The Open Source Security Foundation (OpenSSF) community is working diligently to improve the security of the open source ecosystem. This is no small mission, so we are excited to share all of the work that is happening. In case you missed our recent Town Hall meeting, the resources can be found here.
First off, we’re excited to announce 10 new members have joined the OpenSSF. The commitments from companies industry-wide demonstrate the priority to secure the open source software that runs our business and our lives. Our newest members join at least 35 other companies and include Accurics, Anchore, Bloomberg Finance, Cisco Systems, Codethink, Cybertrust Japan, OpenUK, ShiftLeft, Sontaype and Tidelift.
Working Group Progress
Our working groups are where the work gets done, and contributors from across the industry have made important progress in recent months.
The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication. Its latest work includes:
- OSS Vulnerability Disclosure good practices whitepaper, targeting September to publish.
- Setting up a call with the CVE Board to hear about the changes to the program and provide them feedback from our perspective
- Ongoing talks with CERT-CC about their open sourcing their VINCE vulnerability coordination tool
The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers. Its latest work includes:
- A resource page that collects relevant security good practices, tools, resources, etc. to start advertising to OSS devs
- Rosetta Stone-style resource that shows similarities and gaps between relevant secure development frameworks/regulations
- yConnecting NIST 800-53 requirements provided by CRE project to SKF to share with developers using that tool for learning
- Scorecard 2.0 – Google Online Security Blog: Measuring Security Risks in Open Source Software: Scorecards Launches V2 (googleblog.com)
About the OpenSSF
The OpenSSF is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come.
For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved.