OpenSSF Community Day Japan 2025

As open-source software adoption accelerates, so do the threats targeting its supply chain. But what does it really mean to secure your software supply chain? And how do concepts like SLSA (Supply Chain Levels for Software Artifacts), SBOM (Software Bill of Materials), and tools like Sigstore fit into the picture?

In this session, I’ll cut through the noise to demystify the fundamentals of software supply chain security. We’ll explore these frameworks and tools in depth, understand how they work together, and provide a clear practical guide to building stronger, more resilient pipelines. I’ll also highlight real-world supply chain threats from dependency confusion to insecure deployments and show how open-source tools can help you detect, prevent, and respond to these risks effectively.

A year ago, with input from projects across different foundations, we set on a mission to delineate a minimum set of security requirements that could realistically be implemented by open source projects. No matter their size.

Thus, the Open Source Project Security Baseline was born.

With the Baseline maturing rapidly, it's time to check and enforce its requirements! For the Baseline to provide true security, cryptographically secure evidence has to be produced by projects that can, in turn, be tied to commits and built software artifacts.

Enter attestations!

By leveraging the In-Toto attestation framework and the Sigstore transparency log, this talk will show how to achieve unforgeable OSPS Baseline compliance through attested evidence that can securely be associated with repos, binaries, and container images.

It all sounds harder than it is. The talk will feature practical ways of achieving high compliance levels with only a handful of attestations from the OpenSSF family of tools, showing alternatives for each requirement.

The talk will conclude with an enforcement example, gating on build and deployment processes when repos and artifacts are not Baseline compliant.

Remote Attestation is a mechanism to confirm the genuine device and software. This mechanism is required for IoT devices because they are geographically distributed without an administrator, especially on the IoT devices which treat confidential data. To run a confidential application, CPU has a TEE (Trusted Execution Mechanism). The most popular IoT CPU, Arm Cortex-A also have TEE mechanism named TrustZone.

I report on the attestation mechanism implemented in OP-TEE, a trusted OS running on the Arm Cortex-A TrustZone. This mechanism generates attestation evidence accepted by VERAISON, an open-source verification platform.

I report the provisioning process for both the attester and verifier in this model, emphasizing the need for secure setup. Additionally, we explain how to program a confidential application to leverage this remote attestation mechanism. These explanations aim to enable broader adoption of remote attestation by users.

The current source code is open and runs on QEMU and Raspberry Pi 3:
https://github.com/iisec-suzaki/optee-ra
The source codes are integrated into the OP-TEE mainline:
https://github.com/OP-TEE/optee_os/pull/7006

Deep Learning and AI models are rapidly becoming integral to critical applications, yet they harbor a significant, often underestimated, vulnerability: adversarial attacks. These intentionally crafted manipulations to input data can deceive even state-of-the-art models, leading to incorrect predictions, compromised system behavior, safety failures, and a significant erosion of trust. The challenge lies in the stealthy nature of these attacks, their continuous evolution, and the difficulty in building defenses that are both robust and adaptable without hampering model performance. How can we shield our AI investments from such threats?

As AI systems become increasingly sophisticated into 2025, so too do the adversarial threats they face. This session offers a forward-looking blueprint to proactively harden your models and implement next-gen. threat detection. We will focus on practical open-source approaches for building intrinsic robustness and deploying intelligent defenses against emerging adversarial tactics, including those targeting GenAI. Learn how cutting-edge open-source tools can be leveraged to create reliable, secure, and scalable AI defenses for tomorrow's challenges.

The countdown to post-quantum cryptography (PQC) has begun.
With NIST set to deprecate RSA and ECC by 2030, engineers and solution owners must prepare for a quantum-safe future. But migrating to PQC isn’t just about swapping algorithms—it’s about ensuring interoperability, adopting hybrid strategies, and tackling the realities of deployment at scale.

This hands-on session breaks down the complexity and walks you through setting up a PQC-hybrid PKI using open-source EJBCA and Bouncy Castle cryptographic APIs. You’ll learn how to generate and manage hybrid certificates, stay up to date on the latest standards and protocols, and explore practical ways to integrate PQC into your systems, ensuring compatibility with today’s infrastructure while preparing for what’s next.

Join us to explore practical strategies for crypto agility and hybrid deployments, ensuring your infrastructure stays ahead of the quantum shift—2030 is closer than you think!

In today's dynamic cloud-native environments, relying on network perimeters for security is obsolete. True Zero Trust demands strong authentication and fine-grained authorization for every interaction, especially between microservices. This session explores how to achieve this end-to-end security using complementary open-source projects.

First, we address the challenge of reliably identifying who is making a request. We'll delve into establishing cryptographic, verifiable workload identities using open-source frameworks like SPIFFE/SPIRE. Learn how services can automatically obtain short-lived, platform-agnostic identities (SVIDs), eliminating the need for managing secrets like API keys or passwords for service-to-service authentication.

With a trusted identity established, we then tackle what that service is allowed to do. We'll demonstrate how to leverage these workload identities within open-source authorization engines like Open Policy Agent (OPA). See how to define and enforce granular, context-aware access control policies based on the verified identity of the calling service, rather than just its network location.