Skip to main content

📣 Submit your proposal: OpenSSF Community Days: Japan | India | Europe

search
Category

Blog

Oct 29
Love0

OpenSSF Welcomes New Members and Introduces New Initiatives at SOSS Community Day Japan

By Blog, Press Release

Growing Member Base and New Initiatives Continue to Advance Open Source Software Security

TOKYO, JAPAN – October 30, 2024 – The Open Source Security Foundation (OpenSSF), a global cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), is excited to announce new members from leading technology, security, and research firms. The OpenSSF is also thrilled to host Secure Open Source Software (SOSS) Community Day at Open Source Summit Japan 2024, bringing together community members, maintainers, and contributors from across the globe.

New general member commitments from Arm, embraceable AI and Fujitsu along with new associate member commitments from Ruby Central and Trifecta Tech further strengthen the support for open source software security. With backing from these new organizations, the OpenSSF heads into the final quarter of 2024 with a robust member base dedicated to promoting a strong, vibrant, and secure open source software ecosystem.

“The addition of our newest members to the OpenSSF highlights the growing global commitment to strengthening open source software security,” said Arun Gupta, Vice President and General Manager, Developer Programs at Intel and OpenSSF Governing Board Chair. “By joining forces, we can address security challenges, foster innovative solutions, and build a safer digital future for everyone. With the support of these new members, we are further enabled to drive forward our shared mission.”

To celebrate its growing community, the OpenSSF is hosting SOSS Community Day Japan at Open Source Summit Japan 2024. SOSS Community Day Japan is an opportunity for community members from across the open source security ecosystem to come together and share ideas. With an agenda packed with sessions led by industry experts, the event will cover critical topics like education, innovation, tooling, vulnerabilities, and threats, showcasing the ongoing efforts of the OpenSSF community to enhance open source software security.

General Member Quotes

Arm

“At Arm, we recognize that collaboration is key to advancing the security of the global software ecosystem. By joining OpenSSF, we look forward to contributing to its mission of raising the bar on open source software security and underscoring our dedication to fostering standardization across the industry to give developers the confidence and tools they need to innovate.”

— Andrew Wafaa, Senior Director and Fellow, Software Communities, Arm

embraceable AI

“Security in the realm of AI is not just a feature; it’s the foundation of trust. As we empower enterprises with intelligent services, we prioritize safeguarding data and ensuring privacy, so our clients can innovate fearlessly.”  

— Dr.-Ing. Christian Gilcher, General Manager, embraceable AI 

Fujitsu

“Fujitsu is proud to have achieved conformance with OpenChain ISO/IEC 18974, demonstrating our commitment to open source compliance and excellence. Our next step is to join the OpenSSF. We take our dedication a step further to enhance the security and trustworthiness of the global software supply chain. Open source software is a key driver of innovation, and we look forward to collaborating with the OpenSSF community to ensure the resilience and transparency of the technologies shaping our future.”

— Teppei Asaba, Senior Director, Mission Critical System Business Unit, Fujitsu Limited

Associate Member Quotes

Ruby Central

“Joining OpenSSF aligns perfectly with Ruby Central’s commitment to advancing the security of open source ecosystems. By collaborating with OpenSSF and its community of forward-thinking organizations, we’re excited to bring our expertise from the Ruby ecosystem and work together on solutions that enhance the security and sustainability of open source software for all developers.”

— Marty Haught, Interim Open Source Lead, Ruby Central

Trifecta Tech

“We are excited to join the OpenSSF as an associate member as we continue to actively contribute to the security of the open source software we all rely on. Trifecta Tech Foundation is a non-profit working on safer software for the underlying infrastructure of the Internet and vital systems for water, energy, and communication. We develop and maintain open source software and contribute to open standards for these essential systems. Our projects include memory-safe alternatives to critical pieces of software like sudo, the Network Time Protocol, and zlib.”

— Erik Jonkers, Chair, Trifecta Tech Foundation

New Initiatives 

In addition to welcoming new members, OpenSSF is excited to announce several new initiatives aimed at bolstering open source software security.

Minder: contributed by Stacklok, is now a sandbox project within OpenSSF. Minder simplifies the integration and use of powerful security tools like OSV, OpenSSF Scorecard, and Sigstore, allowing developers and security teams to establish policies on code repositories and dependencies, reducing risk before and after code is merged.

bomctl: A format-agnostic Software Bill of Materials (SBOM) tooling project introduced in September 2024, aimed at enhancing SBOM generation and management across various formats.

