October 28-29, 2024 | Tokyo, Japan
Note: The schedule is subject to change.

This schedule is displayed in Japan Standard Time (UTC +9).
Main Hall
Monday, October 28
 

09:00 JST

Keynote Sessions to be Announced
Monday October 28, 2024 09:00 - 10:45 JST
Main Hall

11:15 JST

Safe Systems with Linux - Philipp Ahmann, Etas GmbH (BOSCH) & Kate Stewart, The Linux Foundation
Monday October 28, 2024 11:15 - 11:55 JST
As Linux is increasingly deployed in systems with varying criticality constraints, distro providers are expected to ensure that security fixes in their offerings do not introduce regressions for customer products that have safety considerations. The key question arises: how can they establish consistent linkage between code, tests, and the requirements that the code satisfies? And which open source tools, specifically for Linux, exist to support traceability in order to comply with standards such as ASPICE, ISO 26262 or ISO 21434? This talk addresses critical challenges in requirements tracking, documentation, testing, and artifact sharing within the Linux kernel ecosystem. Functionality has historically been added to the kernel with requirements explained in the email justifications for adding it, but not formalized as “requirements” in the kernel documentation. While tests are contributed for the code, the underlying requirement that the tests satisfy is likewise not documented in a consistent manner. This and further topics will be discussed. Additionally, the results from the "Safe Systems with Linux" micro conference at Linux Plumbers will be summarized.
Speakers
Philipp Ahmann, Sr. OSS Community Manager, Etas GmbH (BOSCH)
Philipp Ahmann is a senior OSS community manager at Etas GmbH (BOSCH) specializing in safety and automotive grade open source software. He holds the position of technical steering committee chair for the Linux Foundation (LF) ELISA project to Enable Linux in Safety Applications and...
Kate Stewart, VP Dependable Embedded Systems, Linux Foundation
Kate Stewart works with the safety, security and license compliance communities to advance the adoption of best practices into embedded open source projects. Since joining The Linux Foundation, she has launched the ELISA and Zephyr Projects, as well as supporting other embedded projects...
Main Hall

12:05 JST

Secure Code, Safe Future: Mastering Security in Critical Software Development - Liran Tal, Snyk
Monday October 28, 2024 12:05 - 12:45 JST
You do your best to build a quality product and ensure testability and maintainable code. However, code security issues require a different domain of expertise, and your last vulnerable line of code is your first security regret. Maybe you have heard about the OWASP Top 10, and just maybe you can spot an SQL injection, but how do you scale and prioritize code security across your tech stack and your development team? How do you ship secure operational technology (OT) software for critical infrastructure? The task becomes even harder when you must also balance false-positive alerts, struggle to find vulnerable C++ libraries statically compiled into your runtime, and bridge the growing security knowledge gap that results in developers writing insecure code. Tune in to learn about secure coding practices and techniques to produce high-quality secure software. Your takeaways from this session will include lessons from practical real-world vulnerable code, secure dependency upgrade policies, leveraging SBOMs for vulnerability and package signals, and hands-on hacking demos. This session offers actionable strategies and real-world applications to help you safeguard your critical software projects.
Speakers
Liran Tal, Director of Developer Advocacy, Snyk
Liran Tal is a software developer and a GitHub Star, world-recognized for his activism in open source communities and advancing web and Node.js security. He engages in security research through his work in the OpenJS Foundation and the Node.js ecosystem security WG, and further promotes...
Main Hall

14:00 JST

Enhancing Cyber Resilience and Sustainability in Critical Infrastructure with CIP and IEC-62443-4 - Yoshitake Kobayashi, Civil Infrastructure Platform & Dinesh Kumar, Toshiba Software India
Monday October 28, 2024 14:00 - 14:40 JST
Linux is the foundational infrastructure for mission-critical systems across sectors like energy, transportation, and healthcare. These systems must operate reliably for decades while adapting to evolving Smart City and IoT landscapes. Interconnectivity brings challenges in managing vulnerabilities and upgrades, requiring adherence to standards and maintaining system integrity.

The Civil Infrastructure Platform (CIP) project addresses these challenges by providing an Industrial Grade Linux platform for robust, secure, and sustainable operations. Over 7 years, CIP has demonstrated a commitment to meeting current needs and addressing future threats.

