Nick Vidal

As we celebrate the triumph of open source software on its 25th anniversary, at the same time we have to acknowledge the great responsibility that its pervasiveness entails. Open source has become a vital component of a working society and there's a pressing need to secure it across the whole supply chain and beyond. In this session, we'll take the opportunity to look at three major advancements in open source security, from SBOMs and Sigstore to Confidential Computing. Open source plays a vital role in modern society given its pervasiveness in the Cloud, mobile devices, IoT, and critical infrastructure. Securing it at every step in the supply chain and beyond is of ultimate importance. As we prepare for the "next Log4Shell", there are some technologies that are emerging on the horizon, among which SBOMs, Sigstore, and Confidential Computing. In this session, we'll explore these technologies in detail. While SBOMs (Software Bill Of Materials) allow developers to track the dependencies of their software and ensure that they are using secure and reliable packages, Sigstore allows developers to verify the authenticity and integrity of open source packages, ensuring that the code has not been tampered with or compromised, Confidential Computing, on the other hand, protects code and data in use by performing computation in a hardware-based, attested Trusted Execution Environment, ensuring that sensitive code and data cannot be accessed or tampered by unauthorized parties, even if an attacker were to gain access to the computing infrastructure. SBOMs, Sigstore, and Confidential Computing provide a powerful combination to address security concerns and ensure the integrity and safety of open source software and data. They focus on “security first,” rather than perpetuating existing approaches which have typically attempted to bolt on security measures after development, or which rely on multiple semi-connected processes through the development process to provide marginal improvements to the overall security of an application and its deployment. As we celebrate the 25th anniversary of open source, these three technologies emerging represent a step forward on securing OSS across the whole supply chain and beyond. We foresee them playing a key role on minimizing the risk of vulnerabilities and protecting software and data against potential attacks, providing greater assurances for society as a whole.

Most CISOs and a great majority of developers are not aware of the importance of encrypting data in use (the core idea behind Confidential Computing). Confidential Computing is evolving rapidly and is starting to gain adoption by CSPs, but user adoption is still slow. But what if encrypting data in use became the default way to deploy applications, both in the Cloud and even on premises? In this session, we’ll discuss what are the main roadblocks towards this vision, what we can do about it, and what are the main implications if encrypting data in use becomes the norm.

There are three states in which data can be protected: at rest, in transit, and in use. Encrypting data at rest (e.g. files, objects, storage) and in transit (e.g. TLS, HTTPS) have become a common practice, while encrypting data in use (the core idea behind Confidential Computing) is still an emerging concern.

But while a common practice today, encrypting data in transit only gained wide adoption with the Let’s Encrypt movement, which was fundamental in changing the general mindset from “encryption is only important for e-commerce and banking applications” to “let’s encrypt everything by default, no matter what’s the application”. Confidential Computing is just starting to emerge, and most use cases are restricted to sectors like healthcare and banking, which require greater assurances that their sensitive code and data are protected.

We will look back at the Let's Encrypt project, which started 10 years, to understand why this movement was so successful and how we can replicate this success for encrypting data in use. Our hope is to make encrypting data in use the default way for deploying applications, which will fundamentally change the security approach that exists today.

Other people: Patrick Uiterwijk

February 2023 marks the 25th Anniversary of Open Source. This is a huge milestone for the whole community to celebrate! In this session, we'll travel back in time to understand our rich journey so far, and look forward towards the future to reimagine a new world where openness and collaboration prevail. Come along and celebrate with us this very special moment!

The open source software label was coined at a strategy session held on February 3rd, 1998 in Palo Alto, California. That same month, the Open Source Initiative (OSI) was founded as a general educational and advocacy organization to raise awareness and adoption for the superiority of an open development process. One of the first tasks undertaken by OSI was to draft the Open Source Definition (OSD). To this day, the OSD is considered a gold standard of open-source licensing.

In this session, we'll cover the rich and interconnected history of the Free Software and Open Source movements, and demonstrate how, against all odds, open source has come to "win" the world. But have we really won? Open source has always faced an extraordinary uphill battle: from misinformation and FUD (Fear Uncertainty and Doubt) constantly being spread by the most powerful corporations, to issues around sustainability and inclusion.

We'll navigate this rich history of open source and dive right into its future, exploring the several challenges and opportunities ahead, including its key role on fostering collaboration and innovation in emerging areas such as ML/AI and cybersecurity. We'll share an interactive timeline during the presentation and throughout the year, inviting the audience and the community at-large to share their open source stories and dreams with each other.

The Enarx project reached a huge milestone: its first official release, featuring WebAssembly runtime. WebAssembly and Confidential Computing are a great match because WebAssembly offers developers a wide range of language choices, it works across silicon architectures, and it provides a sandboxed environment. This presentation will highlight the benefits of WebAssembly to Confidential Computing and showcase some demos.

After 3 years since its inception, the Enarx project finally had its first official release, bringing WebAssembly to Confidential Computing.

Enarx is a deployment framework for running applications in TEE instances – which we refer to as “Keeps” – without the need to trust lots of dependencies, without the need to rewrite the application, and without the need to implement attestation separately.

The WebAssembly runtime, based on wasmtime, offers developers a wide range of language choices for implementation, including Rust, C, and C++. It is designed to work across silicon architectures transparently to the user so that the application can run equally simple on Intel platforms (SGX or the recently-announced TDX), AMD platforms (SEV) or forthcoming platforms such as Arms’ Realms and IBM’s PEF - all without having to recompile the application code. WebAssembly's sandbox model offers an extra layer of protection, isolating the application from the host.

The OSI was co-founded in 1998 by former Debian Project Leader Bruce Perens with the aim of explaining, advocating and protecting the term open source. Debian shares the OSI's desire to encourage software freedom and Debian's Social Contract commits it to producing a system which is 100% free. Since 2012, the Debian Project has been part of the Open Source Initiative (OSI) as an affiliate member. This panel/talk will discuss the role of the OSI, some of the history of the OSI and Debian but also how the OSI's Open Source Definition is closely based on the Debian Free Software Guidelines, the document that defines the types of software licenses which the Debian Project accepts.

Throughout the year of 2018, we celebrated the 20th Anniversary of Open Source. I'll provide an overview of what I've learned about the Open Source Community while celebrating its 20th Anniversary around the World.

In 2018, the OSI has organized several activities at major open source events worldwide to celebrate it's 20th Anniversary. Events included Linux Conf Australia, FOSDEM, Campus Party, FOSSAsia, OpenExpo Europe, OW2con, FOSS Backstage, OSCON, Open Source Summit, All Things Open, and Mozilla Festival.

As part of the OSI, I was able to work behind the scenes, as well as travel around the world, to help with the activities. This has allowed me to meet and talk with several members of the Open Source community: to learn from them, to hear their stories, and to discuss our future.

I hope to share some exciting insights from this experience!