Loading…
December 10, 2024
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SOSS Community Day India 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in India Standard Time (UTC+5:30). To see the schedule in your preferred timezone, please select from the drop-down located at the bottom of the menu to the right.

or to bookmark your favorites and sync them to your phone or calendar.
strong>Entry Level [clear filter]
Tuesday, December 10
 

9:50am IST

Building a Security-First Open Source Project: Tools and Best Practices - Abhinav Sharma, KodeKloud
Tuesday December 10, 2024 9:50am - 10:10am IST
In this session, I will demonstrate how to build security into the DNA of your open source project from day one, using industry-tested tools and automation. You'll learn how to implement a comprehensive security strategy leveraging popular open source security tools including GitHub's CodeQL for advanced vulnerability detection, OpenSSF Scorecard for automated security best practices assessment, and key supply chain security frameworks. Through live demonstrations, we'll walk through setting up automated security scanning pipelines that catch vulnerabilities early and maintain high security standards without burdening developers.
Speakers
avatar for Abhinav Sharma

Abhinav Sharma

Site Reliability Engineer, KodeKloud
Site Reliability Engineer at KodeKloud. I am an Open source contributor, evaluating and contributed in various open source tools and projects, such as, Microsoft's Open source libraries, OpenCV, SUSE, etc. I am also a Google Summer of Code Mentor 2023 and with OpenSUSE. I am passionate... Read More →
Tuesday December 10, 2024 9:50am - 10:10am IST
Room 201 (Level 2)
  Breakout Sessions

12:25pm IST

Securing CI/CD: Complexity & Inspiration from Runtime Security - Abhimanyu Dhamija, KoalaLab
Tuesday December 10, 2024 12:25pm - 12:40pm IST
Growth of software supply chain attacks has propelled a deeper look into security of CI/CD. Build environments are prone to secrets/sensitive data exfiltration attacks. Covering here, the learnings around building BOLT(https://github.com/koalalab-inc/bolt), an Open-source tool which secure CI runtime(For GitHub Actions). Taking inspiration from Runtime security, enabling a firewall on buildtime/CI runtime(Egress-filter as CI is a traffic source) should be good start. Complexity 1: IP-based rules won't work. A lot of internet traffic is behind CDNs/WAFs, so egress-filter will require domain-name based filtering. Complexity 2: CI runtime has outbound traffic to multi-tenant systems like github/dockerhub/jfrog etc. This demands deep SSL based inspection capabilities in egress control. Solution: TLS interception+eBPF Linux kernel supports eBPF which provides a way to tap into SSL traffic without the need to decrypt traffic. Such a solution does not add any overhead for developers and is efficient. Covering implementation complexity of eBPF probing for various different kind of SSL libraries to make the solution comprehensive for all kinds of CI pipelines.
Speakers
avatar for Abhimanyu Dhamija

Abhimanyu Dhamija

Co-Founder, KoalaLab
Founder, KoalaLab:Software supply chain security company. Previously, Vice-President @Khatabook Head, Data Sciences@Housing.com
Tuesday December 10, 2024 12:25pm - 12:40pm IST
Room 201 (Level 2)
  Breakout Sessions

2:20pm IST

Connecting the Dots: SBOM and VEX in Software Security - Rajan Ravi, RedHat India Pvt. Ltd.
Tuesday December 10, 2024 2:20pm - 2:40pm IST
The Software Supply Chain encompasses all components, libraries, tools, systems, and processes involved in a software artifact. To support effective risk management and to reduce attack vector while creating a software artifact, SBOM (Software Bill Of Materials) and VEX (Vulnerability Exploitability eXchange) documents can be used. An SBOM is a comprehensive list that details all components, libraries, and dependencies within a software package. Meanwhile, VEX serves as a communication standard for vulnerabilities in a software component. Correlating SBOM and VEX data enables to choose high-quality components and ultimately reducing the attack vectors. In this session, we will discuss the significance of SBOM (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange) documents to mitigate the dependency threats. Additionally, we’ll look at how trustification.io (a foundation of the Red Hat Trusted Profile Analyzer) provides developers with easy access to curated builds and hardened open-source libraries that have been verified and attested through provenance checks. Open Source Project: Trustify (https://github.com/trustification/trustify)
Speakers
avatar for Rajan Ravi

Rajan Ravi

Senior Software Quality Engineer, RedHat India Pvt Ltd
I am Rajan, Senior Software Quality Engineer at RedHat with over 9 years of experience in software quality - currently pursuing a journey into software security within the supply chain, aiming to enhance the resilience and integrity of software products
Tuesday December 10, 2024 2:20pm - 2:40pm IST
Room 201 (Level 2)
  Breakout Sessions

3:10pm IST

From Bloat to Secure: Rethinking Container Base Images for the Modern Security Landscape - Abhishek Anand, KoalaLab
Tuesday December 10, 2024 3:10pm - 3:20pm IST
Containers have revolutionised SDLC but we still build them on Linux distributions designed for physical/virtual machines. The mismatch between single-process containers and full-system distros creates security risks. Minimal base containers are the solution, building them presents unique challenges & this talk presents suggestion around common problems building Secure base containers 1. Container-first Design: a. Traditional distros mark packages(like shell & coreutils) as essential based on machine runtime but real world containers don’t need that. b. Implement installation scripts to avoid unnecessary dependencies 2. Container build enhancements: a. Creating FROM SCRATCH images is tough, bootstrapping with package manager leads to cyclic or installation script dependencies. b. Support for rapid rebuild cycles. 3. Metadata framework: a. Current minimisation approaches miss out on metadata causing container scanning mismatches 4. Porting existing packages: a. The universe covered by existing distros is vast. it makes sense to create tools to transform those packages into self contained binaries that don’t require any package outside of runtime dependencies
Speakers
avatar for Abhishek Anand

Abhishek Anand

Co-Founder, KoalaLab
Tech entrepreneur building in Open Source Security.
Tuesday December 10, 2024 3:10pm - 3:20pm IST
Room 201 (Level 2)
  Breakout Sessions

4:15pm IST

CERT.in Guidelines on Software Bill of Materials (SBOM) - Biju Nair, Legalitech
Tuesday December 10, 2024 4:15pm - 4:25pm IST
Speakers
avatar for Biju.K.Nair

Biju.K.Nair

Founding Partner, Legalitech.in
Biju Nair is a Technology lawyer focused on Open source and Data protection. He is the founding and Managing Partner at Legalitech.in. He represents Open Invention Network and LOT Network in India.
Tuesday December 10, 2024 4:15pm - 4:25pm IST
Room 201 (Level 2)
  Breakout Sessions

4:30pm IST

Adversarial Resilience in Open-Source LLMs: A Comprehensive Approach to Security and Robustness - Padmajeet Mhaske, JP Morgan Chase
Tuesday December 10, 2024 4:30pm - 4:45pm IST
The rise of open-source large language models (LLMs) like GPT, BERT, and T5 has greatly enhanced natural language processing. However, these models face significant security challenges due to their vulnerability to adversarial attacks. This abstract examines the susceptibility of open-source LLMs to OWASP Top 10 risks, including model inversion, data poisoning, insecure deployment, and adversarial examples. While open-source LLMs democratize AI, their transparent architecture can expose sensitive data. Model inversion can extract proprietary information, and data poisoning can corrupt outputs with malicious data. Insecure deployment without encryption or authentication leads to data breaches, while adversarial examples exploit model weaknesses. To strengthen these models, implementing differential privacy, adversarial training, and rigorous data validation is crucial. Adopting security best practices, such as penetration testing and real-time monitoring, along with fostering a security-aware community, is essential. By addressing these vulnerabilities, organizations can enhance the robustness and security of open-source LLMs, ensuring safe deployment and trust in AI applications.
Speakers
avatar for Padmajeet Mhaske

Padmajeet Mhaske

VP, JP Morgan Chase
I am Padmajeet Mhaske, a Vice President and AI/ML Platform Architect at JPMorgan Chase, where I lead the AI/ML division on the Data Technology Team. With over 18 years of experience in designing and implementing large-scale AI and machine learning platforms, I combine strategic vision... Read More →
Tuesday December 10, 2024 4:30pm - 4:45pm IST
Room 201 (Level 2)
  Breakout Sessions
 
Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.