This session introduces the overall picture of open source software and security. And, oh, the agenda, yes. First, looking back at the overall situation of OSS security, then a brief introduction of OpenSSF. Probably you know it well, but OpenSSF is the main body for activities related to OSS and OSS supply chain security, so let me briefly introduce OpenSSF. Then I will introduce some general activities related to OSS security in Japan. And then Cybertrust Japan; I am from Cybertrust, and I will introduce Cybertrust Japan's activities. So the discussion is overall, slightly focusing on the Cybertrust Japan activity, and then the conclusion. Right? Okay. I'm Mui Keda from Cybertrust Japan. All right, so let's go.

First is the overall situation of OSS security. Nowadays many people are talking about security, and OSS security is very important. But this chapter is not limited to OSS; it introduces and looks back at the overall situation of cyber security. Well, a Japanese government agency, IPA, the Information-technology Promotion Agency, publishes every year the top 10 threats for cyber security. This table shows 2021 and 2022 on the right-hand side. The important points: the first is that rank one is ransomware. In both years ransomware is ranked number one, so the threat of ransomware is continuing. The second is supply chain attacks, the green box. In 2022 supply chain attacks are ranked number three, third rank. This is ranked up, so the threat of supply chain attacks is rising. Point three is that vulnerability attacks appeared, number seven in 2022. Vulnerability attacks means something like zero-day attacks. The zero-day attack is newly ranked. So in 2022 these three points are new or continuing, and they are very important points: ransomware, supply chain attacks and vulnerability attacks. This is the overall situation. And I think ransomware is ranked number one.
So let's look back at recent ransomware incidents. Well, companies we know well are listed, for example this one, or Coca-Cola, and so on. The summary is: two or three years ago, ransomware was attacking business logic, but recently it also attacks manufacturing, which includes factories and so on. That is the changing point. And LockBit accounts for over 50% of the incidents. And this is a characteristic phenomenon: the information leak happens simultaneously. That means the ransomware of course locks a lot of information and demands the ransom, but if the ransom is not paid, LockBit, the group, sends blackmail threatening to leak the information. And actually the information leak happens.

Well, let's step back to open source software. The right table is very detailed; I cannot read it in detail. But anyway, please feel that the table shows where open source software exists. In each area, very detailed, but here is desktop, web server, database, AI, big data and so on. What I want you to feel here is that OSS now exists everywhere; it is omnipresent. Some reports say that 98% of software products include open source code. So it is just omnipresent. The second thing is that OSS is now also utilized for critical infrastructure. For example, the Tokyo Stock Exchange is using a Linux system. This is a very popular story, which is from Fujitsu and Red Hat. And in banks and the financial industry, account systems are built on Linux. And of course much of the infrastructure we use daily, for example transportation, electricity, gas, broadcasting and so on, is using open source. That's the situation. So OSS is omnipresent now, and I'm saying that infrastructure is using open source. So let's look back at actual incidents for infrastructure. Well, these are very big incidents.
Last year, 2021, Colonial Pipeline, which is a US pipeline company. I believe it is the largest pipeline company in the US, or one of the largest. Yes. Unfortunately Colonial Pipeline was attacked by ransomware and a business outage happened. There was some news, and it was broadcast, so probably you remember that for one week or one and a half weeks the pipeline was stopped, and citizens on the east coast, like New York or Washington DC, panicked because gas stations didn't work. And it is said that Colonial Pipeline paid the ransom. I don't know how, but subsequently 80% or 85% of the ransom was recovered. And this year, 2022, Costa Rica. This is a government. The government was attacked by ransomware and government operations stopped. The government declared a state of national emergency. That's a big incident. It is said that this was done by Conti, and probably the Costa Rican government did not pay the ransom, so Conti disclosed some confidential information. So information leaking actually happens. All right. So many incidents. Infrastructure was attacked. Open source is omnipresent. And of course the OSS community is reacting.

Before that, let me look back at more important incidents. SolarWinds, you remember that. SolarWinds is a network monitoring system, a very major system. The US government is also using it, and probably many Japanese customers. But unfortunately SolarWinds was contaminated with malware, Sunburst. Sunburst set a back door, and it is said that over 100 users also suffered the intrusion. That was the end of 2020. Right. And Log4Shell, the end of last year. That's a big accident, incident. As you see, Log4Shell is a vulnerability in Log4j. Log4j is widely used, and even if you are a user, you may not be sure whether you are using Log4j or not. So probably many people were in trouble dealing with that.
After these big incidents, the community and the governments reacted. In mid-2021 the US President issued the executive order on improving the nation's cybersecurity. It has 10 sections and requires each US government agency to adopt enhanced cybersecurity and make an adoption plan. In January of this year the OSS security summit was held at the White House in Washington DC. Actually the OSS security summit was held twice, first in January and second in May. And very important statements were published: from the first one, project Alpha-Omega, and from the second one, the OSS mobilization plan. I will look at the OSS mobilization plan later, but let me briefly explain project Alpha-Omega. Alpha-Omega consists of an alpha part and an omega part. Alpha is for critical open source software, the very important ones. They select 20 or 50 critical open source projects and inject investment and human resources to scan and fix their vulnerabilities. This is alpha. Omega is for the many ordinary open source projects other than the alpha targets. The omega target is estimated at 10,000, so this cannot be done by hand. So the omega project is making tooling to automatically scan for vulnerabilities; of course fixing is not automated. That's the omega project. And the mobilization plan is a very general plan. In my understanding project Alpha-Omega is merged into the mobilization plan; some chapter of the mobilization plan mentions Alpha-Omega. That's my understanding, but it doesn't mean Alpha-Omega is gone; Alpha-Omega is alive.

And in Japan, of course, Japan had a reaction. This is the Economic Security Promotion Bill from Japan. This is my translation, so I'm not sure if it is the correct translation. It is a law, created by the Diet. It defines 14 critical infrastructure sectors, and the government requires companies operating critical infrastructure to be inspected by the government.
I mean inspected for their systems: if a company is buying or replacing servers or something, in that case the government requires inspection of that for cyber security. That's it for now. And last but not least, the security summit Japan. This is a follow-up meeting like the OSS security summit at the White House, but held in Japan. I will talk about that later. So this is a recent timeline related to OSS security, governments, the OSS community and big incidents. This is looking back.

The OSS security summit, as I said, was held twice in the US and once in Japan, in August. In the US, at the first and second meetings, IT giants gathered and discussed how to enhance OSS security. The IT giants include Amazon, Apple, Meta, Google, IBM, so many companies you know well, and also government agencies: DoD, that's defense, DoC, commerce, and so on. As I said, two statements were stated: Alpha-Omega, and second the mobilization plan. In Japan the purpose is the same as the security summit in the US, but of course the attendees are different. In Japan's security summit big Japanese IT companies gathered, like Hitachi, Fujitsu, NEC, NTT Data, Toyota. Toyota is not an IT company, but car manufacturers now use a lot of IT, so Toyota was invited. And of course the attendees included the OpenSSF Japan members, Cybertrust Japan and Cyborgs and the businesses. Oh, I forgot to say that the meeting was held by the Linux Foundation and OpenSSF. That's the reason why we could join it, right, and discuss how to enhance, how to improve OSS security. And many things are done by OpenSSF. OpenSSF is now the center of open source security, I think.

So here let me briefly introduce OpenSSF. Probably you know it well, but please be patient. OpenSSF is a project under the Linux Foundation. It's a cross-industry community. The purpose is to improve and enhance OSS security: OSS and OSS supply chain security.
The number is probably a little bit old, but now it has over 100 members, including Premier, General and Associate members. Associates are like universities and so on. Over 100, but unfortunately there are only three members from Japan: Cybertrust Japan, we, and Cyborgs and RuneSus. And yesterday we had an OpenSSF Day as a co-located event of the open source summit in Japan, and we had some talks and discussion about open source security enhancement. OpenSSF consists of the usual structure of a governing board and TAC, and under that there are seven or eight working groups. This figure is probably a little bit out of date, because yesterday at OpenSSF Day the latest figure of the structure was shown. It includes Sigstore categorized as a top-level project under OpenSSF. Of course Sigstore is an independent project, but OpenSSF is focusing on the enhancement and development of Sigstore. So Sigstore is shown here. Oh, Sigstore is here. At this point it was said to be an associated project, but now it is a top-level project.

OpenSSF is of course an open source community, but, what should I say, it's a box. So that's a member's trouble, consideration, I'm not sure of the right word, but how to contribute is not so easy to find out. I don't mean that contributing is very hard; I don't mean that. But the contribution point, finding the contribution point, is not so easy because it's just a box. So OpenSSF provides many ways to get involved. Of course it has many GitHub repositories and many meetings. The meetings are listed in the calendar, so you can check them. I recommend that you find an interesting meeting and jump into the discussion. That's the first way to join OpenSSF. And if you find some interesting project, you can get involved with the project. After that it is the same as a usual open source project.
That's my recommended way to get involved and collaborate with OpenSSF. So please do that. That's the very general situation looking back at OpenSSF.

From here let me introduce the activities in Japan related to open source security and open source supply chain security. After the open source security summit in Japan in August, we had a small wrap-up meeting among the OpenSSF members at Cybertrust Japan's office. Brian Behlendorf, who is the GM of OpenSSF, came to the meeting, and we had many discussions there. So I want to say thank you, Brian, and thank you to the OpenSSF members from Japan other than Cybertrust Japan. And this is my personal, not personal, activity: I'm promoting OpenSSF in Japan. This is wide promotion. Recently I had three events and gave speeches at each: the Japan Security Summit in October, HTECH in November, and the Open Source Conference in November. At the Japan Security Summit, which is a virtual event for world cyber security, my speech got the highest number of views. Congratulations. All right.

Next is the breaking news. I stated this breaking news yesterday: we decided to launch the OpenSSF Japan chapter. This should be open, but initially let's do it as a small meeting. We are gathering, we meaning the OpenSSF Japan members, three companies, and LF Japan, and we will have discussions. I will host the meeting. At the meeting we will try to find the direction. Direction to what? This is what I said: how to contribute to OpenSSF, what is the best way to contribute to OpenSSF, how to grow with OpenSSF. After that we will open the meeting and publish the message to anyone in Japan. The first purpose is of course to share our ideas, issues, challenges, status, anything related to open source security.
But the third purpose is of course the promotion of OpenSSF, because it makes me very happy to get involved, and for many members to get involved in OpenSSF. Right, that's the general part.

At last, let me introduce Cybertrust Japan's activities for open source security. This is a very late slide, but here let me introduce Cybertrust Japan. Probably many of you don't know what Cybertrust Japan is. Cybertrust Japan is not a company making nice dishes like this. These are Cybertrust dishes, but we are not a retail company; we are a security and OSS company. We have three pillars of business. The left-hand side is security. Actually Cybertrust is the first commercial certificate authority (CA) operator in Japan, with over 20 years of history. This section also provides electronic signature services. The right-hand side is OSS. We provide the Linux distribution from Cybertrust, named MIRACLE LINUX. Before, there were multiple distributions from Japan, but now MIRACLE LINUX is probably the only server distribution from Japan that survived, as far as I know, right? The OSS section also provides a vulnerability management tool, MIRACLE Vul Hammer. In the middle is the IoT section, which I belong to. The IoT section is actually the fusion of OSS and security, and the focus business area is IoT. It provides the second distribution, a Linux distribution for embedded systems, EMLinux. This is based on Yocto and CIP. This section also provides digital authentication, or rather a device lifecycle management service, named Secure IoT Platform, S-I-O-T-P, right? So this is a real fusion: using OSS and providing security also. Three pillars. This is our company, Cybertrust Japan. What I want to say here is that our DNA is based on OSS and security. Right. So, the mobilization plan.
As I said, this was stated from the second open source security summit at the White House. It defines three goals and ten streams to enhance and improve OSS security. I'm not pointing them out one by one, but please remember there are ten streams. Cybertrust Japan stated that it will focus on five points: one, three, eight, nine, ten. And I prioritize especially three points: number three, digital signatures; number nine, SBOM everywhere; and number ten, better supply chain security. Those are the most important focus points for us. So let me introduce the activities related to them.

First, stream three, digital signatures. Concretely, this is about Sigstore. To be honest, we are very much newbies in this area. So, the same as the usual starting point for open source collaboration and contribution, we are building it, trying it, pointing out features that are not enough, then developing them and contributing. We are starting that. And the middle-term goal for us is to operate a Sigstore instance in Japan. That has a background: it comes from our experience of CA operation. If some severe incident happens, sometimes a government agency inspects the records, for example the police or some other agency, right? In that case the Japanese police's jurisdiction, their power, spans only inside Japan; they cannot collect records in the US, in France or in Germany, right? So critical infrastructure operators, as our users, sometimes require us to operate the CA instance inside Japan. Sigstore is very important infrastructure even now, and it will be more so. I believe the same situation will happen with Sigstore servers. Providing a secure service is our responsibility, so I think operating Sigstore inside Japan is also our responsibility. So we will do that. I'm saying I will do that. I will do that. So it's not done yet. The status is taxiing to the runway; it is not flying. But we will do that.
Oh, this is the structure. Please refer to it later.

The second point, SBOM everywhere. This is also a focus point for us. We are in a very unique position, because, as I explained, we have the Linux distribution as a generator of SBOMs and the vulnerability monitoring system as a user of SBOMs. So we have both experiences, and we can collect the voice of customers from both. So I think we are very unique. The first collaboration point is to collect use cases of SBOM and feed them back to the community and collaborate. That's the first point, I think. So we will do that. Actually we are starting SBOM promotion in Japan. SBOM is very important now, so we are saying, hey, SBOM is very important, please, let's make it, let's use it, in private or public seminars and many meetings. And SPDX. I know that the SBOM format is still in flux, and there are two major SBOM formats: one is SPDX and the other is CycloneDX. Of course I don't mean CycloneDX is worse than SPDX. Someone says CycloneDX is better because it can hold more information compared to SPDX. But this is 64% my personal opinion, not the company's opinion: I think SPDX has the advantage of openness. It is standardized as an ISO standard, and the development of SPDX is fully open. So I want to bet on SPDX. Actually Cybertrust Japan is focusing on SPDX. We are not neglecting CycloneDX, but the focus, the priority, is on SPDX. So we are making our products adopt SPDX. That's the activity for SBOM everywhere. As I said, some things are in the future and some we are already doing. So the status is now taken off; we assume it will fly higher.

All right, number three, better supply chain security. This is the point where I'm very confident to say we are doing a lot, and we contribute a lot. Mainly in EMLinux development we are contributing to and collaborating with the community a lot.
So this is an example. First is CIP, the Civil Infrastructure Platform. This is a community providing long-term support for industrial users. Cybertrust Japan is a member of CIP and actively contributes to development. And KernelCI. This is a test framework for the Linux kernel. We are actively using it and actively developing new features and bug fixes. My colleague is a mentor of some project under KernelCI, and she is also a technical steering committee member of KernelCI. And Yocto, no, sorry, the Linux kernel. All I need to say is that we are backporting many bug fixes. And Yocto. Yocto is a build system, mainly for embedded systems. EMLinux is based on Yocto. We are a heavy user and heavy contributor; we are fixing bugs and developing new features. We also have one employee who is a Yocto ambassador. He is the only Yocto ambassador from APAC, so he is promoting Yocto. That's also a contribution. And at last, meta-debian. Meta-debian, or Debian: we are contributing a lot to meta-debian and Debian. So these we are doing. And of course not only there. We are doing it, and of course we will keep on doing it. So the status is steady, keeping on. All right. Three points, our activities related to the mobilization plan.

At last, let me briefly say why Cybertrust Japan can contribute, why I am very confident in each area. First, digital signatures. This is because of our experience as a root CA operator with over 20 years of history. CA operation is very critical work; it must not go down. So we have the experience and we know how to operate critical infrastructure. So we are sure we can provide a signature service at the same level as a root CA. The related products are here: the CA and the Secure IoT Platform are related to the signature activity. And that's about it. Next, as I said, why we can contribute to SBOM: because we are in a very unique position as a user and a generator.
So we can collect many voices of users. That should be our contribution to the community, I believe. The related product is everything, because it's SBOM everywhere. And last, better supply chain security. Why can we contribute? Because we have two distributions and we are continuously improving them. That leads to many cooperations and enhancements. The related products are MIRACLE LINUX, the distribution for servers, and EMLinux, the distribution for embedded IoT systems. So that's the reason why we can contribute. We are doing that; that's a commitment from us. Our business, our products, all of them are based on open source software. That means we are users of open source. And of course we are contributing a lot to the community. That means we are contributors. So we are both. And we stated the commitment to get involved in the community. That's our first priority. So we will keep on doing that, and we promise that collaboration. Okay, let's move forward to enhance OSS security and OSS supply chain security. Thank you for listening. Any questions?

What are some advantages of joining OpenSSF? What are some of the advantages of joining OpenSSF as a contributor?

What are advantages?

Advantages. Like pros, like pros or advantages.

Oh, yeah, yeah, yeah. Well, you mean, what are the advantages, do you say? Sorry? I'm sorry. Advantage. Advantage of attending OpenSSF?

Yes.

Okay, yes. All right, thank you. Thank you so much. Well, yeah, that's not an easy question to answer. I mean, the direct contribution is, of course, investment, because some fee is required. So this is the direct benefit for OpenSSF. But your question is about the benefit for us, right? I think we can stand in the first place to gather information; information gathering, that's the first benefit for us. We can attend the meetings, and there is a lot of information there. And also we are meeting here, face to face.
In that case, if I'm a member of OpenSSF, for example Brian Behlendorf knows me, right? So we can discuss many things and collaborate. That's probably the first benefit I feel. Is that the answer for you? Thank you so much. Okay. Well, thank you for listening. Remember, Cybertrust Japan is doing a lot. So let's collaborate in the community. Thank you so much.