OpenSSF Community Day Japan 2025
June 18, 2025 | Tokyo, Japan

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for OpenSSF Community Day Japan 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is displayed in Japan Standard Time.

The schedule is subject to change.
Wednesday, June 18
 

08:00 JST

Registration + Badge Pick-up
Wednesday June 18, 2025 08:00 - 19:00 JST
Pegasus Foyer

09:00 JST

Welcome & Opening Remarks - Steve Fernandez, General Manager of OpenSSF, The Linux Foundation
Wednesday June 18, 2025 09:00 - 09:15 JST
Speakers
Steve Fernandez

Executive Director, Linux Foundation
Apollon A

09:15 JST

Keynote: Cloud Native at 10: What's Next for CNCF, OpenSSF, and Open Source - Lin Sun, Head of Open Source, Solo.io
Wednesday June 18, 2025 09:15 - 09:30 JST
When CNCF launched in 2015, Kubernetes kickstarted a wave of innovation that now includes 200+ projects across the cloud native ecosystem. As we look to the next decade, new challenges and opportunities emerge, including AI, agentic systems, sustainability, and increasing complexity. Security is now front and center. OpenSSF is tackling this head-on with projects like Sigstore, Scorecard, SLSA, and OSPS Baseline, helping secure the open source software supply chain. Join us to explore key CNCF and OpenSSF initiatives shaping the future and what’s needed to keep open source resilient, secure, and ready for what’s next.
Speakers
Lin Sun

Head of Open-Source, Solo.io
Lin is the Head of Open Source at Solo.io, and a CNCF TOC member and ambassador. She has worked on the Istio service mesh since the beginning of the project in 2017 and serves on the Istio Steering Committee and Technical Oversight Committee. Previously, she was a Senior Technical...
Apollon A

09:30 JST

Keynote Session To Be Announced
Wednesday June 18, 2025 09:30 - 09:45 JST
Apollon A

09:50 JST

Building Trust in Open Source: A Practical Guide To Securing Your Software Supply Chain - Yash Pimple, Chainguard
Wednesday June 18, 2025 09:50 - 10:10 JST
As open-source software adoption accelerates, so do the threats targeting its supply chain. But what does it really mean to secure your software supply chain? And how do concepts like SLSA (Supply Chain Levels for Software Artifacts), SBOM (Software Bill of Materials), and tools like Sigstore fit into the picture?

In this session, I’ll cut through the noise to demystify the fundamentals of software supply chain security. We’ll explore these frameworks and tools in depth, understand how they work together, and provide a clear practical guide to building stronger, more resilient pipelines. I’ll also highlight real-world supply chain threats from dependency confusion to insecure deployments and show how open-source tools can help you detect, prevent, and respond to these risks effectively.
Speakers
Yash Pimple

Software Engineer, Chainguard
Yash is currently working as a Software Engineer Intern at Chainguard, specializing in securing software supply chains. He is an AWS Community Builder and CNCF Ambassador, and he has also delivered talks at KubeCon + CloudNativeCon North America 2023 and KubeCon India 2024. Yash is an...
Apollon A

10:15 JST

OpenSSF Community Enhancement in Japan - Taku Shimosawa, Hitachi, Ltd.
Wednesday June 18, 2025 10:15 - 10:20 JST
The Japan Chapter of OpenSSF aims to promote open-source security in the Japanese community. Muuhh and Taku will briefly present the recent activities of the Japan Chapter: the meet-ups, the translation of the best practices, and the SLSA workshop. We will also share feedback from the Japanese community and the upcoming plans for our activities. We welcome anyone interested in open-source security in Japan, and we are eager to seek potential collaboration with the global open-source security community.
Speakers
Taku Shimosawa

Chief Researcher, Hitachi, Ltd.
Taku Shimosawa is a chief researcher at Hitachi, Ltd. He has contributed to the Hyperledger community, and has recently joined OpenSSF.
Apollon A

10:25 JST

Session To Be Announced - Whitney Lee, Datadog
Wednesday June 18, 2025 10:25 - 10:45 JST
Speakers
Whitney Lee

Senior Technical Advocate, Datadog
Whitney is a CNCF Ambassador who is passionate about cloud native tools. Creative and driven, she has created and delivered two KubeCon keynotes, a VMware Explore keynote, and countless fun, funny, and informative community conference keynotes. You can catch her lightboard show...
Apollon A

10:50 JST

True Security: Unforgeable Baseline Compliance - Adolfo García Veytia, Carabiner Systems & Carlos Tadeu Panato Junior, Chainguard
Wednesday June 18, 2025 10:50 - 11:10 JST
A year ago, with input from projects across different foundations, we set on a mission to delineate a minimum set of security requirements that could realistically be implemented by open source projects. No matter their size.

Thus, the Open Source Project Security Baseline was born.

With the Baseline maturing rapidly, it's time to check and enforce its requirements! For the Baseline to provide true security, cryptographically secure evidence has to be produced by projects that can, in turn, be tied to commits and built software artifacts.

Enter attestations!

By leveraging the In-Toto attestation framework and the Sigstore transparency log, this talk will show how to achieve unforgeable OSPS Baseline compliance through attested evidence that can securely be associated with repos, binaries, and container images.

It all sounds harder than it is. The talk will feature practical ways of achieving high compliance levels with only a handful of attestations from the OpenSSF family of tools, showing alternatives for each requirement.

The talk will conclude with an enforcement example, gating on build and deployment processes when repos and artifacts are not Baseline compliant.
Speakers
Carlos Panato

Staff Software Engineer, Chainguard
Carlos Panato (@cpanato) is a Staff Software Engineer at Chainguard, Inc., specializing in development and infrastructure with Kubernetes and containers. He has a diverse background in development, testing, processes, and management. Carlos actively contributes to several Linux Foundation...

Adolfo García Veytia

Principal Software Engineer / Cofounder, Carabiner Systems
Adolfo García Veytia (@puerco) is a software engineer with Carabiner Systems. He is one of the Kubernetes SIG Release Technical Leads, actively working with the Release Engineering team, improving the software that drives the automation behind the Kubernetes release process. He is...
Apollon A

11:10 JST

Break & Networking
Wednesday June 18, 2025 11:10 - 11:30 JST
Apollon A Foyer

11:30 JST

Session To Be Announced
Wednesday June 18, 2025 11:30 - 11:50 JST
Apollon A

11:55 JST

From SBOM Basics To Automation: A Beginner's Journey in Extracting ELF Binary Dependencies - Takashi Ninjouji, Honda Motor Co., Ltd.
Wednesday June 18, 2025 11:55 - 12:05 JST
This presentation explores the journey of a beginner in embedded systems development, focusing on the dependencies of ELF binaries. Starting with the basics of Build SBOM, it highlights a software project example and efforts to streamline the process through automation. Attendees will gain practical insights into overcoming challenges and enhancing workflows in embedded development.
Speakers
Takashi Ninjouji

Chief Engineer, Honda Motor Co., Ltd.
Takashi Ninjouji is a Chief Engineer at Honda Motor Co., Ltd., focusing on Software-Defined Vehicles (SDV) and Open Source Program Office (OSPO). His interests also include Security Assurance, Open Source Compliance, and SBOM. He spent 10 years in Telecom R&D and the last 15 years...
Apollon A

12:10 JST

Secrets in Public Git Repos: Why It Keeps Happening and How To Fix It - Arpit Jain, Independent Security Researcher
Wednesday June 18, 2025 12:10 - 12:15 JST
Every day, thousands of API keys, credentials, and tokens are accidentally leaked into public Git repositories, putting users and organizations at massive risk. In this lightning talk, I'll quickly break down why secret sprawl happens despite increasing awareness. I’ll highlight real-world cases like Trufflehog's recent discovery of over 12,000 live API keys inside DeepSeek's AI model training data, demonstrating how leaked secrets can silently persist and escalate risks. I'll demonstrate how simple open source tools like Gitleaks, Trufflehog, and Git pre-commit hooks can detect and prevent exposures. Attendees will leave with immediate, practical steps to stop secret leaks in their repositories — before attackers find them.
Speakers
Arpit Jain

Security Researcher | Open Source Contributor, Independent Security Researcher
Arpit Jain is a security researcher and active open source contributor, focusing on supply chain security, secure coding, and ethical AI. He has contributed security patches to multiple open source projects on GitHub. Arpit’s mission is to help new engineers gain visibility in the...
Apollon A

12:20 JST

Current Remote Attestation on IoT - Arm TrustZone OP-TEE With VERAISON Verifier - Kuniyasu Suzaki, Institute of Information Security (IISEC), graduate school
Wednesday June 18, 2025 12:20 - 12:40 JST
Remote Attestation is a mechanism to confirm the genuine device and software. This mechanism is required for IoT devices because they are geographically distributed without an administrator, especially for IoT devices which treat confidential data. To run a confidential application, a CPU has a TEE (Trusted Execution Mechanism). The most popular IoT CPU, Arm Cortex-A, also has a TEE mechanism named TrustZone.

I report on the attestation mechanism implemented in OP-TEE, a trusted OS running on the Arm Cortex-A TrustZone. This mechanism generates attestation evidence accepted by VERAISON, an open-source verification platform.

I report the provisioning process for both the attester and verifier in this model, emphasizing the need for secure setup. Additionally, we explain how to program a confidential application to leverage this remote attestation mechanism. These explanations aim to enable broader adoption of remote attestation by users.

The current source code is open and runs on QEMU and Raspberry Pi 3:
https://github.com/iisec-suzaki/optee-ra
The source code is integrated into the OP-TEE mainline:
https://github.com/OP-TEE/optee_os/pull/7006
Speakers
Kuniyasu Suzaki

Professor, Institute of Information Security (IISEC), graduate school
Professor of Institute of Information Security (IISEC, graduate school). He received the B.E. and M.E. degrees in computer science from the Tokyo University of Agriculture and Technology and the Ph.D. in computer science from The University of Tokyo. His current research interests...
Apollon A

12:45 JST

What Is This Package Even Doing? Analyzing Behaviors of Our Software Dependencies - Isaac Dawson, GitLab Inc
Wednesday June 18, 2025 12:45 - 13:05 JST
As developers, we include or update dependencies on almost every project we touch. Even with a general idea of their capabilities, it can be hard to know exactly what these packages are doing. Despite this, we include them and hope it doesn't break our build, or worse, introduce vulnerabilities.
This talk will present data analysis of capabilities of two types of software packages: those with known CVE records, and those without, to see if we can identify any signal regarding the packages' security posture. This talk will also highlight the risk associated with the various capabilities these software dependencies include, and how we can make better decisions when it comes time to upgrade or add new dependencies to our software stacks. To enable this analysis, GitLab has extracted thousands of packages from various package managers. These package versions are then stored on GitLab.com where users can navigate the exact source code of every version of a software package released.
By the end of this presentation the audience should leave with a better understanding of what to look for when adding new dependencies and how the capabilities of those dependencies may introduce risks.
Speakers
Isaac Dawson

Principal Vulnerability Researcher, GitLab Inc
With almost 25 years of information security experience, from @stake to Symantec Consulting to Veracode, Isaac has been involved with various aspects of offensive security and research. While the days of writing exploits are long past, he enjoys building systems to automatically identify...
Apollon A

13:05 JST

Lunch
Wednesday June 18, 2025 13:05 - 14:05 JST
Apollon A

14:05 JST

Transparency in the AI Software Supply Chain. - Anirudh Srinivas, NielsenIQ Pvt Ltd
Wednesday June 18, 2025 14:05 - 14:15 JST
As AI is becoming an integral part of modern applications, ensuring its security and integrity is crucial. This talk explores the growing security risks in the AI software supply chain, including model tampering and vulnerabilities. We’ll focus on solutions like Sigstore’s model transparency tools and other model signing libraries to safeguard AI assets. Learn how these tools can help verify model authenticity, track provenance, and enhance trust in AI systems.
Speakers
Anirudh Srinivas

Trust but Verify: Securing the SDLC, NielsenIQ Pvt Ltd
With over 4 years of experience in product security, I am currently focused on enhancing secure SDLC practices within my organization empowering global engineering teams to build resilient software. My areas of expertise include DevSecOps, MLSecOps, and Cloud Security. I’ve been...
Apollon A

14:20 JST

The Hidden Adversaries: An Open-Source Blueprint for AI and Deep Learning Model Protection - Anmol Krishan Sachdeva & Paras Mamgain, Google
Wednesday June 18, 2025 14:20 - 14:40 JST
Deep Learning and AI models are rapidly becoming integral to critical applications, yet they harbor a significant, often underestimated, vulnerability: adversarial attacks. These intentionally crafted manipulations to input data can deceive even state-of-the-art models, leading to incorrect predictions, compromised system behavior, safety failures, and a significant erosion of trust. The challenge lies in the stealthy nature of these attacks, their continuous evolution, and the difficulty in building defenses that are both robust and adaptable without hampering model performance. How can we shield our AI investments from such threats?

As AI systems become increasingly sophisticated into 2025, so too do the adversarial threats they face. This session offers a forward-looking blueprint to proactively harden your models and implement next-gen. threat detection. We will focus on practical open-source approaches for building intrinsic robustness and deploying intelligent defenses against emerging adversarial tactics, including those targeting GenAI. Learn how cutting-edge open-source tools can be leveraged to create reliable, secure, and scalable AI defenses for tomorrow's challenges.
Speakers
Anmol Krishan Sachdeva

Sr. Hybrid Cloud Architect, Google
Anmol is a seasoned International Tech Speaker (delivered 75+ talks globally), a Distinguished Guest Lecturer, an active conference organizer, and has published several notable papers. He works at Google and focuses on Emerging Technologies. Anmol has years of rich experience in...

Paras Mamgain

Software Engineer, Google
Paras has been an active speaker sharing his technical expertise at Google tech conferences and the Linux Foundation's Open Source Summit in Japan and North America. Paras is a highly skilled backend developer with a passion for information retrieval and a knack for translating complex technical...
Apollon A

14:45 JST

Securing Open Source Code: From AI Vulnerabilities To Supply Chain Defense - Arpit Jain, Independent Security Researcher
Wednesday June 18, 2025 14:45 - 15:00 JST
Open source security faces growing risks from dependency vulnerabilities, leaked secrets, insecure AI-generated code, and supply chain attacks. In this talk, I will demonstrate how to use open source tools like Trivy, Grype, Gitleaks, and Trufflehog to scan dependencies and detect exposed secrets.

I will explain how to build and maintain a Software Bill of Materials (SBOM) to protect codebases and organizational assets. Using real-world case studies—Trufflehog’s discovery of 12,000+ live API keys in AI training data, the Rabbit R1 credential exposure, and supply chain incidents in the US and Japan—I will show the impact of poor code security practices.

A live demo will highlight how AI models trained on insecure code can propagate vulnerabilities. Attendees will leave with practical techniques for scanning codebases, securing their development pipelines, and preventing the next generation of supply chain threats.
Speakers
Arpit Jain

Security Researcher | Open Source Contributor, Independent Security Researcher
Arpit Jain is a security researcher and active open source contributor, focusing on supply chain security, secure coding, and ethical AI. He has contributed security patches to multiple open source projects on GitHub. Arpit’s mission is to help new engineers gain visibility in the...
Apollon A

15:05 JST

The Migration To Post-Quantum Cryptography: Open-Source Innovations and Interoperability - Tony Chen, www.keyfactor.com
Wednesday June 18, 2025 15:05 - 15:25 JST
The countdown to post-quantum cryptography (PQC) has begun.
With NIST set to deprecate RSA and ECC by 2030, engineers and solution owners must prepare for a quantum-safe future. But migrating to PQC isn’t just about swapping algorithms—it’s about ensuring interoperability, adopting hybrid strategies, and tackling the realities of deployment at scale.

