Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea | Open Source SecurityCon

search
Category

Blog

May 30
Love0

Member Spotlight: Trail of Bits – Driving Open Source Security Through Standards, Prototypes, and Policy

By Blog

Trail of Bits is a leading cybersecurity research, engineering, and consulting firm that works with some of the most security-conscious organizations in the world—including Facebook, government agencies like DARPA, and prominent cryptocurrency protocols. Founded in 2012, each part of the company focused on open sourcing their work- tools,research, and audits wherever possible. Trail of Bits also maintains a dedicated research division focused on advancing industry-wide security practices, with specialized teams focused on securing open source infrastructure that both their clients and the broader technology ecosystem depend upon.

Key Contributions

Trail of Bits’ work spans both policy and practice, often bridging emerging security needs with real-world implementation. Here are a few of the ways they’ve made an impact:

  1. PEP 740 – Index-Hosted Attestations for PyPI
    In 2023, Trail of Bits authored and implemented PEP 740, which introduced support for digitally signed attestations for Python packaging. This new security feature helps developers verify the integrity and origin of packages—an important step toward a more secure and trustworthy software supply chain, and already more than 270,000 package distributions have already been uploaded with attestations. 
  2. Drafting Project Lifecycle Metadata Standards
    More recently, Trail of Bits drafted a new Python Enhancement Proposal that introduces lifecycle metadata—markers like “active,” “archived,” or “maintenance only”—that could be surfaced through PyPI’s API. While still under discussion, this draft shows their continued push to improve transparency and project health visibility for the broader Python ecosystem.
  3. OpenSSF Scorecard Dashboard Prototype
    In collaboration with OpenSSF, Trail of Bits built a prototype dashboard to help visualize OpenSSF Scorecard metrics across projects and over time. While the dashboard is not yet in public use, it provided valuable insights during development—including identification of a non-functioning Scorecard check—and helped shape conversations about visibility tooling and adoption patterns.
  4. Tooling and Publications
    Trail of Bits builds and open sources custom security tools across multiple domains—including static and dynamic analysis, AI/ML security, and fuzzing capabilities—maintaining them for public use and community benefit. This dedication to open source resources extends to their publication practices, where Trail of Bits regularly shares client audits, testing methodologies, and research through detailed blog posts and comprehensive handbooks that have become essential references in the security community. 
  5. Contributions to Secure Standards
    Their work spans other critical areas of open source security, including contributions to Sigstore, Homebrew build provenance (via Alpha-Omega), and other OpenSSF working groups. They continue to advocate for secure defaults and verifiable development practices across the OSS ecosystem.

Why It Matters

As open source continues to serve as the backbone of digital infrastructure, organizations like Trail of Bits play a vital role in making it more secure, reliable, and transparent. Their ability to influence both upstream policy (like PEPs) and downstream implementation (like OpenSSF Scorecard and Sigstore) helps move the entire ecosystem forward.

Looking Ahead

Trail of Bits remains actively engaged in exploring new opportunities for impact—whether that’s contributing technical guidance, launching prototypes, or leading standards discussions. Their work reflects the spirit of OpenSSF collaboration: practical, community-oriented, and always evolving.

Learn More

Visit trailofbits.com to explore their research and tooling.
To get involved in OpenSSF projects or working groups, visit openssf.org.

May 15
Love0

Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration

By Blog, Case Studies

Ericsson, a global leader in telecommunications and networking, has been deeply engaged in open source and software security for over a decade. Through its Open Source Program Office (OSPO), Ericsson coordinates its participation across multiple foundations and initiatives, including the Open Source Security Foundation (OpenSSF). This case study highlights Ericsson’s collaboration with the OpenSSF, with a specific focus on their C/C++ Compiler Option Hardening Guide, which has served as both an internal resource and a community contribution.

Problem

C++ remains a foundational language in many critical systems, but it’s notoriously difficult to use securely. Given the massive volume of existing C and C++ code underpinning today’s infrastructure, many organizations today face a familiar dilemma: how to improve the security of these systems without the unrealistic burden of rewriting everything in a memory-safe programming language. The team recognized the need for a pragmatic solution that could strengthen existing infrastructure.

Solution

Ericsson, together with partners found through its engagement in the OpenSSF, developed and released the C/C++ Compiler Option Hardening Guide as a practical approach to increasing software security through better compiler configurations. The guide maps out various hardening flags and compiler options, analyzing their implications on performance and security. Originally drafted by Ericsson’s product security team, the initial guide was donated to the OpenSSF and is now jointly developed in the Best Practices Working Group of the OpenSSF.

Open sourcing the guide proved invaluable. By contributing it to the OpenSSF, Ericsson gained access to a wider range of expertise—receiving high-quality feedback from compiler maintainers, Linux distribution contributors, and others across the ecosystem. These external insights not only validated Ericsson’s approach but improved the guide itself.

Results

  • The guide has been promoted internally at Ericsson and adopted or experimented with by community projects and organizations such as Wireshark, Chainguard, and the CPython project.
  • Feedback from community experts helped refine the guide, especially regarding how different compiler flags interact in real-world builds.
  • Ericsson’s work raised broader awareness about the importance of compiler-level hardening and provided a widely usable educational resource.
  • The collaborative development process reinforced the value of community feedback loops and pragmatic security practices.

Secondary Initiatives

In addition to the compiler guide, Ericsson is co-chairing the Best Practices Working Group and leading the development of a Python Secure Coding Guide therein.. The team also benefits from other OpenSSF work, such as threat modeling and participation in the AI/ML security working group.

“We’ve seen tremendous value in contributing our C/C++ Compiler Options Hardening Guide to the OpenSSF. The community feedback significantly improved the guide and validated our approach. It’s a win-win—for our internal teams and the broader open source ecosystem.” — Mikko Karikytö, Head of Product Security & CPSO 

Future Plans

Ericsson plans to continue contributing to and evolving its secure coding practices through collaboration with the OpenSSF. As part of that commitment, Ericsson encourages peers in telecom, networking, and adjacent industries to explore the C/C++ Compiler Options Hardening Guide, apply its recommendations, and contribute to its ongoing improvement.

🔹 Visit Ericsson’s Open Source Program Office (OSPO) page to learn more about their broader open source strategy.

🔹 Get involved with the OpenSSF Best Practices Working Group to shape and support secure software development practices.

About Ericsson and OpenSSF

Ericsson has been a vocal advocate for responsible open source use and software security. Its OSPO leads efforts across multiple standards bodies and open source foundations. The OpenSSF provides a vendor-neutral forum for collaboration on secure software development and supply chain security.

For more case studies, visit: https://openssf.org/case-studies/

May 14
Love0

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

By Blog, Press Release

New Customizable Global Framework Aligns IT Job Roles with Practical Cybersecurity Skills

SAN FRANCISCO, CA – May 14, 2025 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists. Produced in collaboration with the Open Source Security Foundation (OpenSSF) and Linux Foundation Education, the framework delivers actionable guidance to enterprise leaders looking to systematically reduce cyber risk.

As cybersecurity threats grow in both scale and complexity, enterprise leaders are struggling to align job roles with the practical skills needed to mount an effective defense. Despite cybersecurity being one of the top three most in-demand tech roles for enterprises, major talent readiness gaps remain. According to the Linux Foundation’s 2024 State of Tech Talent Report,  64 percent of organizations report candidates lack essential skills and it now takes an average of 10.2 months to hire and onboard new technical staff. Additional research from the Linux Foundation found that 62 percent of open source project stewards lacked dedicated personnel for security incident response, despite 74 percent maintaining formal cybersecurity reporting mechanisms.

These trends reflect a broader industry dilemma—growing awareness of cybersecurity needs without the personnel to tackle them—driven by unclear role expectations and fragmented training pathways. The Cybersecurity Skills Framework addresses these issues with a practical, globally relevant onramp that organizations can use to assess and build internal security capabilities. The framework provides leaders with an easy way to understand the cybersecurity skills needed, quickly identify knowledge gaps, and incorporate critical skills into all of their IT roles. By establishing a shared language for cybersecurity readiness, the framework prepares everyone who touches a system to take responsibility for security, not just the cybersecurity specialists: from app developers to web developers, network engineers to database engineers, solutions architects to enterprise architects.

The framework defines practical cybersecurity expectations across foundational, intermediate, and advanced proficiency levels, while mapping those skills to recognized standards such as the DoD 8140, CISA NICE Framework, and the ICT e-CF. By aligning with widely adopted standards and allowing for customization, the framework can be easily adopted across industries, regions, and organizational sizes. The framework is available in a free, easy to use web interface which allows users to select relevant job families, move skills between categories, delete any that don’t apply and add custom items they require. 

