Trustworthy and Secure OSS
Towards a trustworthy and secure ecosystem of OSS: Increasing the reliability and adoption of OSS projects
Workshop within the framework of the Open Source Workshops for Computing and Sustainability event
Albert Borschette Conference Center, Brussels: 02 December 2022
Workshop time: 14:30-16:00 CET | Room 3B
Workshop Description
In the surveys conducted by the EC as part of the study “The impact of Open Source Software and Hardware on technological independence, competitiveness and innovation in the EU economy”, the cybersecurity and trustworthiness of OSS and OSH were identified as being of significant importance. A particular concern identified is the ability of chips or software components to incorporate backdoors or malware embedded by a bad actor in the supply chain. Open hardware and software facilitate the ability to develop and maintain a root of trust throughout the supply chain. This impact will increase over time.
Thus, the workshop will revolve around the following topics:
- OSS and Trust
- Cybersecurity Certification required?
- Self-Assessment versus Third Party Assessment? (Cost, Time, Resource Constraints)
- Who is making the OSS building blocks? Are there state actors involved or behind it? Should we trust OSS?
- OSS and backdoors (purposely embedded security “holes”)
- ECSO “made in Europe” label (also companies have to “certify” that there are no “backdoors”)
- Security standards and certification for OSS
- Who applies for certification? User? Integrator?
- Who is responsible if there is a security issue / breach? How to make them responsible (fine, pay for damage, etc.)?
Chair
James Galand-Jones (EC-CONNECT) James GALAND-JONES is a Policy Officer in the Unit for cybersecurity technology and capacity building at DG CONNECT. James spearheads the unit’s work on supply chain security and works on telecommunications security, including the EU Toolbox for 5G security. James also works on secure and resilient connectivity projects, within the EU and beyond, including under the EU-US Trade and Technology Council. Previously, James worked on emerging digital finance issues, including operational resilience and open finance. James began his professional life in the military before moving to the private sector working on digital and security issues.
Panellists
Sebastian Proksch (TUDELFT - FASTEN project) Sebastian Proksch is a researcher interested in demystifying the software development process, both from the perspective of individuals and of teams. He studies the impact of novel technologies and envisions new tools to support software engineers in their day-to-day tasks. His most recent work in the CI/CD area has created tools that facilitate the adoption of CI/CD and help developers spot anti-patterns in their build pipelines. Sebastian Proksch is Assistant Professor in the Software Engineering Research Group at Delft University of Technology (Netherlands) and the scientific coordinator of the FASTEN project.
David Wheeler (Linux Foundation - OpenSSF) Dr. David A. Wheeler is the Director of Open Source Supply Chain Security at the Linux Foundation and teaches a graduate course on developing secure software at George Mason University. Dr. Wheeler has a PhD in Information Technology (on countering subverted / “trusting trust” compilers), a Master's in Computer Science, certificates in Information Security and Software Engineering, and a B.S. in Electronics Engineering. He helped develop the 2009 U.S. Department of Defense policy on open source software. He is a Certified Information Systems Security Professional (CISSP) and Senior Member of the Institute of Electrical and Electronics Engineers (IEEE).
Volkmar Lotz (SAP) Volkmar Lotz is Head of SAP Security Research, a group of researchers aiming at future-proofing SAP’s security and privacy, in line with SAP’s business and technology strategy and global trends, covering topics ranging from applied cryptography over securing AI applications to software security analysis. He has 30+ years’ experience in industrial research on Security and Software Engineering. His own research interests include security certification, software security, and application security. He is located in Sophia Antipolis, France. Volkmar holds a diploma in Computer Science from the University of Kaiserslautern.
Maika Föhrenbach (EC-CONNECT) Maika Föhrenbach is currently Policy Officer in the Unit for cybersecurity and digital privacy policy at DG CONNECT. In this position, Maika is part of the team working on the Cyber Resilience Act. Maika also works on the implementation of the EU cybersecurity certification framework, and is in charge of the EU-US cybersecurity dialogue for CNECT. Previously, Maika worked in the Unit for Cloud & Software at DG CNECT on cloud security and sovereignty issues. She started her professional life in the private sector working with different trade associations on digital files.
Gaël Blondelle (Eclipse Foundation AISBL) Gaël Blondelle is passionate about open source software and open source ecosystems. He joined the Eclipse Foundation in 2013 and now serves as Chief Membership Officer. He has been involved in the open source arena for more than 18 years in a number of key roles. Gaël co-founded an open source start-up and worked as its Chief Technology Officer. Gaël then worked in business development for an open source systems integration company, helping to expand its customer base. Gaël also managed highly strategic research IT projects aiming to create open source ecosystems for major industrial players – including the likes of Airbus, Thales and Ericsson. Gaël joined the Eclipse Foundation to pursue his goal of helping more companies work in open source, and to implement open, innovative and collaborative ecosystems for mission-critical applications. Gaël is a known advocate of the benefits of open source and a sought-after keynote speaker at global industry events. Originally from Champagne (France), Gaël is a Computer Science graduate of TELECOM Nancy. Now based in Toulouse, he enjoys travel, hiking, as well as spending time with his family.