Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea | Open Source SecurityCon

Category

Case Studies

Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration

By Blog, Case Studies

Ericsson, a global leader in telecommunications and networking, has been deeply engaged in open source and software security for over a decade. Through its Open Source Program Office (OSPO), Ericsson coordinates its participation across multiple foundations and initiatives, including the Open Source Security Foundation (OpenSSF). This case study highlights Ericsson’s collaboration with the OpenSSF, with a specific focus on their C/C++ Compiler Option Hardening Guide, which has served as both an internal resource and a community contribution.

Problem

C++ remains a foundational language in many critical systems, but it’s notoriously difficult to use securely. Given the massive volume of existing C and C++ code underpinning today’s infrastructure, many organizations today face a familiar dilemma: how to improve the security of these systems without the unrealistic burden of rewriting everything in a memory-safe programming language. The team recognized the need for a pragmatic solution that could strengthen existing infrastructure.

Solution

Ericsson, together with partners found through its engagement in the OpenSSF, developed and released the C/C++ Compiler Option Hardening Guide as a practical approach to increasing software security through better compiler configurations. The guide maps out various hardening flags and compiler options, analyzing their implications on performance and security. Originally drafted by Ericsson’s product security team, the initial guide was donated to the OpenSSF and is now jointly developed in the Best Practices Working Group of the OpenSSF.

Open sourcing the guide proved invaluable. By contributing it to the OpenSSF, Ericsson gained access to a wider range of expertise—receiving high-quality feedback from compiler maintainers, Linux distribution contributors, and others across the ecosystem. These external insights not only validated Ericsson’s approach but improved the guide itself.

Results

  • The guide has been promoted internally at Ericsson and adopted or experimented with by community projects and organizations such as Wireshark, Chainguard, and the CPython project.
  • Feedback from community experts helped refine the guide, especially regarding how different compiler flags interact in real-world builds.
  • Ericsson’s work raised broader awareness about the importance of compiler-level hardening and provided a widely usable educational resource.
  • The collaborative development process reinforced the value of community feedback loops and pragmatic security practices.

Secondary Initiatives

In addition to the compiler guide, Ericsson is co-chairing the Best Practices Working Group and leading the development of a Python Secure Coding Guide therein.. The team also benefits from other OpenSSF work, such as threat modeling and participation in the AI/ML security working group.

“We’ve seen tremendous value in contributing our C/C++ Compiler Options Hardening Guide to the OpenSSF. The community feedback significantly improved the guide and validated our approach. It’s a win-win—for our internal teams and the broader open source ecosystem.” — Mikko Karikytö, Head of Product Security & CPSO 

Future Plans

Ericsson plans to continue contributing to and evolving its secure coding practices through collaboration with the OpenSSF. As part of that commitment, Ericsson encourages peers in telecom, networking, and adjacent industries to explore the C/C++ Compiler Options Hardening Guide, apply its recommendations, and contribute to its ongoing improvement.

🔹 Visit Ericsson’s Open Source Program Office (OSPO) page to learn more about their broader open source strategy.

🔹 Get involved with the OpenSSF Best Practices Working Group to shape and support secure software development practices.

About Ericsson and OpenSSF

Ericsson has been a vocal advocate for responsible open source use and software security. Its OSPO leads efforts across multiple standards bodies and open source foundations. The OpenSSF provides a vendor-neutral forum for collaboration on secure software development and supply chain security.

For more case studies, visit: https://openssf.org/case-studies/

Case Study: Kusari’s Implementation of OpenSSF Tools and Services

By Blog, Case Studies

Challenge

For many years, the software supply chain has suffered from a lack of transparency and inefficient, unsustainable security management methods such as spreadsheets, emails, and word of mouth. The severity of these challenges was highlighted during incidents like Log4Shell, where the limitations of these approaches became evident — organizations struggled to identify where Log4J was used, and many applications continue to use vulnerable versions of this library years later. Meanwhile, the costs and regulatory requirements of attacks and vulnerabilities continue to increase. The founders of Kusari, driven by their passion and personal experiences with these problems, sought to create scalable and robust security solutions for their customers and users.

Solution

To address these challenges, Kusari created and co-developed the tool GUAC (Graph for Understanding Artifact Composition). GUAC integrates data from various OpenSSF tools and specifications to secure Kusari’s platform software and infrastructure. Kusari uses AllStar to enforce best practices for source code repositories and Scorecard to assess repositories for best practice adherence and highlight areas of concern. By adopting SLSA (Supply Chain Levels for Software Artifacts), Kusari follows Level 3 practices for building projects and generating provenance. OpenVEX is used to communicate the vulnerability status of software, while S2C2F (Supply-Chain Levels for Secure Commercial Facilities) ensures rules are followed for safely ingesting open source software. GUAC aggregates data from multiple sources like Scorecard, SLSA, OpenVEX, SBOM, OSV, and deps.dev to analyze supply chain risks and ensure compliance with S2C2F rules.

According to Parth Patel, Co-founder & Chief Product Officer at Kusari, “Working with OpenSSF projects is an invaluable part of building Kusari – both as a company and an enterprise platform. Participating in open source communities allows us to shape the future of software supply chain technology. The work we invest in OpenSSF communities pays off in having reliable software tools to build and integrate with the security ecosystem.”

Results

The implementation of these tools has significantly enhanced Kusari’s ability to manage and mitigate software supply chain risks. The adoption of open specifications like SLSA, S2C2F, and OpenVEX allows Kusari to generate and consume supply chain data that is broadly supported in the community. Tools like AllStar, Scorecard, and Sigstore help enforce best practices in code, build, and delivery processes. GUAC enables Kusari to ingest and analyze standardized metadata from multiple OpenSSF tools, providing a clear understanding of supply chain risks and facilitating quick responses to security incidents.

Engagement with OpenSSF Community

Kusari engages with the OpenSSF community in various capacities, including as maintainers and users of AllStar, GUAC, and SLSA, and as TAC sponsors for GitTUF, SBOMit, and S2C2F. This engagement is a way for us to innovate and give back within the open source community. Kusari is committed to helping shape and develop the future of software supply chain security. You can regularly find us in meetings with the Supply Chain Integrity Working Group; come join in. 

Benefits and Challenges

Open specifications and tools provide flexibility for integration and modification, ensuring better interoperability. Security has a long history of being closed and vendor-centric, but that’s changing. Collaboration is required to protect effectively against current and future threats. That’s why Kusari is passionate about being a creator, maintainer, contributor and user of open source security tools. 

Striking a balance between vendor support and community-driven efforts is crucial for sustainable success in open source projects. Arun Gupta, vice president and general manager of Open Ecosystem Initiatives at Intel and OpenSSF governing board chair emphasizes, “It’s vital that we foster collaboration between vendors and the open source community in a collaborative manner that respects the community. This balance is key to achieving a secure software ecosystem.”

Future Plans

Kusari plans to adopt additional OpenSSF tools such as GitTUF as they mature and looks forward to developments from SBOMit.

Conclusion

Kusari’s integration of OpenSSF tools and specifications has significantly bolstered its software supply chain security, providing scalable and efficient solutions for managing vulnerabilities. Through active participation in the OpenSSF community, Kusari continues to contribute to and benefit from the evolving landscape of open source security.