Every August, the security community converges for two of the biggest events in cybersecurity: Black Hat USA and DEF CON. This year, both gatherings underscored the growing urgency to secure software that underpins mission-critical systems that businesses and municipalities rely on daily.
In conversations with CISOs and other security professionals onsite, several major themes stood out, including AI-enabled security, SBOM adoption and the value of collaboration between industry, government and the open source community.
The Open Source Security Foundation (OpenSSF)’s attendance at both events allowed the foundation to tap into these conversations and see where the open source security industry is headed next. Together we discussed a few of the top focuses for CISOs and security teams, which I explore below alongside other experts from the likes of Trail of Bits, Canonical and the Open Source Tech Improvement Fund (OSTIF).
AI-Powered Security: Promise and Proof
One of the topics that had executives and security professionals alike buzzing was the prospect of AI-powered vulnerability detection. Organizations already face a torrent of security alerts daily, so the prospect of automating some or all of that manual triage would be a major efficiency boon.
Security leaders also expressed concerns about the data protections around AI usage generally, pointing to worries about reliability and repeatability. Proving the value of AI for security, with evidence that holds up across repeated runs, will be a major focus going forward.
The culmination of DARPA’s AI Cyber Challenge (AIxCC) at DEF CON added extra emphasis to the value that AI holds for security leaders. Led by DARPA and ARPA-H, AIxCC’s competition aimed to create AI-driven systems capable of automatically detecting and patching vulnerabilities, especially in open source software that underpins critical infrastructure.
As a challenge advisor, I got to work closely with competitors and judges on the challenge, even guiding a few winning projects to open source their creations for public consumption. These winners, like Trail of Bits, showcased that AI in security is no longer just a theoretical tool, but a practicality that more organizations should be exploring.
Michael Brown, principal security engineer at Trail of Bits, pointed out the reality of AI-driven security.
“Government-sponsored competitions like the AIxCC are incredible opportunities for us to make game-changing advances in cybersecurity that benefit everyone,” he said.
“In the AIxCC, our cyber reasoning system, Buttercup, showed that vulnerability discovery and remediation for large and under-resourced software ecosystems can be done automatically, at scale, and at an acceptable cost. These technologies have tremendous potential to tip the scales back in favor of cyber defenders, and almost certainly would not exist or be publicly available without DARPA and ARPA-H's support," added Brown.
Our takeaway: AI can meaningfully reduce the time from vulnerability discovery to remediation. The more open source AI security tools there are on the market, the better equipped developers will be to prevent threats to their teams.
SBOMs: Moving Toward Practical Adoption
While AI stole many headlines, the conversation on Software Bills of Materials (SBOMs) continued to evolve. At Black Hat, OpenSSF engaged with members of the SBOM community, US government representatives and enterprise security teams to discuss practical challenges in generating and consuming SBOMs.
Some of these include educating development teams, establishing clear standards for teams to work against, and integrating with established processes and tools. Keeping SBOMs accurate and up to date also poses a significant staffing challenge.
The potential value and challenges of SBOMs are echoed by industry leaders.
“SBOMs continue to show great promise and are already starting to deliver on some of their expected benefits, but still face some implementation challenges,” said Stephanie Domas, CISO at Canonical.
“Accuracy of SBOM generation, adequate reflection of applied patches, and complex versioning situations when dependencies have been forked are all growing pains the industry as a whole will have to work through to continue to deliver on the promise of SBOMs. Collaboration through organizations like OpenSSF will be critical to help us get there,” Domas continued.
The takeaway: SBOM adoption is progressing, but organizations still face hurdles in standardization, integration with CI/CD pipelines, and ensuring the accuracy and timeliness of SBOM data. Many security leaders agreed that automation and better tooling are critical to making SBOMs a dependable part of vulnerability management.
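The accuracy and timeliness problems described above are the kind of thing a consuming team can check mechanically before an SBOM is trusted in a pipeline. The following is an added example, not code from OpenSSF, Canonical or any project mentioned on this page. It runs a few consistency checks over a constructed CycloneDX-style BOM (the document structure, `SAMPLE_SBOM`, the `check_sbom` function, its `max_age_days` threshold and the purl handling are all assumptions of this example): it flags a BOM whose generation timestamp is older than a chosen window, components with no version or no package URL, and components whose declared version disagrees with the version embedded in their purl.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in CycloneDX JSON layout; package names and versions are
# illustrative and not taken from any real project's SBOM.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"timestamp": "2024-08-01T00:00:00Z"},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        # Declared version and purl version disagree: a typical generator error.
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.0"},
        # Internal fork with no version or purl: cannot be matched to advisories.
        {"type": "library", "name": "internal-lib"},
    ],
}


def purl_version(purl):
    """Return the version part of a package URL, or None if it has none.

    Qualifiers ('?...') and subpath ('#...') are stripped first. The version is
    the text after the last '@', but only if that '@' comes after the last '/',
    so scoped names such as pkg:npm/@scope/name are not mistaken for versions.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    at = base.rfind("@")
    if at == -1 or at < base.rfind("/"):
        return None
    return base[at + 1:]


def check_sbom(sbom, now, max_age_days=30):
    """Return a list of (subject, problem) findings for an SBOM dict.

    `now` is a timezone-aware datetime supplied by the caller so the check is
    deterministic; `max_age_days` is the assumed freshness window.
    """
    findings = []

    ts = sbom.get("metadata", {}).get("timestamp")
    if ts is None:
        findings.append(("sbom", "missing metadata.timestamp"))
    else:
        generated = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - generated > timedelta(days=max_age_days):
            findings.append(("sbom", f"stale: generated {ts}"))

    for component in sbom.get("components", []):
        name = component.get("name", "<unnamed>")
        version = component.get("version")
        purl = component.get("purl")
        if not version:
            findings.append((name, "missing version"))
        if not purl:
            findings.append((name, "missing purl"))
            continue
        declared_in_purl = purl_version(purl)
        if version and declared_in_purl and declared_in_purl != version:
            findings.append(
                (name, f"version {version} does not match purl {purl}"))
    return findings


if __name__ == "__main__":
    checked_at = datetime(2024, 9, 15, tzinfo=timezone.utc)
    for subject, problem in check_sbom(SAMPLE_SBOM, checked_at):
        print(f"{subject}: {problem}")
```

Run against the sample with a mid-September check date, the BOM is reported as stale, `urllib3` is flagged for the version mismatch, and `internal-lib` is flagged twice; with a check date inside the freshness window only the three component findings remain. In a CI/CD pipeline the same function would gate on an empty findings list before the SBOM is published or fed into vulnerability matching.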
Relationships Matter: Government and Industry Collaboration
Conversations at both Black Hat and DEF CON showed a strong appetite for deeper collaboration between government agencies and the open source community. This was underscored in my meetings with representatives from DARPA, ARPA-H and multiple private sector organizations.
Such collaboration is critical for scaling security solutions. To call back to DEF CON, AIxCC is a prime example: the event brought together government funding, open source expertise and competitive energy to deliver tools that are now available to the global community.
Open sourcing these projects is the equivalent of taking several large steps toward the next groundbreaking AI-driven vulnerability solution. Only through collaboration on a global scale will the most secure, most efficient projects be able to scale.
“Partnerships between the open source community and the federal government can turn good ideas into deployed defenses,” said Derek Zimmer, executive director of the nonprofit Open Source Tech Improvement Fund.
Also speaking at AIxCC at DEF CON, Zimmer noted that “funding, openness, and competition helped accelerate tools the whole community can potentially use,” pointing out that OSTIF supports funding models like this because “success can bring outsized benefits to the open source ecosystem.”
The takeaway: Cross-sector partnerships can fast-track the development and adoption of impactful security solutions. Events like Black Hat and DEF CON underscore this reality, as these conferences are vital for building relationships that lead to real-world security improvements.
Conclusion
This year’s Black Hat and DEF CON events in Las Vegas were a reminder that securing open source software is a shared challenge, and that the tools, relationships and practices forged in collaborative settings can have lasting impact.
AI security, SBOM adoption and government support will continue to evolve, and the momentum from this summer’s events suggests the community is ready to meet these challenges head-on.