Open Source Summit + Embedded Linux Conference North America...
May 18-20, 2026
Minneapolis, MN
Note: The schedule is subject to change.

This schedule is automatically displayed in Central Daylight Time (UTC -5).

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.


Type: cdCon
Monday, May 18
 

11:20am CDT

Keynote: The Revolution Hiding in Plain Sight: CI/CD Platform Is About to Change Forever - Dadisi Sanyika, Sol Duara, Inc.
Monday May 18, 2026 11:20am - 11:45am CDT
Anyone who has worked on a CI/CD platform knows the feeling: the tools are powerful, but too much energy goes into making everything talk to everything else. Teams sense there should be a better way, but the ecosystem keeps pulling them back toward custom integrations.

This is an industry inefficiency. When hundreds of organizations each build integrations for the same tools, enormous effort is spent solving the same problems again and again. We’ve accepted this as normal, but there’s another pattern.

This talk explores why the status quo must change. Not through better tooling or more connectors, but through the same shift that transformed railroads, email, and the internet: shared protocol.

You’ll see the architecture making this inevitable: CDEvents as a shared vocabulary for SDLC, Workflow Segments as the semantic meaning behind “build” and “deploy,” and Conduit as an orchestration engine that understands the entire workflow. We’ll examine where boundaries exist in every pipeline, and how tools that broadcast proof of reaching those boundaries can coordinate without custom integrations.

The future of CI/CD isn’t more integrations; it’s one integration, used by everyone.
Speakers
Dadisi Sanyika

CEO, Sol Duara, Inc.
I am the Governing Board Chair for the Continuous Delivery Foundation (Linux sub-foundation) and the CEO of Sol Duara, Inc. Previously, at Apple, I led a team of engineers dedicated to improving the Continuous Deployment experience for teams and the community. Our contributions are...
Monday May 18, 2026 11:20am - 11:45am CDT
200C (Level Two)
  cdCon

11:50am CDT

Jenkins - Year in Review and Future Roadmap - Mark Waite, Independent
Monday May 18, 2026 11:50am - 12:00pm CDT

Speakers
Mark Waite

Independent Consultant, Self-employed

Monday May 18, 2026 11:50am - 12:00pm CDT
200C (Level Two)

12:15pm CDT

CDF Town Hall - Moderated by Tracy Ragan, DeployHub, Inc.
Monday May 18, 2026 12:15pm - 1:15pm CDT

Speakers
Tracy Ragan

CEO, DeployHub
Tracy is a recognized expert in software supply chain security and DevSecOps, specializing in managing complex, decoupled architectures. She is the CEO of DeployHub, a scalable post-deployment vulnerability detection platform that empowers software to 'self-heal' by automatically...
Monday May 18, 2026 12:15pm - 1:15pm CDT
200C (Level Two)
  cdCon

1:30pm CDT

Lightning Talk: From Embedded Artifacts To Durable Entities: Fixing State in Spinnaker - Ben Powell, Apple
Monday May 18, 2026 1:30pm - 1:40pm CDT
Spinnaker historically embedded artifact data directly into pipeline execution context. As workflows grew more complex, this approach led to oversized context payloads, fragile retries, and tight coupling between pipeline logic and storage representation.

The Entity Store rethinks this model. By replacing embedded state with URI-based references and delegating persistence to pluggable handlers, Spinnaker separates semantic identity from storage mechanics. Execution context becomes lighter, more stable, and easier to evolve.

In this talk, we’ll explore the architectural shift, implementation tradeoffs, migration strategy, and what this change means for future extensibility in Spinnaker and other CD systems.
Speakers
Ben Powell

Software Engineer, Apple
Ben is a software engineer at Apple for the Spinnaker team with previous experience at AWS for the AWS SDK and ECS team. He has contributed to various different tools, services, and proposals through the years, governs the Cloud SIG for Spinnaker, and is an active participant for...
Monday May 18, 2026 1:30pm - 1:40pm CDT
200C (Level Two)
  cdCon

1:45pm CDT

Lightning Talk: Ortelius V12: Post-Deployment Security Defense for DevSecOps - Steve Taylor, DeployHub
Monday May 18, 2026 1:45pm - 1:55pm CDT
Most DevSecOps pipelines stop protecting software once it is deployed, leaving organizations blind to newly disclosed vulnerabilities impacting live systems. Ortelius addresses this gap with post-deployment security powered by a digital twin of deployed software. By mapping SBOMs to running packages, versions, environments, and endpoints, Ortelius continuously correlates live systems with vulnerability databases, detecting critical and high-risk CVEs the moment they are published.

