08.08.2026 –, TR209
Building a sovereign, open-source cloud platform for telecommunications environments is more challenging than it seems. The telco use case involves addressing the need for an evolving security architecture. Once teams commit to SBOM compliance, a long tail of previously invisible vulnerabilities suddenly becomes visible.
This talk will demonstrate how utilising an open-source toolkit can help teams establish a solid foundation for compliance and security hardening on telco cloud platforms. Tools such as Syft, Grype, DefectDojo, the OpenSSF Scorecard and GitHub for Open Source can help development and security teams establish an integrated CI/CD pipeline for DevSecOps, gain visibility into the security posture of your project, deliver a verifiable SBOM to end users and automate dependency monitoring and management.
We will walk through how component scanning and SBOM management can reduce unresolved vulnerabilities by 80%. Integrating security tooling into the CI/CD pipeline reduces time to resolution and enhances the developer experience. Ingesting the scan findings and artefacts into a centralised platform enables faster triage, prioritisation and resolution of vulnerabilities in a methodological manner. We will also demonstrate how open source tooling feeds into compliance and sovereignty for telco deployments.
Attendees will learn how to design an SBOM-native release workflow and how to triage an SBOM without stopping delivery. They will also discover why open source and digital sovereignty go hand in hand. They will also learn how to turn security compliance from a bottleneck into a competitive advantage and understand why open source is the only foundation that makes digital sovereignty possible.
Brian Su is a developer advocate at Bigstack, a cloud-native infrastructure company that developed CubeCOS, an open-source unified cloud operating system (OS) designed to run virtual machine (VM) and Kubernetes workloads on a single platform. With a background in systems engineering and customer infrastructure, Brian focuses on making complex distributed systems accessible through technical content, documentation, and developer resources.
Brian is actively involved in the CubeCOS open-source community and contributes to developer onboarding. Brian guides internal security pipeline provisioning, maintains secure code operations, and supports enterprise deployments across hybrid and air-gapped environments.
To stay sharp, Brian also maintain a personal homelab to experiment with the latest infrastructure and security tooling.