
Welcome to the August 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
TL;DR:
🔍 Case Study: GUAC security validated in <1hr w/Baseline.
📝 Blogs: OpenSSF Community and Working Groups, AI security, AIxCC wins.
🎙 Podcasts: OSTIF audits, CRA in Erlang Community.
📅 Events: OpenSSF Community Day Europe, Linux Foundation Europe Member Summit, Open Source in Finance Forum New York, Linux Foundation Europe Roadshow, European Open Source Security Forum (link coming soon), OpenSSF Community Day Korea, Open Source SecurityCon 2025
🎉 Celebrating Five Years of OpenSSF: A Journey Through Open Source Security
August 2025 marks five years since the official formation of the Open Source Security Foundation (OpenSSF). From uniting global efforts to securing open source software, to launching initiatives like Sigstore, OpenSSF Scorecard, Alpha-Omega, SLSA, and the OSPS Baseline, OpenSSF has moved from ideas to impact – shaping the future of software supply chain security.
This milestone isn’t just a celebration of what we have accomplished, but of the community we have built together. Here’s to five years of uniting communities, hardening the software supply chain, and driving a safer digital future.
Read the full blog to explore the journey, voices, and vision that continue to shape OpenSSF’s impact.
✨Community Highlight: Whitepaper: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security
We want to give a shout out to Sarah Evans (Dell Technologies), Andrey Shorov (Ericsson) and the entire AI/ML Security Working Group for their outstanding contributions through OpenSSF, advancing secure AI/ML practices and delivering industry leadership in building robust AI/ML pipeline security.
Their new whitepaper, “Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security,” expands Ericsson’s MLSecOps framework into a comprehensive, visual, “layer-by-layer” guide. It shows how to apply open source tools like SLSA, Sigstore, and OpenSSF Scorecard to secure the ML lifecycle, offering mapped risks, security controls, a reference architecture, and practical tools.
This is a must-read for anyone designing, developing, deploying, or securing AI/ML systems.
Read the whitepaper and the blog to see how OpenSSF members are shaping the future of trustworthy AI.
🔍Case Study: How LFX Insights and OSPS Baseline Validated GUAC’s Security in Under an Hour
How can a project like GUAC validate its strong security posture in under an hour?
Kusari used LFX Insights integrated with the OpenSSF OSPS Baseline to run a rapid, automated assessment of GUAC’s security posture. In less than an hour, evidence of strong security practices was compiled automatically, results were presented in a clear visual format, and findings were instantly aligned to major frameworks like NIST SSDF and the EU Cyber Resilience Act. The result was faster trust, reduced workload, and a smoother path for adoption.
Project leaders and community voices including Mike Lieberman (Kusari), Ben Cotton (Kusari), Eddie Knight (Sonatype), and Mihai Maruseac (Google) emphasized the value of this approach. They highlighted how OSPS Baseline makes security proof more visible, reduces repetitive effort, saves time for maintainers, and builds confidence among OSPO leads and end users.
Read the full case study to see how LFX Insights and OSPS Baseline created a blueprint for faster, more credible security assurance.
Blogs: What’s New at the OpenSSF Community?
Here you will find a snapshot of what’s new on the OpenSSF blog. For more stories, ideas, and updates, visit the blog section on our website.
Case Study: Google Secures Machine Learning Models with sigstore
As machine learning evolves, so do the threats: data poisoning, model tampering, and unverifiable origins are real risks. Google’s Open Source Security Team, sigstore, and OpenSSF created the OMS specification, integrating it into hubs like NVIDIA NGC and Kaggle. Models are automatically signed, tied to the author’s identity, verified for authenticity, and logged for a complete audit trail. This blueprint offers a path to a verified ML ecosystem.
“If we reach a state where all claims about ML systems and metadata are tamperproof, tied to identity, and verifiable by the tools ML developers already use—we can inspect the ML supply chain immediately in case of incidents.” — Mihai Maruseac, Staff Software Engineer, Google
Read the case study.
What’s it like to speak, volunteer, parent, and explore nature – all in one week at OSS Summit NA 2025?
Eman Abu Ishgair shares her experience attending the Open Source Summit North America in Denver as a speaker, volunteer, and new community member during OpenSSF Community Day. From co-presenting “The Open Source SDLC Control Plane: Building the Supply Chain Security Sandwich” with Michael Lieberman, CTO and Co-founder at Kusari and Governing Board member, to volunteering at the OpenSSF booth, connecting with collaborators, attending talks on SBOM, Signing, and Securing AI pipelines, and exploring Colorado’s natural wonders with her children, Eman’s week was full of learning, community, and inspiration.
Read the full blog to experience her journey and discover how you can get involved with OpenSSF.
How does the OpenSSF welcome maintainers, security engineers, students, and others to its open, global community?
Ejiro Oghenekome and Sal Kimmich share how OpenSSF serves as the global hub for collaborative work on securing the software supply chain, with no gatekeepers and open participation for all. The blog explains how to join Slack, attend meetings, contribute via GitHub, and explore working groups like AI/ML Security, BEAR, Global Cyber Policy, Security Tooling, Vulnerability Disclosures, Securing Software Repositories, ORBIT, Securing Critical Projects, and Supply Chain Integrity. Every OpenSSF group welcomes newcomers, with many paths to contribute, no matter your background.
Read the blog to discover where your skills fit and how to start contributing today.
