Clarifying Sigstore Terms of Use
The primary activity for The Linux Foundation projects is open collaboration on technical challenges that deliver tangible improvements for developers, companies, industries, and society at large. The focus we’ve always…
Read More
OpenSSF Day North America Agenda Now Live
The OpenSSF Day North America agenda is now live! We will be hosting a full day of interesting session presentations, panels, and lightning talks on May 10th during Open Source…
Read More
The Role of Foundations in Securing OSS
Security used to be something of an afterthought in software development. Security was clunky or inconvenient, often because it was a ‘bolt-on’. That has rapidly changed over the last two…
Read More
SBOM Everywhere Update and Python SPDX-Tools
SBOM Everywhere is a Special Interest Group (SIG) within the Security Tooling Working Group of the OpenSSF. In September we funded work on the SPDX Python library and are now…
Read More
Improving Open Source Security through Collaboration: March 2023 OpenSSF Town Hall Highlights
Thanks to everyone who attended our recent Town Hall on March 16th where we gave an update on initiatives at the OpenSSF, shared presentations about various initiatives at the OpenSSF,…
Read More
Improving Supply Chain Security: IBM as a user and a contributor to Open Source Security Foundation Scorecard
Scorecard is becoming a key part of IBM’s review and curation of the open-source software in our products and services. IBM is committed to helping address the systemic security issues…
Read More
New SLSA++ Survey Reveals Real-World Developer Approaches to Software Supply Chain Security
Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software…
Read More
Draft Version 1.0 of SLSA Open for Comments
Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”) is an OpenSSF project that provides specifications for software supply chain security, established by industry consensus. SLSA’s framework is organized into a…
Read More
Why Open Source is Infrastructure, and Why it Matters
A new report by the Atlantic Council’s Cyber Statecraft Initiative helps draw light on the question on what "open source as infrastructure" really means, and why it matters: Avoiding the…
Read More
How to Make High-Quality SBOMs
The widespread use of software bill of materials (SBOMs) arguably depends on SBOM quality—that SBOMs contain sufficient and accurate information for the intended user to achieve their goals. But, until…
Read More
See you at the next OpenSSF Town Hall on March 16th
Are you interested in addressing open source software (OSS) security risk? Software Bill of Materials (SBOMs)? Diversity, Equity, and Inclusion (DEI) in OSS security? If so, plan to join us…
Read More
Inaugural OpenSSF Hong Kong Meetup on March 1
We’re delighted to announce the first-ever Open Source Security Foundation (OpenSSF) Meetup in Hong Kong! Whether you’re a member of technical staff or a business executive, if you want to hear the…
Read More
Congratulations to Newly Elected OpenSSF Governing Board Members
We are excited to welcome newly elected Governing Board members of the OpenSSF: Tracy Miranda from Chainguard, Duane O'Brien from Indeed, and Stephen Chin from JFrog. The OpenSSF Governing Board…
Read More
OpenSSF Day at Open Source Summit North America Call for Proposals
We’re pleased to announce we are hosting OpenSSF Day at Open Source Summit North America on Wednesday, May 10th and the call for proposals is now open. The full day program…
Read More
Spotlight on OpenSSF Board Member: Vincent Danen, Vice President of Product Security, Red Hat
Join us for a conversation with OpenSSF Board Member, Vincent Danen. In this series, we are shining the spotlight on individuals who play a pivotal leadership role in setting the…
Read More
Join Us at the First OSS Security Meetup in Tokyo, Japan
We are excited to present at the first ever OSS Security Meetup in Japan, on February 28 in Tokyo, hosted by Open Source Security Foundation (OpenSSF) Members. We aim to…
Read More
Independent Security Audit Impact Report
Security audits are an extremely effective tool for improving the security of critical projects. In 2022, OpenSSF and Google sponsored a number of security audits and associated work via strategic…
Read More
Talking OSS Security in Europe this February
