June 23 - 25, 2025
Denver, Colorado
Note: The schedule is subject to change.


This schedule is displayed in Mountain Daylight Time (UTC/GMT -6).

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Venue: Bluebird Ballroom 2F
Monday, June 23
 

11:20am MDT

Building Trust in ML: Mapping the Model Lifecycle for ML Integrity and Transparency - Marcela Melara, Intel Labs
Monday June 23, 2025 11:20am - 12:00pm MDT
Open machine learning (ML) models and datasets are rapidly becoming central to building AI applications. While this trend accelerates innovation and democratizes AI, it exposes applications to security risks like data poisoning and supply chain attacks. Threats like malicious backdoors hidden in pre-trained ML models hosted on major hubs like Hugging Face emphasize the wide reach compromises can have. So, how do we build trust in the ML lifecycle? 
This talk presents Atlas, a framework that combines open specifications for data and software supply chain provenance like Coalition for Content Provenance and Authenticity (C2PA) and Supply-chain Levels for Software Artifacts (SLSA) with the integrity features of transparency logs and trusted hardware to run attestable ML pipelines. First, we motivate the need to safeguard all layers of the ML lifecycle. We describe and demonstrate how Atlas’s three core mechanisms enable verification: (1) cryptographic artifact authentication, (2) hardware-based attestation of ML systems, and (3) provenance tracking across ML pipelines. Our Atlas demo integrates several open-source tools to build an end-to-end ML lifecycle transparency system.
Speakers

Marcela Melara

Research Scientist, Intel Labs
Marcela Melara is a research scientist in the Security and Privacy Research group at Intel Labs. Her current work focuses on developing solutions for high-integrity software and AI supply chains. She leads a number of internal, academic and open-source projects on supply chain and...
Monday June 23, 2025 11:20am - 12:00pm MDT
Bluebird Ballroom 2F
  Cloud + Containers

1:30pm MDT

Mainframes Aren’t Dead, They’re Just Running Kubernetes Now - Josephine Pfeiffer, Red Hat
Monday June 23, 2025 1:30pm - 2:10pm MDT
Mainframes have been declared dead more times than JavaScript frameworks have been invented—but here they are, still running the backbone of global finance, government, and enterprise computing. And now? They’re running Kubernetes too.

This talk dives into the why and how of running Kubernetes on mainframes, from containerization on z/OS to networking, workload orchestration, and real-world use cases. We’ll break down the challenges, the benefits, and whether this is a clever hack or a genuinely viable approach for modern infrastructure. If you think mainframes are relics, think again—because they’re running microservices now.
Speakers

Josephine Pfeiffer

Senior Cloud Native Consultant, Red Hat
Josephine is a consultant specializing in developer productivity and infrastructure. She has worked for enterprises, SMEs, and startups in roles spanning platform engineering, DevOps, Site Reliability Engineering, and technology management. She is an active open-source contributor...
Monday June 23, 2025 1:30pm - 2:10pm MDT
Bluebird Ballroom 2F
  Cloud + Containers

2:25pm MDT

Through the Looking Glass: Leveraging Overton Window Concepts To Redefine Infrastructure as Code - Ben Somogyi, Lockheed Martin
Monday June 23, 2025 2:25pm - 3:05pm MDT
The Overton window, a concept originating in politics, refers to the range of policies that are considered acceptable to a broad and diverse audience. In this session, we will share our experiences and recommendations on how to successfully adapt to shifting "Overton Windows", as they pertain to mainstreaming our platform to support a wide range of customer requirements while minimizing non-recurring engineering expenses. At Lockheed Martin, we have developed a modular open system that incorporates Secure Supply Chain and Cloud Native standards, enabling us to rapidly deliver capabilities to customers in highly regulated and diverse environments, while navigating the complexities of evolving requirements and priorities.
Speakers

Ben Somogyi

Senior Staff DevSecOps Engineer, Lockheed Martin
Versatile, hands-on technical leader and software developer who is building cloud native solutions for Lockheed Martin and its customers.
Monday June 23, 2025 2:25pm - 3:05pm MDT
Bluebird Ballroom 2F
  Cloud + Containers

3:35pm MDT

Toward Usable Open-source Remote Attestation for Cloud and Edge - Lily Sturmann & Michael Peters, Red Hat
Monday June 23, 2025 3:35pm - 4:15pm MDT
The ability to quickly observe and respond to security threats on remote machines is critically important for business and infrastructure, yet gaps still exist when applying cryptographic attestation solutions in real-world scenarios. Accessible policy generation, clear ways to understand attestation results, and methods for handling system updates need to be available to make remote attestation feasible. Adapting attestation best practices and tools to environments like edge and IoT, with vast scale requirements and limited network connectivity, can pose challenges as well.

