FOSS Backstage 2026

Success Stories in Open Source: Security Audits with OSTIF
2026-03-16 , Room bUm Box

Improved security in open source is not merely a theoretical goal but a plausible reality, as shown by the nonprofit Open Source Technology Improvement Fund, Inc. Following the established best practice of independent code review, with a process specifically tailored to open source projects and communities, OSTIF is turning funds into positive security outcomes.

The speaker will talk about the importance of security audits and a process tailored to open source communities, and highlight numerous success stories in improving the security posture of open source projects. Examples include the audits of Git, Kubernetes, Ruby on Rails, and php-src. The topic is relevant to the audience because the evidence presented in the talk suggests that a real, implementable solution to the security and technical debt of software projects is tenable. The main takeaways are as follows: (a) security audits are an effective tool for improving the security posture of projects; (b) projects of all sizes, maturity levels, and complexities have benefited from additional security audit work; and (c) OSTIF, as an independent nonprofit, is facilitating and executing security audits for critical open source projects at a high level of effectiveness. While many proposed solutions to the security problems of open source are theoretical and require considerable effort, OSTIF has homed in on a process to help open source projects en masse with a well-established best practice: independent expert security review.

Amir Montazery is the Managing Director and Co-founder of Open Source Technology Improvement Fund, Inc (OSTIF). OSTIF is a Chicago-based organization focused on directly helping open-source software projects improve their security posture. Amir comes from a background in finance, IT and internal auditing, applying years of experience to help develop OSTIF's processes and partnerships. Furthermore, Amir is responsible for negotiating and organizing over 12,000 hours of security-focused work for organizations like Google and Amazon Web Services, along with groups like the Mozilla Foundation and the Open Source Security Foundation (OpenSSF).