This presentation will explore CIP's pivotal role in strengthening cyber resilience and enhancing system reliability. It will also delve into the CIP Security Working Group's efforts to align the platform with the IEC 62443 standard for industrial control system security.

The key topics covered will include ensuring IEC-62443-4-x compliance, bridging gaps for updates and long-term support, and traceability between code, tests, and requirements for standards compliance. The presentation will also discuss CIP's role in building sustainable and cyber-resilient critical infrastructure, integrating security throughout the CIP ecosystem using the IEC 62443 framework, and the benefits of this alignment for improved risk management and threat mitigation.

Attendees will gain insights on how CIP can help build future-ready, cyber-resilient systems.
Speakers
Yoshitake Kobayashi, TSC Chair, Civil Infrastructure Platform (Toshiba)
Yoshitake Kobayashi is the Technical Steering Committee Chair for the Civil Infrastructure Platform Project, hosted by The Linux Foundation. He is actively working to leverage open-source software for a secure and sustainable society. Additionally, he leads a software R&D department...
Dinesh Kumar, Engineering Manager, Toshiba Software India Pvt Ltd
Experienced in developing embedded Linux software, secure boot, Debian packages, board support packages, and Android applications and frameworks. My research interests include embedded Linux, Linux kernel security, cybersecurity and cloud technologies. Currently working for...
Main Hall

14:50 JST

Best Practices for Reducing Patent Risk to OSS Projects - Keith Bergelt, Open Invention Network
Monday October 28, 2024 14:50 - 15:30 JST
At Open Source Summit Japan, within the Operation Management Summit, Keith Bergelt, CEO of Open Invention Network, will address ways to mitigate risk to open source projects, developers and distributors. Few developers or businesses will show interest in contributing to an open source project if it doesn't address potential bugs, security issues, or feature additions to its repository. This is well understood by the OSS community and has spurred its growth into new technological areas such as AI/ML, FinTech and Automotive, among many others. However, many of today’s most popular open source licenses do not adequately address patent risk for open source projects. As patent risk is a challenge that must be addressed, this presentation will discuss the key tenets around patent non-aggression in open source, key patent-related risks, and the best practices that open source projects and their management should consider moving forward to “address the issue.”
Key Takeaways:
- An understanding of the patent threat matrix to open source projects
- Ways patent litigation risks are rising and ways to reduce these risks
- Best practice solutions for management to mitigate these challenges
Speakers
Keith Bergelt, CEO, Open Invention Network
Keith Bergelt is the CEO of Open Invention Network (OIN), the only institution focused on mitigating patent risk in open source software. Funded by Google, IBM, NEC, Philips, Sony, SUSE, and Toyota, OIN has nearly 4,000 community members. In his capacity as CEO, he is directly responsible...
Main Hall

