8 August | Hyderabad, India

The Sched app allows you to build your schedule, but it is not a substitute for event registration. To participate in the sessions, you must be registered for OpenSSF Community Day India 2025. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.


Schedule is subject to change.
Venue: Meeting Room 1 + 2
Monday, August 4
 

10:00 IST

Welcome + Opening Remarks
Monday August 4, 2025 10:00 - 10:20 IST
Meeting Room 1 + 2

10:25 IST

So You Want Runtime Security on Podman? - Rishabh Soni, Accuknox
Monday August 4, 2025 10:25 - 10:35 IST
Podman is a daemonless, open source, Linux native tool designed to make it easy to find, run, build, share and deploy applications using Open Containers Initiative (OCI) containers and container images. Enforcing runtime security to protect against threats like RCE and privilege escalation requires a steep learning curve to implement security primitives like AppArmor, SELinux and seccomp. It becomes very difficult to achieve simplistic policy expression. This is where KubeArmor comes in.

This talk will explore how to implement runtime security on Podman containers using KubeArmor.

KubeArmor uses native Kubernetes resources and YAML for policy definition, allowing Kubernetes-style composition, which is more intuitive for Kubernetes users and makes defining the desired policy easy.
Speakers
Rishabh Soni
Software Engineer, Accuknox
Rishabh is passionate about low-level systems, cloud-native security, and developer tooling. He is an approver and key contributor to KubeArmor, a CNCF Sandbox project, and works as a Software Engineer at AccuKnox. With experience ranging from enhancing Kubernetes runtime security... Read More →
Monday August 4, 2025 10:25 - 10:35 IST
Meeting Room 1 + 2

10:40 IST

Vibe Coding With AI Is Cool Until You Get Hacked - Achanandhi M, Keploy
Monday August 4, 2025 10:40 - 10:55 IST
There are a lot of new advancements coming up in the AI landscape like Vibe coding, MCP, Agents2Agents. Not just that, people are using AI coding assistant tools in their day-to-day life. There is more hype around AI, but wait, we tend to forget one thing, and that is security.

There are a lot of problems in consuming all those AI coding assistant tools and LLMs. How do you know the code generated by your favourite coding assistant is not vulnerable? How do you verify it? Your code might use deprecated libraries or vulnerable ones too, right? LLMs have their own knowledge cut-off date, right? Then how do you make sure you are writing secure and clean code?

Don’t worry, that’s where Codegate comes in, one of the popular open-source projects which solves these problems. Codegate acts as a proxy between your LLMs and coding assistants, analyzes the code generated by LLMs, fixes it, and recommends best practices to write secure code. Everything happens locally; nothing goes outside of your machine.

Most people are not aware of this popular open-source project. In my talk, I will show how Codegate helps you to consume the code generated by your favourite coding tools.
Speakers
Achanandhi M
Developer Advocate, Keploy
I love talking about Technology and Communities :)
Monday August 4, 2025 10:40 - 10:55 IST
Meeting Room 1 + 2

11:00 IST

The Migration To Post-Quantum Cryptography: Open-Source Innovations and Interoperability - Tony Chen, Keyfactor
Monday August 4, 2025 11:00 - 11:20 IST
The countdown to post-quantum cryptography (PQC) has begun.
With NIST set to deprecate RSA and ECC by 2030, engineers and solution owners must prepare for a quantum-safe future. But migrating to PQC isn’t just about swapping algorithms—it’s about ensuring interoperability, adopting hybrid strategies, and tackling the realities of deployment at scale.

This hands-on session breaks down the complexity and walks you through setting up a PQC-hybrid PKI using open-source EJBCA and Bouncy Castle cryptographic APIs. You’ll learn how to generate and manage hybrid certificates, stay up to date on the latest standards and protocols, and explore practical ways to integrate PQC into your systems, ensuring compatibility with today’s infrastructure while preparing for what’s next.