Using the speakers’ experience working on open source projects Keylime (remote attestation) and flightctl (edge management), the session will walk through design considerations and challenges in bringing these tools together to monitor remote fleets of edge, IoT, and cloud-based systems at key points in the devices’ lifecycles. Further, the session will discuss remaining open problems as well as some potential solutions working toward the goal of usable, clear, and accurate attestation of remote systems.
Speakers

Lily Sturmann

Principal Software Engineer, Red Hat
Lily is a principal software engineer at Red Hat in the Office of the CTO in Emerging Technologies. She has primarily worked on remote attestation, confidential computing, and software supply chain security. Her favorite language is Rust.

Michael Peters

Principal Engineer, Red Hat
Michael Peters is a Principal Engineer in Emerging Technologies in Red Hat's Office of the CTO. He is a senior systems engineer and programmer with an emphasis on DevOps, Security, and Operability and is one of the current maintainers of the Keylime project. His experience in both...
Monday June 23, 2025 3:35pm - 4:15pm MDT
Bluebird Ballroom 2F
  Cloud + Containers

4:30pm MDT

Effortless Secure and Control Traffic Using Kubernetes Gateway API for Ingress, Egress and Mesh Traf - Lin Sun, solo.io
Monday June 23, 2025 4:30pm - 5:10pm MDT
How do you secure and control traffic for your north-south (ingress/egress) and east-west (service-to-service) traffic within your Kubernetes cluster? Do you have a unified approach for debugging, observability, and operational consistency across all traffic types?
With the growing maturity of the Kubernetes Gateway API, it’s now easier than ever to manage traffic in all directions with a unified and consistent approach. The Gateway API allows you to control and secure traffic flow without requiring application restarts, offering a seamless way to manage both ingress and egress traffic, as well as service mesh (east-west) communication.
This demo-driven session will showcase how to use the Kubernetes Gateway API to control traffic for both north-south and east-west directions. Leveraging Istio Ambient Mesh, Kgateway, and HTTP metrics, we’ll dynamically monitor application health, progressively roll out new versions, and control external API calls to optimize costs.
Speakers

Lin Sun

Head of Open-Source, solo.io
Lin is the Head of Open Source at Solo.io, and a CNCF TOC member and ambassador. She has worked on the Istio service mesh since the beginning of the project in 2017 and serves on the Istio Steering Committee and Technical Oversight Committee. Previously, she was a Senior Technical...
Monday June 23, 2025 4:30pm - 5:10pm MDT
Bluebird Ballroom 2F
  Cloud + Containers
 
Tuesday, June 24
 

11:00am MDT

Bring the Power of Wireshark To Syscalls and Logs With Stratoshark - Gerald Combs, Sysdig, Wireshark Foundation
Tuesday June 24, 2025 11:00am - 11:40am MDT
Stratoshark is a powerful system call and log analyzer built on Wireshark's ubiquitous exploration, drill-down, and analysis capabilities. It is enriched with data sources from the libraries of the open source detection engine Falco, the standard for cloud-native threat detection. Stratoshark enables deep analysis and troubleshooting across Linux servers, Kubernetes clusters, and any system that generates Linux system calls or real-time log events. But fear not, Stratoshark maintains Wireshark’s classic, intuitive interface.

In this talk, Gerald Combs, the creator of Wireshark and co-creator of Stratoshark, will provide an update on the project since its announcement in January and showcase a live demo of Stratoshark, including how it extends the familiar Wireshark user experience to system calls and AWS audit events. Learn how Stratoshark builds on a legacy of open source innovation to broaden and modernize Wireshark’s range of use cases into cloud-native computing.
Speakers

Gerald Combs

Director of Open Source Projects, Sysdig, Wireshark Foundation
Gerald has the great fortune of working with fantastic open source teams as part of Wireshark's leadership and at Sysdig.
Tuesday June 24, 2025 11:00am - 11:40am MDT
Bluebird Ballroom 2F
  Cloud + Containers

11:55am MDT

Mock Me If You Can: Using Mocks in Container Applications for Integration Testing - John Coyne, Discover Financial Services
Tuesday June 24, 2025 11:55am - 12:35pm MDT
Automated testing needs to offer fast, reliable feedback so that defects can be quickly identified and resolved. In this session, I'll talk about how to use the open-source service virtualization framework, Wiremock, as a sidecar container to mock out the dependent services of an application running in a container platform. This can be used in Narrow Integration testing of an application as part of a CI/CD pipeline to ensure maximum code coverage along with stability of the test suite.

