Community Updates
Metrics & Metadata WG
The Working Group “Metrics & Metadata” (formerly “Identifying Security Threats”) started three years ago by releasing the first version of the paper “Threats, Risks, and Mitigations in the Open Source Ecosystem”, which helps open source maintainers and contributors identify threats in a project's development cycle and evaluate risks in the open source ecosystem.
With that purpose in mind, the Working Group has continued to work on projects that help open source consumers better evaluate the health of open source projects.
We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
Working Group Calendar: Metrics & Metadata WG meeting on Tuesday @ 6 PM (UTC) every 2 weeks.
Slack Channel: #wg_metrics_and_metadata
GitHub Repositories:
- ossf/wg-metrics-and-metadata
- ossf/security-insights-spec
- ossf/si-tooling
Projects:
- SECURITY INSIGHTS Specification
- Risk Assessment Dashboard SIG
Luigi Gubello (Co-Lead of Metrics & Metadata Working Group)
Michael Scovetta (Co-Lead of Metrics & Metadata Working Group)
Last Updates:
- We have improved the Docker container for running the SECURITY INSIGHTS Validator (ossf/si-tooling), making it easier to use.
- We have published a GitHub Action (luigigubello/security-insights-validator-ga) to run the SECURITY INSIGHTS Validator directly in GitHub workflows.
- We are actively working on the release v1.1 of the SECURITY INSIGHTS specification.
Everyone is welcome, and we appreciate contributions, questions, feedback, and help because they assist us in improving our work. 🌸 Don’t be afraid if you don’t work in the info security field; we genuinely value contributions from individuals with diverse backgrounds 🦄.
OpenSSF Supports White House’s Efforts to Build More Secure and Measurable Software
The US Office of the National Cyber Director (ONCD) report, Back to the Building Blocks: A Path Toward Secure and Measurable Software, was released today. The report provides valuable insights into strategies for improving software security. It emphasizes the importance of proactive measures in mitigating vulnerabilities by examining pivotal principles such as memory safety, measurements, and metrics that help enhance software security. The OpenSSF supports efforts like this from the public sector, which improve the security of open source software. Read more.
SOSS Community Day North America (NA) Agenda Live
We’re excited to announce that the agenda for Secure Open Source Software (SOSS) Community Day NA on April 15, 2024 is now available! Join us for a day of technical talks, panels, and a Table Top Exercise (TTX). SOSS Community Day is co-located with Open Source Summit North America in Seattle, WA. Read more.
Golden Egg Award: Celebrating Exceptional Contributions in the OpenSSF Community
At the Open Source Security Foundation (OpenSSF), we shine a light on those who go above and beyond in enriching our community. The Golden Egg Awards recognize individuals as the driving force behind innovation. Read more.
In the Headlines
- TechTarget, Linkerd paywall prompts online debate, CNCF TOC review, Beth Pariseau
- Security Boulevard, A demand for real consequences: Sonatype’s response to CISA’s Secure by Design, Brian Fox
- InfoQ, Sigstore: Secure and Scalable Infrastructure for Signing and Verifying Software
Don’t Forget…