This February, along with many others, we'll be discussing Open Source Software (OSS) Security in Europe - first in Brussels during the Open Source Policy Summit and then at FOSDEM,…
Read More
10 Sessions Not to Miss at CloudNativeSecurityCon
Next week we’re heading to the first ever standalone CloudNativeSecurityCon North America put on by the Cloud Native Computing Foundation (CNCF) in Seattle, WA that brings together application developers and…
Read More
Spotlight on OpenSSF Board Member: Tracy Ragan, CEO, DeployHub
Join us for a conversation with OpenSSF Board Member, Tracy Ragan. In this new series, we are shining the spotlight on individuals who play a pivotal leadership role in setting…
Read More
OpenSSF Year in Review
The OpenSSF is a thriving, diverse, nonstop community. Across more than 30 different active software projects and other technical initiatives, we’ve been able to have the kind of reach and…
Read More
Engaging Policy Makers and the Ecosystem on Open Source Software Globally
Throughout 2022, the Linux Foundation and OpenSSF in particular have been at the heart of a number of important conversations concerning the open source software (OSS) community and sustainability of…
Read More
Takeaways from OpenSSF Day Japan
On December 5th during Open Source Summit Japan, the Open Source Security Foundation (OpenSSF) hosted OpenSSF Day Japan 2022, a half-day event dedicated to exploring ongoing efforts to improve the…
Read More
Avoiding the Next Log4Shell: Learning from the Log4j Event, One Year Later
Log4Shell, a vulnerability in the widely-used open source Java logging library Log4j, was disclosed in December 2021, roughly two months after I took the helm of the Open Source Security…
Read More
Alpha-Omega Project First Year In Review, Plus New Funding Pledge
Alpha-Omega is an OpenSSF project, established in February 2022, with a mission to protect society by improving the security of open source software through direct maintainer engagement and expert analysis,…
Read More
Apples and apples? Comparing Approaches to Measuring Criticality and Risk at the OpenSSF
Presenting a comparative study of the different approaches used to measure criticality and risk by a set of OpenSSF projects. Criticality is the measure of how important a package is…
Read More
Free OpenSSF Developing Secure Software Training Course Now Available in Japanese
The Linux Foundation Training & Certification team, in partnership with the Open Source Software Foundation (OpenSSF), are pleased to announce the launch of one of our post popular training courses…
Read More
Join Us For OpenSSF Day at Open Source Summit Japan
After two successful OpenSSF Days this year at Open Source Summit North America and Europe, we’re excited for our third and final OpenSSF Day of 2022 at Open Source Summit…
Read More
Contributor Q&A with Christopher “CRob” Robinson, Director of Security Communications, Intel Corporation
Meet Christopher "CRob" Robinson, Director of Security Communications, Intel Corporation. Working Group (WG) & Special Interest Group (SIG) facilitator, Technical Advisory Council (TAC) member, Committee member (Governance, Public Policy), Project(s)…
Read More
OpenSSF Expands Supply Chain Integrity Efforts with S2C2F
A robust strategy around securing how developers consume and manage open source software (OSS) dependencies when building software is essential. The Secure Supply Chain Consumption Framework (S2C2F) is a consumption-focused/consumer-focused…
Read More
SigstoreCon Highlights
In the motor city, the community hosted the first-ever Sigstore event, SigstoreCon, in co-location with KubeCon + CloudNativeCon North America. Event highlights included the announcement of Sigstore general availability, an…
Read More
Meet a Maintainer: Naveen Srinivasan, Software Engineer, Endor Labs
Meet Naveen Srinivasan, Software Engineer, Endor Labs. Maintainers play a vital role in the OpenSSF. Naveen is a software engineer at Endor Labs. He was awarded the Google Open Source…
Read More
Meet a Maintainer: Luke Hinds, Security Engineering Lead, OCTO, Red Hat
Meet Luke Hinds, Security Engineering Lead, OCTO, Red Hat. Maintainers play a vital role in the OpenSSF and the Linux Foundation and we think you should get a chance to…
Read More
Sigstore Announces General Availability at SigstoreCon
Today at SigstoreCon, the Sigstore community announced the general availability of its free software signing service giving open source communities access to production-grade stable services for artifact signing and verification.…
Read More
OpenSSF Project Alpha-Omega Invests in the OpenJS Foundation and jQuery to Help Secure the Consumer Web
Today, we’re excited to share that the Open Source Security Foundation (OpenSSF) Project Alpha-Omega is committing $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and…
Read More
Report Finds OpenSSF Scorecards Are Highly Effective Measures to Assess Project Security
Projects adopting the practices set out by the OpenSSF in its Security Score, including adopting a dependency update tool that ensures rapid updating of vulnerable dependencies, will improve their project's…
Read More
Contributor Q&A with Melba Lopez, STSM – Supply Chain Security, IBM
Meet Melba Lopez, STSM - Supply Chain Security, IBM. Contributors play an important role in the OpenSSF and the Linux Foundation, so we want to give you a chance to…
Read More
Meet a Maintainer: Q&A with Priya Wadhwa, Software Engineer, Chainguard
Meet Priya Wadhwa, Software Engineer, Chainguard. Maintainers play a vital role in the OpenSSF and the Linux Foundation and we think you should get a chance to meet some of…
Read More
Securing Open Source Software is Securing Critical Infrastructure
Securing critical OSS components and infrastructure is an important part of securing critical infrastructure. When we consider open source critical infrastructure we must keep in mind that not all OSS…
Read More
New Meet a Maintainer Series: Q&A with Azeem Shaikh, Senior Software Engineer, Google
Meet Azeem Shaikh, Senior Software Engineer, Google. Maintainers play a vital role in the OpenSSF and the Linux Foundation and we think you should get a chance to meet some…
Read More
How OSPOs Can Be a Key Lever for Open Source Sustainability and Security
A well-designed Open Source Program Office (OSPO), when present, is the center of competency for an organization’s open source operations and structure. Here are a dozen ways OSPOs can be…
Read More
OpenSSF Day at Open Source Summit Europe Highlights
Along the River Liffey in Dublin, Ireland we hosted OpenSSF Day EU at the Open Source Summit Europe earlier this month where community members gathered together to discuss the challenges,…
Read More
The United States Securing Open Source Software Act: What You Need to Know
The Securing Open Source Software Act is in response to the Log4Shell vulnerability discovered in late November 2021. What is the Securing Open Source Software Act about? On 21st September…
Read More
First-Ever SigstoreCon at KubeCon + CloudNativeCon North America 2022
This year SigstoreCon will be hosted for the first time! The one-day event will take place on October 25, in Detroit Michigan, in co-location with KubeCon + CloudNativeCon North America.…
Read More
Funding Python SPDX Development with the OpenSSF and SBOM Everywhere
SBOM Everywhere, as the name suggests, is working towards bringing SBOMs to all of open source in a way that is non disruptive. The first effort of the SBOM Everywhere…
Read More
Coordination is Key! The OpenSSF’s CVD Guide for Finders
The Vulnerability Disclosures Working Group is proud to unveil the next evolution in improving open source coordination of vulnerability disclosures by crafting a new guide focused on the Security researcher…
Read More
Introducing New Concise Guides for Developing More Secure Software and Evaluating Open Source Software
In response to the growing concern around open source software development, OpenSSF’s Best Practices for Open Source Developers Working Group (WG) has been diligently working with concerned members and community…
Read More
Alpha-Omega Project Announces Over $1.5M in Grants to Critical Open Source Projects and New Omega Analysis Toolchain
As part of the OpenSSF’s continued investment in critical open-source projects, we are happy to announce new partnerships and tooling from the Alpha-Omega Project. Alpha-Omega will sponsor critical security work…
Read More
Introducing the New OpenSSF End Users Working Group
OpenSSF is excited to announce its newest WG (Working Group), the End Users WG. This WG will focus on representing and addressing the challenges enterprises face when adopting (and using)…
Read More
Show Off Your Security Score: Announcing Scorecards Badges
