Newsletter – Page 2 – Open Source Security Foundation

Jul 23

OpenSSF Newsletter – July 2024

By OpenSSF Newsletter

Welcome to the July 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.

DOWNLOAD: What’s in the SOSS? An OpenSSF Podcast!
REGISTER: Secure Open Source Software (SOSS) Fusion Conference
JOIN: Attend an upcoming Working Group meeting

An Open Source Approach to Threat Mitigation in AWS

AnOpenSourceApproach

Securing cloud environments is a top priority for organizations today. Leveraging open source tools like Falco, combined with AWS Lambda, provides powerful solutions for monitoring and responding to security threats. Learn how Falco and Falco Talon can automate threat detection and response, ensuring robust cloud security.

A Deep Dive into SBOMit and Attestations

SBOMit and Attestations

December 2023 saw the launch of SBOMit, a project that helps enhance the reliability and integrity of SBOMs (Software Bills of Materials). It does so by including, along with SBOMs, a series of in-toto attestations that are produced while the software is being created. SBOMit is hosted under the OpenSSF Security Tooling Working Group.

But why are these attestations important for SBOMs and how do they work?

Read the blog to learn more.

Improving OpenSSF Scorecard Scores: StepSecurity Automation for Four Key Checks

ImprovingOpenSSFScorecardScores

Implementing security best practices is essential for open source maintainers to ensure their projects are secure and free from vulnerabilities. However, many maintainers find this task complex and time-consuming when done manually. The OpenSSF Scorecard offers an automated heuristic of how well key security processes are implemented in a project.

Chainguard Enhances Security With OSV Advisory Feed

OSV

In today’s rapidly evolving open source ecosystem, managing vulnerabilities efficiently is crucial. To address this, Chainguard is now publishing its security advisory feed in the Open Source Vulnerabilities (OSV) format. This integration aims to simplify vulnerability management and enhance security for users of open source software.

Why are Organizations Struggling to Implement Secure Software Development?

Cover_Secure_Software_Development_Education_2024_Survey

The Secure Software Development Education 2024 Survey, conducted through a partnership between the Open Source Security Foundation (OpenSSF) and Linux Foundation (LF) Research, examines the secure software development education needs of professionals in this field.

Learn How To Develop Secure Software!

Developing_Secure_Software

The Open Source Security Foundation (OpenSSF), in partnership with Linux Foundation Training & Certification, offers a free online training course, Developing Secure Software (LFD121). Those who complete the course and pass the final exam will earn a free certificate of completion valid for two years.

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 1

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability1

Could artificial intelligence (AI) practically help find and fix vulnerabilities in a scalable way? We don’t know for certain, but there’s hope that it could. In this article, we’ll look at a competition to encourage the development of AI-enabled tools that will automatically find and fix vulnerabilities.

The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development

StateofEducationReport

Linux Foundation Research and the Open Source Security Foundation (OpenSSF) are pleased to release a new report titled “Secure Software Development Education 2024 Survey: Understanding Current Needs.” Based on a survey of nearly 400 software development professionals, the analysis explores the current state of secure software development and underscores the urgent need for formalized industry education and training programs.

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 2

AIxCCChallenge_Part2

In part 1, we discussed the Artificial Intelligence Cyber Challenge (AIxCC), a two-year competition to create AI systems that find software vulnerabilities and develop fixes to them. We also discussed a specific vulnerability in the Linux kernel, called needle, as an example of the kind of vulnerability we’d like such tools to find and fix. In part 1 we discussed how such tools might be able to find vulnerabilities. Now let’s talk a little bit about how they might fix them. Real competitors in AIxCC might do things differently; this article simply helps us understand what they’re trying to do.

Recognizing Excellence in OSS Community: Golden Egg Award Nominations Are Now Open!

GoldenEggAwardEU

The Open Source Security Foundation (OpenSSF) is thrilled to announce that nominations for the Golden Egg Award are now open! This award honors individuals who have made outstanding contributions to the open source security community. After its successful debut at SOSS Community Day North America, the award is back to recognize more exceptional individuals at SOSS Community Day Europe this September. If you know someone who has demonstrated exceptional dedication and impact in our community, now is the time to nominate them for this esteemed recognition.

