SOSS Fusion Event - Feedback on content tracks

[theheels]

Hey folks, here are our proposed topics / tracks for our SOSS Fusion event in October.

• OSPO: Security and Open Source Program Offices (OSPOs)
• Maintainer Roles: Maintainer and Contributor roles in Securing Open Source Software
• SW Development: Need for Secure Open Source Software in the Software Development Lifecycle
• What’s Next: Fresh Ideas for Security Research and Innovation
• OSS as a Secure Digital Public Good (DPG): How the Public Sector (Gov’t) can Promote & Adopt Secure Open Source Software Principles
• As We Are: How Diversity Improved Security of Open Source Software
• Importance of Education and the Future of Secure Open Source Software

Notes, feedback, and patches welcome.

[mlieberman85]

I think there are a few things missing.

Maintainer roles and SW development works for secure software production.

Separately there's a need for a topic around secure open source software consumption, e.g. S2C2F, OSV scanner, etc. Maybe it could be combined with the OSPO topic if we broaden it.

Finally there's also the need for a topic around secure open source software (and metadata) storage and distribution. This would include things like how folks are securing npm, pypi, and specs/tools like deps.dev, osv, GUAC, etc.

[mlieberman85]

Who is the intended audience for SOSS?

[sevansdell]

Here is the sponsorship prospectus with more information about audience.

My question: If security conversations are consolidated into the SOSS Fusion, is there still a desire to also have security tracks and OSSF sponsorships at other developer oriented conferences (Kubecon, FOSDEM, StateofOpen, OSS Summit) as well? And OSS security tracks and OSSF sponsorships at established security conferences, like RSA or Blackhat / Defcon?

I believe consumer security practitioners have to choose between multiple established security cons, and multiple developer oriented cons security tracks, and the SOSS fusion con. With tight travel budgets, I wonder if consumer security practitioners be able to have an effective presence at all three types of cons? I know for myself this year I will have to be very selective, and am more apt to go to a larger security con and submit to/attend OSS tracks, or larger developer cons and submit to/attend security tracks. I believe a larger OSSF presence at existing cons could help stretch consumer security practitioner travel dollars and exposure to OSSF. This would be good brand awareness and hopefully help drive memberships. Similarly, local BSides and DevOps Days are easy for consumer security practitioners to get to, and I want to increase the awareness of OSSF in these distributed, easily accessible cons.

I am hoping the SOSS Fusion will be in parallel with investments in other cons, and not in place of.

[marcelamelara]

+1 to Mike's and Sarah's comments, and I definitely want to stress Sarah's point about travel restrictions and having to be selective about which conferences to attend. I've also got a few clarifying questions/comments.

What’s Next: Fresh Ideas for Security Research and Innovation

This track will be interesting for academic and industry researchers as well. While there are dedicated academic security conferences as well, academics have very limited venues for interacting with practitioners, even though they often work on practical problems. So, this feels like a great opportunity to bridge that gap. Hopefully, we can include these communities in the outreach for this particular track, at least.

As We Are: How Diversity Improved Security of Open Source Software

As currently written, this seems to suggest that the issue of diversity may be "solved". I'd suggest a re-wording of this, or maybe it's enough to change this track title to "Improves Security".

Importance of Education and the Future of Secure Open Source Software

Who's the audience for this track, and what sort of talks do you envision? One of the activities we've been looking to support as part of the DEI WG is to engage and connect with K-12 students in underrepresented groups, so this track may be a potential opportunity for outreach to these communities.

[hythloda]

in GC meeting there was a strong need for these tracks

• End User (Strong desire)
• Public Policy
• AI
• A per ecosystems track

[EricBrewer-g]

Maybe add a track or focus on ecosystems? (PyPI, Maven, Crate, RubyGems, NPM, etc.)

[arun-gupta]

The current proposed tracks seem to be more developer/maintainer-focused. There should be an End User-focused track that can tell stories on how organizations are making their processes more secure. This may include using OSSF tools and tools by other foundations to be more inclusive.

On AI, there should be a focus on what is being done to make AI more secure and how AI is used to improve security. This is particularly relevant given the responsible elements of LLMs.

There is a strong influence of public policy and the federal government on our work. I wonder if DPG track will capture that.