Join us at Open Source SecurityCon Europe on March 23, 2026

Category

Newsletter

Feb 26
Love0

OpenSSF Newsletter – February 2026

By Newsletter

TL;DR:

đŸ‡łđŸ‡± Open Source SecurityCon Europe → Agenda live and registration open

đŸŽ™ïž Securing Agentic AI in Practice → March 17 Tech Talk on AI/ML security in action

📖 Compiler Annotations Guide → Practical C/C++ hardening without rewrites

🏆 Security Slam 2026 → 30-day challenge to level up project security

đŸ‡ȘđŸ‡ș CRA in Practice @ FOSDEM → Turning regulation into actionable steps

📩 Package Repository Security Forum → Cross-ecosystem collaboration in action

đŸŽ™ïž What’s in the SOSS? → CFP tips and a 4-part AIxCC deep dive

6 min read

Join Us at Open Source SecurityCon Europe 2026 in Amsterdam

Planning to attend KubeCon + Cloud Native Con Europe in March? Don’t miss OpenSSF’s co-located 1-day event! This gathering will bring together a diverse community, including software developers, security engineers, public sector experts, CISOs, CIOs, and tech pioneers, to explore challenges and opportunities in modern security. Collaborate with peers and discover the essential tools, knowledge, and strategies needed to ensure a safer, more secure future.

The agenda is live! Read the blog to learn what not to miss in Amsterdam and to see highlights from SecurityCon North America.

Read the blog | Register now | View the agenda

Mark Your Calendar For the Upcoming Tech Talk: Securing Agentic AI in Practice: From OpenSSF Guidance to Real-World Implementation

Tech Talk: Securing Agentic AI in Practice: From OpenSSF Guidance to Real-World ImplementationJoin us for the first OpenSSF Tech Talk of the year, focusing on agentic artificial intelligence (AI) security.

In this session, we will explore how the OpenSSF AI/ML Security Working Group is developing open guidance and frameworks to help secure AI and machine learning systems, and how that work translates into real-world practice. Using SAFE MCP and other solutions from OpenSSF member companies as examples, we will highlight community-driven efforts to improve the security of agentic AI systems, the problems they address, the design tradeoffs involved, and the lessons learned so far.

We will also feature OpenSSF’s free course, Secure AI/ML Driven Software Development (LFEL1012), which gives attendees a clear path to build practical skills and contribute to this rapidly evolving field.

Register and mark your calendar for March 17 at 1:00 p.m. ET. Additional speaker information will be shared soon.

Fill Out All The Margins 📖: OpenSSF Releases Compiler Annotations Guide for C and C++

OpenSSF has released a new Compiler Annotations Guide for C and C++ to help developers improve memory safety, diagnostics, and overall software security by using compiler-supported annotations. The guide explains how annotations in GCC and Clang/LLVM can make code intent explicit, strengthen static analysis, reduce false positives, and enable more effective compile-time and run-time protections. As memory-safety issues continue to drive a significant share of vulnerabilities in C and C++ systems, the guide offers practical, real-world guidance for applying low-friction hardening techniques that improve security without requiring large-scale rewrites of existing codebases. 

Read the blog

Security Slam 2026

Security Slam 2026 is a 30-day security hygiene challenge running from February 20 to March 20, culminating in an awards ceremony at KubeCon + CloudNativeCon Europe. Hosted by OpenSSF in partnership with CNCF TAG Security & Compliance and Sonatype, the event encourages projects to use practical security tools, including OpenSSF resources, to strengthen their security posture based on their maturity level. Participants can earn recognition, badges, and plaques for completing milestones, reinforcing a community-driven effort to improve open source software security at scale. 

Read the blog to learn more | Register now to receive reminders and instructions

EU Cyber Resilience Act (CRA) in Practice @ FOSDEM 2026: From Awareness to Action

At FOSDEM 2026, the CRA in Practice DevRoom brought together open source and industry leaders to turn the EU Cyber Resilience Act from policy discussion into practical action. Through case studies and panels, speakers shared concrete approaches to vulnerability management, SBOMs, VEX, risk assessment, and the steward role. 

Read the blog

Advancing Package Repository Security Through Collaboration

On February 2, OpenSSF convened the Package Manager Security Forum, bringing together maintainers and registry operators from major ecosystems to address shared challenges in package repository security. Discussions highlighted common concerns around identity and account security, governance and abuse handling, transparency, and long-term sustainability. The session reinforced that package ecosystem risks are interconnected and that improving security requires cross-ecosystem coordination, shared frameworks, and continued collaboration through OpenSSF’s neutral convening role.

Read the recap

Getting an OpenSSF Baseline Badge with the Best Practices Badge System

Is your open source project meeting the “minimum definition” of security? The OpenSSF has officially integrated the Open Source Project Security Baseline (OSPS Baseline) into its Best Practices Badge Program.

In our latest blog, David A. Wheeler explains how you can quickly identify and meet essential security requirements to earn a Baseline Badge.

What’s in the SOSS? An OpenSSF Podcast:

#50 – S3E2 Demystifying the CFP Process with KubeCon North America Keynote Speakers

Stacey Potter and Adolfo “Puerco” García Veytia share practical, behind-the-scenes advice on submitting conference talks, fresh off their KubeCon keynote. They break down how CFP review committees work, what makes an abstract stand out, common mistakes to avoid, and why authenticity matters more than polish. The episode also tackles imposter syndrome and encourages new and diverse voices to shape the future of open source through speaking.

#51 – S3E3 AIxCC Part 1: From Skepticism to Success with Andrew Carney

Andrew Carney from DARPA explains the vision and results behind the two-year AI Cyber Challenge (AIxCC), which tasked teams with building AI systems that can automatically find and patch vulnerabilities in open source software. Despite early skepticism, competitors identified more than 80% of seeded vulnerabilities and generated effective patches at surprisingly low compute costs. The episode looks at what comes next as these cyber reasoning systems move from competition to real-world adoption.

#52 – S3E4 AIxCC Part 2: How Team Atlanta Won by Blending Traditional Security and LLMs

Professor Taesoo Kim of Georgia Tech describes how Team Atlanta combined fuzzing, symbolic execution, and large language models to win AIxCC. Initially skeptical of AI, the team shifted its strategy mid-competition and discovered that hybrid approaches produced the strongest results. The conversation also covers commercialization efforts, integration with OSS-Fuzz, and how the experience reshaped academic security research.

#53 – S3E5 AIxCC Part 3: Trail of Bits’ Hybrid Approach with Buttercup

Michael Brown of Trail of Bits discusses Buttercup, the second-place AIxCC system that pairs large language models with conventional software analysis tools. The team focused on using AI for well-scoped tasks like patch generation while relying on fuzzers for proof-of-vulnerability. Now fully open source and able to run on a laptop, Buttercup is actively maintained and positioned for broader enterprise and community use.

#54 – S3E6 AIxCC Part 4: Cyber Reasoning Systems in the Real World

CRob and Jeff Diecks wrap up the AIxCC series by exploring how competition teams are applying their systems to real open source projects such as the Linux kernel and CUPS. They introduce the OSS-CRS initiative, which aims to standardize and combine components from multiple cyber reasoning systems, and share lessons learned about responsibly reporting AI-generated findings. The episode highlights how collaboration through OpenSSF’s AI/ML Security Working Group and Cyber Reasoning Systems SIG is shaping the next phase of AI-driven security.

