Applying Cybersecurity Regulations and Industry Standards to Open Source Projects

CVE/FIRST VulnCon 2025 · Main Stage

In an era where open source software forms the bedrock of nearly every technological stack, the intersection of open source development with stringent cybersecurity regulations and industry standards presents a complex challenge. Luchi Stanesco, a Security Engineering Manager at Canonical, tackled this critical topic at VulnCon, presenting a compelling argument for how these seemingly disparate worlds can not only coexist but mutually benefit. The talk, titled "Applying Cybersecurity Regulations and Industry Standards to Open Source Projects," delves into the practicalities of bridging the gap between prescriptive regulatory frameworks and the often-decentralized, volunteer-driven nature of open source development.

AI review

Stanesco brings a genuinely useful framing problem to VulnCon — how do you reconcile the language of traditional regulatory compliance tooling with the reality of open source projects that will never have a legal department or a PERT? The mapping exercise (32/58 NCSC VSA criteria, 13/16 CISA SCRM questions correlating to OpenSSF frameworks) is concrete and the unmapped-criteria analysis is actually the most interesting part. This is competent, well-structured policy/supply-chain content that will be valuable to the security engineers and vendor compliance folks in the audience. It won't be…