I'll walk attendees through a demo of practical use and share some best practices I've learned when setting up a Wiremock container for testing. Attendees will leave with a better understanding of Wiremock and tips for how to use it in their own testing scenarios.
Speakers

John Coyne

Distinguished Engineer of Application Engineering, Discover Financial Services
John is a Distinguished Engineer of Application Engineering at Discover Financial Services with over 20 years of experience building Java applications. His current interests include Observability, CI/CD automation, Kubernetes, and good API design. Outside of work, John enjoys spending...
Tuesday June 24, 2025 11:55am - 12:35pm MDT
Bluebird Ballroom 2F
  Cloud + Containers

2:10pm MDT

Whoops! I Accidentally Leaked My Cloud Keys - Eve Martin-Jones & Hayden Blauzvern, Google
Tuesday June 24, 2025 2:10pm - 2:50pm MDT
Leaked credentials aren't a new problem, but the primacy and complexity of Cloud environments means that leaked credentials are more likely than ever to be your problem. Not only that, but recent research has shown that it may only be a matter of seconds between a leak and an exploit. As the systems for developing, building, publishing and deploying applications become more sophisticated, the types of leaks developers need to guard against also change.

In this talk, we will present new research by the Google Open Source Security Team into when and how developers leak credentials in modern software applications. We'll discuss some of the common ways leaks occur for developers of open source artifacts like containers and software packages. We'll also provide practical insights into scalable credential scanning and ecosystem-level protections for developers and organizations who want to keep their credentials secure to help when every second counts.
Speakers

Eve Martin-Jones

Senior Software Engineer, Google
Eve is an engineer working on open source software security at Google. She lives in Australia, with her cat Mochi, who is surprisingly proficient at JavaScript. Between D&D campaigns, she can be found deciphering the Cargo dependency-resolution algorithm bug-for-bug, advocating for...

Hayden Blauzvern

Technical Lead Manager, Google
Hayden Blauzvern is a technical lead manager on Google’s Open Source Security Team, focused on making open-source software more secure through code signing and applied transparency. Hayden is a maintainer and the community chair on the Sigstore project.
Tuesday June 24, 2025 2:10pm - 2:50pm MDT
Bluebird Ballroom 2F
  Cloud + Containers
  • Audience Experience Level Any

3:05pm MDT

Apache Gravitino: A Multi-regional, Geo-distributed Meta Datalake - Justin Mclean, Datastrato
Tuesday June 24, 2025 3:05pm - 3:45pm MDT
Managing metadata can be complex and time-consuming, but Apache Gravitino offers the ultimate solution. It provides a single source of truth for multi-regional data with geo-distributed architecture support. This allows you to store and manage your data in one place, accessible from anywhere globally. With unified data and AI asset management, you get centralized security and data access management, making data protection easier. Gravitino helps you focus more on your data by simplifying tasks and offering these benefits:
- Secure and centralized metadata storage and management
- Anytime, anywhere data access
- Streamlined data management with an easy-to-use UI
Gravitino is the ideal solution for simplifying metadata management processes.
Speakers

Justin Mclean

Community Manager, Datastrato
Justin Mclean is a highly experienced professional with over 30 years in web application development, education, and community work, and is an active contributor to open source software. Justin is a renowned speaker at conferences worldwide and currently serves as the Community Manager...
Tuesday June 24, 2025 3:05pm - 3:45pm MDT
Bluebird Ballroom 2F
  Cloud + Containers

