Safely Sourcing OSS - Beyond 0 CVEs - John Kjell, ControlPlane
Author: CNCF [Cloud Native Computing Foundation]
Uploaded: 2025-11-24
Views: 32
Description:
Don't miss out! Join us at our next Flagship Conference: KubeCon + CloudNativeCon events in Amsterdam, The Netherlands (23-26 March, 2026). Connect with our current graduated, incubating, and sandbox projects as the community gathers to further the education and advancement of cloud native computing. Learn more at https://kubecon.io
As container images shrink and teams chase the elusive “0 CVE” scan, a host of other threats lurk beneath the surface of open source software. Security is more than vulnerabilities; it’s about trust, transparency, and maintainability.
Open source can be:
Improperly governed -- at risk of hostile takeovers
Maliciously licensed -- hiding legal landmines
End-of-life -- abandoned with no path forward
Poorly documented -- where “read the code” is the only option
Untested -- bugs waiting to detonate at scale
Insecurely released -- exposing the supply chain
These non-obvious risks often paralyze teams trying to make informed choices. But a new generation of tools is emerging to bring clarity.
We’ll explore how CNCF projects and Linux Foundation initiatives are using OpenSSF’s Security Scorecards, SLSA, Security Baseline, and the 2025 updated TAG Security guidance on supply chain security to surface and share critical metadata that empowers safer open source adoption.