Mar 25

OpenSSF Newsletter – March 2025

By OpenSSF Newsletter

Welcome to the March 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR

This month, the OpenSSF invites you to participate in global Community Days and explore new initiatives to strengthen open source security throughout 2025. Tune in to the latest podcast episode highlighting key insights from leaders at Intel and GitHub, learn about the recent Policy Summit in Washington, D.C., and enroll in the new, free cybersecurity course designed specifically for software development managers. Plus, stay informed about exciting project updates and upcoming community events!

Join us at OpenSSF Community Day Events in North America, India, Japan, and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Denver, Colorado – June 26, 2025
Tokyo, Japan – June 18, 2025
Hyderabad, India – August 4, 2025
Amsterdam, Netherlands – August 28, 2025

✅ Secure your spot – Register today!

✅ Have insights to share? Submit to speak before CFP closes!

✅ Support the mission – Become a sponsor!

Join us in shaping a safer and more secure digital world.

2025 OpenSSF Content Themes: Strengthening Open Source Security Throughout the Year

Content_theme

Cybersecurity is an ongoing challenge, and OpenSSF is leading efforts to strengthen open source security in 2025. This blog outlines the key content themes for the year, from strengthening OSS ecosystems to enhancing security tools and addressing vulnerabilities. Each month, OpenSSF will explore these critical topics through events, expert discussions, and blog contributions. Stay updated on these discussions and learn how you can contribute to OpenSSF’s mission.

What’s in the SOSS? An OpenSSF Podcast is back for Season 2!

In Season 2’s first episode, CRob chats with Arun Gupta (Intel, OpenSSF Governing Board Chair) and Zach Steindler (GitHub, OpenSSF TAC Chair) about lessons learned in open source security from 2024 and what’s ahead for 2025.

How the Mission, Vision, Values, Strategy, and Roadmap (MVVSR) framework is shaping OpenSSF’s focus
The biggest security challenges faced in 2024, from supply chain attacks to SBOM adoption
Exciting initiatives for 2025—including making security more accessible to open source maintainers

Join the conversation and get insights into the future of open source security. Listen now and stay tuned as we announce our new co-host!

OpenSSF Hosts 2025 Policy Summit in Washington, D.C. to Tackle Open Source Security Challenges

The OpenSSF successfully hosted the 2025 Policy Summit in Washington, D.C., bringing together industry leaders and security experts to address open source security challenges. The event featured keynotes, panel discussions, and breakout sessions focused on AI security, software supply chain governance, and policy recommendations for secure OSS consumption.

“The OpenSSF is committed to tackling the most pressing security challenges facing the consumption of open source software in critical infrastructure and beyond ” said Steve Fernandez, General Manager, OpenSSF.

Discussions highlighted the importance of industry-led security initiatives, collaboration with policymakers, and the need for standardized security frameworks. Following the summit, OpenSSF will refine security guidance and best practices to enhance open source software security globally. Learn more about the event, key takeaways, OpenSSF’s Vision, and how to get involved in shaping open source security policy.

NEW FREE COURSE: Security for Software Development Managers (LFD125)

Security for Software Development Managers course

The OpenSSF and Linux Foundation Education have launched a new, free cybersecurity e-Learning course, Security for Software Development Managers (LFD125). Designed for those who manage or aspire to manage developer teams, this course covers critical security concepts needed to build resilient applications. Participants will learn how to identify vulnerabilities, implement proactive security measures, and guide their teams in creating secure software. Security for Software Development Managers (LFD125) is a self-paced, 2-hour course that includes access to a discussion forum for engagement with experts and peers. Upon successful completion, participants receive a digital badge and certificate.

Enroll today and strengthen your leadership skills in software security!

News from OpenSSF Community Meetings and Projects

Zarf released version v0.49.1 including bug fixes and enhanced logging.
Security Tooling WG had a discussion about the possibility of OpenBao becoming an OpenSSF project.
Global Cyber Policy WG is working to establish a “steward.md” file for OSS projects to declare what organization is the steward of the project.
Security Baseline has added an FAQ page to the website.
Securing Software Repositories WG is working on package yanking guidance for repositories.
Vulnerability Disclosure WG will host a purl + CPE workshop at VulnCon.
Model Signing project is working toward a v1 release.
Memory Safety SIG completed a PR for OpenSSF Scorecard that checks if the code uses non memory safe practices for the repository languages.
SLSA has published onboarding instructions for the SLSA Source PoC and invites any feedback via GitHub issues.

In the News

Meet OpenSSF at These Upcoming Events!

FIRST VulnCon 2025: April 7-10, 2025
RSA Conference: April 28 – May 1, 2025
OpenSSF Community Day Japan: June 18, 2025
OpenSSF Community Day North America 2025: June 26, 2025
OpenSSF Community Day India 2025: August 4, 2025
DefCon 2025: August 7-10, 2025
OpenSSF Community Day Europe 2025: August 28, 2025

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, Bluesky, and LinkedIn

See You Next Month!

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!

Regards,

The OpenSSF Team

Feb 26

Love0

OpenSSF Newsletter – February 2025

By OpenSSF Newsletter

Welcome to the February 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Learn more:
- Open Source Software in Public Policy
- EU Cyber Resilience Act (CRA)

Join us at OpenSSF Community Day Events in North America and Europe 2025!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Denver, Colorado – June 26, 2025
Amsterdam, Netherlands – August 28, 2025

✅ Secure your spot – Register today!
✅ Have insights to share? Submit to speak before CFP closes!
✅ Support the mission – Become a sponsor!

Join us in shaping a safer and more secure digital world.

OpenSSF Announces Initial Release of the Open Source Project Security Baseline

The Open Source Security Foundation (OpenSSF) has announced the initial release of the Open Source Project Security Baseline (OSPS Baseline)—a new initiative designed to help open source projects enhance their security posture through tiered best practices. The OSPS Baseline aligns with global cybersecurity frameworks, including the EU Cyber Resilience Act (CRA) and NIST Secure Software Development Framework (SSDF), making it easier for maintainers and contributors to adopt practical security measures.

With adoption commitments from projects like GUAC, OpenVEX, bomctl, and Open Telemetry, the OSPS Baseline is already helping open source communities strengthen their security foundations. This release marks a significant step toward providing maintainers with clear, actionable security guidance that grows alongside their projects. Learn more.

Does the EU CRA affect my business?

DoestheEUCRAAffectMyBusiness

The European Union’s Cyber Resilience Act (CRA), which came into effect on December 10, 2024, introduces significant cybersecurity requirements for products sold or commercially available in the EU market. With wide-ranging impacts set to take effect by November 2026, businesses must assess whether they fall under the CRA’s scope and take necessary steps for compliance.

This blog provides key insights into how the CRA applies to Products with Digital Elements (PDEs), its implications for manufacturers, businesses, and open source projects, and what steps organizations need to consider. While some view it as an added burden, cybersecurity professionals see it as an opportunity to strengthen security practices across the software supply chain.

If you develop software, hardware, or services that interact with digital products in the EU, understanding the CRA is critical. Read the full blog to determine if the CRA affects your business and how you can prepare for compliance.

Securing Public Sector Supply Chains is a Team Sport

Everyone is increasingly aware that software supply chain security is critical, but the challenges in the public sector come with added complexity—stringent policies, high-risk exposure, and slow approval processes. In this blog, Daniel Moch (Lockheed Martin) explores the unique security hurdles faced by public sector organizations and how the open source community, alongside OpenSSF, can help mitigate them.

From SLSA Provenance and VEX adoption to reputation-based contributor scoring, the blog outlines practical ways to enhance supply chain transparency and security. Read on to discover how collaborative efforts can make software security stronger for everyone. Read the blog here.

Linux Foundation Europe and OpenSSF Launch Initiative to Prepare Maintainers, Manufacturers, and Open Source Stewards for Global Cybersecurity Legislation

CRA Press Release

Linux Foundation Europe and OpenSSF have launched a global initiative to help open source communities navigate the EU Cyber Resilience Act (CRA) and worldwide cybersecurity regulations. The effort will focus on cybersecurity standards, compliance frameworks, and tooling to support maintainers and manufacturers. Learn more about this collaborative effort and how to get involved. Read the announcement here.

Alpha-Omega 2024 Annual Report

Alpha-Omega’s 2024 Annual Report highlights major strides in open source security, including $6 million in grants to strengthen critical projects like the Linux kernel, Python Software Foundation, and RubyGems. Through funding, security audits, and scaled vulnerability fixes, Alpha-Omega has helped build a sustainable security culture across the open source ecosystem. Discover the impact of these investments and the vision for 2025 in the full report. Read the blog and full report here.

News from OpenSSF Community Meetings and Projects:

Help OpenSSF improve by taking 5 minutes to fill out our Community Survey.
GUAC published its 2024 in review.
Global Cyber Policy WG had in-person meetups at FOSDEM. Notes here. They are setting up a new meeting series and drafting a mission statement for the EU CRA Standardization SIG https://doodle.com/group-poll/participate/dL0rpGWd.
SLSA completed and merged updates to its governance document.
gittuf released version 0.9.0.
SBOM Everywhere SIG SIG previewed using AI tooling to help update the SBOM Landscape catalog.
OpenSSF Scorecard has a new donation submission for an Azure Pipelines task.
Central now performs Sigstore Signature Validation (Java) https://central.sonatype.org/news/20250128_sigstore_signature_validation_via_portal/
Securing Software Repositories WG is hiring a technical writer to create guidance on when to allow a previously published package to be deleted from software repositories.
Three Working Groups submitted new quarterly updates to the TAC: BEAR, Vulnerability Disclosure, and Supply Chain Integrity.
Protobom added Allen Shearin as a maintainer.
Security Baseline has two open pull requests to refactor the baseline compiler, extending the cli to support more use cases and making the loader and generator easier to use.

In the News:

Meet OpenSSF at These Upcoming Events!

OpenSSF Policy Summit DC 2025: March 4, 2025
OpenSSF Community Day North America 2025: June 26, 2025
OpenSSF Community Day Europe 2025: August 28, 2025

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, Bluesky, and LinkedIn

See You Next Month!

Regards,

The OpenSSF Team

Jan 23

Love0

OpenSSF Newsletter – January 2025

By OpenSSF Newsletter

Welcome to the January 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Submit to Speak: OpenSSF Community Day
Suggest a Speaker: Podcast
Follow: LinkedIn, X, Mastodon, and BlueSky

Call for Proposals: OpenSSF Community Day NA 2025!

The CFP is now open for OpenSSF Community Day North America 2025, happening June 26 in Denver, CO! Share your insights, success stories, and innovations with the open source security community.

Key Dates:

CFP Closes: March 23, 2025
Event Date: June 26, 2025

Submit 5-, 10-, 15-, or 20-minute talks on topics like AI and ML in security, supply chain resilience, regulatory compliance, and more. First-time speakers welcome!

Submit Your Proposal Now

We Need Your Input!

Take a short survey to help the OpenSSF, LF Research, and LF Europe assess the open source community’s readiness for the EU Cyber Resilience Act and other emerging regulatory challenges. Your insights will shape best practices and prepare the ecosystem for what’s ahead.

Take the survey

Bonus for participating:

Get a 35% discount on any Linux Foundation e-learning course or certification exam (valid until May 1, 2025).

Added bonus: For every completed survey, LF Research will donate to the Linux Foundation’s Travel Fund, supporting open source developers and community members in attending events they might otherwise miss.

Your participation helps strengthen our community—thank you! The survey closes Friday, Jan. 24, 2025.

CRA Stewards and Manufacturers Workshop: Key Takeaways and Next Steps

Last month the Linux Foundation Europe and the OpenSSF teams held a workshop focused on the implications of the recently published Regulation (EU) 2024/2847, commonly known as the Cyber Resilience Act or CRA. The 2024 Stewards and Manufacturers Workshop in Amsterdam was a highly successful event where members from across the Linux Foundation, other upstream open source foundations, community experts, and government officials came together to get a common understanding of the obligations of both Manufacturers and Stewards, and how each group needs to collaborate together as the legislation starts to go into effect over the next three years.

Learn more

What’s in the SOSS? Podcast #23 – Kusari’s Michael Lieberman Talks GUAC, SLSA and Securing the Open Source Supply Chain

In the latest episode of What’s in the SOSS?, CRob chats with Michael Lieberman, CTO and co-founder of Kusari, about supply chain security in the open source ecosystem. They discuss Michael’s journey in open source, his work with SLSA and GUAC, practical tips for addressing SBOMs, and his vision for the future of OSS security. Michael also shares advice for aspiring contributors and thoughts on what’s next for supply chain security.

Listen Now

Have a subject idea or know someone inspiring we should feature? Email us at marketing@openssf.org!

SOSS Community Day India 2024: Wrap Up

SOSSIndiaWrapUp

Towards the end of 2024, we hosted the inaugural SOSS Community Day India, and we’re thrilled to share that it was a resounding success! This remarkable event brought together some of the most active open source contributors in the industry for a day filled with sharing, learning, and collaboration

What made this gathering truly special was being co-located with KubeCon + CloudNativeCon India 2024. With over 350 registrations (and a waiting list, no less!), we saw a truly varied set of personas join us for this unforgettable experience. Engineers, legal professionals, CXOs, and students all came together to share their expertise, showcase their projects, and learn from one another.

Learn more

Accelerating OpenSSF Adoption: Unlocking Scorecard Insights with a Centralized Dashboard

Open source components power 90% of modern applications but pose security risks like vulnerabilities and supply chain attacks. The OpenSSF Scorecard evaluates projects on critical security metrics, while the new Ortelius OpenSSF Dashboard aggregates these results at the application level, providing transparency and actionable insights to secure your software.

Discover how these tools can help you trust your dependencies and strengthen open source security.

Learn more

Predictions for Open Source Security in 2025: AI, State Actors, and Supply Chains

Predictionsof2025

Open source software powers nearly all modern applications, yet its vulnerabilities make it a prime target for cyberattacks. High-profile incidents like the xz Utils backdoor highlight growing threats from state actors and cybercriminals. The rise of AI tools like GenAI amplifies these risks, enabling scaled phishing campaigns and fake contributors to erode trust.

To protect open source as a global asset, greater investment, improved governance, and faster patching are critical.

Learn more

News from OpenSSF Community Meetings and Projects:

Global Cyber Policy WG is planning an in-person meetup for those attending FOSDEM. Doodle poll is here.
Vulnerability Disclosures: The VulnCon CFP deadline has been extended to Jan 31, 2025
Security Baseline reviewed 7 open PRs and 5 were merged. Two current open PRs: #130 & #116. Moving to a Pilot program stay tuned for more details.
Sigstore: Cosign has a new release coming soon, and Ruby 3.4 added support for attestations. Several from the project will be at FOSDEM.
EDU.SIG continues to collaborate on Developer Manager training & Security Architecture training.
C/C++ Compiler Options Best Practices has three PRs in active review: #706, #694, & #284.
Securing Software Repositories submitted a TAC funding request for a technical writer for package yanking guidance.
Minder held its first community meeting and covered the goals of the project, results from the recent “Ruleathon”, and feature requests. Minder will have a “Provider Deep Dive” presentation at the Jan. 27 Minder Monday meeting.
DevRel discussed 2025 goals including an OpenSSF Reference Architecture, event participation, editorial focus, and recruitment.
Memory Safety SIG the team working on OpenSSF Scorecard probes provided a demo.
OpenSSF Scorecard is reviewing a PR for GitHub git compatibility mode.
gittuf is planning to advance from Alpha to Beta status soon.

In the News:

Darkreading: The Shifting Landscape of Open Source Security
Security Boulevard: Census III Study Spotlights Ongoing Open Source Software Security Challenges
Help Net Security: What Open Source Means for Cybersecurity
Risky Biz News: Risky Bulletin: CISA Sent 2,100+ Pre-ransomware Alerts This Year
Good Tech: Open Source Trends and Challenges Revealed in New Study
SecurityExpress.info: 96% of Codebases Use Open Source: Census III Reveals FOSS Reliance
SecurityInfoWatch: Open-Source Usage Trends and Security Challenges Revealed in New Study
Darkreading: Lessons From the Largest Software Supply Chain Incidents

Meet OpenSSF at These Upcoming Events!

FOSDEM, Brussels: February 1, 2025
OpenSSF Policy Summit DC 2025: March 4, 2025
OpenSSF Community Day North America 2025: June 26, 2025

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, Bluesky, and LinkedIn

See You Next Month!

Regards,

The OpenSSF Team

Dec 19

Love0

OpenSSF Newsletter – December 2024

By OpenSSF Newsletter

Welcome to the December 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Lead: 2025 Tech Talk
Download: Annual Report
Follow: LinkedIn, X, Mastodon, and BlueSky

Thank You for an Amazing 2024!

OpenSSFAnnualReport

As 2024 comes to a close, we want to take a moment to express our deepest gratitude for the dedication, collaboration, and innovation you have brought to the OpenSSF community this year. Together, we achieved remarkable milestones—from expanding our global membership and launching impactful education initiatives to advancing critical security projects and fostering collaborations with public and private sectors. Your contributions have strengthened our shared mission to secure the open source ecosystem and build a safer, more reliable digital future.

As we look forward to 2025, we’re excited to continue fostering a vibrant and inclusive community, deepening collaborations, and driving meaningful change together. We appreciate your role in this journey.

Wishing you a safe and joyful holiday season!

Download report

The Open Source Software Stewards and Manufacturers Workshop and the EU Cyber Resilience Act (CRA)

In December, the Linux Foundation Europe and the OpenSSF hosted the Open Source Software Stewards and Manufacturers Workshop in Amsterdam, focusing on the implications of the EU Cyber Resilience Act (CRA). The event brought together industry leaders, community experts, and government officials to align on CRA obligations and foster collaboration for compliance.

Key outcomes included the formation of the Global Cyber Policy Working Group and three workstreams: CRA Readiness & Awareness, CRA Tooling & Processes, and CRA Standardization.

Details on how to participate and learn more:

Global Cyber Policy Working Group (WG):
Git repo
Mailing List
Slack Channel

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 1

UnderstandingCRA1

Published as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) entered into force (EIF) on December 10, 2024. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements, including their remote data processing, put on the European market to follow this regulation. This new blog series will cover the implementation of the CRA and its relevance to open source software.

In Part 1, we will provide a general overview of the CRA and highlight LF Europe and the OpenSSF’s current activities in relation to the implementation.

Learn more

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 2

CRABlog2
In Part 1, we provided a general overview of the CRA and highlighted OpenSSF’s current activities related to its implementation. In Part 2, we’ll take a closer look at the three-year implementation timeline and what lies ahead.

Shaping the Future of Generative AI: A Focus on Security

GenAIstudy

The Shaping the Future of Generative AI report, sponsored by LF AI & Data and CNCF, highlights how organizations prioritize security, cost, and performance as they adopt GenAI. Security remains a top concern, particularly in sectors like finance and healthcare, where privacy and regulatory compliance are critical.

The Open Source Security Foundation (OpenSSF) AI/ML Working Group plays a vital role in this landscape, focusing on initiatives like model signing with Sigstore to enhance trust and security in AI systems. This blog ties together insights from the report and OpenSSF’s ongoing efforts to address security challenges in GenAI adoption.

Open Source Usage Trends and Security Challenges Revealed in New Study

Census III Report

The Linux Foundation and Harvard released Census III, a groundbreaking study analyzing Free and Open Source Software (FOSS) usage and security challenges. Findings reveal trends like the rise of cloud-specific packages, increased reliance on Rust, and the critical role of a small group of contributors.

Learn more

Download report

Honda and Guidewire Join the Open Source Security Foundation (OpenSSF)

At the inaugural SOSS Community Day India, OpenSSF welcomed Honda and Guidewire Software as new members, expanding its growing global network to 126 organizations. The event highlights India’s thriving open source ecosystem and brings together leaders to collaborate on securing the software we all depend on.

Learn more

SigstoreCon 2024: Advancing Software Supply Chain Security

SigstoreCon

On November 12, 2024, the software security community gathered in Salt Lake City for SigstoreCon: Supply Chain Day, co-located with KubeCon North America 2024. The one-day conference brought together developers, maintainers, and security experts to explore how Sigstore is transforming software supply chain security through simplified signing and verification of digital artifacts.

Global Cyber Policy WG: The new group had its sandbox application approved by the TAC.
Bomctl welcomed Patrick Kwiatkowski as its newest maintainer.
GUAC v0.12.0 was released, with added support for querying OCI registries and collecting end-of-life information. The group also held a meeting to discuss an air-gapped GUAC deployment.
SLSA submitted a graduation application to the TAC and is expecting to release v1.1 soon.
EDU.SIG highlighted a series of updates that have been made to the LFD121 course in recent weeks.
Security Baseline is now visible at a web url: https://baseline.openssf.org/.
TAC held discussions about improving the Technical Initiative funding process in 2025.
Sigstore: The playlist from Sigstorecon is available on YouTube.
Vulnerability Disclosures WG discussed ideas to help reduce slop security reports.
SBOMit is planning an SBOMit Summit stay tuned for more details.
Model Signing SIG seeks feedback on the proposed model card metadata spreadsheet.
Zarf has PRs in progress for zarf package preview and show manifests.
C/C++ Best Practices discussed the proposal for hardened C++ Standard Library.
Securing Software Repositories WG members published blog posts on the Ultralytics compromise.
Memory Safety SIG gave an overview of a new Rust/C++ Interop initiative. The group is also collaborating to add a Memory Safety Scorecard Check.
Scorecard expects a patch release upcoming with a collection of minor updates and fixes. The group also has an Azure DevOps task PoC working for running Scorecard.
Minder published a README update with information and resources to help get started with writing rules and profiles for Minder.

In the News:

Infosecurity Magazine: Security Risks Persist in Open Source Ecosystem
SC Media: Study Highlights Challenges, Priorities in Securing Open Source Software
DevOps.com: Linux Foundation Report Spotlights Open Source Software Package Challenges
SecurityInfoWatch: Open-Source Usage Trends and Security Challenges Revealed in New Study
Linux Security: Leveraging Insights from the Linux Foundation’s Census III Report for More Secure Linux Administration
Developer Tech News: Linux Foundation Releases ‘Census III’ Open Source Report
IT Week: Linux Foundation: 96% of Modern Applications Use Open Source
Digitalk: Study: 96% of Modern Applications Use Open Source

Meet OpenSSF at These Upcoming Events!

FOSDEM, Brussels: February 1, 2025
OpenSSF Policy Summit DC 2025: March 4, 2025

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, Bluesky, and LinkedIn

See You Next Year!

Regards,

The OpenSSF Team

Nov 26

Love0

OpenSSF Newsletter – November 2024

By OpenSSF Newsletter

Welcome to the November 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Apply: Lead a 2025 Tech Talk
Attend: SOSS Community Day India
Follow: LinkedIn, X, Mastodon, and BlueSky

The SOSS Fusion 2024 Playlist is Live!

Catch up on the highlights from SOSS Fusion 2024, The Conference for Secure Open Source Software with the full YouTube playlist. Explore keynotes, technical sessions, and workshops from industry leaders like Dan Lorenc and Cory Doctorow. Discover actionable insights and tools to secure open source software.

📺 Watch now: SOSS Fusion 2024 YouTube Playlist

Secure Your Software Supply Chain with Abhisek Datta

Join us for an insightful webinar, Policy, Security, and the Software Supply Chain, featuring security expert Abhisek Datta on November 27 from 2:00 PM – 3:00 PM. This event is hosted in the lead-up to SOSS Community Day, India, co-located with KubeCon + CloudNativeCon India 2024.

Mark your calendars and register today!

Join us in Delhi for SOSS Community Day India on December 10, 2024, co-located with KubeCon + CloudNativeCon India

Hosted by the OpenSSF, this event will bring together open source security enthusiasts to connect, collaborate, and share knowledge. Whether you’re an industry leader or a passionate technologist, this is your opportunity to dive deep into the latest open source security trends, learn from experts, and network with the vibrant open source community. Don’t miss out—register today and be part of the conversation on securing open source software!

