BEGIN:VCALENDAR
VERSION:2.0
X-WR-CALNAME:openssfcdna2026
X-WR-CALDESC:Event Calendar
METHOD:PUBLISH
CALSCALE:GREGORIAN
PRODID:-//Sched.com OpenSSF Community Day North America 2026//EN
X-WR-TIMEZONE:UTC
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T123000Z
DTEND:20260521T220000Z
SUMMARY:Registration & Badge Pick-up
DESCRIPTION:\n
CATEGORIES:REGISTRATION / BREAKS & NETWORKING
LOCATION:Ballroom Lobby\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:d0a3248e0e762cf5f34e453750f443a8
URL:http://openssfcdna2026.sched.com/event/d0a3248e0e762cf5f34e453750f443a8
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T140000Z
DTEND:20260521T141000Z
SUMMARY:Welcome & Opening Remarks - Stacey Potter\, Community Manager - OpenSSF\, The Linux Foundation
DESCRIPTION:\n
CATEGORIES:KEYNOTE SESSIONS
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:0c80887c71466caab218fe68d17fb685
URL:http://openssfcdna2026.sched.com/event/0c80887c71466caab218fe68d17fb685
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T141500Z
DTEND:20260521T143500Z
SUMMARY:Keynote: Securing the Agentic Future: How OpenSSF is Leading the AI Security Transition - Steven Fernandez\, OpenSSF Managing Director\, The Linux Foundation
DESCRIPTION:As AI becomes a bigger part of software and open source development\, security needs are changing quickly. This talk will cover how the Open Source Security Foundation is ramping up the use of and support for AI security across the open source ecosystem.
CATEGORIES:KEYNOTE SESSIONS
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:3dba545cddd698f929babef211184f5d
URL:http://openssfcdna2026.sched.com/event/3dba545cddd698f929babef211184f5d
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T144000Z
DTEND:20260521T150000Z
SUMMARY:Keynote: Anatomy of a Phishing Campaign - Mike Fiedler\, Python Software Foundation
DESCRIPTION:In July 2025\, PyPI users received emails directing them to another site - a near-perfect clone transparently proxying requests to pypi.org. Within hours\, attackers compromised four accounts and uploaded malicious releases of the popular num2words package. This talk dissects the complete attack chain: how attackers harvested email addresses from public package metadata\, built a transparent proxy that relayed TOTP codes in real-time\, and why traditional 2FA failed while WebAuthn-based authentication stopped the attack cold. The session covers the incident response timeline\, challenges getting malicious infrastructure taken down (including initial rejection of abuse reports)\, and defensive measures deployed afterward—including new email verification for TOTP logins from unrecognized devices. Attendees will learn exactly how modern phishing attacks work against package repositories\, the critical difference between "phishable" and "phishing-resistant" 2FA\, and practical steps to protect accounts and packages from the next campaign. The talk also examines the September 2025 follow-up campaign targeting another domain and patterns across these ongoing attacks.
CATEGORIES:KEYNOTE SESSIONS
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:de4d824d86d578909998b42369d57e73
URL:http://openssfcdna2026.sched.com/event/de4d824d86d578909998b42369d57e73
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T150500Z
DTEND:20260521T152000Z
SUMMARY:Keynote: BEAR-ing Fruit: A Year of Learning\, Mentorship\, and Community Building in Open Source Security - Marcela Melara\, Research Scientist\, Intel Corporation
DESCRIPTION:The OpenSSF BEAR (Belonging\, Empowerment\, Allyship\, and Representation) Working Group is on a mission to make cybersecurity a place where everyone belongs! We knock down barriers and crank up the volume for underrepresented voices. We've learned that true representation is about building fun\, lasting paths for participation. \n \n In this session\, we'll take you on a journey through the evolution of BEAR\, culminating in the exciting launch of our newest global family member\, SIG OpenSSF Africa (Open Source Security Foundation Africa)! We'll share some insights and "Aha!" moments from our monthly Community Office Hours - including those unexpected successful strategies - and get honest about the triumphs and challenges of our mentorship program. \n \n Looking to level up your community game? Whether you want to understand the real-world challenges facing diverse groups in security or just need some practical\, battle-tested frameworks for building vibrant community programs\, this session is your toolkit. Get ready for an open\, fun look at building a truly inclusive open source security community!
