October 30, 2024

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SOSS Community Day Japan 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Japan Standard Time (JST/UTC+9).

The schedule is subject to change.
Entry Level
Wednesday, October 30
 

10:15 JST

Future Use of SCAP and SBOM for Software Supply Chain Security - Yumi Tomita & Atsuya Misaki, Cybertrust Japan Co., Ltd. & Masaki Ishiguro, Mitsubishi Research Institute, Inc.
Wednesday October 30, 2024 10:15 - 10:35 JST
In recent years, supply chain security has been strongly required as a mechanism to objectively and rationally ensure security concerning organizations, systems, products, services, and data with respect to trading partners and other stakeholders. Modern software development has become more complex due to the proliferation of multiple suppliers, vendors, and open source software (OSS), and this has increased both the possibility of vulnerabilities being introduced by suppliers and the risk of attacks that exploit the software supply chain. This is why the software supply chain is becoming more and more complex. Therefore, it is important to understand and manage security risks throughout the software supply chain. The presentation will compare SCAP, which has been used for a long time, and SBOM (Software Bill of Materials), which has been attracting attention in recent years, as methods for supply chain security, explaining the features of each and discussing the possibilities of utilizing the tools in the future.
Speakers
Masaki Ishiguro

Chief Manager and Mission Leader at Cybersecurity Strategy Group, Mitsubishi Research Institute, Inc.
Masaki Ishiguro, Ph.D., is a Chief Manager and Mission Leader at Cybersecurity Strategy Group, Mitsubishi Research Institute, Inc. His areas of expertise include Cybersecurity Technologies, Government policies, Risk Management, Cybersecurity Economics, Digital Engineering. He has completed...

Atsuya Misaki

Product Manager, Cybertrust Japan Co., Ltd.
Atsuya Misaki is a Product Manager in Cybertrust Japan. He works in product development related to SBOM and vulnerability management.

Yumi Tomita

Marketer, Cybertrust Japan Co., Ltd.
Yumi Tomita is a Marketer in Cybertrust Japan. She works to utilize SBOM for vulnerability management. She is a member of the OpenChain Project Japan Working Group.
Main Hall

11:55 JST

Let’s Join CNCF TAG Security APAC! - Yoshiyuki Tabata, Hitachi, Ltd.
Wednesday October 30, 2024 11:55 - 12:00 JST
The CNCF Security Technical Advisory Group (TAG Security) is a group of cloud-native security experts and anyone interested in cloud-native security, and we can come together to work on various issues in different security areas. We do this in various ways, including through white papers we produce as resources for the community, presentations on new security projects including CNCF projects, and security assessments we provide to CNCF projects and many other initiatives. Previously, TAG Security meetings were only held in the US and EMEA time zones for a long time. This made it difficult for security friends in the APAC time zone to contribute to TAG Security, but we have now managed to hold meetings in the APAC time zone starting in August of this year! In this presentation, Yoshiyuki Tabata, facilitator for TAG Security APAC, will provide an overview of TAG Security and its latest trends. Let's make TAG Security APAC even more exciting together!
Speakers
Yoshiyuki Tabata

Senior OSS Consultant, Hitachi
Yoshiyuki Tabata is a Senior OSS Consultant at Hitachi, Ltd., responsible for IAM and API-related solutions. As an authentication and authorization expert, he has provided numerous consultations, for example, designing and building API/SSO systems in various fields such as finance...
Main Hall

12:05 JST

Rapid Handling of Vulnerabilities in the Supply Chain with SBOM and VEX - Akihiko Takahashi, Fujitsu Limited
Wednesday October 30, 2024 12:05 - 12:15 JST
Fujitsu supports SPDX evolution and the movement to an international standard that provides a common SBOM basis for software exploitation for companies throughout the supply chain. We have long provided multilateral support for SPDX, especially through activities in Yocto and SPDX-Lite. Since 2016, we have been among the maintainers of meta-spdxscanner, enabling SPDX functionality for the Yocto Project. Also, we are the top contributors of patch submissions to the Yocto Project. In recent years, increasing interest in cybersecurity has led to the need to quickly determine whether a product is vulnerable or not. In the supply chain, vulnerability information can be handled in combination with SBOM and VEX. An SBOM should be generated for each build, and a VEX should be generated for each vulnerability detection. It is necessary to manage them separately because their life cycles are different. In addition, there is a problem in the accuracy of the vulnerability, and there are some measures to solve it. In this presentation, we describe the advantages and challenges of creating VEX in Yocto as a use case.
Speakers
Akihiko Takahashi

Fujitsu
I am an Embedded Linux Developer. I joined Fujitsu Corporation in 2013. My primary role involves developing an in-house distribution for embedded systems. I have experience in IVI (In-Vehicle Infotainment) system development, DevOps, and infrastructure environment development. Currently...
Main Hall

14:30 JST

Learnings from Teaching Students Who Are Willing to Be Cyber Security Expert. - Masato Matsuoka, Black Duck Software G.K.
Wednesday October 30, 2024 14:30 - 14:40 JST
I have been chosen as a lecturer of IoT cyber security for Security Camp, and I taught them IoT system risk analysis from outside of the systems, and at the software level, identifying system-internal risks with SBOM. Many of them are very good cyber security learners, but there are some findings from the series of lectures. They know about the risks of software in general, but they do not have much experience yet, so the discussion always ends up being about basic things after all. For example, their knowledge and experience are very limited, so identifying the risks of the OSS components by evaluating Software BOMs is quite challenging. I won't give you any guidance, ideas or the like, but I will share my experiences with students.
Speakers
ANI Matsuoka

Sr. Technical Marketing Manager, Black Duck Software G.K.
Graduated from the Department of Electrical Engineering, Nagaoka Technical High School, Niigata Prefecture. Former software developer and cyclist including embedded. After mainly experiencing control systems and embedded software development, he was involved in embedded development...
Main Hall

14:45 JST

Developers Meet Security: Lessons Learnt - Marta Rybczynska, Ygreky
Wednesday October 30, 2024 14:45 - 15:00 JST
Security training for developers has become more and more popular. However, does it bring the desired effect? In this talk, Marta will summarize the experience of communicating and training developers on security topics. She will share lessons learned and suggestions on topics like addressing previous bad experiences in communication between developers and security people, the existence of silos, developers being overwhelmed by methodologies and tools, lack of time and resources for security and quality work, and more. This session will be a call for a discussion on how to better explain security to people who are not security experts and do not want to be.
Speakers
Marta Rybczynska

Founder, Ygreky
Marta Rybczynska has a network security background, with 20 years of experience in Open Source. She has worked with embedded operating systems like Linux and various real-time OSes, and with system libraries and frameworks up to user interfaces. She has been involved in various Open...
Main Hall
 