This session will introduce the latest Ortelius release, demonstrate new features, and show how teams can reduce MTTR from months to days by identifying which vulnerabilities truly impact production. Attendees will learn how Ortelius integrates with platform engineering workflows to provide continuous visibility and security beyond release.
Takeaways:
- Why pre-deployment SCA tools alone cannot protect production systems
- How Ortelius builds a digital twin of deployed software across clusters, clouds, and environments
- How SBOMs are mapped to live endpoints to identify true attack surface exposure
- How teams are reducing MTTR for critical CVEs to under 10 days
Speakers
Steve Taylor

CTO, DeployHub
Steve Taylor is a technology leader and innovator with deep expertise in service-based architecture, DevSecOps, open-source security, and secure software delivery. As CTO of DeployHub, he leads product strategy focused on build and release automation, vulnerability management, and...
Monday May 18, 2026 1:45pm - 1:55pm CDT
200C (Level Two)
  cdCon

2:00pm CDT

Lightning Talk: CDEvents: Ending the "Glue Code" Tax on Engineering Velocity - Mihir Vora & Prem Dhayalan, Capital One
Monday May 18, 2026 2:00pm - 2:10pm CDT
We’ve achieved industry-wide standards for containers (Docker) and orchestration (Kubernetes), yet our delivery pipelines remain stuck in the "scripting era." In most organizations, the connection between a security scanner, a CI runner, and a deployment engine isn't a standard interface—it’s mostly a fragile web of custom Python scripts and YAML/Jenkinsfile hacks.

This is the Glue Code Tax: a massive, invisible drain on resources that forces engineers to spend nearly half of their time maintaining integrations rather than shipping features.

This session tackles the "scripting fatigue" head-on. We will explore how to move away from fragile, one-off pipelines toward a truly modular, event-driven ecosystem. Using something like the CDEvents standard as a blueprint, we’ll demonstrate how tools can "signal" their status natively, allowing you to swap out parts of your stack without rewriting your entire delivery logic. We’re moving past the era of digital duct tape and into the era of interoperable DevOps.
Speakers
Mihir Vora

Senior Distinguished Engineer, Capital One
Mihir is a Sr. Distinguished Engineer at Capital One with a passion for empowering teams and driving innovation. Mihir successfully led multiple projects that drive digital transformation and enhance customer experience over the years. Mihir has successfully balanced technical contributions...
Prem Dhayalan

Senior Distinguished Engineer, Capital One
Thought leader, evangelist in the areas of DevSecOps, Continuous Delivery, Developer Experience, Cloud Computing, Open Source Adoption, Digital Transformation. A hands-on developer
Monday May 18, 2026 2:00pm - 2:10pm CDT
200C (Level Two)
  cdCon

2:15pm CDT

Lightning Talk: CI/CD Cybersecurity Guide - Open Source Tools to Improve DevOps Security - Kate Scarcella, Independent
Monday May 18, 2026 2:15pm - 2:25pm CDT

Speakers
Kate Scarcella

Cybersecurity Architect, Independent
Kate Scarcella is a seasoned cybersecurity leader with over two decades of experience driving innovation and building cyber resilience. At IBM, she served on the Security Board of Advisors, where she guided Fortune 50 enterprises on strengthening their cybersecurity postures.

Kat...
Monday May 18, 2026 2:15pm - 2:25pm CDT
200C (Level Two)

2:30pm CDT

Keynote: AI in CI/CD Without the Hype: Practical Patterns for Platform Engineers - Jennifer Mulford, Okta
Monday May 18, 2026 2:30pm - 3:00pm CDT
AI is being discussed as the next evolution of CI/CD, but much of that conversation skips over the realities faced by platform and infrastructure teams responsible for reliability, security, and trust. In practice, introducing AI into pipelines requires restraint, clear boundaries, and a strong understanding of where AI use helps and where it creates risk.
This talk focuses on practical, open-source approaches to using AI in CI/CD pipelines today. We’ll explore patterns where AI acts as a copilot: summarizing pull requests, generating test suggestions, helping engineers interpret CI failures, and enriching security signals while keeping humans firmly in control of decisions.
The session will also cover security concerns, prompt injection risks, secrets exposure, and the importance of treating AI output as untrusted input. We’ll discuss guardrails that help teams experiment safely, such as read-only workflows, explicit review steps, and self-hosted or open-source tooling that avoids sending proprietary code to third-party services.
Attendees will leave with a clear mental model for evaluating AI use cases in their own pipelines and an understanding of the tradeoffs involved.
Speakers
Jennifer Mulford

Senior Platform Security Engineer, Okta
Jennifer Mulford is a Senior Platform Security Engineer with 8+ years in DevOps and security, holding certifications including CISSP, CKA, Security+, CEH, and AWS certifications. She focuses on practical, real-world security engineering and automation.
Monday May 18, 2026 2:30pm - 3:00pm CDT
200C (Level Two)
  cdCon
  • Audience Experience Level Any

3:35pm CDT

Lightning Talk: When Pipelines Decide: Governing Speed, Trust, and Accountability in AI-Driven CI/CD - Sundeep Bobba, Southwest Airlines & Naga Sujitha Vummaneni, Ripple
Monday May 18, 2026 3:35pm - 3:55pm CDT
AI and autonomous agents are now coming into CI/CD pipelines more and more. Earlier they only followed instructions. Now they help in testing, deciding releases, approving deployments, and sometimes fixing problems on their own. This is a big change. Because of this, we need to think again about speed, security, and who is responsible when something goes wrong.