CATEGORIES:KEYNOTE SESSIONS
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:dc2c33923c077d2cc5a509ea61e173c0
URL:http://openssfcdna2026.sched.com/event/dc2c33923c077d2cc5a509ea61e173c0
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T152500Z
DTEND:20260521T154000Z
SUMMARY:The Architecture of Accountability: Transparency in Software - Hayden Blauzvern\, Google
DESCRIPTION:In the context of secure systems\, "transparency" is often a loaded term. We will propose a precise definition: the guarantee of discoverability and auditability. Transparency is the difference between a system that merely claims to be secure and a system that provides proof of its security claims. \n \n This session offers a high-level primer on the principles of cryptographic transparency. We will discuss how to design transparent applications and explore the tooling available to create tamper-evident systems. We will examine how this pattern has already been used\, from Certificate Transparency providing auditability for web PKI\, Binary Transparency securing software delivery\, and Key Transparency hardening messaging applications. We will demonstrate how transparency can be applied for emerging frontiers as well\, such as AI model provenance and news authenticity. \n \n Finally\, we will discuss the ongoing specifications work to standardize transparency primitives and highlight opportunities to participate. Attendees will leave with a clear mental model for transparency by design\, ready to build systems where accountability is a default feature\, not an afterthought.
CATEGORIES:ENHANCING SECURITY TOOLS
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:663924d07efcda69831825511780678a
URL:http://openssfcdna2026.sched.com/event/663924d07efcda69831825511780678a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T154000Z
DTEND:20260521T160000Z
SUMMARY:Break
DESCRIPTION:- Scones (v)\n- Gluten-free Scones (v\, GF)\n- Assorted Fruit\n- Yogurt
CATEGORIES:REGISTRATION / BREAKS & NETWORKING
LOCATION:101C+D\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:6eb65c06b5e85eef8013d65026680827
URL:http://openssfcdna2026.sched.com/event/6eb65c06b5e85eef8013d65026680827
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T160000Z
DTEND:20260521T161500Z
SUMMARY:OpenSSF Baseline Alignment in Open Source Repos: Automation\, Surveys\, and the Visibility Gap - Will Sergeant\, Kiran Chana & Kavoi Mutisya\, Harvard
DESCRIPTION:Project BaseJump is the result of months of Capstone Project effort from a team of three Cybersecurity Masters Degree Candidates at Harvard Extension School: \n \n The project sought to develop a repeatable methodology for assessing Open Source Software repository alignment with the OpenSSF Baseline. \n \n In this presentation we will go over our findings from the project. In addition\, we have developed an application which seeks to automate much of the assessment process. This will be available on the OpenSSF GitHub.
CATEGORIES:SECURING THE SOFTWARE SUPPLY CHAIN
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:a3b57b3b08b533d9d389ad35c93ace38
URL:http://openssfcdna2026.sched.com/event/a3b57b3b08b533d9d389ad35c93ace38
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T162000Z
DTEND:20260521T163500Z
SUMMARY:Curating Secure Software: The Art of Selecting Safe Dependencies - Kadi McKean\, ReversingLabs
DESCRIPTION:Imagine curating an art gallery—you wouldn’t hang just any painting on the wall. Each piece is carefully selected\, verified for authenticity\, and preserved to ensure a valuable experience for visitors. The same meticulous approach applies to software development. \nSecure curation of open source isn’t about stifling creativity\; it’s about ensuring that the dependencies we bring into our applications are secure\, well-maintained\, and reliable. As an art curator protects against forgeries and deterioration\, developers must assess third-party components for malware\, tampering\, vulnerabilities\, licensing risks\, and long-term sustainability. \nThis talk will explore why curation is the foundation of secure software supply chains. We’ll discuss practical strategies for evaluating dependencies\, maintaining a trusted repository\, and leveraging free tools to automate the process. By adopting a safe curation mindset\, developers can sleep better at night\, knowing their applications rest on a foundation of safe\, high-quality components.
CATEGORIES:SECURING THE SOFTWARE SUPPLY CHAIN
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:023ae0693208d0c9d203fffe5562bab0
URL:http://openssfcdna2026.sched.com/event/023ae0693208d0c9d203fffe5562bab0
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T164000Z
DTEND:20260521T170000Z
SUMMARY:Enforcing the OpenSSF Ecosystem With AMPEL - Adolfo García Veytia\, Carabiner Systems
DESCRIPTION:AMPEL\, the Amazing Multipurpose Policy Engine (and L)\, is the latest open-source project (about) to land in the OpenSSF sandbox. \n \n AMPEL is a policy engine designed to be embeddable and easy to use in modern CI/CD environments. It brings together verification of signed in-toto attestations against policies\, mapped to security framework controls\, enabling projects and organizations to demonstrate compliance with security frameworks. \n \n The OpenSSF ecosystem groups tools that produce\, manage\, and verify security data. AMPEL was created to combine them into a solution that actually protects you. \n \n Just name an OpenSSF project\, and AMPEL has your back: \n ✓ Native Sigstore verification \n ✓ Universal SBOM policies with protobom \n ✓ SLSA provenance \n ✓ Built-in OpenVEX support \n ... and more. \n \n These scenarios compose into a coherent solution to comply with common security frameworks\, such as the OSPS Security Baseline or the CRA. \n \n This is cryptographically probable compliance for everyone! \n Come and meet AMPEL\, its community maintained policy library\, and watch our practical examples in this hands-on session that promises a use case for everyone.
CATEGORIES:SECURING THE SOFTWARE SUPPLY CHAIN
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:6bd5fd4ccf9847792c41d552c145385a
URL:http://openssfcdna2026.sched.com/event/6bd5fd4ccf9847792c41d552c145385a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T170500Z
DTEND:20260521T172000Z
SUMMARY:From SBOMs To Decisions: Prioritizing Supply Chain Risk in Time-Bound M&A Reviews - Prashanth Chandrasekar\, Bitsea US\, Inc.
DESCRIPTION:Software supply chain risk assessments increasingly rely on Software Bill of Materials (SBOMs)\, yet their practical value is often tested under severe time constraints. In Mergers and Acquisitions (M&A) due diligence\, Application Security (AppSec) teams are frequently required to assess large codebases and their third-party dependencies within days or weeks\, where the goal is informed risk visibility rather than exhaustive remediation. \n \n This talk presents a practitioner’s perspective on using SBOMs to prioritize software supply chain risk under tight M&A timelines. Drawing from real-world due-diligence engagements\, it explores how AppSec teams analyze SBOMs to identify high-impact dependencies\, assess transitive risk\, and correlate vulnerability intelligence with open-source license obligations that may influence post-acquisition risk. \n \n The session also addresses common challenges such as incomplete SBOMs\, noisy vulnerability data\, unclear license declarations\, and limited exploit or usage context. The emphasis is on practical\, risk-based prioritization techniques and legal-safe framing of findings. \n \n Attendees will leave with practical guidance on using SBOMs as a decision-support mechanism\, rather than just as compliance artifacts.
CATEGORIES:OSS SIGNATURES AND VERIFICATION
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:9c60fe979e095e8e62c592588d298f44
URL:http://openssfcdna2026.sched.com/event/9c60fe979e095e8e62c592588d298f44
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T172500Z
DTEND:20260521T174500Z
SUMMARY:Gemara: The GRC Architecture You Didn’t Know You Built - Hannah Braswell & Jennifer Power\, Red Hat
DESCRIPTION:If you’ve ever set a branch protection rule or configured a security scan\, you’ve already entered the world of GRC. You may not have realized it at the time\, though\, because GRC is often seen as a combination of spreadsheets and screenshots. Framing this through Gemara reveals a different reality: these security configurations don't exist in a vacuum\; they work within a larger\, interconnected architecture. \n \n In this session\, we’ll explore OpenSSF's Gemara Model to show you how your existing SDLC workflows can produce the compliance evidence you’ve been looking for. Join us to learn how to stop performing GRC as a chore\, and start managing it as the engineering task it already is.
