFCommunityDay

François on stage at OpenSSF Community Day

Living Off the Pipeline: From Supply Chain 0-Days To Predicting the Next XZ-like Attacks - François Proulx, BoostSecurity.io #OpenSSFCommunityDay

A photo taken at an OpenSSF Community Day presentation shows two speakers—one man and one woman—standing on stage next to a podium. They are presenting in a large conference room with tall acoustic panels. A large projection screen displays a slide titled “JOINing with deps.dev data,” which features SQL query snippets and annotated comments explaining how to join data from Rekor and deps.dev, including package ingestion, certificate generation by CI workflows, and joining on source repo and Rekor entry ID. Attendees are seated in the foreground, some working on laptops. The setting suggests a technical conference focused on software supply chain security.

Trends and Insights from the Sigstore Ecosystem - Eve Martin-Jones & Hayden Blauzvern, Google #OpenSSFCommunityDay


Myth #5: "You know your code" #OpenSSFCommunityDay


Myth #4: "CVEs are unique and have no data quality issues" #OpenSSFCommunityDay


Myth #3: "Names are unique" #OpenSSFCommunityDay


Myth #2: "There is only 1 dependency graph" #OpenSSFCommunityDay

Below the command is a Git commit history diagram showing the tag foo pointing to commit abc1234, which is followed by commit def5678 and further commits below. The implication is that Git tags can be reassigned to different commits, debunking the myth of immutability.

Tim and Jess on stage at OpenSSF Community Day

Myths Developers Believe About Open Source Security - Jess Lowe & Tim Zhang, Google #OpenSSFCommunityDay

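The tag diagram from the talk, reproduced as an added example in Go (not the speakers' code): a throwaway repository shows `foo` resolving to one commit, then to a different one after `git tag -f`, followed by the consumer-side check that pins a full commit SHA instead. It assumes a `git` binary on PATH; the repository, commits and messages are constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// git runs one git command in dir with a fixed identity and no user config,
// so the demo behaves the same on any machine. Returns trimmed output.
func git(dir string, args ...string) (string, error) {
	cmd := exec.Command("git", args...)
	cmd.Dir = dir
	cmd.Env = append(os.Environ(),
		"GIT_AUTHOR_NAME=demo", "GIT_AUTHOR_EMAIL=demo@example.invalid",
		"GIT_COMMITTER_NAME=demo", "GIT_COMMITTER_EMAIL=demo@example.invalid",
		"GIT_CONFIG_GLOBAL=/dev/null", "GIT_CONFIG_SYSTEM=/dev/null")
	out, err := cmd.CombinedOutput()
	if err != nil {
		return "", fmt.Errorf("git %s: %v: %s", strings.Join(args, " "), err, out)
	}
	return strings.TrimSpace(string(out)), nil
}

// TagMoveDemo initialises a repo in the empty directory dir, tags the first
// commit as "foo", then force-moves the tag to a second commit, which is all it
// takes for anyone with write access to the tag namespace. It returns the commit
// "foo" resolved to before and after the move.
func TagMoveDemo(dir string) (before, after string, err error) {
	steps := [][]string{
		{"init", "-q"},
		{"commit", "-q", "--allow-empty", "-m", "release 1.0"},
		{"tag", "foo"},
	}
	for _, s := range steps {
		if _, err = git(dir, s...); err != nil {
			return "", "", err
		}
	}
	// ^{commit} peels an annotated tag to its commit; a bare "rev-parse foo" on
	// an annotated tag would return the tag object's own hash instead.
	if before, err = git(dir, "rev-parse", "foo^{commit}"); err != nil {
		return "", "", err
	}
	if _, err = git(dir, "commit", "-q", "--allow-empty", "-m", "something else"); err != nil {
		return "", "", err
	}
	if _, err = git(dir, "tag", "-f", "foo"); err != nil {
		return "", "", err
	}
	after, err = git(dir, "rev-parse", "foo^{commit}")
	return before, after, err
}

// PinnedMatches is the consumer-side check: record the full commit SHA when the
// code was reviewed and compare the ref you are about to build against it,
// instead of trusting that a tag name still means what it meant last week.
func PinnedMatches(dir, ref, pinnedSHA string) (bool, error) {
	got, err := git(dir, "rev-parse", "--verify", ref+"^{commit}")
	if err != nil {
		return false, err
	}
	return got == pinnedSHA, nil
}

func main() {
	dir, err := os.MkdirTemp("", "tagdemo")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer os.RemoveAll(dir)
	before, after, err := TagMoveDemo(dir)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	ok, _ := PinnedMatches(dir, "foo", before)
	fmt.Printf("foo before: %s\nfoo after:  %s\npinned SHA still matches tag: %v\n", before, after, ok)
}
```

The same applies to any ref that is a name rather than a hash: a GitHub Actions `uses: owner/action@v1` line follows wherever `v1` is moved, while `@<full-sha>` does not, which is what OpenSSF Scorecard's Pinned-Dependencies check looks for. A signed tag does not change this: the signature proves who created the tag object, not that the name will keep pointing at it.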
A speaker in a purple shirt and hat stands at a lectern labeled “OpenSSF Community Day,” presenting a session. Beside him, a man in black sits on the stage near the screen. The projected slide reads “What is the Baseline?” and describes the OpenSSF’s Open Source Project Security Baseline (OSPS Baseline), a collaborative effort by OpenSSF with partners like CNCF, FINOS, and OpenJS. The Baseline includes a catalog of requirements tied to industry standards and tooling to determine compliance, with automation features and links to evidence. The slide features an illustration of a snake wrapped around a microphone.

All Your Base Are Belong To Us - Christopher Robinson, OpenSSF & Eddie Knight, Sonatype #OpenSSFCommunityDay

A block diagram illustrating the model signing and verification workflow using Sigstore components. The steps are as follows:
	
1. Model Trainer → Sigstore CA: Sends a workload identity token.
2. Sigstore CA → Model Trainer: Returns a certificate.
3. Model Trainer → Sigstore Transparency Log: Submits the signed model and certificate.
4. Sigstore Transparency Log → Model Trainer: Provides a log inclusion proof.
5. Model Trainer → Model Hub: Sends the signed model, certificate, and proof.
6. Model Hub: Verifies the signed model.
7. Model Hub → Model Users: Serves the verified signed model to users.

All components are enclosed within a large box indicating the scope of the model signing system. The flow emphasizes secure verification and provenance of machine learning models using Sigstore.

Model signing with Sigstore #OpenSSFCommunityDay

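The seven-step flow above, run end to end as an added example in Go; it also stands in for Mihai's Kaggle talk further down, which covers the same flow. This is not Sigstore or model-signing code: the CA, the transparency log and the Merkle inclusion proof are replaced by minimal stand-ins (an Ed25519-signed identity binding, an append-only list, and a signed receipt over an entry's index and hash) so the exchange between trainer, CA, log and hub runs offline. The workflow identity string and the model files are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// Cert stands in for the short-lived certificate: the CA binds the trainer's
// workload identity to an ephemeral public key and signs that binding.
type Cert struct{ Identity string; PubKey ed25519.PublicKey; CASig []byte }

func certBody(id string, pk ed25519.PublicKey) []byte { return append([]byte(id+"\x00"), pk...) }

// CA issues certificates. The "token" here is just the claimed identity string;
// a real CA verifies an OIDC token and binds the identity it carries.
type CA struct{ priv ed25519.PrivateKey }

func (ca CA) Issue(token string, pk ed25519.PublicKey) Cert {
	return Cert{token, pk, ed25519.Sign(ca.priv, certBody(token, pk))}
}

// Log stands in for the transparency log: append-only, answering each entry with
// a signed receipt over (index, sha256(entry)) that models the inclusion proof.
type Log struct{ priv ed25519.PrivateKey; entries [][]byte }

func receiptBody(i uint64, entry []byte) []byte {
	h := sha256.Sum256(entry)
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, i)
	return append(b, h[:]...)
}

func (l *Log) Append(entry []byte) (index uint64, sig []byte) {
	index = uint64(len(l.entries))
	l.entries = append(l.entries, entry)
	return index, ed25519.Sign(l.priv, receiptBody(index, entry))
}

// Manifest is the canonical "path sha256" listing that is actually signed, so a
// multi-file model is covered by one signature and any changed file shows up.
func Manifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files { paths = append(paths, p) }
	sort.Strings(paths)
	var buf bytes.Buffer
	for _, p := range paths { fmt.Fprintf(&buf, "%s %x\n", p, sha256.Sum256(files[p])) }
	return buf.Bytes()
}

// Bundle is what the trainer ships to the hub next to the model files.
type Bundle struct{ Cert Cert; Manifest, Sig []byte; LogIndex uint64; LogSig []byte }

func logEntry(b Bundle) []byte {
	return append(append(certBody(b.Cert.Identity, b.Cert.PubKey), b.Sig...), b.Manifest...)
}

// SignModel is the trainer side: ephemeral key, certificate from the CA, signature
// over the manifest, entry in the log; the private key is then simply dropped.
func SignModel(ca CA, tlog *Log, identity string, files map[string][]byte) Bundle {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	b := Bundle{Cert: ca.Issue(identity, pub), Manifest: Manifest(files)}
	b.Sig = ed25519.Sign(priv, b.Manifest)
	b.LogIndex, b.LogSig = tlog.Append(logEntry(b))
	return b
}

// VerifyModel is the hub side. Each check closes one way a forged or tampered
// upload could pass; the identity check is what ties the model to its trainer.
func VerifyModel(caPub, logPub ed25519.PublicKey, wantIdentity string, files map[string][]byte, b Bundle) error {
	switch {
	case !ed25519.Verify(caPub, certBody(b.Cert.Identity, b.Cert.PubKey), b.Cert.CASig):
		return errors.New("certificate not issued by the trusted CA")
	case b.Cert.Identity != wantIdentity:
		return fmt.Errorf("signed by %q, expected %q", b.Cert.Identity, wantIdentity)
	case !ed25519.Verify(b.Cert.PubKey, b.Manifest, b.Sig):
		return errors.New("manifest signature invalid")
	case !ed25519.Verify(logPub, receiptBody(b.LogIndex, logEntry(b)), b.LogSig):
		return errors.New("transparency log receipt invalid")
	case !bytes.Equal(Manifest(files), b.Manifest):
		return errors.New("model files do not match the signed manifest")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	logPub, logPriv, _ := ed25519.GenerateKey(rand.Reader)
	trainer := "https://github.com/example/train/.github/workflows/train.yml@refs/heads/main"
	files := map[string][]byte{"model.safetensors": []byte("weights"), "config.json": []byte("{}")}
	b := SignModel(CA{caPriv}, &Log{priv: logPriv}, trainer, files)
	fmt.Println("verify:", VerifyModel(caPub, logPub, trainer, files, b))
	files["config.json"] = []byte(`{"tampered": true}`)
	fmt.Println("after tamper:", VerifyModel(caPub, logPub, trainer, files, b))
}
```

What the hub relies on is the identity comparison: the signature proves the manifest was signed by whoever held the ephemeral key, the certificate proves the CA bound that key to a named workflow, and the log receipt proves the signing event was recorded where auditors can see it. Drop the identity check and any trainer with a valid certificate can publish under any model's name. A real verifier also checks the certificate's validity window against the log's timestamp, which this stand-in omits.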
Mihai on stage at OpenSSF Community Day

Opening slide of Mihai's presentation

Taming the Wild West of ML: Practical Model Signing With Sigstore on Kaggle - Mihai Maruseac, Google #OpenSSFCommunityDay

The speaker is presenting at a lectern during an OpenSSF Community Day event. The slide on the screen is titled “What is AIxCC?” and reads:

What is AIxCC?
A public competition that rewards autonomous Cyber Reasoning Systems (CRSs) that find and patch vulnerabilities in source code.
- The challenge problems are real, open-source projects.
- The vulnerabilities are realistic (synthetic) or real (zero-day).
- Patching is worth more than vulnerability discovery.
- Team outputs and competition infrastructure will be released open sourced after August 2025.

Patching Critical Infrastructure: Lessons from DARPA’s AI Cyber Challenge - Andrew Carney, Program Manager, Information Innovation Office, DARPA #OpenSSFCommunityDay

Sarah on stage at OpenSSF Community Day

OpenSSF in the Age of AI - Sarah Evans, Distinguished Engineer, Dell Technologies #OpenSSFCommunityDay

A conference slide displays a screenshot of a security email from the Openwall mailing list. The header shows Openwall’s logo with the tagline “bringing security into open environments.” The email is dated Friday, March 29, 2024, from Andres Freund, with the subject line: “backdoor in upstream xz/liblzma.” The visible portion of the message explains observations of odd symptoms in Debian sid installations, hinting at performance issues tied to SSH logins. Overlaying the email in large, bold letters is the word: “Trust?” — emphasizing doubt or concern regarding the security of open-source software.

"What about xz?" #OpenSSFCommunityDay

A large presentation slide displays the text: “Smaller projects are shaped by tools.” The words “shaped by tools” are written in a cursive, hand-drawn font for emphasis. Below the text is a diagram of a square connected by an arrow to a circle, illustrating the idea of transformation or influence, likely implying that the tools used can change the nature or form of a project.

Smaller projects are shaped by tools. #OpenSSFCommunityDay

Seth on stage in front of a slide that says: Security work isn't "special".

Security Work isn't Special - Seth Larson, Security Developer-in-Residence, Python Software Foundation #OpenSSFCommunityDay