15:40 JST

OS Sustainability in Japan: Open Collaboration Model to Spin up the OSS 3P Cycle - Yuichi Nakamura & Ayumi Watanabe, Hitachi; Shingo Fujimoto, Fujitsu; Masato Endo, Toyota; Munehiro Ikeda, Cybertrust Japan; Moderated by Nori Fukuyasu, The Linux Foundation
Monday October 28, 2024 15:40 - 16:20 JST
To sustain the OS industry, we must assess the efficiency of the open source 3P cycle (Projects, Products, and Profits). Companies build products using open source software and generate revenue. This should incentivize them to reinvest in open source communities, thereby creating better products and increasing profits. However, the 3P cycle is not functioning smoothly. While companies utilize open source technologies, they often do so without collaborating with the community. This lack of interaction reduces their interest in reinvesting in the open source ecosystem. This issue significantly impacts the Japanese industry. Companies miss opportunities to leverage cutting-edge technologies and remain less inclined to invest in talent development within and outside their organizations. The resulting talent shortage poses a serious sustainability challenge for the industry. In this session, LF Japan evangelists will discuss this topic from their respective areas of expertise, including cloud, blockchain, security, compliance, and OSPO. Attendees will learn about the latest trends in open source and business and engage in discussions on how to enhance the 3P cycle in Japan.
Speakers
Yuichi Nakamura, Chief OSS Strategist, Hitachi
Yuichi Nakamura, Ph.D., has been engaged with OSS for over 20 years, has contributed to SELinux, and has given presentations at many OSS events such as Linux Security Summit, Embedded Linux Conference and KubeCon. He also launched an ecosystem of business and OSS contribution model based on Keycloak in Hitachi, Ltd...
Ayumi Watanabe, SBOM Evangelist, Hitachi Solutions, Ltd.
Ayumi Watanabe is a Senior OSS Specialist at Hitachi Solutions, Ltd. She is also a core member of OpenChain Japan and is known as an SBOM evangelist appointed by the Linux Foundation Japan. Her strong points are knowledge of many tools for SBOM generation and management, a wide range...
Shingo Fujimoto, Senior Research Director, Fujitsu
Shingo Fujimoto leads the development of various blockchain technologies at Fujitsu, based on his broad knowledge in the field of internet security and protocol design. He is also involved in several blockchain PoC projects with innovative customers. Shingo is a maintainer of Hyperledger...
Masato Endo, Manager of OSPO, Toyota Motor Corporation
Masato Endo is a Group Manager at TOYOTA. He also focuses on building the Open Source governance structure within Toyota and developing relationships with the Open Source community through projects such as AGL and OIN. From 2017, he began to work with the OpenChain Project as a board...
Munehiro Ikeda, Lead Architect, Cybertrust Japan Co., Ltd.
Ikeda Munehiro is a key engineer in the IoT Technology Division at Cybertrust Japan, working on leading-edge technologies and contributing to the Open Source Security Foundation (OpenSSF) activities on OSS security and supply chain.
Nori Fukuyasu, VP of Japan Operations, The Linux Foundation
VP of Japan Operations at The Linux Foundation.
Main Hall

16:40 JST

A Practical Guide to Using International Standards for Open Source Procurement - Shane Coughlan, OpenChain Project
Monday October 28, 2024 16:40 - 17:20 JST
International standards addressing specific challenges around open source provide organizations significant opportunities for increasing efficiency and reducing risk. This talk will explain practical ways for procurement departments to use these standards to benefit product teams, IP departments, legal departments or OSPOs supporting corporate policy. The focus will be on ISO/IEC 5230 (license compliance), ISO/IEC 18974 (security assurance) and ISO/IEC 5962 (SBOM), all mature standards maintained by Linux Foundation Projects. The audience of this talk will be equipped to immediately improve their supply chain management as either customers or suppliers in any industry sector.
Speakers
Shane Coughlan, General Manager, OpenChain Project
Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated OIN into the largest patent non-aggression community in history and establishing the first global network for open...
Main Hall

17:30 JST

SBOM Implementation Reality: From Crawl to Walk - SPDX Lite Profile for the First Step - Norio Kobota, Sony Group Corporation & Takashi Ninjouji, Toshiba Corporation
Monday October 28, 2024 17:30 - 18:10 JST
This session will introduce the SPDX Lite profile, its background, and what problems it solves and how, with many JSON examples. The Lite profile of SPDX 3.0 is designed to make it quick and easy to start creating Software Bills of Materials (SBOMs) when a company has limited capacity for introducing new items into its process. Over the past few years, the importance of SBOM has increased. As interest in SBOM from government agencies and industries grows, the SBOM specification has extended significantly to meet these various needs. SPDX Lite is a lightweight and compact SBOM specification. The OpenChain Project Japan WG explores and promotes SBOM. The focus is on making the SBOM practical from security assurance and license compliance perspectives and on sharing and transferring SBOMs across the global software supply chain in any industry. SPDX Lite is one of the achievements of collaboration between the OpenChain project and the SPDX project. Attendees in this session will learn the first steps to creating an SBOM using the Lite profile of SPDX 3.0 through several examples of SBOM documents that address regulations and requirements.
Speakers
Norio Kobota, Senior Open Source Strategist, Sony Group Corporation
Norio Kobota is a Senior Open Source Strategist at Sony Group Corporation. He is the chair of the Open Source Software License Committee at Sony and works to improve OSS compliance and relationships with OSS communities. He represents Sony as a board member of the OpenChain Project. And he...
Takashi Ninjouji, Chief Specialist, Toshiba Corporation
Takashi Ninjouji, Chief Specialist at Toshiba Corporation, works on open source, open standards, and compliance and was the first head of its OSPO. He is strongly attracted to open source as a way to collaborate with diverse communities. He is a member of the OpenChain Project's governing board...
Main Hall
 
