It’s the end of 2023, and the end of another big year for the Open Source Security Foundation (OpenSSF)! The OpenSSF is a cross-industry initiative of the Linux Foundation that is focused on sustainably securing the development, maintenance, and consumption of the open source software (OSS) that we all depend on through collaboration, best practices, and innovative solutions. We are a thriving, diverse, nonstop community. We’re pleased to share with you our annual report for this year, which highlights our many accomplishments throughout 2023 and our plans for the future.
OpenSSF Annual Report
The OpenSSF annual report brings you the top highlights of the year, updates from a dozen Working Groups (WGs) and Projects, messages from our General Manager, incoming and outgoing Chairs of the Governing Board (GB), and Chair of the Technical Advisory Council (TAC), community engagement efforts, featured headlines in the news, and more. Throughout 2023, we’ve continued to strengthen our partnerships and advance the state of open source software security.
2023 Year in Review
A few select highlights from 2023 include:
- Software Security Education: More than 22K software developers enrolled in our courses on the fundamentals of developing secure software and 1,000+ in our course on securing your software supply chain with Sigstore.
- Security Guides: Multiple guides were released aiding developers, consumers, and the security community in bolstering security measures, including our:
  - Source Code Management Platform Configuration Best Practices
  - Guide to Becoming a CVE Numbering Authority as an Open Source Project
  - Compiler Options Hardening Guide for C and C++
- OSS Security Evaluation: OpenSSF Scorecard automatically assesses OSS projects against various software security criteria, and we now run a weekly Scorecard scan of over one million OSS projects.
- Improved OSS Infrastructure & Tooling: Sigstore is used for signing releases of CPython, Kubernetes Artifacts, and as part of npm package provenance. Over 52 million entries have been recorded for signatures within Sigstore’s public signature transparency log, spanning over 22,000 unique OSS projects including Kubernetes, CPython, LLVM, KNative, Istio, and ArgoCD.
- Vulnerability Finding and Reporting: With over $13.2M provided by Amazon Web Services, Microsoft, and Google, the Alpha-Omega project works to catalyze sustainable security improvements within the most critical open source projects and ecosystems.
- Research & Publications: We partnered with LF Research on an OpenSSF software security awareness survey and published a joint whitepaper with LF Energy on Cybersecurity in Energy Infrastructure.
- Public Sector Engagement: We gathered US Government officials with industry leaders at the Secure Open Source Software Summit in September to collaborate on securing critical infrastructure. OpenSSF announced it is serving as challenge advisor on the DARPA AI Cyber Challenge (AIxCC), and we responded to the Request For Information (RFI) on open source software (OSS) security and memory safe programming languages from the US federal government.
- Community Building & Outreach: We brought together the global open source community at OpenSSF Day North America in Vancouver, Canada; OpenSSF Day Europe in Bilbao, Spain; and OpenSSF Day Japan in Tokyo, Japan, in addition to the many other ways we built a strong community dedicated to securing OSS across channels ranging from in-person events to online platforms.
Check out the OpenSSF Annual Report for more detailed information about 2023 highlights and milestones.
Looking ahead
In the upcoming year, we will focus on a few key areas to advance the mission of the OpenSSF, including fostering an inclusive community; improving open source security through partnerships with government, industry, and academia; and maintaining transparency in our organization’s operations. We look forward to continuing to work to secure the open source software community, together!