Guest Blog

How to Use Open Source to Help Comply with SCM Best Practices: A Tutorial on Combining OpenSSF Scorecard and Legitify

By Blog, Guest Blog

A few weeks ago, the OpenSSF Best Practices Working Group published the Source Code Management (SCM) Best Practices guide. This guide is the result of a collaboration of multiple leading security community members under the OpenSSF umbrella. The SCM Best Practices guide provides a comprehensive set of recommendations for securing SCM platforms like GitHub and GitLab. It also includes a list of tools that can assist in reviewing source code repositories. One example is Legitify, which helps detect all misconfigurations and security issues described throughout the project’s document.

Safeguarding Your Data – How to Harden Your Systems

By Blog, Guest Blog

In our increasingly digitized world, data reigns supreme. Alongside traditional valuable information like customer records and bank details, data on interactions and activity has become more valuable to companies. As data has become critical, it is also more at risk from theft or attacks like ransomware. According to IBM, the average data breach cost worldwide is now more than US $4.4M.

Advancing Rustls and Rust for Linux with OpenSSF Support

By Blog, Guest Blog

Prossimo continues to advance the functionality and scalability of the Rustls TLS library and the Rust for Linux effort thanks to $530,000 in funding from the OpenSSF’s Alpha-Omega project. This funding will further Prossimo’s efforts to bring memory safety to critical components of the Internet and further OpenSSF’s Alpha-Omega project’s mission to protect society by improving the security of open source software.

VDR, VEX, OpenVEX and CSAF

By Blog, Guest Blog

Early adopters of SBOM have proposed new standards, as well as updates to existing standards, to specify the status of each vulnerability alongside the SBOM itself. In this context, existing practices such as VDR and CSAF, together with the emerging standards VEX and OpenVEX, are playing a key role.

Manage how you protect your assets at scale with SBOMs

By Blog, Guest Blog

While many in the industry realize the value of having a software bill of materials, creators still need to generate high-fidelity SBOMs, and software consumers must ingest and enforce actions based on a given SBOM for it to be a useful endeavor. Otherwise, we’re just adding more to the pile of potentially useful but not entirely actionable data that plagues many cybersecurity programs. As the supply chain for software continues to grow in complexity, and as attacks on those components grow, SBOMs will provide the groundwork to manage how those assets get protected at scale.
