Open Source Security: The Good, The Bad, The Vulnerable

Open source is the backbone of nearly every application in every industry. As great as this may seem for the movement, it raises important questions about our progress. This panel discussion at the State of Open Conference 2025 explores some of these questions and discusses their future implications.

A panel discussion between Aeva Black, Mike Bursell, and Nelson Batsford at State of Open Con 2025 in London, moderated by Divya Mohan.

The goal of this discussion is two-fold:

Firstly, supply chain security remains a mystery despite the many tools, frameworks, and ecosystems we've built around it, open source and otherwise. Even if we scope our discussion to include only the supply chain security of the open source components we employ in our workloads, how many of us can claim that we are truly aware of all our dependencies and can mitigate all the upstream risks associated with them? Especially in these times, when malicious actors are becoming more sophisticated and AI-generated code is becoming the norm? Are these even a part of organisational discussions or considerations when adopting open source tools or technologies today?

Secondly, how do regulations, for example, the European Union's CRA, UK’s Cyber Security and Resilience Bill, etc., impact conversations around supply chain security? Are they helpful in improving the support we extend to the creators and maintainers of the software we depend on?

With this panel, we aimed to explore some of the upstream and downstream risks associated with open source software security today, while also seeking to set the ball rolling on a collaborative dialogue toward addressing some of the current challenges and providing insights into future implications.