News from OpenSSF Community Meetings and Projects:

Upcoming community meetings

In the News:

  • The OpenSSF was featured in a Technology Magazine Q&A. CRob discusses OpenSSF’s goals, OSSAfrica, the BEAR Working Group, Security Baseline, and much more. This conversation was also covered by AI Magazine. 

Meet OpenSSF at These Upcoming Events!

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to


See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Jan 29
Love0

OpenSSF Newsletter – January 2026

By Newsletter

Welcome to the January 2026 edition of the OpenSSF Newsletter. This issue highlights new research, community priorities, and upcoming events across the open source security ecosystem.

TL;DR:

📊 2026 Cyber Resiliency Survey → Measure the awareness of CRA

🧭 OpenSSF 2026 Themes → What’s ahead and how to get involved

🔎 OSS Africa, VEX, AI & OSPS Baseline → Practical blogs and podcast highlights

🌍 Events & Community → GVIP Summit, EU Policy Summit, FOSDEM, Open Source SecurityCon Europe, CFPs, and project updates

OpenSSF and Linux Foundation Research: 2026 Cyber Resiliency Survey

As cybersecurity legislation such as the EU Cyber Resilience Act (CRA) takes effect, open source communities are beginning to feel its impact, from maintainers and contributors to organizations that rely on open source every day. Building on last year’s inaugural study, Linux Foundation Research and OpenSSF are again inviting the community to share perspectives through a new survey focused on awareness and readiness for cybersecurity regulation.

Your perspective matters. By participating, you help strengthen shared understanding, surface real community needs, and support the open source ecosystem as it navigates emerging regulatory challenges. Take the Survey.

OpenSSF at FOSDEM 2026: From Policy to Practical Security

OpenSSF is heading to Brussels for FOSDEM 2026 and Open Source Week, building on last year’s momentum around practical open source security, CRA readiness, and community-driven solutions. Expect strong presence across policy and technical devrooms, a joint booth with Linux Foundation Europe (K2-A-03), and active participation in key events like the GVIP Summit and EU Open Source Policy Summit. The focus this year: turning regulation and security best practices into real, usable tooling and guidance for maintainers and projects. Read the blog.

OpenSSF’s 2026 Themes: A Community Roadmap for Securing the Future of Open Source

Curious about what security topics will shape the open source world in 2026 and how you can be part of it? Read about OpenSSF’s quarterly themes from AI and ML security to vulnerability transparency, global policy alignment, and Baseline adoption. This blog also highlights key events, community activities, and how to get involved. Read more.

Signal in the Noise: An Industry-Wide Perspective on the State of VEX

Key stakeholders, Aubrey Olandt (Red Hat), Brandon Lum (Google), Charl de Nysschen (Google), Christoph Plutte (Ericsson), Georg Kunz (Ericsson), Jonathan Douglas (Microsoft), Jautau “Jay” White (Microsoft), Martin Prpič (Red Hat), and Rao Lakkakula (Microsoft) look at how VEX is developing across the software industry. VEX provides structured, machine-readable statements about whether a vulnerability affects a product. It can reduce false positives and cut down the workload for security teams, but adoption is still uneven. This report reviews the main VEX formats CSAF, OpenVEX, CycloneDX, and SPDX and highlights gaps in tooling, trust, and distribution. Read more.

Catching Malicious Package Releases Using a Transparency Log

In this guest blog from Trail of Bits, learn how transparency logs like Rekor, combined with tools such as rekor-monitor, help package maintainers spot tampering and unauthorized signatures in real time. With support from OpenSSF, new improvements make monitoring easier, more reliable, and ready for production, an important step toward securing the open source software supply chain.

Read the full blog to see how transparency logs work, why they matter, and what’s coming next.

AI, Software Development, Security, Tips, and the Future (Part 1 & 2)

How is AI really changing software development today? In “AI, Software Development, Security, Tips, and the Future (Part 1)”, David A. Wheeler notes that AI use during software development has become the norm because “productivity is king,” even though AI-generated results are frequently wrong, and discusses the security risks around development environments and insecure generated code. In Part 2, he continues by offering practical tips on how developers can better use AI, touches on licensing and “vibe coding,” and looks toward the future, explaining that AI won’t replace developers anytime soon, but will increase both attack and defense capabilities in software security. If you haven’t read both blogs yet, they provide a clear, realistic view of how AI is affecting software today and what developers should be thinking about next.

Your Guide to the OpenSSF OSPS Baseline for More Secure Open Source Projects

BaselineGuideWhat does good security actually look like for open source projects? This new blog walks through the community-developed OSPS Baseline, a catalog of practical security controls that helps projects understand expectations, improve over time, and meet users where they are. With FOSS in up to 96% of modern codebases and relied on across nearly every industry, the blog explains why shared security practices matter and how the Baseline connects to standards like NIST SSDF, the EU Cyber Resilience Act, and ISO 27001. It also links to keynotes, a tech talk, a podcast, a real project case study, and FAQs so you can see how the Baseline works in practice. Read the blog.

Collecting Badges, Building Bridges: Representing OpenSSF and Linux Foundation Across Europe

How does it feel to represent a global open source security community across Europe? In his blog, Madalin Neag reflects on attending key open source, cybersecurity, and standardization meetings on behalf of OpenSSF throughout 2025. He describes how each conference badge represents conversations, collaboration, and the growing understanding that open source security is becoming an essential part of Europe’s cybersecurity future. The blog highlights the connections formed between maintainers, policymakers, standards groups, and community leaders, and shows how work in open source security bridges policy and practice across many different environments. Read more.

Strengthening Open Source Security Through Community: Introducing OSSAfrica

OSSAfrica is a new community-led initiative working to strengthen open source security across Africa by connecting contributors, maintainers, developers, and security practitioners. Operating as a Special Interest Group under the OpenSSF BEAR Working Group, OSSAfrica focuses on community building, security awareness, locally relevant solutions, and creating clear pathways for African contributors to engage in global open source security efforts. Learn why this work matters, what’s being built, and how you can get involved. Read the blog.

Preserving Open Source Sustainability While Advancing CRA Compliance

This blog looks at how voluntary security attestation models under the EU Cyber Resilience Act could unintentionally shift risk and responsibility onto open source developers. It argues that CRA compliance should stay focused on downstream manufacturers and rely on automation and verifiable security metadata rather than upstream attestations that could undermine open source sustainability.

What’s in the SOSS? An OpenSSF Podcast:

#47 – S2E24 Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

This episode goes inside academia with NYU’s Justin Cappos, who explains why universities struggle to teach software supply chain security and how his course is producing highly skilled professionals. He and Yesenia Yser talk about curriculum, real-world open source collaboration, and how the Linux Foundation’s Academic Computing Acceleration Program could reshape security education.

#48 – S2E25 2025 Year End Wrap Up: Celebrating 5 Years of Open Source Security Impact!

CRob and Yesenia close out the year with a special wrap-up celebrating OpenSSF’s fifth anniversary and a huge year in open source security. They look back at new free training courses, highlights from the DARPA AI Cyber Challenge, standout interviews, major projects such as, OSPS Baseline and AI model signing, and community conversations across SBOMs and supply chain security. With nearly 12,000 downloads and big plans for Season 3, this episode is a fun look at how far the community has come and what’s ahead in 2026.