SD Times, Bad CrowdStrike Update Takes Down Windows Machines Around the World, Highlighting Importance of Gradual Roll-Outs and Software Quality
The Hacker News, Faulty CrowdStrike Update Crashes
Help Net Security, Developers Secure Coding Practices
Techopedia, Google, Nvidia, OpenAI and Others Team Up to Improve AI Security
TechCentral (Ireland), One in three software development professionals unaware of secure practices
Help Net Security, Most GitHub Actions Workflows Are Insecure in Some Way
Inside Cybersecurity, Open Source Group Calls for Prioritizing Cyber Awareness in Software Developer Training, Education
Dark Reading, The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
Cybersecurity Dive, Nearly 1 in 3 Software Development Professionals Unaware of Secure Practices
citybiz, The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
ITOps Times, Siren – ITOps Times Open Source Project of the Week
CSO, Top 10 Open Source Software Risks — and How to Mitigate Them
Techstrong TV, The Ins and Outs of Applying to GSoC
SD Times, Companies Still Need to Work on Security Fundamentals to Win in the Supply Chain Security Fight
GovInfoSecurity, How CISA Plans to Measure Trust in Open-Source Software

Meet OpenSSF at These Upcoming Events!

Black Hat USA: Aug. 7-8, 2024
DEF CON: Aug. 8 – 11, 2024
SOSS Community Day Europe: Sept. 19, 2024
SOSS Fusion Conference: Oct. 22-23, 2024
- Sponsorships available

Get Involved in OpenSSF

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, and LinkedIn

See You Next Month

We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month!

Regards,

The OpenSSF Team

Jun 18

Love0

OpenSSF Newsletter – June 2024

By OpenSSF Newsletter

Welcome to the June 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.

DOWNLOAD: What’s in the SOSS? An OpenSSF Podcast!
REGISTER: Secure Open Source Software (SOSS) Fusion Conference
JOIN: Attend an upcoming Working Group meeting

Call for Proposals: Submit to Speak at SOSS Fusion

We’re looking for proposals in the form of session presentations, panels, keynote sessions, and lightning talks. Submit to speak on any one of the following topics:

- OSPO: Security and Open Source Program Offices
- Maintainer Roles: Maintainer and Contributor roles in Securing Open Source Software
- Dev: Secure Open Source Software Integration in the Software Development Lifecycle
- Public Policy: Regulations to Improve the Security of Open Source Software
- End Users: Secure Open Source Software Supply Chains
- Dependencies: Understanding the OSS in Your Stack
- AI for Security: Leveraging AI to Secure Open Source Software
- Security for AI: Starting with Security for Open Source AI

Learn more about all suggested topics.

The Call for Proposals closes Friday, July 12, at 11:59 PM EDT.

SUBMIT TO SPEAK

OpenSSF Joins Open Source Consortium To Define E.U. CRA Security Specifications

The Open Source Security Foundation (OpenSSF), a project of the Linux Foundation focused on improving the security of open source software, is proud to announce its collaboration with the Eclipse Foundation and a leading open source consortium to work on the European Union’s (E.U.) Cyber Resilience Act (CRA).

Introducing Artifact Attestations—Now in Public Beta

There’s an increasing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100 million developers building on GitHub, we want to ensure that developers have the tools needed to help.

The Opportunity for DEI Participation in the Security Industry (And OpenSSF)

At Secure Open Source Software (SOSS) Community Day North America 2024, we held a panel discussion on DEI (Diversity, Equity and Inclusion) at Open Source Security Foundation (OpenSSF). In preparing for this discussion we had a lot of conversations and realized we each had diverse perspectives.

Beyond the OpenSSF: An Introduction to Other Security Efforts Across the Linux Foundation

The Open Source Security Foundation (OpenSSF)’s mission is to strengthen the open source software ecosystem through a collaborative initiative across industry. But did you know about the other initiatives focusing on strengthening open source security, happening across the Linux Foundation?

The OSS Security Adventure: Exploring the Frontlines of OSS Security through SOSS Policy Summit, RSA Conference, and Japan Meetup

OpenSSF is making waves globally, with our footprint evident in discussions and events across continents. Join us on an “OSS Security Adventure” as we delve into our impactful presence at the SOSS Policy Summit in Brussels, the RSA Conference in San Francisco, and our engaging meetup in Tokyo.

What’s in the SOSS? Podcast #6 – A Man Called CRob: Introducing the Newest Co-host of What’s in the SOSS?

Introducing our new co-host for “What’s in the SOSS?” podcast, Christopher Robinson (CRob). As the Director of Security Communications at Intel Corporation and Chair of OpenSSF’s Technical Advisory Committee, CRob’s 25 years of experience in various sectors will enrich our podcast discussions. The latest episode features his day-to-day activities, podcast vision, and advice for those entering cybersecurity.

Listen Here

OpenSSF Case Study: Enhancing Open Source Security with Sigstore at Stacklok

Stacklok Case Study

Stacklok, founded by Kubernetes co-creator Craig McLuckie and Sigstore creator Luke Hinds, enhances open source software security using Sigstore. By integrating Sigstore into their products, Trusty and Minder, Stacklok helps developers and maintainers secure their software supply chains with tools for artifact signing and verification. This case study highlights Stacklok’s commitment to making open source software safer and their contributions to the OpenSSF community.

Ubuntu Security Notices Now Available in OSV

In today’s rapidly evolving open source ecosystem, managing vulnerabilities efficiently is crucial. That’s why we’re excited to share that Canonical is now issuing Ubuntu Security Notices (USNs) in the open source OSV format. This collaboration aims to simplify vulnerability management and enhance security for our users.

OpenSSF Tech Talk: Proactive Supply Chain Security with GUAC

GUACTechTalkHighlight

In this Tech Talk, you will meet the GUAC maintainers as they cover the project and its recent release, roadmap plans, and how you can contribute. Cybersecurity threats are constantly and quickly changing, but GUAC can help you stay ahead.

Check out this blog for a summary of the tech talk highlights and watch experts discuss its benefits & real-world uses. Slides & recording are available.

Watch Now

Enhance Your Software Development Skills with OpenSSF’s Free Courses

OpenSSF offers two comprehensive, free courses designed to help software developers improve their skills in secure software development and supply chain security.

Developing Secure Software (LFD121)

This course covers the fundamentals of developing secure software and is available on the Linux Foundation Training & Certification platform. It is entirely online, self-paced, and takes about 14-18 hours to complete. Both the course and the certificate of completion are free. Upon finishing the course and passing the final exam, participants will earn a certificate valid for two years.

Securing Your Software Supply Chain with Sigstore (LFS182)

This course teaches software developers, DevOps engineers, security engineers, and software maintainers how to use Sigstore’s toolkit to enhance software supply chain security. It covers the use of Cosign, Fulcio, and Rekor tools and is available on the Linux Foundation Training & Certification platform. The course is free, online, self-paced, and takes about 8 hours to complete. Familiarity with Linux terminals, command line tools, and intermediate cloud computing and DevOps concepts is recommended.

Learn More

In the News

Politico, Trying to tame crypto
CyberWire Daily podcast, The secrets of a dark web drug lord
DevOps.com, OpenSSF Siren: Security for One, Security for All
SC Media, New OpenSSF initiative provides threat intelligence on open source projects
Help Net Security, Authelia: Open-source authentication and authorization server
CyberScoop, Omkhar Arasaratnam on open source security; AI dogfighting
Redefining Cybersecurity Podcast, Why the Industry Needs OpenSSF | A Conversation with Omkhar Arasaratnam, Adrianne Marcum, Arun Gupta, and Christopher Robinson | Redefining CyberSecurity with Sean Martin
SecurityWeek, Fireside Chat: Bennett Pursell on the OpenSSF Siren Threat Intel Project
SecurityBrief UK, OpenSSF joins forces with Eclipse Foundation for EU CRA initiative
KubeFM, Stack security: cluster policies, secrets management, and building trust
CSO, Third-party software supply chain threats continue to plague CISOs
InfoRiskToday, NIST Unveils Plan to Restore National Vulnerability Database
The New Stack, Commonhaus Foundation Launches at Critical Time for OSS
tl;dr sec newsletter, [tl;dr sec] #233 – Awesome Detection Engineering, Security GPTs, How to Build a Cybersecurity Start-up
TechTarget, Be prepared for open source software risks
Computer Weekly, Building a more secure, and sustainable, open source ecosystem
The New Stack, What Developers Can Grok From the Latest PyPI Package Attack
HackerNoon, How a Malicious Xz Utils Update Nearly Caused a Catastrophic Cyberattack on Linux Systems Worldwide
SC Magazine, The State of AppSec in 2024: Expanded use, expanded attack surface
The New Stack, XZ Security Incident: The Importance of Reputation in Security

Meet OpenSSF at These Upcoming Events!

- CloudNativeSecurityCon: June 26-27, 2024
- OSPOs for Good 2024 Conference: July 9-10, 2024
- What’s Next for Open Source?: Jul 11, 2024
- Black Hat USA: Aug. 7-8, 2024
- DEF CON: Aug. 8 – 11, 2024
- SOSS Community Day Europe: Sept. 19, 2024
- SOSS Fusion Conference: Oct. 22-23, 2024
  - CFP now open
  - Sponsorships available

Get Involved in OpenSSF

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, and LinkedIn

See You Next Month

We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month!

Regards,

The OpenSSF Team

May 22

Love0

OpenSSF Newsletter – May 2024

By OpenSSF Newsletter

Welcome to the May 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.

DOWNLOAD: What’s in the SOSS? An OpenSSF Podcast!
REGISTER: Secure Open Source Software (SOSS) Fusion Conference
JOIN: Attend an upcoming Working Group meeting

Enhancing Open Source Security: Introducing Siren by OpenSSF

Introducing SIren

In the rapidly changing landscape of cybersecurity threats, collaboration and information sharing are essential. Now, more than ever, the open source community needs a centralized platform to exchange threat intelligence efficiently. Introducing Siren, a threat intelligence sharing platform hosted by Open Source Security Foundation (OpenSSF), a groundbreaking initiative aims to strengthen the defenses of open source projects globally.

Join Our Upcoming OpenSSF Tech Talk: Proactive Supply Chain Security with GUAC

Guac

Don’t miss our upcoming Tech Talk, “Proactive Supply Chain Security with GUAC,” on June 6, 2024, at 10 AM PT/1 PM ET. In this Tech Talk, you will meet the GUAC maintainers as they cover the project and its recent release, roadmap plans, and how you can contribute.

Cybersecurity threats are constantly and quickly changing, but GUAC can help you stay ahead.

Call for Proposals: Submit to Speak at SOSS Community Day Europe

SOSS Community Day EU

Join us in Vienna, Austria, for the Secure Open Source Software (SOSS) Community Day Europe 2024. This enriching event will bring together members from across the security and open source ecosystem to exchange ideas and advancements. Formerly known as OpenSSF Days, SOSS Community Days reflect our broader commitment to fortifying the security of open source software. The Call for Proposals (CFPs) is open until June 16.

Unlock the Keys to Improved Software Security

Unlock the Keys

In today’s digital world, software security is under constant threat. Attackers exploit vulnerabilities, typosquatting, dependency confusion, and even infiltrate developer accounts. To combat these threats, developers must adopt robust security measures.

Read David A. Wheeler’s latest blog, based on his talk at the Open Source Summit North America (OSS NA) 2024, which outlines essential steps for enhancing software security. He highlights the increasing threat of supply chain attacks, both in open and closed source software, and provides practical guidance from the Open Source Security Foundation (OpenSSF).

Recap of SOSS Community Day North America 2024

SOSSCDNA1

On April 15, 2024, Secure Open Source Software (SOSS) Community Day North America (NA) brought together the open source community in Seattle to delve into discussions surrounding the challenges, overarching solutions, ongoing initiatives, and triumphs in fortifying the open source software (OSS) supply chain. Alongside dedicated SOSS contributors and thought leaders, we embarked on an in-depth exploration of topics such as security best practices, vulnerability discovery, securing critical projects, and the evolving landscape of OSS security.

Press Release: OpenSSF Taps Bruce Schneier to Discuss AI and OSS Security During Keynote at SOSS Fusion Conference 2024

Keynote Announced

The Open Source Security Foundation (OpenSSF) announced that internationally renowned technologist Bruce Schneier will serve as the keynote speaker for its inaugural Secure Open Source Software (SOSS) Fusion Conference 2024. Early registration is open for the event, which will take place from Oct. 22 – 23, 2024, in Atlanta, GA.

Register by Aug. 9 for special early bird giveaways! Gain access to interactive workshops, in-depth discussions and valuable sessions about securing open source software

Spotlight on the OpenSSF AI/ML Working Group

AI/ML Working Group

What do open source software, security, and AI/ML have in common? In this blog, Mihai Maruseac and Jay White from the OpenSSF AI/ML Working Group delve into this intersection. Almost a year ago, experts at the confluence of security and AI/ML united under the OpenSSF umbrella to form this group. Their mission is to secure AI/ML, addressing the rapid spread of AI technology and the increasing frequency of security incidents in AI-related products.

Discover how this working group is tackling the unique challenges posed by the intersection of these critical fields.

Beyond Scores with OpenSSF Scorecard: Granular Structured Results for Custom Policy Enforcement

Beyond Scores with OpenSSF Scorecard

In this blog, By Adam Korczynski, David Korczynski, Spencer Schrock, Laurent Simon present the OpenSSF Scorecard, a tool to help open source projects reduce software supply-chain risks. The Scorecard analyzes projects based on a series of heuristics, generating scores from 0 to 10—where 0 indicates high-risk practices and 10 signifies adherence to security best practices. These individual scores are combined into an overall Scorecard score.

The broad scope of Scorecard supports various use cases, from risk management to policy-driven decision making. This blog post focuses on a specific use case that allows Scorecard to be tailored to each consumer’s unique requirements through a novel feature called “structured results.” Learn how structured results can enhance your project’s security assessment and policy enforcement.

Join Us at SOSS Fusion 2024 in Atlanta

SOSS Fusion 24

Don’t miss SOSS Fusion 2024, taking place October 22-23. This event brings together nearly 500 professionals from diverse sectors—ranging from software development to cybersecurity.

Here’s what you can expect:

Expert-led Sessions: Engage with industry leaders through Lightning Talks, presentations, and keynotes, covering key tech trends in AI, Containers, Microservices, and IoT.
Unmatched Networking: Connect with top technical minds during our renowned “hallway track,” fostering collaborations to solve current and future challenges.
All-Inclusive Access: Register by August 9 for just $399, which includes access to all sessions, breakfast, breaks, and exclusive evening events.

Experience the future of technology and security at SOSS Fusion 2024!

Sponsor

News from CNCF: CloudNativeSecurity Con

Discover the forefront of cybersecurity in cloud-native environments at CloudNativeSecurityCon, the premier conference showcasing cutting-edge trends, best practices, and innovative solutions. Engage with industry experts and professionals as we delve into the dynamic landscape of securing cloud-native infrastructure and applications. Exciting news: schedule is now live! Don’t miss out—secure your spot by registering today!

In the News

SC Media UK, Node.js 22 is now available
Dark Reading, Attacker Social-Engineered Backdoor Code Into XZ Utils
InfoQ, SSH Backdoor from Compromised XZ Utils Library
SDxCentral, Red Hat builds DevSecOps trust in the software supply chain
Smarttech, Cybersecurity Week in Review (19/04/24)
IT Brew, Backdoor attempt on xz Utils likely one of several open-source sabotage attempts, foundations say
Security Boulevard, Key Areas Where Open-Source Security Needs to Evolve
Devmio, Women in Tech: “Be curious, be willing to work hard, and be willing to speak up”
O’Reilly Radar, Radar Trends to Watch: May 2024
Gizmodo, Open-Source Cybersecurity Is a Ticking Time Bomb
Infosecurity Magazine, RSAC: Three Strategies to Boost Open-Source Security
Quartz, Open-source cybersecurity could derail the internet as we know it

Meet OpenSSF at These Upcoming Events!