Join us to explore practical strategies for crypto agility and hybrid deployments, ensuring your infrastructure stays ahead of the quantum shift—2030 is closer than you think!
Speakers
Tony Chen
Senior Solution Engineer, Keyfactor
Meet Tony Chen, the cybersecurity wizard with over 9 years of PKI magic up his sleeve! As an Asia-Pacific and Japan Solution Engineer at Keyfactor, he’s the go-to guy for all things secure. With a Master’s in Cybersecurity from the National University of Singapore and a CISSP... Read More →
Monday August 4, 2025 11:00 - 11:20 IST
Meeting Room 1 + 2

11:40 IST

Keynote: Ryan Ware, Deputy Chief Product Security Officer, Carrier Global
Monday August 4, 2025 11:40 - 12:00 IST
Speakers
Ryan Ware
Deputy Chief Product Security Officer, Carrier Global
Ryan has been working on software security and quality for 27 years. In his career, he has implemented security features in open source software stacks, been an offensive security researcher, been a developer and security architect for numerous open source projects including 3 different... Read More →
Monday August 4, 2025 11:40 - 12:00 IST
Meeting Room 1 + 2

12:05 IST

Keynote Sessions To Be Announced
Monday August 4, 2025 12:05 - 12:25 IST
Meeting Room 1 + 2

12:30 IST

How Insecure Defaults Led To Undetected Supply Chain Incident: A CI/CD Security Nightmare - Vipul Gupta, Balena
Monday August 4, 2025 12:30 - 12:45 IST
As an open-source company publishing packages and contributing widely, we navigate the complex balance of open code and private signing credentials for macOS, Linux, and Windows. This combination became a serious vulnerability when insecure defaults in our CI/CD pipeline created an undetected attack vector with potentially devastating consequences.

In this talk, we unpack how a 2-year-old token, exposed via a misconfigured Action with no expiration or alerting, enabled bad actors to potentially manipulate public images and forced revocation of our code signing credentials.

We’ll walk through:

1. Our detailed forensic investigation: diffing registry images, scanning across npm, PyPI, and Docker Hub, and tracing the exposed token.

2. What went wrong: lack of artifact scanning, weak secret hygiene, and implicit trust in CI defaults.

3. Practical security improvements you can make — automated scanners, secret permissions, security reviews, and much more.

By sharing our experience, we aim to help the community identify and mitigate this highly exploitable attack vector that can remain undetected for years to prevent supply chain attacks before they happen.
Speakers
Vipul Gupta
Senior Software Engineer, Balena
Vipul Gupta is a seasoned engineer with deep expertise in building hardtech products, scalable pipelines, & sustaining communities. Founded Mixster to write open-source documentation for startups. Occasionally reads, meticulously documents, and continuously automates, Vipul has... Read More →
Monday August 4, 2025 12:30 - 12:45 IST
Meeting Room 1 + 2

12:50 IST

Malicious Package Scanning Using Vet | Supply Chain Security - Teja Kummarikuntla, Harness
Monday August 4, 2025 12:50 - 13:05 IST
Open source ecosystems frequently face supply chain attacks via malicious packages hidden in trusted registries. vet is an open-source security tool designed specifically to detect potentially malicious packages through behavioral and heuristic analysis.

This session covers:

Supply chain attacks: Brief overview and recent cases of malware found in popular ecosystems such as npm and PyPI.

Vet introduction: How vet identifies suspicious packages beyond traditional CVE-based scanning (Malware Analysis Docs: https://docs.safedep.io/cloud/malware-analysis).

Technical walkthrough: Practical use of vet in CI/CD pipelines and developer workflows (CLI and GitHub Actions examples).

Actionable outcomes: Understanding and responding to vet results effectively.
Speakers
Teja Kummarikuntla
Developer Relations Engineer, Harness
Teja is a Developer Advocate, Podcaster and an open-source contributor; his interest lies in understanding and improving the developer experience and evangelizing through the developer community.
Monday August 4, 2025 12:50 - 13:05 IST
Meeting Room 1 + 2

14:05 IST

Going Beyond SBOM Generation: Ensuring Quality, Compliance, and Real Security Readiness - Vivek Kumar Sahu, Interlynk
Monday August 4, 2025 14:05 - 14:25 IST
A wake-up call like the Log4Shell vulnerability demanded clear visibility into software components to quickly identify the exploited components/dependencies. This is where SBOMs come into play.

But not all SBOMs are created equal.
A low-quality, incomplete, inaccurate SBOM can be just as dangerous and even non-compliant under laws like the Cyber Resilience Act (CRA).

In this session, we will go one step further, i.e. beyond SBOM generation. We will cover how to assess the quality of SBOMs, enrich them with missing or incorrect data, and ensure they meet compliance standards like NTIA, CRA, OCT, and more.
Using real open source tools like sbomqs and sbomasm, we will transform raw SBOMs into actionable SBOMs, i.e. ready to be deployed on SBOM management platforms, shared with consumers, or reported to government bodies.