We are excited to release new features from the Scorecards project, the OpenSSF tool that helps maintainers follow best security practices. The Scorecards GitHub Action now supports a REST API…
Read More
npm Best Practices for the Supply-Chain
We are excited to announce the v1 release of the “npm Best Practices,” a new guide focused on dependency management and supply chain security for npm. This release is the…
Read More
Outcomes from Open Source Software Security Summit in Japan
On August 23rd, we at the OpenSSF and Linux Foundation Japan hosted the Open Source Security Summit Japan. We were joined by senior cybersecurity representatives from more than 20 leading…
Read More
Upleveling Everybody to Secure the OSS Supply Chain – OpenSSF August Town Hall Highlights
The August OpenSSF Town Hall brought together the open source community to hear the latest and greatest about the work going on to secure the open source software supply chain.…
Read More
Announcing OpenSSF Day at Open Source Summit Europe
We’re pleased to announce we will be hosting the second ever OpenSSF Day at Open Source Summit Europe on Tuesday, September 13th. This is your chance to find out what the…
Read More
Secure Coding Practice – A Developer’s Learning Experience of Developing Secure Software Course
My learning experience taking the “DEVELOPING SECURE SOFTWARE (LFD121)” course was positive, and I immediately started applying these learnings in my work as a software architect and developer.
Read More
Get Up to Speed with OpenSSF at Next Virtual Town Hall
At the next virtual OpenSSF Town Hall you will get an in-depth tour of several key initiatives and find out how to get involved yourself in the exciting work of…
Read More
Take Survey to Help Improve Software Supply Chain Integrity Practices
A new survey by Chainguard in collaboration with the Eclipse Foundation, the Rust Foundation and OpenSSF aims to understand the software supply chain integrity practices of a broad range of…
Read More
Join Us at the First OpenSSF Open Source Security Meetup in India
I’m very excited to present at the first ever Open Source Security Foundation (OpenSSF) meetup in India, next Thursday, July 28 in Bangalore, hosted by OpenSSF Premier Member, Wipro. Companies and…
Read More
OpenSSF Supports Movements toward Multi-Factor Authentication
By: The OpenSSF Technical Advisory Council On July 8th, 2022, the Python Package Index (PyPI) announced a security key giveaway for maintainers of critical projects, where “critical” is a label…
Read More
OpenSSF Day Videos Now Available from Open Source Summit North America
The first ever OpenSSF Day at the Open Source Summit North America (OSS NA) was a big success. On June 20th, we gathered in Austin, Texas and online to understand…
Read More
Results of Sigstore and slf4j Security Audits Including 1 High Risk Vulnerability Found and Fixed
We’re excited to report the results of two security audits, one for Sigstore and one for slf4j. The goal of security audits is to find vulnerabilities so they can be…
Read More
Free Training Course Teaches How to Secure a Software Supply Chain with Sigstore
To make it easier to use Sigstore’s toolkit to its full potential, OpenSSF and Linux Foundation Training & Certification released a free online training course, Securing Your Software Supply Chain…
Read More
State of Open Source Security 2022 from Snyk & the Linux Foundation
Snyk has teamed up with the Linux Foundation to research and report on security concerns in the open source ecosystem. The 2022 State of Open Source Security report shows that…
Read More
New Untold Stories of Open Source Podcast Features OpenSSF’s Brian Behlendorf on his Journey to Securing the FOSS Software Supply Chain
The Linux Foundation released a new podcast series, “The Untold Stories of Open Source.” Join us each week as we meet the people behind the code, discover their often unconventional…
Read More
OpenSSF Makes Secure Software Development Training Available on Organizations’ Learning Management Systems
The free "Developing Secure Software" (LFD121) online training course is now available through SCORM Connect, so that organizations with their own SCORM-compliant Learning Management Systems (LMSs) can integrate the course…
Read More
OpenSSF Funds Python and Eclipse Foundations and Acquires SOS.dev through Alpha-Omega Project
As part of the OpenSSF’s continued investment in critical open-source projects, we are pleased to announce that the OpenSSF’s Alpha-Omega Project has committed to $800,000 in funding split equally among…
Read More
Introducing Fuzz Introspector, an OpenSSF Tool to Improve Fuzzing Coverage
We are excited to announce an initial release of Fuzz Introspector, a collaborative effort from OpenSSF members, that provides actionable insights for developers to identify fuzzing coverage blockers by analyzing…
Read More
Testimony to the US House Committee on Science and Technology
We’re pleased to share that Brian Behlendorf, OpenSSF General Manager, testified to the United States House of Representatives Committee on Science, Space, and Technology today. Brian's testimony shares the work…
Read More
Introducing Package Analysis: Scanning open source packages for malicious behavior
By Caleb Brown and David A. Wheeler, on behalf of Securing Critical Projects Working Group Today we're pleased to announce the initial prototype version of the Package Analysis project, an…
Read More
Your Favorite Software Repositories, Now Working Together
Authors: Dustin Ingram (Google), Jacques Chester (Shopify) A software repository is a critical component of any open source ecosystem: it provides a trusted central channel to publish, store and distribute…
Read More
OpenSSF Selects Node.js as Initial Project to Improve Supply Chain Security
Authors: Brian Behlendorf, OpenSSF, and Robin Bender Ginn, OpenJS Foundation Today, we’re excited to announce that Node.js is the first open source community to be supported by OpenSSF's Alpha-Omega Project.…
Read More
Free Developing Secure Software Training Course From OpenSSF Now Available
Log4Shell, SolarWinds Compromise, Heartbleed – cybersecurity breaches have become household names in recent years. These issues are costing organizations billions of dollars in prevention and remediation costs, yet at the…
Read More
Open Source is Global, So OpenSSF Must Be Too
There was once a time when we marveled at the global nature of the open source user and contributor community, when it was a thrill to get a question or…
Read More
OpenSSF Webinar: Introduction to Project Alpha-Omega
We've scheduled a webinar on February 16, 2022 at 10:00 AM US/Pacific time for anyone who wants to learn more about Project Alpha-Omega and registration is now open! Hear from…
Read More
Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4
Authors: Best Practices Working Group, Laurent Simon (Google), Azeem Shaikh (Google), and Jose Palafox (GitHub) Today, two members of the Open Source Security Foundation, Google and GitHub, are partnering to…
Read More
The OpenSSF and the Linux Foundation Address Software Supply Chain Security Challenges at White House Summit
Today marks an important moment in the Linux Foundation’s history of engagement with public sector organizations. The White House convened an important cross-section of the Open Source developer and commercial…
Read More
Open Source Foundations Must Work Together to Prevent the Next Log4Shell Scramble
As someone who has spent their entire career in open source software (OSS), the Log4Shell scramble (an industry-wide four-alarm-fire to address a serious vulnerability in the Apache Log4j package) is…
Read More
Securing Critical Open Source Projects with Multifactor Authentication
The Open Source Security Foundation (OpenSSF) Developer Best Practices Working Group has undertaken a project to improve the overall security and integrity of critical open source software projects and their…
Read More
November Town Hall Recording
On behalf of the OpenSSF community and staff, thank you to everyone who joined our quarterly town hall meeting today. If you weren't able to attend the live presentation, check…
Read More
OpenSSF Quarterly Town Hall Announcement – UPDATED
The OpenSSF community is excited to chat more in-depth about several exciting project updates and recent announcements! We hope you'll join us for our next community Town Hall, to be…
Read More
The World’s Major Technology Providers Converge to Improve the Security of Software Supply Chains
Imagine you have created an open source project that has become incredibly popular. Thousands, if not millions, of developers worldwide, rely on the lines of code that you wrote. You…
Read More
Announcing the OpenSSF Vulnerability Disclosure WG guide to disclosure for OSS projects