Zarf: created by Defense Unicorns, launched in July 2024, Zarf is a free, open source tool enabling continuous software delivery on systems disconnected from the internet, facilitating secure software distribution in air-gapped environments.

These new initiatives demonstrate the OpenSSF’s continued dedication to fostering innovation and providing tools to enhance open source software security across diverse use cases.

Additional Resources

  • View the complete list of OpenSSF members.
  • To learn more about the OpenSSF community, including information about membership, contribution, project participation, and more, contact us.

###

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit openssf.org.

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Tanner
Look Left Marketing
openssf@lookleftmarketing.com

Oct 24
Love0

Case Study: Kusari’s Implementation of OpenSSF Tools and Services

By Blog, Case Studies

Challenge

For many years, the software supply chain has suffered from a lack of transparency and inefficient, unsustainable security management methods such as spreadsheets, emails, and word of mouth. The severity of these challenges was highlighted during incidents like Log4Shell, where the limitations of these approaches became evident — organizations struggled to identify where Log4J was used, and many applications continue to use vulnerable versions of this library years later. Meanwhile, the costs and regulatory requirements of attacks and vulnerabilities continue to increase. The founders of Kusari, driven by their passion and personal experiences with these problems, sought to create scalable and robust security solutions for their customers and users.

Solution

To address these challenges, Kusari created and co-developed the tool GUAC (Graph for Understanding Artifact Composition). GUAC integrates data from various OpenSSF tools and specifications to secure Kusari’s platform software and infrastructure. Kusari uses AllStar to enforce best practices for source code repositories and Scorecard to assess repositories for best practice adherence and highlight areas of concern. By adopting SLSA (Supply Chain Levels for Software Artifacts), Kusari follows Level 3 practices for building projects and generating provenance. OpenVEX is used to communicate the vulnerability status of software, while S2C2F (Supply-Chain Levels for Secure Commercial Facilities) ensures rules are followed for safely ingesting open source software. GUAC aggregates data from multiple sources like Scorecard, SLSA, OpenVEX, SBOM, OSV, and deps.dev to analyze supply chain risks and ensure compliance with S2C2F rules.

According to Parth Patel, Co-founder & Chief Product Officer at Kusari, “Working with OpenSSF projects is an invaluable part of building Kusari – both as a company and an enterprise platform. Participating in open source communities allows us to shape the future of software supply chain technology. The work we invest in OpenSSF communities pays off in having reliable software tools to build and integrate with the security ecosystem.”

Results

The implementation of these tools has significantly enhanced Kusari’s ability to manage and mitigate software supply chain risks. The adoption of open specifications like SLSA, S2C2F, and OpenVEX allows Kusari to generate and consume supply chain data that is broadly supported in the community. Tools like AllStar, Scorecard, and Sigstore help enforce best practices in code, build, and delivery processes. GUAC enables Kusari to ingest and analyze standardized metadata from multiple OpenSSF tools, providing a clear understanding of supply chain risks and facilitating quick responses to security incidents.

Engagement with OpenSSF Community

Kusari engages with the OpenSSF community in various capacities, including as maintainers and users of AllStar, GUAC, and SLSA, and as TAC sponsors for GitTUF, SBOMit, and S2C2F. This engagement is a way for us to innovate and give back within the open source community. Kusari is committed to helping shape and develop the future of software supply chain security. You can regularly find us in meetings with the Supply Chain Integrity Working Group; come join in. 

Benefits and Challenges

Open specifications and tools provide flexibility for integration and modification, ensuring better interoperability. Security has a long history of being closed and vendor-centric, but that’s changing. Collaboration is required to protect effectively against current and future threats. That’s why Kusari is passionate about being a creator, maintainer, contributor and user of open source security tools. 

Striking a balance between vendor support and community-driven efforts is crucial for sustainable success in open source projects. Arun Gupta, vice president and general manager of Open Ecosystem Initiatives at Intel and OpenSSF governing board chair emphasizes, “It’s vital that we foster collaboration between vendors and the open source community in a collaborative manner that respects the community. This balance is key to achieving a secure software ecosystem.”

Future Plans

Kusari plans to adopt additional OpenSSF tools such as GitTUF as they mature and looks forward to developments from SBOMit.

Conclusion

Kusari’s integration of OpenSSF tools and specifications has significantly bolstered its software supply chain security, providing scalable and efficient solutions for managing vulnerabilities. Through active participation in the OpenSSF community, Kusari continues to contribute to and benefit from the evolving landscape of open source security.

 

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved
Close Menu