Guest blog opportunities are open to members, with limited exceptions for active contributors and thought leaders. Share your insights on open source security with our community.
OpenSSF Blog
Dec 13, 2023 |
In Blog
Introducing SBOMit: Adding Verification to SBOMs
We’re happy to announce the launch of SBOMit – a tool to add in-toto attestations to SBOMs (Software Bills of Material). The SBOMit specification is a SBOM-format independent method for attesting components with additional verification information. Read more.
Dec 12, 2023 |
In Blog
OpenSSF End Users Working Group: Representing the Interests of Open Source Software Consumers
This month’s spotlight focuses on the OpenSSF End Users Working Group, which aims to ensure that the distinct and impactful voice of end users is heard in the development and delivery of the technical vision of The Open Source Security Foundation (OpenSSF). It represents the interests of public and private… Read more.
Dec 11, 2023 |
In Blog
OpenSSF Responds to the CISA RFC on Software Identification Ecosystem Analysis
The OpenSSF has submitted a response to the Software Identification Ecosystem Option Analysis by the US Cybersecurity and Infrastructure Security Agency (CISA). This comes in light of CISA's announcement regarding the publication of the "Software Identification Ecosystem Option Analysis," a white paper delving into options for software identification. Read more.
Dec 5, 2023 |
Finding And Fixing Bugs in Open Source Software at Scale with a Grant from Alpha-Omega
OpenRefactory is working alongside Alpha-Omega's principals to report security vulnerabilities at scale in open source projects. It works with the maintainers to get the vulnerabilities fixed. Read more.
Dec 3, 2023 |
OpenSSF Announces New Members, Guiding Software Security Principles at OpenSSF Day Japan
The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), announced new members from leading technology firms and a new set of Secure Software Development Guiding Principles at OpenSSF Day Japan. Read more.
Dec 3, 2023 |
In Blog
OpenSSF Releases Top 10 Secure Software Development Guiding Principles
Today, we are excited to announce version 1.0 of the Secure Software Development Guiding Principles. These 10 principles describe a series of foundational practices that, if followed, can help provide better assurance and security for organizations leveraging them. Though aspirational, they provide a set of core practices that producers and… Read more.
Nov 29, 2023 |
In Blog
Strengthening the Fort 🏰: OpenSSF Releases Compiler Options Hardening Guide for C and C++
In the fast-changing landscape of cybersecurity, OpenSSF has taken a significant step towards enhancing the security of C and C++ software. This effort addresses a persistent class of software defects that have affected software, including open source software (OSS), since the dawn of the Internet. By releasing a comprehensive "Compiler… Read more.
Nov 28, 2023 |
In Blog
Cybersecurity in Energy Infrastructure: The Value of Open Source Software
LF Energy and OpenSSF released a new whitepaper on how open source software is critical to the innovation and transformation of our energy infrastructure. Contrary to common misconceptions, OSS offers not just affordability and adaptability but also a robust shield against cyber threats. Read more.
Nov 27, 2023 |
In Blog
OpenSSF introduces guide to becoming a CVE Numbering Authority as an Open Source project
The Open Source Security Foundation (OpenSSF) is excited to announce a new guide for Open Source projects that are interested in issuing and managing their own CVE IDs through the CVE Numbering Authority (CNA) program. The guide is available on GitHub and will be kept up-to-date with changes to CNA… Read more.
Nov 21, 2023 |
Sigstore: Simplifying Code Signing for Open Source Ecosystems
This month’s spotlight focuses on the Sigstore project. Digital signatures play a critical role in the software supply chain, by providing verifiable attributes of authentication, integrity, and non-repudiation of artifacts as they are distributed between consumers and producers. By ensuring that the origin of the software can be reliably traced… Read more.