Skip to main content

📩 Stay Updated! Follow us on LinkedIn and join our mailing list for the latest news!

All Posts By

OpenSSF

OpenSSF Welcomes New Members and Introduces New Initiatives at SOSS Community Day Japan

By Blog, Press Release

Growing Member Base and New Initiatives Continue to Advance Open Source Software Security

TOKYO, JAPAN – October 30, 2024 – The Open Source Security Foundation (OpenSSF), a global cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), is excited to announce new members from leading technology, security, and research firms. The OpenSSF is also thrilled to host Secure Open Source Software (SOSS) Community Day at Open Source Summit Japan 2024, bringing together community members, maintainers, and contributors from across the globe.

New general member commitments from Arm, embraceable AI and Fujitsu along with new associate member commitments from Ruby Central and Trifecta Tech further strengthen the support for open source software security. With backing from these new organizations, the OpenSSF heads into the final quarter of 2024 with a robust member base dedicated to promoting a strong, vibrant, and secure open source software ecosystem.

“The addition of our newest members to the OpenSSF highlights the growing global commitment to strengthening open source software security,” said Arun Gupta, Vice President and General Manager, Developer Programs at Intel and OpenSSF Governing Board Chair. “By joining forces, we can address security challenges, foster innovative solutions, and build a safer digital future for everyone. With the support of these new members, we are further enabled to drive forward our shared mission.”

To celebrate its growing community, the OpenSSF is hosting SOSS Community Day Japan at Open Source Summit Japan 2024. SOSS Community Day Japan is an opportunity for community members from across the open source security ecosystem to come together and share ideas. With an agenda packed with sessions led by industry experts, the event will cover critical topics like education, innovation, tooling, vulnerabilities, and threats, showcasing the ongoing efforts of the OpenSSF community to enhance open source software security.

General Member Quotes

Arm

“At Arm, we recognize that collaboration is key to advancing the security of the global software ecosystem. By joining OpenSSF, we look forward to contributing to its mission of raising the bar on open source software security and underscoring our dedication to fostering standardization across the industry to give developers the confidence and tools they need to innovate.”

— Andrew Wafaa, Senior Director and Fellow, Software Communities, Arm

embraceable AI

“Security in the realm of AI is not just a feature; it’s the foundation of trust. As we empower enterprises with intelligent services, we prioritize safeguarding data and ensuring privacy, so our clients can innovate fearlessly.”  

— Dr.-Ing. Christian Gilcher, General Manager, embraceable AI 

Fujitsu

“Fujitsu is proud to have achieved conformance with OpenChain ISO/IEC 18974, demonstrating our commitment to open source compliance and excellence. Our next step is to join the OpenSSF. We take our dedication a step further to enhance the security and trustworthiness of the global software supply chain. Open source software is a key driver of innovation, and we look forward to collaborating with the OpenSSF community to ensure the resilience and transparency of the technologies shaping our future.”

— Teppei Asaba, Senior Director, Mission Critical System Business Unit, Fujitsu Limited

Associate Member Quotes

Ruby Central

“Joining OpenSSF aligns perfectly with Ruby Central’s commitment to advancing the security of open source ecosystems. By collaborating with OpenSSF and its community of forward-thinking organizations, we’re excited to bring our expertise from the Ruby ecosystem and work together on solutions that enhance the security and sustainability of open source software for all developers.”

— Marty Haught, Interim Open Source Lead, Ruby Central

Trifecta Tech

“We are excited to join the OpenSSF as an associate member as we continue to actively contribute to the security of the open source software we all rely on. Trifecta Tech Foundation is a non-profit working on safer software for the underlying infrastructure of the Internet and vital systems for water, energy, and communication. We develop and maintain open source software and contribute to open standards for these essential systems. Our projects include memory-safe alternatives to critical pieces of software like sudo, the Network Time Protocol, and zlib.”

— Erik Jonkers, Chair, Trifecta Tech Foundation

New Initiatives 

In addition to welcoming new members, OpenSSF is excited to announce several new initiatives aimed at bolstering open source software security.

Minder: contributed by Stacklok, is now a sandbox project within OpenSSF. Minder simplifies the integration and use of powerful security tools like OSV, OpenSSF Scorecard, and Sigstore, allowing developers and security teams to establish policies on code repositories and dependencies, reducing risk before and after code is merged.

bomctl: A format-agnostic Software Bill of Materials (SBOM) tooling project introduced in September 2024, aimed at enhancing SBOM generation and management across various formats.

Zarf: created by Defense Unicorns, launched in July 2024, Zarf is a free, open source tool enabling continuous software delivery on systems disconnected from the internet, facilitating secure software distribution in air-gapped environments.

These new initiatives demonstrate the OpenSSF’s continued dedication to fostering innovation and providing tools to enhance open source software security across diverse use cases.

Additional Resources

  • View the complete list of OpenSSF members.
  • To learn more about the OpenSSF community, including information about membership, contribution, project participation, and more, contact us.

###

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit openssf.org.

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Tanner
Look Left Marketing
openssf@lookleftmarketing.com

What’s in the SOSS? Podcast #18 – Canonical’s Stephanie Domas and Security Insight from a Self-Described “Tinkerer”

By Podcast

Summary

In this episode, CRob talks to Stephanie Domas, CISO at Canonical, the creators of the popular operating system Ubuntu. Having started her career with over 10 years of ethical hacking, reverse engineering and advanced vulnerability analysis, Stephanie has a deep knowledge and passion for the hacker mindset.

Conversation Highlights

  • 01:14: Stephanie shares how she got her start in security
  • 05:41 Interesting things Stephanie has discovered since becoming more directly involved with open source
  • 08:20 The challenge of instilling trust into those who consume open source
  • 12:42 Stephanie answers CRob’s rapid-fire questions
  • 14:07 Stephanie’s advice to those getting into cybersecurity
  • 15:43 Stephanie’s call to action for listeners

Transcript

Stephanie Domas soundbite (00:01)
For those who aren’t in security community yet, if you have that protector personality and you like to help and you like to make sure things are great when people use them, security may be for you, right? Those tinkerers and those protectors make such phenomenal security people. If those are you, we need you in security.

CRob (00:18)
Hello everybody, I’m CRob. I do security stuff on the internet. I’m also a community leader within the OpenSSF. And we have this nice little podcast you’re listening to called What’s in the SOSS? Where I get to talk to the most amazing people that work within and around open source software. And today we have a special treat. We have Stephanie Domas. She’s the CISO of Canonical. And she’s also a former teammate of mine and a fellow Ohioan. Stephanie, welcome to the show.

Stephanie Domas (00:52)
Thank you, CRob, it’s nice to see you again and thanks for inviting me.

CRob (00:55)
You’re very welcome. It’s nice to be seen. Gotta couple questions here. We’re going to have some fun questions later on, but let’s start off. Why don’t you describe to vthe audience kind of who you are? What’s your origin story and kind of what led you to this point where you’re working with one of the major commercial open source distributions today?

Stephanie Domas (01:14)
Yeah, absolutely. So the story of Stephanie and so it all starts back in middle school. And I won’t go, I won’t make this a huge long story, but I do think it’s, it’s, I don’t know, it’s colorful background, right? So back in middle school, right? I started to get into PC gaming, like all good nerds were at that time. And I, you know, hypothetically started to get very interested in how the cracked versions of things that I was hypothetically downloading worked.

And so while I was a consumer of these things, I really wanted to understand, you know, how were people figuring out where to patch? How were people figuring out how to change these games so I had more money or I had new powers. And so this led me on this spiral of just really wanting to understand how computers worked, right? So it all started with just how, how was this even happening? And so I kept digging deeper and deeper. And before, you know, I was in university studying electrical and computer engineering, and I was focused on processors.

And so I was very interested in essentially this, the brain of the computer, right? How is it doing it? Because at the end of the day, when I started to peel back the layers of cracks and the key gens, it all came back to trying to manipulate how the computer worked. And so I found this super interesting. And so, you know, I went to college, I started to get really interested in the cyber side of things, right? So when my university didn’t have a cyber program, I was still very interested in trying to peel back that onion.

And so I started, I joined an ethical hacking team. I participated in Capture the Flags or CTS and I was very fortunate that that first role I landed outside of college was on a security research team. And so I got to spend seven years just doing really fascinating security research. And given my focus was processors, as you can guess, my focus was on x86. So I did a tremendous amount of x86 security research for a number of years. And while that was immensely fun, at a certain point, I felt like I wanted to have a bigger impact on the world. And while my research was like interesting, right? I didn’t feel like I was having that big impact. And so I kind of did two things, right? I one decided to go do a startup and not just a startup, but I wanted to do it in an industry where I felt like cybersecurity was really, really weak. Right. And so I went and did a medical device cybersecurity startup. I felt like that, that industry, because of the impact for patient harm had this really high need for security and yet not a lot of security people were focused in the area.

And so I did a startup that, to this day is still having, I think, a profound impact on that community. And then I also started teaching because I wanted to give back, have a bigger impact. And so I started to adjunct at my alma mater, which is the Ohio State University, teaching a bunch of software and security courses and assembly. And, you know, I eventually started transitioning. I also started teaching at your traditional security conferences like Black Hat and DEF CON and DerbyCon. And then given my background in processors, I obviously ended up at Intel, which is where we had the privilege of meeting.

And so I got to be there for three years as the chief security technology strategist. And that was a ton of fun, right? Given Intel’s large impact across the world’s compute, right? I got to sort of fulfill my desire of driving impact across the world’s compute. And then last September, I had the honor of joining Canonical as their first CISO. And that’s really exciting for me because as you know, we all know listening to this, right? That just open source is such this beautiful thing where we’re capturing the world’s creativity as code. And while Canonical is the maintainer of dozens of open source projects, we are obviously most commonly known for Ubuntu.

And I’m also this fundamental believer that while a lot of people think of security as sort of guarding gates or building fences, it is all of that. But I actually believe it’s so much more that that security is also about building bridges and enabling compute that couldn’t have happened otherwise without security. And so I’m still on that mission to improve the world’s compute by doing amazing things in security. And so I’m so excited to be at Canonical to be a part of bringing that sort of how can security be an enabler to the world’s compute through open source.

CRob (05:14)
Nice. Well, you said something interesting that I want to circle back to in a future episode. I want to talk about DerbyCon, which was one of my favorite conferences ever.

Stephanie Domas (05:23)
I was so sad when they closed down.

CRob (05:25)
I know! #TrevorForget! But you know it being new to open source. What’s one of the most interesting differences that you’ve encountered kind of in your journey here and as you’ve gotten to know the culture around Canonical and the broader upstream open source?

Stephanie Domas (05:41)
Yeah, so this is a super fascinating thing for me because before joining Canonical, while I had been a consumer of open source and Ubuntu had been one of my daily drivers for, I don’t know, 15 years, basically, since they started doing security research, I wasn’t actually that familiar with or hadn’t really dug into the unique nuances of how you actually drive security into open source. And so that was obviously one of the first things that needed to happen in a transition here.

And so one of the really fascinating things to me was there are so many common practices in how you drive security into software, right? Commonly captured as things like your SDLC and SDLC best practices. And a lot of that is just, I don’t know, it’s relatively mature, right? Here’s all the things you need to do. And so one of the things that was super fascinating to me and is still just like a constant source of interest for me is how you translate all of those SDLC practices into open source. There’s so many nuances associated with one, it being open source, right? The fact that there are so many contributors and community members, but also one of the things that has been really eye-opening to me in the open source space is because it’s open source, you have so much more, you have much more complex dependency systems in the software, right?

Because it’s open source and because there’s a sense of community and because everyone sort of develops a library that does something and then everyone else consumes it, right? You get much more of these really complex interdependencies and upstreams and downstreams that just simply don’t exist in proprietary software. And so when you start trying to apply your traditional SDLC practices to this, a lot of it doesn’t fit. And so it’s an interesting paradigm of there are known good things to do and they don’t quite translate into open source. Some of them do, but a lot of them don’t. And so that’s been a really interesting journey for me to try and figure out what can we take, what doesn’t fit, how could we make it fit, how can we still achieve some of the same outcomes in this open source and really immensely complex dependency trees.

CRob (07:40)
It’s a great challenge that I’m glad that we have folks such as yourself helping try to drive this. And that kind of touches onto our next question. You’ve spent time within traditional large enterprises and generally with those types of companies, you’ve got well-defined boundaries and regulations and policies and whatnot. And part of Canonical’s job is making open source consumable for those types of customers. Talk a little bit about some of the processes that might work in an enterprise that can help instill trust into folks’ open source software consumption.

Stephanie Domas (08:20)
Yeah, so this one’s super fascinating as well because there’s open source and then there’s open source that is enterprise-ready. And while sometimes that means at the high level, right, it’s things like, it’s resilient, it’s been tested, maybe it’s supported. But I would say that’s actually kind of just cracking the surface of this, right? At the end of the day, you know, Canonical sits at this sort of in-between enterprise and open source. And some of the really interesting things, especially you see in the security space, is this desire for these companies to translate what they know as secure practices into the open source space.

And so I also mentioned in the last question, right, the SDLC, right? The number of questionnaires we get from customers that say, do you have an SDLC? Does it meet all these requirements? And it’s their standard questionnaire, right? It’s all those standard best practices I just talked about. And it’s really, really hard to say yes to those and feel like you can write like a real solid checkbox in that line. And so just giving like a super nerdy example is something that’s just been on my mind recently. So I’m going to throw out some nerd numbers here. So the OMB memorandum, M-22-18, right? I see you shaking your head and I know people can’t see this.

CRob (09:33)
Oh, I’m familiar with it.

Stephanie Domas (09:35)
The thing is just, this is, this is a real big thing right now and it is requiring software manufacturers to fill out a repository for software attestation art, sorry a secure software development attestation form to then file in the repository for software access stations and artifacts. This form is derived from the NIST SSDF, which is the NIST secure software development framework, SP 218. I’m throwing so many numbers at us right now, but the whole point is, right, this is an example of sort of what I talked about in the last question where enterprises have these known ways of doing things and then this SSDF is a common accepted way of doing secure development lifecycle, but a lot of it, well, not all of it translates cleanly to open source.

And so now you have these memorandums coming out asking software developers to fill out this form. And some of the questions in there, I would say at least half of the questions inside of it are around the development machines, right? Was the development done on a machine that is isolated? Was the development done on a machine that follows security best practices? Well, how on earth am I supposed to answer that question for open source? Do I answer with the mindset of just Canonical developers, in which case I can give a straight answer? Do I answer with the community members? And the form that they’ve developed has no area for you to explain nuance. You’re either in alignment with the form or you answer no and they consider you sort of out of alignment and you are considered to need to put together a plan for how you get in alignment.

And so things like this are really interesting in sitting in that intersection between enterprises and open source because a lot of these sort of regulations and efforts of what these enterprises are looking for, right? The checkboxes they need to get in order to be able to them satisfy their customers don’t translate. And so we sit at that intersection of trying to, you know, one, make it your traditional enterprise ready with resilience and testing and code coverage and all of those great things.

But also the really interesting part of the really complex part that I think a lot of the community members maybe don’t appreciate how chaotic it is, is how you translate all of these regulations and these internal NIST frameworks that all the customers want checkboxes for into how you meet those in an open source space in a way that you can say with confidence, right, we want to have confidence when we say, yes, we meet this is really, really difficult to do. And yeah, so that memorandum is on my mind a lot right now because we’re attempting to go through that process right now. And again, it’s like, how do I answer this question when I don’t control community members’ laptops, right?

CRob (12:11)
Yeah, it’s a lot of really interesting challenges. I could spend hours talking about SDLC too. I’m really excited again that we have folks that are bringing, kind of live in both worlds. You’re bridging the gap between enterprise and community and trying to help make a successful translation. I really appreciate that. And I also appreciate we’re at the time of the show where we’re going to do the rapid fire round!

Stephanie Domas (12:35)
Woo!

CRob (12:36)
All right, I got a series of fun questions and let’s see how you do. There are no wrong answers. First question, spicy or mild food?

Stephanie Domas (12:46)
My gosh, so mild. I am absolutely a wimp with spices.

CRob (12:49)
(Laughs) Alright, fair enough. Next question. What’s your favorite flavor of ice cream?

Stephanie Domas (12:55)
Vanilla.

CRob (12:56)
Vanilla? Alright. French vanilla? Vanilla bean?

Stephanie Domas (13:00)
(Laughs) I am not fancy enough for that one. My palate is not refined enough to know the difference.

CRob (13:06)
(Laugs) Very nice. All right. Vi or Emacs?

Stephanie Domas (13:12)
Vi, definitely.

CRob (13:14)
Yes, hooray! There are no wrong answers except if you pick Emacs.

Stephanie Domas (13:18)
Yes, my Vimrc file is complicated and every time I move computers and I haven’t moved it, it’s very painful. So it’s got a lot of customization, I won’t lie.

CRob (13:31)
Excellent. And last question from rapid-fire: tabs or spaces?

Stephanie Domas (13:36)
My gosh, I’m gonna get some enemies here. I’m a tabs person.

CRob (13:39)
Yeah? very nice. Again, there are no wrong answers. Everyone has their own way of working. That’s great. Thank you for sharing our little fun segment. And as we wind down, what advice do you have? You mentioned that you’ve been a teacher and you’ve given a lot of your time to try to help bring up the next generation of folks. Well, what advice do you have for people that are getting into either open source development or cybersecurity?

Stephanie Domas (14:07)
Yeah, I guess so. I’ll focus on the cybersecurity one and I’m going to get a bit of like social emotional on us here instead of technical. But my advice, my high level advice is just assume the best in your community team members until you are given a reason to otherwise. I see so many times some new vulnerability comes out or some new incident or a breach happens and I see people in the community kind of they jump to assuming negligence or assuming that people are dumb and you see statements like how could they not have done X, like that’s so obvious and it makes me really sad because I feel like most people in the community actually are really trying to do the right thing.

They are on limited resources. They have to make tough decisions and sometimes literally things just fall through the cracks and so I see people get burnout because, not because they’re not trying to do the right things because they’re trying to do the right thing, and people don’t aren’t appreciating that they’re trying to do the right thing right so we’re going to. It’s going to be a high-level one of be good to your fellow security members. And if you’re in a position to offer help to them, somebody who happens to be in the spotlight, is firefighting, is involved somehow in a breach or an incident. Instead of sitting there and trying to judge them offer to help them, even if it’s just to offer a shoulder for them to have somebody to not yell at them for a moment, send them a digital coffee, something. So assume the best in your security team members until they give you a reason to not.

CRob (15:31)
I love it. More empathy for everybody, I think, will make the world a much happier place. And finally, do you have a call to action for our listeners? Something you want to inspire them to do next?

Stephanie Domas (15:43)
Just, I know this is one, it’s also kind of cheesy. It’s just, I don’t know, just always be curious in how stuff works, right? I think there’s so many different reasons why people get into security. I got into it because I was a tinkerer and because I’m curious. If that’s your passion, right, follow that. I would also say the other really big one I see is people who have this protector personality. So if you feel like, for those who aren’t in the security community yet, right, if you ever, if you feel that protector personality and you like to help and you like to make sure things are great when people use them, right? Like security may be for you, right? Those tinkers and those protectors make such phenomenal security people. If those are you, right? We need you in security.

CRob (16:24)
That’s awesome. Such wise words. Thank you, Stephanie. I really appreciate your time. O-H…

Stephanie Domas (16:30)
I-O!

CRob (16:31)
Yes!

Announcer (16:32)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at openssf.org/getinvolved. We’ll talk to you next time on What’s in the SOSS?

Case Study: Kusari’s Implementation of OpenSSF Tools and Services

By Blog, Case Studies

Challenge

For many years, the software supply chain has suffered from a lack of transparency and inefficient, unsustainable security management methods such as spreadsheets, emails, and word of mouth. The severity of these challenges was highlighted during incidents like Log4Shell, where the limitations of these approaches became evident — organizations struggled to identify where Log4J was used, and many applications continue to use vulnerable versions of this library years later. Meanwhile, the costs and regulatory requirements of attacks and vulnerabilities continue to increase. The founders of Kusari, driven by their passion and personal experiences with these problems, sought to create scalable and robust security solutions for their customers and users.

Solution

To address these challenges, Kusari created and co-developed the tool GUAC (Graph for Understanding Artifact Composition). GUAC integrates data from various OpenSSF tools and specifications to secure Kusari’s platform software and infrastructure. Kusari uses AllStar to enforce best practices for source code repositories and Scorecard to assess repositories for best practice adherence and highlight areas of concern. By adopting SLSA (Supply Chain Levels for Software Artifacts), Kusari follows Level 3 practices for building projects and generating provenance. OpenVEX is used to communicate the vulnerability status of software, while S2C2F (Supply-Chain Levels for Secure Commercial Facilities) ensures rules are followed for safely ingesting open source software. GUAC aggregates data from multiple sources like Scorecard, SLSA, OpenVEX, SBOM, OSV, and deps.dev to analyze supply chain risks and ensure compliance with S2C2F rules.

According to Parth Patel, Co-founder & Chief Product Officer at Kusari, “Working with OpenSSF projects is an invaluable part of building Kusari – both as a company and an enterprise platform. Participating in open source communities allows us to shape the future of software supply chain technology. The work we invest in OpenSSF communities pays off in having reliable software tools to build and integrate with the security ecosystem.”

Results

The implementation of these tools has significantly enhanced Kusari’s ability to manage and mitigate software supply chain risks. The adoption of open specifications like SLSA, S2C2F, and OpenVEX allows Kusari to generate and consume supply chain data that is broadly supported in the community. Tools like AllStar, Scorecard, and Sigstore help enforce best practices in code, build, and delivery processes. GUAC enables Kusari to ingest and analyze standardized metadata from multiple OpenSSF tools, providing a clear understanding of supply chain risks and facilitating quick responses to security incidents.

Engagement with OpenSSF Community

Kusari engages with the OpenSSF community in various capacities, including as maintainers and users of AllStar, GUAC, and SLSA, and as TAC sponsors for GitTUF, SBOMit, and S2C2F. This engagement is a way for us to innovate and give back within the open source community. Kusari is committed to helping shape and develop the future of software supply chain security. You can regularly find us in meetings with the Supply Chain Integrity Working Group; come join in. 

Benefits and Challenges

Open specifications and tools provide flexibility for integration and modification, ensuring better interoperability. Security has a long history of being closed and vendor-centric, but that’s changing. Collaboration is required to protect effectively against current and future threats. That’s why Kusari is passionate about being a creator, maintainer, contributor and user of open source security tools. 

Striking a balance between vendor support and community-driven efforts is crucial for sustainable success in open source projects. Arun Gupta, vice president and general manager of Open Ecosystem Initiatives at Intel and OpenSSF governing board chair emphasizes, “It’s vital that we foster collaboration between vendors and the open source community in a collaborative manner that respects the community. This balance is key to achieving a secure software ecosystem.”

Future Plans

Kusari plans to adopt additional OpenSSF tools such as GitTUF as they mature and looks forward to developments from SBOMit.

Conclusion

Kusari’s integration of OpenSSF tools and specifications has significantly bolstered its software supply chain security, providing scalable and efficient solutions for managing vulnerabilities. Through active participation in the OpenSSF community, Kusari continues to contribute to and benefit from the evolving landscape of open source security.

 

OpenSSF Newsletter – October 2024

By Newsletter

Welcome to the October 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Join us in Tokyo for SOSS Community Day Japan on October 30, 2024, co-located with the Open Source Summit Japan (October 28-29)

Hosted by the OpenSSF, this event will bring together open source security enthusiasts to connect, collaborate, and share knowledge. Whether you’re an industry leader or a passionate technologist, this is your opportunity to dive deep into the latest open source security trends, learn from experts, and network with the vibrant open source community. Don’t miss out—register today and be part of the conversation on securing open source software! Learn more

Recap on SOSS Community Day EU

SOSSCommunity24EU
On September 19, the OpenSSF community gathered in Vienna for SOSS Community Day EU, held alongside Open Source Summit EU. Each summit and community day is a celebration of open source excellence, showcasing the collective efforts of passionate individuals committed to making the world a safer place. We extend a heartfelt thanks to our dedicated maintainers for their continuous efforts in advancing open source security!

Recordings and photos are now available. Relive the moment as we recap some of the exciting conversations from the event! Read more

2025 Virtual Tech Talk Call for Proposal (CFP)

We are excited to invite proposals for the 2025 Virtual Tech Talk Series, providing a platform for in-depth discussions on critical initiatives to secure open source software within the OpenSSF community. These tech talks are designed to foster knowledge sharing, highlight innovative technical projects, and showcase efforts driving the future of open source security.
Have a topic or expertise you’d like to share? Submit your Call for Proposals (CFP) by December 15, 2024, to ensure ample time for review and planning. This is your chance to contribute, connect with peers, and inspire others in the field.
Submit your CFP

OpenSSF Education Tech Talk Highlights & Future Opportunities

10-10TechTalk
The OpenSSF hosted a virtual Tech Talk titled Jumpstart Your Journey: Mastering OSS Security Development with the Linux Foundation Education. This session was designed for aspiring open source professionals and newcomers eager to dive into the world of open source software (OSS) security.  Read more

Developer Relations: The Human Connection Driving Open Source Security

DeveloperRelationsTheHumanConnectionDriving OpenSourceSecurity

Open source security isn’t just about technology—it’s about the people behind it. Developer Relations (DevRel) connects developers, maintainers, and contributors, ensuring that they have the tools and support to make open source software more secure and resilient. As Katherine Druckman, Open Source Evangelist at Intel, said in her recent episode of the What’s in the SOSS? podcast: “We solve technical problems with technical solutions, but there are also so many human problems that need human solutions.” This illustrates the heart of DevRel—bringing together people to drive progress in open source security. Read more

OpenSSF SOSS Fusion Conference Kicks off with Talks from Google and Cisco Executives

SOSS-Fusion-2024-OpenSSF-SOSS-Fusion-Conference-Kicks-off-with-Talks-from-Google-and-Cisco-Executives-

The Open Source Security Foundation (OpenSSF) announced the opening of the Secure Open Source Software (SOSS) Fusion Conference in North America in Atlanta, GA. This event unites a diverse community of professionals, including public sector leaders, software developers, security engineers, students, cybersecurity experts, CISOs, CIOs, founders, and tech pioneers. With a robust agenda covering AI security, critical open source security projects, public policy, and today’s most pressing security topics, SOSS Fusion offers a comprehensive look at OpenSSF’s initiatives that’s aimed at simplifying security for developers, and will help them prepare to shape a safer digital world in 2025 and beyond. Read more

Join us for SigstoreCon: Supply Chain Day at KubeCon NA 2024

SigstoreCon
Join us for SigstoreCon: Supply Chain Day at KubeCon NA 2024 in Salt Lake City on November 12! Attendees will explore the latest advancements in digital artifact signing, with sessions on Sigstore, SLSA, The Update Framework (TUF), and more.

Key Topics Include:

  • Case Studies: Real-world examples of how projects are leveraging Sigstore, SLSA, or TUF
  • Package Registry Adoption: Insights for maintainers adopting Sigstore/SLSA
  • Client Development: Learnings from building Sigstore clients
  • Technical Deep Dives/Research: Exploring transparency, privacy-preserving identities, and more

Don’t miss this opportunity to stay ahead in supply chain security​!

View agenda 

Register now

Empower Your Software Development with OpenSSF’s Free “Developing Secure Software” Course! 

Learn secure software fundamentals at your own pace and earn a recognized certificate. Plus, we’ve just added new optional labs in LFD121! These hands-on exercises will help you practice countering attacks with real-world scenarios and helpful hints. Enroll here

In the News

Meet OpenSSF at These Upcoming Events!

Get Involved in OpenSSF

You’re invited to…

See You Next Month

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

 

SOSS-Fusion-2024-OpenSSF-SOSS-Fusion-Conference-Kicks-off-with-Talks-from-Google-and-Cisco-Executives-

OpenSSF SOSS Fusion Conference Kicks off with Talks from Google and Cisco Executives

By Blog, Press Release

Event aims to create a more secure open source future by covering high-priority topics and offering workshops and industry expert insights

WASHINGTON — October 22, 2024 — The Open Source Security Foundation (OpenSSF) announced the opening of the Secure Open Source Software (SOSS) Fusion Conference in North America in Atlanta, GA, today. This event unites a diverse community of professionals, including public sector leaders, software developers, security engineers, students, cybersecurity experts, CISOs, CIOs, founders, and tech pioneers. With a robust agenda covering AI security, critical open source security projects, public policy, and today’s most pressing security topics, SOSS Fusion offers a comprehensive look at OpenSSF’s initiatives that’s aimed at simplifying security for developers, and will help them prepare to shape a safer digital world in 2025 and beyond. 

The OpenSSF supports a vibrant, active community developing tools and best practices to aid developers on their security journey. With 7,500-plus projects in the OpenSSF Best Practices Badge program, the foundation remains committed to educating and influencing the broader community through thought leadership in open source security. This year, OpenSSF staff and community members have presented at over 30 meaningful events, such as VulnCon, OSPOs for Good, OECD Global Forum on Digital Security for Prosperity, and Grace Hopper Celebration, among others.

This event aims to strengthen the community by bringing together industry leaders, developers, project maintainers, students, and security researchers. Together, they will exchange actionable insights and introduce state-of-the-art tools to improve the security of open source software for everyone. Participants will stay informed about the latest advancements in open source security.

“When I look at the lineup of topics at SOSS Fusion and speakers I am reminded of our amazing community. I see an excellent mixture of our seasoned members and projects alongside new and exciting voices joining us for the first time,” said CRob, chief security architect at OpenSSF. “The sessions cover important key topics ranging from AI and machine learning security, to some of our newest projects, like Zarf. This event will be valuable to attendees and will showcase the most innovative ideas and initiatives the open source community has to offer.”

Along with notable keynote sessions and workshops, the agenda will highlight key themes from Cisco, Google, Kusari, and Linux Foundation executives including:

Recorded sessions will be available on demand approximately two weeks after the event. Sign up for the OpenSSF newsletter to receive notifications about the recorded sessions, and visit the website to learn more about becoming an OpenSSF member.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaborating and working upstream and with existing communities to advance open source security. For more information, please visit us at openssf.org.

Media Contact:

Jennifer Tanner
Look Left Marketing
openssf@lookleftmarketing.com