This session talks about a few important things, in a simple way:

• Moving from only making pipelines faster to also adding control. DevOps is not just optimization now, it also needs governance and good system design.
• Practical patterns from real work. Architecture and team setups that people can actually use and scale.
• Rules for bots that do not slow humans. Policy driven guardrails for autonomous pipelines.
• Clear decision points. Who decides what, and when humans must step in.
• Human oversight at scale. Reviews that still matter but do not block delivery.
• Security from the beginning. Audit logs, policy enforcement, and safe handling when signals are not very clear.
Speakers
Sundeep Bobba

Tech Lead Cloud DevOps Engineer, Southwest Airlines
Sundeep Bobba is a Tech Lead Cloud DevOps Engineer at Southwest Airlines with 15+ years of experience building large-scale, cloud-native CI/CD and automation platforms. He leads enterprise DevOps modernization supporting millions of customers and billions in digital revenue. He is...
Naga Sujitha Vummaneni

Sr. Security Engineer, Ripple
Naga Sujitha Vummaneni is a Senior Security Engineer at Ripple with 10+ years of experience in cloud security automation and infrastructure engineering across Google, Nike, eBay, and other tech leaders. AWS Certified Security and CISM credential holder, she specializes in blockchain...
Monday May 18, 2026 3:35pm - 3:55pm CDT
200C (Level Two)
  cdCon

4:00pm CDT

Panel Discussion: Protecting the Software Supply Chain with AI - Jennifer Mulford, Okta; Ryo Sugahara, NTT; Mihir Vora, Capital One; Tracy Ragan, DeployHub
Monday May 18, 2026 4:00pm - 4:30pm CDT

Moderators
Tracy Ragan

CEO, DeployHub
Tracy is a recognized expert in software supply chain security and DevSecOps, specializing in managing complex, decoupled architectures. She is the CEO of DeployHub, a scalable post-deployment vulnerability detection platform that empowers software to 'self-heal' by automatically...
Speakers
Jennifer Mulford

Senior Platform Security Engineer, Okta
Jennifer Mulford is a Senior Platform Security Engineer with 8+ years in DevOps and security, holding certifications including CISSP, CKA, Security+, CEH, and AWS certifications. She focuses on practical, real-world security engineering and automation.
Mihir Vora

Senior Distinguished Engineer, Capital One
Mihir is a Sr. Distinguished Engineer at Capital One with a passion for empowering teams and driving innovation. Mihir successfully led multiple projects that drive digital transformation and enhance customer experience over the years. Mihir has successfully balanced technical contributions...
Ryo Sugahara

Evangelist, NTT DATA GROUP Corporation
I joined NTT Data in 2005. Currently, I'm dedicated to driving modernization through the integration of CI/CD and infrastructure automation, transforming traditional projects.
Monday May 18, 2026 4:00pm - 4:30pm CDT
200C (Level Two)

4:35pm CDT

The Probabilistic Pipeline: From Green To Safe - Mihir Vora, Capital One
Monday May 18, 2026 4:35pm - 4:55pm CDT
CI/CD has trained us to trust one signal: green means go. But modern systems don't fail in binary. A one-line UI tweak can trigger a 45-minute test marathon, while a risky change can go green and still take production down. The issue isn't "bad pipelines" - it's that pass/fail is no longer a reliable proxy for safe.

In this talk I introduce the Probabilistic Pipeline: shipping as risk management, not static gating. The pipeline produces a per-change risk/confidence score from signals you already have: diff blast radius, service criticality, incident hotspots, flaky tests, dependency/config deltas, and real-time system health (delivery events + telemetry). That score routes changes through adaptive lanes - Fast, Standard, Hardened - so low-risk work gets lightweight checks + automated canaries, while higher-risk work earns deeper validation, safer rollout, and tighter oversight.

