Welcome to the April 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.
Join Us at SOSS Policy Summit EU 2024
We’re headed back to Europe on May 14 to host the Secure Open Source Software (SOSS) Policy Summit EU in Brussels, Belgium with our co-hosts, the Centre for European Policy Studies (CEPS). Governments around the world are interested in open source software supply chain security, since open source makes up over 90% of the code in the software applications behind everyday goods and services. Risks in this supply chain of open source digital public goods can disrupt global economies or cripple critical infrastructure. To support policy makers, OpenSSF hosts Policy Summits in both North America and Europe. On May 14, we will feature speakers from the European Commission, the European Parliament, ENISA, BSI, Meta, Samsung, Ericsson, Microsoft, and SAP, among others.
OpenSSF Announces New Members & Initiatives at SOSS Community Day North America
The OpenSSF welcomes new general members Ada Logics, The Boeing Company, Chainloop, Defense Unicorns, Ensignia, Hedera, and StepSecurity. With support from these new organizations, the OpenSSF heads into 2024 with 120 members that together recognize the importance of backing, maintaining, and promoting strong, vibrant, and secure open source software ecosystems.
“It brings us great pleasure to welcome our newest members to the OpenSSF,” said Omkhar Arasaratnam, the general manager of OpenSSF. “The challenge of safeguarding open source software is significant, and we eagerly anticipate collaborating with them.”
Press Release: CISA, DHS S&T and OpenSSF Announce Global Launch of Software Supply Chain Open Source Project
The Open Source Security Foundation (OpenSSF), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) Science and Technology Directorate (S&T), announced the launch and availability of Protobom, a new open source software supply chain tool. Protobom enables organizations, system administrators, and software development communities to read and generate Software Bills of Materials (SBOMs) and file data, and to translate that data between standard industry SBOM formats. The OpenSSF has further committed to facilitating the open source, collaborative development of Protobom while encouraging the growth of an open source contributor community.
Unveiling the Golden Egg Award Winners: Celebrating Excellence in Open Source Security
The Golden Egg Awards spotlight outstanding contributions within the OpenSSF community. This year, the awards were announced at SOSS Community Day North America 2024. Christopher “CRob” Robinson won the Golden Egg Award for Community Engagement for his leadership in the Vulnerability Disclosure Working Group and the Technical Advisory Council. Additionally, Andres Freund received special recognition for promptly detecting and reporting the XZ Utils backdoor (CVE-2024-3094), thereby preventing a significant security breach. The event also acknowledged several nominees from various organizations, celebrating their dedication to enhancing open source projects.
“What’s in the SOSS?” Podcast is Now Live
OpenSSF has officially launched the “What’s in the SOSS?” podcast. Get a taste of all the ingredients that make up secure open source software (SOSS) by listening in. Explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessment. Each episode is packed with insight designed to foster collaboration and promote stronger security practices for the open source software on which we all depend.
Join us and check out the first podcast here. Stay tuned for future episodes of “What’s in the SOSS?” as we continue to explore the world of secure open source software, bringing you insights from industry leaders and innovators.
Subscribe to “What’s in the SOSS?” on your favorite platform: Spotify, Apple Podcasts, Amazon Music.
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
XZ Utils cyberattack likely not an isolated incident.
The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident, as evidenced by a similar, credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide. The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation are calling on all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns that are emerging, and to take steps to protect their open source projects.
Join Us at SOSS Fusion 2024 in Atlanta
Don’t miss SOSS Fusion 2024, taking place October 22-23. This event brings together nearly 500 professionals from diverse sectors—ranging from software development to cybersecurity. Here’s what you can expect:
Expert-led Sessions: Engage with industry leaders through Lightning Talks, presentations, and keynotes, covering key tech trends in AI, Containers, Microservices, and IoT.
Unmatched Networking: Connect with top technical minds during our renowned “hallway track,” fostering collaborations to solve current and future challenges.
All-Inclusive Access: Register by August 9 for just $399, which includes access to all sessions, breakfast, breaks, and exclusive evening events.
Experience the future of technology and security at SOSS Fusion 2024!
Leverage the OpenSSF Newsletter Within Your Organization
As a valued OpenSSF subscriber, you’re well-equipped with the latest in open source security. We encourage you to share this knowledge internally: pass the newsletter, or relevant snippets from it, to your co-workers by word of mouth and through your organization’s internal newsletters and communications, and help your organization stay informed.
In the News
- InfoSec Today, Curious engineer catches backdoor in Linux compression package
- Reuters, Why a near-miss cyberattack put US officials and the tech industry on edge
- CSO Online, OWASP Top 10 OSS Risks: A guide to better open source security
- Yahoo, Open source groups say more software projects may have been targeted for sabotage
- The Hacker News, OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt
- Fortune, After a failed Linux backdoor attempt grabs headlines, open source leaders warn of more attacks
- SD Times, OpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs
- Help Net Security, Protobom: Open source software supply chain tool
Meet OpenSSF at These Upcoming Events!
- RSA Conference: May 6-9, 2024
- OpenSSF Tokyo Meet-up 2024: May 13, 2024
- SOSS Policy Summit Europe 2024: May 14, 2024
- Black Hat USA: Aug. 7-8, 2024
- DEF CON: Aug. 8 – 11, 2024
- SOSS Community Day Europe: Sept. 19, 2024
- SOSS Fusion Conference: Oct. 22-23, 2024 (Save the date!)
Get Involved in OpenSSF
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, and LinkedIn
See You Next Month
We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month!
Regards,
The OpenSSF Team