Throughout 2022, the Linux Foundation and OpenSSF in particular have been at the heart of a number of important conversations concerning the open source software (OSS) community and sustainability of the ecosystem. A large part of our global engagement efforts have been focused on collaborating with leaders in the public and private sector to further the ecosystem understanding of open source software security.
On December 5th during Open Source Summit Japan, the Open Source Security Foundation (OpenSSF) hosted OpenSSF Day Japan 2022, a half-day event dedicated to exploring ongoing efforts to improve the security of open source software (OSS). Throughout the day, contributors and thought leaders shared their ideas and experiences with OSS security through sessions on subjects like security best practices, vulnerability discovery, securing critical projects, and the future of OSS security.
Alpha-Omega is an OpenSSF project, established in February 2022, with a mission to protect society by improving the security of open source software through direct maintainer engagement and expert analysis, trying to build a world where critical open source projects are secure and that security vulnerabilities are found and fixed quickly. During our first year, we helped fund important security work for some of the most important open source projects and have begun to see the impact of that work. We’re happy to share our first annual report, which describes what we’ve accomplished, what we’ve learned, and the impact we hope to have in 2023.
Presenting a comparative study of the different approaches used to measure criticality and risk by a set of OpenSSF projects. Criticality is the measure of how important a package is across the global software ecosystem based on how many packages depend upon it. By combining criticality with the measure of a project’s security posture, or the risk that there may be as-yet-undiscovered vulnerabilities in software, we can prioritize the application of resources that might reduce the overall risk to the software landscape most efficiently. This work has been taken from The State of Dependency Management, the inaugural research report from Station 9, Endor Labs’ research team.
The Open Source Security Foundation (OpenSSF) announced many new members from leading technology firms in sectors that span software development, cybersecurity, data science, platform as a service, semiconductors, finance, think tanks, academics, and more, bringing the total number of OpenSSF members over one hundred.
The Linux Foundation Training & Certification team, in partnership with the Open Source Software Foundation (OpenSSF), are pleased to announce the launch of one of our post popular training courses translated into Japanese – Developing Secure Software (LFD121).
A robust strategy around securing how developers consume and manage open source software (OSS) dependencies when building software is essential. The Secure Supply Chain Consumption Framework (S2C2F) is a consumption-focused/consumer-focused framework that uses a threat-based, risk-reduction approach to mitigate real world threats in Open Source Software (OSS). Today, we are pleased to announce that it has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Interest Group (SIG).
In the motor city, the community hosted the first-ever Sigstore event, SigstoreCon, in co-location with KubeCon + CloudNativeCon North America. Event highlights included the announcement of Sigstore general availability, an awards ceremony, engaging talks, and introduction of a Sigstore Landscape. If you missed out, the session recordings are now available.
Today at SigstoreCon, the Sigstore community announced the general availability of its free software signing service giving open source communities access to production-grade stable services for artifact signing and verification. Sigstore provides a set of tools designed to improve supply chain security by making it easy to sign, verify and check the software developers are building and consuming.
Projects adopting the practices set out by the OpenSSF in its Security Score, including adopting a dependency update tool that ensures rapid updating of vulnerable dependencies, will improve their project’s security and the security of the open source projects that depend on them. Dependency management is critical, because Sonatype’s research revealed that about 6 out of every 7 vulnerabilities affecting projects come from transitive dependencies.