You'll leave with a reference architecture, a concrete example and guardrails that keep trust: explainable scores, deterministic security/compliance hard floors, and a feedback loop that learns from outcomes. No ML background required - this is about practical delivery design.
Speakers
Mihir Vora

Senior Distinguished Engineer, Capital One
Mihir is a Sr. Distinguished Engineer at Capital One with a passion for empowering teams and driving innovation. Mihir successfully led multiple projects that drive digital transformation and enhance customer experience over the years. Mihir has successfully balanced technical contributions...
Monday May 18, 2026 4:35pm - 4:55pm CDT
200C (Level Two)
  cdCon

5:00pm CDT

Lightning Talk: Why Don't AI Technologies and CI/CD Pipelines Get Along? - Ryo Sugahara, NTT DATA GROUP Corporation
Monday May 18, 2026 5:00pm - 5:10pm CDT
AI technologies are fundamentally transforming the landscape of IT system development. While they are increasingly applied across a wide range of development tasks, their potential remains largely untapped within CI/CD pipelines.

I have personally experimented with applying AI technologies to CI/CD pipelines in an effort to build more effective and intelligent workflows. However, these attempts did not lead to the expected results. This experience raises an important question: why is the integration of AI technologies into CI/CD pipelines so challenging?

In this session, I will explore the practical and conceptual barriers encountered when applying AI technologies to CI/CD pipelines, and examine the underlying reasons behind their apparent lack of compatibility, drawing on firsthand experience. This exploration is still a work in progress. Rather than presenting a success story, this session aims to frame the problem clearly and honestly.

Also, by raising key questions and sharing lessons learned from failed attempts, this session seeks to encourage broader discussion and invite more practitioners to engage with this challenge and collaboratively explore possible paths forward.
Speakers
Ryo Sugahara

Evangelist, NTT DATA GROUP Corporation
I joined NTT Data in 2005. Currently, I'm dedicated to driving modernization through the integration of CI/CD and infrastructure automation, transforming traditional projects.
Monday May 18, 2026 5:00pm - 5:10pm CDT
200C (Level Two)
  cdCon
  • Audience Experience Level Any

5:15pm CDT

Lightning Talk: The Era of Agentic Continuous Delivery - Vibhav Bobade, Red Hat
Monday May 18, 2026 5:15pm - 5:25pm CDT
How do we ensure that Agentic Delivery follows the same rigour as tools when only humans created software? With AI Agents, we are slowly being forced to look at software development and delivery that looks more like a statistical distribution than a carefully implemented solution. The software delivery lifecycle is now completely touched by AI, from writing code and testing to pushing to production and testing against production code.

In this talk, we will peel the layers of Continuous Delivery and see the new verticals in delivery AI is giving rise to and problems yet to be solved from a first principle basis, and with guidance on what questions we can ask to choose the right AI tools and keep up without exhausting ourselves.
Speakers
Vibhav Bobade

Senior Software Engineer, Red Hat
I am an open-source developer who enjoys containers, audio, and running. I work at Red Hat as a Senior Software Engineer and help maintain Tekton Pipelines.
Monday May 18, 2026 5:15pm - 5:25pm CDT
200C (Level Two)
  cdCon

5:30pm CDT

Lightning Talk: Simple Yet Scalable MLOps: Bridging the Gap Between Data Science and CI/CD - Sachin Garg, NavankurIT; Sameeksha Garg, Carnegie Mellon University
Monday May 18, 2026 5:30pm - 5:40pm CDT
The transition of Machine Learning (ML) models from experimental notebooks to reliable production environments often reveals a significant disconnect between Data Scientists and Infrastructure/Operations teams. While traditional DevOps has mastered code delivery, the unique "state" of ML—comprising both code and massive datasets—requires a specialized evolution: MLOps. This session provides a practical roadmap for building a simple yet highly scalable CI/CD pipeline using a purely open-source stack.

We begin by addressing the critical challenge of Model Reproducibility. Standard version control systems like Git excel at managing algorithms but fail when handling the 500MB weights or multi-gigabyte training sets typical of modern ML. Our proposed architecture integrates DVC (Data Version Control) to version-control data alongside source code, ensuring that every deployment is fully traceable and repeatable.
Speakers
Sachin Garg

CTO, NavankurIT
Dr. Sachin Garg built India's early FOSS infrastructure: MNNIT's first internet server (1995) over 9.6 kbps VSAT, core BLUG member (1996-2002), IT.com '99 Linux Pavilion participant, and architect of Wipro's landmark FOSS.in 2006 sponsorship. At C-DAC, championed Linux for PARAM supercomputers...
Sameeksha Garg

Student, Carnegie Mellon University
Sameeksha Garg is a Computer Science student at Carnegie Mellon University (graduating May 2026), specializing in Machine Learning. With hands-on experience in open-source security at Visa, building ML monitoring systems using Grafana and Prometheus, and developing AI-driven pipelines...
Monday May 18, 2026 5:30pm - 5:40pm CDT
200C (Level Two)
  cdCon

5:45pm CDT

Lightning Talk: Taming MCP Challenges at Scale: Move Fast and Build Right - Muktesh Mishra, Adobe
Monday May 18, 2026 5:45pm - 5:55pm CDT
Tired of governance slowing you down while you’re racing to ship AI features? You’re not alone—every AI builder has felt that friction.