CATEGORIES:ENHANCING SECURITY TOOLS
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:9adbb5c2e3232d20ecbd048e4f20ce96
URL:http://openssfcdna2026.sched.com/event/9adbb5c2e3232d20ecbd048e4f20ce96
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T174500Z
DTEND:20260521T184500Z
SUMMARY:Lunch
DESCRIPTION:- Roasted Chicken Caesar Wedge: Deli-Roasted Chicken\, Romaine\, Caesar Cream Cheese\, Asiago Focaccia \n- Deli Roast Beef: Shaved Natural Roast Beef\, Lettuce\, Cucumber-Herb Cream Cheese\, Egg Focaccia \n- Roasted Veggies Wedge (vg): Roasted Vegetables\, Hummus\, Lettuce\, Rosemary Red Pepper Focaccia \n\nIncludes Dutch Crunch Potato Chips\, Fresh Grapes\, and Chocolate Chip Cookie
CATEGORIES:REGISTRATION / BREAKS & NETWORKING
LOCATION:101C+D\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:f09f21e30dcce96eca967647146e0a83
URL:http://openssfcdna2026.sched.com/event/f09f21e30dcce96eca967647146e0a83
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T184500Z
DTEND:20260521T185500Z
SUMMARY:Making a Lockfile for Maven - Adam Kaplan\, Red Hat
DESCRIPTION:Many package ecosystems produce a comprehensive list of dependencies known as a lockfile. These files serve several purposes\, ranging from optimizing application assembly to verifying package integrity and ensuring reproducible builds. Newer package ecosystems such as npm\, cargo\, and go modules incorporated lockfiles in their designs from the start. More recently\, the Python community adopted a lockfile standard that works across multiple packaging tools\, and dnf is experimenting with its own lockfile standard for RPM packages. \n \n Using recent academic research\, this session will describe the key requirements for lockfiles and apply them to one of the most widely adopted package ecosystems: Apache Maven. Through the experiences of the Maven Lockfile Plugin project\, you will learn the challenges of building a backwards-compatible lockfile and the barriers to generating complete Maven lockfiles in all situations. This session will conclude with other attempts within the Maven ecosystem to provide similar lockfile capabilities and the hurdles to making these features more widely adopted.
CATEGORIES:SECURING THE SOFTWARE SUPPLY CHAIN
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:c1c1834f6a70dbe349ea9b656cc1681d
URL:http://openssfcdna2026.sched.com/event/c1c1834f6a70dbe349ea9b656cc1681d
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T190000Z
DTEND:20260521T192000Z
SUMMARY:Beyond Keyless Signing: Using Ephemeral Certificates With BYOPKI - Kenneth Yang & Adrian Smith\, Coinbase
DESCRIPTION:Keyless signing in sigstore/cosign avoids the need to manage long-lived private keys by using ephemeral keys\, short-lived certificates issued by a Managed CA (sigstore/fulcio)\, and a Public Transparency Log (sigstore/rekor). While this model fits many use cases\, some organizations may prefer to run their own infrastructure with an Internal CA and Private Transparency Logs. \n \n At Coinbase\, the Security Platform Engineering team built an Internal CA that issues more than 100M certificates per year. We’ve applied keyless signing principles to our build pipelines\, where signers attest their workload identities (e.g.\, SPIFFE\, AWS OIDC)\, receive short-lived X.509 certificates\, and sign artifacts with ephemeral keys that are immediately discarded after use. \n \n This talk explores implementing a BYOPKI approach that maintains keyless signing principles\, issuing short-lived X.509 certificates using workload attestation\, and leveraging the new bundle format (v0.3+) within sigstore/cosign.
CATEGORIES:OSS SIGNATURES AND VERIFICATION
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:5dda5b534ea44555e6ee47baf566034c
URL:http://openssfcdna2026.sched.com/event/5dda5b534ea44555e6ee47baf566034c
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T192500Z
DTEND:20260521T194500Z
SUMMARY:GAME SHOW! GAME SHOW! - Christopher Robinson\, OpenSSF
DESCRIPTION:Join the OpenSSF staff and community and pit your knowledge of our community against your peers in this interactive game that EVERYONE can play. Come be educated\, informed\, and entertained.
CATEGORIES:SECURING THE SOFTWARE SUPPLY CHAIN
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:e4bb871e4741e80c70420d4f0ddbb966
URL:http://openssfcdna2026.sched.com/event/e4bb871e4741e80c70420d4f0ddbb966
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T195000Z
DTEND:20260521T200500Z
SUMMARY:Navigating the Land of Git Commit Signatures With Gittuf - Patrick Zielinski\, Secure Systems Lab @ NYU & Yongjae Chung\, New York University
DESCRIPTION:You’ve probably heard by now that Git supports signing your commits and the chorus encouraging you to sign your commits. \n \n There’s just a tiny little problem: what exactly do you do with those signatures? How do you know if a signature is legitimate? When a signing key needs to be rotated and is marked as untrusted\, does that mean your entire Git history is “untrusted”? What makes a commit “Verified” on GitHub? \n \n Wonder no more. In this talk\, we will discuss the state of Git commit signing today\, and dispel the mysteries that surround making sense of commit signatures. We’ll look at how gittuf brings structure to commit signatures\, and then uses these signatures to enforce a security policy on your repository.
