Oct 20, 2023 |
In Blog
SLSA Tech Talk Highlights
Earlier this month we held a Tech Talk on Securing the Software Supply Chain: An In-Depth Exploration of SLSA. SLSA, or Supply-chain Levels for Software Artifacts, is an OpenSSF project that provides a security framework to improve the integrity and security of packages and infrastructure. You can watch the Tech… Read more.
Oct 18, 2023 |
In Blog
OpenSSF Day Japan Agenda Now Live
The OpenSSF Day Japan agenda is now live! We have a great day of session presentations, panels, and lightning talks lined up on December 4th, colocated with Open Source Summit Japan in Tokyo, Japan. Plan to join us to discuss the latest and greatest in ongoing efforts to secure the… Read more.
Oct 17, 2023 |
In Blog
OpenSSF Welcomes New Governing Board Chair, Arun Gupta
The OpenSSF is pleased to welcome new Governing Board Chair, Arun Gupta who was elected by the OpenSSF Governing Board and will serve from October 2023 to October 2024. Join us for a conversation with new OpenSSF Board Chair, Arun Gupta. Read more.
Oct 16, 2023 |
In Blog
Reflections on 2023 Milestones from Two-Term Board Chair, Jamie Thomas
Like the open source ecosystem itself, the OpenSSF has grown and evolved during a very busy 2023. It’s no longer debatable, everyone depends upon open source software today. Two-Term OpenSSF Board Chair, Jamie Thomas, reflects on 2023 milestones. Read more.
Oct 13, 2023 |
In Blog
US Government Fact Sheet on Improving Security of Open Source Software in Operational Technology and Industrial Control Systems (OT / ICS)
This week, CISA, FBI, NSA, and the US Department of the Treasury released guidance on Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS) to assist with better management of risk from OSS use in OT/ICS and increase resilience when using available resources.… Read more.
Oct 12, 2023 |
In Blog
Introducing OpenSSF’s Malicious Packages Repository
Today, the OpenSSF Package Analysis team is excited to announce the launch of our Malicious Packages repository, the first open source system for collecting and publishing cross-ecosystem reports of malicious packages. This repository is a response to the rising incidence of attacks that include malicious open source packages. Read more.
Oct 11, 2023 |
In Blog
OpenSSF introduces the Specification Security Insights 1.0
The OpenSSF is thrilled to announce the release of version 1.0 for the Security Insights Specification. Security Insights provides a mechanism for maintainers to provide information about their projects' security processes in a machine-processable way. Formatted as a YAML file, it ensures easy readability and editing by humans as well… Read more.
Oct 10, 2023 |
In Blog
HTTP/2 Rapid Reset Vulnerability Highlights Need for Rapid Response
Open Source Software is used in critical infrastructure worldwide. As vulnerabilities like Looney Tunables, Rapid Reset, and the forthcoming cURL vulnerabilities are discovered, organizations must have a well-practiced incident response plan. We believe in risk-based responses based on business criticality. A well-informed inventory based on SBOMs is key to this… Read more.
Oct 9, 2023 |
In Blog
Recap of OpenSSF Day Europe
On September 18, 2023, we hosted OpenSSF Day Europe at the Open Source Summit Europe in Bilbao, Spain. Throughout the day, we hosted a number of sessions around the state of open source software security, discussed current initiatives and what’s next. If you weren’t able to attend, check out our… Read more.
Oct 3, 2023 |
Running Sigstore as a Managed Service: A Tour of Sigstore’s Public Good Instance
While several articles have been published about how to run your own Sigstore instance, it’s useful to understand how the public good instance is administered – both in terms of configuration and also policies and best practices. Read more.