October 30, 2024

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SOSS Community Day Japan 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: this schedule is displayed in Japan Standard Time (JST/UTC+9).

The schedule is subject to change.
Wednesday, October 30
 

09:25 JST

Forging the Future of a More Secure AI - How CoSAI Intends to Help - Jeffrey Borek & Moriyoshi Ohara, IBM
Wednesday October 30, 2024 09:25 - 09:45 JST
As artificial intelligence becomes increasingly integral to many industries, ensuring its security is paramount. The Coalition for Secure AI (CoSAI), led by Anthropic, Cisco, Google, IBM, Intel, Microsoft, NVIDIA, OpenAI, PayPal and others, brings these organizations together to collaborate on guidelines, best practices and, ultimately, robust security standards for AI systems. We will discuss the coalition's three critical workstreams: Supply Chain Security for AI Systems, Preparing Defenders for a Changing Cybersecurity Landscape, and AI Security & Risk Governance. Attendees will gain insight into how CoSAI is committed to working with the OpenSSF, LF AI & Data, and other communities to foster collaboration, innovation, and education across the AI cybersecurity realm. Join us to discover how CoSAI's collaborative approach is paving the way for proactive self-regulation in this rapidly evolving "new" industry, and how you can help.
Speakers

Moriyoshi Ohara

Distinguished Engineer, IBM

Jeffrey Borek

WW Program Director, Open Tech & Supply Chain Security, IBM
Working to build a scalable and consistent supply chain security platform, while continuing to lead the consumption compliance Open Source Program Office (OSPO), including policy, execution and guidance. Working with IBM Government & Regulatory Affairs, Software, Systems, Cloud, Consulting...
Main Hall

09:50 JST

Is This Thing on? Blue Team Tips for Scorecard - Raghav Kaul, Google
Wednesday October 30, 2024 09:50 - 10:10 JST
OpenSSF Scorecard and Allstar are tools for automatically scanning source code repositories for security misconfigurations. Scorecard looks at a GitHub or GitLab project’s source code, CI workflows, and repository settings and provides an actionable list of findings for a maintainer to improve their project’s security practices. Allstar is a way to run security analysis at scale, and automatically remediate issues. This talk will focus on one specific use case that blue teams face: how can Scorecard be used to secure first party repos? Is there a way to integrate Scorecard into an actual development process so that it doesn’t just detect an issue, but prevents it from being introduced into the supply chain? There are two aspects to this answer: infrastructure and policy. We’ll look at how probes enable the creation of granular policies, data pipelines for gathering results from probe runs, and techniques for shifting Scorecard scans left with pre-commit GitHub Actions.
Speakers

Raghav Kaul

Google
Raghav is a Security Engineer on Google's Open Source Security Team. He is a maintainer of OpenSSF Scorecard and a contributor to OpenSSF Allstar.
Main Hall

10:15 JST

Future Use of SCAP and SBOM for Software Supply Chain Security - Yumi Tomita & Atsuya Misaki, Cybertrust Japan Co., Ltd. & Masaki Ishiguro, Mitsubishi Research Institute, Inc.
Wednesday October 30, 2024 10:15 - 10:35 JST
In recent years, supply chain security has come to be strongly required as a mechanism for objectively and rationally assuring the security of organizations, systems, products, services, and data with respect to trading partners and other stakeholders. Modern software development has become more complex due to the proliferation of multiple suppliers, vendors, and open source software (OSS), which has increased both the possibility of vulnerabilities being introduced by suppliers and the risk of attacks that exploit the software supply chain. This is why the software supply chain is becoming more and more complex, and why it is important to understand and manage security risks throughout it. The presentation will compare SCAP, which has been used for a long time, with SBOM (Software Bill of Materials), which has been attracting attention in recent years, as methods for supply chain security, explain the features of each, and discuss the possibilities of utilizing these tools in the future.
Speakers

Masaki Ishiguro

Chief Manager and Mission Leader at Cybersecurity Strategy Group, Mitsubishi Research Institute, Inc.
Masaki Ishiguro, Ph.D., is a Chief Manager and Mission Leader at the Cybersecurity Strategy Group, Mitsubishi Research Institute, Inc. His areas of expertise include cybersecurity technologies, government policies, risk management, cybersecurity economics, and digital engineering. He has completed...

