Apr 4, 2023 |
In Blog
Taking the Pulse of Leading Software Repositoriesā Security
Each software repository faces a challenging task to protect producers and consumers of open-source software. They must defend against a variety of threats, juggling a complex menu of options to harden their systems and procedures against attackers. The OpenSSF Securing Software Repository Working Group (SSR WG) last year surveyed the… Read more.
Mar 30, 2023 |
Clarifying Sigstore Terms of Use
The primary activity for The Linux Foundation projects is open collaboration on technical challenges that deliver tangible improvements for developers, companies, industries, and society at large. The focus weāve always taken is on open source code as a starting point for truly great outcomes that improve the technologies we -… Read more.
Mar 29, 2023 |
In Blog
OpenSSF Day North America Agenda Now Live
The OpenSSF Day North America agenda is now live! We will be hosting a full day of interesting session presentations, panels, and lightning talks on May 10th during Open Source Summit North America in Vancouver, Canada. Plan to join us to discuss the latest and greatest in ongoing efforts to… Read more.
Mar 28, 2023 |
The Role of Foundations in Securing OSS
Security used to be something of an afterthought in software development. Security was clunky or inconvenient, often because it was a ābolt-onā. That has rapidly changed over the last two years. Now, the world has finally realised that security needs to be ābaked-inā, not ābolted-onā.Ā Meaningful and impactful improvements can be… Read more.
Mar 27, 2023 |
In Blog
SBOM Everywhere Update and Python SPDX-Tools
SBOM Everywhere is a Special Interest Group (SIG) within the Security Tooling Working Group of the OpenSSF. In September we funded work on the SPDX Python library and are now happy to report the recent 0.7.0 release of the Python SPDX-Tools package, which is available to download on GitHub and… Read more.
Mar 22, 2023 |
In Blog
Improving Open Source Security through Collaboration: March 2023 OpenSSF Town Hall Highlights
Thanks to everyone who attended our recent Town Hall on March 16th where we gave an update on initiatives at the OpenSSF, shared presentations about various initiatives at the OpenSSF, and participants had an opportunity to ask questions to panelists. If you were unable to attend, here are a few… Read more.
Mar 20, 2023 |
Improving Supply Chain Security: IBM as a user and a contributor to Open Source Security Foundation Scorecard
Scorecard is becoming a key part of IBMās review and curation of the open-source software in our products and services. IBM is committed to helping address the systemic security issues in modern SW supply chains and believes an important part of this effort is to help the open-source ecosystem improve… Read more.
Mar 15, 2023 |
New SLSA++ Survey Reveals Real-World Developer Approaches to Software Supply Chain Security
Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software professionals view these practices as useful or not? Easy or hard? To help answer these and related questions, Chainguard, the… Read more.
Mar 9, 2023 |
In Blog
Draft Version 1.0 of SLSA Open for Comments
Supply-chain Levels for Software Artifacts (SLSA, pronounced āsalsaā) is an OpenSSF project that provides specifications for software supply chain security, established by industry consensus. SLSAās framework is organized into a series of levels that describe increasing security rigor. Version 0.1 of the SLSA specification has been out for some time.… Read more.
Mar 8, 2023 |
Why Open Source is Infrastructure, and Why it Matters
A new report by the Atlantic Councilās Cyber Statecraft Initiative helps draw light on the question on what "open source as infrastructure" really means, and why it matters: Avoiding the success trap: Toward policy for open-source software as infrastructure. Read more.