OpenSource SecurityCon 2026 on TLDRecap ⏮️

Lightning Talk: Your Most Privileged User Isn't Human: The Agent Security Blinds... Atulpriya Sharma

Tue, 24 Mar 2026 00:19:11 -0700

Presenters

Atulpriya Sharma

Source

OpenSource SecurityCon 2026

Your Most Privileged User Isn’t Human: Securing AI Agents in Production 🤖💡

Ever wonder who’s the most powerful entity in your system today? It’s probably not a human. It’s your AI agent. And while these autonomous digital workers are revolutionizing how we operate, they’re also creating gaps in our security postures that we urgently need to address.

Atulpriya Sharma, a Senior Developer Advocate at Improving (formerly InfraCloud), CNCF Ambassador, and co-chair of KubeCon India 2025, recently shed light on this critical challenge. He compellingly argued that our existing security paradigms, built for humans, are simply not ready for the unique nature of AI agents.

Quantum Proofing Sigstore: A Tale of Three Approaches - Kevin Conner & Firas Ghanmi, Red Hat

Tue, 24 Mar 2026 00:19:11 -0700

Presenters

Source

OpenSource SecurityCon 2026

Quantum-Proofing Sigstore: Three Bold Approaches to Secure Our Software Supply Chain 🚀

The digital world runs on trust, and in the realm of software, that trust increasingly relies on robust supply chain security. Sigstore stands as a critical pillar, ensuring the integrity and authenticity of software artifacts. But what happens when the very foundations of our cryptographic security are threatened? Enter quantum computing – a game-changer that could render today’s most secure algorithms obsolete.

Simplifying Global Compliance for CNCF Projects With the OpenSSF OSPS Baseline - Madalin Neag

Tue, 24 Mar 2026 00:19:11 -0700

Presenters

Madalin Neag

Source

OpenSource SecurityCon 2026

Navigating the Global Compliance Maze: How OpenSSF OSPO’s Baseline Simplifies Security for Open Source 🌐🛡️

The world of open source software is a vibrant, collaborative engine powering critical infrastructure across the globe. From finance and healthcare to transportation and energy, open source projects are the unsung heroes. But as these projects grow in importance, so does the scrutiny they face, particularly regarding security and compliance. Madalin Neag, an EU Policy Advisor at OpenSSF, sheds light on the increasingly complex regulatory landscape and introduces a powerful solution: the OpenSSF OSPO’s Baseline.

Upstream Collaboration for the Win (of the CRA)! - Georg Kunz & Jan Melen

Tue, 24 Mar 2026 00:19:11 -0700

Presenters

Source

OpenSource SecurityCon 2026

Navigating the Cyber Resilience Act (CRA): Why Upstream Collaboration is Your Secret Weapon 🛡️🤝

The digital world is evolving at lightning speed, and with it, the complexities of securing our software supply chains. Enter the Cyber Resilience Act (CRA), a formidable new regulation poised to reshape how software manufacturers operate. But what if this challenge isn’t just a hurdle, but a golden opportunity?

Zero Privilege Architecture - 3 Years Onward - Thijs Ebbers & Tadeo Sanchez, ING

Tue, 24 Mar 2026 00:19:11 -0700

Presenters

Source

OpenSource SecurityCon 2026

🛡️ Beyond Zero Trust: How ING Achieves Zero Breaches with Zero Privilege Architecture

Imagine a world where production environments run autonomously, human error is designed out of the system, and security breaches simply don’t happen. For the team at ING, this isn’t a pipe dream—it is their daily reality.

In a recent deep dive, Thijs Ebbers (Architect) and Tadeo Sanchez (Lead Engineer) shared the secrets behind their container hosting platform’s success. The numbers speak for themselves: zero security breaches and 100% uptime. 🚀

From Mild To Wild: How Hot Can Your SLSA Be? - Andrew McNamara & Adolfo García Veytia

Tue, 24 Mar 2026 00:19:09 -0700

Presenters

Source

OpenSource SecurityCon 2026

Level Up Your Software Supply Chain: Policy Engines for Attestations and Provenance 🚀

Hey tech enthusiasts! 👋 Ever feel like generating software attestations and provenance is the easy part, but actually using that valuable data feels like a black box? You’re not alone! Andrew McNamara from Red Hat and Adolfo García Veytia (aka “puerco”) from the Kubernetes release engineering team are here to demystify this crucial step. They’re showcasing how policy engines can transform your attestations and provenance into actionable, automated decisions for a more secure software supply chain.

Lightning Talk: A Supply Chain Security View of OpenSearch - Ram Iyengar, Linux Foundation

Tue, 24 Mar 2026 00:19:09 -0700

Presenters

Ram Iyengar

Source

OpenSource SecurityCon 2026

Strengthening Open Source Security: A Look at OpenSearch’s Journey 🚀

Hey tech enthusiasts! 👋 It’s your favorite blogger here, diving deep into the crucial world of open source security. Today, we’re dissecting the efforts of a prominent project, OpenSearch, and exploring how we can all contribute to a more secure digital ecosystem.

