Lightning Talk Beginner

Guarding the Gates: Secure Open Source Library Consumption with vet

Approved
Session Description

Modern software is built on a mountain of open source code, but inside that code there are hidden risks we often overlook: known vulnerabilities, malicious packages, abandoned projects, and incompatible licenses.

In this talk, we'll walk through the real-world problem of insecure OSS consumption and introduce vet, an open source tool designed to automate the vetting of OSS libraries before they are used. With features like customizable filters and policy-as-code, vet lets security and engineering teams build guardrails directly into their CI/CD pipelines.

Attendees will gain a practical understanding of how to integrate vet into their workflows, reduce technical debt, and make better, safer choices in their dependency stack.

Key Takeaways

1. Helps teams catch vulnerable or risky dependencies before they enter the codebase.
2. Enables organizations to define OSS security policies in code and enforce them consistently.
3. Drives adoption of well-maintained and secure open source projects.
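To make the "policy-as-code" idea in the takeaways concrete, here is an added example of a minimal dependency gate that a CI job could run: each dependency is checked against a declared policy (maximum accepted vulnerability severity, license allowlist, staleness limit, minimum maintenance signal) and the job fails on any violation. This is illustrative code written for this page, not vet's own code, filter language or policy schema; the package records are constructed sample data and the policy field names are hypothetical.

```python
"""Illustrative policy-as-code gate for open source dependencies.

Added example, not vet's own code or policy format. The policy keys
(max_severity, allowed_licenses, max_days_since_release,
min_maintained_score) are a hypothetical schema, and SAMPLE_PACKAGES
is constructed data with fictional package names.
"""
from dataclasses import dataclass

# Ordering used to compare a finding against the policy threshold.
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Package:
    name: str
    version: str
    license: str                 # SPDX identifier
    vuln_severities: list        # severity of each known vulnerability
    days_since_release: int      # age of the most recent release
    maintained_score: int        # 0-10 maintenance signal (hypothetical)


# What a policy file checked into the repo would contain.
POLICY = {
    "max_severity": "MEDIUM",
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "max_days_since_release": 730,
    "min_maintained_score": 5,
}


def worst_severity(severities):
    """Highest severity among the findings, or NONE when there are none."""
    return max(severities, key=lambda s: SEVERITY_RANK[s], default="NONE")


def evaluate(pkg, policy):
    """Return a list of human-readable policy violations for one package."""
    violations = []
    tag = f"{pkg.name}@{pkg.version}"

    worst = worst_severity(pkg.vuln_severities)
    if SEVERITY_RANK[worst] > SEVERITY_RANK[policy["max_severity"]]:
        violations.append(
            f"{tag}: known vulnerability of severity {worst} "
            f"exceeds allowed {policy['max_severity']}")

    if pkg.license not in policy["allowed_licenses"]:
        violations.append(f"{tag}: license {pkg.license} is not on the allowlist")

    if pkg.days_since_release > policy["max_days_since_release"]:
        violations.append(
            f"{tag}: last release {pkg.days_since_release} days ago "
            f"(limit {policy['max_days_since_release']})")

    if pkg.maintained_score < policy["min_maintained_score"]:
        violations.append(
            f"{tag}: maintenance score {pkg.maintained_score} "
            f"below minimum {policy['min_maintained_score']}")

    return violations


def gate(packages, policy):
    """Evaluate every package; an empty result means the build may proceed."""
    violations = []
    for pkg in packages:
        violations.extend(evaluate(pkg, policy))
    return violations


# Constructed sample inventory (fictional packages, not real findings).
SAMPLE_PACKAGES = [
    Package("acme-http", "2.3.1", "Apache-2.0", [], 120, 9),
    Package("tiny-pad", "1.0.4", "WTFPL", [], 2900, 1),
    Package("old-utils", "4.2.0", "MIT", ["HIGH", "MEDIUM"], 1500, 8),
]


if __name__ == "__main__":
    failures = gate(SAMPLE_PACKAGES, POLICY)
    for line in failures:
        print("FAIL", line)
    # Non-zero exit makes the CI step fail and blocks the merge.
    raise SystemExit(1 if failures else 0)
```

In a real pipeline the package records would come from the scanner's output and the policy from a file under version control, so that changes to the guardrails go through the same review as code; the gating logic itself stays this small.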

References

Session Categories

Other
Security
Which track are you applying for?
Main track

Speakers

Sudhanshu Dasgupta
Software Engineer | SafeDep

I’m a Software Engineer and Open-Source Maintainer. You will find me talking about open source, web development, supply chain security, UI design systems, cloud-native technologies, and community building.

I’m a core maintainer of Meshery (a CNCF open-source cloud-native management plane) along with contributing to and maintaining several other open-source projects.

Beyond coding, I actively mentor and guide new contributors, helping them navigate and grow in the open-source ecosystem. I also write technical blogs and enjoy advocating for open-source projects and cloud-native technologies, making them more accessible to developers.

https://www.linkedin.com/in/sudhanshu-dasgupta/

Reviews

FOSS security definitely has its place at a FOSS conference. This may be a little too niche and not technical enough for the folks who would be interested. But since it's a lightning talk and should be kept to 10 minutes, I think it still should be approved.

This is an interesting project. It definitely has its place. It would be interesting to see this talked about at some of our city chapters.

Reviewer #1 Approved

I am not sure how this tool can help "reduce technical debt", as claimed in the proposal. I agree with the other reviewer - this may be suited for a lightning talk that shows various use cases of the tool. Many devs will find value in the use cases for the vet tool shown in its GitHub repo. Extra points for the proposer if they are able to show scan results on well-known repositories and come up with uncommon insights.

Reviewer #2 Not Sure

+1 as Lightning talk. Would be relatable and useful to developers across the tech stack.

Reviewer #3 Approved

We need to build awareness and have conversations about FOSS security.

Reviewer #4 Approved