The framework was produced as a result of a global research effort, with contributions and feedback from cybersecurity educators, government advisors, framework stewards, and technical training experts, who together brought comprehensive expertise in workforce development, national defense, professional certification, and open source security.

“Cybersecurity is now a leadership issue, not just a technical one,” said Steve Fernandez, General Manager at OpenSSF. “Our framework gives organizations a straightforward way to identify gaps and prioritize the security skills that matter most, based on role and responsibility—not just checklists. It’s about building real-world resilience.”

The Cybersecurity Skills Framework provides guidance for key roles, including web and software developers, DevOps engineers, IT project managers, platform architects, GRC managers and more. Each job role is defined by its primary cybersecurity responsibilities and aligned with practical skills in areas like secure design, compliance, vulnerability management, and incident response. 

“This framework is a valuable tool for CIOs, CISOs, and enterprise learning teams,” said Clyde Seepersad, SVP and General Manager of Linux Foundation Education. “In an era of accelerating threats, leaders need clear pathways for strengthening security culture across technical teams. This resource helps organizations take a proactive approach to employee development and risk reduction.”

The Linux Foundation and OpenSSF will update the framework annually and welcome community feedback from adopters. Organizations are encouraged to adapt and extend the model to align with their specific needs, security posture, and product portfolios.

To access the full Cybersecurity Skills Framework and explore how your organization can adopt it, visit: http://cybersecurityframework.io

Join us on Wednesday, June 11 at 11:00 am EDT for a webinar discussing the Cybersecurity Skills Framework. Visit here to register.

Supporting Quotes

“As cloud native adoption grows, so does the complexity of managing security across distributed systems. The Cybersecurity Skills Framework offers a clear, actionable resource for teams working in modern environments to assess skills, reduce risk, and embed security into every stage of the software lifecycle.”

– Chris Aniszczyk, CTO, CNCF

“As the cybersecurity landscape grows more complex, particularly with the rapid rise in AI technologies, security can no longer be siloed. Businesses must champion a culture of security awareness, education, and preparedness across functions. The new framework contributes to a stronger security posture by ensuring every teamfrom developers to IT leadersunderstands the specific security skills they need.”

Jamie Thomas, IBM Enterprise Security Executive

“Cybersecurity is a shared responsibility, and closing the skills gap is essential to building secure systems at scale. The OpenSSF Cybersecurity Skills Framework provides a clear, actionable roadmap for equipping technical teams with the right knowledge to protect our digital infrastructure, thus raising the bar for security readiness across the industry.”

– Arun Gupta, VP of Developer Programs, Intel / Governing Board Chair for CNCF & OpenSSF

“Cybersecurity today seems more complicated than ever. It can be difficult to keep up with the evolving cyber risk landscape and what skills internal teams need to approach and mitigate those risks. The Cybersecurity Skills Framework is a much needed blueprint for how developers should approach career development, teams plan for adapting to new risks, and organizations build training governance for the continuous evolution of their cybersecurity programs.”

–  Michael Lieberman, CTO and Co-Founder, Kusari

“The Cybersecurity Skills Framework is grounded in extensive global research and community collaboration. By surfacing practical, role-specific insights, the framework helps enterprise leaders understand where their cybersecurity capabilities stand—and where they need to grow. It’s a meaningful step toward bridging the persistent skills gap we’ve seen across sectors.”

– Hilary Carter, SVP Research at the Linux Foundation

“Security is a shared responsibility across the open source ecosystem. This framework is a powerful tool to help developers, project leaders, and enterprise teams better understand how their roles contribute to a secure software supply chain. It supports the kind of continuous learning culture that is essential to sustainable open source development.”

– Robin Bender Ginn, Executive Director, OpenJS Foundation

“The need for experienced cybersecurity practitioners continues to increase, and a clear understanding of cybersecurity roles, responsibilities, and required skills is not just beneficial – it is the foundation for a resilient and secure organization. The Linux Foundation’s Cybersecurity Skills Framework provides guidance to help leaders and practitioners understand the baseline skills needed for various roles. It serves as an excellent starting point for cybersecurity practitioners looking to enter the field or plan their career progression. Additionally, it helps leaders identify the necessary roles and skills to meet their cybersecurity demands.”

 Dave Russo, Senior Principal Program Manager, Secure Development, Red Hat

###

About the Linux Foundation 

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, LF Decentralized Trust, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved