The Open Source Security Foundation (OpenSSF) is proud to announce the release of version 1.0 of Supply-chain Levels for Software Artifacts (SLSA). SLSA is an OpenSSF project that provides specifications for software supply chain security, established by community expert consensus. The stable release of the SLSA 1.0 Build Track lowers the barrier of entry for…
Itās important to distinguish the term āsourceā (any source of a good or service) from the term āvendorā (a source who is paid and has a contractual relationship), especially when discussing software. Hereās why.
The use of SBOMs is becoming increasingly essential in managing software supply chains. The main consumption use case is for evaluating dependencies known-vulnerabilities risk, by mapping the dependencies listed in the SBOM to CVEs. In this blog post, we propose using SBOMs alongside OpenSSF Scorecard to evaluate a product's risk.
Join us for a conversation with OpenSSF Board Member, Brian Fox. In this series, we are shining the spotlight on individuals who play a pivotal leadership role in setting the course for how we secure the open source software supply chain.
Weāve been discussing the creation of SBOMs for over ten years, but has it gotten us any closer to hardening our software development practices? SBOMs provide critical supply chain data, but we are simply not using the data to drive our supply chain decisions. Requiring SBOM generation alone is not the answer. What is the…
The goal of the Best Practices Working Group is to provide open source developers with recommendations on best practices around development and security. This working group focuses on providing developers with guidance and tools in order with an easy way to learn and apply them and has been part of the OpenSSF since the very…
Each software repository faces a challenging task to protect producers and consumers of open-source software. They must defend against a variety of threats, juggling a complex menu of options to harden their systems and procedures against attackers. The OpenSSF Securing Software Repository Working Group (SSR WG) last year surveyed the maintainers of 11 leading software…
The primary activity for The Linux Foundation projects is open collaboration on technical challenges that deliver tangible improvements for developers, companies, industries, and society at large. The focus weāve always taken is on open source code as a starting point for truly great outcomes that improve the technologies we - and the world - depend…
The OpenSSF Day North America agenda is now live! We will be hosting a full day of interesting session presentations, panels, and lightning talks on May 10th during Open Source Summit North America in Vancouver, Canada. Plan to join us to discuss the latest and greatest in ongoing efforts to secure the open-source software supply…
Security used to be something of an afterthought in software development. Security was clunky or inconvenient, often because it was a ābolt-onā. That has rapidly changed over the last two years. Now, the world has finally realised that security needs to be ābaked-inā, not ābolted-onā.Ā Meaningful and impactful improvements can be achieved in OSS security engineering…
