Skip to main content
Category

Blog

OpenSSF Year in Review 2022

OpenSSF Year in Review

By Blog

The OpenSSF is a thriving, diverse, nonstop community. Across more than 30 different active software projects and other technical initiatives, we’ve been able to have the kind of reach and impact we need to put a dent in the global software security challenges we all know are only getting more intense and more costly. Today we are pleased to announce the publication of our first-ever annual report. 

Read More
Open Source Software Security

Engaging Policy Makers and the Ecosystem on Open Source Software Globally

By Blog

Throughout 2022, the Linux Foundation and OpenSSF in particular have been at the heart of a number of important conversations concerning the open source software (OSS) community and sustainability of the ecosystem. A large part of our global engagement efforts have been focused on collaborating with leaders in the public and private sector to further the ecosystem understanding of open source software security.

Read More
OpenSSF Day Japan December 5

Takeaways from OpenSSF Day Japan

By Blog

On December 5th during Open Source Summit Japan, the Open Source Security Foundation (OpenSSF) hosted OpenSSF Day Japan 2022, a half-day event dedicated to exploring ongoing efforts to improve the security of open source software (OSS). Throughout the day, contributors and thought leaders shared their ideas and experiences with OSS security through sessions on subjects like security best practices, vulnerability discovery, securing critical projects, and the future of OSS security.

Read More
Log4Shell Retrospective

Avoiding the Next Log4Shell: Learning from the Log4j Event, One Year Later

By Blog

Log4Shell, a vulnerability in the widely-used open source Java logging library Log4j, was disclosed in December 2021, roughly two months after I took the helm of the Open Source Security Foundation (OpenSSF). As I said back then, open source software (OSS) foundations must work together to prevent the next Log4Shell scramble, and the same remains true today. One year later, let’s take stock of what else we’ve learned: the core issues around software supply chain security and vulnerability disclosure, the unique nature of securing OSS, and the best techniques for improving OSS security moving forward.

Read More
Alpha-Omega First Year in Review

Alpha-Omega Project First Year In Review, Plus New Funding Pledge

By Alpha-Omega, Blog

Alpha-Omega is an OpenSSF project, established in February 2022, with a mission to protect society by improving the security of open source software through direct maintainer engagement and expert analysis, trying to build a world where critical open source projects are secure and that security vulnerabilities are found and fixed quickly. During our first year, we helped fund important security work for some of the most important open source projects and have begun to see the impact of that work. We’re happy to share our first annual report, which describes what we’ve accomplished, what we’ve learned, and the impact we hope to have in 2023.

Read More
Comparing Approaches to Measuring Criticality and Risk at the OpenSSF

Apples and apples? Comparing Approaches to Measuring Criticality and Risk at the OpenSSF

By Blog

Presenting a comparative study of the different approaches used to measure criticality and risk by a set of OpenSSF projects. Criticality is the measure of how important a package is across the global software ecosystem based on how many packages depend upon it. By combining criticality with the measure of a project’s security posture, or the risk that there may be as-yet-undiscovered vulnerabilities in software, we can prioritize the application of resources that might reduce the overall risk to the software landscape most efficiently. This work has been taken from The State of Dependency Management, the inaugural research report from Station 9, Endor Labs’ research team.

Read More
OpenSSF S2C2F

OpenSSF Expands Supply Chain Integrity Efforts with S2C2F

By Blog

A robust strategy around securing how developers consume and manage open source software (OSS) dependencies when building software is essential. The Secure Supply Chain Consumption Framework (S2C2F) is a consumption-focused/consumer-focused framework that uses a threat-based, risk-reduction approach to mitigate real world threats in Open Source Software (OSS). Today, we are pleased to announce that it has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Interest Group (SIG).

Read More