#49 – S3E1 Why Marketing Matters in Open Source: Introducing Co-Host Sally Cooper

In this Season 3 premiere, What’s in the SOSS? welcomes Sally Cooper as an official co-host. Sally shares her path from technical training and documentation to marketing leadership at OpenSSF, and explains why marketing matters in open source communities. Joined by CRob and Yesenia Yser, the conversation explores personas, personal branding, trust, and how marketing helps great projects get discovered, supported, and sustained. The episode also offers a preview of OpenSSF’s 2026 marketing themes and practical ways for newcomers to get involved.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to


See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Dec 17
Love0
December Newsletter - OpenSSF

OpenSSF Newsletter – December 2025

By Newsletter

Welcome to the December 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

🎁 2025 OpenSSF Annual Report

🎁 Free OpenSSF and Linux Foundation Education Courses

☃ Recap: OpenSSF Community Day Korea 2025

☃ KubeCon Keynote Recap

☃ OpenSSF at OSPOlogyLive Europe

☃ New podcast episodes (#46–47): AI, open source & collaboration (Jay White, Microsoft) and supply chain security in academia (Justin Cappos, NYU)

❄ Alpha-Omega strengthened SBOM tooling and FreeBSD security

❄ Gemara site launched

❄ SecurityCon NA session videos now online

❄ SLSA v1.2 adds a new Source Track

❄ OpenBao v2.4.4 released

❄ Upcoming events: FOSDEM (31 Jan & 1 Feb 2026), Open Source SecurityCon (23 March 2026), KubeCon+CloudNativeCon Europe (23-26, March 2026)

2025 OpenSSF Annual Report

2025 OpenSSF Annual Report

Discover how the open source security community moved forward in 2025. The OpenSSF Annual Report highlights major achievements in education, tooling, vulnerability management, research, and global collaboration with insights from leadership and working groups. It’s a powerful look at how far we’ve come and where we’re headed as we work together to strengthen the security of open source software.

Download the 2025 OpenSSF Annual Report and explore the progress, impact, and vision shaping the future of open source security.

Blogs: What’s New in the OpenSSF Community?

From Beginner to Builder: Free OpenSSF and Linux Foundation Education Courses

From Beginner to Builder: Free OpenSSF and Linux Foundation Education Courses

Level up your open source security skills with this practical roundup from Ejiro Oghenekome and Sal Kimmich, CSM, a curated list of free, self-paced Linux Foundation Education and OpenSSF courses built for developers who want to contribute with confidence. From secure coding and threat modeling to OpenSSF Scorecard automation, SBOMs/signatures, and even essential context like ethics, inclusion, and new regulations, this blog post maps out clear learning paths you can start right away, before (or alongside) your next contribution. Read the blog.

Recap: OpenSSF Community Day Korea 2025

Recap: OpenSSF Community Day Korea 2025

OpenSSF Community Day Korea 2025, held on November 4 in Seoul, brought developers and security engineers together for practical sessions on open source and software supply chain security. Talks spanned CI/CD hardening, SBOM-driven tooling, Linux kernel testing, post-quantum cryptography, and AI/ML security, all framed by OpenSSF’s pillars of Education, Policy, Projects, and Community. The event marked a strong start for a growing OpenSSF community in Korea, with public, private, and academic stakeholders aligning around the message that securing open source is shared work. Read the recap blog.

KubeCon Keynote Recap: “Supply Chain Reaction” and Why the OSPS Baseline Matters More Than Ever

KubeCon Keynote Recap: “Supply Chain Reaction” and Why the OSPS Baseline Matters More Than Ever

How can a Kubernetes cluster with zero known vulnerabilities still be compromised?

In their KubeCon keynote “Supply Chain Reaction: A Cautionary Tale in K8s Security,” Stacey Potter (Community Manager, OpenSSF) and Adolfo García Veytia (Founder and Engineer, Carabiner Systems) walked through a realistic incident where a compromised compiler image injected a crypto-mining payload long before workloads reached the cluster, bypassing traditional defenses. They showed how tools like SLSA, Sigstore, Kyverno, and Ampel help secure the entire software lifecycle, and why the new Open Source Project Security (OSPS) Baseline with its eight control families and three maturity levels gives projects a practical, stepwise framework to resist invisible supply-chain attacks. 

The talk makes a clear case: adopting the OSPS Baseline is now essential for any open source project that wants real, preventative supply-chain security. Learn more.

OpenSSF Projects in Less Than 5 Minutes

Short on time but curious about open source security tools? This video series features quick interviews with OpenSSF maintainers, giving you a fast, developer-focused look at the projects, standards, and initiatives they’re building. Hear directly from the people behind the code and discover which tools you might want to try next. Watch the videos here.

OpenSSF at OSPOlogyLive Europe

Madalin Neag, EU Policy Advisor, OpenSSF giving a talk at OSPOlogyLive Europe

Madalin Neag, EU Policy Advisor at OpenSSF participated in OSPOlogyLive Europe, where he presented The Cybersecurity Skills Framework presentation and discussed why securing software requires investing in people and shared security knowledge, not just technology. The session highlighted OpenSSF’s leadership in building practical, role-based security capabilities across engineering teams. The framework provides a clear, actionable map for identifying security skill gaps and prioritizing capability development across the software ecosystem. It also demonstrated how organizations can use a common language for security skills to systematically improve their cybersecurity posture.”

What’s in the SOSS? An OpenSSF Podcast:

#47 – S2E24 Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

On the latest episode of What’s in the SOSS, host Yesenia Yser sits down with Justin Cappos, professor at NYU Tandon School of Engineering, to discuss why software supply chain security is still missing from many university curricula and how hands on, open source first education can better prepare students for real world security work.

The conversation explores gaps in traditional computer science education, the importance of teaching open source collaboration, and how initiatives like the Linux Foundation’s Academic Computing Accreditation Program are helping institutions modernize security education.

🎧 Listen to the episode and learn more about the Academic Computing Accreditation Program: https://www.linuxfoundation.org/academic-computing-accreditation

#46 – S2E23 Securing the Future: AI, Open Source, and Collaboration with Jay White (Microsoft)

In this episode of What’s in the SOSS? Jay White from Microsoft’s Azure office of the CTO joins to talk about his path into open source and how it led him to focus on AI, machine learning, and security. He explains how model signing and transparency are becoming core to trustworthy AI, and shares ongoing work in OpenSSF and the Coalition for Secure AI (CoSAI) to build standards for AI supply chain security. The conversation touches on the challenges of cultural representation in AI models, why collaboration across companies and communities is essential, and how practitioners can get involved. Jay also reflects on the importance of community building and continuous learning as AI and open source evolve together.

News from OpenSSF Community Meetings and Projects:

In the News:

  • Dark Reading published expert commentary from Christopher Robinson after speaking to him about OpenSSF’s work categorizing 150,000 malicious npm packages. CRob notes the importance of MFA and artifact signing to verify that code is secure here: “Infamous Shai-hulud Worm Resurfaces From the Depths.”
  • In a Forbes article about the value of inclusive and resilient financial systems, Christopher Robinson of OpenSSF and Michael Lieberman of Kusari are included for their thoughts on secure fintech systems. Both suggest that open source software can play an important role in the future of finance, down to the code, and the Open Software Security Baseline is referenced in the article, “Secure By Design: Financial Systems For Climate Resilience.”
  • This month VMblog published Christopher Robinson’s cybersecurity predictions for 2026. CRob points out the importance of MLSecOps, SBOMs, and more in the article, “Five cybersecurity predictions for 2026.” 

Meet OpenSSF at These Upcoming Events!

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to


See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Nov 25
Love0
November Newsletter - OpenSSF

OpenSSF Newsletter – November 2025

By Newsletter

Welcome to the November 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

✅ Cyber week: Free + discounted security courses to level up fast

✅ EU CRA insights and OSS security guidance from Open Source Security Week in Belgium

✅ OSS security best practices for finance from OSFF NYC

✅ New OpenSSF members, awards, and project milestones

✅ New podcast episodes (#44-45): OSPS Security Baseline and SBOM Chaos and Software Sovereignty

✅ SBOM Coffee Club reviewed OWASP AIBOM

✅ Zarf v0.65.1 adds broader K8s support & hosts Tech talk

✅ OpenBao advancing read-replication

✅ Upcoming events: FOSDEM (31 Jan & 1 Feb 2026), Open Source SecurityCon (23 March 2026), KubeCon+CloudNativeCon Europe (23-26, March 2026)

Level Up Your Open Source Security Skills for Cyber Week

Cyber week - OpenSSF

OpenSSF and Linux Foundation Education are committed to making world-class security training accessible to everyone. Whether you are securing critical open source projects, preparing for new regulations, or building foundational expertise, you can start today with free e-learning courses and earn digital badges along the way. Explore offerings like Developing Secure Software (LFD121), Security for Software Development Managers (LFD125), Understanding the EU Cyber Resilience Act (LFEL1001), Secure AI/ML-Driven Software Development (LFEL1012), and many others designed to strengthen software resilience across the ecosystem.

If you are ready to go deeper, Cyber Week kicks off December 1. This brings the biggest savings of the year from Linux Foundation Education. From certification bundles to instructor-led courses and subscription packages, you can save up to 65 percent and accelerate your career heading into 2026.

Visit LF Education starting on December 1st to grab the best savings of the year!

Start learning for free. Level up for less. Strengthen the security of the open source world.

Blogs: What’s New in the OpenSSF Community?

Recap: Open Source Security Week in Belgium – Highlights from Ghent to Brussels

Open Source Security events in Belgium - October

At the end of October, Linux Foundation Europe, OpenSSF, and CEPS hosted a week of open source security activities across Ghent and Brussels. Developers, maintainers, policymakers, and security experts came together to break down the Cyber Resilience Act, share practical readiness guidance, and align on how Europe can strengthen software security without slowing open collaboration. From technical workshops to policy-driven discussions, the week highlighted both the challenges ahead and the growing support available to the community. Read the full recap for key takeaways, reflections, and ways to get involved.

Building Security in Open Source for Financial Services: OpenSSF at Open Source Finance Forum (OSFF) NYC

OpenSSF at Open Source in Finance Forum - New York 2025 - Recap blog

OpenSSF joined the Open Source in Finance Forum (OSFF) NYC to highlight how financial institutions can confidently rely on open source while managing real security risks. Through sessions on AI security, project security baselines, and stabilizing vulnerability data pipelines, OpenSSF showed how collaboration between maintainers, regulators, and industry engineers leads to practical solutions that strengthen the software powering today’s financial systems. Read the full recap to explore the key takeaways and resources shared at OSFF.

Tech Talk Recap: Simplifying DevSecOps in Air-Gapped Environments with Zarf

Tech Talk Recap: Simplifying DevSecOps in Air-Gapped Environments with Zarf

In the latest OpenSSF Tech Talk, we focused on a significant hurdle in software supply chain security: managing software delivery and upkeep within air-gapped and restricted network environments. You can now view the recording on the OpenSSF YouTube channel, and the presentation slides are accessible here.

OpenSSF Announces Key Membership Growth and Golden Egg Award Winners at Open Source SecurityCon North America

The Open Source Security Foundation (OpenSSF) announced new and expanded memberships at Open Source SecurityCon North America, welcoming Target Corporation and Thread AI, and celebrating OSTIF’s upgrade to general member status. The community also recognized standout contributors with the latest Golden Egg Awards and highlighted recent progress across learning resources, tooling, and global events. Read the blog to learn more about the membership updates, award winners, and milestones from the past quarter.

Here you will find a snapshot of what’s new on the OpenSSF blog. For more stories, ideas, and updates, visit the blog section on our website.

What’s in the SOSS? An OpenSSF Podcast:

#44 – S2E21 A Deep Dive into the Open Source Project Security (OSPS) Baseline

In this episode of What’s in the SOSS? CRob, Ben Cotton, and Eddie Knight take a practical look at the Open Source Project Security (OSPS) Baseline, a shared security checklist designed to help maintainers communicate the current state of their project’s security practices. They break down how the baseline fits into real workflows, why clear documentation builds trust, and how downstream users benefit when expectations are aligned. The conversation also explores integrations with other OpenSSF efforts, lessons from the GUAC case study, and what’s ahead as the community continues to refine the framework and expand tooling support.

#45 – S2E22 SBOM Chaos and Software Sovereignty with Canonical’s Stephanie Domas

In this episode of What’s in the SOSS, CRob talks with Stephanie Domas, Chief Security Officer at Canonical, about the hidden challenges shaping today’s open source ecosystem. Stephanie breaks down why third party patches disrupt SBOM accuracy, how software sovereignty is influencing global procurement, and what the EU CRA means for enterprises working with upstream dependencies. She also shares insights on memory safe upgrades in Ubuntu’s next LTS and why transparency, collaboration, and community support are critical to building trust in open source.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to


See You Next Month!

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Sep 29
Love0

OpenSSF Newsletter – September 2025

By Newsletter

Welcome to the September 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

🎉 Big week in Amsterdam: Recap of OpenSSF at OSSummit + OpenSSF Community Day Europe.

đŸ„š Golden Egg Awards shine on five amazing community leaders.

✹ Fresh resources: AI Code Assistant tips and SBOM whitepaper.

đŸ€ Trustify + GUAC = stronger supply chain security.

🌍 OpenSSF Community Day India: 230+ open source enthusiasts packed the room.

🎙 New podcasts: AI/ML security + post-quantum race.

🎓 Free courses to level up your security skills.

📅 Mark your calendar and join us for Community Events.

Celebrating the Community: OpenSSF at Open Source Summit and OpenSSF Community Day Europe Recap

From August 25–28, 2025, the Linux Foundation hosted Open Source Summit Europe and OpenSSF Community Day Europe in Amsterdam, bringing together developers, maintainers, researchers, and policymakers to strengthen software supply chain security and align on global regulations like the EU Cyber Resilience Act (CRA). The week included strong engagement at the OpenSSF booth and sessions on compliance, transparency, proactive security, SBOM accuracy, and CRA readiness. 

OpenSSF Community Day Europe celebrated milestones in AI security, public sector engagement, and the launch of Model Signing v1.0, while also honoring five community leaders with the Golden Egg Awards. Attendees explored topics ranging from GUAC+Trustify integration and post-quantum readiness to securing GitHub Actions, with an interactive Tabletop Exercise simulating a real-world incident response. 

These gatherings highlighted the community’s progress and ongoing commitment to strengthening open source security. Read more.

OpenSSF Celebrates Global Momentum, AI/ML Security Initiatives and Golden Egg Award Winners at Community Day Europe

At OpenSSF Community Day Europe, the Open Source Security Foundation honored this year’s Golden Egg Award recipients. Congratulations to Ben Cotton (Kusari), Kairo de Araujo (Eclipse Foundation), Katherine Druckman (Independent), Eddie Knight (Sonatype), and Georg Kunz (Ericsson) for their inspiring contributions.

With exceptional community engagement across continents and strategic efforts to secure the AI/ML pipeline, OpenSSF continues to build trust in open source at every level.

Read the full press release to explore the achievements, inspiring voices, and what’s next for global open source security.

Blogs: What’s New in the OpenSSF Community?

Here you will find a snapshot of what’s new on the OpenSSF blog. For more stories, ideas, and updates, visit the blog section on our website.

Open Source Friday with OpenSSF – Global Cyber Policy Working Group

On August 15, 2025, GitHub’s Open Source Friday series spotlighted the OpenSSF Global Cyber Policy Working Group (WG) and the OSPS Baseline in a live session hosted by Kevin Crosby, GitHub. The panel featured OpenSSF’s Madalin Neag (EU Policy Advisor), Christopher Robinson (CRob) (Chief Security Architect) and David A. Wheeler (Director of Open Source Supply Chain Security) who discussed how the Working Group helps developers, maintainers, and policymakers navigate global cybersecurity regulations like the EU Cyber Resilience Act (CRA). 

The conversation highlighted why the WG was created, how global policies affect open source, and the resources available to the community, including free training courses, the CRA Brief Guide, and the Security Baseline Framework. Panelists emphasized challenges such as awareness gaps, fragmented policies, and closed standards, while underscoring opportunities for collaboration, education, and open tooling. 

As the CRA shapes global standards, the Working Group continues to track regulations, engage policymakers, and provide practical support to ensure the open source community is prepared for evolving cybersecurity requirements. Learn more and watch the recording.

Improving Risk Management Decisions with SBOM Data

SBOMs are becoming part of everyday software practice, but many teams still ask the same question: how do we turn SBOM data into decisions we can trust? 

Our new whitepaper, “Improving Risk Management Decisions with SBOM Data,” answers that by tying SBOM information to concrete risk-management outcomes across engineering, security, legal, and operations. It shows how to align SBOM work with real business motivations like resiliency, release confidence, and compliance. It also describes what “decision-ready” SBOMs look like, and how to judge data quality. To learn more, download the Whitepaper.

Trustify joins GUAC

GUAC and Trustify are combining under the GUAC umbrella to tackle the challenges of consuming, processing, and utilizing supply chain security metadata at scale. With Red Hat’s contribution of Trustify, the unified community will serve as the central hub within OpenSSF for building and using supply chain knowledge graphs, defining standards, developing shared infrastructure, and fostering collaboration. Read more.

Recap: OpenSSF Community Day India 2025

On August 4, 2025, OpenSSF hosted its second Community Day India in Hyderabad, co-located with KubeCon India. With 232 registrants and standing-room-only attendance, the event brought together open source enthusiasts, security experts, engineers, and students for a full day of learning, collaboration, and networking.

The event featured opening remarks from Ram Iyengar (OpenSSF Community Engagement Lead, India), followed by technical talks on container runtimes, AI-driven coding risks, post-quantum cryptography, supply chain security, SBOM compliance, and kernel-level enforcement. Sessions also highlighted tools for policy automation, malicious package detection, and vulnerability triage, as well as emerging approaches like chaos engineering and UEFI secure boot.

The event highlighted India’s growing role in global open source development and the importance of engaging local communities to address global security challenges. Read more.

New OpenSSF Guidance on AI Code Assistant Instructions

In our recent blog, Avishay Balter, Principal SWE Lead at Microsoft and David A. Wheeler, Director, Open Source Supply Chain Security at OpenSSF introduce the OpenSSF “Security-Focused Guide for AI Code Assistant Instructions.” AI code assistants can speed development but also generate insecure or incorrect results if prompts are poorly written. The guide, created by the OpenSSF Best Practices and AI/ML Working Groups with contributors from Microsoft, Google, and Red Hat, shows how clear and security-focused instructions improve outcomes. It stands as a practical resource for developers today, while OpenSSF also develops a broader course (LFEL1012) on using AI code assistants securely. 

This effort marks a step toward ensuring AI helps improve security instead of undermining it. Read more.

Open Infrastructure Is Not Free: A Joint Statement on Sustainable Stewardship

Public package registries and other shared services power modern software at global scale, but most costs are carried by a few stewards while commercial-scale users often contribute little. Our new open letter calls for practical models that align usage with responsibility — through partnerships, tiered access, and value-add options — so these systems remain strong, secure, and open to all.

Signed by: OpenSSF, Alpha-Omega, Eclipse Foundation (Open VSX), OpenJS Foundation, Packagist (Composer), Python Software Foundation (PyPI), Rust Foundation (crates.io), Sonatype (Maven Central).

Read the open letter.

What’s in the SOSS? An OpenSSF Podcast:

#38 – S2E15 Securing AI: A Conversation with Sarah Evans on OpenSSF’s AI/ML Initiatives

In this episode of What’s in the SOSS, Sarah Evans, Distinguished Engineer at Dell Technologies, discusses extending secure software practices to AI. She highlights the AI Model Signing project, the MLSecOps whitepaper with Ericsson, and efforts to identify new personas in AI/ML operations. Tune in to hear how OpenSSF is shaping the future of AI security.

#39 – S2E16 Racing Against Quantum: The Urgent Migration to Post-Quantum Cryptography with KeyFactor’s Crypto Experts

In this episode of What’s in the SOSS, host Yesenia talks with David Hook and Tomas Gustavsson from Keyfactor about the race to post-quantum cryptography. They explain quantum-safe algorithms, the importance of crypto agility, and why sectors like finance and supply chains are leading the way. Tune in to learn the real costs of migration and why organizations must start preparing now before it’s too late.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day in South Korea!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to


See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Aug 21
Love0

OpenSSF Newsletter – August 2025

By Newsletter

Welcome to the August 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

🎉 OpenSSF Turns 5.

✹ New MLSecOps whitepaper.

🔍 Case Study: GUAC security validated in <1hr w/Baseline.

📝 Blogs: OpenSSF Community and Working Groups, AI security, AIxCC wins.

🎙 Podcasts: OSTIF audits, CRA in Erlang Community.

🎓 Free security courses.

📅 Events: OpenSSF Community Day Europe, Linux Foundation Europe Member Summit, Open Source in Finance Forum New York, Linux Foundation Europe Roadshow, European Open Source Security Forum (link coming soon), OpenSSF Community Day Korea, Open Source SecurityCon 2025 

🎉 Celebrating Five Years of OpenSSF: A Journey Through Open Source Security

August 2025 marks five years since the official formation of the Open Source Security Foundation (OpenSSF). From uniting global efforts to securing open source software, to launching initiatives like Sigstore, OpenSSF Scorecard, Alpha-Omega, SLSA, and the OSPS Baseline, OpenSSF has moved from ideas to impact – shaping the future of software supply chain security.

This milestone isn’t just a celebration of what we have accomplished, but of the community we have built together. Here’s to five years of uniting communities, hardening the software supply chain, and driving a safer digital future.

Read the full blog to explore the journey, voices, and vision that continue to shape OpenSSF’s impact.

✹Community Highlight: Whitepaper: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security

We want to give a shout out to Sarah Evans (Dell Technologies), Andrey Shorov (Ericsson) and the entire AI/ML Security Working Group for their outstanding contributions through OpenSSF, advancing secure AI/ML practices and delivering industry leadership in building robust AI/ML pipeline security.

Their new whitepaper, “Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security,” expands on Ericsson’s MLSecOps framework into a comprehensive, visual, “layer-by-layer” guide. It shows how to apply open source tools like SLSA, Sigstore, and OpenSSF Scorecard to secure the ML lifecycle offering mapped risks, security controls, reference architecture, and practical tools.

This is a must-read for anyone designing, developing, deploying, or securing AI/ML systems.

Read the whitepaper and the blog to see how OpenSSF members are shaping the future of trustworthy AI.

🔍Case Study: How LFX Insights and OSPS Baseline Validated GUAC’s Security in Under an Hour

How can a project like GUAC validate its strong security posture in under an hour?

Kusari used LFX Insights integrated with the OpenSSF OSPS Baseline to run a rapid, automated assessment of GUAC’s security posture. In less than an hour, evidence of strong security practices was compiled automatically, results were presented in a clear visual format, and findings were instantly aligned to major frameworks like NIST SSDF and the EU Cyber Resilience Act. The result was faster trust, reduced workload, and a smoother path for adoption.

Project leaders and community voices including Mike Lieberman (Kusari), Ben Cotton (Kusari), Eddie Knight (Sonatype), and Mihai Maruseac (Google) emphasized the value of this approach. They highlighted how OSPS Baseline makes security proof more visible, reduces repetitive effort, saves time for maintainers, and builds confidence among OSPO leads and end users.

Read the full case study to see how LFX Insights and OSPS Baseline created a blueprint for faster, more credible security assurance.

Blogs: What’s New at the OpenSSF Community?

Here you will find a snapshot of what’s new on the OpenSSF blog. For more stories, ideas, and updates, visit the blog section on our website.

Case Study: Google Secures Machine Learning Models with sigstore

As machine learning evolves, so do the threats-data poisoning, model tampering, and unverifiable origins are real risks. Google’s Open Source Security Team, sigstore, and OpenSSF created the OMS specification, integrating it into hubs like NVIDIA NGC and Kaggle. Models are automatically signed, tied to the author’s identity, verified for authenticity, and logged for a complete audit trail. This blueprint offers a path to a verified ML ecosystem. 

“If we reach a state where all claims about ML systems and metadata are tamperproof, tied to identity, and verifiable by the tools ML developers already use—we can inspect the ML supply chain immediately in case of incidents.” — Mihai Maruseac, Staff Software Engineer, Google

Read the case study.

What’s it like to speak, volunteer, parent, and explore nature – all in one week at OSS Summit NA 2025?

Eman Abu Ishgair shares her experience attending the Open Source Summit North America in Denver as a speaker, volunteer, and new community member during OpenSSF Community Day. From co-presenting “The Open Source SDLC Control Plane: Building the Supply Chain Security Sandwich” with Michael Lieberman, CTO and Co-founder at Kusari and Governing Board member, to volunteering at the OpenSSF booth, connecting with collaborators, attending talks on SBOM, Signing, and Securing AI pipelines, and exploring Colorado’s natural wonders with her children, Eman’s week was full of learning, community, and inspiration.

Read the full blog to experience her journey and discover how you can get involved with OpenSSF.

How does the OpenSSF welcome maintainers, security engineers, students, and others to its open, global community?

Ejiro Oghenekome and Sal Kimmich share how OpenSSF serves as the global hub for collaborative work on securing the software supply chain, with no gatekeepers and open participation for all. The blog explains how to join Slack, attend meetings, contribute via GitHub, and explore working groups like AI/ML Security, BEAR, Global Cyber Policy, Security Tooling, Vulnerability Disclosures, Securing Software Repositories, ORBIT, Securing Critical Projects, and Supply Chain Integrity. Every OpenSSF group welcomes newcomers, with many paths to contribute, no matter your background.

Read the blog to discover where your skills fit and how to start contributing today.

Securing AI: The Next Cybersecurity Battleground

The AI wave is here, and it’s only getting bigger. It ushers in a pivotal new cybersecurity battleground: securing AI. In this blog, Hugo Huang, expert in Cloud Computing and Business Models spearheading joint innovation between Canonical and Google, shares findings from a security survey. The report highlights three top challenges in 2025-lack of standardized frameworks, shadow AI, and the talent gap. Building resilient AI systems needs concrete security measures across the AI lifecycle, with open source as the pivotal enabler. 

Read the full blog.

OpenSSF at Black Hat USA 2025 & DEF CON 33: AIxCC Highlights, Big Wins, and the Future of Securing Open Source

blackhatPanel

Image source: Christopher “CRob” Robinson (OpenSSF), Stephanie Domas (Canonical), and Anant Shrivastava (Cyfinoid Research) hosted a standing-room-only “Ask Me Anything About FOSS” panel at Black Hat USA 2025

The Open Source Security Foundation marked a strong presence at Black Hat USA 2025 and DEF CON 33, engaging with security leaders, showcasing initiatives, and fostering collaboration to advance open source security. At DEF CON, the spotlight was on the AI Cyber Challenge (AIxCC), a DARPA and ARPA-H competition to develop AI-enabled software that can identify and patch vulnerabilities. Trail of Bits, an OpenSSF General Member, earned second place with Buttercup, their open source Cyber Reasoning System. 

Read the full blog for more details.

What’s in the SOSS? An OpenSSF Podcast:

#37 – S2E14 Open Source Security: OSTIF’s 10-Year Journey of Collaborative Audits – Derek Zimmer and Amir Montezari, Open Source Technology Improvement Fund (OSTIF)

In this episode of What’s in the SOSS, Derek Zimmer and Amir Montezary from the Open Source Technology Improvement Fund (OSTIF) share their decade-long mission of providing security resources to open source projects. They focus on collaborative, maintainer-centric security audits that improve project security posture through expert third-party reviews. These engagements are designed to be supportive, impactful, and efficient. Listen to the full episode to hear OSTIF’s 10-year journey and how they help projects strengthen security.

#36 – S2E13 From Compliance to Community: Meeting CRA Requirements Together – Jonatan MĂ€nnchen (CISO, Erlang Ecosystem Foundation), Ulf Riehm (Product Owner, Herrmann Ultraschall), and Michael Winser (Alpha-Omega)

In this episode of What’s in the SOSS?, CRob talks with Jonatan MĂ€nnchen (CISO, Erlang Ecosystem Foundation), Ulf Riehm (Product Owner, Herrmann Ultraschall), and Michael Winser (Alpha-Omega). The conversation explores the critical importance of security in open source, especially with the CRA. Hear how the Erlang community brings in experts, fosters collaboration, and builds trust. Listen to the full episode to learn why manufacturers invest in upstream projects and how other ecosystems can follow this approach.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in Europe and South Korea!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to


See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Jul 30
Love0

OpenSSF Newsletter – July 2025

By Newsletter

Welcome to the July 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Submit Your Proposal: OpenSSF Community Day Korea

The Call for Proposals for OpenSSF Community Day Korea is closing Aug 3! If you have insights, tools, research, or community stories to share around open source software security, now is the time to submit your talk. The event takes place on November 4, 2025, in Seoul, South Korea, and brings together developers, researchers, and security professionals from across the open source and security ecosystems.

Whether your focus is on AI and security, vulnerability management, education, or tooling, we welcome submissions in a variety of formats, from quick 5-minute talks to extended 20-minute sessions. Deadline to submit: August 3, 2025, at 23:59 KST / 06:59 PST.

Share your expertise and help shape the future of open source security. We look forward to seeing you in Seoul!

Blogs:

New: Cyber Resilience Act (CRA) Brief Guide for OSS Developers

In our recent blog post, David A. Wheeler introduces the Cyber Resilience Act (CRA) Brief Guide for OSS Developers, a practical overview created by the OpenSSF to help open source developers understand and prepare for the EU’s new cybersecurity regulation. Although the CRA officially applies only within the EU, its global impact is significant due to the international nature of software distribution. The blog clarifies when the CRA does or does not apply to OSS, outlines potential risks for non-compliance, and highlights available resources including free training and community support to help developers build secure, compliant software. Read the full blog.

Recap: OpenSSF Community Day Japan 2025

OpenSSF Community Day Japan 2025 brought together developers, researchers, government, and industry leaders in Tokyo to advance open source software security. The event featured keynotes, technical sessions, and a live incident response exercise focused on secure development, tool adoption, and supply chain integrity.

Read the full blog for session videos, slides, and key takeaways.

Recap: OpenSSF Community Day North America 2025

OpenSSF Community Day NA 2025 brought together a diverse open source security community in Denver for a packed day of insights, tools, and collaboration. From real-world deployments of SBOM, Sigstore, and GUAC to securing AI pipelines and exploring the new AStRA control plane framework, sessions moved beyond awareness into action. 

Read the full blog for recordings, slides, key takeaways and ways to get involved.

On-Demand Webinar: Cybersecurity Skills, Simplified

The on-demand webinar Cybersecurity Skills, Simplified: A Framework That Works brings together experts from IBM, Intel, Linux Foundation Education, and OpenSSF to address a critical challenge: making cybersecurity a shared responsibility across all roles. The panel introduces the Cybersecurity Skills Framework, an open, flexible tool that helps teams identify, map, and improve security skills organization-wide. With insights on setting security OKRs, scaling training, and creating accessible learning pathways, this webinar offers practical guidance for anyone looking to strengthen their team’s security posture. Learn more.

What’s in the SOSS? An OpenSSF Podcast:

#35 – S2E12 Building India’s Open Source Security Community: From Developer Nation to Security Champions

In this episode of What’s in the SOSS?, host CRob sits down with Ram Iyengar, OpenSSF’s India community representative, to explore the evolving landscape of open source security in India. Ram shares his journey from professor to evangelist, the launch of LF India, and the challenges of inspiring a security-first mindset in one of the world’s largest developer populations. The episode covers everything from building local community momentum to hosting regional events and video series, offering listeners both practical insights and a personal look at the passionate effort behind India’s growing open source security movement.

#34 – S2E11 From Lockpicking to Leadership: Tabatha DiDomenico on Security, Open Source, and Building Community

In this episode of What’s in the SOSS? host Yesenia Yser sits down with Tabatha DiDomenico, open source security engineer, community leader, and president of BSides Orlando for a compelling conversation about her unconventional path into open source, the power of community, and the often-overlooked impact of DevRel. From her first experience with Netscape to shaping security strategy at G-Research and OpenSSF, Tabatha reflects on how curiosity, volunteering, and intentional advocacy have fueled her journey. Whether you are new to open source or a longtime contributor, this episode offers heartfelt insights, practical advice, and a powerful reminder: community is everything.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

  • The Security-Focused Guide for AI Code Assistant Instructions that is being developed by the Best practices and the AI/ML WGs is now in final draft, under PR here.
  • Zarf released version v0.58.0 including image push & pull and SDK enhancements.
  • OpenBao recently released v2.3.1 with support for namespaces, CEL for JWT authentication and PKI issuance, and SSH multi-issuer support. The community is making progress on per-namespace sealing, HSM/KMS backed key material, and horizontal scalability, and just kicked off a UI working group.

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to


See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here! Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Jun 25
Love0

OpenSSF Newsletter – June 2025

By Newsletter

Welcome to the June 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations

The recent Tech Talk, “CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations,” brought together open source leaders to explore the practical impact of the EU’s Cyber Resilience Act (CRA). With growing pressure on OSS developers, maintainers, and vendors to meet new security requirements, the session provided a clear, jargon-free overview of what CRA compliance involves. 

Speakers included CRob (OpenSSF), Adrienn Lawson (Linux Foundation), Dave Russo (Red Hat), and David A. Wheeler (OpenSSF), who shared real-world examples of how organizations are preparing for the regulation, even with limited resources. The discussion also highlighted the LFEL1001 CRA course, designed to help OSS contributors move from confusion to clarity with actionable guidance. 

Watch the session here.

Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership

The Open Source Technology Improvement Fund (OSTIF) addresses a critical gap in open source security by conducting tailored audits for high-impact OSS projects often maintained by small, under-resourced teams. Through its active role in OpenSSF initiatives and strategic partnerships, OSTIF delivers structured, effective security engagements that strengthen project resilience. By leveraging tools like the OpenSSF Scorecard and prioritizing context-specific approaches, OSTIF enhances audit outcomes and fosters a collaborative security community. Read the full case study to explore how OSTIF is scaling impact, overcoming funding hurdles, and shaping the future of OSS security.

Blogs:

✹GUAC 1.0 is Now Available

Discover how GUAC 1.0 transforms the way you manage SBOMs and secure your software supply chain. This first stable release of the “Graph for Understanding Artifact Composition” platform moves beyond isolated bills of materials to aggregate and enrich data from file systems, registries, and repositories into a powerful graph database. Instantly tap into vulnerability insights, license checks, end-of-life notifications, OpenSSF Scorecard metrics, and more. Read the blog to learn more.

✹Maintainers’ Guide: Securing CI/CD Pipelines After the tj-actions and reviewdog Supply Chain Attacks

CI/CD pipelines are now prime targets for supply chain attacks. Just look at the recent breaches of reviewdog and tj-actions, where chained compromises and log-based exfiltration let attackers harvest secrets without raising alarms. In this Maintainers’ Guide, Ashish Kurmi breaks down exactly how those exploits happened and offers a defense-in-depth blueprint from pinning actions to full commit SHAs and enforcing MFA, to monitoring for tag tampering and isolating sensitive secrets that every open source project needs today. Read the full blog to learn practical steps for locking down your workflows before attackers do.