Atsuya Misaki

Product Manager, Cybertrust Japan Co., Ltd.
Atsuya Misaki is a Product Manager at Cybertrust Japan. He works in product development related to SBOM and vulnerability management.

Yumi Tomita

Marketer, Cybertrust Japan Co., Ltd.
Yumi Tomita is a Marketer at Cybertrust Japan. She works on utilizing SBOM for vulnerability management. She is a member of the OpenChain Project Japan Working Group.
Main Hall

11:00 JST

Linux Distributor’s Role for Supply Chain Security - Muuhh Ikeda & Takanori Suzuki, Cybertrust Japan Co., Ltd.
Wednesday October 30, 2024 11:00 - 11:15 JST
Linux distributions provide users with great convenience by offering centralized access to many independent OSS projects from a single location. This has been an essential function in making OSS popular and ubiquitous. Because distributions consolidate multiple means of access, they can be expected to play an important role in enhancing OSS supply chain security: for example, SBOMs, provenance, and vulnerability information can be provided with trust. Currently, however, it is difficult to provide all of these in a unified and convenient manner while guaranteeing their authenticity and integrity. In this session, the speaker will share the current issues from the perspective of a developer of multiple Linux distributions and propose the role that distributions and distributors should play in enhancing supply chain security. He will then propose the mechanisms necessary to achieve this and discuss them with the attendees.
Speakers

Takanori Suzuki

Chief Open Source Officer, Expert Software Engineer, Cybertrust Japan Co., Ltd.
Takanori Suzuki leads the OSPO as Chief Open Source Officer (COSO) and is also a Linux OSS developer. He has also worked on Linux distro development, PKI systems, and the open source monitoring software MIRACLE ZBX, and gave a presentation about a mruby extension for it at the Ruby World Confe...

Munehiro Ikeda

Lead Architect, Cybertrust Japan Co., Ltd.
Muuhh IKEDA has been an OSS lover and believer since his first compile with gcc in the 90s. He got involved in Linux kernel development mainly for embedded and IoT use cases. He is working at Cybertrust Japan as a Lead Architect for IoT products and services, and is a member of the OSPO...
Main Hall

11:20 JST

Migrating Operating System Toward Post-Quantum Cryptography - Daiki Ueno, Red Hat
Wednesday October 30, 2024 11:20 - 11:35 JST
In the area of computer security, we are on the cusp of the post-quantum era: cryptanalytically relevant quantum computers (CRQC) pose a threat to the public-key algorithms used today in network protocols and data formats. To address this concern, NIST has standardized a set of quantum-resistant algorithms, while the NSA has announced guidance for migrating national security systems to quantum-resistant algorithms, targeting 2035. In the open source community, we at the Fedora project are exploring adoption of those algorithms to lay the groundwork for protecting our current and future users. In this session, we will present our strategy and the status of the effort.

Topics to be covered:
  1. Key exchange and digital signature: threat models and priorities
  2. State of the art algorithms and cryptanalysis
  3. Avoiding implementation divergences across the operating system: consolidating the implementation to liboqs, a project part of the Post-Quantum Cryptography Alliance
  4. Safely integrating non-finalized algorithms in a backward compatible manner
  5. Example integration in TLS, IPsec, and verifiable data storage
Speakers

Daiki Ueno

Principal Software Engineer, Red Hat
Daiki Ueno is a software engineer at Red Hat, where he works on RHEL security, focusing on cryptography. Daiki is an upstream maintainer of GnuTLS and p11-kit, as well as a contributor to various open source projects, not limited to security topics.
Main Hall

11:40 JST

Continuous Security with ArgoCD and Kubescape - Anubhav Gupta, Akuity
Wednesday October 30, 2024 11:40 - 11:50 JST
In the cloud-native landscape, the integration of security into the CI/CD pipeline is not just a best practice—it's a necessity. ArgoCD has emerged as the leading GitOps controller for Kubernetes, automating deployments with precision. However, ensuring that every deployment is secure requires more than just automated workflows; it demands continuous security checks before, during, and after the deployment process. This talk will demonstrate how the combination of ArgoCD and Kubescape, a powerful open-source Kubernetes security tool, delivers a comprehensive security solution for Kubernetes deployments. We will walk through setting up an end-to-end workflow that integrates security checks into every stage of the deployment process. Attendees will learn how to implement security gates that assess vulnerabilities in container images and Kubernetes configurations before any changes are committed and receive real-time alerts if vulnerabilities are detected in production. By the end of this talk, participants will be equipped to enhance their GitOps workflows with robust security practices, making their Kubernetes deployments more resilient and secure.
Speakers