Enterprise AI builders struggle to move fast: governance feels like a roadblock, data access is inconsistent and risky, best practices and security controls are manually enforced (or ignored), and every team reinvents the wheel—leading to slow delivery, compliance gaps, quality issues, and mounting technical debt.

Join us for a hands-on session featuring code examples and demos to learn how we overcome these challenges at Adobe, enabling AI builders at scale without compromising quality and speed.

Through a series of code snippets and demos, we will show:
- Paved paths via reusable templates and reference architectures to accelerate onboarding and iterations.
- Automated governance gates covering evaluations, best practices, access controls, and security
- Interoperability and discoverability, via an automated well-formed AI registry
- Standardized data access patterns that ensure compliance, auditability, and efficiency

Join us for a fun session, and let's learn together.





Speakers
Muktesh Mishra

Lead Engineer, AI Foundations and Platforms, Adobe
Muktesh is Lead AI Builder at Adobe. Active contributor to 20+ open-source projects and enjoys solving problems at scale. Conference junkie who has spoken at MongoDB Local, JavaOne, API World, OSCON, DockerCon, Open Source Summit & more. Active in teaching and development across Apache...
Monday May 18, 2026 5:45pm - 5:55pm CDT
200C (Level Two)
  cdCon
 
Tuesday, May 19
 

11:00am CDT

Panel Discussion: Building an Enterprise Platform for Production-Ready AI Agents - Jothsna Praveena Pendyala, Infosys Ltd; Brett Smith, SAS; Steve Taylor, DeployHub; Sundeep Bobba, Southwest Airlines
Tuesday May 19, 2026 11:00am - 11:30am CDT

Speakers
Sundeep Bobba

Tech Lead Cloud DevOps Engineer, Southwest Airlines
Sundeep Bobba is a Tech Lead Cloud DevOps Engineer at Southwest Airlines with 15+ years of experience building large-scale, cloud-native CI/CD and automation platforms. He leads enterprise DevOps modernization supporting millions of customers and billions in digital revenue. He is...
Brett Smith

Distinguished Software Developer, SAS
Distinguished Software Architect/Engineer/Developer with 25+ years of experience.
Specialties: Event Driven Automation, Continuous Integration/Delivery/Testing/Deployment, Supply Chain Security, AI Security
Expertise: Linux, packaging, and tool design.

Currently Engineering an...
Steve Taylor

CTO, DeployHub
Steve Taylor is a technology leader and innovator with deep expertise in service-based architecture, DevSecOps, open-source security, and secure software delivery. As CTO of DeployHub, he leads product strategy focused on build and release automation, vulnerability management, and...
Jothsna Praveena Pendyala

Senior Data Scientist, Infosys Ltd
Jothsna Pendyala is a Senior Data Scientist and AI Engineer focused on enterprise AI platforms, agentic AI systems, and production-ready AI applications. Her work centers on building secure, scalable, and reliable AI solutions for enterprise environments, with expertise in AI platform...
Tuesday May 19, 2026 11:00am - 11:30am CDT
200C (Level Two)

11:35am CDT

Lightning Talk: It's Friday! - Alon Nisser, Zencity
Tuesday May 19, 2026 11:35am - 11:45am CDT
It's Friday afternoon, and you've got plans for this evening. You've just finished the feature. You push to main and click deploy. OR DO YOU?
Let's talk about Friday deployments and what they can teach us.
Speakers
Alon Nisser

Principal engineer, Zencity
Software developer. Currently in Zencity.io. Writing software as a hobby and as a profession. Strong opinions on things. Open source aficionado. Trying to make a difference.
Sometimes software makes me wonder if I'd be better off being a farmer
Tuesday May 19, 2026 11:35am - 11:45am CDT
200C (Level Two)
  cdCon

11:50am CDT

Platform Engineering: Herding the Electric Sheep - Brett Smith, SAS
Tuesday May 19, 2026 11:50am - 12:15pm CDT
A talk about platform engineering, DevOps, DevSecOps, sprawl, chaos, compliance, and security. Why engineer an Internal Developer Platform when I have DevOps? DevOps works fine when you are a 20-person start-up, but it often doesn't scale to enterprise-level development efforts. When you have 3000 developers with different needs and you are responsible for EO compliance and security, a modular self-service platform is a good choice to build. In this talk I cover the challenges we have faced in a 3000-developer enterprise and how we are working to address them. I also cover how we are working on automating, integrating, and scaling the creation of our internal developer platform, leveraging SBOMs, SLSA, and other tools to help build out a secure and compliant platform. Attendees will learn the benefits and challenges of Platform Engineering.
Attendee Takeaways
Answers for the following questions:
- Do we need a Platform Engineering Team?
- Is an IDP the right solution for my situation?
- What does a large scale IDP look like?
- What does it take to support a large scale IDP?
- What does security and compliance look like in an IDP?
Speakers
Brett Smith

Distinguished Software Developer, SAS
Distinguished Software Architect/Engineer/Developer with 25+ years of experience.
Specialties: Event Driven Automation, Continuous Integration/Delivery/Testing/Deployment, Supply Chain Security, AI Security
Expertise: Linux, packaging, and tool design.

Currently Engineering an...
Tuesday May 19, 2026 11:50am - 12:15pm CDT
200C (Level Two)
  cdCon

12:20pm CDT

Lightning Talk: Where Deployment Authority Lives: A Cloud Native Design Pitfall in GitOps - Kim Schaefer, Game Plan Tech
Tuesday May 19, 2026 12:20pm - 12:30pm CDT
Many cloud-native GitOps systems quietly treat a Git merge as both a change proposal and a deployment authorization. While this works in low-risk environments, it collapses two very different responsibilities into a single decision. As systems grow more complex, that shortcut creates ambiguity around authorization, accountability, and audit trails that many environments simply cannot tolerate.

In this lightning talk, we’ll reframe that assumption as a cloud-native architectural concern, not just a tooling or security issue. Using GitOps as the example, we’ll look at how proposal, approval, and enforcement often become unintentionally coupled, and why that coupling makes it harder to reason about who is actually allowed to deploy.

The talk will walk through the architectural implications of letting Git act as the final authority, including where deployment decisions truly occur and how auditability and accountability can be lost when authority boundaries are unclear. We’ll then show how treating deployment authorization as a first-class architectural concept leads to clearer responsibility boundaries and more defensible cloud-native systems.
Speakers
Kim Schaefer

Senior DevOps Engineer, Game Plan Tech
Kim Schaefer is a Senior DevOps and Cloud Engineer specializing in Kubernetes, GitOps, and secure platform engineering. Kim designs and operates production Kubernetes platforms on Google Cloud, including approval-gated GitOps systems that balance automation with explicit deployment...
Tuesday May 19, 2026 12:20pm - 12:30pm CDT
200C (Level Two)
  cdCon

12:45pm CDT

Bring Your Lunch, We'll Bring Our Notebooks: Securing Software Workflows - Tabatha DiDomenico, G-Research Open Source; Kadi McKean, ReversingLabs; Stacey Potter, OpenSSF & Katherine Druckman, JetBrains
Tuesday May 19, 2026 12:45pm - 1:45pm CDT
Somewhere along the way, the security ecosystem started asking you to add more steps, update more plugins, and generate more outputs without asking what that actually costs you.

We asked for feedback during a lunch time session at cdCon last year. The feedback was blunt, honest and exactly why we are back for this open-floor discussion hosted by the OpenSSF Developer Relations (DevRel) community. No slides, no demos, no pitches. This is a no-shame venting session with purpose; bring your lunch, your coffee, and your honest feedback. We want to hear from the people implementing and operating these tools. Share where security tools are missing the mark and what's standing between "this is a good idea" and "this is actually working for us."

This session leads directly into sessions with OpenSSF project maintainers, so the people who can act on your feedback will already be in the room.
Speakers
Katherine Druckman

Head of Community and Partnership Engagement, JetBrains
Katherine Druckman is a senior technologist, speaker, and longtime advocate for open ecosystems. She specializes in developer experience, combining software ecosystem strategy, content creation, and community building, grounded in a foundation of hands-on software engineering experience...
Tabatha D.

OSS Security Engineer, G-Research Open Source
Tabatha DiDomenico is part of the Open Source team at G-Research focusing on supply chain security, secure open source practices, and community and developer relations.

Tabatha is president of Security BSides Orlando, co-host of the GR-OSS Out podcast and holds an MS in Cybersecurity from the University of South Florida. She has spoken at conferences including Black Hat Tools Arsenal, SOSS Fusion, ShmooCon, and Grace Hopper Celebration...
Kadi McKean

OSS Community Manager, ReversingLabs
Kadi is passionate about the DevOps / DevSecOps community since her days of working with COBOL development and Mainframe solutions. At ReversingLabs she collaborates with developers and security researchers to help entities prioritize their open source risk, reduce technical debt...
Stacey Potter

Community Manager, OpenSSF
Stacey brings extensive experience in open source community building, marketing, and event coordination. With a background spanning projects like Minder, Flux and Flagger, OpenFeature, and Keptn, she has played a key role in fostering engagement and driving adoption across cloud-native...
Tuesday May 19, 2026 12:45pm - 1:45pm CDT
200C (Level Two)
  cdCon
  • Audience Experience Level Any

2:10pm CDT

Security Things: How OpenSSF’s Technical Initiatives Keep You Safe From the Upside Down! - Stacey Potter, OpenSSF & Katherine Druckman, JetBrains
Tuesday May 19, 2026 2:10pm - 2:40pm CDT
As a sister foundation to the Continuous Delivery Foundation (CDF) under the auspices of The Linux Foundation, the Open Source Security Foundation’s (OpenSSF) mission is to make it easier to sustainably secure the development, maintenance, release, and consumption of open source software (OSS). This includes fostering collaboration within and beyond the OpenSSF, establishing best practices, and developing innovative solutions.

