All Posts By John Mertic

July 2021 Update – New members and new resources for Best Practices and Vulnerability Disclosures underway

Blog

The Open Source Security Foundation (OpenSSF) community is working diligently to improve the security of the open source ecosystem. This is no small mission, so we are excited to share all of the work that is happening. In case you missed our recent Town Hall meeting, the resources can be found here.

New members

First off, we’re excited to announce that 10 new members have joined the OpenSSF. These commitments from companies across the industry demonstrate the priority placed on securing the open source software that runs our businesses and our lives. Our newest members join at least 35 other companies and include Accurics, Anchore, Bloomberg Finance, Cisco Systems, Codethink, Cybertrust Japan, OpenUK, ShiftLeft, Sonatype and Tidelift.

Working Group Progress

Our working groups are where the work gets done, and contributors from across the industry have made important progress in recent months.

Vulnerability Disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to improve the overall security of the open source software ecosystem by helping to mature and advocate for well-managed vulnerability reporting and communication. Its latest work includes:

  • An OSS Vulnerability Disclosure good practices whitepaper, targeting September for publication.
  • Setting up a call with the CVE Board to hear about changes to the program and provide feedback from our perspective.
  • Ongoing talks with CERT/CC about open sourcing their VINCE vulnerability coordination tool.

Best Practices

The Best Practices for OSS Developers working group is dedicated to raising awareness of, and educating open source developers about, secure coding best practices. Its latest work includes:

About the OpenSSF

The OpenSSF is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come.

For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved.

Open Source Ecosystem Gains New Support for Securing the World’s Most Critical and Pervasive Software

Press Release

Open Source Security Foundation adds 10 new members from around the globe

SAN FRANCISCO, Calif., July 28, 2021 – OpenSSF, a cross-industry collaboration to secure the open source ecosystem, today announced new membership commitments to advance open source security education and best practices. New members include Accurics, Anchore, Bloomberg Finance, Cisco Systems, Codethink, Cybertrust Japan, OpenUK, ShiftLeft, Sonatype and Tidelift.

Open source software (OSS) has become pervasive in data centers, consumer devices and services, reflecting its value to technologists and businesses alike. Because of its development process, open source passes through a chain of contributors and dependencies before it ultimately reaches its end users. It is important that those responsible for their users’ or organization’s security are able to understand and verify the security of this dependency supply chain.

“The massive support we’re seeing for the OpenSSF and its initiatives is a reflection of the industry-wide commitment to secure open source software,” said Kay Williams, Governing Board Chair, OpenSSF, and Supply Chain Security Lead, Azure Office of the CTO, Microsoft. “We welcome the latest OpenSSF new members and look forward to their contributions.”

The new Scorecard 2.0 is also available now. It adds new security checks, scales up the number of projects being scored, and makes this data easily accessible for analysis. Scorecard is gaining adoption for automating analysis and trust decisions about the security posture of open source projects.

The OpenSSF is a cross-industry collaboration that brings together technology leaders to improve the security of OSS. Its vision is to create a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course. Its working groups include Securing Critical Projects, Security Tooling, Identifying Security Threats, Vulnerability Disclosures, Digital Identity Attestation, and Best Practices.

OpenSSF has more than 45 members and associate members contributing to working groups, technical initiatives and the governing board, and helping to advance open source security best practices. For more information on founding and new members, please visit: https://openssf.org/about/members/

Membership is not required to participate in the OpenSSF. For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved.

New Member Comments

Anchore

“As maintainers of multiple open source projects and a vendor working to help organizations secure their software supply chains, the current security challenges are ever present for us. Joining the OpenSSF enables us to work across the wider community to develop best practices and ensure that everyone benefits from this coordinated industry effort,” said Neil Levine, Vice President of Product at Anchore.

Cisco

“As a global technology leader, Cisco has a responsibility to ensure the software that the world builds, deploys, and interacts with is secure to use, without compromising the user experience,” said Stephen Augustus, head of open source at Cisco. “Cisco is delighted to openly collaborate with the OpenSSF member organizations to define policy and deliver tooling that helps organizations build and run secure applications.”

Codethink

“As a software consultancy trusted by our clients to provide impartial advice when choosing software to depend on, and processes to adopt, Codethink is pleased to join the OpenSSF to help to promote Open Source solutions to our clients and secure the future of those solutions openly and collaboratively. Codethink has long been a proponent of the use of Open Source software in industry, and in promoting participation as a way to mitigate risk. With the OpenSSF, we see many possible avenues to furthering these goals to the benefit of all,” said Javier Jardón, Head of Automotive Strategy at Codethink.

Cybertrust Japan

“Cybertrust Japan, a developer of embedded Linux for industrial use, is pleased to join the OpenSSF based on the agreement with the activities which continuously promote the security of OSS gathering community-centric and cross-industry participants. We are looking forward to contributing to the open source community through our involvement with OpenSSF and their working groups, utilizing our secure technology regarding our Linux OS for IoT devices and our trust services that protect the IoT lifecycle with a trust chain,” said Yasutoshi Magara, President & CEO, Cybertrust Japan.

OpenUK

“Open Technology plays a vital role in the global economy, powering services like cloud computing. It has a good reputation for software quality, stability and security, but inevitably there are issues discovered over time. Where open source has an advantage is how organisations collaborate, improve code and work together to manage notifications and updates to all the community members and users involved around a project’s ecosystem. OpenUK is pleased to join the OpenSSF and help the development and adoption of best practices for companies, communities and users within the software supply chain,” said Amanda Brock, CEO and Chief Policy Officer, OpenUK.

ShiftLeft

“We are honored to have been accepted into the Open Source Security Foundation, and support their vision to create a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course,” said Chetan Conikee, CTO, ShiftLeft. “Like many of our customers, ShiftLeft has benefited greatly from leveraging open source software to build our differentiated products and features. This new juncture further strengthens our commitment of giving back to the community by empowering organizations with code, enabling them with the ability to build and run secure applications.”

Sonatype

“As the maintainers of the largest repository of open source components in Maven Central, we have a unique view into how great the demand for open source has become in recent years. However, as that demand has grown, bad actors have recognized the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this new battle,” said Brian Fox, CTO of Sonatype. “One of our key missions at Sonatype is to help organizations continuously harness all of the good that open source has to offer, without any of the risk, and OpenSSF and its members share a similar vision. We’re thrilled to officially join OpenSSF and collectively work with other members to keep open source ecosystems safe and secure, as we all figure out how to battle both new and old attacks on the community.”

Tidelift

“Open source has become the de facto development platform, providing the building blocks for the majority of modern applications. Yet most organizations struggle to effectively manage the health and security of their open source software supply chain. We look forward to collaborating with the members of the OSSF and our open source maintainer partners to proactively make open source software more secure for everyone,” said Donald Fischer, CEO and co-founder, Tidelift.

About the Open Source Security Foundation (OpenSSF)

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and to working both upstream and with existing communities to advance open source security for all.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact

Jennifer Cloer
for the Linux Foundation
503-867-2304
jennifer@storychangesculture.com