Welcome to the January 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
- Submit to Speak: OpenSSF Community Day
- Suggest a Speaker: Podcast
- Follow: LinkedIn, X, Mastodon, and BlueSky
Call for Proposals: OpenSSF Community Day NA 2025!
The CFP is now open for OpenSSF Community Day North America 2025, happening June 26 in Denver, CO! Share your insights, success stories, and innovations with the open source security community.
Key Dates:
- CFP Closes: March 23, 2025
- Event Date: June 26, 2025
Submit 5-, 10-, 15-, or 20-minute talks on topics like AI and ML in security, supply chain resilience, regulatory compliance, and more. First-time speakers welcome!
We Need Your Input!
Take a short survey to help the OpenSSF, LF Research, and LF Europe assess the open source community’s readiness for the EU Cyber Resilience Act and other emerging regulatory challenges. Your insights will shape best practices and prepare the ecosystem for what’s ahead.
Bonus for participating:
Get a 35% discount on any Linux Foundation e-learning course or certification exam (valid until May 1, 2025).
Added bonus: For every completed survey, LF Research will donate to the Linux Foundation’s Travel Fund, supporting open source developers and community members in attending events they might otherwise miss.
Your participation helps strengthen our community—thank you! The survey closes Friday, Jan. 24, 2025.
CRA Stewards and Manufacturers Workshop: Key Takeaways and Next Steps
Last month the Linux Foundation Europe and the OpenSSF teams held a workshop focused on the implications of the recently published Regulation (EU) 2024/2847, commonly known as the Cyber Resilience Act or CRA. The 2024 Stewards and Manufacturers Workshop in Amsterdam was a highly successful event where members from across the Linux Foundation, other upstream open source foundations, community experts, and government officials came together to get a common understanding of the obligations of both Manufacturers and Stewards, and how each group needs to collaborate together as the legislation starts to go into effect over the next three years.
What’s in the SOSS? Podcast #23 – Kusari’s Michael Lieberman Talks GUAC, SLSA and Securing the Open Source Supply Chain
In the latest episode of What’s in the SOSS?, CRob chats with Michael Lieberman, CTO and co-founder of Kusari, about supply chain security in the open source ecosystem. They discuss Michael’s journey in open source, his work with SLSA and GUAC, practical tips for addressing SBOMs, and his vision for the future of OSS security. Michael also shares advice for aspiring contributors and thoughts on what’s next for supply chain security.
Have a subject idea or know someone inspiring we should feature? Email us at marketing@openssf.org!
SOSS Community Day India 2024: Wrap Up
Towards the end of 2024, we hosted the inaugural SOSS Community Day India, and we’re thrilled to share that it was a resounding success! This remarkable event brought together some of the most active open source contributors in the industry for a day filled with sharing, learning, and collaboration.
What made this gathering truly special was being co-located with KubeCon + CloudNativeCon India 2024. With over 350 registrations (and a waiting list, no less!), we saw a truly varied set of personas join us for this unforgettable experience. Engineers, legal professionals, CXOs, and students all came together to share their expertise, showcase their projects, and learn from one another.
Accelerating OpenSSF Adoption: Unlocking Scorecard Insights with a Centralized Dashboard
Open source components power 90% of modern applications but pose security risks like vulnerabilities and supply chain attacks. The OpenSSF Scorecard evaluates projects on critical security metrics, while the new Ortelius OpenSSF Dashboard aggregates these results at the application level, providing transparency and actionable insights to secure your software.
Discover how these tools can help you trust your dependencies and strengthen open source security.
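As an added illustration of what "aggregating Scorecard results at the application level" can mean in practice (example code written for this newsletter, not code from the OpenSSF Scorecard project or the Ortelius dashboard): the script below takes the JSON that `scorecard --repo=<repo> --format=json` emits for each dependency of one application (a top-level `score` plus a `checks` list of `name`/`score`/`reason` objects, where a score of -1 means the check could not run) and rolls it up to one view. The repositories, scores and the "weakest dependency wins" rule are constructed assumptions for the example, not the dashboard's own logic.

```python
"""Roll per-dependency OpenSSF Scorecard JSON up to an application-level view.

Added example, not code from the OpenSSF Scorecard project or the Ortelius
dashboard. Assumes each dependency was scanned with
`scorecard --repo=<repo> --format=json`; the aggregation rule (application
score = lowest dependency score, per-check score = lowest across dependencies)
is an assumption made for this example.
"""
import json
from typing import Any

# Constructed sample input: trimmed Scorecard JSON for three hypothetical
# dependencies of one application. Real output carries more fields (date,
# scorecard version, per-check details and documentation links).
SAMPLE_RESULTS = [
    json.dumps({
        "repo": {"name": "github.com/example/libfoo"},
        "score": 7.2,
        "checks": [
            {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
            {"name": "Pinned-Dependencies", "score": 4, "reason": "dependency not pinned by hash detected"},
            {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        ],
    }),
    json.dumps({
        "repo": {"name": "github.com/example/parserlib"},
        "score": 3.1,
        "checks": [
            {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
            {"name": "Pinned-Dependencies", "score": 2, "reason": "dependency not pinned by hash detected"},
            {"name": "Signed-Releases", "score": 0, "reason": "release artifacts are not signed"},
        ],
    }),
    json.dumps({
        "repo": {"name": "github.com/example/netutil"},
        "score": 8.9,
        "checks": [
            {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
            {"name": "Pinned-Dependencies", "score": 9, "reason": "dependency pinned by hash"},
            {"name": "Signed-Releases", "score": 8, "reason": "some releases signed"},
        ],
    }),
]


def load_results(blobs: list[str]) -> list[dict[str, Any]]:
    """Parse raw Scorecard JSON documents, rejecting any missing the fields we rely on."""
    results = []
    for blob in blobs:
        doc = json.loads(blob)
        if not all(key in doc for key in ("repo", "score", "checks")):
            raise ValueError("not a Scorecard result document")
        results.append(doc)
    return results


def aggregate(results: list[dict[str, Any]], threshold: float = 5.0) -> dict[str, Any]:
    """Combine per-repo results into one application-level summary.

    An application is treated as only as strong as its weakest dependency:
    the application score is the minimum overall score, and each check's
    application score is the minimum across dependencies. Checks that did
    not run (score -1) are listed separately instead of being counted as 0,
    so an unevaluable check is neither a silent failure nor a silent pass.
    """
    if not results:
        raise ValueError("no results to aggregate")

    weakest = min(results, key=lambda r: r["score"])
    per_check: dict[str, dict[str, Any]] = {}
    unevaluated: dict[str, list[str]] = {}

    for r in results:
        repo = r["repo"]["name"]
        for chk in r["checks"]:
            name, score = chk["name"], chk["score"]
            if score < 0:
                unevaluated.setdefault(name, []).append(repo)
                continue
            current = per_check.get(name)
            if current is None or score < current["score"]:
                per_check[name] = {"score": score, "weakest_repo": repo, "reason": chk.get("reason", "")}

    failing = sorted(name for name, c in per_check.items() if c["score"] < threshold)
    return {
        "application_score": weakest["score"],
        "weakest_dependency": weakest["repo"]["name"],
        "checks": per_check,
        "failing_checks": failing,
        "unevaluated": unevaluated,
    }


if __name__ == "__main__":
    print(json.dumps(aggregate(load_results(SAMPLE_RESULTS)), indent=2))
```

Run against the constructed sample, the summary names parserlib as the weakest dependency (3.1), reports Pinned-Dependencies and Signed-Releases as failing at the application level, and lists libfoo's Signed-Releases check as unevaluated rather than failed. Swap in real `scorecard --format=json` output per dependency to get the same view for your own application; a stricter threshold, or a minimum per check you care about most (for example Pinned-Dependencies for build reproducibility), is a one-line change.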
Predictions for Open Source Security in 2025: AI, State Actors, and Supply Chains
Open source software powers nearly all modern applications, yet its vulnerabilities make it a prime target for cyberattacks. High-profile incidents like the xz Utils backdoor highlight growing threats from state actors and cybercriminals. The rise of generative AI amplifies these risks, enabling scaled phishing campaigns and fake contributors that erode trust.
To protect open source as a global asset, greater investment, improved governance, and faster patching are critical.
News from OpenSSF Community Meetings and Projects:
- Global Cyber Policy WG is planning an in-person meetup for those attending FOSDEM. Doodle poll is here.
- Vulnerability Disclosures: The VulnCon CFP deadline has been extended to Jan 31, 2025
- Security Baseline reviewed 7 open PRs and 5 were merged. Two PRs remain open: #130 & #116. The group is moving to a Pilot program; stay tuned for more details.
- Sigstore: Cosign has a new release coming soon, and Ruby 3.4 added support for attestations. Several from the project will be at FOSDEM.
- EDU.SIG continues to collaborate on Developer Manager training & Security Architecture training.
- C/C++ Compiler Options Best Practices has three PRs in active review: #706, #694, & #284.
- Securing Software Repositories submitted a TAC funding request for a technical writer for package yanking guidance.
- Minder held its first community meeting and covered the goals of the project, results from the recent “Ruleathon”, and feature requests. Minder will have a “Provider Deep Dive” presentation at the Jan. 27 Minder Monday meeting.
- DevRel discussed 2025 goals including an OpenSSF Reference Architecture, event participation, editorial focus, and recruitment.
- Memory Safety SIG: the team working on OpenSSF Scorecard probes provided a demo.
- OpenSSF Scorecard is reviewing a PR for GitHub git compatibility mode.
- gittuf is planning to advance from Alpha to Beta status soon.
In the News:
- Darkreading: The Shifting Landscape of Open Source Security
- Security Boulevard: Census III Study Spotlights Ongoing Open Source Software Security Challenges
- Help Net Security: What Open Source Means for Cybersecurity
- Risky Biz News: Risky Bulletin: CISA Sent 2,100+ Pre-ransomware Alerts This Year
- Good Tech: Open Source Trends and Challenges Revealed in New Study
- SecurityExpress.info: 96% of Codebases Use Open Source: Census III Reveals FOSS Reliance
- SecurityInfoWatch: Open-Source Usage Trends and Security Challenges Revealed in New Study
- Darkreading: Lessons From the Largest Software Supply Chain Incidents
Meet OpenSSF at These Upcoming Events!
- FOSDEM, Brussels: February 1, 2025
- OpenSSF Policy Summit DC 2025: March 4, 2025
- OpenSSF Community Day North America 2025: June 26, 2025
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Month!
We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team