Safely Sourcing OSS - Beyond 0 CVEs - John Kjell, ControlPlane
Abstract
As container images shrink and teams chase the elusive “0 CVE” scan, a host of other threats lurk beneath the surface of open source software. Security is more than vulnerabilities; it’s about trust, transparency, and maintainability. Open source can be:

- Improperly governed – at risk of hostile takeovers
- Maliciously licensed – hiding legal landmines
- End-of-life – abandoned with no path forward
- Poorly documented – where “read the code” is the only option
- Untested – bugs waiting to detonate at scale
- Insecurely released – exposing the supply chain

These non-obvious risks often paralyze teams trying to make informed choices. But a new generation of tools is emerging to bring clarity. We’ll explore how CNCF projects and Linux Foundation initiatives are using OpenSSF’s Security Scorecards, SLSA, Security Baseline, and the 2025 updated TAG Security guidance on supply chain security to surface and share critical metadata that empowers safer open source adoption.