Anubhav Gupta

Software Engineer, Akuity
Anubhav works as a Software Engineer at Akuity. He is a graduate of the CNCF's Summer 2023 LFX Mentorship batch, where he worked on the Kubescape project. He is an active contributor to various CNCF projects including Kubescape and Copa. Anubhav has previously spoken at the Open Source...
Main Hall

11:55 JST

Let’s Join CNCF TAG Security APAC! - Yoshiyuki Tabata, Hitachi, Ltd.
Wednesday October 30, 2024 11:55 - 12:00 JST
The CNCF Security Technical Advisory Group (TAG Security) is a group of cloud-native security experts and anyone interested in cloud-native security, and we can come together to work on various issues in different security areas. We do this in various ways, including through white papers we produce as resources for the community, presentations on new security projects including CNCF projects, and security assessments we provide to CNCF projects and many other initiatives. Previously, TAG Security meetings were only held in the US and EMEA time zones for a long time. This made it difficult for security friends in the APAC time zone to contribute to TAG Security, but we have now managed to hold meetings in the APAC time zone starting in August of this year! In this presentation, Yoshiyuki Tabata, facilitator for TAG Security APAC, will provide an overview of TAG Security and its latest trends. Let's make TAG Security APAC even more exciting together!
Speakers

Yoshiyuki Tabata

Senior OSS Consultant, Hitachi
Yoshiyuki Tabata is a Senior OSS Consultant at Hitachi, Ltd., responsible for IAM and API-related solutions. As an authentication and authorization expert, he has provided numerous consultations, for example, designing and building API/SSO systems in various fields such as finance...
Main Hall

12:05 JST

Rapid Handling of Vulnerabilities in the Supply Chain with SBOM and VEX - Akihiko Takahashi, Fujitsu Limited
Wednesday October 30, 2024 12:05 - 12:15 JST
Fujitsu supports the evolution of SPDX and its progress toward an international standard that provides a common SBOM basis for software utilization by companies throughout the supply chain. We have long provided multilateral support for SPDX, especially through activities in Yocto and SPDX-Lite. Since 2016, we have been among the maintainers of meta-spdxscanner, which enables SPDX functionality for the Yocto Project. We are also the top contributors of patch submissions to the Yocto Project. In recent years, increasing interest in cybersecurity has led to the need to quickly determine whether a product is vulnerable or not. In the supply chain, vulnerability information can be handled with a combination of SBOM and VEX. An SBOM should be generated for each build, and a VEX should be generated for each vulnerability detection. It is necessary to manage them separately because their life cycles are different. In addition, there is a problem with the accuracy of vulnerability information, and there are some measures to address it. In this presentation, we describe the advantages and challenges of creating VEX in Yocto as a use case.
Speakers

Akihiko Takahashi

Fujitsu
I am an Embedded Linux Developer. I joined Fujitsu Corporation in 2013. My primary role involves developing an in-house distribution for embedded systems. I have experience in IVI (In-Vehicle Infotainment) system development, DevOps, and infrastructure environment development. Currently...
Main Hall

13:45 JST

Navigating the Quantum Readiness Journey: Open-Source Cryptography, PKI and Signing Tools - Tony Chen, Keyfactor
Wednesday October 30, 2024 13:45 - 14:05 JST
With the arrival of the new Post-Quantum Cryptography (PQC) NIST standards, we look at the current state. Cryptography and crypto agility are cornerstones of cybersecurity and are essential for everyone. With this presentation, we want to empower every engineer and security expert with hands-on insights into quantum-resistant cryptography to help them navigate the quantum readiness journey. We will explore PQC aspects for use cases in IoT, container, and software supply chain security, as well as initiatives based on standards such as those involving FIPS and the IETF. Additionally, we will discuss the advancements in PQC within the open-source products available from bouncycastle.org, ejbca.org, and signserver.org. Security is a collective effort; community collaboration is vital for high-quality, interoperable cryptographic solutions.
Speakers

Tony Chen

Solution Engineer, Keyfactor
Meet Tony Chen, the cybersecurity wizard with over 8 years of PKI magic up his sleeve! As an Asia-Pacific and Japan Solution Engineer at Keyfactor, he's the go-to guy for all things secure. With a Master's in Cybersecurity from the National University of Singapore and a CISSP...
Main Hall

