OpenSSF Newsletter – July 2024 – Open Source Security Foundation

Welcome to the July 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.

DOWNLOAD: What’s in the SOSS? An OpenSSF Podcast!
REGISTER: Secure Open Source Software (SOSS) Fusion Conference
JOIN: Attend an upcoming Working Group meeting

An Open Source Approach to Threat Mitigation in AWS

AnOpenSourceApproach

Securing cloud environments is a top priority for organizations today. Leveraging open source tools like Falco, combined with AWS Lambda, provides powerful solutions for monitoring and responding to security threats. Learn how Falco and Falco Talon can automate threat detection and response, ensuring robust cloud security.

A Deep Dive into SBOMit and Attestations

SBOMit and Attestations

December 2023 saw the launch of SBOMit, a project that helps enhance the reliability and integrity of SBOMs (Software Bills of Materials). It does so by including, along with SBOMs, a series of in-toto attestations that are produced while the software is being created. SBOMit is hosted under the OpenSSF Security Tooling Working Group.

But why are these attestations important for SBOMs and how do they work?

Read the blog to learn more.

Improving OpenSSF Scorecard Scores: StepSecurity Automation for Four Key Checks

ImprovingOpenSSFScorecardScores

Implementing security best practices is essential for open source maintainers to ensure their projects are secure and free from vulnerabilities. However, many maintainers find this task complex and time-consuming when done manually. The OpenSSF Scorecard offers an automated heuristic of how well key security processes are implemented in a project.

Chainguard Enhances Security With OSV Advisory Feed

OSV

In today’s rapidly evolving open source ecosystem, managing vulnerabilities efficiently is crucial. To address this, Chainguard is now publishing its security advisory feed in the Open Source Vulnerabilities (OSV) format. This integration aims to simplify vulnerability management and enhance security for users of open source software.

Why are Organizations Struggling to Implement Secure Software Development?

Cover_Secure_Software_Development_Education_2024_Survey

The Secure Software Development Education 2024 Survey, conducted through a partnership between the Open Source Security Foundation (OpenSSF) and Linux Foundation (LF) Research, examines the secure software development education needs of professionals in this field.

Learn How To Develop Secure Software!

Developing_Secure_Software

The Open Source Security Foundation (OpenSSF), in partnership with Linux Foundation Training & Certification, offers a free online training course, Developing Secure Software (LFD121). Those who complete the course and pass the final exam will earn a free certificate of completion valid for two years.

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 1

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability1

Could artificial intelligence (AI) practically help find and fix vulnerabilities in a scalable way? We don’t know for certain, but there’s hope that it could. In this article, we’ll look at a competition to encourage the development of AI-enabled tools that will automatically find and fix vulnerabilities.

The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development

StateofEducationReport

Linux Foundation Research and the Open Source Security Foundation (OpenSSF) are pleased to release a new report titled “Secure Software Development Education 2024 Survey: Understanding Current Needs.” Based on a survey of nearly 400 software development professionals, the analysis explores the current state of secure software development and underscores the urgent need for formalized industry education and training programs.

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 2

AIxCCChallenge_Part2

In part 1, we discussed the Artificial Intelligence Cyber Challenge (AIxCC), a two-year competition to create AI systems that find software vulnerabilities and develop fixes to them. We also discussed a specific vulnerability in the Linux kernel, called needle, as an example of the kind of vulnerability we’d like such tools to find and fix. In part 1 we discussed how such tools might be able to find vulnerabilities. Now let’s talk a little bit about how they might fix them. Real competitors in AIxCC might do things differently; this article simply helps us understand what they’re trying to do.

Recognizing Excellence in OSS Community: Golden Egg Award Nominations Are Now Open!

GoldenEggAwardEU

The Open Source Security Foundation (OpenSSF) is thrilled to announce that nominations for the Golden Egg Award are now open! This award honors individuals who have made outstanding contributions to the open source security community. After its successful debut at SOSS Community Day North America, the award is back to recognize more exceptional individuals at SOSS Community Day Europe this September. If you know someone who has demonstrated exceptional dedication and impact in our community, now is the time to nominate them for this esteemed recognition.

SD Times, Bad CrowdStrike Update Takes Down Windows Machines Around the World, Highlighting Importance of Gradual Roll-Outs and Software Quality
The Hacker News, Faulty CrowdStrike Update Crashes
Help Net Security, Developers Secure Coding Practices
Techopedia, Google, Nvidia, OpenAI and Others Team Up to Improve AI Security
TechCentral (Ireland), One in three software development professionals unaware of secure practices
Help Net Security, Most GitHub Actions Workflows Are Insecure in Some Way
Inside Cybersecurity, Open Source Group Calls for Prioritizing Cyber Awareness in Software Developer Training, Education
Dark Reading, The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
Cybersecurity Dive, Nearly 1 in 3 Software Development Professionals Unaware of Secure Practices
citybiz, The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
ITOps Times, Siren – ITOps Times Open Source Project of the Week
CSO, Top 10 Open Source Software Risks — and How to Mitigate Them
Techstrong TV, The Ins and Outs of Applying to GSoC
SD Times, Companies Still Need to Work on Security Fundamentals to Win in the Supply Chain Security Fight
GovInfoSecurity, How CISA Plans to Measure Trust in Open-Source Software

Meet OpenSSF at These Upcoming Events!

Black Hat USA: Aug. 7-8, 2024
DEF CON: Aug. 8 – 11, 2024
SOSS Community Day Europe: Sept. 19, 2024
SOSS Fusion Conference: Oct. 22-23, 2024
- Sponsorships available

Get Involved in OpenSSF

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, and LinkedIn

See You Next Month

We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month!

Regards,

The OpenSSF Team

OpenSSF Newsletter – July 2024

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get the latest announcements, event info, and the community news in your inbox