4:20pm MDT

Intuit Journey To Unified Observability at Scale: Challenges, Benefits and Lessons Learned - Kalyan Kolachala & Ashwini Dulam, Intuit
Tuesday June 24, 2025 4:20pm - 5:00pm MDT
At Intuit we have ~320 Kubernetes clusters running ~8000 services and ~40 addons per cluster, which generate ~2 billion active time series metrics, 10 million trace spans/sec and ~1.2PB of log data ingested (peak) in a single day. This talk focuses on Intuit’s journey from standalone, siloed, proprietary solutions for logs, metrics and traces to a unified observability solution. This is made possible by a data management architecture that enables seamless navigation and correlation between the different observability pillars, the use of AI/ML techniques to quickly detect and isolate problems, a UX that brings together all the elements of data discovery in an interactive experience, and high-level features such as golden signals, RUM (real user monitoring) and FCI (failed customer interactions). All of this leads to significantly lower MTTD and MTTI. We also discuss the challenges, choices, trade-offs, benefits and lessons learned during this journey.
Speakers

Kalyan Kolachala

Director, Development and site head, Intuit
Kalyan is a senior engineering leader with experience in delivering world class, enterprise products and platforms involving SaaS, Kubernetes, Cloud, big data, AI/ML, IoT and observability. At the current job at Intuit and previously at Hitachi Vantara, he has been responsible for...

Ashwini Dulam

Principal Engineer, Intuit
Ashwini is a Principal Software Engineer for the Intuit Observability and Analytics team in Bangalore, India. One of Ashwini’s current day-to-day focus areas is on the various challenges in building scalable, data and AIOps solutions for solving problems in the observability domain...
Tuesday June 24, 2025 4:20pm - 5:00pm MDT
Bluebird Ballroom 2F
  Cloud + Containers
 
Wednesday, June 25
 

11:00am MDT

Turning Policies, Standards, and Governance Into Enablers for Open-Source Innovation - Mark Paulsen, TD Bank
Wednesday June 25, 2025 11:00am - 11:20am MDT
Policies, standards, and governance are often perceived as hurdles for innovation - especially within regulated industries where it may be difficult to leverage and contribute to open-source. But there is a way to reframe these perceived obstacles and turn them into streamlined "guardrails" that can help drive innovation and enable the ability to not only consume, but also contribute to open-source.
Speakers

Mark Paulsen

Head, Open-Source Program Office, TD Bank
Over 20 years of experience in the tech industry working in startup environments as well as global enterprises. Passionate about building open and welcoming communities and helping developers around the world be successful, keep in the flow, and be happy in the job they love.
Wednesday June 25, 2025 11:00am - 11:20am MDT
Bluebird Ballroom 2F
  Standards + Specifications

11:20am MDT

Unlocking Telco APIs: How Open Source Is Driving Standardization & Interoperability - Markus Kummerle, Deutsche Telekom
Wednesday June 25, 2025 11:20am - 11:40am MDT
In the world of API development, standardization & interoperability are essential for seamless integration across industries. CAMARA Project, in collaboration with GSMA, TM Forum, and the LF, leads the charge in harmonizing telco API standards. Through open collaboration, the project has established a unified, industry-wide framework that simplifies API adoption for telco operators, enabling them to integrate with marketplaces, aggregators, & hyperscalers more efficiently.
This session summarizes the telco API ecosystem, the key organizations shaping it, and how developers can get involved:

- How CAMARA defines telco end-user-facing APIs and streamlines adoption for operators
- The GSMA Open Gateway Initiative’s role in standardizing API distribution across different channels
- TM Forum’s work in enabling communication between operators, marketplaces, and hyperscalers
- Practical ways developers can contribute—whether by implementing APIs within operators, connecting exposure platforms, integrating their own portals, or adapting products to fit into this growing ecosystem

Explore how OSS transforms the telco industry and how to be part of this collaborative movement!
Speakers

Markus Kummerle

Program Manager Deutsche Telekom API Exposure, Deutsche Telekom
Markus Kümmerle is responsible for the 5G Network Exposure Program at Deutsche Telekom. Since 2014 Markus has been responsible for Quality for the System Integration / Digital Solutions unit of T-Systems. In parallel, he continues driving large projects and programs. In 2020 he took...
Wednesday June 25, 2025 11:20am - 11:40am MDT
Bluebird Ballroom 2F
  Standards + Specifications

11:55am MDT

Developing a Community-Driven Standard for Open Source Software Quality - Philipp Ahmann, Etas GmbH (BOSCH) & Gabriele Paoloni, Red Hat
Wednesday June 25, 2025 11:55am - 12:35pm MDT
Established quality standards, designed for traditional V-Model (requirements-driven) development, are inadequate for evaluating and supporting the code-driven, CI/CD-based nature of modern (open source) software. This hinders OSS adoption in regulated industries, particularly for safety-critical systems. This session introduces a novel standard proposal specifically designed to assess OSS process capabilities by documenting open source best practices and providing a practical assessment guide. It aims to bridge the gap between OSS development practices and the needs of regulated industries, fostering greater trust and enabling wider adoption.