Authors: Anne Bertucio, Christopher Robinson, David Wheeler, OpenSSF Vulnerability Disclosure WG members https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md Vulnerability disclosure is the process of reporting, remediating, and communicating the details of a discovered vulnerability. This…
Read More
Introducing the Allstar GitHub App
Authors: Mike Maraya, Jeff Mendoza We’re excited to announce Allstar, a GitHub app that provides automated continuous enforcement of security best practices for GitHub projects. With Allstar, owners can check…
Read More
July 2021 Update – New members and new resources for Best Practices and Vulnerability Disclosures underway
The Open Source Security Foundation (OpenSSF) community is working diligently to improve the security of the open source ecosystem. This is no small mission, so we are excited to share…
Read More
How LF communities enable security measures required by the US Executive Order on Cybersecurity
Our communities take security seriously and have been instrumental in creating the tools and standards that every organization needs to comply with the recent US Executive Order Overview The US…
Read More
Introducing the Security Reviews Initiative
Author: Michael Scovetta, on behalf of the Identifying Security Threats Working Group In addition to the Security Metrics initiative, the OpenSSF is proud to announce the Security Reviews initiative. Security…
Read More
May 2021 Update: OpenSSF Unveils New Security Initiative
The Open Source Security Foundation (OpenSSF) community is working diligently to improve the security of the open source ecosystem. This is no small mission, so we are excited to share…
Read More
Introducing the Security Metrics Initiative
Author: Michael Scovetta, on behalf of the Identifying Security Threats Working Group The OpenSSF would like to announce the initial release of the Security Metrics initiative. The primary objective of…
Read More
Upcoming OpenSSF Town Hall on May 3, 2021
The OpenSSF community has been working diligently to improve the security of the open source ecosystem. We would like to share all of the great work that is happening and…
Read More
Upcoming OpenSSF Town Hall on February 22
The OpenSSF community has been working fast and furious since its formation last year to improve the security of the open-source ecosystem. We all know this is no small mission…
Read More
January 2021 Update: New Technical Vision Informs Working Group Progress
The OpenSSF community has been working fast and furious since its formation last year to improve the security of the open source ecosystem. We all know this is no small…
Read More
Digital Identity Attestation Roundup
Author: Kim Lewandowski, on behalf of the Digital Identity Attestation Working Group We kicked off the first Digital Identity Attestation Working Group meeting under the OpenSSF in August, 2020. The…
Read More
Introducing the OpenSSF CVE Benchmark
Author: Bas van SchaikToday, at Black Hat Europe, the Open Source Security Foundation (OpenSSF) unveiled its latest initiative: the OpenSSF CVE Benchmark. The benchmark consists of vulnerable code and metadata…
Read More
OpenSSF Town Hall Recording: Now Available!
The video recording of the Open Source Security Foundation (OpenSSF) “Public Town Hall” meeting of November 9, 2020 is now available! This meeting shares updates and celebrates accomplishments during the…
Read More
Security Scorecards for Open Source Projects
Author: Kim Lewandowski, Google Product Manager One of the first things I wanted to do when the OpenSSF launched was help people make better decisions about security when consuming open…
Read More
Announcing: Secure Software Development EdX course, Sign Up Today!
The Open Source Security Foundation (OpenSSF) has developed a trio of free courses on how to develop secure software. These courses are part of the Secure Software Development Fundamentals Professional…
Read More
OpenSSF Public Town Hall – November 9 2020, 10am Pacific
Please join us for the first-ever OpenSSF Town Hall Meeting on November 9, 2020 from 10 AM to 12 PM Pacific Time (US and Canada). In this meeting, we will…
Read More
OpenSSF seeks Security Community Individual Representative for Governing Board
The Open Source Security Foundation (OpenSSF) is accepting nominations for the Security Community Individual Representative seat on our Governing Board. The nomination period is open until October 23 2020, after…
Read More
