Newsletter

Community Updates

Metrics & Metadata WG

The Working Group “Metrics & Metadata” (formerly “Identifying Security Threats”) started three years ago by releasing the first version of the paper “Threats, Risks, and Mitigations in the Open Source Ecosystem” to help open source maintainers and contributors identify threats in the development cycles of a project and evaluate risks in the open source ecosystem. 

Keeping in mind this purpose, the Working Group has continued to work on projects that could help open source consumers to better evaluate the health of open source projects. 

We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part. 

Working Group Calendar: Metrics & Metadata WG meeting on Tuesday @ 6 PM (UTC) every 2 weeks.

Slack Channel: #wg_metrics_and_metadata

GitHub Repositories:

• ossf/wg-metrics-and-metadata
• ossf/security-insights-spec
• ossf/si-tooling

Projects:

• SECURITY INSIGHTS Specification
• Risk Assessment Dashboard SIG

Luigi Gubello (Co-Lead of Metrics & Metadata Working Group)

Micheal Scovetta (Co-Lead of Metrics & Metadata Working Group)

Last Updates:

• We have improved the Docker container to run the SECURITY INSIGHTS Validator (ossf/si-tooling) by making it easier to use.
• We have published a GitHub Action (luigigubello/security-insights-validator-ga) to run the SECURITY INSIGHTS Validator directly in the GitHub Workflows.
• We are actively working on the release v1.1 of the SECURITY INSIGHTS specification.

Everyone is welcome, and we appreciate contributions, questions, feedback, and help because they assist us in improving our work. 🌸 Don’t be afraid if you don’t work in the info security field; we genuinely value contributions from individuals with diverse backgrounds 🦄.

OpenSSF Supports White House’s Efforts to Build More Secure and Measurable Software

The US Office of the National Cyber Director (ONCD) report Back to the Building Blocks: A Path Toward Secure and Measurable Software, was released today. The report provides valuable insights into strategies to improve software security. This paper emphasizes the importance of proactive measures in mitigating vulnerabilities by examining pivotal principles such as memory safety, measurements, and metrics to help enhance software security. The OpenSSF supports efforts like this from the public sector, which improve the security of open source software.  Read more.

SOSS Community Day North America (NA) Agenda Live

We’re excited to announce that the agenda for Secure Open Source Software (SOSS) Community Day NA on April 15, 2024 is now available! Join us for a day of technical talks, panels, and a Table Top Exercise (TTX). SOSS Community Day is co-located with Open Source Summit North America in Seattle, WA.  Read more.

Golden Egg Award: Celebrating Exceptional Contributions in the OpenSSF Community

In Open Source Security Foundation (OpenSSF), we shine a light on those who go above and beyond in enriching our community. The Golden Egg Awards recognize individuals as the driving force behind innovation. Read more.

In the Headlines

• TechTarget, Linkerd paywall prompts online debate, CNCF TOC review, Beth Pariseau
• Security Boulevard, A demand for real consequences: Sonatype’s response to CISA’s Secure by Design, Brian Fox
• InfoQ, Sigstore: Secure and Scalable Infrastructure for Signing and Verifying Software

Don’t Forget…

Community Updates

SOSS Task Force – Trusted Repository Security Initiative (TRSI-TF)

Advocating for Transparent and Secure Practices

• Embrace Transparency and Security: Advocate for open, secure practices to foster a trusted, innovative environment.
• Champion Trusted Communities: Join a proactive network using the “Scorecard” to elevate security in package ecosystems.
• Innovate with the DNS System: Help forge a layered trust system, enhancing security across repositories.
• Vet Beyond the Norm: Be part of a vanguard validating security beyond DNS, setting the highest standards.

To join, simply fill out this Doodle Poll to show your interest!

Open Source Security Integration and Enhancement Task Force (OSSIE-TF)

Fortifying the Backbone of Software Supply Chains

• Unite for Security Standards: Help craft universal security protocols and guidelines to protect package managers and users against prevalent threats.
• Collaborate for a Safer Ecosystem: Work alongside diverse package managers and dedicated working groups to exchange vital threat intelligence, strengthening our collective defense.
• Specialize in Threat Modeling: Take on the challenge of differentiating between malicious threats and vulnerabilities within top repositories. Your insights will safeguard platforms like NPM, PyPI, Gradle, Maven, and more.
• Together, let’s build a secure and resilient software infrastructure.

To join, simply fill out this Doodle Poll to show your interest!

End User Group – OpenSSF End User Working Group

Driving OpenSSF Mission for Better Security

• Mission: Ensure the End User’s distinct and impactful voice is heard in the development and delivery of the technical vision of the Open Source Security Foundation.
• Objectives:
  • Represents the interests of public and private sector organizations that primarily consume open source.
  • Ensures the use cases for end user consumption of Open Source software are factored into OSSF programs.
  • Provides resources to develop and implement efficient strategies, processes, tools, and best practices that secure software supply chains.
  • Aims to educate other consumers on the risks associated with supply chain security.
• OpenSSF Community Calendar Events:
  • End User WG meeting on Thursday @ 9 am CST every 2 weeks
  • End User WG -Refining Architecture and Threat Modelling meeting every Monday @ 11.30 am CST every week.

• Communication Channels
  • Slack
  • Github issues
• Work & Progress:
  • Ingestion Manifesto blog
  • Threat Modeling blog
  • Putting together a detailed threat modeling document

Please join our team and work with us to identify threats, provide guidance on ingestion of open source software from an end user’s perspective. Let us together raise awareness of these issues and provide detailed guidance on how to mitigate threats with the Open Source supply chain to make it secure.

Reach out to operations@openssf.org if interested to participate and join our End User WG group.

Announcing the First Ever SOSS Fusion Conference: How You Can Get Involved

OpenSSF Participates in Department of Commerce Consortium Dedicated to AI Safety

The Open Source Security Foundation (OpenSSF) is participating in the Biden-Harris Administration’s first-ever Consortium Dedicated to AI Safety, led by the US Department of Commerce. We join over 200 leading artificial intelligence (AI) stakeholders in supporting the development and deployment of trustworthy and safe AI along with other Linux Foundation (LF) projects including LF AI & Data, SPDX, and C2PA. 

 

Linux Kernel Achieves CVE Numbering Authority Status

The Linux kernel has achieved a significant milestone in open source software security. It has been authorized as a CVE Numbering Authority (CNA) by the CVE Program. Being a CNA enables the Linux kernel team to manage the vulnerabilities with more accuracy and higher quality in the future.  As Linux Foundation Fellow Greg Kroah-Hartman pointed out in his blog: “This announcement is just the first step, allowing us to be the manager of the CVE allocation process for Linux.”

 

Scaling Up Supply Chain Security: Implementing Sigstore for Seamless Container Image Signing

In this case study, we will explore how Yahoo leverages Sigstore, in concert with Athenz, an open source platform for managing X.509 certificates, as an internal Certificate Authority, to sign and verify container images.

 

Alpha-Omega 2023 Annual Report

In 2023, Alpha-Omega provided ten grants to eight organizations totalling over $2.8 million dollars, with an average grant size of just over $350,000. Together with OpenSSF, Alpha-Omega’s mission is to catalyze sustainable security improvements within the most critical open source projects and ecosystems. Read the blog for key highlights from 2023.

 

In the Headlines

• The Hacker News: CISA and OpenSSF Release Framework for Package Repository Security
• Security Boulevard: The Principles for Package Repository Security: An Overview

Don’t Forget…