Welcome to the December 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
Thank You for an Amazing 2024!
As 2024 comes to a close, we want to take a moment to express our deepest gratitude for the dedication, collaboration, and innovation you have brought to the OpenSSF community this year. Together, we achieved remarkable milestones—from expanding our global membership and launching impactful education initiatives to advancing critical security projects and fostering collaborations with public and private sectors. Your contributions have strengthened our shared mission to secure the open source ecosystem and build a safer, more reliable digital future.
As we look forward to 2025, we’re excited to continue fostering a vibrant and inclusive community, deepening collaborations, and driving meaningful change together. We appreciate your role in this journey.
Wishing you a safe and joyful holiday season!
The Open Source Software Stewards and Manufacturers Workshop and the EU Cyber Resilience Act (CRA)
In December, the Linux Foundation Europe and the OpenSSF hosted the Open Source Software Stewards and Manufacturers Workshop in Amsterdam, focusing on the implications of the EU Cyber Resilience Act (CRA). The event brought together industry leaders, community experts, and government officials to align on CRA obligations and foster collaboration for compliance.
Key outcomes included the formation of the Global Cyber Policy Working Group and three workstreams: CRA Readiness & Awareness, CRA Tooling & Processes, and CRA Standardization.
Details on how to participate and learn more:
- Global Cyber Policy Working Group (WG):
Git repo
Mailing List
Slack Channel
Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 1
Published as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) entered into force (EIF) on December 10, 2024. The CRA will fully apply three years later, on December 11, 2027; note that the manufacturer reporting obligations in Article 14 apply earlier, from September 11, 2026. The CRA obligates all products with digital elements placed on the European market, including their remote data processing solutions, to comply with the regulation. This new blog series will cover the implementation of the CRA and its relevance to open source software.
In Part 1, we will provide a general overview of the CRA and highlight LF Europe and the OpenSSF’s current activities in relation to the implementation.
Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 2
In Part 1, we provided a general overview of the CRA and highlighted OpenSSF’s current activities related to its implementation. In Part 2, we’ll take a closer look at the three-year implementation timeline and what lies ahead.
Shaping the Future of Generative AI: A Focus on Security
The Shaping the Future of Generative AI report, sponsored by LF AI & Data and CNCF, highlights how organizations prioritize security, cost, and performance as they adopt GenAI. Security remains a top concern, particularly in sectors like finance and healthcare, where privacy and regulatory compliance are critical.
The Open Source Security Foundation (OpenSSF) AI/ML Working Group plays a vital role in this landscape, focusing on initiatives like model signing with Sigstore to enhance trust and security in AI systems. This blog ties together insights from the report and OpenSSF’s ongoing efforts to address security challenges in GenAI adoption.
Open Source Usage Trends and Security Challenges Revealed in New Study
The Linux Foundation and Harvard released Census III, a groundbreaking study analyzing Free and Open Source Software (FOSS) usage and security challenges. Findings reveal trends like the rise of cloud-specific packages, increased reliance on Rust, and the critical role of a small group of contributors.
Honda and Guidewire Join the Open Source Security Foundation (OpenSSF)
At the inaugural SOSS Community Day India, OpenSSF welcomed Honda and Guidewire Software as new members, expanding its growing global network to 126 organizations. The event highlights India’s thriving open source ecosystem and brings together leaders to collaborate on securing the software we all depend on.
SigstoreCon 2024: Advancing Software Supply Chain Security
On November 12, 2024, the software security community gathered in Salt Lake City for SigstoreCon: Supply Chain Day, co-located with KubeCon North America 2024. The one-day conference brought together developers, maintainers, and security experts to explore how Sigstore is transforming software supply chain security through simplified signing and verification of digital artifacts.
News from OpenSSF Community Meetings and Projects:
- Global Cyber Policy WG: The new group had its sandbox application approved by the TAC.
- Bomctl welcomed Patrick Kwiatkowski as its newest maintainer.
- GUAC v0.12.0 was released, with added support for querying OCI registries and collecting end-of-life information. The group also held a meeting to discuss an air-gapped GUAC deployment.
- SLSA submitted a graduation application to the TAC and is expecting to release v1.1 soon.
- EDU.SIG highlighted a series of updates that have been made to the LFD121 course in recent weeks.
- Security Baseline is now published on the web at https://baseline.openssf.org/.
- TAC held discussions about improving the Technical Initiative funding process in 2025.
- Sigstore: The playlist from Sigstorecon is available on YouTube.
- Vulnerability Disclosures WG discussed ideas to help reduce low-quality ("slop") security reports submitted to maintainers.
- SBOMit is planning an SBOMit Summit; stay tuned for more details.
- Model Signing SIG seeks feedback on the proposed model card metadata spreadsheet.
- Zarf has PRs in progress for a `zarf package preview` command and for showing package manifests.
- C/C++ Best Practices discussed the proposal for hardened C++ Standard Library.
- Securing Software Repositories WG members published blog posts on the Ultralytics compromise.
- Memory Safety SIG gave an overview of a new Rust/C++ Interop initiative. The group is also collaborating to add a Memory Safety Scorecard Check.
- Scorecard expects an upcoming patch release with a collection of minor updates and fixes. The group also has a working proof-of-concept Azure DevOps task for running Scorecard.
- Minder published a README update with information and resources to help get started with writing rules and profiles for Minder.
In the News:
- Infosecurity Magazine: Security Risks Persist in Open Source Ecosystem
- SC Media: Study Highlights Challenges, Priorities in Securing Open Source Software
- DevOps.com: Linux Foundation Report Spotlights Open Source Software Package Challenges
- SecurityInfoWatch: Open-Source Usage Trends and Security Challenges Revealed in New Study
- Linux Security: Leveraging Insights from the Linux Foundation’s Census III Report for More Secure Linux Administration
- Developer Tech News: Linux Foundation Releases ‘Census III’ Open Source Report
- IT Week: Linux Foundation: 96% of Modern Applications Use Open Source
- Digitalk: Study: 96% of Modern Applications Use Open Source
Meet OpenSSF at These Upcoming Events!
- FOSDEM, Brussels: February 1, 2025
- OpenSSF Policy Summit DC 2025: March 4, 2025
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Year!
We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you in 2025!
Regards,
The OpenSSF Team