The use of SBOMs is becoming increasingly essential in managing software supply chains. The main consumption use case is for evaluating dependencies known-vulnerabilities risk, by mapping the dependencies listed in…
Weāve been discussing the creation of SBOMs for over ten years, but has it gotten us any closer to hardening our software development practices? SBOMs provide critical supply chain data,…
The goal of the Best Practices Working Group is to provide open source developers with recommendations on best practices around development and security. This working group focuses on providing developers…
Each software repository faces a challenging task to protect producers and consumers of open-source software. They must defend against a variety of threats, juggling a complex menu of options to…
The primary activity for The Linux Foundation projects is open collaboration on technical challenges that deliver tangible improvements for developers, companies, industries, and society at large. The focus weāve always…
Security used to be something of an afterthought in software development. Security was clunky or inconvenient, often because it was a ābolt-onā. That has rapidly changed over the last two…
SBOM Everywhere is a Special Interest Group (SIG) within the Security Tooling Working Group of the OpenSSF. In September we funded work on the SPDX Python library and are now…
Scorecard is becoming a key part of IBMās review and curation of the open-source software in our products and services. IBM is committed to helping address the systemic security issues…
Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software…
Supply-chain Levels for Software Artifacts (SLSA, pronounced āsalsaā) is an OpenSSF project that provides specifications for software supply chain security, established by industry consensus. SLSAās framework is organized into a…