In this hour-long session, we’ll connect real problems to OpenSSF solutions, then invite OpenSSF Working Group Leads and Project Maintainers to demo their respective projects in short lightning rounds that show you how they’ll make your DevOps, CI/CD, or Platform Engineering lives easier to secure!
Speakers
Stacey Potter

Community Manager, OpenSSF
Stacey brings extensive experience in open source community building, marketing, and event coordination. With a background spanning projects like Minder, Flux and Flagger, OpenFeature, and Keptn, she has played a key role in fostering engagement and driving adoption across cloud-native...
Katherine Druckman

Head of Community and Partnership Engagement, JetBrains
Katherine Druckman is a senior technologist, speaker, and longtime advocate for open ecosystems. She specializes in developer experience, combining software ecosystem strategy, content creation, and community building, grounded in a foundation of hands-on software engineering experience...
Tuesday May 19, 2026 2:10pm - 2:40pm CDT
200C (Level Two)
  cdCon

2:45pm CDT

Lightning Talk: Offensive and Defensive Strategies for Addressing Open-Source Vulnerabilities - Tracy Ragan, DeployHub, Inc.
Tuesday May 19, 2026 2:45pm - 2:55pm CDT
Open-source software is foundational to modern application development, but it has also become one of the fastest-moving and hardest attack surfaces to defend. For years, organizations have relied on “shift-left” security to catch vulnerabilities early in the lifecycle. While necessary, this approach alone is no longer sufficient. New vulnerabilities are disclosed daily, often long after software is deployed, leaving IT teams struggling to understand what is truly at risk in production and how quickly they must respond.

In this session, Tracy reframes software supply chain security around the realities of live systems. She explains why teams must move beyond offensive, prevention-only strategies and refocus on rapid detection, prioritization, and response for newly reported vulnerabilities attacking live systems. Tracy also addresses how the pursuit of a zero-vulnerability posture has driven alert fatigue and burnout among developers, security teams, and CIOs.

Attendees will learn how to manage vulnerability alert noise, shorten response times, and focus remediation, protecting open-source-driven systems without slowing delivery or exhausting the teams responsible for them.
Speakers
Tracy Ragan

CEO, DeployHub
Tracy is a recognized expert in software supply chain security and DevSecOps, specializing in managing complex, decoupled architectures. She is the CEO of DeployHub, a scalable post-deployment vulnerability detection platform that empowers software to 'self-heal' by automatically...
Tuesday May 19, 2026 2:45pm - 2:55pm CDT
200C (Level Two)
  cdCon

3:00pm CDT

GitOps Gone Wild: Hardening Delivery Pipelines for the AI Era - Julien Semaan, Kubex & Corey McGalliard, Akamai
Tuesday May 19, 2026 3:00pm - 3:20pm CDT
GitOps promises safety and automation, but it will faithfully ship your mistakes at scale. With AI-assisted coding and emerging autonomous agents in the loop, those mistakes now move faster than humans can fully reason about their impact.

This talk dissects real-world GitOps failures where tiny configuration changes triggered outages, overly trusted pipelines amplified risk, and AI-generated patches were merged without understanding their consequences. None of these incidents were tooling failures. They were safety failures.

We’ll show how teams put guardrails back in place by enforcing policy before merge, using progressive rollouts to contain blast radius, applying Crossplane constraints to keep infrastructure changes reversible, and adding automated verification gates that catch problems before they reach production.
Speakers
Corey McGalliard

Engineering Manager, Akamai Cloud
My team and I power and protect life online by building an internal, opinionated Kubernetes platform that meets Akamai's change-safety, security, and compliance expectations while delivering an excellent developer experience. I'm interested in distributed computing and platform engineering...
Julien Semaan

Head of k8s Engineering @Kubex | CNCF TAG DevEx Tech Lead, Kubex
Julien is the Head of Kubernetes Engineering at Kubex and a Tech Lead with the CNCF TAG for Developer Experience. With deep roots in open source and cloud-native systems, he has been working with Kubernetes since 2017 and has led multiple product transitions to cloud-native archi...
Tuesday May 19, 2026 3:00pm - 3:20pm CDT
200C (Level Two)
  cdCon
  • Audience Experience Level Any

