Welcome to the August 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.
- Take: Developing Secure Software (LFD121)
- Attend: SOSS Community Day EU
- Sponsor: SOSS Fusion
Celebrating Excellence: An Interview with Golden Egg Award Winner Christopher “CRob” Robinson
We sat down with CRob, the recent Golden Egg Award winner for OpenSSF Community Engagement, to discuss his journey in the open source world. As the chair of the Vulnerability Disclosure Working Group and the Technical Advisory Council (TAC), CRob has played a pivotal role in creating essential security guides and fostering a collaborative, engaged community.
SOSS Fusion 2024 CFP Results: A Look at Our Diverse and Engaging Program
As the Call for Proposals (CFP) for the Secure Open Source Software (SOSS) Fusion Conference wrapped up, we wanted to share some insights about the submissions that highlight how Fusion will be a premier event in open source security. SOSS Fusion brings together the brightest minds in software development and cybersecurity to secure the open source software that we all depend on.
SOSS Community Day EU Agenda Now Live!
We’re thrilled to announce that the agenda for Secure Open Source Software (SOSS) Community Day EU on September 19, 2024, is now live! Join us for a day filled with insightful technical talks, engaging panels, and more. SOSS Community Day EU will be co-located with the Open Source Summit Europe in Vienna, Austria.
Datadog Joins Open Source Security Foundation (OpenSSF)
Datadog has joined the Open Source Security Foundation (OpenSSF) as a premier member, reinforcing its commitment to enhancing the security of the open source software supply chain. This collaboration aims to advance initiatives that fortify software integrity and foster industry-wide cooperation, with Datadog’s CISO, Emilio Escobar, joining the OpenSSF board to help steer strategic direction.
How to Make Programming Language Package Repositories More Secure
Open source package repositories (like npm, PyPI, RubyGems, and others) serve out billions of packages per day. Most of the software we all use includes packages from these repositories, making them a critical part of securing software.
So how do we all make these package repositories more secure?
Neo Malware: Malicious Open Source Packages
This blog highlights the growing threat of malicious open source packages targeting software supply chains and introduces the OpenSSF’s Malicious Packages Repository as a key initiative to combat these risks. It underscores the importance of advanced security measures and community collaboration to safeguard the future of open source software.
New Guide for Package Repositories to Adopt Trusted Publishers
The Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group (WG) has just released a new guide for maintainers of open source software repositories. The guide details a new security capability named “Trusted Publishers”, which uses the OpenID Connect (OIDC) standard to let a build system authenticate to a package repository with a short-lived identity token instead of a long-lived secret, avoiding many of the security and operational challenges that stored credentials bring.
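The repository side of that exchange is where the security property actually lives: the identity provider only attests who ran a workflow, and the repository must decide whether that identity is allowed to publish a given project. The following is an added example of such a policy check, not code from the guide or from any real package repository. It assumes that the token's signature has already been verified against the identity provider's JWKS by a JWT library and that the decoded claim set is passed in; the claim names are those of GitHub Actions OIDC tokens (`iss`, `aud`, `exp`, `nbf`, `repository`, `job_workflow_ref`, `environment`). The `TrustedPublisher` record, the function names and the sample claims are all constructed for this illustration.

```python
"""Repository-side policy check for an OIDC 'Trusted Publisher' login.

Added example, not code from the OpenSSF guide or any real repository.
Assumptions: the token signature has already been verified against the
identity provider's JWKS by a JWT library; this code receives the decoded
claims. Claim names follow GitHub Actions OIDC tokens. TrustedPublisher
mirrors what a maintainer registers for a project; names are hypothetical.
"""
import time
from dataclasses import dataclass
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustedPublisher:
    owner: str
    repo: str
    workflow_file: str                 # e.g. "release.yml"
    environment: Optional[str] = None  # None: no environment required


class PolicyError(Exception):
    """Raised when a token does not satisfy the registered publisher."""


def _parse_job_workflow_ref(ref: str):
    """Split 'owner/repo/.github/workflows/file.yml@refs/heads/main'."""
    path, sep, git_ref = ref.partition("@")
    parts = path.split("/")
    if not sep or len(parts) != 5 or parts[2:4] != [".github", "workflows"]:
        raise PolicyError(f"unexpected job_workflow_ref: {ref!r}")
    return parts[0], parts[1], parts[4], git_ref


def authorize_publish(claims: dict, publisher: TrustedPublisher,
                      audience: str, now: Optional[float] = None) -> dict:
    """Return the identity to record on the upload, or raise PolicyError."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        raise PolicyError("issuer is not GitHub Actions")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # RFC 7519: string or list
    if audience not in aud:
        raise PolicyError("token was minted for a different audience")
    if now >= claims.get("exp", 0):                # missing exp is rejected
        raise PolicyError("token expired")
    if now < claims.get("nbf", 0):
        raise PolicyError("token not yet valid")
    # GitHub repository names are case-insensitive; the claim keeps canonical case.
    expected_repo = f"{publisher.owner}/{publisher.repo}".lower()
    if claims.get("repository", "").lower() != expected_repo:
        raise PolicyError("token belongs to a different repository")
    owner, repo, workflow, git_ref = _parse_job_workflow_ref(claims.get("job_workflow_ref", ""))
    # Design choice: the publishing workflow must live in the registered
    # repository itself, so a reusable workflow hosted elsewhere cannot publish.
    if f"{owner}/{repo}".lower() != expected_repo or workflow != publisher.workflow_file:
        raise PolicyError(f"workflow {owner}/{repo}:{workflow} is not the registered publisher")
    if publisher.environment is not None and claims.get("environment") != publisher.environment:
        raise PolicyError(f"token not issued from environment {publisher.environment!r}")
    return {"subject": claims.get("sub"), "repository": claims["repository"],
            "workflow": workflow, "ref": git_ref}


def check_publish(claims, publisher, audience, now=None):
    """Convenience wrapper returning (allowed, subject_or_reason)."""
    try:
        return True, authorize_publish(claims, publisher, audience, now)["subject"]
    except PolicyError as e:
        return False, str(e)


# Constructed sample claims, shaped like a GitHub Actions OIDC token payload.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "example-repo",
    "sub": "repo:example-org/example-pkg:environment:release",
    "exp": 1_700_000_600, "nbf": 1_700_000_000,
    "repository": "example-org/example-pkg",
    "job_workflow_ref": "example-org/example-pkg/.github/workflows/release.yml@refs/tags/v1.2.3",
    "environment": "release",
}
PUBLISHER = TrustedPublisher("example-org", "example-pkg", "release.yml", "release")

if __name__ == "__main__":
    print(check_publish(SAMPLE_CLAIMS, PUBLISHER, "example-repo", now=1_700_000_300))
```

The checks that matter most are the ones a bearer-token scheme cannot express: the token is bound to one audience (this repository), it expires within minutes, and it names the exact workflow file and environment that produced it, so a fork, a CI job in the same repository, or a stolen token replayed against another registry is rejected without any secret ever having been stored.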
OSS Security Adventure: Recap of Recent Security-Focused Events Featuring OpenSSF
In July, Open Source Security Foundation (OpenSSF) participated in three key events that highlight its dedication to enhancing open source software security for the global public good: the United Nations OSPOs for Good 2024 Conference and the What’s Next for Open Source? Workshops both in New York City, as well as the OECD Global Forum on Digital Security for Prosperity (GFDSP) in Seoul, South Korea.
What’s Next for Open Source? Workshop Highlights and Calls to Action to Inspire Progress for Global Sustainability
In July, open source took center stage at the two-day “OSPOs for Good” symposium at the United Nations, a historic moment for the community. Co-hosted by Kenya and Germany, the symposium brought together experts from the worlds of open source, government, and NGOs to learn and share how open source is being used to address global challenges, including the 17 Sustainable Development Goals (SDGs).
Call for Proposals: SOSS Community Day Japan 2024
We are excited to announce that the OpenSSF is hosting Secure Open Source Software (SOSS) Community Day Japan 2024, scheduled for Wednesday, October 30, 2024. This one-day event will take place in Tokyo, Japan, and the call for proposals (CFP) is now open.
Mitigating Attack Vectors in GitHub Workflows
The blog discusses the various attack vectors in GitHub workflows and the strategies that mitigate them. It emphasizes restricting the permissions a workflow is granted, never running untrusted code in a privileged workflow, pinning actions to full commit hashes rather than mutable tags, and keeping dependencies updated.
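Those recommendations can be turned into a check that runs over a workflow file before it is merged. What follows is an added example, not code from the blog post or any OpenSSF project: a small standard-library-only linter that flags actions not pinned to a 40-hex commit SHA, the absence of a `permissions:` block, a `pull_request_target` workflow that checks out the pull request head, and, going one step beyond the items listed above, attacker-controlled event fields (PR title, issue body, `github.head_ref`, and similar) interpolated directly into a `run:` script, which is the expression-injection hardening point GitHub's own documentation covers. The scan is line-oriented so it stays short and dependency-free; a production checker would parse the YAML. The two sample workflows and the 40-hex SHA are constructed for this illustration and do not refer to a real commit.

```python
"""Line-oriented GitHub Actions workflow linter (added example, not from the OpenSSF blog).

Rules:
  unpinned-action       third-party action not pinned to a full commit SHA
  missing-permissions   no `permissions:` block (GITHUB_TOKEN keeps the default grant)
  overbroad-permissions `permissions: write-all`
  untrusted-checkout    pull_request_target workflow checks out the PR head
  script-injection      attacker-controlled event field expanded inside `run:`
Sample workflows and the placeholder SHA below are constructed, not real.
"""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
RUN_RE = re.compile(r"^(\s*-?\s*)run:(.*)$")
PRT_RE = re.compile(r"\bpull_request_target\b")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
PERMS_RE = re.compile(r"^\s*permissions:\s*(\S*)")
# Fields a PR author or commenter controls: safe via `env:`, dangerous inside `run:`.
UNTRUSTED_EXPR_RE = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body))\s*\}\}")


@dataclass(frozen=True)
class Finding:
    line: int      # 0 means "whole file"
    rule: str
    message: str


def _strip_comment(line: str) -> str:
    if line.lstrip().startswith("#"):
        return ""
    return line.split(" #", 1)[0]


def _run_script_lines(lines):
    """Yield (lineno, text) for every line that belongs to a `run:` script."""
    block_indent = None
    for n, raw in enumerate(lines, 1):
        indent = len(raw) - len(raw.lstrip(" "))
        if block_indent is not None:
            if not raw.strip() or indent > block_indent:
                yield n, raw
                continue
            block_indent = None          # left the literal block
        m = RUN_RE.match(raw)
        if m:
            if m.group(2).strip() in ("|", ">", "|-", ">-", "|+", ">+"):
                block_indent = len(m.group(1))   # indent of the `run` key itself
            else:
                yield n, raw             # single-line script


def lint_workflow(text: str) -> list:
    lines = [_strip_comment(l) for l in text.splitlines()]
    findings, perms_seen = [], False
    privileged = any(PRT_RE.search(l) for l in lines)   # write token + secrets on fork PRs
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            spec = m.group(1)
            ref = spec.partition("@")[2]
            if not SHA_RE.match(ref):
                findings.append(Finding(n, "unpinned-action",
                    f"{spec}: pin to a full commit SHA instead of mutable ref {ref or '<none>'!r}"))
        m = PERMS_RE.match(line)
        if m:
            perms_seen = True
            if m.group(1) == "write-all":
                findings.append(Finding(n, "overbroad-permissions", "write-all grants every scope"))
        if privileged and HEAD_REF_RE.search(line):
            findings.append(Finding(n, "untrusted-checkout",
                "pull_request_target job checks out the PR head: untrusted code gets the write token"))
    if not perms_seen:
        findings.append(Finding(0, "missing-permissions", "add a top-level least-privilege permissions: block"))
    for n, script in _run_script_lines(lines):
        if UNTRUSTED_EXPR_RE.search(script):
            findings.append(Finding(n, "script-injection",
                "untrusted event field expanded inside run:; pass it via env: and quote the variable"))
    return findings


VULNERABLE_WORKFLOW = """\
name: PR check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@main
      - run: |
          npm ci
          echo "Checking ${{ github.event.pull_request.title }}"
"""

HARDENED_WORKFLOW = """\
name: PR check
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, constructed
      - run: |
          echo "Checking $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

if __name__ == "__main__":
    for f in lint_workflow(VULNERABLE_WORKFLOW):
        print(f"line {f.line:>2}  {f.rule:<22} {f.message}")
    print("hardened findings:", lint_workflow(HARDENED_WORKFLOW))
```

The hardened sample shows the shape of each fix: `pull_request` instead of `pull_request_target` so fork code never sees a write token, a read-only top-level `permissions:` grant, the action pinned to a commit, and the PR title moved into `env:` so the shell receives it as data rather than as part of the script text.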
Announcing SigstoreCon: Supply Chain Day!
Join us for SigstoreCon: Supply Chain Day! Co-located with KubeCon NA 2024 in Salt Lake City, attendees will learn about simplifying signing and verification for digital artifacts using Sigstore, as well as related software supply chain efforts such as SLSA, The Update Framework, binary transparency, and more! The CFP deadline is September 13.
GUAC v0.8.0 Released
GUAC v0.8.0 is now available. This release brings support for license information, node deletion, and many other improvements.
A Bird’s-Eye View of LFD121 (Developing Secure Software) — and Why Every Developer Should Take It
The Linux Foundation and OpenSSF offer LFD121: Developing Secure Software, a free, self-paced course that equips developers with essential tools for building secure software. This comprehensive course covers secure design, implementation, and verification, ensuring developers stay up-to-date with the latest security practices.
In the News
- The Register: DARPA, ARPA-H award $14m to 7 AIxCC semifinalists, with a catch
- CyberScoop: Zero trust: How the ‘Jia Tan’ hack complicated open-source software
- Washington Post: Hackers race to win millions in contest to thwart cyberattacks with AI
- SearchSecurity: Highlights from CloudNativeSecurityCon 2024
- PYMNTS: Meta’s Open-Source AI Model Sparks Industry Debate on Commerce’s Future
- InfoWorld: Focusing open source on security, not ideology
- The Hacker News: Faulty CrowdStrike Update Crashes Windows Systems, Impacting Businesses Worldwide
- Dark Reading: Tech Giants Agree to Standardize AI Security
- Cincinnati Business Courier: CVG airport, Cincinnati Children’s impacted by global Microsoft outage
- Dark Reading: The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
Meet OpenSSF at These Upcoming Events!
- Open Source Summit Europe: Sept. 16-18, 2024
- SOSS Community Day Europe: Sept. 19, 2024
- SOSS Fusion Conference: Oct. 22-23, 2024
- Open Source Summit Japan: Oct. 28-29, 2024
- SOSS Community Day Japan: Oct. 30, 2024
Get Involved in OpenSSF
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, and LinkedIn
See You Next Month
We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team