✹From Sandbox to Incubating: gittuf’s Next Step in Open Source Security

gittuf, a platform-agnostic Git security framework, has officially progressed to the Incubating Project stage under the OpenSSF marking a major milestone in its development, community growth, and mission to strengthen the open source software supply chain. By adding cryptographic access controls, tamper-evident logging, and enforceable policies directly into Git repositories without requiring developers to abandon familiar workflows, gittuf secures version control at its core. Read the full post to see how this incubation will accelerate gittuf’s impact and how you can get involved.

✹Choosing an SBOM Generation Tool

With so many tools to build SBOMs, single-language tools like npm-sbom and CycloneDX’s language-specific generators or multi‐language options such as cdxgen, syft, and Tern, how do you know which one to pick? Nathan Naveen helps you decide by comparing each tool’s dependency analysis, ecosystem support, and CI/CD integration, and reminds us that “imperfect SBOMs are better than no SBOMs.” Read the blog to learn more.

✹OSS and the CRA: Am I a Manufacturer or a Steward?

The EU Cyber Resilience Act (CRA) introduces critical distinctions for those involved in open source software particularly between manufacturers and a newly defined role: open source software stewards. In this blog, Mike Bursell of OpenSSF breaks down what these terms mean, why most open source contributors won’t fall under either category, and how the CRA acknowledges the unique structure of open source ecosystems. If you’re wondering whether the CRA applies to your project or your role this post offers clear insights and guidance. Read the full blog to understand your position in the new regulatory landscape.

What’s in the SOSS? An OpenSSF Podcast:

#33 – S2E10 “Bridging DevOps and Security: Tracy Ragan on the Future of Open Source”: In this episode of What’s in the SOSS, host CRob sits down with longtime open source leader and DevOps champion Tracy Ragan to trace her journey from the Eclipse Foundation to her work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF. CRob and Tracy dig into the importance of configuration management, DevSecOps, and projects like the OpenSSF Scorecard and Ortelius in making software supply chains more transparent and secure, plus strategies to bridge the education gap between security professionals and DevOps engineers.

 

#32 – S2E09 “Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-ReneĂ© Hayes”: In this episode of What’s in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-ReneĂ© Hayes to discuss the myths around DEIA and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

In the News:

  • ITOpsTimes – “Linux Foundation and OpenSSF launch Cybersecurity Skills Framework”
  • HelpNetSecurity – “Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed”
  • SiliconAngle“Linux Foundation debuts Cybersecurity Skills Framework to address enterprise talent gaps”
  • Security Boulevard – Linux Foundation Shares Framework for Building Effective Cybersecurity Teams
  • IT Daily – “Linux Foundation Launches Global Cybersecurity Skills Framework”
  • SC World – “New Cybersecurity Skills Framework seeks to bolster enterprise talent readiness”

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to


See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

May 22
Love0

OpenSSF Newsletter – May 2025

By Newsletter

Welcome to the May 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Here’s a quick summary of this month’s highlights: the OpenSSF Tech Talk showed how the Security Baseline helps projects enhance compliance and resilience; the Best Practices WG released the guide “Simplifying Software Component Updates” to prevent API‐compatibility vulnerabilities; the CFP for Community Day Europe (Amsterdam, August 28) closes May 26; the Cybersecurity Skills Framework offers a free, customizable way to align job roles with practical security skills (webinar June 11); Ericsson’s C/C++ Compiler Hardening Guide, now jointly maintained with OpenSSF, demonstrates the power of community-driven security practices; three fresh podcast episodes are live (#29 Stacey Potter, #30 GitHub’s SOS Fund, and #31 Cybersecurity Framework Launch); and our community continues to buzz with WG updates, upcoming Community Days in Tokyo, Denver, Hyderabad, Amsterdam and Seoul, and CFP for Open Source SecurityCon. 

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

The Linux Foundation and OpenSSF have released the Cybersecurity Skills Framework, a customizable global reference guide that aligns IT job roles with practical cybersecurity competencies. The framework defines foundational, intermediate, and advanced proficiency levels mapped to standards like DoD 8140, CISA NICE, and ICT e-CF, enabling organizations to assess and build security capabilities across job roles. 

Developed through global research and community feedback, the framework empowers enterprise leaders to close skills gaps, strengthen security culture, and systematically reduce cyber risk. Listen to the podcast, attend the webinar on Wednesday, June 11 at 11:00 am EDT. Learn more.

OpenSSF Tech Talk Recap: Using Security Baseline to Navigate Standards and Regulations

OSPSTechTalkRecap

The Open Source Security Foundation (OpenSSF) hosted a Tech Talk titled “How to Use the OSPS Baseline to Better Navigate Standards and Regulations” to help maintainers, contributors, and organizations apply the OSPS Baseline in real-world projects. This session offered practical guidance on enhancing compliance, reducing risk, and building more resilient open source software. Learn more.

New Guide on Simplifying Software Component Updates

NewGuideonSimplifyingSoftwareComponent Updates

The Open Source Security Foundation (OpenSSF) Best Practices Working Group has released the new guide Simplifying Software Component Updates. This guide by David A. Wheeler (The Linux Foundation) and Georg Kunz (Ericsson) gives software producers and consumers practical steps to simplify component compatibility. Applying the principles in this guide will eliminate many vulnerabilities in software. Backward-incompatible changes to an application programmer interface (API) often lead to unaddressed security vulnerabilities. Read the blog.

Call for Proposals for OpenSSF Community Day Europe Open Through 26 May, 2025

CFP

OpenSSF Community Day Europe takes place on Thursday, 28 August in Amsterdam, Netherlands, co-located with Open Source Summit EU. This event brings together contributors, maintainers, practitioners, and researchers to collaborate on securing the open source software we all rely on. Submit your proposals by 26 May 2025 on topics such as AI and ML in security, cyber resilience and supply chain security, OSS signatures and verification, real-world case studies, regulatory compliance, and enhanced security tooling. Learn more.

Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration

This case study highlights Ericsson’s collaboration with the OpenSSF on the C/C++ Compiler Options Hardening Guide, a pragmatic resource that maps compiler hardening flags to their performance and security impacts. Originally drafted by Ericsson’s product security team and donated to the OpenSSF, the guide is now maintained in the OpenSSF Best Practices Working Group. Community feedback from compiler maintainers, Linux distribution contributors, and projects like Wireshark, Chainguard, and CPython has refined its recommendations, leading to internal adoption at Ericsson and broader ecosystem uptake.

Ericsson’s work demonstrates how open sourcing practical security guidance and engaging the community can drive real improvements in C/C++ code hardening across the industry. Read the case study.

What’s in the SOSS? An OpenSSF Podcast:

#29 – S2E06 “Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter”: Meet Stacey Potter, OpenSSF’s new Community Manager, as she shares her journey into open source and her community first mindset.

#30 S2E07 “Scaling Security: Inside the GitHub Securing Open Source Software Fund”: Kevin Crosby and Xavier RenĂ©-Corail from GitHub discuss the Securing Open Source SOS Fund, its $10K stipends, lessons from cohort 1, and maintainer month.

#31 – S2E08 “Cybersecurity Framework Launch”: Delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to


See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team