Welcome to the July 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.
- DOWNLOAD: What’s in the SOSS? An OpenSSF Podcast!
- REGISTER: Secure Open Source Software (SOSS) Fusion Conference
- JOIN: Attend an upcoming Working Group meeting
An Open Source Approach to Threat Mitigation in AWS
Securing cloud environments is a top priority for organizations today. Leveraging open source tools like Falco, combined with AWS Lambda, provides powerful solutions for monitoring and responding to security threats. Learn how Falco and Falco Talon can automate threat detection and response, ensuring robust cloud security.
A Deep Dive into SBOMit and Attestations
December 2023 saw the launch of SBOMit, a project that helps enhance the reliability and integrity of SBOMs (Software Bills of Materials). It does so by including, along with SBOMs, a series of in-toto attestations that are produced while the software is being created. SBOMit is hosted under the OpenSSF Security Tooling Working Group.
But why are these attestations important for SBOMs and how do they work?Â
Read the blog to learn more.
Improving OpenSSF Scorecard Scores: StepSecurity Automation for Four Key Checks
Implementing security best practices is essential for open source maintainers to ensure their projects are secure and free from vulnerabilities. However, many maintainers find this task complex and time-consuming when done manually. The OpenSSF Scorecard offers an automated heuristic of how well key security processes are implemented in a project.
Chainguard Enhances Security With OSV Advisory Feed
In today’s rapidly evolving open source ecosystem, managing vulnerabilities efficiently is crucial. To address this, Chainguard is now publishing its security advisory feed in the Open Source Vulnerabilities (OSV) format. This integration aims to simplify vulnerability management and enhance security for users of open source software.Â
Why are Organizations Struggling to Implement Secure Software Development?
The Secure Software Development Education 2024 Survey, conducted through a partnership between the Open Source Security Foundation (OpenSSF) and Linux Foundation (LF) Research, examines the secure software development education needs of professionals in this field.Â
Learn How To Develop Secure Software!
The Open Source Security Foundation (OpenSSF), in partnership with Linux Foundation Training & Certification, offers a free online training course, Developing Secure Software (LFD121). Those who complete the course and pass the final exam will earn a free certificate of completion valid for two years.Â
AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 1
Could artificial intelligence (AI) practically help find and fix vulnerabilities in a scalable way? We don’t know for certain, but there’s hope that it could. In this article, we’ll look at a competition to encourage the development of AI-enabled tools that will automatically find and fix vulnerabilities.Â
The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
Linux Foundation Research and the Open Source Security Foundation (OpenSSF) are pleased to release a new report titled “Secure Software Development Education 2024 Survey: Understanding Current Needs.” Based on a survey of nearly 400 software development professionals, the analysis explores the current state of secure software development and underscores the urgent need for formalized industry education and training programs.
AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 2
In part 1, we discussed the Artificial Intelligence Cyber Challenge (AIxCC), a two-year competition to create AI systems that find software vulnerabilities and develop fixes to them. We also discussed a specific vulnerability in the Linux kernel, called needle, as an example of the kind of vulnerability we’d like such tools to find and fix. In part 1 we discussed how such tools might be able to find vulnerabilities. Now let’s talk a little bit about how they might fix them. Real competitors in AIxCC might do things differently; this article simply helps us understand what they’re trying to do.
Recognizing Excellence in OSS Community: Golden Egg Award Nominations Are Now Open!
The Open Source Security Foundation (OpenSSF) is thrilled to announce that nominations for the Golden Egg Award are now open! This award honors individuals who have made outstanding contributions to the open source security community. After its successful debut at SOSS Community Day North America, the award is back to recognize more exceptional individuals at SOSS Community Day Europe this September. If you know someone who has demonstrated exceptional dedication and impact in our community, now is the time to nominate them for this esteemed recognition.
In the News
- SD Times, Bad CrowdStrike Update Takes Down Windows Machines Around the World, Highlighting Importance of Gradual Roll-Outs and Software Quality
- The Hacker News, Faulty CrowdStrike Update Crashes
- Help Net Security, Developers Secure Coding Practices
- Techopedia, Google, Nvidia, OpenAI and Others Team Up to Improve AI Security
- TechCentral (Ireland), One in three software development professionals unaware of secure practices
- Help Net Security, Most GitHub Actions Workflows Are Insecure in Some Way
- Inside Cybersecurity, Open Source Group Calls for Prioritizing Cyber Awareness in Software Developer Training, Education
- Dark Reading, The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
- Cybersecurity Dive, Nearly 1 in 3 Software Development Professionals Unaware of Secure Practices
- citybiz, The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
- ITOps Times, Siren – ITOps Times Open Source Project of the Week
- CSO, Top 10 Open Source Software Risks — and How to Mitigate Them
- Techstrong TV, The Ins and Outs of Applying to GSoC
- SD Times, Companies Still Need to Work on Security Fundamentals to Win in the Supply Chain Security Fight
- GovInfoSecurity, How CISA Plans to Measure Trust in Open-Source Software
Meet OpenSSF at These Upcoming Events!
- Black Hat USA: Aug. 7-8, 2024
- DEF CON: Aug. 8 – 11, 2024
- SOSS Community Day Europe: Sept. 19, 2024
- SOSS Fusion Conference: Oct. 22-23, 2024
Get Involved in OpenSSF
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, and LinkedIn
See You Next Month
We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month!Â
Regards,
The OpenSSF Team