- Tech Talk: Proactive Supply Chain Security with GUAC: June 6, 2024
- CloudNativeSecurityCon: June 26-27, 2024
- OSPOs for Good 2024 Conference: July 9-10, 2024
- Black Hat USA: Aug. 7-8, 2024
- DEF CON: Aug. 8 – 11, 2024
- SOSS Community Day Europe: Sept. 19, 2024

SOSS Fusion Conference: Oct. 22-23, 2024

- CFP now open
- Sponsorships available

Get Involved in OpenSSF

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, and LinkedIn

See You Next Month

We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month!

Regards,

The OpenSSF Team

Mar 04

Love0

Week at a Glance – Mar 4

By OpenSSF Newsletter

Community Updates

Metrics & Metadata WG

The Working Group “Metrics & Metadata” (formerly “Identifying Security Threats”) started three years ago by releasing the first version of the paper “Threats, Risks, and Mitigations in the Open Source Ecosystem” to help open source maintainers and contributors identify threats in the development cycles of a project and evaluate risks in the open source ecosystem.

Keeping in mind this purpose, the Working Group has continued to work on projects that could help open source consumers to better evaluate the health of open source projects.

We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.

Working Group Calendar: Metrics & Metadata WG meeting on Tuesday @ 6 PM (UTC) every 2 weeks.

Slack Channel: #wg_metrics_and_metadata

GitHub Repositories:

ossf/wg-metrics-and-metadata
ossf/security-insights-spec
ossf/si-tooling

Projects:

SECURITY INSIGHTS Specification
Risk Assessment Dashboard SIG

Luigi Gubello (Co-Lead of Metrics & Metadata Working Group)

Micheal Scovetta (Co-Lead of Metrics & Metadata Working Group)

Last Updates:

We have improved the Docker container to run the SECURITY INSIGHTS Validator (ossf/si-tooling) by making it easier to use.
We have published a GitHub Action (luigigubello/security-insights-validator-ga) to run the SECURITY INSIGHTS Validator directly in the GitHub Workflows.
We are actively working on the release v1.1 of the SECURITY INSIGHTS specification.

Everyone is welcome, and we appreciate contributions, questions, feedback, and help because they assist us in improving our work. 🌸 Don’t be afraid if you don’t work in the info security field; we genuinely value contributions from individuals with diverse backgrounds 🦄.

OpenSSF Supports White House’s Efforts to Build More Secure and Measurable Software

Efforts to Build More Secure and Measurable Software
The US Office of the National Cyber Director (ONCD) report Back to the Building Blocks: A Path Toward Secure and Measurable Software, was released today. The report provides valuable insights into strategies to improve software security. This paper emphasizes the importance of proactive measures in mitigating vulnerabilities by examining pivotal principles such as memory safety, measurements, and metrics to help enhance software security. The OpenSSF supports efforts like this from the public sector, which improve the security of open source software. Read more.

SOSS Community Day North America (NA) Agenda Live

SOSS Community Day register now

We’re excited to announce that the agenda for Secure Open Source Software (SOSS) Community Day NA on April 15, 2024 is now available! Join us for a day of technical talks, panels, and a Table Top Exercise (TTX). SOSS Community Day is co-located with Open Source Summit North America in Seattle, WA. Read more.

Golden Egg Award: Celebrating Exceptional Contributions in the OpenSSF Community

In Open Source Security Foundation (OpenSSF), we shine a light on those who go above and beyond in enriching our community. The Golden Egg Awards recognize individuals as the driving force behind innovation. Read more.

In the Headlines

TechTarget, Linkerd paywall prompts online debate, CNCF TOC review, Beth Pariseau
Security Boulevard, A demand for real consequences: Sonatype’s response to CISA’s Secure by Design, Brian Fox
InfoQ, Sigstore: Secure and Scalable Infrastructure for Signing and Verifying Software

Don’t Forget…

Mar 04

Love0

This Week at OpenSSF – Feb 26

By OpenSSF Newsletter

Community Updates

SOSS Task Force – Trusted Repository Security Initiative (TRSI-TF)

Advocating for Transparent and Secure Practices

Embrace Transparency and Security: Advocate for open, secure practices to foster a trusted, innovative environment.
Champion Trusted Communities: Join a proactive network using the “Scorecard” to elevate security in package ecosystems.
Innovate with the DNS System: Help forge a layered trust system, enhancing security across repositories.
Vet Beyond the Norm: Be part of a vanguard validating security beyond DNS, setting the highest standards.

To join, simply fill out this Doodle Poll to show your interest!

Open Source Security Integration and Enhancement Task Force (OSSIE-TF)

Fortifying the Backbone of Software Supply Chains

Unite for Security Standards: Help craft universal security protocols and guidelines to protect package managers and users against prevalent threats.
Collaborate for a Safer Ecosystem: Work alongside diverse package managers and dedicated working groups to exchange vital threat intelligence, strengthening our collective defense.
Specialize in Threat Modeling: Take on the challenge of differentiating between malicious threats and vulnerabilities within top repositories. Your insights will safeguard platforms like NPM, PyPI, Gradle, Maven, and more.
Together, let’s build a secure and resilient software infrastructure.

To join, simply fill out this Doodle Poll to show your interest!

End User Group – OpenSSF End User Working Group

Driving OpenSSF Mission for Better Security

Mission: Ensure the End User’s distinct and impactful voice is heard in the development and delivery of the technical vision of the Open Source Security Foundation.
Objectives:
- Represents the interests of public and private sector organizations that primarily consume open source.
- Ensures the use cases for end user consumption of Open Source software are factored into OSSF programs.
- Provides resources to develop and implement efficient strategies, processes, tools, and best practices that secure software supply chains.
- Aims to educate other consumers on the risks associated with supply chain security.
OpenSSF Community Calendar Events:
- End User WG meeting on Thursday @ 9 am CST every 2 weeks
- End User WG -Refining Architecture and Threat Modelling meeting every Monday @ 11.30 am CST every week.

Communication Channels
- Slack
- Github issues
Work & Progress:
- Ingestion Manifesto blog
- Threat Modeling blog
- Putting together a detailed threat modeling document

Please join our team and work with us to identify threats, provide guidance on ingestion of open source software from an end user’s perspective. Let us together raise awareness of these issues and provide detailed guidance on how to mitigate threats with the Open Source supply chain to make it secure.

Reach out to operations@openssf.org if interested to participate and join our End User WG group.

Submit to Speak at SOSS Fusion 2024

CFP Open

The Secure Open Source Software (SOSS) Fusion Conference by the OpenSSF is a leading event for open source professionals, uniting diverse experts from software developers to CISOs and tech pioneers. It’s not just an event; it’s a push toward a more secure digital future. Read more.

OpenSSF Responds to US CISA RFI on Cybersecurity Risk and Secure by Design Software

Cybersecurity Risk and Secure by Design Software

OpenSSF has submitted a response to the Request For Information (RFI) on Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software issued by the US Cybersecurity and Infrastructure Security Agency (CISA). Read more.

In the Headlines

Omkhar’s comments on Apple’s new PQ3 post-quantum encryption for iMessage appeared in TechTarget and Tech Briefly.
The Alpha-Omega annual report was covered in SD Times, Inside Dev and The CyberWire.

Don’t Forget…

Feb 20

Love0

OpenSSF Week at a Glance – Feb 20

By aliu Newsletter

Announcing the First Ever SOSS Fusion Conference: How You Can Get Involved

We are thrilled to announce the first ever Secure Open Source Software (SOSS) Fusion Conference 2024, a two-day conference hosted by the OpenSSF in Atlanta, GA. Set to take place on October 22-23, 2024, at The Hotel at Avalon, this event is dedicated to Securing Open Source Software (SOSS). The event registration is now open, and we invite you to join this event to contribute to the discussions around open source software security.

OpenSSF Participates in Department of Commerce Consortium Dedicated to AI Safety

Jan 15

Love0

OpenSSF Newsletter: January 2024

By craig Newsletter

Open Source Security Foundation(OpenSSF) – Who We Are

The OpenSSF is a diverse global community dedicated to making the world a better place through open source software. Join us in enhancing the security of open source, and together, let’s create a safer world. Check out our new video!

OpenSSF Election Results for Technical Advisory Council and Representatives to the Governing Board

We are thrilled to kick off 2024 by announcing the OpenSSF representatives to the Governing Board and the establishment of a new and expanded Technical Advisory Council elected by the community. Congratulations, and we look forward to a great year ahead!