Learn more

2025 Virtual Tech Talk Call for Proposal (CFP)

Have a topic or expertise you’d like to share? Submit your Call for Proposals (CFP) by December 13, 2024, to ensure ample time for review and planning. This is your chance to contribute, connect with peers, and inspire others in the field.

Submit your CFP

Case Study: Kusari’s Implementation of OpenSSF Tools and Services

Kusari has tackled software supply chain challenges like transparency and inefficiencies by integrating OpenSSF tools such as AllStar, Scorecard, and GUAC, while adopting open standards like SLSA and OpenVEX. These solutions have enhanced their ability to manage risks and contribute actively to the OpenSSF community.

“Participating in open source communities allows us to shape the future of software supply chain technology,” says Parth Patel, Kusari’s Co-founder.

October was Cybersecurity Awareness Month!

CybersecurityMonth
This year, the focus was on collective action across sectors to enhance cybersecurity resilience. Organizations prioritized OSS governance, developers adopted secure coding practices, and academic institutions prepared the next generation of professionals—all contributing to safer digital ecosystems.

OpenSSF supported these efforts with resources like Developing Secure Software (LFD121) and events like SOSS Fusion, which fostered collaboration and knowledge sharing.

OpenSSF Adds Minder as a Sandbox Project to Simplify the Integration and Use of Open Source Security Tools

Minder, contributed by Stacklok, simplifies the integration and use of open source security tools through a policy-based approach that spans the entire software development lifecycle. With features like noise reduction, auto-remediation, and integration with OpenSSF tools such as Sigstore, Minder empowers organizations to strengthen their security posture.

➡️ Explore Minder and see how it enhances open source security.

OpenSSF Expands Secure Development Course with Interactive Labs

The Open Source Security Foundation (OpenSSF) has enhanced its free “Developing Secure Software” course (LFD121) with hands-on labs and interactive activities. These new features provide developers with practical techniques to counter modern cyberattacks, improving engagement and knowledge retention.

With over 25,000 enrollments globally, this course offers a comprehensive learning experience covering secure design principles, implementation, and verification techniques. Developers can earn a completion certificate and access optional browser-based labs for an immersive learning experience.

➡️ Enroll in LFD121 and start building secure software today!

OpenSSF Welcomes New Members and Introduces New Initiatives at SOSS Community Day Japan

At SOSS Community Day Japan, OpenSSF celebrated its growing community with the addition of new members, including Arm, embraceable AI, Fujitsu, Ruby Central, and Trifecta Tech, furthering its mission to secure open source software.

In a recent press release, OpenSSF also announced new initiatives: Minder, a sandbox project simplifying security tool integration; bomctl, enhancing SBOM management; and Zarf, enabling secure software delivery in air-gapped environments.

Red Hat’s Collaboration with the OpenSSF and OSV.dev Yields Results: Red Hat Security Data Now Available in the OSV Format

RedHat'sCollaborationwithOpenSSF

Red Hat has partnered with OpenSSF and Google’s OSV.dev to make its security data available in the OSV format. This enhances transparency, accessibility, and integration with tools like OSV-Scanner, supporting better vulnerability management.

➡️ Learn more about this collaboration.

How We Can Learn from Open Source Software to Address the Challenges of AI

How_We_Can_Learn_from_Open_Source_Software_to_Address_the_Challenges_of_AI

AI models bring transformative potential but also risks like deepfakes, bias, and misuse. Drawing from open source principles, we can address these challenges by fostering collaboration across industry, academia, and government, securing the AI supply chain, and building “secure by default” models.

OpenSSF’s work with agencies like CISA offers a roadmap for leveraging open source security principles to improve the safety and reliability of open foundation models.

➡️ Read how open source lessons can shape a secure AI future.

The OpenSSF Armored Goose “Honk”: Advancing Open Source Security

ArmouredGooseHonk

The Open Source Security Foundation’s (OpenSSF) logo features “Honk,” an armored goose holding a shield, embodying the foundation’s mission to protect open source software. Representing adaptability, resilience, and teamwork, Honk symbolizes the innovative approaches OpenSSF employs to enhance security in the open source ecosystem.

Discover the story behind Honk and how OpenSSF champions collaboration and defense in open source security.

➡️ Learn more about Honk and join the mission.

In the News

TechCrunch: Stacklok donates its Minder supply chain security project to the OpenSSF
The New Stack Newsletter: ISSUE 441 | All Thing Open, Open Source AI, and Seeking Opportunities
Linux Insider: Tor and Tails Team Up for Better Online Privacy Protections
DZone: Making Sense of Open-Source Vulnerability Databases: NVD, OSV, and More
tl;dr sec newsletter: [tl;dr sec] #255 – AI finds 0day in SQLite, Cloud Security Tools, Auto-generate Terraform Secure Guardrails
SiliconANGLE: How Kubernetes is aiming to transform cloud-native development and security in its next era
Help Net Security: How Intel is making open source accessible to all developers
SiliconANGLE: From security challenges to AI workflows: Open-source ecosystems fuel integration and innovation across industries

Meet OpenSSF at These Upcoming Events!

Policy, Security, and the Software Supply Chain (Virtual Event): November 27, 2024
SOSS Community Day India: December 10, 2024
Open Source Software Stewards Manufacturers Workshop: December 10-11, 2024

Get Involved in OpenSSF

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, and LinkedIn

See You Next Month

Regards,

The OpenSSF Team

Oct 23

Love0

OpenSSF Newsletter – October 2024

By OpenSSF Newsletter

Welcome to the October 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Take: Developing Secure Software (LFD121)
Attend: SOSS Community Day Japan
Get Involved: Participate in OpenSSF

Join us in Tokyo for SOSS Community Day Japan on October 30, 2024, co-located with the Open Source Summit Japan (October 28-29)

Recap on SOSS Community Day EU

SOSSCommunity24EU
On September 19, the OpenSSF community gathered in Vienna for SOSS Community Day EU, held alongside Open Source Summit EU. Each summit and community day is a celebration of open source excellence, showcasing the collective efforts of passionate individuals committed to making the world a safer place. We extend a heartfelt thanks to our dedicated maintainers for their continuous efforts in advancing open source security!

