OpenSSF Scorecard is a tool to help open source projects reduce software supply-chain risks. Scorecard analyzes projects against a series of heuristics and generates scores from 0–10 for the project…
Read More
The compromise of VoIP provider 3CX is just one of the latest incidents to highlight gaps in software supply chain security - and the need for a new approach to…
Read More
In this post, we will explore how Yahoo leverages Sigstore, in concert with Athenz, an open source platform for managing X.509 certificates, as an internal Certificate Authority, to sign and verify…
Read More
Open source vulnerability scanners now increasingly support OpenVEX, helping open source users reduce the pain of managing vulnerabilities and the burden of false positives. These new integrations with OpenVEX can…
Read More
OpenRefactory is working alongside Alpha-Omega's principals to report security vulnerabilities at scale in open source projects. It works with the maintainers to get the vulnerabilities fixed.
Read More
A few weeks ago, the OpenSSF Best Practices Working Group published the Source Code Management (SCM) Best Practices guide. This guide is the result of a collaboration of multiple leading…
Read More
In our increasingly digitized world, data reigns supreme. Alongside traditional valuable information like customer records and bank details, data on interactions and activity has become more valuable to companies. As…
Read More
While several articles have been published about how to run your own Sigstore instance, it’s useful to understand how the public good instance is administered – both in terms of…
Read More
Prossimo continues to advance the functionality and scalability of the Rustls TLS library and the Rust for Linux effort thanks to $530,000 in funding from the OpenSSF’s Alpha-Omega project. This…
Read More
Early adopters of SBOM have proposed new standards as well as updates to existing standards to specify the status of each vulnerability alongside the SBOM itself. In this context, existing…
Read More