Open Source Summit North America 2025

The federal government builds and maintains hundreds of thousands of software systems - and it would be difficult to find a system that doesn't rely on open source software. In fact, the government is likely the single largest consumer of OSS in the world and considering the criticality of the mission, the security of those systems is paramount. There has been limited guidance on how government programs should select, consume, contribute to, and publish open source software, but things are getting better! This session will discuss the current landscape of open source in the federal government and present methods for how we can secure our own systems with tools and processes to vet open source projects, ingest that software securely, and support those projects with substantive contributions.
Attendees from government entities, contractors, and members of the community should attend to learn how the government can tackle the supply chain risks inherent in open source while still capturing the benefits that it has to offer. They'll come away with an understanding of how this might impact their work, and how by working together we can build a better open source ecosystem for everyone.

Most modern software assumes the internet is always available—but what happens when it’s not? Air-gapped environments are more prevalent than you might think. While they are essential in government, they’re also common in finance, healthcare, and manufacturing. Yet, a surprising amount of today’s tooling—from CI/CD pipelines to package managers—relies on network access and fails when that assumption is broken.

Working in these environments means finding new ways to handle familiar problems. In this talk, we’ll look at the challenges teams face when managing dependencies, applying updates, and automating deliveries without internet access. We’ll share practical solutions, real-world examples, and ways to make modern development practices work in restricted environments.

In this session we will perform a case study of load testing for a US State’s Unemployment Insurance Modernization initiative. We will talk about the unique requirements and constraints of the project, such as the looming specter of the COVID-19 Unemployment boom. We’ll also review how the testing was done and why we ultimately decided on using browser-based tools such as Artillery with Playwright to build a testing system that could deliver and measure massive amounts of realistic traffic in a way that is quick (30 minutes) and easy to run. Attendees will walk away with an understanding of how one might approach load testing for a system like this, and why using browser based testing might or might not be a good idea.

As government regulations, such as Executive Order 14028 - Improving the Nation's Cybersecurity, drive organizations to adopt Software Bill of Materials (SBOM) reporting, modern software systems face unique challenges in achieving compliance. Decoupled cloud-native architectures—comprised of microservices, containers, APIs, and distributed dependencies—make it exponentially more difficult to produce accurate, real-time SBOMs. This talk explores the complexities of implementing SBOM practices in distributed environments, the risks of non-compliance, and strategies to streamline compliance efforts.

Most developers generating SBOMs use a tool like Syft or Trivy and yell “SHIP IT!” While this might generate an NTIA Minimum Field adherent SBOM, it often lacks information that truly makes it actionable for downstream users.

This talk covers the work of a CISA SBOM Community Tiger Team who created SBOM Generation Reference Implementations for multiple languages and scenarios. We will discuss the distinct phases of SBOM generation and highlighting how each step contributes to a more robust and actionable SBOM. By expanding the SBOM authoring process, organizations can better integrate multiple data sources, enhance metadata accuracy, and customize their workflows to align with evolving security frameworks. This approach enables tool interchangeability while maintaining data integrity and transparency.

Additionally, we will explore implementations, including the integration of SBOM generation into CI/CD pipelines using GitHub and GitLab, supporting multiple programming languages, and ensuring interoperability with both CycloneDX and SPDX formats. We will also discuss ecosystem challenges such as supplier identification, license consistency, and benchmarking completeness.

With escalating cyber threats and increasing regulatory pressure, government agencies face a critical need to modernize their security strategies. The Zero Trust model—"never trust, always verify"—has emerged as a cornerstone for safeguarding sensitive data and infrastructure. However, implementing Zero Trust in government settings presents unique challenges, including legacy systems, complex compliance requirements, and the need to balance security with operational efficiency. This talk will provide a roadmap for adopting Zero Trust principles in government environments, offering actionable insights to overcome obstacles and ensure mission readiness.

Drawing from our experiences within the public sector, we discuss software supply chain security as it pertains to public sector organizations, including the unique risks and challenges they face and how we can all work together to improve the security of the open source ecosystem.

In this session, I will explore how Generative AI agents are becoming a cornerstone of Digital Public Infrastructure (DPI) using open source, reshaping citizen services and empowering governments to deliver more efficient, responsive, and accessible public services. Learn how Generative AI Agents are revolutionizing government websites, offering 24/7 citizen support, and providing real-time assistance across a wide range of public services. With the ability to handle inquiries, process data, and generate personalized responses, these AI agents significantly reduce wait times and streamline interactions, ensuring faster and more seamless communication between citizens and government agencies. We’ll dive into practical applications, from simplifying bureaucracy to enhancing transparency and accountability, and discuss the transformative potential of Generative AI in creating smarter, more inclusive government channels.

As security concerns continue to grow in the software industry, customers seek assurance that the software they rely on is built securely. While applying security patches is essential, it is equally important to understand the proactive measures taken throughout the development process to ensure that our software is built securely.

Red Hat follows a comprehensive Secure Software Development Lifecycle (SDLC) framework to improve software security during the entire software lifecycle. We use an open source end-to-end build and release environment, which uses SLSA framework as a guide for reinforcing and gating the build process to secure and fortify your software supply chain against various threats.

This session will include:
- The key difference between proactive and reactive security measures.
- SDLC objectives and how Red Hat achieves them to meet high security standards.
- Overview of how automated testing and open-source solutions enhance SDLC.
- Proactive vulnerability management during the build lifecycle phase.
- Secure software building with attestation data production, including CSAF/VEX and SBOM.
- Future of AI testing within the software supply chain security.

Additional Authors: Jiyong Jang & Douglas Schales, IBM Research

Software supply chain attacks have surged in recent years, posing significant threats to organizations. In response, Software Bill of Materials (SBOMs)—structured inventories that document software components—have been proposed to enhance supply chain transparency, track dependencies, and manage vulnerabilities. Despite increasing adoption, their correctness and completeness in real-world open-source ecosystems remain largely unexamined. Incomplete SBOMs can result in overlooked vulnerabilities while incorrect dependency may waste resources on non-existent issues.

This talk introduces JBomAudit, an open-source tool to automatically verify Java SBOMs by systematically assessing their correctness and completeness against NTIA minimum requirements. We will cover technical details of JBomAudit, demonstrate how it examines missing and incorrect dependencies, and present findings from our large-scale analysis of over 25,000 Java SBOMs, highlighting the prevalence of non-compliant SBOMs and security implications. We will also discuss common pitfalls in SBOM generation, analyze the root causes of non-compliance, and provide actionable recommendations to improve SBOM quality.