Recordings and photos are now available. Relive the moment as we recap some of the exciting conversations from the event! Read more

2025 Virtual Tech Talk Call for Proposal (CFP)

We are excited to invite proposals for the 2025 Virtual Tech Talk Series, providing a platform for in-depth discussions on critical initiatives to secure open source software within the OpenSSF community. These tech talks are designed to foster knowledge sharing, highlight innovative technical projects, and showcase efforts driving the future of open source security.
Have a topic or expertise you’d like to share? Submit your Call for Proposals (CFP) by December 15, 2024, to ensure ample time for review and planning. This is your chance to contribute, connect with peers, and inspire others in the field.
Submit your CFP

OpenSSF Education Tech Talk Highlights & Future Opportunities

10-10TechTalk
The OpenSSF hosted a virtual Tech Talk titled Jumpstart Your Journey: Mastering OSS Security Development with the Linux Foundation Education. This session was designed for aspiring open source professionals and newcomers eager to dive into the world of open source software (OSS) security. Read more

Developer Relations: The Human Connection Driving Open Source Security

Open source security isn’t just about technology—it’s about the people behind it. Developer Relations (DevRel) connects developers, maintainers, and contributors, ensuring that they have the tools and support to make open source software more secure and resilient. As Katherine Druckman, Open Source Evangelist at Intel, said in her recent episode of the What’s in the SOSS? podcast: “We solve technical problems with technical solutions, but there are also so many human problems that need human solutions.” This illustrates the heart of DevRel—bringing together people to drive progress in open source security. Read more

OpenSSF SOSS Fusion Conference Kicks off with Talks from Google and Cisco Executives

SOSS-Fusion-2024-OpenSSF-SOSS-Fusion-Conference-Kicks-off-with-Talks-from-Google-and-Cisco-Executives-

The Open Source Security Foundation (OpenSSF) announced the opening of the Secure Open Source Software (SOSS) Fusion Conference in North America in Atlanta, GA. This event unites a diverse community of professionals, including public sector leaders, software developers, security engineers, students, cybersecurity experts, CISOs, CIOs, founders, and tech pioneers. With a robust agenda covering AI security, critical open source security projects, public policy, and today’s most pressing security topics, SOSS Fusion offers a comprehensive look at OpenSSF’s initiatives that’s aimed at simplifying security for developers, and will help them prepare to shape a safer digital world in 2025 and beyond. Read more

Join us for SigstoreCon: Supply Chain Day at KubeCon NA 2024

SigstoreCon
Join us for SigstoreCon: Supply Chain Day at KubeCon NA 2024 in Salt Lake City on November 12! Attendees will explore the latest advancements in digital artifact signing, with sessions on Sigstore, SLSA, The Update Framework (TUF), and more.

Key Topics Include:

Case Studies: Real-world examples of how projects are leveraging Sigstore, SLSA, or TUF
Package Registry Adoption: Insights for maintainers adopting Sigstore/SLSA
Client Development: Learnings from building Sigstore clients
Technical Deep Dives/Research: Exploring transparency, privacy-preserving identities, and more

Don’t miss this opportunity to stay ahead in supply chain security!

View agenda

Empower Your Software Development with OpenSSF’s Free “Developing Secure Software” Course!

Learn secure software fundamentals at your own pace and earn a recognized certificate. Plus, we’ve just added new optional labs in LFD121! These hands-on exercises will help you practice countering attacks with real-world scenarios and helpful hints. Enroll here

In the News

The Register: Google’s memory safety plan includes rehab for unsafe languages
Computer Weekly: Printing vulnerability affecting Linux distros raises alarm
The Record: Experts warn of DDoS attacks using Linux printing vulnerability
Help Net Security: Open source maintainers: Key to software health and security
Cybersecurity Dive: CUPS vulnerability, a near miss, delivers another warning for open source
DevOps.com: Survey Finds Compensation Drives Better Open Source Software Security Behavior
CityBiz: OpenSSF Announces Key Themes of AI Security, Diversity and Open Source Public Policy at SOSS Fusion Conference
TechTarget: U.S. Army, Lockheed Martin detail SBOM progress

Meet OpenSSF at These Upcoming Events!

Open Source Summit Japan: October 28-29, 2024
SOSS Community Day Japan: October 30, 2024
Sigstore North America: November 12, 2024
Linux Foundation Member Summit: November 19-21, 2024

Get Involved in OpenSSF

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, and LinkedIn

See You Next Month

Regards,

The OpenSSF Team

Jul 23

Love0

OpenSSF Newsletter – July 2024

By OpenSSF Newsletter

Welcome to the July 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.

DOWNLOAD: What’s in the SOSS? An OpenSSF Podcast!
REGISTER: Secure Open Source Software (SOSS) Fusion Conference
JOIN: Attend an upcoming Working Group meeting

An Open Source Approach to Threat Mitigation in AWS

AnOpenSourceApproach

Securing cloud environments is a top priority for organizations today. Leveraging open source tools like Falco, combined with AWS Lambda, provides powerful solutions for monitoring and responding to security threats. Learn how Falco and Falco Talon can automate threat detection and response, ensuring robust cloud security.

A Deep Dive into SBOMit and Attestations

SBOMit and Attestations

December 2023 saw the launch of SBOMit, a project that helps enhance the reliability and integrity of SBOMs (Software Bills of Materials). It does so by including, along with SBOMs, a series of in-toto attestations that are produced while the software is being created. SBOMit is hosted under the OpenSSF Security Tooling Working Group.

But why are these attestations important for SBOMs and how do they work?

Read the blog to learn more.

Improving OpenSSF Scorecard Scores: StepSecurity Automation for Four Key Checks

ImprovingOpenSSFScorecardScores

Implementing security best practices is essential for open source maintainers to ensure their projects are secure and free from vulnerabilities. However, many maintainers find this task complex and time-consuming when done manually. The OpenSSF Scorecard offers an automated heuristic of how well key security processes are implemented in a project.

Chainguard Enhances Security With OSV Advisory Feed

OSV

In today’s rapidly evolving open source ecosystem, managing vulnerabilities efficiently is crucial. To address this, Chainguard is now publishing its security advisory feed in the Open Source Vulnerabilities (OSV) format. This integration aims to simplify vulnerability management and enhance security for users of open source software.

Why are Organizations Struggling to Implement Secure Software Development?

Cover_Secure_Software_Development_Education_2024_Survey

The Secure Software Development Education 2024 Survey, conducted through a partnership between the Open Source Security Foundation (OpenSSF) and Linux Foundation (LF) Research, examines the secure software development education needs of professionals in this field.

Learn How To Develop Secure Software!

Developing_Secure_Software

The Open Source Security Foundation (OpenSSF), in partnership with Linux Foundation Training & Certification, offers a free online training course, Developing Secure Software (LFD121). Those who complete the course and pass the final exam will earn a free certificate of completion valid for two years.

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 1

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability1

Could artificial intelligence (AI) practically help find and fix vulnerabilities in a scalable way? We don’t know for certain, but there’s hope that it could. In this article, we’ll look at a competition to encourage the development of AI-enabled tools that will automatically find and fix vulnerabilities.

The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development

StateofEducationReport

Linux Foundation Research and the Open Source Security Foundation (OpenSSF) are pleased to release a new report titled “Secure Software Development Education 2024 Survey: Understanding Current Needs.” Based on a survey of nearly 400 software development professionals, the analysis explores the current state of secure software development and underscores the urgent need for formalized industry education and training programs.

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 2

AIxCCChallenge_Part2

In part 1, we discussed the Artificial Intelligence Cyber Challenge (AIxCC), a two-year competition to create AI systems that find software vulnerabilities and develop fixes to them. We also discussed a specific vulnerability in the Linux kernel, called needle, as an example of the kind of vulnerability we’d like such tools to find and fix. In part 1 we discussed how such tools might be able to find vulnerabilities. Now let’s talk a little bit about how they might fix them. Real competitors in AIxCC might do things differently; this article simply helps us understand what they’re trying to do.

Recognizing Excellence in OSS Community: Golden Egg Award Nominations Are Now Open!

GoldenEggAwardEU

The Open Source Security Foundation (OpenSSF) is thrilled to announce that nominations for the Golden Egg Award are now open! This award honors individuals who have made outstanding contributions to the open source security community. After its successful debut at SOSS Community Day North America, the award is back to recognize more exceptional individuals at SOSS Community Day Europe this September. If you know someone who has demonstrated exceptional dedication and impact in our community, now is the time to nominate them for this esteemed recognition.

SD Times, Bad CrowdStrike Update Takes Down Windows Machines Around the World, Highlighting Importance of Gradual Roll-Outs and Software Quality
The Hacker News, Faulty CrowdStrike Update Crashes
Help Net Security, Developers Secure Coding Practices
Techopedia, Google, Nvidia, OpenAI and Others Team Up to Improve AI Security
TechCentral (Ireland), One in three software development professionals unaware of secure practices
Help Net Security, Most GitHub Actions Workflows Are Insecure in Some Way
Inside Cybersecurity, Open Source Group Calls for Prioritizing Cyber Awareness in Software Developer Training, Education
Dark Reading, The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
Cybersecurity Dive, Nearly 1 in 3 Software Development Professionals Unaware of Secure Practices
citybiz, The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
ITOps Times, Siren – ITOps Times Open Source Project of the Week
CSO, Top 10 Open Source Software Risks — and How to Mitigate Them
Techstrong TV, The Ins and Outs of Applying to GSoC
SD Times, Companies Still Need to Work on Security Fundamentals to Win in the Supply Chain Security Fight
GovInfoSecurity, How CISA Plans to Measure Trust in Open-Source Software

Meet OpenSSF at These Upcoming Events!

Black Hat USA: Aug. 7-8, 2024
DEF CON: Aug. 8 – 11, 2024
SOSS Community Day Europe: Sept. 19, 2024
SOSS Fusion Conference: Oct. 22-23, 2024
- Sponsorships available

Get Involved in OpenSSF

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, and LinkedIn

See You Next Month

We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month!

Regards,

The OpenSSF Team

Jun 18

Love0

OpenSSF Newsletter – June 2024

By OpenSSF Newsletter

Welcome to the June 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.

DOWNLOAD: What’s in the SOSS? An OpenSSF Podcast!
REGISTER: Secure Open Source Software (SOSS) Fusion Conference
JOIN: Attend an upcoming Working Group meeting

Call for Proposals: Submit to Speak at SOSS Fusion

We’re looking for proposals in the form of session presentations, panels, keynote sessions, and lightning talks. Submit to speak on any one of the following topics:

- OSPO: Security and Open Source Program Offices
- Maintainer Roles: Maintainer and Contributor roles in Securing Open Source Software
- Dev: Secure Open Source Software Integration in the Software Development Lifecycle
- Public Policy: Regulations to Improve the Security of Open Source Software
- End Users: Secure Open Source Software Supply Chains
- Dependencies: Understanding the OSS in Your Stack
- AI for Security: Leveraging AI to Secure Open Source Software
- Security for AI: Starting with Security for Open Source AI

Learn more about all suggested topics.

The Call for Proposals closes Friday, July 12, at 11:59 PM EDT.

SUBMIT TO SPEAK

OpenSSF Joins Open Source Consortium To Define E.U. CRA Security Specifications

The Open Source Security Foundation (OpenSSF), a project of the Linux Foundation focused on improving the security of open source software, is proud to announce its collaboration with the Eclipse Foundation and a leading open source consortium to work on the European Union’s (E.U.) Cyber Resilience Act (CRA).

Introducing Artifact Attestations—Now in Public Beta

There’s an increasing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100 million developers building on GitHub, we want to ensure that developers have the tools needed to help.

The Opportunity for DEI Participation in the Security Industry (And OpenSSF)

At Secure Open Source Software (SOSS) Community Day North America 2024, we held a panel discussion on DEI (Diversity, Equity and Inclusion) at Open Source Security Foundation (OpenSSF). In preparing for this discussion we had a lot of conversations and realized we each had diverse perspectives.

Beyond the OpenSSF: An Introduction to Other Security Efforts Across the Linux Foundation

The Open Source Security Foundation (OpenSSF)’s mission is to strengthen the open source software ecosystem through a collaborative initiative across industry. But did you know about the other initiatives focusing on strengthening open source security, happening across the Linux Foundation?

