Opening Remarks: Mathias Cormann, Secretary-General, OECD
Preliminary draft agenda
- All session times are marked in Korea Standard Time (KST)
- All sessions will take place at the Swiss Grand hotel in Seoul, Korea.
- The welcome remarks, the sessions under each theme, and the keynote speech will be publicly livestreamed. To view all other sessions, participants will need to register.
Day 1: July 10, 2024
13:30 - 14:30
Registration
14:30 - 14:55
14:55 - 15:10
High-level group photo
15:10 - 15:25
15:25 - 16:25
Session 1 – Security-by-design and open-source software
Security-by-design is an approach that seeks to build security in products and services from the outset and throughout their lifecycle rather than as an afterthought, while maintaining the capacity to innovate and adapt to an ever-changing threat landscape. Following OECD Recommendations in this area, policy makers encourage its adoption by industry to reduce digital security risk, building on existing methodologies and standards such as the Secure Development Lifecycle. However, it is unclear how OSS projects can implement security-by-design. This session will explore the opportunities and challenges related to security-by-design in OSS.
Moderator: Jeremy West, Head of Digital Security and Safety Unit, OECD
Speaker: Allan Friedman, Senior Technical Advisor and Strategist, Cybersecurity and Infrastructure Security Agency (CISA)
Speaker: Elina Machefer, Open Source Security Programs Lead, French Cybersecurity Agency (Agence nationale de la sécurité des systèmes d'information ANSSI)
Speaker: Rasma Araby, Managing Director, Atsec information security AB
Speaker: Robin Ginn, Executive Director, OpenJS Foundation
Speaker: Heejo Lee, Professor, Department of Computer Science and Engineering, Korea University
16:25 - 16:45
Coffee Break
16:45 - 17:35
Session 2 – Open-source software and vulnerability treatment
When it comes to vulnerabilities, both proprietary and open-source software face the same reality: the more complex the code, the more vulnerabilities there are, and despite all efforts to secure the code by design, some vulnerabilities still remain, as explained in recent OECD work. The solution to software vulnerabilities is their detection and resolution, including through vulnerability treatment and co-ordinated vulnerability disclosure (CVD), a collaborative process involving all stakeholders, from security researchers (detection, disclosure) to software editors (vulnerability handling and resolution) and users (patching and vulnerability management). In 2022, the OECD recommended the adoption of public policies to encourage vulnerability treatment. This session will explore the specificities of OSS with respect to vulnerability treatment, and the unique characteristics of its ecosystem.
Moderator: Harry Toor, Chief of Staff, The Linux Foundation
Speaker: İsmail Erkek, Coordinator of Advanced Cyber Security Operations, Computer Emergency Response Team of the Republic of Türkiye (TR-CERT)
Speaker: Kyoungae Kim, Open source task team leader, LG Electronics
Speaker: Taketo Yamada, Director for Cybersecurity Strategy, Ministry of Economy Trade and Industry of Japan
Speaker: Melanie Rieback, Chief Executive Officer, Radically Open Security
17:45 - 20:30
Reception hosted by MSIT and KISA
Welcome remarks from Sang-Joong Lee, President, KISA
Day 2: July 11, 2024
09:30 - 09:45
ARRIVAL
09:45 - 10:00
A case study on digital security in the supply chain
10:00 - 10:50
Session 3 – Managed Service Providers (MSPs): the weakest link in the supply chain?
The 2020 attack that leveraged vulnerabilities of the MSP SolarWinds showed how devastating a supply chain attack can be, including through cascading effects affecting other managed service providers down the supply chain, including some of the most well-known cybersecurity firms. This attack also showed that the weakest link is not necessarily the smallest or the least secure partner. MSPs play an increasingly important role in the maintenance and operation of today’s information systems in organisations of all sizes. But at the same time, as MSPs are becoming critical in the supply chain, they are also becoming a prime target for malicious actors. MSPs can turn out to be the weakest point in the chain of security, leading to massive downstream incidents. This session will be an opportunity to discuss the criticality of MSPs and will bring together representatives from public and private organisations.
Moderator: Allan Friedman, Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency (CISA)
Speaker: Young Hoon Kim, Director of Public Policy for Japan and Korea, Amazon Web Services Korea
Speaker: Yock Hau Dan, Assistant Chief Executive, National Cyber Resilience, Cyber Security Agency of Singapore
Speaker: Marissa Maldonado, Chief Executive Officer, Proda Technology, LLC
Speaker: Harry Toor, Chief of Staff, Open Source Security Foundation
10:50 - 11:10
Coffee Break
11:10 - 12:00
Session 4 – Zero trust: a panacea to increase security of supply chains?
Zero trust is increasingly being promoted as a new security paradigm to address the vanishing of digital security perimeters around organisations, including partners within supply chains. While in principle at least the migration to zero trust security offers a way to improve security quite radically, its cost/benefit is unclear, notably when considering usability, organisation, complexity, and other management aspects. Another issue related to zero trust is the extent to which it can enhance the security of supply chains in complex ecosystems with numerous partners, and how smaller partners who are not zero trust-ready (or cannot afford it) can nevertheless be included. This session will bring together technical and policy experts.
Moderator: Melanie Rieback, Chief Executive Officer, Radically Open Security
Speaker: Eunsu Jeong, Director of Cyber Security Industry Division, Ministry of Science and ICT of Korea
Speaker: Aviram Atzaba, Executive Director for International Strategic Affairs, Israel National Cyber Directorate (INCD)
Speaker: Clément Rouault, Chief Technology Officer and co-founder, ExaTrack
Speaker: Florian Schütz, Director, National Cyber Security Centre (NCSC) Switzerland, Chair of the OECD Working Party on Digital Security
12:00 - 14:00
Lunch Break
14:15 - 15:15
Session 5 – Is more digital security regulation inevitable?
In an increasingly interconnected world, the need for robust digital security measures is undeniable. Yet the landscape is complex, with various sectors facing unique challenges. From critical infrastructure to the Internet of Things (IoT), cloud services, and the realm of certification and labels, the demand for regulation varies. This session will explore where regulation should become the norm to enhance digital security. It will also examine instances where self-regulation has shown promise, and yet sometimes faltered. Experts from governmental and private organisations will exchange views during the session.
Moderator: Florian Schütz, Director, National Cyber Security Centre (NCSC) Switzerland, Chair of the OECD Working Party on Digital Security
Speaker: Takashi Michikata, Director for International Affairs, Office of the Director-General for Cybersecurity, Ministry of Internal Affairs and Communications of Japan
Speaker: Benjamin Bögel, Head of Sector for Product Security and Certification Policy, European Commission
Speaker: Keun Woo Lee, Partner and Vice Head of the New Project Group, Yoon & Yang LLC
Speaker: Anne-Louise Brown, Director of Policy, Cyber Security Cooperative Research Centre (CSCRC) Australia
Speaker: Murat Yazgan, Head of Department, Ministry of Industry and Technology of Republic of Türkiye
15:15 - 15:35
Coffee Break
15:35 - 16:25
Session 6 – How to stimulate and enhance collaboration?
Collaboration among countries, stakeholders, and sectors is paramount to effectively combat cyber threats, which are constantly increasing in intensity and complexity. The session will look at best practices and concrete examples from a variety of contexts. From government initiatives to industry partnerships and cross-sectoral collaborations, the session will analyse what works best to foster cooperation and strengthen digital security. This session will bring together representatives from governmental organisations, private companies, and civil society.
Moderator: Audrey Plonk, Deputy Director Science, Technology and Innovation, OECD
Speaker: Shinya Tahata, Senior Director, Information Security, Bureau of Digital Services, Tokyo Metropolitan Government, Vice-Chair of the OECD Working Party on Digital Security
Speaker: Jennifer J. Quaid, Executive Director, Canadian Cyber Threat Exchange (CCTX)
Speaker: Evangelos Ouzounis, Head of Policy Development and Implementation Unit, European Union Agency for Cybersecurity (ENISA)
Speaker: Florent Kirchner, Head of the national cybersecurity strategy, Secrétariat général pour l'investissement (SGPI)
16:25 - 16:35