Open source software provides a tremendous public good - but in proportion to its social and technical importance, the open source ecosystem also presents an enticing attack surface for adversaries. The combination of unobfuscated, public-facing source code, distributed community-driven development, a lack of consistently deployed security reviews and tooling, and the prominence of many key FOSS projects as core infrastructure for enterprises around the world and for the internet itself means that the unique model that has made open source software projects and development lifecycles so impactful is also what has historically made them difficult to secure. In this presentation, we discuss the present challenges and opportunities for securing open source projects, and lay out a roadmap to a future where we can all help to secure open source software at massive scale.

We will explore challenges and opportunities in securing the open source software ecosystem against a range of threat actors through a variety of interventions at all phases of the software development lifecycle. Part 1 of this presentation will give a brief overview of the mission, priorities, and current work within the Open Source Security Foundation, including an end-to-end threat model of the open source ecosystem. Part 2, which will comprise the majority of the presentation, will be a panel discussion among open source maintainers, tool developers, and security researchers on some of the most pressing issues in the security of open source software.

FOSS Backstage 2021
Panel Discussion