Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea

search
Category

Blog

Jun 13
Love0

Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership

By Blog, Case Studies

Organization: Open Source Technology Improvement Fund, Inc. (OSTIF)
Contributor: Amir Montazery, Managing Director
Website: ostif.org

Problem

Critical open source software (OSS) projects—especially those that are long-standing and widely adopted—often lack the resources and systematic support needed to regularly review and improve their security posture. Many of these projects are maintained by small teams with limited bandwidth, making it challenging to conduct comprehensive security audits and implement best practices. The risk of undetected vulnerabilities in these projects presents a growing concern for the broader software ecosystem.

Action

To address this gap, OSTIF leverages its OpenSSF membership to conduct rigorous security audits of critical OSS projects. Using a curated process rooted in industry best practices, OSTIF delivers structured security engagements that improve real-world outcomes for maintainers and users alike.

Through active participation in OpenSSF’s Securing Critical Projects working group and Alpha-Omega initiatives since their inception, and through strategic partnership with organizations like Eclipse Foundation, OSTIF receives targeted funding and support to carry out its mission. These collaborations help prioritize high-impact projects and streamline audit administration—despite the inherent complexity of managing funding approvals and coordination. 

It’s pivotal that these important projects receive customized work. Each open source project is unique and so are its security needs, making standardization of audits difficult. OSTIF is able to invest time and expertise in scoping and organizing engagements to be tailored to the project’s best interests, necessities, and budget to generate effective investment in open source security.

OSTIF also incorporates other OpenSSF tools and services such as the OpenSSF Scorecard and the broader Securing Critical Projects Set, which complement its robust audit methodology and offer additional layers of insight into project health. In an ecosystem that is varied and complex, having security resources that can be applied to all projects contextually to generate impactful and sustainable security outcomes is incredibly valuable to all stakeholders, especially OSTIF.

Results

OSTIF’s work has demonstrated the effectiveness of formal security audits in strengthening OSS project resilience. As a member of OpenSSF, OSTIF has been able to expand its reach, increase audit throughput, and reinforce the security practices of some of the open source community’s most essential projects. Since 2021, OSTIF has facilitated numerous engagements funded by OpenSSF. In March of 2025, OSTIF published the results of the audit of RSTUF with OpenSSF’s funding and support. Additionally, 2 more Alpha-Omega funded engagements will be published later this year.

“OSTIF is grateful for the support from OpenSSF, particularly for funding security audits both directly and via Project Alpha-Omega, to help improve the security of critical OSS projects.”
 — Amir Montazery, Managing Director, OSTIF

In addition to the technical improvements achieved through audits, OSTIF’s OpenSSF membership has fostered valuable connections with project maintainers, security experts, and funders—creating a collaborative ecosystem dedicated to open source security. Building a community around security audits is a goal of OSTIFs; by sharing resources and providing a platform for researchers to present audit findings through meetups, their goal is to grow expertise and access to security knowledge of the average open source user. 

Key Benefits

  • Enhanced security posture of widely-used OSS projects.
  • Strategic collaboration with OpenSSF working groups.
  • Access to funding and expert networks.
  • Improved audit administration through community support.

Biggest Challenge

  • Navigating administrative processes and funding approval cycles for new audit projects.
  • Funding multi-year programs and engagements. 

To learn more about OSTIF’s work, visit their 2024 Annual Report. Visit their website at ostif.org or follow them on LinkedIn to stay up to date with audit releases.

May 30
Love0

Member Spotlight: Trail of Bits – Driving Open Source Security Through Standards, Prototypes, and Policy

By Blog

Trail of Bits is a leading cybersecurity research, engineering, and consulting firm that works with some of the most security-conscious organizations in the world—including Facebook, government agencies like DARPA, and prominent cryptocurrency protocols. Founded in 2012, each part of the company focused on open sourcing their work- tools,research, and audits wherever possible. Trail of Bits also maintains a dedicated research division focused on advancing industry-wide security practices, with specialized teams focused on securing open source infrastructure that both their clients and the broader technology ecosystem depend upon.

Key Contributions

Trail of Bits’ work spans both policy and practice, often bridging emerging security needs with real-world implementation. Here are a few of the ways they’ve made an impact:

  1. PEP 740 – Index-Hosted Attestations for PyPI
    In 2023, Trail of Bits authored and implemented PEP 740, which introduced support for digitally signed attestations for Python packaging. This new security feature helps developers verify the integrity and origin of packages—an important step toward a more secure and trustworthy software supply chain, and already more than 270,000 package distributions have already been uploaded with attestations. 
  2. Drafting Project Lifecycle Metadata Standards
    More recently, Trail of Bits drafted a new Python Enhancement Proposal that introduces lifecycle metadata—markers like “active,” “archived,” or “maintenance only”—that could be surfaced through PyPI’s API. While still under discussion, this draft shows their continued push to improve transparency and project health visibility for the broader Python ecosystem.
  3. OpenSSF Scorecard Dashboard Prototype
    In collaboration with OpenSSF, Trail of Bits built a prototype dashboard to help visualize OpenSSF Scorecard metrics across projects and over time. While the dashboard is not yet in public use, it provided valuable insights during development—including identification of a non-functioning Scorecard check—and helped shape conversations about visibility tooling and adoption patterns.
  4. Tooling and Publications
    Trail of Bits builds and open sources custom security tools across multiple domains—including static and dynamic analysis, AI/ML security, and fuzzing capabilities—maintaining them for public use and community benefit. This dedication to open source resources extends to their publication practices, where Trail of Bits regularly shares client audits, testing methodologies, and research through detailed blog posts and comprehensive handbooks that have become essential references in the security community. 
  5. Contributions to Secure Standards
    Their work spans other critical areas of open source security, including contributions to Sigstore, Homebrew build provenance (via Alpha-Omega), and other OpenSSF working groups. They continue to advocate for secure defaults and verifiable development practices across the OSS ecosystem.

Why It Matters

As open source continues to serve as the backbone of digital infrastructure, organizations like Trail of Bits play a vital role in making it more secure, reliable, and transparent. Their ability to influence both upstream policy (like PEPs) and downstream implementation (like OpenSSF Scorecard and Sigstore) helps move the entire ecosystem forward.

Looking Ahead

Trail of Bits remains actively engaged in exploring new opportunities for impact—whether that’s contributing technical guidance, launching prototypes, or leading standards discussions. Their work reflects the spirit of OpenSSF collaboration: practical, community-oriented, and always evolving.

Learn More

Visit trailofbits.com to explore their research and tooling.
To get involved in OpenSSF projects or working groups, visit openssf.org.

May 15
Love0

Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration

By Blog, Case Studies

Ericsson, a global leader in telecommunications and networking, has been deeply engaged in open source and software security for over a decade. Through its Open Source Program Office (OSPO), Ericsson coordinates its participation across multiple foundations and initiatives, including the Open Source Security Foundation (OpenSSF). This case study highlights Ericsson’s collaboration with the OpenSSF, with a specific focus on their C/C++ Compiler Option Hardening Guide, which has served as both an internal resource and a community contribution.

Problem

C++ remains a foundational language in many critical systems, but it’s notoriously difficult to use securely. Given the massive volume of existing C and C++ code underpinning today’s infrastructure, many organizations today face a familiar dilemma: how to improve the security of these systems without the unrealistic burden of rewriting everything in a memory-safe programming language. The team recognized the need for a pragmatic solution that could strengthen existing infrastructure.

Solution

Ericsson, together with partners found through its engagement in the OpenSSF, developed and released the C/C++ Compiler Option Hardening Guide as a practical approach to increasing software security through better compiler configurations. The guide maps out various hardening flags and compiler options, analyzing their implications on performance and security. Originally drafted by Ericsson’s product security team, the initial guide was donated to the OpenSSF and is now jointly developed in the Best Practices Working Group of the OpenSSF.

Open sourcing the guide proved invaluable. By contributing it to the OpenSSF, Ericsson gained access to a wider range of expertise—receiving high-quality feedback from compiler maintainers, Linux distribution contributors, and others across the ecosystem. These external insights not only validated Ericsson’s approach but improved the guide itself.

Results

  • The guide has been promoted internally at Ericsson and adopted or experimented with by community projects and organizations such as Wireshark, Chainguard, and the CPython project.
  • Feedback from community experts helped refine the guide, especially regarding how different compiler flags interact in real-world builds.
  • Ericsson’s work raised broader awareness about the importance of compiler-level hardening and provided a widely usable educational resource.
  • The collaborative development process reinforced the value of community feedback loops and pragmatic security practices.

Secondary Initiatives

In addition to the compiler guide, Ericsson is co-chairing the Best Practices Working Group and leading the development of a Python Secure Coding Guide therein.. The team also benefits from other OpenSSF work, such as threat modeling and participation in the AI/ML security working group.

“We’ve seen tremendous value in contributing our C/C++ Compiler Options Hardening Guide to the OpenSSF. The community feedback significantly improved the guide and validated our approach. It’s a win-win—for our internal teams and the broader open source ecosystem.” — Mikko Karikytö, Head of Product Security & CPSO 

Future Plans

Ericsson plans to continue contributing to and evolving its secure coding practices through collaboration with the OpenSSF. As part of that commitment, Ericsson encourages peers in telecom, networking, and adjacent industries to explore the C/C++ Compiler Options Hardening Guide, apply its recommendations, and contribute to its ongoing improvement.

🔹 Visit Ericsson’s Open Source Program Office (OSPO) page to learn more about their broader open source strategy.

🔹 Get involved with the OpenSSF Best Practices Working Group to shape and support secure software development practices.

About Ericsson and OpenSSF

Ericsson has been a vocal advocate for responsible open source use and software security. Its OSPO leads efforts across multiple standards bodies and open source foundations. The OpenSSF provides a vendor-neutral forum for collaboration on secure software development and supply chain security.

For more case studies, visit: https://openssf.org/case-studies/

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved