Skip to main content

Register for Open Source SecurityCon 2025

search
All Posts By

OpenSSF

Apr 28
Love0

Introducing Package Analysis: Scanning open source packages for malicious behavior

By Blog

By Caleb Brown and David A. Wheeler, on behalf of Securing Critical Projects Working Group

Today we’re pleased to announce the initial prototype version of the Package Analysis project, an OpenSSF project addressing the challenge of identifying malicious packages in popular open source repositories. In just one month of analysis, the project identified more than 200 malicious packages uploaded to PyPI and npm. 

The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run? The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously. This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem. Though the project has been in development for a while, it has only recently become useful following extensive modifications based on initial experiences.

The vast majority of the malicious packages we detected are dependency confusion and typosquatting attacks. The packages we found usually contain a simple script that runs during an install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior. Still, any one of these packages could have done far more to hurt the unfortunate victims who installed them, so Package Analysis provides a countermeasure to these kinds of attacks.

There are lots of opportunities for involvement with this project, and we welcome anyone interested in contributing to the future goals of:

  • detecting differences in package behavior over time;
  • automating the processing of the Package Analysis results;
  • storing the packages themselves as they are processed for long-term analysis; 
  • and improving the reliability of the pipeline.

Check out our GitHub Project and Milestones for more opportunities, and feel free to get involved on the OpenSSF Slack. This project is one of the efforts of the OpenSSF Securing Critical Projects Working Group. You can also explore other OpenSSF projects like SLSA and Sigstore, which expand beyond the security of packages themselves to address package integrity across the supply chain.

Apr 19
Love1

Your Favorite Software Repositories, Now Working Together

By Blog

Authors: Dustin Ingram (Google), Jacques Chester (Shopify)

A software repository is a critical component of any open source ecosystem: it provides a trusted central channel to publish, store and distribute open-source third-party software to all consumers. Package indexes and package managers exist for almost every software ecosystem, and share many of the same goals, features and threats.

But these repositories and related tooling have been developed independently, with little knowledge sharing between them over the years. This means the same problems get solved repeatedly, mostly in isolation. As it becomes more important to increase the overall security of these critical repositories, it has also become important for these repositories to collaborate and share knowledge.

Today, we’re announcing the creation of the Securing Software Repositories Working Group, a community collaboration with a focus on the maintainers of software repositories, software registries, and tools (like package managers) that rely on them, at various levels including system, language, plugin, extensions and container systems.

We’ve brought together many of the key maintainers, contributors and stakeholders of software repositories that are critical to many open source ecosystems, including Java, Node.js, Ruby, Rust, PHP, and Python, to participate in the group.

This working group provides a forum to share experiences and to discuss shared problems, risks and threats. It also provides a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure our respective software repositories, such as Sigstore.

You can learn more about the working group’s objectives in our repository and charter, join our meetings via the public OSSF calendar, or find us on the OpenSSF Slack in the #securing_software_repos channel. If you maintain or operate a software repository system of any kind, please join in!

Mar 30
Love1

Free Developing Secure Software Training Course From OpenSSF Now Available

By Blog

Log4Shell, SolarWinds Compromise, Heartbleed – cybersecurity breaches have become household names in recent years. These issues are costing organizations billions of dollars in prevention and remediation costs, yet at the same time they are becoming ever more common. Reacting to breaches after the fact is useful, but not enough; such reactions fail to protect users in the first place. Security needs to instead be baked into software before it’s released. Unfortunately, most software developers don’t know how to do this.

To alleviate this issue and improve access to cybersecurity training for everyone from developers to operations teams to end users, the Open Source Security Foundation (OpenSSF) has partnered with Linux Foundation Training & Certification to release a new, free, online training course, Developing Secure Software. Those who complete the course and pass the final exam will earn a certificate of completion valid for two years.

Geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software, this course focuses on practical steps that can be taken, even with limited resources, to improve information security. The goal is to make it easier to create and maintain systems that are much harder to successfully attack, reduce the damage when attacks are successful, and speed the response so that any latent vulnerabilities can be rapidly repaired.

This course starts by discussing the basics of cybersecurity, such as what risk management really means. It discusses how to consider security as part of the requirements of a system, and what potential security requirements you might consider. It then focuses on how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. It also considers how to secure your software supply chain, that is, how to more securely select and acquire reused software (including open source software) to enhance security. 

The course also focuses on key implementation issues and practical steps that you can take to counter the most common kinds of attacks. Discussion follows on how to verify software for security, including various static and dynamic analysis approaches, as well as how to apply them (e.g., in a continuous integration pipeline). It also discusses more specialized topics, such as the basics of how to develop a threat model and how to apply various cryptographic capabilities. The course content mirrors that in the Secure Software Development program we offer with edX, but in a single course instead of three.

The self-paced course can be completed in about 14-18 hours and includes quizzes to test the knowledge gained. Upon completion, participants will receive a digital badge verifying that they have been successful in all required coursework and have learned the material. This digital badge can be added to resumes and social media profiles. 

Enroll today to start improving your cybersecurity skills and practices!

Mar 01
Love1

Open Source Security Foundation Attracts New Commitments, Advances Key Initiatives in Weeks Since White House Security Summit

By Press Release

SAN FRANCISCO, March 1, 2022, The Open Source Security Foundation (OpenSSF) a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important open source security initiatives, today announced 20 new organizations have joined OpenSSF to help identify and fix security vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. It is also announcing the latest milestones achieved across a variety of its technical initiatives, all of which underscore the cross-industry momentum that is taking place as a result of increasing awareness in the wake of recent security incidents and since the recent White House Open Source Security Summit and recent Congressional hearings. 

“The time is now for this community to make real progress on software security. Since open source is the foundation on which all software is built, the work we do at OpenSSF with contributions from companies and individuals from around the world is fundamental to that progress,” said Brian Behlendorf, executive director at OpenSSF. “We’ve never had more support or focus on building, sustaining, and securing the software that underpins all of our lives, and we’re happy to be the neutral forum where this can happen.” 

New Premier Member commitments come from 1Password, Citi, Coinbase, Huawei Technologies, JFrog, and Wipro. New General Member commitments come from Accuknox, Alibaba Cloud, Block, Inc, Blockchain Technology Partners, Catena Cyber, Chainguard, Cloudsmith, DeployHub, MongoDB, NCC Group, ReversingLabs, Spotify, Teleport, and Wingtecher Technology. New Associate Members include MITRE and OpenUK. For a complete review of the OpenSSF member roster, please visit: https://openssf.org/about/members/

These commitments come on the heels of the recent White House Open Source Security Summit, where the Linux Foundation and OpenSSF represented hundreds of its project communities and discussed how best to support software security and open source security posture going forward. This summit was a major milestone in the Linux Foundation’s engagement with the public sector and underscored its position supporting not only the projects it hosts but all of the world’s most critical open source infrastructure. 

Since the OpenSSF announced initial commitments in October, the community has continued to advance the OpenSSF mission. Some selected highlights include:

New Alpha-Omega Project Launches with $5m Investment to Improve OSS Security Posture

OpenSSF also recently announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. It is initially supported by Microsoft and Google with a combined investment of $5 million. The Project improves global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

Automated Security Tool, Scorecards, Increases Scans from 50,000 to 1 Million Projects

Scorecards is an OpenSSF project that helps open source users understand the risks of the dependencies they consume. OpenSSF members GitHub and Google recently announced Scorecards v4, which includes Scorecards GitHub Workflow Action to automate the identification of how changes to a project affected its security. It also includes License Check to detect the presence of a project license and Dangerous-Workflow check to detect dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows. The Scorecards project has also increased the scale of scans from 50,000 projects to one million projects. These software projects are identified as most critical based on their number of direct dependencies, giving a more detailed view of the ecosystem and strengthening supply chain security as users see improved coverage of their dependencies. 

Project Sigstore Sees Massive Contribution, Adoption to Sign, Verify and Protect OSS 

Sigstore recently released a project update that reported nearly 500 contributors, 3,000 commits, and over one million entries in Rekor. For more information on what is driving this adoption, please visit the Sigstore blog.

The “Great MFA Distribution” Distributes Codes to Claim Free Hardware Security Tokens to Almost 1000 Top OSS Developers

In the pursuit of encouraging wider adoption of multi-factor authentication (MFA) by developers of critical open source projects, The Securing Critical Projects Working Group coordinated the distribution of nearly 1000 codes for free MFA tokens (graciously donated by Google and Github) to developers of the 100 most critical open source projects. This dsiribution is a small but critical step in avoiding supply chain attacks based on stolen credentials of key developers.

To join OpenSSF and/or contribute to these important initiatives, please visit: https://openssf.org/

Premier Member Quotes

1Password

“We’re proud to be among like-minded organizations and individuals that share a collective commitment to improving the security posture of open source software,” said Pedro Canahuati, Chief Technology Officer at 1Password. “Much of the technology we use today is built on open source software. Given 1Password’s human-centric approach to building user-friendly applications, it’s important to us that its integrity and security is protected.”

Citi

“The security of open source software and its supply chain is an essential aspect to Citi. We have worked with the open source community on bolstering security in these areas, and we look forward to strengthening this mission by joining the Open Source Security Foundation,” said Jonathan Meadows, Head of Cloud & Application Security Engineering, Citibank.

Coinbase

“Coinbase is the world’s most trusted cryptocurrency exchange, and the security of our open source dependencies — as well as the broader crypto ecosystem — is paramount. The OpenSSF’s goals align with our own, and Coinbase is proud to be contributing to increasing the security of open source software for the benefit of all,” said Jordan Harband, Staff Developer Relations Engineer, Coinbase.

Huawei Technologies

“The importance of open source software security is well recognized by the customer, industry, and government. It is time for the community to take strategic, continuous, effective, and efficient actions to advance the open source software security posture.  We are very glad to see OpenSSF launching initiatives (Scorecard, Alpha-Omega, SigStore, etc.) to improve the open source software security directly,” said Dr. Kai Chen, Chief Security Strategist, Huawei. “Huawei commits to strengthen investment on cybersecurity and to maintain a global, secure and resilient  open source software supply chain.”

JFrog

“Open source software is the foundation of today’s modern systems that run enterprises and government organizations alike – making software part of a nation’s critical infrastructure,” said Stephen Chin, VP of Developer Relations, JFrog. “JFrog is honored to be part of OpenSSF to accelerate innovation and advancement in supply chain security. Projects coming out of OpenSFF help make JFrog’s liquid software vision a secure reality.”

Wipro

“With the increasing adoption of open source software and its growing importance in enabling innovation and transformation comes commensurate cybersecurity risks. The community needs a concerted effort to address them. We are excited to join the governing board of OpenSSF to collaborate with other members on defining and building set of solutions and frameworks and best practices to help ensure the integrity of the open source software supply chain and contribute our domain expertise, breadth of resources and global reach to this important effort,”  said Subha Tatavarti, CTO, Wipro Limited.

General Member Quotes

Accuknox

“In the Shift Left, DevSecOps Developer-led adoption of Security Tools and platforms an OpenSource led approach is imperative. We are thrilled to see OpenSSF launching path-breaking initiatives to help end-users and technology providers harness the power of open source and contribute to the collective knowledge capital,” said Nat Natraj, co-founder, CEO, AccuKnox.

Alibaba Cloud

“Open Source software has become a key software supply chain of IT, and Open Source software security has a huge impact on infrastructure security. Alibaba Cloud, as the world’s leading cloud vendor that always puts security and data privacy as the priority, is keeping investing in security research. For a long time, the public has felt that open source software is very safe because of transparency, all software developers can review the code, find and fix vulnerabilities. But In fact, there are many widely used open-source software that is still possible to have security bugs that have not been noticed for a long time. It is great to have an organization like OpenSSF, which can connect so many great companies and open source communities to advance open source security for all.  As a member of Open Source Security Foundation, we’re looking forward to collaborating with OpenSSF to strengthen the Open Source security,” said Xin Ouyang, Head of Alibaba Cloud Security, Alibaba Cloud.

Block, Inc.

“Block is very excited to join with other industry leaders to help step up the quality of open source security.  I strongly believe that as an industry, it is our priority to address security concerns in a supply chain that we all use.  We may compete on products, but we should never compete on security, and OSSF is a fantastic example of this idea,” said Jim Higgins, CISO of Block.

Blockchain Technology Partners

“Open source software is mainstream and underpins much of the world’s critical infrastructure as well as powering enterprises across the globe. Against this backdrop, OpenSSF’s mission to secure the open source supply chain is fundamental to our future,” said Duncan Johnston-Watt, CEO and Co-founder of Blockchain Technology Partners. “Collaboration is key to OpenSSF’s success, and so we are delighted to contribute to this initiative which complements our existing involvement in the Hyperledger Foundation, CNCF, and LF Energy.”

Catena Cyber

“Open source leads to a massive sharing of knowledge. Beyond the quantity of information, the quality of it becomes important to bring value to society,” said Philippe Antoine, CEO of Catenacyber. “We are glad to join OpenSSF to contribute to improving the cybersecurity of open source projects through fuzzing and other means. Let’s fix all the bugs!”

Chainguard

“Making the software lifecycle secure by default is increasingly critical as open source has become the digital backbone of the world. A vibrant, open software security ecosystem is essential to that mission. We are excited to be members of the Open Source Security Foundation and to continue working with the community to make the software lifecycle secure by default,” said Tracy Miranda, head of open source at Chainguard.

Cloudsmith

“Having a single source of truth for software artifacts has never been more vital to supply chains, especially for the open-source community. OSS engineers need trust and provenance, and a trusted source for secure end-to-end software delivery, from build through to production. At Cloudsmith, our mission is to evolve the cloud-native supply chain, making it simple for the OSS community to secure their software delivery at scale through Continuous Packaging. We are thrilled to join OpenSSF, and we look forward to being part of the continued mission to improve the security posture of open source software universally,” said Alan Carson, CEO at Cloudsmith.

DeployHub

“At DeployHub, we have been laser-focused on tracking the consumption of microservices, including their versions. These relationships make up our new application-level Software Bill of Materials (SBOMS). There is no better place to have this supply chain conversation than the OpenSSF,” explains Tracy Ragan, CEO DeployHub.

MongoDB

“As all industries increasingly rely upon open source software to deliver digital experiences, it is our collective responsibility to help maintain a vibrant and secure ecosystem,” said Lena Smart, Chief Information Security Officer, MongoDB. “You can have all the tools in the world, but at the end of the day, it is people across multiple organizations around the world working together that will ensure an expansive cybersecurity program. One of MongoDB’s values is “Build Together,” and we’re excited to join and further cross-industry collaboration to move the security of open source software forward.”

NCC Group

“Even if your code is perfectly secure, chances are it has vulnerable dependencies. And the number of unpatched vulnerabilities “in the wild” outpaces the speed at which the security community can patch or even identify them. Security, as it is practiced now, doesn’t scale at the rate needed to keep things at least as secure as they were yesterday, and we have compelling reasons to expect this to get even worse for defenders. However, through harnessing dedicated investment and coordinating industry-wide efforts to improve the security of the most critical open source components and find scalable interventions for the entire ecosystem, we have an opportunity to improve software security at a massive scale. But we can only do this together, and it is for this reason that NCC Group is excited to contribute to the work of OpenSSF,” said Jennifer Fernick, SVP & Global Head of Research at cybersecurity consulting firm NCC Group.

ReversingLabs

“The software supply chain has become a major risk vector for new threats, including those from the open source ecosystem. The inherent dependencies and complexities of the modern software supply chain means that companies often lack visibility and the ability to track each component through the entire software development process. Recognizing these challenges, ReversingLabs is pleased to join the OpenSSF and offer its contributions to the community that help drive the automation of more comprehensive software bills of material and mitigate software supply chain and package release risks,” said Mario Vuksan, CEO and Co-founder, ReversingLabs.

