Skip to main content
All Posts By

OpenSSF

OpenSSF May Newsletter

OpenSSF Newsletter – May 2024

By Newsletter

Welcome to the May 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.

Enhancing Open Source Security: Introducing Siren by OpenSSF

Introducing SIren

In the rapidly changing landscape of cybersecurity threats, collaboration and information sharing are essential. Now, more than ever, the open source community needs a centralized platform to exchange threat intelligence efficiently. Introducing Siren, a threat intelligence sharing platform hosted by Open Source Security Foundation (OpenSSF), a groundbreaking initiative aims to strengthen the defenses of open source projects globally.

Read More

Join Our Upcoming OpenSSF Tech Talk: Proactive Supply Chain Security with GUAC

Guac

Don’t miss our upcoming Tech Talk, “Proactive Supply Chain Security with GUAC,” on June 6, 2024, at 10 AM PT/1 PM ET. In this Tech Talk, you will meet the GUAC maintainers as they cover the project and its recent release, roadmap plans, and how you can contribute.

Cybersecurity threats are constantly and quickly changing, but GUAC can help you stay ahead.

Register Today

Call for Proposals: Submit to Speak at SOSS Community Day Europe

SOSS Community Day EU

Join us in Vienna, Austria, for the Secure Open Source Software (SOSS) Community Day Europe 2024. This enriching event will bring together members from across the security and open source ecosystem to exchange ideas and advancements. Formerly known as OpenSSF Days, SOSS Community Days reflect our broader commitment to fortifying the security of open source software. The Call for Proposals (CFPs) is open until June 16.

Read More

Unlock the Keys to Improved Software Security

Unlock the Keys

In today’s digital world, software security is under constant threat. Attackers exploit vulnerabilities, typosquatting, dependency confusion, and even infiltrate developer accounts. To combat these threats, developers must adopt robust security measures.

Read David A. Wheeler’s latest blog, based on his talk at the Open Source Summit North America (OSS NA) 2024, which outlines essential steps for enhancing software security. He highlights the increasing threat of supply chain attacks, both in open and closed source software, and provides practical guidance from the Open Source Security Foundation (OpenSSF).

Read More

Recap of SOSS Community Day North America 2024

SOSSCDNA1

On April 15, 2024, Secure Open Source Software (SOSS) Community Day North America (NA) brought together the open source community in Seattle to delve into discussions surrounding the challenges, overarching solutions, ongoing initiatives, and triumphs in fortifying the open source software (OSS) supply chain. Alongside dedicated SOSS contributors and thought leaders, we embarked on an in-depth exploration of topics such as security best practices, vulnerability discovery, securing critical projects, and the evolving landscape of OSS security.

Read More

Press Release: OpenSSF Taps Bruce Schneier to Discuss AI and OSS Security During Keynote at SOSS Fusion Conference 2024

Keynote Announced

The Open Source Security Foundation (OpenSSF) announced that internationally renowned technologist Bruce Schneier will serve as the keynote speaker for its inaugural Secure Open Source Software (SOSS) Fusion Conference 2024. Early registration is open for the event, which will take place from Oct. 22 – 23, 2024, in Atlanta, GA.

Register by Aug. 9 for special early bird giveaways! Gain access to interactive workshops, in-depth discussions and valuable sessions about securing open source software

Read More

Spotlight on the OpenSSF AI/ML Working Group

AI/ML Working Group

What do open source software, security, and AI/ML have in common? In this blog, Mihai Maruseac and Jay White from the OpenSSF AI/ML Working Group delve into this intersection. Almost a year ago, experts at the confluence of security and AI/ML united under the OpenSSF umbrella to form this group. Their mission is to secure AI/ML, addressing the rapid spread of AI technology and the increasing frequency of security incidents in AI-related products.

Discover how this working group is tackling the unique challenges posed by the intersection of these critical fields.

Read More

Beyond Scores with OpenSSF Scorecard: Granular Structured Results for Custom Policy Enforcement

Beyond Scores with OpenSSF Scorecard

In this blog, By Adam Korczynski, David Korczynski, Spencer Schrock, Laurent Simon present the OpenSSF Scorecard, a tool to help open source projects reduce software supply-chain risks. The Scorecard analyzes projects based on a series of heuristics, generating scores from 0 to 10—where 0 indicates high-risk practices and 10 signifies adherence to security best practices. These individual scores are combined into an overall Scorecard score.

The broad scope of Scorecard supports various use cases, from risk management to policy-driven decision making. This blog post focuses on a specific use case that allows Scorecard to be tailored to each consumer’s unique requirements through a novel feature called “structured results.” Learn how structured results can enhance your project’s security assessment and policy enforcement.

Read More

Join Us at SOSS Fusion 2024 in Atlanta

SOSS Fusion 24

Don’t miss SOSS Fusion 2024, taking place October 22-23. This event brings together nearly 500 professionals from diverse sectors—ranging from software development to cybersecurity. 

Here’s what you can expect:

  • Expert-led Sessions: Engage with industry leaders through Lightning Talks, presentations, and keynotes, covering key tech trends in AI, Containers, Microservices, and IoT.
  • Unmatched Networking: Connect with top technical minds during our renowned “hallway track,” fostering collaborations to solve current and future challenges.
  • All-Inclusive Access: Register by August 9 for just $399, which includes access to all sessions, breakfast, breaks, and exclusive evening events.

Experience the future of technology and security at SOSS Fusion 2024!

Register

Sponsor

News from CNCF: CloudNativeSecurity Con

Discover the forefront of cybersecurity in cloud-native environments at CloudNativeSecurityCon, the premier conference showcasing cutting-edge trends, best practices, and innovative solutions. Engage with industry experts and professionals as we delve into the dynamic landscape of securing cloud-native infrastructure and applications. Exciting news: schedule is now live! Don’t miss out—secure your spot by registering today!

In the News

Meet OpenSSF at These Upcoming Events!

Get Involved in OpenSSF

You’re invited to…

See You Next Month

We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month! 

Regards,

The OpenSSF Team

Enhancing Open Source Security: Introducing Siren by OpenSSF

By Blog, Guest Blog

By Christopher “CRob” Robinson, Director of Security Communications, Intel Product Assurance and Security, Intel Corporation; and Bennett Pursell, Ecosystem Strategist, OpenSSF

In the ever-evolving landscape of cybersecurity threats, collaboration and information sharing are paramount. Now, more than ever, the open source community needs a centralized platform to exchange threat intelligence efficiently. Introducing Siren, a threat intelligence sharing list hosted by Open Source Security Foundation (OpenSSF), a groundbreaking initiative aimed at fortifying the defenses of open source projects worldwide.

The Need for Collective Defense

It’s estimated that open source software powers up to 90% of modern software, from web servers to mobile applications. However, with its widespread adoption comes increased scrutiny from threat actors seeking to exploit vulnerabilities for their gain. Recent attacks on projects like XZ-Utils and the OpenJS community are stark reminders of the importance of proactive security measures.

While the community has proven methods of communicating vulnerabilities to others within the community, such as the oss-security mailing lists, we do not have a means of communicating information about exploits efficiently with the broader downstream audience. 

While consumers and enterprises may have intelligence sharing structures in place, this does not always extend to the upstream open source community. OpenSSF Siren is an open source resource that fills this gap.

Introducing the OpenSSF Siren

The OpenSSF Siren is a collaborative effort to aggregate and disseminate threat intelligence specific to open source projects. Hosted by the OpenSSF, this platform provides a secure and transparent environment for sharing Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with recent cyber attacks.  Siren is intended to be a post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination.

Key features of the OpenSSF Siren include:

  • Open Source Threat Intelligence:  shared with the community about actively exploited public vulnerabilities and threats.
  • Real-Time Updates: List members receive notifications via email about emerging threats which may be relevant to their projects, enabling swift action to mitigate risks.
  • TLP:CLEAR: To facilitate effective unrestricted transparent communication, the list follows the Traffic Light Protocol (TLP), Clear guidelines for the sharing and handling of intelligence.
  • Community-driven: Contributors from diverse backgrounds collaborate to enrich the intelligence database, fostering a culture of shared responsibility and collective defense.

Strengthening Open Source Security Together

By leveraging the collective knowledge and expertise of the open source community and other security experts, the OpenSSF Siren empowers projects of all sizes to bolster their cybersecurity defenses and increase their overall awareness of malicious activities. Whether you’re a developer, maintainer, or security enthusiast, your participation is vital in safeguarding the integrity of open source software.

Join us in the fight against cyber threats by becoming a member of the OpenSSF Siren today. Together, we can build a more resilient and secure open source ecosystem for generations to come.

Get Involved

Ready to take action? Here’s how you can contribute:

  1. Sign Up: Register for membership on the OpenSSF Siren to start receiving real-time threat intelligence updates.
  2. Contribute: Share your insights and experiences to enrich the intelligence database and help protect open source projects worldwide.
  3. Spread the Word: Share this initiative with your network and encourage others to join the cause.

Together, let’s make open source software secure for everyone. Join the OpenSSF Siren today and be part of the solution. You also can join the conversation within the OpenSSF’s Vulnerability Disclosure working group to engage with other community security experts that are helping demystify vulnerabilities within our open source ecosystem.