
OpenSSF Meetup - learn about PyPI, SBOM and Dependency Track

Hosted By
OpenSSF O. and Tabatha D.

Details

Come to the 1st OpenSSF meetup in 2024 - hosted by G-Research. Join the OpenSSF community for presentations about PyPI, SBOM and Dependency Track, meet industry leaders, ask them questions and make connections. Refreshments will be provided by our host G-Research - thank you to them for their support.

Please note: For security purposes, we will collect your First and Last name when RSVPing for the event and pass it to the building reception.

Agenda
5:30 pm - Door open / networking
6:15 pm - Opening
6:30 pm - 15 mins talk - An Introduction to Trusted Publishing on PyPI
6:45 pm - break
7:00 pm - 15 mins talk - Flat vs Hierarchical SBOMs
7:15 pm - break
7:30 pm - 30 mins talk - Hyades – Dependency Track for Enterprise
8:00 pm - networking (till 9pm)

Talks

Hyades – Dependency Track for Enterprise - by Meha Bhargava
With the need to deliver software faster to clients, it is typical not to "reinvent the wheel" and instead rely on open source/3rd party components. Increasing adoption of open source/3rd party components causes the complexity and inherited risk of the software supply chain to rise. It is crucial to have a complete and accurate inventory of open source/3rd party component usage and the risk associated with it, as “our software supply chain security is our responsibility“. In order to achieve a complete inventory, a Bill Of Materials (BOM) is a fundamental building block. OWASP Dependency Track consumes BOMs and helps to continuously monitor the risk associated with these components. In this talk, we will explain and demonstrate OWASP Dependency Track Hyades, a rearchitected form of OWASP Dependency Track that is now scalable at the enterprise level, and how it can be a foundational platform to add to your arsenal of tools to improve software supply chain security.
---

An Introduction to Trusted Publishing on PyPI - by William Woodruff

Trusted Publishing is a new authentication scheme for PyPI package uploads, designed to be both convenient for packagers and also more secure than manual API token use. This talk will provide an overview of Trusted Publishing, how it works, lessons so far from its adoption, as well as future expansion plans and tie-ins with other supply chain security initiatives on PyPI.
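The abstract says Trusted Publishing is safer than a manually managed API token. The property behind that claim is that PyPI stores a description of the CI job allowed to publish (owner, repository, workflow file, optionally an environment) and checks the short-lived OIDC token each upload presents against it, so no long-lived secret exists to leak. The following is an added example written for this page, not PyPI's code and not the pypa/gh-action-pypi-publish action; it models that check in simplified form. Claim names (iss, aud, exp, repository, job_workflow_ref, environment) follow GitHub Actions' OIDC tokens; the example-org/example-pkg publisher, the three tokens and their placeholder signature are constructed, and signature verification against the provider's published keys is stubbed out.

```python
"""
Simplified model of the trust decision behind PyPI Trusted Publishing.

Added example, not PyPI's or pypa/gh-action-pypi-publish's code. The claim
names follow GitHub Actions' OIDC tokens; the TrustedPublisher fields mirror
what PyPI asks for when a trusted publisher is registered. Signature
verification is stubbed so the demo runs offline; a real implementation
must verify the token against the issuer's JWKS before trusting any claim.
"""
import base64
import json
from dataclasses import dataclass
from typing import Optional, Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
PYPI_AUDIENCE = "pypi"


@dataclass(frozen=True)
class TrustedPublisher:
    """What PyPI stores instead of a long-lived API token."""
    owner: str
    repository: str
    workflow_filename: str
    environment: Optional[str] = None  # None: any environment is acceptable


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed for the
    demo; a real token is RS256-signed by the CI provider)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"placeholder-signature")])


def verify_signature(jwt: str) -> bool:
    """Stub standing in for JWKS lookup and RS256 verification (assumption:
    always succeeds here so the example runs offline)."""
    return jwt.count(".") == 2


def decode_claims(jwt: str) -> dict:
    """Decode the payload; refuse alg=none so an unsigned token cannot pass."""
    header_b64, payload_b64, _sig = jwt.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") == "none":
        raise ValueError("unsigned token")
    return json.loads(_unb64url(payload_b64))


def evaluate(publisher: TrustedPublisher, jwt: str, now: int) -> Tuple[bool, str]:
    """Return (allowed, reason). Only on True would a short-lived upload
    token be minted for this one CI job."""
    if not verify_signature(jwt):
        return False, "bad signature"
    c = decode_claims(jwt)
    if c.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    if c.get("aud") != PYPI_AUDIENCE:
        return False, "token was not requested for the pypi audience"
    if c.get("exp", 0) <= now:
        return False, "token expired"
    # A fork runs the byte-identical workflow file, but its claims name the
    # fork's owner, so it never matches the registered repository.
    if c.get("repository") != f"{publisher.owner}/{publisher.repository}":
        return False, "repository mismatch"
    # job_workflow_ref: "<owner>/<repo>/.github/workflows/<file>@<git ref>";
    # compare the path only, so any branch or tag of the right workflow passes.
    workflow_path = c.get("job_workflow_ref", "").split("@", 1)[0]
    expected = f"{publisher.owner}/{publisher.repository}/.github/workflows/{publisher.workflow_filename}"
    if workflow_path != expected:
        return False, "workflow mismatch"
    if publisher.environment and c.get("environment") != publisher.environment:
        return False, "environment mismatch"
    return True, "ok"


# Constructed publisher registration and tokens (hypothetical names).
PUBLISHER = TrustedPublisher("example-org", "example-pkg", "release.yml", "release")
NOW = 1_700_000_000
GENUINE = {
    "iss": GITHUB_ISSUER, "aud": PYPI_AUDIENCE, "exp": NOW + 300,
    "repository": "example-org/example-pkg",
    "job_workflow_ref": "example-org/example-pkg/.github/workflows/release.yml@refs/tags/v1.0.0",
    "environment": "release",
}
FORK = dict(GENUINE, repository="someone-else/example-pkg",
            job_workflow_ref="someone-else/example-pkg/.github/workflows/release.yml@refs/heads/main")
WRONG_WORKFLOW = dict(GENUINE,
                      job_workflow_ref="example-org/example-pkg/.github/workflows/ci.yml@refs/heads/main")


def demo() -> dict:
    cases = [("genuine", GENUINE), ("fork", FORK), ("wrong_workflow", WRONG_WORKFLOW)]
    return {name: evaluate(PUBLISHER, make_demo_jwt(claims), NOW) for name, claims in cases}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The cases worth noticing are the two rejections: a fork and a pull-request CI job both fail even though they may run the same workflow file, because the decision is made on claims the identity provider asserts, not on anything the job can forge or copy. The stubbed verify_signature is the one place where the model is weaker than the real thing.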
---

Flat vs Hierarchical SBOMs - by Jeff Mendoza
Using GUAC to explore your nested dependency relationships
A valid SBOM should list all the components of a package, container, or deployment. However, the SBOM may or may not describe the transitive dependencies between those components. Learn how to peek into an SBOM and read those dependency relationships. Then we will use GUAC to make this process easier, and fill in missing details.
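To show what "reading those dependency relationships" means in practice, here is an added example (not the speaker's code and not GUAC) that walks the dependencies array of a CycloneDX JSON SBOM. The two SBOMs are constructed for illustration, with sample package names and versions that are not from a real scan: one hierarchical, one flat with the same inventory. The code tells the two apart, lists components that nothing claims to depend on, and answers "why is urllib3 in my build?", which a flat SBOM cannot.

```python
"""
Read the dependency relationships out of a CycloneDX JSON SBOM.

Added example; not the speaker's code and not GUAC. Both SBOMs below are
constructed (sample package names and versions, not a real scan). A
"hierarchical" SBOM records which component pulled in which; a "flat" one
lists every component as a direct dependency of the root, or records no
edges at all.
"""
from collections import deque

ROOT = "pkg:pypi/example-app@1.0.0"
REQUESTS = "pkg:pypi/requests@2.31.0"
URLLIB3 = "pkg:pypi/urllib3@2.2.1"
CERTIFI = "pkg:pypi/certifi@2024.2.2"
IDNA = "pkg:pypi/idna@3.6"
SIX = "pkg:pypi/six@1.16.0"

COMPONENTS = [
    {"bom-ref": ref, "name": ref.split("/")[1].split("@")[0], "version": ref.split("@")[1]}
    for ref in (REQUESTS, URLLIB3, CERTIFI, IDNA, SIX)
]

# Parsed CycloneDX 1.5 documents, i.e. what json.load() would return.
HIERARCHICAL_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": ROOT, "name": "example-app"}},
    "components": COMPONENTS,
    "dependencies": [
        {"ref": ROOT, "dependsOn": [REQUESTS]},
        {"ref": REQUESTS, "dependsOn": [URLLIB3, CERTIFI, IDNA]},
        {"ref": URLLIB3, "dependsOn": []},
        {"ref": CERTIFI, "dependsOn": []},
        {"ref": IDNA, "dependsOn": []},
        # six is in the inventory but nothing claims to depend on it.
    ],
}
FLAT_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": ROOT, "name": "example-app"}},
    "components": COMPONENTS,
    "dependencies": [{"ref": ROOT, "dependsOn": [REQUESTS, URLLIB3, CERTIFI, IDNA, SIX]}],
}


def root_ref(bom):
    return bom["metadata"]["component"]["bom-ref"]


def dependency_graph(bom):
    """bom-ref -> set of bom-refs it dependsOn. Every listed component gets a
    node even if the dependencies array never mentions it."""
    graph = {c["bom-ref"]: set() for c in bom.get("components", [])}
    graph.setdefault(root_ref(bom), set())
    for entry in bom.get("dependencies", []):
        graph.setdefault(entry["ref"], set()).update(entry.get("dependsOn", []))
    return graph


def transitive_dependencies(graph, start):
    """Everything reachable from start (start itself excluded)."""
    seen, queue = set(), deque(graph.get(start, ()))
    while queue:
        ref = queue.popleft()
        if ref not in seen:
            seen.add(ref)
            queue.extend(graph.get(ref, ()))
    return seen


def is_flat(bom):
    """True when no edge starts anywhere but the root: the SBOM lists what is
    present but says nothing about which third-party component brought in which."""
    root = root_ref(bom)
    return all(not deps for ref, deps in dependency_graph(bom).items() if ref != root)


def unconnected_components(bom):
    """Inventory entries reachable from nothing; their provenance is missing
    and has to be recovered from another source."""
    graph = dependency_graph(bom)
    root = root_ref(bom)
    return set(graph) - {root} - transitive_dependencies(graph, root)


def paths_to(graph, root, target):
    """All root->target paths: the answer to 'why is this in my build?'."""
    paths, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        for child in sorted(graph.get(node, ())):
            if child in path:  # tolerate cycles in malformed SBOMs
                continue
            if child == target:
                paths.append(path + [child])
            else:
                stack.append((child, path + [child]))
    return sorted(paths)


if __name__ == "__main__":
    for label, bom in (("hierarchical", HIERARCHICAL_BOM), ("flat", FLAT_BOM)):
        g = dependency_graph(bom)
        print(label, "flat:", is_flat(bom), "unconnected:", unconnected_components(bom))
        print("  why urllib3?", paths_to(g, ROOT, URLLIB3))
```

Two things the walk exposes. First, the hierarchical document is also incomplete: six appears in the inventory with no incoming edge, which is the kind of gap a tool that cross-references other SBOMs and package metadata can fill. Second, the flat document passes every structural check yet cannot say whether urllib3 is there because of requests or because the application imports it directly, which matters the moment a vulnerability in urllib3 needs a fix plan.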

OpenSSF: London Meetup
Whittington House
19-30 Alfred Place · London