Spotify 

“As a technical community we all have a responsibility to improve the security and trust of an open source ecosystem that so many of us rely upon. Spotify has always relied on open source software, and contributes to the community through projects like Backstage. We believe open source software forms the backbone of our industry and we look forward to supporting the foundation’s goal of ensuring everyone can depend on a healthy and secure software ecosystem,” said Tyson Singer, VP, Head of Technology and Platforms at Spotify.

Teleport

“The complexity of modern infrastructure has broadened attack surface areas to the point where data breaches are just about an everyday occurrence,” said Ev Kontsevoy, CEO of Teleport. “These risks have been exacerbated by the rise of remote and hybrid workplaces. With an eye on global attacks, the open source community’s commitment to improving open source security is critical to ushering in a new era of computing. Offering a solution to increase security, ease usability, and help scale enterprise development access, Teleport is pleased to be a part of the OpenSSF.” 

Wingtecher Technology

“As a fast-growing startup, Wingtecher focuses on exploring the technologies that secure various kinds of open source softwares. We are excited to join OpenSSF and ready to collaborate with the community to overcome the emerging open source security challenges worldwide,” said Vincent Li, COO Wingtecher Technology.

About OpenSSF

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: https://openssf.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

Feb 02
Love1

OpenSSF Webinar: Introduction to Project Alpha-Omega

By Alpha-Omega, Blog

We’ve scheduled a webinar on February 16, 2022 at 10:00 AM US/Pacific time for anyone who wants to learn more about Project Alpha-Omega and registration is now open!

Hear from Brian Behlendorf (OpenSSF GM), David A. Wheeler (OpenSSF Director of Security), and Alpha-Omega project leaders Michael Scovetta (Microsoft) and Michael Winser (Google) to learn more about near term goals, milestones, and opportunities for participation in the Alpha-Omega Project.

Register Now
Feb 01
Love1

OpenSSF Announces The Alpha-Omega Project to Improve Software Supply Chain Security for 10,000 OSS Projects

By Press Release

Following a meeting with government and industry leaders at the White House, OpenSSF is excited to announce the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. Microsoft and Google are supporting the Alpha-Omega Project with an initial investment of $5 million. This builds on previous industry-wide investments into OpenSSF aiming to improve open source software security.

Widely deployed OSS projects that are critical to global infrastructure and innovation have become top targets for adversarial attacks. Following new vulnerability disclosures, adversary attacks can be seen within hours. For example, recently discovered vulnerabilities in the widely deployed Log4j library forced many organizations into crisis as they raced to update applications using the popular library before adversaries could attack. 

The Alpha-Omega Project will improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

“Open source software is a vital component of critical infrastructure for modern society. Therefore we must take every measure necessary to keep it and our software supply chains secure,” said Brian Behlendorf, General Manager, OpenSSF. “Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities.  This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.”

Alpha: Focusing on the Most Critical OSS Projects

Alpha will be collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.

For these selected projects, Alpha team members will provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.

Alpha will track a series of important metrics providing stakeholders with a better understanding of the security of the open source project they depend on. The public will receive a transparent, standardized view of the project’s security posture and compliance with security best practices. 

Omega: Focused on the Long Tail of OSS Projects

Omega will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings) and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega will have a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.

Omega community members will provide suggestions on how to automate detection of security vulnerabilities in the future and more generally on efficient ways to implement security best practices.

Corporate Partnerships Are Key

The value of securing the OSS ecosystem has become increasingly clear to companies and organizations of all sizes. Microsoft and Google’s support of the Alpha-Omega Project with an initial investment of $5 million and committed personnel is jump-starting the initiative. Other organizations are strongly encouraged to participate as well, whether by committing volunteers or by direct funding to expand the number of OSS projects that Alpha-Omega can reach.

