Skip to main content
Category

Blog

OpenSSF Makes Secure Software Development Training Available on Organizations’ Learning Management Systems

By Blog

The free “Developing Secure Software” (LFD121) online training course is now available through SCORM Connect, so that organizations with their own SCORM-compliant Learning Management Systems (LMSs) can integrate the course into their own LMSs. Making this training that is available for free through Linux Foundation Training & Certification also accessible through LMS’ where students and developers already spend time, is yet another way OpenSSF is helping developers worldwide learn how to develop secure software.

Read More

OpenSSF Funds Python and Eclipse Foundations and Acquires SOS.dev through Alpha-Omega Project

By Blog

As part of the OpenSSF’s continued investment in critical open-source projects, we are pleased to announce that the OpenSSF’s Alpha-Omega Project has committed to $800,000 in funding split equally among the Python Software Foundation (PSF) and the Eclipse Foundation to fund critical security roles. We are also happy to announce that the Secure Open Source Rewards pilot program will be managed by the Alpha-Omega Project.

Read More

Introducing Fuzz Introspector, an OpenSSF Tool to Improve Fuzzing Coverage

By Blog

We are excited to announce an initial release of Fuzz Introspector, a collaborative effort from OpenSSF members, that provides actionable insights for developers to identify fuzzing coverage blockers by analyzing functions, static call graphs, and runtime coverage information. Resolving these blockers will help unlock improved fuzzing coverage, resulting in more vulnerability discoveries and greater confidence for users in the reliability of the code they fuzz.

Read More

Testimony to the US House Committee on Science and Technology

By Blog

We’re pleased to share that Brian Behlendorf, OpenSSF General Manager, testified to the United States House of Representatives Committee on Science, Space, and Technology today. Brian’s testimony shares the work being done within the Open Source Security Foundation and broader open source software community to improve security and trustworthiness of open source software.

A copy of Brian’s written remarks are linked here.

Introducing Package Analysis: Scanning open source packages for malicious behavior

By Blog

By Caleb Brown and David A. Wheeler, on behalf of Securing Critical Projects Working Group

Today we’re pleased to announce the initial prototype version of the Package Analysis project, an OpenSSF project addressing the challenge of identifying malicious packages in popular open source repositories. In just one month of analysis, the project identified more than 200 malicious packages uploaded to PyPI and npm. 

The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run? The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously. This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem. Though the project has been in development for a while, it has only recently become useful following extensive modifications based on initial experiences.

The vast majority of the malicious packages we detected are dependency confusion and typosquatting attacks. The packages we found usually contain a simple script that runs during an install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior. Still, any one of these packages could have done far more to hurt the unfortunate victims who installed them, so Package Analysis provides a countermeasure to these kinds of attacks.

There are lots of opportunities for involvement with this project, and we welcome anyone interested in contributing to the future goals of:

  • detecting differences in package behavior over time;
  • automating the processing of the Package Analysis results;
  • storing the packages themselves as they are processed for long-term analysis; 
  • and improving the reliability of the pipeline.

Check out our GitHub Project and Milestones for more opportunities, and feel free to get involved on the OpenSSF Slack. This project is one of the efforts of the OpenSSF Securing Critical Projects Working Group. You can also explore other OpenSSF projects like SLSA and Sigstore, which expand beyond the security of packages themselves to address package integrity across the supply chain.

Your Favorite Software Repositories, Now Working Together

By Blog

Authors: Dustin Ingram (Google), Jacques Chester (Shopify)

A software repository is a critical component of any open source ecosystem: it provides a trusted central channel to publish, store and distribute open-source third-party software to all consumers. Package indexes and package managers exist for almost every software ecosystem, and share many of the same goals, features and threats.

But these repositories and related tooling have been developed independently, with little knowledge sharing between them over the years. This means the same problems get solved repeatedly, mostly in isolation. As it becomes more important to increase the overall security of these critical repositories, it has also become important for these repositories to collaborate and share knowledge.

Today, we’re announcing the creation of the Securing Software Repositories Working Group, a community collaboration with a focus on the maintainers of software repositories, software registries, and tools (like package managers) that rely on them, at various levels including system, language, plugin, extensions and container systems.

We’ve brought together many of the key maintainers, contributors and stakeholders of software repositories that are critical to many open source ecosystems, including Java, Node.js, Ruby, Rust, PHP, and Python, to participate in the group.

This working group provides a forum to share experiences and to discuss shared problems, risks and threats. It also provides a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure our respective software repositories, such as Sigstore.

You can learn more about the working group’s objectives in our repository and charter, join our meetings via the public OSSF calendar, or find us on the OpenSSF Slack in the #securing_software_repos channel. If you maintain or operate a software repository system of any kind, please join in!

OpenSSF Selects Node.js as Initial Project to Improve Supply Chain Security

By Blog

Authors: Brian Behlendorf, OpenSSF, and Robin Bender Ginn, OpenJS Foundation

Today, we’re excited to announce that Node.js is the first open source community to be supported by OpenSSF’s Alpha-Omega Project. Alpha-Omega is committing $300k to bolster the Node.js security team and vulnerability remediation efforts through the rest of 2022, with a focus on supporting better open source security standards and practices.

The open source software project Node.js is everywhere, and people put a lot of trust into the products and services that are built with Node.js, from NASA to Netflix. But many community-led JavaScript projects lack the time, people, and expertise for comprehensive security measures. Few companies that depend on Node.js contribute back to the project. Our hope is this can inspire more organizations that depend upon Node.js to also participate in its security efforts.

This assistance will relieve the pressure on Node.js project maintainers who are strained by market demands for new features while striving for a stable and secure codebase. Specifically, this will bring in security engineering resources from NearForm and Trail of Bits to support the Node.js Technical Steering Committee, help triage reports, steward security releases, improve security broadly for Node.js, and encourage implementing best practices in JavaScript projects across the industry.

Node.js carries a high criticality score for its influence and importance based on parameters established by industry security experts at OpenSSF. Almost 98% of the world’s 1.9 billion websites use JavaScript, the top programming language according to research by RedMonk and GitHub. Node.js – server-side JavaScript – was downloaded over 2 billion times in 2021. It’s pervasive across the industry, used in a significant portion of modern applications.

Both of us (Robin and Brian) are excited about this collaboration and the prospect of setting an example for both the OpenSSF and OpenJS communities.