Session

Production, Consumption, and the Data: The Open Source Security Sandwich

This talk will look at OpenSSF projects and other open source security projects involved in the production and consumption of software, as well as the tools and frameworks for ingesting and analyzing the data around the secure production and consumption of software.

We will look at how the metadata from software production focused tools and frameworks like SLSA, Scorecard, and SBOM generation tools can be ingested by tools like GUAC and CLOMonitor, and how that data can then be used to prove compliance with security consumption frameworks like S2C2F.

The talk will then look at how building software supply chain security architectures and putting the pieces together is key to building the open source security sandwich.

Michael Lieberman

Co-founder and CTO of Kusari