3:25pm CDT

Lightning Talk: Built Clean. Receipts Attached - Adolfo García Veytia, Carabiner Systems & Alex Zenla, Edera
Tuesday May 19, 2026 3:25pm - 3:35pm CDT
Security frameworks such as SLSA require software builds to run in isolated environments to guarantee they are “free of unintended external influence”. In practice, this means full control of the runtime environment and every dependency entering a build, ensuring no malware slips into released software.
But how can you verify isolation after the fact? How do you know a container image or binary was compiled in a truly hermetic environment, free from tampering processes or hidden tooling? Can you confidently prove your release used only the dependencies declared in your SBOM?
In this talk, Marina and Puerco will demonstrate practical techniques to verify build isolation and runtime characteristics. Want cryptographic proof of hermetic builds? We’ll show it. Need confidence in software components and complete SBOM coverage? Covered. Trace provenance to the exact VM that executed the build? Absolutely.
Using Cocoon, an open source build packager running inside Edera Protect isolated zones, we will verify attested machine identity via SPIFFE SVIDs, environment features, and SBOM completeness, all enforced with reusable policy code powered by technologies like in-toto, SLSA and Sigstore.
Speakers
Alex Zenla

CTO, Edera
Alex is a Founder & CTO at Edera, building technology for securing containers using hypervisors in Rust. She has contributed to many open source projects including Chromium, Chromium OS, Dart, and Ubuntu, some as early as 11 years old. Alex started in the corporate world at the age...
Adolfo Garcia Veytia

Founding Engineer, Carabiner Systems
Adolfo García Veytia (@puerco) is one of the Kubernetes SIG Release Technical Leads and actively works on the Release Engineering team. He specializes in improving the software that drives the automation behind the Kubernetes release process. He is also the creator of the OpenVEX...
Tuesday May 19, 2026 3:25pm - 3:35pm CDT
200C (Level Two)
  cdCon

3:35pm CDT

Lightning Talk: Where Does Your Policy Actually Live? - Dadisi Sanyika, Sol Duara, Inc.
Tuesday May 19, 2026 3:35pm - 3:45pm CDT
Your organization has a policy requiring all artifacts to pass security scanning before deployment. Simple enough. But you use three CI systems, so Team A implements it in Jenkins with a Groovy shared library, Team B uses a GitHub Actions reusable workflow, and Team C builds it into GitLab CI includes.

Same intent. Three implementations. Three syntaxes. Three maintenance burdens.

Now an auditor asks: "Prove these are equivalent."

This lightning talk examines what happens when policy lives inside tools versus above them. We'll look at an architectural pattern in which tools emit events upward and receive decisions downward via CDEvents, while policy logic lives in a single, auditable location. The tools keep doing tool things. Nothing changes, but everything works.

You'll leave with one question worth asking in your next architecture review: "Where does our policy actually live?" The answer has implications for maintenance burden, audit readiness, and the extent to which consistent governance can scale.
Speakers
Dadisi Sanyika

CEO, Sol Duara, Inc.
I am the Governing Board Chair for the Continuous Delivery Foundation (Linux sub-foundation) and the CEO of Sol Duara, Inc. Previously, at Apple, I led a team of engineers dedicated to improving the Continuous Deployment experience for teams and the community. Our contributions are...
Tuesday May 19, 2026 3:35pm - 3:45pm CDT
200C (Level Two)
  cdCon

4:20pm CDT

eBPF and Open Source Code Ensure the Security of Your Clusters CI/CD Pipeline. - Hudson Coutinho, Linker Bank
Tuesday May 19, 2026 4:20pm - 4:40pm CDT
In this talk, I'll show how what happens DURING the build and deployment can be fatal.
Using eBPF, we created an Open Source app that monitors the kernel in real time to detect access to secrets, suspicious commands, and data exfiltration at the exact moment they occur.
In my consulting work, I've seen real-world scenarios where compromised runners handed over database secrets and cloud keys without anyone noticing.
The pipeline is a huge blind spot in current security.
Speakers
Hudson Coutinho

Hudson Coutinho, Devs On The Road
Bachelor's degree in Information Systems, postgraduate degree in artificial intelligence and cybersecurity.
12 years of experience accelerating the delivery, scalability, and resilience of software for national and international companies, leading high-performance multidisciplina...
Tuesday May 19, 2026 4:20pm - 4:40pm CDT
200C (Level Two)
  cdCon
  • Audience Experience Level Any

4:45pm CDT

Awards and Closing Ceremony - Mark Waite, Independent
Tuesday May 19, 2026 4:45pm - 4:55pm CDT

Speakers
Mark Waite

Independent Consultant, Self-employed

Tuesday May 19, 2026 4:45pm - 4:55pm CDT
200C (Level Two)