Feb 20, 2024 |
In Blog
OpenSSF Responds to US CISA RFI on Cybersecurity Risk and Secure by Design Software
OpenSSF has submitted a response to the Request For Information (RFI) on Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software issued by the US Cybersecurity and Infrastructure Security Agency (CISA). We have provided insightful feedback on making software secure by design, highlighting the critical… Read more.
Feb 16, 2024 |
Scaling Up Supply Chain Security: Implementing Sigstore for Seamless Container Image Signing
In this post, we will explore how Yahoo leverages Sigstore, in concert with Athenz, an open source platform for managing X.509 certificates, as an internal Certificate Authority, to sign and verify container images. Read more.
Feb 16, 2024 |
Alpha-Omega 2023 Annual Report
In 2023, Alpha-Omega provided ten grants to eight organizations totaling over $2.8 million dollars, with an average grant size of just over $350,000. In partnership with OpenSSF, Alpha-Omega's mission is to catalyze sustainable security improvements within the most critical open source projects and ecosystems. As a Directed Fund with three… Read more.
Feb 14, 2024 |
In Blog
Linux Kernel Achieves CVE Numbering Authority Status
The Linux kernel has achieved a significant milestone in open source software security. It has been authorized as a CVE Numbering Authority (CNA) by the CVE Program. Being a CNA enables the Linux kernel team to manage the vulnerabilities with more accuracy and higher quality in the future. As Linux… Read more.
Feb 13, 2024 |
In Blog
Announcing the First Ever SOSS Fusion Conference: How You Can Get Involved
We are thrilled to announce the first event Secure Open Source Software (SOSS) Fusion Conference 2024, a two-day conference hosted by the OpenSSF in Atlanta, GA. Set to take place on October 22-23, 2024, at The Hotel at Avalon, this event is dedicated to Securing Open Source Software (SOSS). The… Read more.
Feb 12, 2024 |
OpenSSF Participates in Department of Commerce Consortium Dedicated to AI Safety
The Open Source Security Foundation (OpenSSF) is participating in the Biden-Harris Administration’s first-ever Consortium Dedicated to AI Safety, led by the US Department of Commerce. We join over 200 leading artificial intelligence (AI) stakeholders in supporting the development and deployment of trustworthy and safe AI along with other Linux Foundation… Read more.
Feb 8, 2024 |
In Blog
OpenSSF Securing Software Repositories Working Group Releases Principles for Package Repository Security
Today, the OpenSSF Securing Software Repositories Working Group released v0.1 of Principles for Package Repository Security, a framework for package repositories to assess their current security capabilities and to help roadmap future improvements. Read more.
Feb 6, 2024 |
In Blog
Time is of the Essence to Mitigate Vulnerabilities like Leaky Vessels
Time is of the essence to mitigate vulnerabilities like the recent Leaky Vessels in order to reduce the chance of the vulnerabilities being exploited by attackers. As noted in Leaky Vessels: Docker and runc container breakout vulnerabilities, “Snyk security researcher Rory McNamara, with the Snyk Security Labs team, identified four… Read more.
Feb 6, 2024 |
In Blog
Post-Quantum Cryptography Alliance Launch
Today the Linux Foundation announced the launch of the Post-Quantum Cryptography Alliance (PQCA), an open and collaborative initiative to drive the advancement and adoption of post-quantum cryptography. The OpenSSF looks forward to closely collaborating with PQCA, so that high-assurance implementations of post-quantum algorithms will be widely adopted along with the… Read more.
Feb 5, 2024 |
In Blog
CVE-2023-6246 Root Access Vulnerability in glibc
The CVE-2023-6246 vulnerability in glibc can allow an attacker to escalate their local unprivileged access to the full root privilege level. CVEs like this highlight the significance of the initiatives that OpenSSF has been championing like Memory Safe Languages, Tools, and Coordinated Vulnerability Disclosure. Read more.