We will start with the chaos of the Log4j vulnerability and walk through how a strong SBOM workflow could have made all the difference.

sbomqs: https://github.com/interlynk-io/sbomqs
sbomasm: https://github.com/interlynk-io/sbomasm/
Speakers
Vivek Kumar Sahu
Open Source Developer, Interlynk
I'm passionate about open-source software and actively contribute to improving software supply chain security, with a strong focus on SBOM (Software Bill of Materials) tooling. I collaborate on projects like sbommv, sbomqs, and sbomasm — all open-source tools maintained by Interlynk... Read More →
Monday August 4, 2025 14:05 - 14:25 IST
Meeting Room 1 + 2

14:30 IST

From Code To Kernel: Enforcing Supply Chain Security for Linux Distributions - Aditya Soni, Forrester Research & Anshika Tiwari, AWS
Monday August 4, 2025 14:30 - 14:45 IST
The security of a Linux distribution depends on the integrity of its entire software supply chain, from source code to compiled binaries. With rising threats like dependency poisoning, malicious injections, and package manager compromises, securing the supply chain is no longer optional.

This talk will present a practical framework for strengthening Linux supply chain security.

We'll cover:
1. Verifying source authenticity with cryptographic signing and reproducible builds.
2. Automating SBOM generation to track dependencies and prevent supply chain attacks.
3. Enforcing integrity using open-source tools like Sigstore (Cosign, Rekor), in-toto, and OpenSCAP.
4. Analyzing real-world attack scenarios and how to mitigate them effectively.

By the end, attendees will gain actionable strategies to prevent tampering, detect anomalies early, and ensure trusted software delivery across open-source Linux distributions.
Speakers
Aditya Soni
DevOps Engineer II, CNCF Ambassador, Forrester Research
Aditya Soni is a DevOps/SRE tech professional. He worked with Product and Service based companies including Red Hat, Searce, and is currently positioned at Forrester Research as a DevOps Engineer II. He holds AWS, GCP, Azure, RedHat, and Kubernetes Certifications. He is a CNCF Ambassador... Read More →
Anshika Tiwari
CSA - Cloud Engineer, AWS
Anshika is a passionate DevOps/SRE Engineer who is always eager to learn & implement cloud-native solutions; she has contributed to streamlining deployment processes and enhancing system reliability. She is eager to share her experiences and insights at conferences, contributing to... Read More →
Monday August 4, 2025 14:30 - 14:45 IST
Meeting Room 1 + 2

14:50 IST

Allstar in Action: Automating Security Policies for GitHub Organizations - Abhinav Sharma, KodeKloud
Monday August 4, 2025 14:50 - 15:10 IST
Managing security across dozens or hundreds of repositories is nearly impossible without automation. In this practical session, I'll demonstrate how OpenSSF Allstar transforms manual security enforcement into automated guardrails.
What you'll see demonstrated live:
1. Setting up Allstar to monitor an entire GitHub organization
2. Creating custom security policies that reflect your specific requirements
3. Detecting and mitigating common security misconfigurations automatically
4. Implementing branch protection requirements across multiple repositories
5. Preventing dangerous workflow patterns before they create vulnerabilities
Speakers
Abhinav Sharma
Site Reliability Engineer, KodeKloud
I am a Site Reliability Engineer at KodeKloud. I am an open source contributor, evaluating and contributing to various open source tools and projects, such as Microsoft's open source libraries, OpenCV, SUSE, etc. I was also a Google Summer of Code contributor 2022 and a GitHub Extern... Read More →
Monday August 4, 2025 14:50 - 15:10 IST
Meeting Room 1 + 2

15:15 IST

Policy-as-Code: Choosing the Right Engine for Effective Validation and Enforcement - Ruhika Bulani, Spyderbat & Harsh Thakur, Nuon
Monday August 4, 2025 15:15 - 15:35 IST
Choosing a policy engine today can be overwhelming. Tools like OPA, Kyverno-JSON, and Kubewarden offer different languages, semantics, and integrations—but each comes with trade-offs in expressiveness, performance, and developer experience.

Policy engines are expanding beyond Kubernetes admission control to validate arbitrary JSON payloads like Terraform plans, Dockerfiles, and cloud configs. But not all tools make it easy to write, test, or integrate policies early in the dev cycle, before reaching the Kubernetes API. Some lack testing, others struggle with composition or debugging.

This talk will compare these policy engines across language design, evaluation semantics, and developer tooling. We’ll explore their strengths, gaps, and emerging trends like WASM and shift-left validation.

Join us for the talk, and leave equipped to confidently choose the right policy engine, with a clear view of the pitfalls to avoid before they hit production and a clear idea of where the ecosystem is heading.
Speakers
Ruhika Bulani
Associate Software Developer, Spyderbat
Ruhika works at a startup specializing in cloud-native runtime security. Her profound interest lies in the cloud-native landscape and Kubernetes security. Ruhika has further enriched her professional journey by serving as an LFX Mentee for the CNCF-Crossplane project. Her interest... Read More →
Harsh Thakur
Infrastructure Engineer, Nuon
Harsh's tech journey began in software development, leading to open-source contributions in the CNCF. His passion for complex systems propelled him into infrastructure engineering, gaining expertise in building control planes and designing APIs, and architecting cost-effective solutions... Read More →
Monday August 4, 2025 15:15 - 15:35 IST
Meeting Room 1 + 2

15:40 IST

Enhancing Vulnerability Triage With VEX: A GSoC Journey in CVE Binary Tool - Sanskar Sharma, Nirmata
Monday August 4, 2025 15:40 - 15:55 IST
The triage process in the CVE Binary Tool enables users to customize vulnerability reports by adding contextual information such as mitigations or justifications for ignoring certain issues. This feature is especially useful for filtering out false positives or highlighting cases where a vulnerability is deemed non-exploitable based on a specific risk assessment.

While the CVE Binary Tool has offered basic triage support for some time, this GSoC project significantly extended its capabilities by integrating support for all four major VEX formats: CSAF, CycloneDX, OpenVEX, and SPDX. This was made possible through the integration of the lib4vex library, which provides robust parsing and generation of VEX documents across these different standards.

This talk will walk through the development journey, detailing the challenges faced while implementing VEX support and the key decisions that shaped the final solution.
Speakers
Sanskar Sharma
Intern, Nirmata
Hi, I’m Sanskar Sharma, a maintainer of the CVE Binary Tool under Intel. As a GSoC contributor, I added support for CSAF, CycloneDX, OpenVEX, and SPDX VEX formats using lib4vex to enhance vulnerability triage. I’ve also been an LFX mentee, working on Inspektor Gadget to improve... Read More →
Monday August 4, 2025 15:40 - 15:55 IST
Meeting Room 1 + 2

16:15 IST

Exploiting Open Source Mail: Real-World Attacks and Defenses in Zimbra’s Core - Ashish Kataria, Synacor Inc.
Monday August 4, 2025 16:15 - 16:35 IST
Email remains a mission-critical service in both government and private sectors, and Zimbra—one of the most widely used open-source mail platforms—exposes real-world security challenges in open infrastructure.

This talk explores several critical vulnerabilities discovered in Zimbra, including a pre-auth RCE via SMTP command handling, an SSRF that enables remote shell access through internal proxy chaining, and a 2FA bypass that weakens authentication. These reflect systemic issues in open-source security at scale.

I’ll also introduce the Kobold Letter attack—an effective email parsing exploit that bypasses UI logic in Zimbra, Gmail, and Outlook using invisible formatting to aid phishing. This points to the urgent need for better mail parsing standards.

The session will blend offensive insights with defense: how these flaws were disclosed, mitigated, and what OSS maintainers can do to secure their stacks earlier. It’s ideal for red teamers, defenders, and those securing collaborative infrastructure.
Speakers
Ashish Kataria
Security Architect Engineer, Synacor Inc.
Ashish is the head of security at Zimbra, overseeing vulnerability analysis, triage, and remediation for the widely deployed open-source Zimbra Collaboration Suite. He has led the resolution of high-impact CVEs and contributed to hardening against threats like the Kobold Letter attack... Read More →
Monday August 4, 2025 16:15 - 16:35 IST
Meeting Room 1 + 2

16:40 IST

Chaos Engineering for Security: Breaking Systems To Strengthen Defenses - Pratik Mahalle, Keploy
Monday August 4, 2025 16:40 - 16:50 IST
We often hear about chaos engineering in the context of reliability, but what if we applied that same philosophy to security? In this session, I’ll explore the emerging field of Security Chaos Engineering. In this innovative practice, we intentionally inject failures and simulate attacks to uncover hidden security weaknesses before adversaries do.