“The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part—it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities,” stated Eric Brewer, VP of Infrastructure and Fellow at Google. “Enabling automation will be one of the greatest improvements for open source security.”

“At Microsoft, we proudly support OpenSSF and the Alpha-Omega Project. Open source software is a key part of our technology strategy, and it’s essential that we understand the security risk that accompanies all of our software dependencies,” offered Mark Russinovich, Chief Technology Officer, Microsoft Azure. “Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities. We look forward to collaborating with industry partners and the open source community on this important initiative.” 

Learn More and Get Involved

For more information about Alpha-Omega, see https://openssf.org/community/alpha-omega/. Individuals interested in updates about Alpha-Omega can sign up through an announcements mailing list. Organizations considering sponsorship or engagement in Alpha-Omega should email memberships@openssf.org

The OpenSSF also encourages all individuals and organizations interested in Alpha-Omega to participate in its Securing Critical Projects working group

Additional Resources

  • Join the OpenSSF to take an active role in improving OSS security
  • Participate in one of six OpenSSF working groups to help improve open source security
  • Get involved in our OpenSSF events, planning committees, and Slack workspaces
  • Download our new State of Software Bill of Materials and Cybersecurity Readiness report
  • Get certified as a secure software development professional

About the Open Source Security Foundation (OpenSSF)

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at https://www.linuxfoundation.org/

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page. Linux is a registered trademark of Linus Torvalds.

Jan 19
Love1

Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4

By Blog

Authors: Best Practices Working Group, Laurent Simon (Google), Azeem Shaikh (Google), and Jose Palafox (GitHub)

Today, two members of the Open Source Security Foundation, Google and GitHub, are partnering to release Scorecards V4, featuring a new GitHub Action, an added security check, and scaled up scans of the open source ecosystem.

The Scorecards project was launched last year as an automated security tool to help open source users understand the risks of the dependencies they consume. Though the world runs on open source software, many open source projects engage in at least one risky behavior—for example, not enabling branch protection, not pinning dependencies, or not enabling automatic dependency updates. Scorecards makes it simple to evaluate a package before consuming it: a scan run with a single line of code returns individual scores from 0 to 10 rating each individual security practice (“checks”) for the project and an aggregate score for the project’s overall security. Today’s release of a Scorecards GitHub Action makes it easier than ever for developers to stay on top of their security posture.

Helping Developers

Scorecards GitHub Workflow Action

Previously, Scorecards needed to be run manually to judge how changes to a project affected its security. The new Scorecards GitHub Action automates this process: once installed, the Action runs a Scorecards scan after any repository change. Maintainers can view security alerts in GitHub’s scanning dashboard and remediate any risky supply-chain practices introduced by the change. 

As shown in the example above, each alert includes the severity of the risk (low, medium, high, or critical), the file and line where the problem occurs (if applicable), and the remediation steps to fix the issue.

Several critical open source projects have already adopted the Scorecards Action, including Envoy, distroless, cosign, rekor, kaniko. The Action is free to use and can be installed on any public repository by following these directions.

New Checks

We’re continually adding new security checks to help developers assess risks to their projects. This release adds the License check, which detects the presence of a project license, and the Dangerous-Workflow check, which detects dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows. Dangerous Workflow is the first Scorecards check with a “Critical” risk level rating, since these patterns are so easily exploited—with these workflows, a single pull request can introduce compromised code into a project. The new Scorecards check informs users of the existence of these vulnerabilities in their project and provides remediation guidance to fix the issue.

Scaling Up Data Availability

The Scorecards team runs weekly scans of a set of critical open source projects, creating snapshots of the security of the overall open source ecosystem at any given time. Over the past few months, we have increased the scale of scans from 50,000 projects to one million projects identified as most critical based on their number of direct dependencies, giving a more detailed view of the ecosystem and strengthening supply chain security as users see improved coverage of their dependencies. With Scorecards V4, the weekly scans now reflect the 0-10 rating scale for each repository rather than the pass-fail results of previous versions, adding more granularity to the data. The scan results are publicly available through the Scorecards API and on the OpenSSF metrics dashboard and Open Source Insights partner websites.