The “Finger in the Dike” Analogy: A Developer’s Reality 🤏

We’ve all heard the classic tale of the little boy with his finger in the dike, preventing a flood. In the open source world, many developers find themselves in a similar, albeit digital, predicament. They’re often the first line of defense, patching vulnerabilities and ensuring the stability of projects while juggling feature development and community demands. This constant “plugging the holes” can be exhausting and, frankly, unsustainable.

Open Source SecurityCon | Sponsored Keynote: From Packets to Pods: Lessons from 25... Gerald Combs

Tue, 24 Mar 2026 00:19:09 -0700

Presenters

Gerald Combs

Source

OpenSource SecurityCon 2026

The Magic of Open Source: Building Communities That Matter ✨

Hey tech enthusiasts! 👋 Ever wondered what makes open-source projects like Wireshark and Falco tick? Gerald Combs, the brilliant mind behind Wireshark and a key contributor to Falco, recently shared some incredible insights into nurturing these vital communities. It’s not just about code; it’s about people, purpose, and progress. Let’s dive into what makes these projects, and by extension, the systems they power, so robust and reliable.

Panel: It’s Not If, It’s When - Practical Preparation for the Next Software Supply Chain Attack

Tue, 24 Mar 2026 00:19:09 -0700

Presenters

Source

OpenSource SecurityCon 2026

Navigating the Storm: Practical Strategies for Modern Supply Chain Security 🛡️

The digital landscape is a battlefield, and the supply chain is the new frontier. From the chilling lyrics of a song about relentless attacks to the serious discussions of industry leaders, one thing is clear: the threat to our software supply chains is real, it’s evolving, and we need practical strategies to defend ourselves. This panel brought together some brilliant minds to tackle this critical issue, and here’s a breakdown of their insights.

Tarmageddon: One Bug, Four Forks, and a Disclosure Scavenger Hunt - Marina Moore & Alex Zenla, Edera

Tue, 24 Mar 2026 00:19:09 -0700

Presenters

Source

OpenSource SecurityCon 2026

The Unseen Dangers in Open Source: A Deep Dive into a Critical Tar Bug 🐛💻

Hey tech enthusiasts! 👋 Ever wonder what lurks beneath the surface of the open-source software you use every day? Today, we’re diving deep into a fascinating, albeit slightly terrifying, bug that Marina Moore (Head of Research at Ada) and Alex Zenla (CTO of Ada) stumbled upon. This isn’t just about a single bug; it’s a journey into the intricate world of software supply chain security, the complexities of open-source ecosystems, and the often-overlooked responsibilities of project maintainers. 🚀

Thinking About Source Code Security in New Ways - Yongjae Chung & Justin Cappos, New York University

Tue, 24 Mar 2026 00:19:09 -0700

Presenters

Source

OpenSource SecurityCon 2026

🛡️ Beyond the Green Checkmark: Securing Source Code with git-tough

Source code serves as the foundation of our digital world, yet it remains an ideal target for attackers. We often trust the platforms where we host our code, but what happens when that trust is misplaced? At a recent tech talk, Justin Cappos (creator of TUF and in-toto) and Yongjae Chung (Master’s student and contributor) introduced git-tough, an incubating project under the OpenSSF designed to bring industrial-grade security directly into your Git workflow.

Trust, Tampering, and Transparency: What History Can Teach Us About Open Source... Lisa Tagliaferri

Tue, 24 Mar 2026 00:19:09 -0700

Presenters

Lisa Tagliaferri

Source

OpenSource SecurityCon 2026

From Chained Libraries to Sigstore: What 500 Years of History Teaches Us About Open Source Security 🚀

History and technology often feel like two parallel lines that never meet. However, Lisa Tagliaferri, a medieval and Renaissance historian turned open-source security expert, argues that the two are deeply intertwined. In a recent talk, Lisa shared how the ways we protected information in the 15th century mirror the ways we secure our software supply chains today.

Lightning Talk: A Case Study in Cross-Ecosystem Security Response - Lori Lorusso, Rust Foundation

Tue, 24 Mar 2026 00:19:08 -0700

Presenters

Source

OpenSource SecurityCon 2026

🦀 Strength in Numbers: How Cross-Ecosystem Collaboration Saved Rust from a Fishing Attack

In the world of open-source, we often talk about code, compilers, and performance. But what happens when the biggest threat isn’t a bug in the software, but a trap for the humans behind it? Lori Lorusso, Director of Outreach for the Rust Foundation, recently shared a compelling case study on how a “super team” of foundations joined forces to thwart a sophisticated phishing campaign.

Secure Your MCP Servers With OAuth, JWT, SPIFFE and More - Lin Sun, Solo.io & Yi Yang, IBM

Tue, 24 Mar 2026 00:19:08 -0700

Presenters

Source

OpenSource SecurityCon 2026

🔐 Secure Your AI: Mastering MCP Server Security with OAuth, JWT, and Spiffe

Welcome to Amsterdam! 🇳🇱 At the recent conference, Lin Sun (Head of Open Source at Solo.io) and Yi Yang (IBM) took the stage to tackle one of the most pressing challenges in the burgeoning world of AI agents: How do we move Model Context Protocol (MCP) servers from local experiments to secure, production-ready Kubernetes deployments?