Session + Live Q&A

Securing the Development & Supply Chain of Open Source Software (OSS)

Open Source Software (OSS) is everywhere today. Unfortunately, all software (OSS and not) is under attack. This talk will briefly discuss how OSS is developed & distributed as a supply chain (SC) model, which then gives insights into how OSS is attacked and some countermeasures. We then discuss how OSS developers can develop & distribute secure OSS today, discuss how potential users can select secure OSS (including by looking for those developer practices), and obtain a glimpse at what’s coming in the future.


David Wheeler

Director of Open Source Supply Chain Security @linuxfoundation

Dr. David A. Wheeler is an expert on open source software (OSS) and on developing secure software. His works on OSS include "Publicly Releasing Open Source Software Developed for the U.S. Government", and "Open Source Software is Commercial". He also helped develop the U.S....

Thursday May 20 / 09:10AM EDT (40 minutes)


Building Secure Systems



Add to Calendar

Add to calendar


From the same track

Session + Live Q&A Security

Depending On If I Had Coffee Or Not Your Application May Be High Risk

Thursday May 20 / 10:10AM EDT

Security practitioners are often espresso'ing risk with qualitative measurements. We use broad, imprecise risk measurements such as high, medium, and low while applying them inconsistently if we haven't had our first cup. We struggle to measure if security work is driving down risk,...

Shannon Morrison

Senior Security Engineer - Detection Engineering @Netflix

Scott Behrens

Senior Security Engineer @Netflix

Session + Live Q&A Security

Application-Layer Encryption Basics for Developers

Thursday May 20 / 11:10AM EDT

Application-layer encryption should be a tool in every developer's toolbox. In this talk, I cover the basics of encryption, what application-layer and infrastructure-layer encryption are, when to use asymmetric and symmetric keys, and how to do key management. Finally, we review a...

Isaac Potoczny-Jones

Founder @Tozny & Authentication and Privacy Specialist


Panel: Secure Systems

Thursday May 20 / 12:10PM EDT

In this panel, we will continue the conversation on security for the software supply chain and software security risk measurement.

Shannon Morrison

Senior Security Engineer - Detection Engineering @Netflix

Michael Fagan

Computer Scientist @NIST (National Institute of Standards and Technology)

Matt Jones

Vice President, Global Engineering @WindRiver