OpenSSF Community Day NA 2026
May 21, 2026 | Minneapolis, Minnesota, USA
Schedule is subject to change.

Venue: 101E
Thursday, May 21

9:00am CDT

Welcome & Opening Remarks - Stacey Potter, Community Manager - OpenSSF, The Linux Foundation
Thursday May 21, 2026 9:00am - 9:10am CDT

Speakers
Stacey Potter
Community Manager, OpenSSF
101E

9:15am CDT

Keynote: Securing the Agentic Future: How OpenSSF is Leading the AI Security Transition - Steven Fernandez, OpenSSF Managing Director, The Linux Foundation
Thursday May 21, 2026 9:15am - 9:35am CDT
As AI becomes a bigger part of software and open source development, security needs are changing quickly. This talk will cover how the Open Source Security Foundation is ramping up the use of and support for AI security across the open source ecosystem.
Speakers
Steven Fernandez
OpenSSF Managing Director, The Linux Foundation
101E

9:40am CDT

Keynote: Anatomy of a Phishing Campaign - Mike Fiedler, Python Software Foundation
Thursday May 21, 2026 9:40am - 10:00am CDT
In July 2025, PyPI users received emails directing them to another site - a near-perfect clone transparently proxying requests to pypi.org. Within hours, attackers compromised four accounts and uploaded malicious releases of the popular num2words package.

This talk dissects the complete attack chain: how attackers harvested email addresses from public package metadata, built a transparent proxy that relayed TOTP codes in real-time, and why traditional 2FA failed while WebAuthn-based authentication stopped the attack cold.

The session covers the incident response timeline, challenges getting malicious infrastructure taken down (including initial rejection of abuse reports), and defensive measures deployed afterward—including new email verification for TOTP logins from unrecognized devices.

Attendees will learn exactly how modern phishing attacks work against package repositories, the critical difference between "phishable" and "phishing-resistant" 2FA, and practical steps to protect accounts and packages from the next campaign. The talk also examines the September 2025 follow-up campaign targeting another domain and patterns across these ongoing attacks.
Speakers
Mike Fiedler
PyPI Safety & Security Engineer, Python Software Foundation
Mike’s been in the engineering game for 30+ years, leading teams at Datadog, MongoDB, LeafLink, Warby Parker, and Capital One. He’s a big believer in learning from every peer and helping others navigate tech’s complexities. An AWS Hero and Awesome Community Chef, Mike loves...
101E
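The attack chain in this abstract turns on one difference: a relaying proxy can forward a TOTP code because the code says nothing about where it was typed, while a WebAuthn assertion carries the origin the browser was actually on. The Python below is an added illustration, not material from the talk or from PyPI's code. It models the shared-secret TOTP check, then a WebAuthn-style assertion in which the browser (not the page) writes the origin and the RP ID hash into the signed data, and shows the relying-party checks that reject a relayed or patched assertion. An HMAC key stands in for the credential's asymmetric private key so the script runs with the standard library alone; pypj-example.org is a constructed look-alike domain, and the TOTP seed, credential key and clock value are demo constants (the seed and time are the RFC 6238 test-vector values).

```python
"""Relaying proxy vs TOTP and WebAuthn (added example, standard library only)."""
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://pypi.org"              # origin the credential was registered on
PHISH_ORIGIN = "https://pypj-example.org"    # constructed look-alike; hypothetical domain
TOTP_SECRET = b"12345678901234567890"         # RFC 6238 test-vector seed, not a real one
CRED_KEY = b"constructed-webauthn-credential-key"
FIXED_NOW = 59                                # fixed clock (RFC 6238 vector, T=59)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def phish_totp(now: float = FIXED_NOW) -> bool:
    """Victim types the code into the clone; the proxy forwards it unchanged.
    The code carries no notion of which site it was typed into, so it is accepted."""
    typed_on_clone = totp(TOTP_SECRET, now)      # victim reads this from their app
    relayed_to_real_site = typed_on_clone         # proxy relays it in real time
    return hmac.compare_digest(totp(TOTP_SECRET, now), relayed_to_real_site)


def _rp_id(origin: str) -> str:
    return origin.split("://", 1)[1]


def browser_get_assertion(challenge: str, page_origin: str):
    """The browser, not the page, writes origin and rpIdHash into the signed data."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(_rp_id(page_origin).encode()).digest() + b"\x01" + struct.pack(">I", 1)
    # HMAC stands in for the credential's private-key signature over authData || hash(clientData)
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify_assertion(challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks from the WebAuthn spec: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:            # origin binding: the clone's URL is in the signed data
        return False
    if auth_data[:32] != hashlib.sha256(_rp_id(RP_ORIGIN).encode()).digest():
        return False
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legit_webauthn(challenge: str = "c2VydmVyLWNoYWxsZW5nZQ") -> bool:
    return rp_verify_assertion(challenge, *browser_get_assertion(challenge, RP_ORIGIN))


def phish_webauthn(challenge: str = "c2VydmVyLWNoYWxsZW5nZQ") -> bool:
    """Proxy relays the real server's challenge to the victim, whose browser is on the clone."""
    return rp_verify_assertion(challenge, *browser_get_assertion(challenge, PHISH_ORIGIN))


def phish_webauthn_rewritten(challenge: str = "c2VydmVyLWNoYWxsZW5nZQ") -> bool:
    """Proxy patches origin and rpIdHash to the real site's values; the signature no longer matches."""
    client_data, auth_data, sig = browser_get_assertion(challenge, PHISH_ORIGIN)
    client_data = client_data.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    auth_data = hashlib.sha256(_rp_id(RP_ORIGIN).encode()).digest() + auth_data[32:]
    return rp_verify_assertion(challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", phish_totp())                       # True
    print("WebAuthn from real origin accepted:", legit_webauthn())                      # True
    print("WebAuthn relayed from clone accepted:", phish_webauthn())                    # False
    print("WebAuthn with rewritten origin accepted:", phish_webauthn_rewritten())       # False
```

In a real browser the clone case fails even earlier: credentials are scoped by the RP ID derived from the page origin, so the authenticator would not produce an assertion for pypi.org while the tab is on the look-alike. The rewritten case shows why the proxy cannot repair that after the fact: origin and rpIdHash are under the signature, so changing them invalidates it.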

10:05am CDT

Keynote: BEAR-ing Fruit: A Year of Learning, Mentorship, and Community Building in Open Source Security - Marcela Melara, Research Scientist, Intel Corporation
Thursday May 21, 2026 10:05am - 10:20am CDT
The OpenSSF BEAR (Belonging, Empowerment, Allyship, and Representation) Working Group is on a mission to make cybersecurity a place where everyone belongs! We knock down barriers and crank up the volume for underrepresented voices. We've learned that true representation is about building fun, lasting paths for participation.

In this session, we'll take you on a journey through the evolution of BEAR, culminating in the exciting launch of our newest global family member, SIG OpenSSF Africa (Open Source Security Foundation Africa)! We'll share some insights and "Aha!" moments from our monthly Community Office Hours - including those unexpected successful strategies - and get honest about the triumphs and challenges of our mentorship program.

Looking to level up your community game? Whether you want to understand the real-world challenges facing diverse groups in security or just need some practical, battle-tested frameworks for building vibrant community programs, this session is your toolkit. Get ready for an open, fun look at building a truly inclusive open source security community!
Speakers
Marcela Melara
Research Scientist, Intel Corporation
Marcela Melara is a research scientist at Intel making distributed and cloud systems more trustworthy. Her current work focuses on developing solutions for high-integrity software and AI supply chains. She leads a number of internal, academic and open-source projects on supply chain...
101E

10:25am CDT

The Architecture of Accountability: Transparency in Software - Hayden Blauzvern, Google
Thursday May 21, 2026 10:25am - 10:40am CDT
In the context of secure systems, "transparency" is often a loaded term. We will propose a precise definition: the guarantee of discoverability and auditability. Transparency is the difference between a system that merely claims to be secure and a system that provides proof of its security claims.

This session offers a high-level primer on the principles of cryptographic transparency. We will discuss how to design transparent applications and explore the tooling available to create tamper-evident systems. We will examine how this pattern has already been used, from Certificate Transparency providing auditability for web PKI, Binary Transparency securing software delivery, and Key Transparency hardening messaging applications. We will demonstrate how transparency can be applied for emerging frontiers as well, such as AI model provenance and news authenticity.

Finally, we will discuss the ongoing specifications work to standardize transparency primitives and highlight opportunities to participate. Attendees will leave with a clear mental model for transparency by design, ready to build systems where accountability is a default feature, not an afterthought.
Speakers
Hayden Blauzvern
Technical Lead Manager, Google
Hayden Blauzvern is a technical lead manager on Google’s Open Source Security Team, focused on making open-source software more secure through code signing and applied transparency. Hayden is a maintainer and the community chair on the Sigstore project.
101E
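The tamper-evident structure this abstract refers to, shared by Certificate Transparency, binary transparency and key transparency logs, is a Merkle tree over the log entries with a published root. As an added worked example (not material from the talk or from any Sigstore code), the Python below implements the RFC 6962 / RFC 9162 hashing, generates an inclusion proof for one entry, and runs the standard verification walk that an auditor performs with nothing but the entry, the proof and a root. The five log entries are constructed.

```python
"""Tamper-evident log: RFC 6962/9162 Merkle hashing, inclusion proofs, verification (added example)."""
import hashlib
from typing import List


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()          # 0x00 prefix: leaf domain


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()   # 0x01 prefix: interior node


def _split(n: int) -> int:
    """Largest power of two strictly less than n; fixes the tree shape for any size."""
    k = 1
    while 2 * k < n:
        k *= 2
    return k


def root_hash(entries: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(root_hash(entries[:k]), root_hash(entries[k:]))


def inclusion_proof(entries: List[bytes], index: int) -> List[bytes]:
    """PATH(m, D[n]): the sibling hashes needed to rebuild the root from one leaf."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [root_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [root_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2. The verifier needs only the entry, the proof and a root;
    it never sees the other entries, which is what lets one published root serve every auditor."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:                       # skip levels where this node has no sibling
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed log entries, e.g. what a binary-transparency log might record per release.
LOG = [f"pkg-{i}-1.0.tar.gz sha256:{i:064x}".encode() for i in range(5)]
ROOT = root_hash(LOG)


def proves_tampering(entries: List[bytes], index: int, replacement: bytes) -> bool:
    """A substituted entry no longer verifies against the root the log already published."""
    proof = inclusion_proof(entries, index)
    return not verify_inclusion(replacement, index, len(entries), proof, root_hash(entries))


if __name__ == "__main__":
    for i, entry in enumerate(LOG):
        print(i, verify_inclusion(entry, i, len(LOG), inclusion_proof(LOG, i), ROOT))  # all True
    print("swapped entry detected:", proves_tampering(LOG, 2, b"pkg-2-1.0.tar.gz sha256:" + b"ee" * 32))
```

Discoverability follows from the same structure: because every entry is committed to by the root, an operator cannot serve a release to one client without it also being provable to everyone else holding that root, and a consistency proof between two roots (not shown here) extends the argument to the append-only history.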

11:00am CDT

OpenSSF Baseline Alignment in Open Source Repos: Automation, Surveys, and the Visibility Gap - Will Sergeant, Kiran Chana & Kavoi Mutisya, Harvard
Thursday May 21, 2026 11:00am - 11:15am CDT
Project BaseJump is the result of months of Capstone Project effort from a team of three Cybersecurity Masters Degree Candidates at Harvard Extension School:

The project sought to develop a repeatable methodology for assessing Open Source Software repository alignment with the OpenSSF Baseline.

In this presentation we will go over our findings from the project. In addition, we have developed an application which seeks to automate much of the assessment process. This will be available on the OpenSSF GitHub.
Speakers
Will Sergeant
Graduate Student, Harvard Extension School
I am a Technologist at heart. I work on everything from microcircuits to cyber risk management. Currently I work as a Cybersecurity Analyst at Harvard Medical School and study as a Cybersecurity Masters Degree candidate at Harvard Extension School. I hold an active CISSP, AZ-104...
Kiran Chana
BaseJump Team Leader; Graduate Student, Harvard
Cybersecurity master's candidate at Harvard; 5 years at MEDITECH developing software and leading teams; a lifetime of passion for diverse communities.
Kavoi Mutisya
Student, Harvard Cybersecurity Masters Candidate '26
Harvard Cybersecurity Masters Candidate '26
101E

11:20am CDT

Curating Secure Software: The Art of Selecting Safe Dependencies - Kadi McKean, ReversingLabs
Thursday May 21, 2026 11:20am - 11:35am CDT
Imagine curating an art gallery—you wouldn’t hang just any painting on the wall. Each piece is carefully selected, verified for authenticity, and preserved to ensure a valuable experience for visitors. The same meticulous approach applies to software development.
Secure curation of open source isn’t about stifling creativity; it’s about ensuring that the dependencies we bring into our applications are secure, well-maintained, and reliable. As an art curator protects against forgeries and deterioration, developers must assess third-party components for malware, tampering, vulnerabilities, licensing risks, and long-term sustainability.
This talk will explore why curation is the foundation of secure software supply chains. We’ll discuss practical strategies for evaluating dependencies, maintaining a trusted repository, and leveraging free tools to automate the process. By adopting a safe curation mindset, developers can sleep better at night, knowing their applications rest on a foundation of safe, high-quality components.
Speakers
Kadi McKean
OSS Community Manager, ReversingLabs
Kadi is passionate about the DevOps / DevSecOps community since her days of working with COBOL development and Mainframe solutions. At ReversingLabs she collaborates with developers and security researchers to help entities prioritize their open source risk, reduce technical debt...
101E

11:40am CDT

Enforcing the OpenSSF Ecosystem With AMPEL - Adolfo García Veytia, Carabiner Systems
Thursday May 21, 2026 11:40am - 12:00pm CDT
AMPEL, the Amazing Multipurpose Policy Engine (and L), is the latest open-source project (about) to land in the OpenSSF sandbox.

AMPEL is a policy engine designed to be embeddable and easy to use in modern CI/CD environments. It brings together verification of signed in-toto attestations against policies, mapped to security framework controls, enabling projects and organizations to demonstrate compliance with security frameworks.

The OpenSSF ecosystem groups tools that produce, manage, and verify security data. AMPEL was created to combine them into a solution that actually protects you.

Just name an OpenSSF project, and AMPEL has your back:
✓ Native Sigstore verification
✓ Universal SBOM policies with protobom
✓ SLSA provenance
✓ Built-in OpenVEX support
... and more.

These scenarios compose into a coherent solution to comply with common security frameworks, such as the OSPS Security Baseline or the CRA.

This is cryptographically probable compliance for everyone!
Come and meet AMPEL, its community maintained policy library, and watch our practical examples in this hands-on session that promises a use case for everyone.
Speakers
Adolfo Garcia Veytia
Founding Engineer, Carabiner Systems
Adolfo García Veytia (@puerco) is one of the Kubernetes SIG Release Technical Leads and actively works on the Release Engineering team. He specializes in improving the software that drives the automation behind the Kubernetes release process. He is also the creator of the OpenVEX...
101E

12:05pm CDT

From SBOMs To Decisions: Prioritizing Supply Chain Risk in Time-Bound M&A Reviews - Prashanth Chandrasekar, Bitsea US, Inc.
Thursday May 21, 2026 12:05pm - 12:20pm CDT
Software supply chain risk assessments increasingly rely on Software Bill of Materials (SBOMs), yet their practical value is often tested under severe time constraints. In Mergers and Acquisitions (M&A) due diligence, Application Security (AppSec) teams are frequently required to assess large codebases and their third-party dependencies within days or weeks, where the goal is informed risk visibility rather than exhaustive remediation.

This talk presents a practitioner’s perspective on using SBOMs to prioritize software supply chain risk under tight M&A timelines. Drawing from real-world due-diligence engagements, it explores how AppSec teams analyze SBOMs to identify high-impact dependencies, assess transitive risk, and correlate vulnerability intelligence with open-source license obligations that may influence post-acquisition risk.

The session also addresses common challenges such as incomplete SBOMs, noisy vulnerability data, unclear license declarations, and limited exploit or usage context. The emphasis is on practical, risk-based prioritization techniques and legal-safe framing of findings.

Attendees will leave with practical guidance on using SBOMs as a decision-support mechanism, rather than just as compliance artifacts.
Speakers
Prashanth Chandrasekar
Principal Consultant, Bitsea
Prashanth Chandrasekar is an Application Security practitioner and Open Source Consultant at Bitsea, focused on software supply chain risk and SBOM-driven analysis for stakeholders. He brings hands-on experience from time-bound due-diligence engagements, helping teams prioritize vulnerability...
101E

12:25pm CDT

Gemara: The GRC Architecture You Didn’t Know You Built - Hannah Braswell & Jennifer Power, Red Hat
Thursday May 21, 2026 12:25pm - 12:45pm CDT
If you’ve ever set a branch protection rule or configured a security scan, you’ve already entered the world of GRC. You may not have realized it at the time, though, because GRC is often seen as a combination of spreadsheets and screenshots. Framing this through Gemara reveals a different reality: these security configurations don't exist in a vacuum; they work within a larger, interconnected architecture.

In this session, we’ll explore OpenSSF's Gemara Model to show you how your existing SDLC workflows can produce the compliance evidence you’ve been looking for. Join us to learn how to stop performing GRC as a chore, and start managing it as the engineering task it already is.
Speakers
Hannah Braswell
Associate Product Security Engineer, Red Hat, Inc.
Hannah is an Associate Product Security Engineer at Red Hat, focusing on proactively securing complex open-source systems. As an active contributor to the OSCAL Compass CNCF community, she is passionate about pragmatic development and using automation to enhance security workflows...
Jennifer Power
Principal Product Security Engineer, Red Hat
Jennifer Power is a Principal Product Security Engineer at Red Hat, where she focuses on open-source solutions for compliance automation. She is active in the open-source community, contributing to multiple projects and is currently a maintainer of the OSCAL Compass CNCF project...
101E

1:45pm CDT

Making a Lockfile for Maven - Adam Kaplan, Red Hat
Thursday May 21, 2026 1:45pm - 1:55pm CDT
Many package ecosystems produce a comprehensive list of dependencies known as a lockfile. These files serve several purposes, ranging from optimizing application assembly to verifying package integrity and ensuring reproducible builds. Newer package ecosystems such as npm, cargo, and go modules incorporated lockfiles in their designs from the start. More recently, the Python community adopted a lockfile standard that works across multiple packaging tools, and dnf is experimenting with its own lockfile standard for RPM packages.

Using recent academic research, this session will describe the key requirements for lockfiles and apply them to one of the most widely adopted package ecosystems: Apache Maven. Through the experiences of the Maven Lockfile Plugin project, you will learn the challenges of building a backwards-compatible lockfile and the barriers to generating complete Maven lockfiles in all situations. This session will conclude with other attempts within the Maven ecosystem to provide similar lockfile capabilities and the hurdles to making these features more widely adopted.
Speakers
Adam Kaplan
Senior Principal Software Engineer, Red Hat
Adam Kaplan (he/him/his) is a software engineer at Red Hat, a maintainer of the Shipwright and Tekton projects, and former CD Foundation Governing Board member. He currently leads efforts to simplify hybrid cloud application development and secure Red Hat's software supply chain...
101E

2:00pm CDT

Beyond Keyless Signing: Using Ephemeral Certificates With BYOPKI - Kenneth Yang & Adrian Smith, Coinbase
Thursday May 21, 2026 2:00pm - 2:20pm CDT
Keyless signing in sigstore/cosign avoids the need to manage long-lived private keys by using ephemeral keys, short-lived certificates issued by a Managed CA (sigstore/fulcio), and a Public Transparency Log (sigstore/rekor). While this model fits many use cases, some organizations may prefer to run their own infrastructure with an Internal CA and Private Transparency Logs.

At Coinbase, the Security Platform Engineering team built an Internal CA that issues more than 100M certificates per year. We’ve applied keyless signing principles to our build pipelines, where signers attest their workload identities (e.g., SPIFFE, AWS OIDC), receive short-lived X.509 certificates, and sign artifacts with ephemeral keys that are immediately discarded after use.

This talk explores implementing a BYOPKI approach that maintains keyless signing principles, issuing short-lived X.509 certificates using workload attestation, and leveraging the new bundle format (v0.3+) within sigstore/cosign.
Speakers
Kenneth Yang
Staff Software Engineer, Coinbase
Kenneth is a Staff Software Engineer at Coinbase and ex-Airbnb Security Engineer focusing on Key Management systems. When he’s not getting paged and pulled into incidents he enjoys spending time with his two dogs and being in the outdoors.
Adrian Smith
Senior Software Engineer, Coinbase
Adrian is a software engineer at Coinbase who helps build and maintain PKI systems at scale.
101E

2:25pm CDT

GAME SHOW! GAME SHOW! - Christopher Robinson, OpenSSF
Thursday May 21, 2026 2:25pm - 2:45pm CDT
Join the OpenSSF staff and community and pit your knowledge of our community against your peers in this interactive game that EVERYONE can play. Come be educated, informed, and entertained.
Speakers
Christopher "CRob" Robinson
Chief Architect - OpenSSF, OpenSSF
Christopher Robinson (aka CRob) is the Chief Security Architect for the Open Source Security Foundation. With over 25 years of Enterprise-class engineering, architectural, operational and leadership experience, CRob has worked at several Fortune 500 companies with experience in the...
101E

2:50pm CDT

Navigating the Land of Git Commit Signatures With Gittuf - Patrick Zielinski, Secure Systems Lab @ NYU & Yongjae Chung, New York University
Thursday May 21, 2026 2:50pm - 3:05pm CDT
You’ve probably heard by now that Git supports signing your commits and the chorus encouraging you to sign your commits.

There’s just a tiny little problem: what exactly do you do with those signatures? How do you know if a signature is legitimate? When a signing key needs to be rotated and is marked as untrusted, does that mean your entire Git history is “untrusted”? What makes a commit “Verified” on GitHub?

Wonder no more. In this talk, we will discuss the state of Git commit signing today, and dispel the mysteries that surround making sense of commit signatures. We’ll look at how gittuf brings structure to commit signatures, and then uses these signatures to enforce a security policy on your repository.
Speakers
Patrick Zielinski
PhD Candidate, NYU
Patrick is a Ph.D. student at New York University researching software supply chain security. He focuses on securing version control systems that underpin systems such as The Archive Framework (TAF). He is also a maintainer of gittuf, an incubating project at the Open Source Security...
Yongjae Chung
Masters Student, New York University
Yongjae is a Master's student at New York University. He is a contributor to gittuf, an incubating project at Open Source Security Foundation.
101E

3:10pm CDT

Petra: SBOMs Without Oversharing for Confidential Supply Chain Transparency - Eman Abu Ishgair, Purdue University & Marcela Melara, Intel Corporation
Thursday May 21, 2026 3:10pm - 3:25pm CDT
Software Bills of Materials are central to improving transparency and trust in modern software supply chains. However, organizations often hesitate to share complete SBOMs due to intellectual property or security concerns. This challenge is amplified in multi-tier supply chains, where SBOMs are routinely redistributed across vendors.
We present Petra, a system that enables confidential and policy-bounded SBOM exchange without sacrificing verifiability.
Petra allows producers to selectively encrypt sensitive SBOM metadata while preserving structural integrity and enabling authorized consumers to search redacted SBOMs for answers to specific security questions without revealing information they are not authorized to access. Importantly, Petra supports controlled redistribution: SBOMs can be shared across organizational boundaries while cryptographically enforcing downstream access restrictions.
We discuss selective disclosure for real-world SPDX and CycloneDX SBOMs, cryptographically verifiable redactions, and practical deployment considerations. Through a demo, attendees will see how Petra enables secure SBOM sharing that supports transparency and compliance without oversharing.
Speakers
Marcela Melara
Research Scientist, Intel Corporation
Marcela Melara is a research scientist at Intel making distributed and cloud systems more trustworthy. Her current work focuses on developing solutions for high-integrity software and AI supply chains. She leads a number of internal, academic and open-source projects on supply chain...
Eman Abu Ishgair
Graduate Research Assistant, Purdue University
PhD candidate in ECE @ Purdue, working on software supply chain security
101E
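One way to get the property this abstract describes, a redacted SBOM whose structure is still verifiable and whose hidden fields an authorized party can still query, is a salted hash commitment per sensitive field. The Python below is an added generic illustration and not a description of Petra's actual construction: the producer replaces each sensitive value with H(salt || value), signs the redacted document (an HMAC under a constructed key stands in for a real signature), and hands the salt only to consumers allowed to check a candidate value against that field. Anyone can verify the seal and read the non-sensitive fields; nobody without the salt learns the value. The CycloneDX-style fragment, the field list and the key are constructed for the example.

```python
"""Salted-commitment redaction of SBOM fields with a verifiable seal (added example)."""
import copy
import hashlib
import hmac
import json
import secrets

PRODUCER_KEY = b"constructed-producer-signing-key"   # stand-in for the producer's signing key

# Constructed CycloneDX-style fragment; not a real product's SBOM.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        {"name": "internal-crypto-shim", "version": "2.4.1",
         "purl": "pkg:maven/com.example/internal-crypto-shim@2.4.1"},
    ],
}
# Fields the producer does not want every downstream recipient to read.
SENSITIVE = [("components", 1, "name"), ("components", 1, "purl")]


def canonical(obj) -> bytes:
    """Deterministic JSON so every party hashes the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def commitment(value, salt: bytes) -> str:
    """H(salt || value): hides value without the salt, binds it once the salt is known."""
    return hashlib.sha256(salt + canonical(value)).hexdigest()


def _get(doc, path):
    for key in path:
        doc = doc[key]
    return doc


def with_field(doc, path, value):
    """Return a deep copy of doc with the field at path replaced."""
    out = copy.deepcopy(doc)
    target = out
    for key in path[:-1]:
        target = target[key]
    target[path[-1]] = value
    return out


def seal(sbom, sensitive_paths, key: bytes = PRODUCER_KEY):
    """Producer: replace sensitive values with commitments, then sign the redacted document.
    Returns (redacted_doc, salts, tag); salts go only to consumers authorized to open a field."""
    redacted = sbom
    salts = {}
    for path in sensitive_paths:
        salt = secrets.token_bytes(16)
        salts[path] = salt
        redacted = with_field(redacted, path, {"redacted": commitment(_get(sbom, path), salt)})
    tag = hmac.new(key, canonical(redacted), hashlib.sha256).hexdigest()
    return redacted, salts, tag


def verify_sealed(redacted, tag: str, key: bytes = PRODUCER_KEY) -> bool:
    """Any recipient, with or without salts: is this exactly the structure the producer signed?"""
    expected = hmac.new(key, canonical(redacted), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def open_field(redacted, path, claimed_value, salt: bytes) -> bool:
    """Authorized recipient: does claimed_value (e.g. the purl being asked about) match the commitment?"""
    slot = _get(redacted, path)
    if not isinstance(slot, dict) or "redacted" not in slot:
        return False
    return hmac.compare_digest(slot["redacted"], commitment(claimed_value, salt))


# What the producer ships: a redacted document plus its seal; salts are distributed separately.
REDACTED, SALTS, TAG = seal(SBOM, SENSITIVE)

if __name__ == "__main__":
    print(canonical(REDACTED).decode())
    print("seal verifies:", verify_sealed(REDACTED, TAG))
    path = ("components", 1, "purl")
    print("purl matches:", open_field(REDACTED, path, SBOM["components"][1]["purl"], SALTS[path]))
```

Redistribution works because the seal covers the redacted form: a second-tier vendor can forward the document and its tag unchanged, and a recipient with no salts still detects any edit to a visible field or to a commitment. The salt is the access control: whoever holds it can test specific guesses against one field, and nobody else can, which is the "answer a specific question without revealing everything" shape the abstract describes. A per-field random salt also stops a recipient from confirming a guess by hashing common package names.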

3:45pm CDT

Verification Toward Applying SLSA in Automotive IVI Software Development - Yuta Kiyoumi & Takashi Ninjouji, Honda Motor Co., Ltd.
Thursday May 21, 2026 3:45pm - 4:00pm CDT
In automotive software development—such as IVI (In-Vehicle Infotainment) software—many layers of the supply chain are involved, including automotive OEMs and Tier‑1 suppliers. Automotive OEMs, in particular, are required to manage a complex and multi‑layered software supply chain under strict safety and regulatory constraints.

To evaluate supply chain security efforts within software development, we have been conducting a feasibility study on applying SLSA, a supply chain security framework being developed by the OpenSSF.

In this session, we will share insights gained through our validation of SLSA adoption and discuss approaches to supply chain security in large-scale software development projects such as AAOS.
Speakers
Yuta Kiyoumi
Security Architect for IVI software development, Honda Motor Co., Ltd.
Yuta Kiyoumi is the Security Architect for IVI software development at Honda Motor Co., Ltd. He also serves as a member of the Honda OSPO promoting secure OSS adoption, and participates as a member of the OpenSSF.
Takashi Ninjouji
Chief Engineer, Honda Motor Co., Ltd.
Takashi Ninjouji is a Chief Engineer at Honda Motor Co., Ltd., with a focus on Software-Defined Vehicles (SDV). He is a manager of the Open Source Program Office (OSPO). His interests also include AI-assisted engineering automation.
101E

4:05pm CDT

What Are Web Developers Doing About Security? - Daniel Appelquist, Samsung
Thursday May 21, 2026 4:05pm - 4:15pm CDT
The W3C SWAG community group (which is linked with the OpenSSF Best Practices working group) recently ran a survey of web developers to see what web security features and technologies web developers are using and how they're using them. This talk will be a brief introduction to SWAG, an overview of the surprising results, and what it means for the work ahead. I will also touch on the topic of how web developers and web browser developers are responding to the requirements of the CRA.
Speakers
Dan Appelquist
Open Source Strategist, Samsung
101E

4:20pm CDT

Quantum Proofing Sigstore: A Tale of Three Approaches - Kevin Conner, Red Hat
Thursday May 21, 2026 4:20pm - 4:40pm CDT
Implementing post quantum cryptography in supply chain security requires decisions beyond algorithm selection, with trade offs impacting performance and storage. This talk explores three approaches for adding PQC into Sigstore, the open standard for signing and verifying artifacts. The first maintains classical certificates, adding PQC signatures to transparency log inclusion proofs. The second implements hybrid X.509 certificates with dual classical/PQC signatures, modifying signing, verification and transparency components. The third leverages merkle tree certificates, embedding PQC commitments for efficient batch verification with minimal overhead. The talk presents prototypes, demonstrates post quantum signing and verification, reveals compromises in each approach and how assumptions in existing code created unexpected challenges. Attendees gain understanding of each method, providing a foundation for contributing to community discussions around post quantum adoption.
Speakers
Kevin Conner
Senior Principal Software Engineer, Red Hat
Kevin is a Senior Principal Software Engineer at Red Hat's Trusted Artifact Signer team, working on Sigstore projects. Previously Chief Engineer at GetUp Cloud, focusing on Kubernetes and DevSecOps, he's worked at startups and major companies like Sun Microsystems and Red Hat, leading...
101E

4:45pm CDT

AI as Security Orchestrator: An Introduction To Darnit - Michael Lieberman, Kusari
Thursday May 21, 2026 4:45pm - 5:00pm CDT
There are a million security tools, specifications, formats, models, schemas, and the list goes on. The problem of keeping up to date on security best practices seems insurmountable even for experienced practitioners. The problem is even worse for your average open source developer who wants to focus on features, not integrating the latest security and compliance tooling.

In this talk you'll see how AI can be utilized to integrate with existing open source security validation tools like OpenSSF Scorecard, Privateer, Minder, and then use the data from that along with the context of a project to enable AI guided remediation.

This talk will introduce Darnit, a framework for architecting and implementing this pattern. It is an MCP/Agentic framework that:
1. Loads controls and context about a project
2. Runs an audit utilizing deterministic and heuristic tools
3. Gathers context not found in the audit and confirms with user about anything not clear and stores it.
4. Re-audits
5. Automatically remediates any issues discovered, and falls back to manual suggestions where it can't.
Speakers
Michael Lieberman
CTO, Kusari
Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference...
101E

5:05pm CDT

Keynote: OSS-CRS: Next Generation Bug-Finding and Remediation for the LLM Era - Andrew Chin, Georgia Institute of Technology
Thursday May 21, 2026 5:05pm - 5:25pm CDT
The AI Cyber Challenge demonstrated that AI-powered Cyber Reasoning Systems (CRS) can autonomously find and fix software vulnerabilities at scale. But how do we take those advancements and make them accessible to the broader security community? Enter OSS-CRS: an open-source, standardized framework designed to accelerate the development of AI-assisted bug-finding and remediation systems. In this session, we'll walk through the design principles of OSS-CRS, show how it lowers the barriers to building and benchmarking next-generation CRS tooling, and demonstrate how users can easily deploy and run CRSs against their own codebases. Whether you're a security researcher, tooling developer, AI practitioner, or project maintainer, come learn about the growing ecosystem around AI-powered CRSs.
Speakers
Andrew Chin
Ph.D. Student, Georgia Institute of Technology
Andrew is part of Team Atlanta, the winning team in the AIxCC finals competition at DEF CON 33.

He is currently a Ph.D. student at the Georgia Institute of Technology, working with Prof. Taesoo Kim at the Systems Software & Security Lab. Building on the work from AIxCC, Andrew is leading a Team Atlanta effort — in partnership with the OpenSSF — to strengthen the security...
101E

5:25pm CDT

Closing Remarks
Thursday May 21, 2026 5:25pm - 5:30pm CDT
101E