FOSDEM 2025 Application Security Dev Room Proposal
From small startups to pan-EU platforms, developers need new application security approaches that will empower them to build the next generation of secure applications and dynamic infrastructure. Europe’s open source builders are leading the charge. This devroom will showcase cutting-edge, open source approaches to policy as code. Popular CNCF projects like Cedar, OpenFGA, and Open Policy Agent (OPA), which collectively have millions of downloads, will feature prominently. But the devroom will also welcome other projects and approaches that enable security policy centralization.
- Michael Schwartz, BD of the Janssen Project
- Andres Aguiar, OpenFGA Contributor
- Lucas Käldström, Cedar, Kubernetes Contributor
- Dimitrij Drus, OWASP Contributor
FOSDEM already hosts:
- a Security devroom—broad in scope, covering everything from kernel hardening to cryptography
- an Identity & Access Management (IAM) devroom—valuable, but largely focused on enterprise workforce and operations, not developer-centric policy engineering
Yet there is no dedicated space for developers building the next generation of application-level authorization.
With the recent expansion in authorization engines such as OPA, Cedar, OpenFGA, SpiceDB, Oso and Cerbos, the community is clearly hungry for:
- Centralized, reusable policy engines that work across microservices, APIs, and data layers
- Strong audit and compliance controls baked into infrastructure
- Shared best practices for testing, analyzing, and scaling policy as code
This devroom fills that gap by focusing squarely on developer tooling, open specifications, and real code.
We invite proposals that explore:
- New policy languages and analyzers (Cedar, Rego, FGA schemas, etc.)
- Policy-driven microservices, Kubernetes admission control, and WASM enforcement
- Advanced use cases such as multi-issuer token evaluation, fine-grained data access, or AI/agent governance
- Debugging, testing, and formal analysis of policies
- Integration patterns with CI/CD, service meshes, and cloud platforms
The devroom will be a full-day track of lightning talks, deep dives, and demos led by core maintainers and community practitioners.
Expected speakers and MCs include contributors from Janssen/Cedarling, AWS Cedar, OpenFGA, and OWASP, ensuring both vendor diversity and technical depth.
The audience spans:
- Developers embedding policy engines in their apps
- Platform engineers designing multi-tenant architectures
- Security engineers seeking higher assurance and observability
By convening these communities, we aim to:
- Accelerate cross-project collaboration (schemas, APIs, and tooling)
- Encourage contributions to open policy standards and runtimes
- Strengthen the open source security ecosystem with reusable building blocks
Developers increasingly face the same questions across projects:
- How do I express permissions once and enforce everywhere?
- How can I audit decisions for compliance and debugging?
- How do I test and prove correctness of policies?
Today those answers are scattered across disparate security or IAM tracks. This devroom creates a focused forum where the policy-as-code community can meet, share, and build the next generation of open source application security together.