Merging Security and Compliance: Perspectives on Emerging Regulations and Best Practices
CVE/FIRST VulnCon 2025 · Main Stage
This VulnCon talk examines the increasingly important intersection of security, compliance, and open source software, with a particular focus on emerging global regulations such as the European Union's **Cyber Resilience Act (CRA)**. It is given by Mike Lieberman, a TAG Security Tech Lead at the CNCF and an OpenSSF Governing Board member, and Eddie Knight, who works with the CNCF Security Advisory Group and leads initiatives at the Fintech Open Source Foundation. The session lays out the implications these legislative shifts have for software supply chains. Both speakers co-authored the **Open Source Project Security Baseline** and share insights from their work at the forefront of open source security, emphasizing the need for a unified approach that meets compliance obligations while improving real-world security.
AI review
A competent policy/compliance briefing from two speakers who clearly know this space — they co-authored the OSPSB and have direct exposure to CRA rulemaking discussions. The talk is well-structured, covers the CRA persona breakdown cleanly, and the OSPSB-to-Annex-1 mapping (19/21 requirements) is a concrete deliverable worth knowing about. But it rarely escapes the altitude of 'here is what the regulation says and why you should care.' For a VulnCon audience — practitioners who came to dig into vulnerability mechanics — this sits comfortably in the 'useful briefing, not a research drop'…