Growing the Community

Since our initial launch, we have been improving our codebase thanks to the expanding Scorecards community. In 2021, we grew to over 40 unique contributors, averaged over 16 commits per week (totalling 860 commits), and closed 270 issues. We warmly welcome new contributors; check out this list of good first-timer issues if you’d like to join in the fun. 

Here’s a few examples of projects that have adopted Scorecards:

“kaniko is a popular open source container image builder for Kubernetes, so it’s very important to maintain the security of the repository and the codebase. The ossf/scorecard Github Action takes care of this for us and continuously monitors the repository. It took less than 5 minutes to install and quickly analyzed the repo and identified easy ways to make the project more secure.” 

– Priya Wadhwa, Kaniko

“We rely on scorecards in distroless to ensure we follow secure development best practices. Secure source and config means safer base images for all our users.”

 – Appu Goundan, Distroless

“Scorecards provides us the ability to rapidly litmus test new dependencies in the Envoy project. We have found this a valuable step in vetting new dependencies for well known attributes and we have integrated Scorecards into our dependency acceptance criteria. Machine checkable properties are an essential part of a sound security process.”

 – Harvey Tuch, Envoy

Strengthening the Supply Chain 

We expect 2022 to be a year of growing awareness of the criticality of supply chain security. If your New Year’s resolution is to pay closer attention to your projects’ security, using the Scorecards GitHub Action is one of the easiest ways to get started. Just install the workflow on your repositories and follow the remediations instructions to address the issues that roll in. Each incremental improvement helps strengthen the open source ecosystem for everyone.

For additional information, head over to the release notes and, as always, please reach out with any questions or suggestions.

Jan 13
Love1

The OpenSSF and the Linux Foundation Address Software Supply Chain Security Challenges at White House Summit

By Blog

Today marks an important moment in the Linux Foundation’s history of engagement with public sector organizations. The White House convened an important cross-section of the Open Source developer and commercial ecosystem along with leaders and experts of many U.S. federal agencies to identify the challenges present in the open source software supply chain and share ideas on ways to mitigate risk and enhance resilience. 

At the meeting, the Linux Foundation and the Open Source Security Foundation (OpenSSF) represented their hundreds of communities and projects by highlighting collective cybersecurity efforts and sharing their intent to work with the administration across public and private sectors. 

Linux Foundation Executive Director Jim Zemlin said, “Safeguarding critical infrastructure includes securing the software that runs its banking, energy, defense, healthcare, and technology systems. When the security of a widely-used open source component or application is compromised, every company, every country, and every community is impacted. This isn’t a problem unique to the US government; it’s a global concern. We applaud the US government’s leadership in facilitating a stronger focus on open source software security and look forward to collaborating with the global ecosystem to make progress. In particular, the OpenSSF is our key initiative to address the broad set of open source software supply chain challenges, and it was very heartening to hear our work identified and endorsed by other participants in the meeting as a basis for further collaboration.” 

Executive Director of the Open Source Security Foundation, Brian Behlendorf commented, “During today’s meeting, we shared a set of key opportunities where, with sufficient commitments from everyone, we could make a substantial impact on the critical endeavors needed to protect and improve the security of our software supply chains. The open source ecosystem will need to work together to further cybersecurity research, training, analysis and remediation of defects found in critical open source software projects. These plans were met with positive feedback and a growing, collective commitment to take meaningful action. Following the recent log4j crisis, the time has never been more pressing for public and private collaboration to ensure that open source software components and the software supply chains they flow through demonstrate the highest cybersecurity integrity.”

Brian continued, “Through efforts such as our working groups on Best Practices, Identifying Critical Projects, Metrics and Scorecards, Project Sigstore, and more to be announced soon, the OpenSSF has already had an impact on many of the key areas discussed during today’s meeting. We are ready to further these efforts and welcome all new participants and resources that this conversation and further such conversations may bring.”

