Philippe Ombredanne is a FOSS hacker on a mission to make it easier and safer to reuse FOSS code. He is the maintainer of ScanCode, the industry standard licence detection tool, and other open-source tools for software composition analysis and licence & security compliance at AboutCode.org.
Philippe is the project lead in two supply chain projects funded by NGI0: FOSS Code Supply Chain Assurance, which is building a new system to help verify the integrity of deployed code packages and validate their origin against external data sources, with the potential to mitigate attacks on open-source package supply chains by detecting whether a package in use matches verified code through exact and approximate matching of sources and binaries; and the Free Software Vulnerability Database, a resource set up to aggregate software updates.
SME
We are on a mission to make it easier to reuse free and open source software to build better apps and systems, faster and more efficiently. For this we are creating best-in-class open source tools and open data for software origin, license and security determination to help secure your software supply chain.
PLENARY 4 : Securing the Open-Source Frontier: Navigating Supply Chain Risks
Open-source components are everywhere in digital infrastructure, products and services. The modern ecosystem offers a wealth of advantages for an open-source software developer, enabling fast, permission-less innovation. However, incorporating third-party code, even from trusted sources, introduces an element of uncertainty. This uncertainty is precisely where supply chain attacks come into play, and it underscores the need for a proactive approach to security.
When contributing to or relying on open-source or any software development projects, it is essential to consider the integrity of the entire supply chain and ensure that all contributors across the chain adhere to best security practices. Collaborative efforts within the open-source community, such as code audits and timely updates, are essential in maintaining a robust defence against supply chain threats.
The panel will bring together experts in software supply chain, open source and the software industry. It will discuss how open source empowers developers but also obliges them to be vigilant guardians of the software supply chain, and how, balancing the benefits against the risks, security measures are essential to uphold the trust placed in open-source development.
Anthony Harrison is an experienced independent consultant from the UK delivering and securing mission critical systems. He founded and is currently the director of APH10, a consultancy focused on helping organisations manage software risks more effectively.
He has been involved in promoting the software bill of materials (SBOM) since 2021 as a way of supporting vulnerability management, and has taken part in various working groups related to SBOM, including the SBOM Forum, SPDX Defects and the OpenSSF SBOM Everywhere initiative.
Anthony has also been actively promoting open-source for many years and regularly contributes to an increasing number of related projects.
Start-up
APH10 was founded in 2022 to help organizations identify, assess, and mitigate software risks, especially those related to security and resilience.
APH10 is currently developing a product to reduce the time and effort required to assess and manage software vulnerabilities by providing an automated process that prioritises the vulnerabilities.
Prof. Dr Georg Rehm is principal researcher in the Speech and Language Technology Lab at the German Research Center for Artificial Intelligence (DFKI) and adjunct professor at Humboldt University of Berlin. Georg currently coordinates the Language Data Space (LDS) project, co-coordinates the European Language Equality (ELE and ELE2) project and is involved as principal investigator in many more. In 2018, he was appointed DFKI research fellow for outstanding scientific achievements and special accomplishments in technology transfer.
Since 2013, he has headed the German/Austrian Chapter of the World Wide Web Consortium (W3C) in Berlin. Georg is also a member of the DIN Presidential Committee FOCUS.ICT which addresses ICT and standardisation matters, and in 2021/2022 was secretary of the European Chapter of the Association for Computational Linguistics (EACL).
Georg holds an MA in computational linguistics and artificial intelligence, linguistics and computer science. After completing his PhD in computational linguistics, he worked at the University of Tübingen leading projects on the sustainability of language resources and technologies. He joined DFKI in early 2010 after being part of an award-winning internet start-up. Georg has authored, co-authored or edited more than 250 research publications.
Research centre
The German Research Center for Artificial Intelligence (DFKI) was founded in 1988 as a non-profit public-private partnership. It has research facilities in Kaiserslautern, Saarbrücken, Bremen and Niedersachsen, laboratories in Berlin and Darmstadt, and branch offices in Lübeck and Trier. In the field of innovative commercial software technology using Artificial Intelligence, DFKI is the leading research center in Germany. Based on application-oriented basic research, DFKI develops product functions, prototypes and patentable solutions in the field of information and communication technology. Research and development projects are conducted in 28 research departments, nine competence centers and eight living labs.

Funding is received from government agencies such as the European Union, the Federal Ministry of Education and Research (BMBF), the Federal Ministry for Economic Affairs and Climate Action (BMWK), the German Federal States and the German Research Foundation (DFG), as well as from cooperation with industrial partners. Twice a year, a committee of internationally renowned experts (Scientific Advisory Board) audits the progress and results of state-funded projects. Apart from the state governments of Rhineland-Palatinate, Saarland and Bremen, numerous renowned German and international high-tech companies from a wide range of industrial sectors are represented on the DFKI supervisory board. The DFKI model of a non-profit public-private partnership (ppp) is nationally and internationally considered a blueprint for corporate structure in the field of top-level research.

DFKI is actively involved in numerous organizations representing and continuously advancing Germany as an excellent location for cutting-edge research and technology. Far beyond the country's borders DFKI enjoys an excellent reputation for its academic training of young scientists. At present, approx. 930 highly qualified researchers and administrators and 630 graduate students from more than 76 countries are contributing to more than 560 DFKI research projects. Over the years, more than 160 staff members have been appointed professors at universities in Germany and abroad.