Blog

US Government Fact Sheet on Improving Security of Open Source Software in Operational Technology and Industrial Control Systems (OT / ICS)

This week, CISA, FBI, NSA, and the US Department of the Treasury released guidance on Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS) to assist with better management of risk from OSS use in OT/ICS and increase resilience when using available resources. The OpenSSF supports this effort,…

Introducing OpenSSF’s Malicious Packages Repository

Today, the OpenSSF Package Analysis team is excited to announce the launch of our Malicious Packages repository, the first open source system for collecting and publishing cross-ecosystem reports of malicious packages. This repository is a response to the rising incidence of attacks that include malicious open source packages.

OpenSSF introduces the Specification Security Insights 1.0

The OpenSSF is thrilled to announce the release of version 1.0 of the Security Insights Specification. Security Insights gives maintainers a mechanism for describing their projects' security processes in a machine-processable way. Formatted as a YAML file, it is easy for both humans and machines to read and edit.

HTTP/2 Rapid Reset Vulnerability Highlights Need for Rapid Response

Open Source Software is used in critical infrastructure worldwide. As vulnerabilities like Looney Tunables, Rapid Reset, and the forthcoming cURL vulnerabilities are discovered, organizations must have a well-practiced incident response plan. We believe in risk-based responses driven by business criticality. A well-informed inventory built on SBOMs is key to this approach.

Recap of OpenSSF Day Europe

On September 18, 2023, we hosted OpenSSF Day Europe at the Open Source Summit Europe in Bilbao, Spain. Throughout the day, we hosted a number of sessions around the state of open source software security, discussed current initiatives and what’s next. If you weren’t able to attend, check out our playlist on YouTube to view…

OpenSSF Welcomes New Chief Architect, Dana Wang

The OpenSSF is pleased to welcome new Chief Architect, Dana Wang! Dana Wang is a technology leader with a track record of delivering results and making impacts at enterprise scale. Dana was formerly the Executive Director of Public Cloud Network Security at JPMorgan Chase. She led the public cloud edge network security platform engineering, service…

Announcing sigstore-python 2.0

We are delighted to announce the 2.0 release of sigstore-python, a Python client for signing and verifying Sigstore signatures! This release has been in the works for a while and contains a number of significant improvements and breaking changes to both the sigstore CLI and Python APIs.

OpenSSF Securing Critical Projects Working Group: Identifying and Helping Improve Top Open Source Projects

The Securing Critical Projects WG aims to solve the problem of insecure (and often unknown) critical projects. First, we focus on helping identify which projects are critical, which will allow discovery of projects that can benefit from additional security focus. We’ve been working on curating a set of identified open source projects that are critical…

Threat Modeling the Supply Chain for Software Consumers

From a software consumer perspective, how do we know where to start to address the real supply chain threats? Which risks are more critical than others? What framework or standard should be adopted quickly? Those were the questions posed in the OpenSSF End Users Working Group where engineers got together to figure out how to…