Securing AI: The Next Cybersecurity Battleground
The AI wave is here, and it’s only getting bigger. It ushers in a pivotal new cybersecurity battleground: securing AI. In this blog, Hugo Huang, an expert in Cloud Computing and Business Models who spearheads joint innovation between Canonical and Google, shares findings from a security survey. The report highlights three top challenges in 2025: a lack of standardized frameworks, shadow AI, and the talent gap. Building resilient AI systems needs concrete security measures across the AI lifecycle, with open source as the pivotal enabler.
Read the full blog.
OpenSSF at Black Hat USA 2025 & DEF CON 33: AIxCC Highlights, Big Wins, and the Future of Securing Open Source
Image source: Christopher “CRob” Robinson (OpenSSF), Stephanie Domas (Canonical), and Anant Shrivastava (Cyfinoid Research) hosted a standing-room-only “Ask Me Anything About FOSS” panel at Black Hat USA 2025
The Open Source Security Foundation marked a strong presence at Black Hat USA 2025 and DEF CON 33, engaging with security leaders, showcasing initiatives, and fostering collaboration to advance open source security. At DEF CON, the spotlight was on the AI Cyber Challenge (AIxCC), a DARPA and ARPA-H competition to develop AI-enabled software that can identify and patch vulnerabilities. Trail of Bits, an OpenSSF General Member, earned second place with Buttercup, their open source Cyber Reasoning System.
Read the full blog for more details.
What’s in the SOSS? An OpenSSF Podcast:
In this episode of What’s in the SOSS, Derek Zimmer and Amir Montezary from the Open Source Technology Improvement Fund (OSTIF) share their decade-long mission of providing security resources to open source projects. They focus on collaborative, maintainer-centric security audits that improve project security posture through expert third-party reviews. These engagements are designed to be supportive, impactful, and efficient. Listen to the full episode to hear OSTIF’s 10-year journey and how they help projects strengthen security.
In this episode of What’s in the SOSS?, CRob talks with Jonatan Männchen (CISO, Erlang Ecosystem Foundation), Ulf Riehm (Product Owner, Herrmann Ultraschall), and Michael Winser (Alpha-Omega). The conversation explores the critical importance of security in open source, especially with the CRA. Hear how the Erlang community brings in experts, fosters collaboration, and builds trust. Listen to the full episode to learn why manufacturers invest in upstream projects and how other ecosystems can follow this approach.
Education:
The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:
- Developing Secure Software (LFD121)
- Security for Software Development Managers (LFD125)
- Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)
- Securing Projects with OpenSSF Scorecard (LFEL1006)
- Securing Your Software Supply Chain with Sigstore (LFS182)
These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.
News from OpenSSF Community Meetings and Projects:
- OpenBao released v2.3.2, which addresses security vulnerabilities and includes bug fixes and improvements.
- Zarf released v0.60.0, adding skeleton and feature API capabilities and fixing bugs.
- The Best Practices and AI/ML Security WGs have drafted a Security-Focused Guide for AI Code Assistant Instructions. Reviews and feedback in the form of PRs are welcome.
In the News:
- SC Media: Application Security Weekly podcast, Getting Started with Security Basics on the Way to Finding a Specialization – ASW #339
- Techstrong.ai, Navigating Software Supply Chain Security Challenges with Christopher (CRob) Robinson | Open Source Summit NA 2025
- Techstrong.ai, Techstrong TV June 30, 2025
- SiliconANGLE, Code, community and the future: 13 takeaways from Open Source Summit NA
- Efficiently Connected, Preparing for Automated Regulatory Compliance with RISC-V
- SiliconANGLE, How open-source developers can meet global cybersecurity laws — before it’s too late
- Infosecurity Magazine, NSA and CISA Urge Adoption of Memory Safe Languages for Safety
- theCUBE, CRob Robinson, OpenSSF | Open Source Summit 2025
- Linux Insider, Is a Security Baseline Enough for Open-Source Software?
- ITdaily, Linux Foundation Launches Global Cybersecurity Skills Framework
- Security Boulevard, Linux Foundation Shares Framework for Building Effective Cybersecurity Teams
- Help Net Security, Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed
- SC Media, New Cybersecurity Skills Framework seeks to bolster enterprise talent readiness
- ITOps Times, Linux Foundation and OpenSSF launch Cybersecurity Skills Framework
- SiliconANGLE, Linux Foundation debuts Cybersecurity Skills Framework to address enterprise talent gaps
- I-Programmer, Why OpenSSF’s Baseline Security For Open Source Projects Is Important
- SD Times, OpenSSF creates Project Security Baseline
- InfoQ, OpenSSF Publishes Security Baseline for Open-Source Projects
Meet OpenSSF at These Upcoming Events!
Join us at OpenSSF Community Day Events in Europe and South Korea!
OpenSSF Community Days bring together security and open source experts to drive innovation in software security.
- Amsterdam, Netherlands – August 28, 2025
- Seoul, South Korea – November 4, 2025
Connect with the OpenSSF Community at these key events:
- Open Source Summit Europe: August 25 – 27, 2025
- Open Source in Finance Forum (OSFF): October 21-22, 2025
- The Linux Foundation Member Summit: October 28, 2025
- The Linux Foundation Europe Roadshow: October 29, 2025
- Open Source SecurityCon 2025: November 10, 2025
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team