SOSS Community Day Japan 2024

The CNCF Security Technical Advisory Group (TAG Security) is a group of cloud-native security experts and anyone interested in cloud-native security, and we can come together to work on various issues in different security areas. We do this in various ways, including through white papers we produce as resources for the community, presentations on new security projects including CNCF projects, and security assessments we provide to CNCF projects and many other initiatives. Previously, TAG Security meetings were only held in the US and EMEA time zones for a long time. This made it difficult for security friends in the APAC time zone to contribute to TAG Security, but we have now managed to hold meetings in the APAC time zone starting in August of this year! In this presentation, Yoshiyuki Tabata, facilitator for TAG Security APAC, will provide an overview of TAG Security and its latest trends. Let's make TAG Security APAC even more exciting together!

With the arrival of the new Post Quantum Cryptography (PQC) NIST standards, we look at the current state. Cryptography and crypto agility are cornerstones of cybersecurity and are essential for everyone. With this presentation, we want to empower every engineer and security expert with hands-on insights into quantum-resistant cryptography to help them navigate the quantum readiness journey. We will explore PQC aspects for use cases in IoT, container, and software supply chain security, as well as initiatives based on standards such as those involving FIPS and IEFT. Additionally, we will discuss the advancements in PQC within the Open-Source products available from bouncycastle.org, ejbca.org, and signserver.org. Security is a collective effort; community collaboration is vital for high-quality, interoperable cryptographic solutions.

DevOps, CI/CD, and rapid improvement cycles have improved code maintenance and quality. Yet, application security remains vulnerable and underdeveloped. Drawing on my experience with the OWASP community in Japan and some OWASP Projects like the OWASP LLM Top 10 Risks project, I will share some concepts of beneficial and risky practices throughout DevOps.

I have been chosen a lecturer of IoT cyber security for Security Camp, and I taught them IoT system risk analysis from outside of the systems, and software levels which system internal risks identifying with SBOM. Many of them are very good cyber security learner, but there are some findings from the series of lecture. They are knowing about risks of software in general, but they have not much experiences yet then it's always discussing about basic things after all. e.g. Their knowledge and experiences are very limited then identify the risks of the OSS components by evaluating Software BOMs is quite challenging. I don't give you any guidance, ideas or so, but I will share my experiences with students.

Security training for developers has become more and more popular. However, do they bring the desired effect? In this talk, Marta will summarize the experience of communicating and training developers on security topics. She will share lessons learned and suggestions on topics like addressing previous bad experiences in communication between developers and security people, the existence of silos, developers being overwhelmed by methodologies and tools, lack of time and resources for security and quality work, and more. This session will be a call for a discussion on how to better explain security to people who are not security experts and do not want to be.