CATEGORIES:SECURING THE SOFTWARE SUPPLY CHAIN
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:6d285a1f9d597eac7a32cec31ddeeb9d
URL:http://openssfcdna2026.sched.com/event/6d285a1f9d597eac7a32cec31ddeeb9d
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T201000Z
DTEND:20260521T202500Z
SUMMARY:Petra: SBOMs Without Oversharing for Confidential Supply Chain Transparency - Eman Abu Ishgair\, Purdue University & Marcela Melara\, Intel Corporation
DESCRIPTION:Software Bills of Materials are central to improving transparency and trust in modern software supply chains. However\, organizations often hesitate to share complete SBOMs due to intellectual property or security concerns. This challenge is amplified in multi-tier supply chains\, where SBOMs are routinely redistributed across vendors. \n We present Petra\, a system that enables confidential and policy-bounded SBOM exchange without sacrificing verifiability. \n Petra allows producers to selectively encrypt sensitive SBOM metadata while preserving structural integrity and enabling authorized consumers to search redacted SBOMs for answers to specific security questions without revealing information they are not authorized to access. Importantly\, Petra supports controlled redistribution: SBOMs can be shared across organizational boundaries while cryptographically enforcing downstream access restrictions. \n We discuss selective disclosure for real-world SPDX and CycloneDX SBOMs\, cryptographically verifiable redactions\, and practical deployment considerations. Through a demo\, attendees will see how Petra enables secure SBOM sharing that supports transparency and compliance without oversharing.
CATEGORIES:SECURING THE SOFTWARE SUPPLY CHAIN
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:e7963078fcd110411ce58b4f73f9e2ba
URL:http://openssfcdna2026.sched.com/event/e7963078fcd110411ce58b4f73f9e2ba
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T202500Z
DTEND:20260521T204500Z
SUMMARY:Break
DESCRIPTION:- Rice Crispy Bars (GF)\n- Potato Chips (GF\, Vg)\n- French Onion Dip (V\, GF)
CATEGORIES:REGISTRATION / BREAKS & NETWORKING
LOCATION:101C+D\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:69c795e3d89e273610dc923a2b21faea
URL:http://openssfcdna2026.sched.com/event/69c795e3d89e273610dc923a2b21faea
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T204500Z
DTEND:20260521T210000Z
SUMMARY:Verification Toward Applying SLSA in Automotive IVI Software Development - Yuta Kiyoumi & Takashi Ninjouji\, Honda Motor Co.\, Ltd.
DESCRIPTION:In automotive software development—such as IVI (In-Vehicle Infotainment) software—many layers of the supply chain are involved\, including automotive OEMs and Tier‑1 suppliers. Automotive OEMs\, in particular\, are required to manage a complex and multi‑layered software supply chain under strict safety and regulatory constraints. \n \n To evaluate supply chain security efforts within software development\, we have been conducting a feasibility study on applying SLSA\, a supply chain security framework being developed by the OpenSSF. \n \n In this session\, we will share insights gained through our validation of SLSA adoption and discuss approaches to supply chain security in large-scale software development projects such as AAOS.
CATEGORIES:SECURING THE SOFTWARE SUPPLY CHAIN
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:f058bafc4218a0972de71fd306a07f48
URL:http://openssfcdna2026.sched.com/event/f058bafc4218a0972de71fd306a07f48
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T210500Z
DTEND:20260521T211500Z
SUMMARY:What Are Web Developers Doing About Security? - Daniel Appelquist\, Samsung
DESCRIPTION:The W3C SWAG community group (which is linked with the OpenSSF Best Practices working group) recently ran a survey of web developers to see what web security features and technologies web developers are using and how they're using them. This talk will be a brief introduction to SWAG\, an overview of the surprising results\, and what it means for the work ahead. I will also touch on the topic of how web developers and web browser developers are responding to the requirements of the CRA.