This session outlines the three phases from research to execution for establishing the standard, drawing on relevant academic research and showcasing exemplary open source projects with established best practices. The authors will also explore existing scoring initiatives and some quality metrics. The session concludes with a roadmap for collaborative development of the standard and a call to action for community participation.
Speakers

Philipp Ahmann

Sr. OSS Community Manager, Etas GmbH (BOSCH)
Philipp Ahmann is a Senior OSS Community Manager at ETAS (a Bosch subsidiary), specializing in safety-critical automotive open source software. With 15+ years' experience in Linux automotive platforms, he has held roles from software engineer to project & line manager. He currently...

Gabriele Paoloni

Sr SW Principal Engineer, Red Hat
Gabriele Paoloni is an Open Source Community Technical Leader at Red Hat. He is a passionate technologist and has strong experience in both functional safety and Linux Kernel development, including previous roles leading FuSa software architecture for Intel platforms, CCIX vice...
Wednesday June 25, 2025 11:55am - 12:35pm MDT
Bluebird Ballroom 2F
  Standards + Specifications

2:10pm MDT

We Need a Standard for Open Source Package Requirements - Elitsa Bankova & Eve Martin-Jones, Google
Wednesday June 25, 2025 2:10pm - 2:50pm MDT
What does a version specification look like? Most would say that one looks something like “1.2.3”.

But what does a requirement look like? That is a more complicated question and answers vary and depend on which packaging ecosystem —Maven, Cargo, PyPI and so on— is involved.

While Semver 2.0 offers a generally agreed upon syntax for versions, there is no standard for requirements.

Understanding how requirements work is required for addressing issues such as vulnerabilities and license conflicts. The absence of an agreed-upon requirement specification limits the ability to understand the problem and limits the sharing of tooling across ecosystems.

Deps.dev has looked at the way requirements are specified in five ecosystems and translated them into a single set representation that enables unified tooling. We’ve discovered many ecosystem-specific quirks, but also discovered much commonality we can build upon.

This talk will define the essence of requirements, demonstrate how they are incompletely met by various existing systems, and most importantly we will argue that a well-defined, well-supported requirement specification is vital to the industry.
Speakers

Eve Martin-Jones

Senior Software Engineer, Google
Eve is an engineer working on open source software security at Google. She lives in Australia, with her cat Mochi, who is surprisingly proficient at JavaScript. Between D&D campaigns, she can be found deciphering the Cargo dependency-resolution algorithm bug-for-bug, advocating for...

Elitsa Bankova

Software Engineer, Google
Elitsa is a Software engineer at Google, Australia and is working on Open Source security. She has lived in over 4 countries: born in Bulgaria, she graduated from the University of Edinburgh and worked in Google Switzerland before moving down under. Outside of work, you can find her...
Wednesday June 25, 2025 2:10pm - 2:50pm MDT
Bluebird Ballroom 2F
  Standards + Specifications

3:05pm MDT

Panel Discussion: Strengthening Software Supply Chains: Harmonizing SLSA Provenance and SPDX SBOM for Better Adoption - Gopi Krishnan Rajbahadur & Elyas Rashno, Queen's University; Mihai Maruseac, Google; Karen Bennet, Responsible AI Solutions
Wednesday June 25, 2025 3:05pm - 3:45pm MDT
The Software Bill of Materials (SBOM) and Supply-chain Levels for Software Artifacts (SLSA) are key frameworks for securing modern software supply chains. SPDX SBOM provides a detailed inventory of software components, dependencies, and metadata, while SLSA ensures these components are built through verifiable, tamper-resistant processes with clear provenance.

This talk will examine the synergies and differences between SLSA and SPDX SBOM, focusing on how SLSA’s provenance and authentication mechanisms can enhance the trustworthiness of SBOMs. We will explore overlapping fields captured by both standards, emphasizing the importance of interoperability and a shared roadmap to reduce duplication while leveraging their respective strengths.