This hands-on session breaks down the complexity and walks you through setting up a PQC-hybrid PKI using open-source EJBCA and Bouncy Castle cryptographic APIs. You’ll learn how to generate and manage hybrid certificates, stay up to date on the latest standards and protocols, and explore practical ways to integrate PQC into your systems, ensuring compatibility with today’s infrastructure while preparing for what’s next.

Join us to explore practical strategies for crypto agility and hybrid deployments, ensuring your infrastructure stays ahead of the quantum shift—2030 is closer than you think!
Speakers
Tony Chen

Senior Solution Engineer, Keyfactor
Meet Tony Chen, the cybersecurity wizard with over 9 years of PKI magic up his sleeve! As an Asia-Pacific and Japan Solution Engineer at Keyfactor, he’s the go-to guy for all things secure. With a Master’s in Cybersecurity from the National University of Singapore and a CISSP...
Apollon A

15:25 JST

Break & Networking
Wednesday June 18, 2025 15:25 - 15:45 JST
Apollon A Foyer

15:45 JST

Beyond Network Trust: End-to-End Secure Service Communication With Open Source IAM - Anmol Krishan Sachdeva & Devashish Patil, Google
Wednesday June 18, 2025 15:45 - 16:05 JST
In today's dynamic cloud-native environments, relying on network perimeters for security is obsolete. True Zero Trust demands strong authentication and fine-grained authorization for every interaction, especially between microservices. This session explores how to achieve this end-to-end security using complementary open-source projects.

First, we address the challenge of reliably identifying who is making a request. We'll delve into establishing cryptographic, verifiable workload identities using open-source frameworks like SPIFFE/SPIRE. Learn how services can automatically obtain short-lived, platform-agnostic identities (SVIDs), eliminating the need for managing secrets like API keys or passwords for service-to-service authentication.

With a trusted identity established, we then tackle what that service is allowed to do. We'll demonstrate how to leverage these workload identities within open-source authorization engines like Open Policy Agent (OPA). See how to define and enforce granular, context-aware access control policies based on the verified identity of the calling service, rather than just its network location.
Speakers
Anmol Krishan Sachdeva

Sr. Hybrid Cloud Architect, Google
Anmol is a seasoned International Tech Speaker (delivered 75+ talks globally), a Distinguished Guest Lecturer, an active conference organizer, and has published several notable papers. He works at Google and focuses on Emerging Technologies. Anmol has years of rich experience in...

Devashish Patil

Cloud Architect, Google
Devashish is an experienced cloud-native developer currently working at Google, and specializing in the design and development of complex systems across diverse cloud platforms. He has successfully tackled projects of varying sizes and technical intricacies throughout his career...
Apollon A

16:10 JST

Tabletop Exercise / TTX Panel Session - Moderated by Christopher 'CRob' Robinson, OpenSSF | The Linux Foundation; Panelist & Session Details TBA
Wednesday June 18, 2025 16:10 - 17:40 JST
Speakers
Christopher "CRob" Robinson

Chief Architect - OpenSSF, OpenSSF
Christopher Robinson (aka CRob) is the Chief Security Architect for the Open Source Security Foundation. With over 25 years of Enterprise-class engineering, architectural, operational and leadership experience, CRob has worked at several Fortune 500 companies with experience in the...
Apollon A

17:40 JST

Closing Remarks - Steve Fernandez, General Manager of OpenSSF, The Linux Foundation
Wednesday June 18, 2025 17:40 - 17:45 JST
Speakers
Steve Fernandez

Executive Director, Linux Foundation
Apollon A
 