14:10 JST

How Application Security Will Change with the Rise of AI - Riotaro Okada, Asterisk Research, Inc
Wednesday October 30, 2024 14:10 - 14:25 JST
DevOps, CI/CD, and rapid improvement cycles have improved code maintenance and quality. Yet, application security remains vulnerable and underdeveloped. Drawing on my experience with the OWASP community in Japan and some OWASP Projects like the OWASP LLM Top 10 Risks project, I will share some concepts of beneficial and risky practices throughout DevOps.
Speakers

Riotaro Okada

Executive, Asterisk Research, Inc
A Japanese security researcher. OWASP Japan chapter lead (since 2011). OWASP contributor with projects (since 200x). Executive director / xSIRT advisor at Asterisk Research. MBA, CISA, CSA. https://www.linkedin.com/in/riotaro
Main Hall

14:30 JST

Learnings from Teaching Students Who Are Willing to Be Cyber Security Experts - Masato Matsuoka, Black Duck Software G.K.
Wednesday October 30, 2024 14:30 - 14:40 JST
I was chosen as a lecturer in IoT cyber security for Security Camp, and I taught the students IoT system risk analysis from outside the systems, and at the software level, identifying internal system risks with SBOM. Many of them are very good cyber security learners, but there are some findings from the series of lectures. They know about the risks of software in general, but they do not have much experience yet, so the discussion always ends up being about basic things after all. For example, their knowledge and experience are very limited, so identifying the risks of OSS components by evaluating Software BOMs is quite challenging. I won't give you any guidance or ideas, but I will share my experiences with students.
Speakers

ANI Matsuoka

Sr. Technical Marketing Manager, Black Duck Software G.K.
Graduated from the Department of Electrical Engineering, Nagaoka Technical High School, Niigata Prefecture. Former software developer, including embedded, and cyclist. After mainly working on control systems and embedded software development, he was involved in embedded development...
Main Hall

14:45 JST

Developers Meet Security: Lessons Learnt - Marta Rybczynska, Ygreky
Wednesday October 30, 2024 14:45 - 15:00 JST
Security training for developers has become more and more popular. However, does it bring the desired effect? In this talk, Marta will summarize the experience of communicating with and training developers on security topics. She will share lessons learned and suggestions on topics like addressing previous bad experiences in communication between developers and security people, the existence of silos, developers being overwhelmed by methodologies and tools, lack of time and resources for security and quality work, and more. This session will be a call for a discussion on how to better explain security to people who are not security experts and do not want to be.
Speakers

Marta Rybczynska

Founder, Ygreky
Marta Rybczynska has a network security background, with 20 years of experience in Open Source. She has worked with embedded operating systems like Linux and various real-time OSes, and with system libraries and frameworks up to user interfaces. She has been involved in various Open...
Main Hall

15:05 JST

Head First Reporting of Linux Kernel CVEs: Practical Use of the Kernel Fuzzer - Yunseong Kim, Ericsson LG
Wednesday October 30, 2024 15:05 - 15:25 JST
This session will delve into the practical experience of discovering and reporting Linux kernel vulnerabilities using a powerful kernel fuzzer such as syzkaller. We will walk through the step-by-step process of conducting fuzzing tests, identifying potential vulnerabilities, and ultimately submitting them to the Linux kernel security community. Beyond the technical aspects of vulnerability discovery, we'll also discuss the broader implications of this work for the open source ecosystem. By sharing insights into the benefits of using kernel fuzzers, we aim to encourage more developers to contribute to the security of Linux and other open source projects.

Topics will include:
  1. Introduction to syzkaller
  2. Real-world case studies: practical examples of vulnerabilities discovered using syzkaller
  3. The vulnerability reporting process: practices for submitting vulnerabilities to the Linux kernel security community with a PoC
Speakers

Yunseong Kim

Open Source Contributor, Ericsson LG
"perf In Action" at DebConf24: https://debconf24.debconf.org/talks/43-perf-in-action-real-world-applications/
Finding a vulnerability in the IBM Z architecture memory subsystem in the Linux kernel, CVE-2024-41021: https://lore.kernel.org/linux-cve-announce/2024072929-CVE-2024-41021-f857@gr...
Main Hall

15:45 JST

TTX Session - Speakers To Be Announced
Wednesday October 30, 2024 15:45 - 17:00 JST
Main Hall