Session: 2 for 1: The “Why” and “How” of SBOMs for Open Source Projects / The Unseen, Underappreciated Security Work Your Maintainers May (or may not) Already Be Doing

Cortez Frazier Jr.: The “Why” and “How” of SBOMs for Open Source Projects

SBOMs (software bill of materials) have become an increasingly important tool for large enterprises seeking to manage software supply chain security, fulfill customer requests, and ensure compliance with government and industry regulations.

But, as the software transparency movement grows, open source projects would be well-served to start thinking about SBOMs as well.

In this talk, I’ll discuss three big benefits of SBOM adoption for open source projects: to further software transparency, to fulfill open source license compliance requirements, and to stay a step ahead of false positive vulnerability harassment.

I’ll also walk attendees through a straightforward SBOM generation workflow using free and open source tools — along with guidance on approaches that are best for projects written in a single language compared to those in multiple languages.

Lauren Hanford & Seth Michael Larson: The Unseen, Underappreciated Security Work Your Maintainers May (or may not) Already Be Doing

urllib3 is a mission-critical, 15-year-old Python package. From a security perspective, urllib3 continues to lead the pack for Python packages in terms of implementing security standards like OpenSSF Scorecard, SLSA, and Trusted Publishers — adopting this new feature days after it was announced during PyCon US 2023. The team remediated two moderate-severity vulnerabilities in 2023 and made the fixes available in both the new v2.0 and security-fix-only v1.26.x release streams.

Join urllib3 lead maintainer Seth Larson and Tidelift VP of Product Lauren Hanford to discuss all of the security work happening in the best-maintained projects that you can’t observe or measure, including keeping environment variables from leaking out of their toolchain, limiting API token access, streamlining automated release processes, and more. Audience members will learn how they can do their part to ensure the projects they rely on follow these top practices.

Presenters: