Lightning Talk
Intermediate

Designing Secure-by-Default Open Source Software

Approved

Security issues in open source software are often discovered only after widespread adoption. While patching vulnerabilities is essential, a purely reactive approach does not scale as open source becomes critical infrastructure.

Most FOSS projects are maintained by small teams or individual contributors. Security gaps usually exist not due to negligence, but because security is treated as an afterthought rather than a design concern.

Some security challenges are especially difficult in open source environments:

  • Accepting contributions from unknown contributors without introducing supply-chain risks

  • Shipping software with safe defaults while keeping it easy to adopt

  • Handling vulnerability disclosure responsibly with limited maintainer bandwidth

  • Helping users verify the integrity of the software they depend on

Even when security checks exist, they are often inconsistent or optional, leading to fragile trust between maintainers, contributors, and users.

This lightning talk introduces the idea of secure-by-default design for open source projects. It focuses on small, high-impact practices that can be adopted early, without adding heavy process or vendor dependency.

The session briefly covers the open source threat model, common security failure patterns across FOSS projects, and how transparency and openness can become a security advantage rather than a weakness.

The talk emphasizes principles over tools, making it applicable across languages, ecosystems, and project sizes.

  • Understand important security challenges in open source software.

  • Learn practical secure-by-default principles for FOSS projects.

  • Build trust as a contributor, maintainer, or user of open source.

Engineering practice - productivity, debugging
Contributing to FOSS
Technology / FOSS licenses, policy
