Open Source Summit + AI_dev Japan 2024

As Linux is increasingly deployed in systems with varying criticality constraints, distro providers are expected to ensure that security fixes in their offerings do not introduce regressions for customer products that have safety considerations. The key question arises: How can they establish consistent linkage between code, tests, and the requirements that the code satisfies? And which open source tools and specifically for Linux exist to support traceability in order to comply with standards such as ASPICE, ISO26262 or ISO21434? This talk addresses critical challenges in requirements tracking, documentation, testing, and artifact sharing within the Linux kernel ecosystem. Functionality has historically been added to the kernel with requirements explained in the email justifications for adding, but not formalized as “requirements” in the kernel documentation. While tests are contributed for the code, the underlying requirement that the tests satisfies is likewise not documented in a consistent manner. This and further topics will be discussed. Additionally, the results from the "Safe Systems with Linux" micro conference at Linux plumbers will be summarized.

You do your best to build a quality product and ensure testability and maintainable code. However, code security issues require a different domain of expertise, and your last vulnerable line of code is your first security regret. Maybe you heard about OWASP Top 10, and just maybe you can spot an SQL injection but how do you scale and prioritize code security across your tech stack and your development team? How do you ship secure operational technology (OT) software for critical infrastructure? This task becomes even more difficult to balance with false positive alerts, struggles to find vulnerable C++ libraries statically compiled in your runtime, and bridging the growing security knowledge gap that results in developers writing insecure code. Tune in to learn about secure coding practices and techniques to produce high-quality secure software. Your takeaways from this session will be learning from practical real-world vulnerable code, secure dependency upgrade policies, leveraging SBOMs for vulnerability and package signals, and hands-on hacking demos. This session offers actionable strategies and real-world applications to help you safeguard your critical software projects.

Linux is the foundational infrastructure for mission-critical systems across sectors like energy, transportation, and healthcare. These systems must operate reliably for decades while adapting to evolving Smart City and IoT landscapes. Interconnectivity brings challenges in managing vulnerabilities and upgrades, requiring adherence to standards and maintaining system integrity.

The Civil Infrastructure Platform (CIP) project addresses these challenges by providing an Industrial Grade Linux platform for robust, secure, and sustainable operations. Over 7 years, CIP has demonstrated a commitment to meeting current needs and addressing future threats.

This presentation will explore CIP's pivotal role in strengthening cyber resilience and enhancing system reliability. It will also delve into the CIP Security Working Group's efforts to align the platform with the IEC 62443 standard for industrial control system security.

The key topics covered will include ensuring IEC-62443-4-x compliance, bridging gaps for updates and long-term support, traceability between code, tests, and requirements for standards compliance. The presentation will also discuss CIP's role in building sustainable and cyber-resilient critical infrastructure, integrating security throughout the CIP ecosystem using the IEC 62443 framework, and the benefits of this alignment for improved risk management and threat mitigation.

Attendees will gain insights on how CIP can help build future-ready, cyber-resilient systems

At Open Source Summit Japan, within the Operation Management Summit, Keith Bergelt, CEO of Open Invention network, will address ways to mitigate risk to open source projects, developers and distributors. Few developers or businesses will show interest in contributing to an open source project if it doesn't address potential bugs, security issues, or feature additions to its repository. This is well understood by the OSS community and spurred its growth into new technological areas such as AI/ML, FinTech and Automotive, among many others. However, many of today’s most popular open source licenses do not adequately address patent risk for open source projects. As patent risk is a challenge that must be addressed, this presentation will discuss the key tenets around patent non-aggression in open source, key patent-related risks, and the best practices that open source projects and their management should consider moving forward to “address the issue.” . Key Takeaways: - An understanding of the patent threat matrix to open source projects - Ways patent litigation risks are rising & ways to reduce these risks - Best practice solutions for management to mitigate these challenges

To sustain the OS industry, we must assess the efficiency of the open source 3P cycle (Projects, Products, and Profits). Companies build products using open source software and generate revenue. This should incentivize them to reinvest in open source communities, thereby creating better products and increasing profits. However, the 3P cycle is not functioning smoothly. While companies utilize open source technologies, they often do so without collaborating with the community. This lack of interaction reduces their interest in reinvesting in the open source ecosystem. This issue significantly impacts the Japanese industry. Companies miss opportunities to leverage cutting-edge technologies and remain less inclined to invest in talent development within and outside their organizations. The resulting talent shortage poses a serious sustainability challenge for the industry. In this session, LF Japan evangelists will discuss this topic from their respective areas of expertise, including cloud, blockchain, security, compliance, and OSPO. Attendees will learn about the latest trends in open source and business and engage in discussions on how to enhance the 3P cycle in Japan.

International standards addressing specific challenges around open source provide organizations significant opportunities for increasing efficiency and reducing risk. This talk will explain practical ways for procurement departments to use these standards to benefit product teams, IP departments, legal departments or OSPOs supporting corporate policy. The focus will be on ISO/IEC 5230 (license compliance), ISO/IEC 18974 (security assurance) and ISO/IEC 5962 (SBOM), all mature standards maintained by Linux Foundation Projects. The audience of this talk will be equipped to immediately improve their supply chain management as either customers or suppliers in any industry sector.

This session will introduce the SPDX Lite profile, its background, and what and how it solves with many JSON examples. The Lite profile of SPDX 3.0 is designed to make it quick and easy to start creating a Software Bill of Materials (SBOMs) when a company has limited capacity for introducing new items into its process. Over the past few years, the importance of SBOM has increased. As interest in SBOM from government agencies and industries grows, the SBOM specification extends significantly to meet these various needs. SPDX Lite is a lightweight and compact SBOM specification. The OpenChain Project Japan WG explores and promotes SBOM. The focus is on making the SBOM practical from security assurance and license compliance perspectives and on sharing and transferring SBOM across the global software supply chain in any industry. SPDX Lite is one of the achievements of collaboration between the OpenChain project and the SPDX project. Attendees in this session will learn the first steps to creating an SBOM using the Lite profile of SPDX 3.0 by several examples of SBOM documents that address regulations and requirements.