FOSDEM 2025 Application Security Dev Room Proposal
Trust on the Internet is still elusive. From small startups to pan-EU platforms, developers need new application security approaches that will empower them to build the next generation of secure applications and dynamic infrastructure. Europe’s open source builders are leading the charge. This devroom will showcase cutting-edge, open source approaches to policy as code. While popular CNCF projects like Cedar, OpenFGA, and Open Policy Agent (OPA) will feature prominently, the dev room also welcomes other projects and approaches.
- Michael Schwartz, BD of the Janssen Project
- Andres Aguiar, OpenFGA Contributor
FOSDEM already hosts:
- a Security devroom—broad in scope, covering everything from kernel hardening to cryptography
- an Identity & Access Management (IAM) devroom—valuable, but largely focused on enterprise workforce and operations, not developer-centric policy engineering
Yet there is no dedicated space for developers building the next generation of application-level authorization.
With 10M+ downloads of OPA alone, and robust adoption of Cedar, OpenFGA, SpiceDB, and Cerbos, the community is clearly hungry for:
- Centralized, reusable policy engines that work across microservices, APIs, and data layers
- Strong audit and compliance controls baked into infrastructure
- Shared best practices for testing, analyzing, and scaling policy as code
This devroom fills that gap by focusing squarely on developer tooling, open specifications, and real code.
We invite proposals that explore:
- New policy languages and analyzers (Cedar, Rego, FGA schemas, etc.)
- Policy-driven microservices, Kubernetes admission control, and WASM enforcement
- Advanced use cases such as multi-issuer token evaluation, fine-grained data access, or AI/agent governance
- Debugging, testing, and formal analysis of policies
- Integration patterns with CI/CD, service meshes, and cloud platforms
The devroom will be a full-day track of lightning talks, deep dives, and demos led by core maintainers and community practitioners.
Expected speakers and MCs include contributors from Janssen/Cedarling, AWS Cedar, OpenFGA, and OPA, ensuring both vendor diversity and technical depth.
The audience spans:
- Developers embedding policy engines in their apps
- Platform engineers designing multi-tenant architectures
- Security engineers seeking higher assurance and observability
By convening these communities, we aim to:
- Accelerate cross-project collaboration (schemas, APIs, and tooling)
- Encourage contributions to open policy standards and runtimes
- Strengthen the open source security ecosystem with reusable building blocks
Developers increasingly face the same questions across projects:
- How do I express permissions once and enforce everywhere?
- How can I audit decisions for compliance and debugging?
- How do I test and prove correctness of policies?
Today those answers are scattered across disparate security or IAM tracks.
This devroom creates a focused forum where the policy-as-code community can meet, share, and build the next generation of open source application security together.