Using open source tools like ChaosMesh, LitmusChaos, and KubeArmor, I'll demonstrate how teams can proactively test assumptions about their security posture. From simulating pod compromise in Kubernetes to testing firewall rule effectiveness under duress, the session will walk through real-world scenarios where controlled chaos leads to deeper system hardening.

Rather than reacting to incidents, what if we could break things on purpose and make our systems safer?
Speakers
Pratik Mahalle
DevRel @Keploy, AWS Community Builder, Open Source Advocate, Keploy
Hey, I am Pratik, currently working as DevRel. I am also an AWS Community Builder and I love spending my time in the community.
Monday August 4, 2025 16:40 - 16:50 IST
Meeting Room 1 + 2

16:55 IST

Debian Inspired Container-first Linux Distro - Abhishek Anand, Koalalab & Abhimanyu Dhamija, KoalaLab
Monday August 4, 2025 16:55 - 17:10 IST
Kubernetes drove the transition from VMs to Containers, but Linux distro tooling (package manager & package archives) remained focussed on a full blown OS. Distros didn't adapt to serve the needs of a containerised SDLC.

Containers are meant to run single-processes in isolation, but package management is built for VMs, leading to bloated containers that increase attack surface for applications and lead to patching overhead for developers.

Minimal containers are becoming the standard for modern application development.

This talk explores an approach for creating a Debian-inspired distro with a container-first design.

Debian container bloat stems from:
1. Essential packages needed for VMs but not containers - like bash, libc6
2. APT package manager footprint - installs 59 packages
3. Maintainer script dependencies in Debian packages - scripts can require runtimes like perl, python etc

Proposing a new approach:
1. Portable APT replacement implemented in Go
2. Reimplementing maintainer scripts with minimal dependencies
3. Bootstrapping a distro so that only required packages can be installed, no "essentials"
Speakers
Abhishek Anand
Co-Founder/CTO, Koalalab
Tech entrepreneur building in Open Source Security. Prev: CTO @ Housing.com: Scaled infra to 13Mn daily traffic. Platform engineering @ WhitehatJr: Built a self-serve Kubernetes platform. YC Alum.
Abhimanyu Dhamija
Co-founder, KoalaLab
Founder & CEO, KoalaLab: Software supply chain security & Open-source Security. Previously: Head, Data Sciences @ Housing.com; Quant @ Citigroup.
Monday August 4, 2025 16:55 - 17:10 IST
Meeting Room 1 + 2

17:15 IST

UEFI Secure Boot in Linux - Sumeet Pawnikar, Cisco
Monday August 4, 2025 17:15 - 17:30 IST
Abstract:
This tech talk will give a comprehensive overview of Secure Boot support under the UEFI-based GRUB bootloader on x86-based platforms. It explains the dependencies and available kernel options, with code snippets, to enable UEFI-based Secure Boot support. It also touches upon the steps for Secure Boot enablement on VMs.

Agenda brief:
+ What is Secure Boot? Benefits, pros and cons, and requirements in the boot sequence.
+ Why is Secure Boot required in today's world?
+ What is the significance of Shim in Secure Boot?
+ What is UEFI, and what are the different bootloaders like GRUB and others?
+ What is UEFI's role in GRUB for Secure Boot?
+ What are the dependencies and available options in the Linux kernel with respect to UEFI and GRUB for Secure Boot enablement?
+ Signing the UEFI binaries and custom kernel modules with keys.
+ Step-by-step guide on the required signing tools with certificates.
+ How to enable Secure Boot for a virtual machine?
+ Verification of Secure Boot on Linux-based platforms.
Speakers
Sumeet Pawnikar
Software Architect, Cisco
+ An experienced Platform Software Architect who has majorly worked in Linux device drivers, kernel, BSP and firmware/bootloader development on Linux-based OS platforms like Android, Chrome and RTOS. + Active contributor in Linux mainline kernel and device driver development. + Maintainer... Read More →
Monday August 4, 2025 17:15 - 17:30 IST
Meeting Room 1 + 2

17:35 IST

Closing Remarks
Monday August 4, 2025 17:35 - 17:40 IST
Meeting Room 1 + 2