A clear separation of concerns, with SLSA handling provenance and verification, and SPDX SBOM capturing comprehensive component metadata, can reduce redundancy and promote more efficient adoption. This session will outline how aligning these standards can improve software supply chain security and reliability, while fostering collaboration for cohesive evolution within the open-source community.
Speakers

Gopi Krishnan Rajbahadur

Research Fellow, Queen's University
Gopi Krishnan Rajbahadur is a Research Fellow at Queen's University, Canada. He is currently working on SE for Large Language Models and the governance of AI datasets. He is the co-lead for the AI and datasets profile in the ISO/IEC 5692 SPDX standard and co-founder of the open-source...

Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential...

Elyas Rashno

Research Assistant, Queen’s University
I am a PhD student at Queen’s University with a background in Artificial Intelligence, specializing in transformer-based models and multimodal data fusion. My current work focuses on software engineering and the governance of dataset profiles. Additionally, I contribute to the development...

Karen Bennet

Executive Director, AI Expert for ISO and IEEE, Responsible AI Solutions
Executive Director, Responsible AI Solutions, former executive of IBM, Yahoo, Red Hat and multiple AI startups, Co-Chair of Linux Foundation SPDX AI and Dataset Groups, IEEE Vice Chair Technology Society Impact Committee, Canadian expert of ISO/IEC JTC 1/SC 42, Participant in US CISA...
Wednesday June 25, 2025 3:05pm - 3:45pm MDT
Bluebird Ballroom 2F
  Standards + Specifications

4:20pm MDT

SBOMs in the Real World: Practical Guidance for Managing Three Common SBOM Scenarios - Cortez Frazier Jr., FOSSA
Wednesday June 25, 2025 4:20pm - 4:40pm MDT
The last 12-18 months have been a landmark period for SBOM (software bill of materials) adoption. Although a fair number of organizations have been producing SBOMs for multiple years (often for specific regulatory compliance purposes), a much larger group has recently implemented broader SBOM management programs that cover a wider range of use cases.

This presentation — “SBOMs in the Real World: Practical Guidance for Three Common SBOM Scenarios” — will focus on three of these emerging areas:

- SBOM generation and distribution to meet customer requests and new regulatory requirements
- SBOM aggregation from internal teams and product units to facilitate centralized vulnerability management and response
- SBOM ingestion from external software supplier networks to facilitate first- and third-party vulnerability management and response

Each section of this talk — which is based on extensive firsthand experience directly supporting numerous SBOM programs (from organizations in multiple regions, industries, and stages of maturity) — will include specific guidance to help attendees understand how SBOM programs within their organizations can more effectively manage these scenarios.

Speakers

Cortez Frazier Jr.

Principal Product Manager, FOSSA
Cortez Frazier Jr. is the product lead for FOSSA. FOSSA is a developer software composition analysis tool for managing open source license compliance and security vulnerabilities. Before joining FOSSA, Cortez served as product lead for all of Puppet’s SaaS-based products. Earlier...
Wednesday June 25, 2025 4:20pm - 4:40pm MDT
Bluebird Ballroom 2F
  Standards + Specifications

4:40pm MDT

Expanding the OpenChain Standards Portfolio - More Sister Standards? - Shane Coughlan, The Linux Foundation
Wednesday June 25, 2025 4:40pm - 5:00pm MDT
A discussion has opened inside the OpenChain community regarding what future standards may join the existing portfolio of ISO/IEC 5230 for license compliance and ISO/IEC 18974 for security assurance.

The focus of the OpenChain Project is on building trust in the supply chain, and on doing this from the perspective of compliance matters. In the last year, the project has begun to prepare guides for SBOM Quality Management and AI Bill of Material Compliance in the Supply Chain. Both of these read against the project charter and mission.

This talk will explore how these two guides could potentially grow into future ISO standards via the existing practices of the OpenChain Project and the lessons learned in making ISO/IEC 18974 in the 2023/2024 period. Rather than announcing new standards, the talk shares the processes involved in their consideration, to illustrate how open projects address ideas and proposals from all parties in a genuinely inclusive manner.
Speakers

Shane Coughlan

OpenChain General Manager, The Linux Foundation
Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated OIN into the largest patent non-aggression community in history and establishing the first global network for open...
Wednesday June 25, 2025 4:40pm - 5:00pm MDT
Bluebird Ballroom 2F
  Standards + Specifications
 