Dec 10
Love1

Securing Critical Open Source Projects with Multifactor Authentication

By Blog

The Open Source Security Foundation (OpenSSF) Developer Best Practices Working Group has undertaken a project to improve the overall security and integrity of critical open source software projects and their supply chains.  Dubbed “The Great MFA Distribution Project”, the group is putting hardware multi-factor authentication (MFA) tokens into the hands of open source software (OSS) developers and providing them simple ways to integrate them into their projects’ daily workflows. These tokens are provided through the generous donation of multi-factor authentication tokens from OpenSSF members GitHub and Google.

Supply chain integrity is more important and prescient than ever.  Supply chain attacks have increased at rates that parallel the explosive growth of open source software development techniques and code.  The OpenSSF was formed in 2020 from a broad coalition of industry and open source security experts focusing on different aspects of improving the overall quality and security of OSS through deep collaboration with communities.  As the foundation grows and evolves, so does the scope of projects the group collaborates on.  The OpenSSF’s Great MFA Distribution Project is one of several active projects focused on securing OSS.

Through the use of MFA tokens a developer, contributor, or maintainer on an OSS project can add extra assurance of their identity as they engage with code and tooling within their projects instead of just using a username/password combination.  For example, these tokens will eliminate the problem of attackers using stolen passwords to “take over” OSS developer accounts to release subverted source code or packages. This helps improve the trustworthiness of this software for downstream consumers, strengthening the chain of custody and trustworthiness.

The Great MFA Distribution project has begun reaching out to a list of identified critical OSS projects and distribution of tokens will be underway during December.  The MFA Distribution project offers no-charge hardware tokens to OSS project developers and maintainers along with simple documentation on how these tools can be integrated into daily development activities.  Details on the project can be found in the Great MFA Distribution project repository.

Oct 13
Love2

The World’s Major Technology Providers Converge to Improve the Security of Software Supply Chains

By Blog

Imagine you have created an open source project that has become incredibly popular.  Thousands, if not millions, of developers worldwide, rely on the lines of code that you wrote. You have become an accidental hero of that community — people love your code, contribute to improving it, requesting new features, and encouraging others to use it. Life is amazing, but with great power and influence comes great responsibility.

When code is buggy, people complain. When performance issues crop up in large scale implementations, it needs to be addressed. When security vulnerabilities are discovered — because no code or its dependencies are always perfect — they need to be remediated quickly to keep your community safe.  

To help open source projects better address some of the responsibilities tied to security, many communities hosted by the Linux Foundation have invested countless hours, resources, and code into some important efforts. We’ve worked to improve the security of the Linux kernel, hosted Let’s Encrypt and sigstore, helped steward the ISO standardization for SPDX, and brought together a community building metrics for OSS health and risk through the CHAOSS project — among many others.

Today, we are taking steps with many leading organizations around the world to enhance the security of software supply chains. The Linux Foundation has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF) and its initiatives. This cross-industry collaboration brings together an ecosystem to collectively identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. We are also proud to announce that open source luminary, Brian Behlendorf, will serve the OpenSSF community as General Manager. 

Financial commitments for OpenSSF include Premier members such as AWS, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware. Additional commitments come from General members, including Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.

To learn more about how to join the OpenSSF or to get involved in one of its six working groups, listen in to this brief introduction from Brian Behlendorf recorded this week at KubeCon:https://www.youtube.com/embed/Mjsb6Z1Weto?feature=oembed&wmode=opaque&rel=0

In 2021, the Linux Foundation and its community will continue to support education and share resources critical to improving open source cybersecurity.  For example, this week, we also hosted SupplyChainSecurityCon, where the SLSA and sigstore projects were heavily featured.

If you are an open source software developer, user, or other community participant who just wants to help further protect the software that accelerates innovation around the world, please consider joining one of our six OpenSSF working groups, or suggest a new working group that addresses gaps in software supply chain security needs.

You can follow the latest news from OpenSSF here on our blog, Twitter (@TheOpenSSF), and LinkedIn.