Open Source Summit + AI_dev Japan 2024

As Linux is increasingly deployed in systems with varying criticality constraints, distro providers are expected to ensure that security fixes in their offerings do not introduce regressions for customer products that have safety considerations. The key question arises: How can they establish consistent linkage between code, tests, and the requirements that the code satisfies? And which open source tools and specifically for Linux exist to support traceability in order to comply with standards such as ASPICE, ISO26262 or ISO21434? This talk addresses critical challenges in requirements tracking, documentation, testing, and artifact sharing within the Linux kernel ecosystem. Functionality has historically been added to the kernel with requirements explained in the email justifications for adding, but not formalized as “requirements” in the kernel documentation. While tests are contributed for the code, the underlying requirement that the tests satisfies is likewise not documented in a consistent manner. This and further topics will be discussed. Additionally, the results from the "Safe Systems with Linux" micro conference at Linux plumbers will be summarized.

You do your best to build a quality product and ensure testability and maintainable code. However, code security issues require a different domain of expertise, and your last vulnerable line of code is your first security regret. Maybe you heard about OWASP Top 10, and just maybe you can spot an SQL injection but how do you scale and prioritize code security across your tech stack and your development team? How do you ship secure operational technology (OT) software for critical infrastructure? This task becomes even more difficult to balance with false positive alerts, struggles to find vulnerable C++ libraries statically compiled in your runtime, and bridging the growing security knowledge gap that results in developers writing insecure code. Tune in to learn about secure coding practices and techniques to produce high-quality secure software. Your takeaways from this session will be learning from practical real-world vulnerable code, secure dependency upgrade policies, leveraging SBOMs for vulnerability and package signals, and hands-on hacking demos. This session offers actionable strategies and real-world applications to help you safeguard your critical software projects.

Linux is the foundational infrastructure for mission-critical systems across sectors like energy, transportation, and healthcare. These systems must operate reliably for decades while adapting to evolving Smart City and IoT landscapes. Interconnectivity brings challenges in managing vulnerabilities and upgrades, requiring adherence to standards and maintaining system integrity.

The Civil Infrastructure Platform (CIP) project addresses these challenges by providing an Industrial Grade Linux platform for robust, secure, and sustainable operations. Over 7 years, CIP has demonstrated a commitment to meeting current needs and addressing future threats.

This presentation will explore CIP's pivotal role in strengthening cyber resilience and enhancing system reliability. It will also delve into the CIP Security Working Group's efforts to align the platform with the IEC 62443 standard for industrial control system security.

The key topics covered will include ensuring IEC-62443-4-x compliance, bridging gaps for updates and long-term support, traceability between code, tests, and requirements for standards compliance. The presentation will also discuss CIP's role in building sustainable and cyber-resilient critical infrastructure, integrating security throughout the CIP ecosystem using the IEC 62443 framework, and the benefits of this alignment for improved risk management and threat mitigation.

Attendees will gain insights on how CIP can help build future-ready, cyber-resilient systems