What Could Possibly Go Wrong? A Practical Security Review of Popular Open-Source GIS Libraries
2026-09-02, Conference Management Room3

This talk shares results from a security review of widely used open‑source GIS libraries using a lightweight SAST and SBOM methodology. Attendees will learn how common patterns create risk and how simple, repeatable practices can strengthen the security and resilience of geospatial tools.


As geospatial tools continue to power disaster response, environmental resilience, urban planning, and civic decision making, the software we rely on becomes part of our critical infrastructure. Yet many of the open-source GIS libraries we use every day—whether in desktop workflows, cloud pipelines, or web maps—were never designed with modern cybersecurity expectations in mind. This talk shares the results of a focused security review of several widely used open-source GIS libraries, using a lightweight methodology adapted from the Center for Internet Security's RABET-V program (https://rabetv.org) and built around industry-standard Static Application Security Testing (SAST) and Software Bills of Materials (SBOM) analysis tools.

This work takes a collaborative, community-friendly approach by scanning a curated subset of libraries for common software supply chain issues, dependency risks, and code-level patterns that could expose geospatial systems to unintended vulnerabilities. All of the findings were handled under responsible disclosure principles, with maintainers notified privately and no exploitable details shared publicly.

This session is designed for both programmers and non-programmers. For developers, you’ll walk away with concrete examples of how memory-unsafe parsing, dependency chains, build configurations, and API patterns can introduce security risk—and what you can do in your own projects to reduce it. For GIS practitioners, analysts, and decision makers, the talk will aim to demystify cybersecurity concepts and show how everyday choices in tools, data sources, and deployment environments affect the trustworthiness of the maps and analyses you build and depend on.

The ultimate goals of this talk are not to raise alarm but, rather, to raise awareness of cybersecurity considerations when building and using geospatial tooling; to show how simple, repeatable scanning practices can strengthen the health of the geospatial open-source ecosystem; and to suggest how our community can come together to build safer, more resilient tools for the work ahead.


Level of technical complexity: 2 - intermediate

Give indication of resources (video, web pages, papers, etc.) to read in advance that will help get up to speed on advanced topics:

RABET-V program documentation (https://rabetv.docs.cisecurity.org/en/latest/)

Indicate what is (are) the open source project(s) essential in your talk:

Given the sensitive nature of the talk, the exact open-source projects may not be publicly listed without the maintainers' permission, but the assessments will cover open-source projects in infrastructure, the Python and STAC ecosystems, and the application layer.

I make my conference contribution available under the CC BY 4.0 license. The conference contribution comprises the abstract, the text contribution for the conference proceedings, the presentation materials as well as the video recording and live transmission of the presentation.

Jared Marcotte is President of The Turnout, where he leads work on solutions at the intersection of policy and technology for public‑sector infrastructure. He helped develop the RABET‑V verification program with the Center for Internet Security, advancing fast, rigorous, repeatable security assessments for technology. His work also includes stewardship of open data standards through projects like the Voting Information Project’s nationwide structured data repository. An experienced programmer and UI/UX designer, Jared advocates for transparency, accessibility, and interoperable civic technologies that strengthen secure, open‑source ecosystems across domains.

Former Founder and CEO of Azavea. Publisher of Japan Earth Observer (JEO). Geospatial. Earth observation. Open knowledge systems.