CATEGORIES:CASE STUDIES AND REAL-WORLD EXPERIENCES
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:466e67c834e1aacab4cc0852b94d7873
URL:http://openssfcdna2026.sched.com/event/466e67c834e1aacab4cc0852b94d7873
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T212000Z
DTEND:20260521T214000Z
SUMMARY:Quantum Proofing Sigstore: A Tale of Three Approaches - Kevin Conner\, Red Hat
DESCRIPTION:Implementing post-quantum cryptography in supply chain security requires decisions beyond algorithm selection\, with trade-offs impacting performance and storage. This talk explores three approaches for adding PQC into Sigstore\, the open standard for signing and verifying artifacts. The first maintains classical certificates\, adding PQC signatures to transparency log inclusion proofs. The second implements hybrid X.509 certificates with dual classical/PQC signatures\, modifying signing\, verification and transparency components. The third leverages Merkle Tree Certificates\, embedding PQC commitments for efficient batch verification with minimal overhead. The talk presents prototypes\, demonstrates post-quantum signing and verification\, reveals compromises in each approach and how assumptions in existing code created unexpected challenges. Attendees gain understanding of each method\, providing a foundation for contributing to community discussions around post-quantum adoption.
CATEGORIES:ENHANCING SECURITY TOOLS
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:ea909b7ce243e8fc63a03f8d431c88f3
URL:http://openssfcdna2026.sched.com/event/ea909b7ce243e8fc63a03f8d431c88f3
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T214500Z
DTEND:20260521T220000Z
SUMMARY:AI as Security Orchestrator: An Introduction To Darnit - Michael Lieberman\, Kusari
DESCRIPTION:There's a million security tools\, specifications\, formats\, models\, schemas\, and the list goes on. The problem of keeping up to date on security best practices seems insurmountable even for experienced practitioners. The problem is even worse for your average open source developer who wants to focus on features\, not integrating the latest security and compliance tooling. \n \n In this talk you'll learn how AI can be utilized to integrate with existing open source security validation tools like OpenSSF Scorecard\, Privateer\, and Minder\, and then use the data from that along with the context of a project to enable AI-guided remediation. \n \n This talk will introduce Darnit\, a framework for architecting and implementing this pattern. It is an MCP/agentic framework that: \n 1. Loads controls and context about a project \n 2. Runs an audit utilizing deterministic and heuristic tools \n 3. Gathers context not found in the audit\, confirms with the user anything that is unclear\, and stores it \n 4. Re-audits \n 5. Automatically remediates any issues discovered\, and falls back to manual suggestions where it can't.
CATEGORIES:AI AND ML IN SECURITY
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:ffbbc20d08e81ff637ca3cad46007346
URL:http://openssfcdna2026.sched.com/event/ffbbc20d08e81ff637ca3cad46007346
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T220500Z
DTEND:20260521T222500Z
SUMMARY:Keynote: OSS-CRS: Next Generation Bug-Finding and Remediation for the LLM Era - Andrew Chin\, Georgia Institute of Technology
DESCRIPTION:The AI Cyber Challenge demonstrated that AI-powered Cyber Reasoning Systems (CRS) can autonomously find and fix software vulnerabilities at scale. But how do we take those advancements and make them accessible to the broader security community? Enter OSS-CRS: an open-source\, standardized framework designed to accelerate the development of AI-assisted bug-finding and remediation systems. In this session\, we'll walk through the design principles of OSS-CRS\, show how it lowers the barriers to building and benchmarking next-generation CRS tooling\, and demonstrate how users can easily deploy and run CRSs against their own codebases. Whether you're a security researcher\, tooling developer\, AI practitioner\, or project maintainer\, come learn about the growing ecosystem around AI-powered CRSs.
CATEGORIES:KEYNOTE SESSIONS
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:2db172cd1fcb677e821ddddd6a8392d2
URL:http://openssfcdna2026.sched.com/event/2db172cd1fcb677e821ddddd6a8392d2
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260528T032122Z
DTSTART:20260521T222500Z
DTEND:20260521T223000Z
SUMMARY:Closing Remarks
DESCRIPTION:\n
CATEGORIES:KEYNOTE SESSIONS
LOCATION:101E\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:5cf3fa3c2680e2228bb3ec22425f409a
URL:http://openssfcdna2026.sched.com/event/5cf3fa3c2680e2228bb3ec22425f409a
END:VEVENT
END:VCALENDAR