Tuesday, October 29
 

09:00 JST

Keynote Sessions: To Be Announced
Tuesday October 29, 2024 09:00 - 10:25 JST
Main Hall

11:10 JST

What's Happening in Japan? The Current Situation of SBOM - Ayumi Watanabe, Hitachi Solutions, Ltd.
Tuesday October 29, 2024 11:10 - 11:50 JST
This is an updated version of my previous CFP for OSS Summit EU. I will add a deeper analysis of the unique supply chain issues of Japan and the SBOM best practices of Japanese companies. It would be a special insight into current SBOM practice in Japan. I believe this is the best topic to be discussed at OSS Summit Japan. Three years have passed since the issuance of the U.S. Executive Order (EO #14028), and the adoption of SBOM in Japan has gradually progressed. Japanese companies are learning the minimum elements of SBOM, which were published by NTIA, and are converting to a development process that takes automated SBOM generation into account. In July 2023, the Ministry of Economy, Trade, and Industry (METI) published a guide on the introduction of SBOM for software management, and the second version is scheduled to be released this summer. In this session, Ayumi Watanabe, a Japanese SBOM evangelist and an advisor to METI's SBOM PoC project, will discuss the status of SBOM in Japan, including the content of METI's guidelines, and the maturity and challenges of SBOM implementation in Japanese companies.
Speakers
Ayumi Watanabe, SBOM Evangelist, Hitachi Solutions, Ltd.
Ayumi Watanabe is a Senior OSS Specialist at Hitachi Solutions, Ltd. She is also a core member of OpenChain Japan and is known as an SBOM evangelist appointed by the Linux Foundation Japan. Her strong points are knowledge of many tools for SBOM generation and management, a wide range...
Main Hall

12:00 JST

Trials and Tribulations of Updating Dependencies for Vulnerability Remediation - Xueqin Cui & Michael Kedar, Google
Tuesday October 29, 2024 12:00 - 12:40 JST
Developers are often faced with an overwhelming number of vulnerabilities reported against their dependencies. The best way to deal with this is to keep all dependencies up to date; however, this is not possible for everyone. It takes a lot of work to get all dependencies up to date for older projects, or to figure out which dependencies and versions to update in response to vulnerabilities. The open source OSV project built a feature called “guided remediation” to automatically update dependencies while minimising breakages. Upgrades that fix a greater number of vulnerabilities at once are prioritised. Mechanisms such as vulnerability dependency depth have also been developed to further help prioritise the work. While developing this functionality to tackle these problems, we discovered that this is not as easy as it sounds. There are complexities in every step of the whole process: from scanning project files, to resolving dependencies in ecosystems with complicated rules, to determining possible updates, to writing back to the files. This talk explores the many challenges faced within npm and Maven, their complicated rules, and potential solutions for wider ecosystem support.
Speakers
Xueqin Cui, Software Engineer, Google
Xueqin is a Software Engineer working on Google's Open Source Security team.
Michael Kedar, Software Engineer, Google
Michael is a Software Engineer working on Google's Open Source Security Team.
Main Hall

14:00 JST

Analysis of and Lessons from the Xz-Utils Vulnerability – What Might Come Next? - Taku Shimosawa & Atsuya Kato, Hitachi, Ltd.
Tuesday October 29, 2024 14:00 - 14:40 JST
The xz-utils vulnerability has attracted attention from everyone involved not only in open-source software but in any form of software that is built through the collaboration of developers. The vulnerability, or rather the social engineering attack, combined multiple attack techniques: maintainer takeover, obfuscated trigger code, and binary files pretending to be sample archives, and it targeted Linux distributions, which are fundamental to the current software supply chain. In this session, Taku aggregates multiple existing analyses of the vulnerability and explains how the attack was performed, following the progression of the incident as well as the technical details of the malicious source code and binary. Taku also presents the potential risk of similar incidents in open-source repositories by using utilities including OpenSSF’s Scorecard and Criticality Score. This session will suggest what kinds of attacks may come next for the software industry and how they could be mitigated or coped with.
Speakers
Atsuya Kato, Researcher, Hitachi, Ltd.
Taku Shimosawa, Chief Researcher, Hitachi, Ltd.
Taku Shimosawa is a chief researcher at Hitachi, Ltd. He has contributed to the Hyperledger community, and has recently joined OpenSSF.
Main Hall