The OSS Security Adventure: Exploring the Frontlines of OSS Security through SOSS Policy Summit, RSA Conference, and Japan Meetup

OpenSSF is making waves globally, with our footprint evident in discussions and events across continents. Join us on an “OSS Security Adventure” as we delve into our impactful presence at the SOSS Policy Summit in Brussels, the RSA Conference in San Francisco, and our engaging meetup in Tokyo.

What’s in the SOSS? Podcast #6 – A Man Called CRob: Introducing the Newest Co-host of What’s in the SOSS?

Introducing our new co-host for “What’s in the SOSS?” podcast, Christopher Robinson (CRob). As the Director of Security Communications at Intel Corporation and Chair of OpenSSF’s Technical Advisory Committee, CRob’s 25 years of experience in various sectors will enrich our podcast discussions. The latest episode features his day-to-day activities, podcast vision, and advice for those entering cybersecurity.

Listen Here

OpenSSF Case Study: Enhancing Open Source Security with Sigstore at Stacklok

Stacklok Case Study

Stacklok, founded by Kubernetes co-creator Craig McLuckie and Sigstore creator Luke Hinds, enhances open source software security using Sigstore. By integrating Sigstore into their products, Trusty and Minder, Stacklok helps developers and maintainers secure their software supply chains with tools for artifact signing and verification. This case study highlights Stacklok’s commitment to making open source software safer and their contributions to the OpenSSF community.

Ubuntu Security Notices Now Available in OSV

In today’s rapidly evolving open source ecosystem, managing vulnerabilities efficiently is crucial. That’s why we’re excited to share that Canonical is now issuing Ubuntu Security Notices (USNs) in the open source OSV format. This collaboration aims to simplify vulnerability management and enhance security for our users.

OpenSSF Tech Talk: Proactive Supply Chain Security with GUAC

GUACTechTalkHighlight

In this Tech Talk, you will meet the GUAC maintainers as they cover the project and its recent release, roadmap plans, and how you can contribute. Cybersecurity threats are constantly and quickly changing, but GUAC can help you stay ahead.

Check out this blog for a summary of the tech talk highlights and watch experts discuss its benefits & real-world uses. Slides & recording are available.

Watch Now

Enhance Your Software Development Skills with OpenSSF’s Free Courses

OpenSSF offers two comprehensive, free courses designed to help software developers improve their skills in secure software development and supply chain security.

Developing Secure Software (LFD121)

This course covers the fundamentals of developing secure software and is available on the Linux Foundation Training & Certification platform. It is entirely online, self-paced, and takes about 14-18 hours to complete. Both the course and the certificate of completion are free. Upon finishing the course and passing the final exam, participants will earn a certificate valid for two years.

Securing Your Software Supply Chain with Sigstore (LFS182)

This course teaches software developers, DevOps engineers, security engineers, and software maintainers how to use Sigstore’s toolkit to enhance software supply chain security. It covers the use of Cosign, Fulcio, and Rekor tools and is available on the Linux Foundation Training & Certification platform. The course is free, online, self-paced, and takes about 8 hours to complete. Familiarity with Linux terminals, command line tools, and intermediate cloud computing and DevOps concepts is recommended.

Learn More

In the News

Politico, Trying to tame crypto
CyberWire Daily podcast, The secrets of a dark web drug lord
DevOps.com, OpenSSF Siren: Security for One, Security for All
SC Media, New OpenSSF initiative provides threat intelligence on open source projects
Help Net Security, Authelia: Open-source authentication and authorization server
CyberScoop, Omkhar Arasaratnam on open source security; AI dogfighting
Redefining Cybersecurity Podcast, Why the Industry Needs OpenSSF | A Conversation with Omkhar Arasaratnam, Adrianne Marcum, Arun Gupta, and Christopher Robinson | Redefining CyberSecurity with Sean Martin
SecurityWeek, Fireside Chat: Bennett Pursell on the OpenSSF Siren Threat Intel Project
SecurityBrief UK, OpenSSF joins forces with Eclipse Foundation for EU CRA initiative
KubeFM, Stack security: cluster policies, secrets management, and building trust
CSO, Third-party software supply chain threats continue to plague CISOs
InfoRiskToday, NIST Unveils Plan to Restore National Vulnerability Database
The New Stack, Commonhaus Foundation Launches at Critical Time for OSS
tl;dr sec newsletter, [tl;dr sec] #233 – Awesome Detection Engineering, Security GPTs, How to Build a Cybersecurity Start-up
TechTarget, Be prepared for open source software risks
Computer Weekly, Building a more secure, and sustainable, open source ecosystem
The New Stack, What Developers Can Grok From the Latest PyPI Package Attack
HackerNoon, How a Malicious Xz Utils Update Nearly Caused a Catastrophic Cyberattack on Linux Systems Worldwide
SC Magazine, The State of AppSec in 2024: Expanded use, expanded attack surface
The New Stack, XZ Security Incident: The Importance of Reputation in Security

Meet OpenSSF at These Upcoming Events!

- CloudNativeSecurityCon: June 26-27, 2024
- OSPOs for Good 2024 Conference: July 9-10, 2024
- What’s Next for Open Source?: Jul 11, 2024
- Black Hat USA: Aug. 7-8, 2024
- DEF CON: Aug. 8 – 11, 2024
- SOSS Community Day Europe: Sept. 19, 2024
- SOSS Fusion Conference: Oct. 22-23, 2024
  - CFP now open
  - Sponsorships available

Get Involved in OpenSSF

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, and LinkedIn

See You Next Month

We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month!

Regards,

The OpenSSF Team

Join us at OpenSSF Community Day Events in North America and Europe 2025!

OpenSSF Announces Initial Release of the Open Source Project Security Baseline

Does the EU CRA affect my business?

Securing Public Sector Supply Chains is a Team Sport

Linux Foundation Europe and OpenSSF Launch Initiative to Prepare Maintainers, Manufacturers, and Open Source Stewards for Global Cybersecurity Legislation

Alpha-Omega 2024 Annual Report

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

See You Next Month!

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get the latest announcements, event info, and the community news in your inbox