2025-06-21, Track 1 (UC Conf. Rm. A, 2nd Floor)
Neglected, under-resourced, or insecure open source code is being weaponized by adversarial nations and threat actors, and it is putting our infrastructure at risk. As CISA, regulators, and industry join forces to tackle opaque software supply chains, this talk breaks down what is at stake, what is in motion, and what defenders and leaders can do to build and use safer, more reliable software.
Open source software forms the foundation of modern infrastructure—from the servers running our hospitals and power grids to the dependencies buried deep in critical enterprise and government systems. As reliance on open source accelerates, so too does the risk: bad actors have learned to exploit its visibility, complexity, and our collective inaction. What used to be considered a developer problem has quickly escalated into a national security crisis.
This talk argues that securing and supporting open source software isn’t just a tech best practice—it’s a national security imperative. We’ll explore how software supply chain attacks are increasingly targeting the very building blocks of our digital infrastructure and how that puts everything from utilities to defense systems at risk.
We'll highlight how government and industry are responding together, through efforts led by the NTIA, CISA, and public-private SBOM working groups, to create shared frameworks for securing the software we all depend on. These collaborative initiatives are beginning to lay the foundation for transparency, accountability, and automation across the software ecosystem, with SBOMs (Software Bills of Materials) serving as a critical first step.
But guidance and frameworks are only the beginning. This session will unpack:
- How open source vulnerabilities impact infrastructure security at a national scale
- The role of federal agencies, regulators, and private-sector partners in shaping new standards
- Why SBOMs (actually) matter—and what it will take to operationalize them at scale
- Where security practitioners, maintainers, and vendors can plug in to help
- What still needs to change to make open source resilient by default
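What "operationalizing" an SBOM actually means in practice is the part of this list that most often stays abstract, so here is an added example (not material from the talk or the speaker): it takes a CycloneDX JSON document, normalizes every component, including nested ones, to its package URL (purl), matches those against an advisory feed, and separately reports components the SBOM describes too poorly to match at all. The SBOM, the advisory list, and the `ADV-CONSTRUCTED-*` identifiers are all constructed for illustration and are not real product or vulnerability data; the version comparison is deliberately simple (dotted numeric parts only, no semver pre-release handling).

```python
"""Operationalizing an SBOM: parse CycloneDX JSON, normalize components to
purls, match against an advisory feed, and flag unmatchable components.

Added example. The SBOM and advisory feed below are constructed for
illustration only and are not real product or vulnerability data.
"""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5-style SBOM (not from any real product).
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "frontend", "version": "1.0.0",
     "purl": "pkg:npm/frontend@1.0.0",
     "components": [
       {"type": "library", "name": "lodash", "version": "4.17.20",
        "purl": "pkg:npm/lodash@4.17.20"},
       {"type": "library", "name": "minimist", "version": "1.2.5",
        "purl": "pkg:npm/minimist@1.2.5"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "vendor-internal-lib"}
  ]
}
"""

# Constructed advisory feed: a component is affected when its version is
# strictly below fixed_in. Real feeds (e.g. OSV) carry richer range data.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "type": "npm", "namespace": None,
     "name": "lodash", "fixed_in": "4.17.21"},
    {"id": "ADV-CONSTRUCTED-002", "type": "maven",
     "namespace": "org.apache.logging.log4j", "name": "log4j-core",
     "fixed_in": "2.17.1"},
    {"id": "ADV-CONSTRUCTED-003", "type": "npm", "namespace": None,
     "name": "minimist", "fixed_in": "1.2.6"},
]


def parse_purl(purl):
    """Split a purl (pkg:type/namespace/name@version?qualifiers#subpath)
    into its type, namespace, name and version; percent-encoding is decoded."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):]
    body = body.split("#", 1)[0].split("?", 1)[0]   # drop subpath, qualifiers
    body, _, version = body.partition("@")           # '@' in names is %40-encoded
    parts = body.strip("/").split("/")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return {"type": parts[0].lower(), "namespace": namespace,
            "name": unquote(parts[-1]), "version": unquote(version) or None}


def version_key(version):
    """Dotted numeric key; non-numeric suffixes are ignored (simplification)."""
    key = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def version_lt(a, b):
    """True when a < b, treating missing trailing parts as zero (2.17 == 2.17.0)."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def iter_components(node):
    """Walk CycloneDX components depth-first, including nested ones."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def analyse_sbom(sbom_text, advisories):
    """Return affected components and components too vague to match."""
    sbom = json.loads(sbom_text)
    findings, unactionable = [], []
    for comp in iter_components(sbom):
        purl = comp.get("purl")
        p = parse_purl(purl) if purl else None
        if p is None or not p["version"]:
            # No purl or no version: the SBOM gives nothing to match on.
            unactionable.append(comp.get("name", "<unnamed>"))
            continue
        for adv in advisories:
            same = (p["type"], p["namespace"], p["name"]) == \
                   (adv["type"], adv["namespace"], adv["name"])
            if same and version_lt(p["version"], adv["fixed_in"]):
                findings.append({"purl": purl, "advisory": adv["id"],
                                 "fixed_in": adv["fixed_in"]})
    return {"findings": findings, "unactionable": unactionable}


if __name__ == "__main__":
    print(json.dumps(analyse_sbom(SBOM_JSON, ADVISORIES), indent=2))
```

The `unactionable` list is the point most teams miss: an SBOM entry with no purl or no version cannot be matched against any feed, so the first operational check is SBOM quality, not vulnerability lookup.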
If our infrastructure runs on open source, then the safety of our nation does, too. This talk is a call to action for security professionals, engineers, and policymakers to come together—not just to defend what we build but to protect the commons we build it with.
Crystal is a former engineer turned hacker and product marketing leader who lives at the intersection of software security, social engineering, and national defense. With roots in the security community and a deep love for high-integrity code, she’s on a mission to make software safer—not just for users, but for the stability of nations. After witnessing insider threats and systemic risks firsthand from inside a fast-moving engineering org, Crystal now advocates for software supply chain transparency, secure-by-default development, and public-private collaboration to protect the digital infrastructure we all depend on. Whether she’s breaking down SBOMs or breaking into mindsets, Crystal brings a uniquely human approach to securing what matters.