14:50 JST

Revolutionizing Container Security: Automated Vulnerability Patching with Copa - Anubhav Gupta, Akuity
Tuesday October 29, 2024 14:50 - 15:30 JST
Container image vulnerabilities pose significant security challenges. While tools like Grype and Trivy identify issues, efficient remediation remains a hurdle. Enter Copa, a groundbreaking CNCF project designed to automatically patch vulnerabilities within container images. Copa enables swift OS-level vulnerability remediation without upstream rebuilds, crucial for complex supply chains and third-party sources with delayed updates. It works with existing vulnerability scanners to streamline patching processes, reducing complexity and turnaround time. In this session, we’ll explore Copa’s integration with current workflows, its ability to patch images without requiring specific customizations, and support for containers without package managers, including distroless containers. Attendees will learn how Copa empowers DevSecOps teams to deploy secure containers faster and with greater confidence, minimizing exposure to potential threats. Join us to discover how Copa transforms container security, making automated patching accessible and effective for all practitioners.
Speakers
Anubhav Gupta, Software Engineer, Akuity
Anubhav works as a Software Engineer at Akuity. He is a graduate of the Summer 2023 LFX Mentorship batch with the CNCF, where he worked on the Kubescape project. He is an active contributor to various CNCF projects including Kubescape and Copa. Anubhav has previously spoken at the Open Source...
Main Hall

15:50 JST

The Dark Side of AI: The Hidden Risks in Open-Source AI Models - Tal Folkman, Checkmarx
Tuesday October 29, 2024 15:50 - 16:30 JST
Explore the dark side of powerful AI tools and the burning question: are they truly secure? Join me as we unravel the construction of AI models, focusing on their weak spots. Through multiple demos, witness how AI models can be manipulated to become malicious. This session offers a deep dive into a case study on the "Malicious Copilot" IDE plugin, showcasing how a code-completion model can be trained to target specific victims, how malicious code can be embedded within models, and more. Additionally, we'll tackle practical takeaways for companies utilizing generative AI and LLMs.
Speakers
Tal Folkman, Security Research Team Lead, Checkmarx
Tal Folkman is a seasoned senior malware researcher and accomplished expert in cybersecurity with over 8 years of experience in the field. Tal possesses exceptional skills in detecting and analyzing malicious code present in open-source software supply chains. In 2021, Tal joined Dustico...
Main Hall

16:40 JST

The Telemetry of Trust, Using Attestations to Secure Your SDLC with Open Source Tools - Jesse Sanford & Jagadish Ramidi, Autodesk
Tuesday October 29, 2024 16:40 - 17:20 JST
Let’s be honest, delivering software can be a dirty business, especially if you are in the critical path of delivering legacy software or software born from mergers and acquisitions. How can we secure so many differences at scale? How can we build trust into everything we do so that we can delay evaluation until we have enough trust later? In this talk, Jagadish and Jesse show you how Autodesk is thinking about solving both of these problems simultaneously through the use of “attestations”: simple, cryptographically verifiable bits of telemetry that, when combined, amount to a whole lot more than the sum of their parts. Get enough of them and they build a story of trust. By weaving a software lifecycle tale through a series of verifiable inputs, actions and outcomes, we can decide, for example, when to allow a build to be deployed, or better, when it is to be deployed to a secure and compliant location. Autodesk is starting to tell those software lifecycle stories using open source software woven into our platform, making the software we build safer for all, despite our diversity.
Speakers
Jagadish Ramidi, Software Engineer, Autodesk
Works as a security software engineer at Autodesk focusing on software composition analysis and supply chain security.
Jesse Sanford, Software Architect, Autodesk
Jesse is a lifelong software engineer focused on site reliability and Infosec. Currently architecting the juncture of platform engineering and security/compliance for Autodesk's Developer Enablement team. He regularly contributes to open source and frequently speaks about his work...
Main Hall
 