OpenSSF Newsletter – June 2024

June 18, 2024

Welcome to the June 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.

Call for Proposals: Submit to Speak at SOSS Fusion

We’re looking for proposals in the form of session presentations, panels, keynote sessions, and lightning talks. Submit to speak on any one of the following topics:

    • OSPO: Security and Open Source Program Offices
    • Maintainer Roles: Maintainer and Contributor roles in Securing Open Source Software
    • Dev: Secure Open Source Software Integration in the Software Development Lifecycle
    • Public Policy: Regulations to Improve the Security of Open Source Software
    • End Users: Secure Open Source Software Supply Chains
    • Dependencies: Understanding the OSS in Your Stack
    • AI for Security: Leveraging AI to Secure Open Source Software
    • Security for AI: Starting with Security for Open Source AI

The Call for Proposals closes Friday, July 12, at 11:59 PM EDT.

OpenSSF Joins Open Source Consortium To Define E.U. CRA Security Specifications

The Open Source Security Foundation (OpenSSF), a project of the Linux Foundation focused on improving the security of open source software, is proud to announce its collaboration with the Eclipse Foundation and a leading open source consortium to work on the European Union’s (E.U.) Cyber Resilience Act (CRA).

Introducing Artifact Attestations—Now in Public Beta

There’s an increasing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100 million developers building on GitHub, we want to ensure that developers have the tools needed to help.

The Opportunity for DEI Participation in the Security Industry (And OpenSSF)

At Secure Open Source Software (SOSS) Community Day North America 2024, we held a panel discussion on DEI (Diversity, Equity and Inclusion) at Open Source Security Foundation (OpenSSF). In preparing for this discussion we had a lot of conversations and realized we each had diverse perspectives.

Beyond the OpenSSF: An Introduction to Other Security Efforts Across the Linux Foundation

The Open Source Security Foundation (OpenSSF)’s mission is to strengthen the open source software ecosystem through a collaborative initiative across industry. But did you know about the other initiatives focusing on strengthening open source security, happening across the Linux Foundation?

The OSS Security Adventure: Exploring the Frontlines of OSS Security through SOSS Policy Summit, RSA Conference, and Japan Meetup

OpenSSF is making waves globally, with our footprint evident in discussions and events across continents. Join us on an “OSS Security Adventure” as we delve into our impactful presence at the SOSS Policy Summit in Brussels, the RSA Conference in San Francisco, and our engaging meetup in Tokyo.

What’s in the SOSS? Podcast #6 – A Man Called CRob: Introducing the Newest Co-host of What’s in the SOSS?

Introducing our new co-host for “What’s in the SOSS?” podcast, Christopher Robinson (CRob). As the Director of Security Communications at Intel Corporation and Chair of OpenSSF’s Technical Advisory Committee, CRob’s 25 years of experience in various sectors will enrich our podcast discussions. The latest episode features his day-to-day activities, podcast vision, and advice for those entering cybersecurity.

OpenSSF Case Study: Enhancing Open Source Security with Sigstore at Stacklok

Stacklok, founded by Kubernetes co-creator Craig McLuckie and Sigstore creator Luke Hinds, enhances open source software security using Sigstore. By integrating Sigstore into their products, Trusty and Minder, Stacklok helps developers and maintainers secure their software supply chains with tools for artifact signing and verification. This case study highlights Stacklok’s commitment to making open source software safer and their contributions to the OpenSSF community.

Ubuntu Security Notices Now Available in OSV

In today’s rapidly evolving open source ecosystem, managing vulnerabilities efficiently is crucial. That’s why we’re excited to share that Canonical is now issuing Ubuntu Security Notices (USNs) in the open source OSV format. This collaboration aims to simplify vulnerability management and enhance security for our users.

OpenSSF Tech Talk: Proactive Supply Chain Security with GUAC

In this Tech Talk, you will meet the GUAC maintainers as they cover the project and its recent release, roadmap plans, and how you can contribute. Cybersecurity threats are constantly and quickly changing, but GUAC can help you stay ahead.

Check out this blog for a summary of the Tech Talk highlights and watch the experts discuss GUAC’s benefits and real-world uses. Slides and the recording are available.

Enhance Your Software Development Skills with OpenSSF’s Free Courses

OpenSSF offers two comprehensive, free courses designed to help software developers improve their skills in secure software development and supply chain security.

Developing Secure Software (LFD121)

This course covers the fundamentals of developing secure software and is available on the Linux Foundation Training & Certification platform. It is entirely online, self-paced, and takes about 14-18 hours to complete. Both the course and the certificate of completion are free. Upon finishing the course and passing the final exam, participants will earn a certificate valid for two years.

Securing Your Software Supply Chain with Sigstore (LFS182)

This course teaches software developers, DevOps engineers, security engineers, and software maintainers how to use Sigstore’s toolkit to enhance software supply chain security. It covers the use of the Cosign, Fulcio, and Rekor tools and is available on the Linux Foundation Training & Certification platform. The course is free, online, self-paced, and takes about 8 hours to complete. Familiarity with Linux terminals, command line tools, and intermediate cloud computing and DevOps concepts is recommended.

In the News

Meet OpenSSF at These Upcoming Events!

Get Involved in OpenSSF

You’re invited to…

See You Next Month

We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month!

Regards,

The OpenSSF Team