
OpenSSF Newsletter – October 2025

October 29, 2025

Welcome to the October 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR

✅ New free course: Secure AI/ML-Driven Software Development (LFEL1012)

✅ Upcoming Tech Talk: Simplifying DevSecOps in Air-Gapped Environments with Zarf

✅ SBOMs evolving under the CRA toward unified, actionable frameworks

✅ Recap: Securing the AI/ML lifecycle

✅ OpenSSF Scorecard audit completed

✅ Sigstore Rekor dataset released on BigQuery

✅ New podcast episodes (#40-43) on AI, SBOMs, and open source security

✅ OSPS Baseline & Model Signing updates released

✅ Upcoming events: Seoul (Nov 4), Lyon (Nov 5-6), SecurityCon (Nov 10)

A New Course on Secure AI/ML-Driven Software Development


The Open Source Security Foundation (OpenSSF) has announced a new free course, Secure AI/ML-Driven Software Development (LFEL1012).

As AI and ML become central to software development, this course helps developers understand and address the security risks that come with AI code assistants, from exposure to untrusted content and access to private data to external communication threats.

Designed for anyone developing software, the one-hour course offers a pragmatic, real-world approach to using AI securely in development while maintaining best practices.

Take the course and explore more free OpenSSF learning resources, including Developing Secure Software (LFD121) and Understanding the EU Cyber Resilience Act (LFEL1001). Learn more.

Tech Talk: Simplifying DevSecOps in Air-Gapped Environments with Zarf


Register for this new Tech Talk, which introduces Zarf, an OpenSSF project that simplifies software delivery in air-gapped and semi-connected environments. You will see how Zarf’s declarative packaging keeps Kubernetes and cloud-native workloads running smoothly even without internet access.

  • Learn how Zarf, an OpenSSF project, simplifies DevSecOps in air-gapped and semi-connected environments
  • See a live demo of declarative packaging for Kubernetes and cloud-native workloads without internet access
  • Leave with practical steps and resources to start using Zarf for secure and resilient software delivery

SBOMs in the Era of the CRA: Toward a Unified and Actionable Framework


The Software Bill of Materials (SBOM) has evolved from a best practice into a legal and operational requirement under the EU Cyber Resilience Act (CRA). In this blog, authors Madalin Neag (EU Policy Advisor, OpenSSF), Kate Stewart (VP, Dependable Embedded Systems, Linux Foundation), and David A. Wheeler (Director, Open Source Supply Chain Security, OpenSSF) explain how global policy momentum, from the CRA to the U.S. CISA Minimum Elements, is driving SBOMs toward greater interoperability, automation, and actionable security intelligence. They highlight the role of open standards like SPDX and CycloneDX, supported by OpenSSF tools such as Protobom, BomCTL, and SBOMit, which let organizations automate SBOM creation, validation, and lifecycle management. The authors argue that SBOMs must no longer serve merely as compliance artifacts but as dynamic cybersecurity assets that enhance transparency, trust, and real-time risk management across the global software supply chain. Read more.

Blogs: What’s New in the OpenSSF Community?

Here you will find a snapshot of what’s new on the OpenSSF blog. For more stories, ideas, and updates, visit the blog section on our website.

Recap: OpenSSF Tech Talk on Securing the AI Lifecycle

On September 24, the Open Source Security Foundation (OpenSSF) hosted a Tech Talk with experts from Dell Technologies, Google, and Intel on securing the AI/ML lifecycle through open source.

Sarah Evans (Dell Technologies) shared the Visualizing Secure MLOps whitepaper, Mihai Maruseac (Google) discussed model signing and supply chain risks, and Marcela Melara (Intel) presented new work on provenance and GPU-based integrity.

The session emphasized the “three T’s” of AI security – Trust, Transparency, and Tooling – and highlighted the need for community collaboration to secure AI development. To learn more, check out the recap blog.

KubeCon + CloudNativeCon North America 2025 Co-Located Event Deep Dive: Open Source SecurityCon

Security is no longer just a consideration; it’s a necessity. Join the community building a safer open source future.

Co-located with KubeCon + CloudNativeCon North America, Open Source SecurityCon brings together developers, security engineers, and open source contributors to strengthen trust in open source. Through expert-led sessions and hands-on activities, participants will explore AI security, supply chain security, and security policy shaping the future of secure software for everyone. Learn more and attend the sessions.

OpenSSF Scorecard Audit is Complete!


The Open Source Technology Improvement Fund (OSTIF) has completed a security audit of the OpenSSF Scorecard, an open source tool that helps projects continually assess security risks.

The audit, carried out by ADA Logics with support from OpenSSF, included threat modeling, manual code review, and fuzz testing across multiple Scorecard repositories. Many of the reported issues have already been addressed, and users are encouraged to update to the latest version to benefit from these fixes.

Read the full audit report and learn how to contribute to OpenSSF Scorecard.

Announcing the Sigstore Transparency Log Research Dataset


The Google Open Source Security Team has announced a new BigQuery public dataset, rekor, an easily queryable mirror of Sigstore’s transparency log, Rekor.

Rekor records signing events in an append-only log and provides cryptographic proofs of inclusion that help software consumers and producers verify artifact integrity. The new dataset makes it easier for open source supply chain researchers to analyze how artifacts are being signed with Sigstore, answering questions such as “What is the most common CI provider used to sign artifacts?” or “How many artifacts are signed each month?” Interested in learning more? Watch the talk from OpenSSF Community Day North America or check the recap blog here.
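The inclusion proofs mentioned above work the same way in Rekor as in Certificate Transparency: Rekor’s log (built on Trillian) uses the RFC 6962 Merkle tree, in which leaf hashes carry a 0x00 prefix and interior nodes a 0x01 prefix, and a consumer checks that a leaf hash plus a list of sibling hashes recomputes the root published in a signed checkpoint. The Python below is an added example, not code from Sigstore, Rekor, Google or the dataset. It builds a tiny log from five constructed entries, produces an inclusion proof for one of them, and verifies it with the RFC 9162 algorithm; the entries, the tree size and the root are all made up, and a real verifier would take the leaf hash and proof from a Rekor entry and the root from a signed checkpoint instead of rebuilding the tree.

```python
# Added example (not Sigstore/Rekor code): RFC 6962 Merkle inclusion proofs as Rekor issues them.
# The entries below are constructed stand-ins for canonicalized Rekor entry bodies; a real verifier
# takes the leaf hash, sibling hashes and signed checkpoint root from Rekor instead of rebuilding the tree.
import hashlib
from typing import List

LEAF_PREFIX = b"\x00"  # domain separation: a leaf hash can never equal ...
NODE_PREFIX = b"\x01"  # ... an interior-node hash, so a node cannot be passed off as a leaf

def hash_leaf(data: bytes) -> bytes:
    """SHA-256(0x00 || data): the hash of one log entry."""
    return hashlib.sha256(LEAF_PREFIX + data).digest()

def hash_children(left: bytes, right: bytes) -> bytes:
    """SHA-256(0x01 || left || right): an interior node."""
    return hashlib.sha256(NODE_PREFIX + left + right).digest()

def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (the 'k' of RFC 6962)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root_hash(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash of a log holding exactly these entries, in order."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = _split_point(n)
    return hash_children(root_hash(entries[:k]), root_hash(entries[k:]))

def inclusion_proof(entries: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes on the path from leaf `index` up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [root_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [root_hash(entries[:k])]

def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """RFC 9162 2.1.3.2: rebuild the root from leaf and proof; False on any mismatch."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(entry)
    for p in proof:
        if sn == 0:
            return False  # more sibling hashes than the path has levels
        if (fn & 1) or fn == sn:
            r = hash_children(p, r)  # right child: sibling sits on the left
            if not (fn & 1):
                # skip the levels at which this rightmost subtree has no sibling
                while not (fn & 1) and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_children(r, p)  # left child: sibling sits on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

# Constructed sample entries (not real Rekor bodies): five signing events.
SAMPLE_ENTRIES = [
    b'{"kind":"hashedrekord","artifact":"sha256:0a11","signer":"ci@example.test"}',
    b'{"kind":"hashedrekord","artifact":"sha256:0b22","signer":"ci@example.test"}',
    b'{"kind":"intoto","artifact":"sha256:0c33","signer":"release@example.test"}',
    b'{"kind":"hashedrekord","artifact":"sha256:0d44","signer":"ci@example.test"}',
    b'{"kind":"hashedrekord","artifact":"sha256:0e55","signer":"dev@example.test"}',
]

def demo() -> dict:
    """Check a genuine entry and three ways a proof can fail to match."""
    size = len(SAMPLE_ENTRIES)
    root = root_hash(SAMPLE_ENTRIES)  # stands in for a signed checkpoint root
    proof = inclusion_proof(SAMPLE_ENTRIES, 3)
    forged = SAMPLE_ENTRIES[3].replace(b"0d44", b"ffff")  # swapped artifact digest
    return {
        "genuine": verify_inclusion(SAMPLE_ENTRIES[3], 3, size, proof, root),
        "tampered_entry": verify_inclusion(forged, 3, size, proof, root),
        "wrong_index": verify_inclusion(SAMPLE_ENTRIES[3], 2, size, proof, root),
        "truncated_proof": verify_inclusion(SAMPLE_ENTRIES[3], 3, size, proof[:-1], root),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'verified' if ok else 'REJECTED'}")
```

The prefixes are what make it safe for the log to hand out interior hashes as a proof: without them an attacker could present an interior node as if it were a leaf. Note also that the verifier rejects a proof of the wrong length rather than stopping early, which matters when the proof comes from an untrusted mirror rather than from the log itself.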

What’s in the SOSS? An OpenSSF Podcast:

#40 – S2E17 From Manager to Open Source Security Pioneer: Kate Stewart’s Journey Through SBOM, Safety, and the Zephyr Project

In this episode of What’s in the SOSS, CRob sits down with Kate Stewart, a Linux Foundation veteran who shares her unique journey from management to open source innovation. Kate discusses her work driving safety-critical software initiatives through the Zephyr RTOS and ELISA projects, as well as her pivotal role in shaping SPDX and the evolution of Software Bill of Materials (SBOM). She breaks down SBOM types, highlights how Zephyr achieved OpenSSF Gold-level badging, and offers insights into navigating the EU Cyber Resilience Act (CRA). Tune in for a thoughtful look at how open source, safety, and security intersect in today’s regulatory landscape.

#41 – S2E18 The Remediation Revolution: How AI Agents Are Transforming Open Source Security with John Amaral

In this episode of What’s in the SOSS, CRob talks with John Amaral from Root.io about how AI and LLM technologies are reshaping open source security. They discuss the move from traditional “scan and triage” to a “fix first” approach powered by AI agents, the challenges of securing containerized environments, and how developers can use AI as both a pair programmer and security analyst. Tune in for insights on the future of AI-driven vulnerability management and the evolution from “shift left” to “shift out” security practices.

#42 – S2E19 New Education Course: Secure AI/ML-Driven Software Development (LFEL1012) with David A. Wheeler

In this episode of What’s in the SOSS, Yesenia talks with David A. Wheeler, Director of Open Source Supply Chain Security at the Linux Foundation, about the new free course Secure AI/ML-Driven Software Development (LFEL1012). David discusses the growing need for education and tools to ensure security in AI-driven development, common misconceptions about AI, and the value of digital badges for developers. Tune in to learn how this course helps developers build secure, resilient software in the age of AI.

#43 – S2E20 Building Trust in Open Source: Seth Larson’s Journey from Maintainer to Security Leader

In this episode of What’s in the SOSS, Yesenia Yser chats with Seth Larson, Security Developer-in-Residence at the Python Software Foundation, about his journey from urllib3 maintainer to open source security leader. Seth discusses how public documentation shapes trust, the importance of supporting maintainers, and making security accessible without disrupting workflows. He also shares insights on secure-by-default practices, community engagement, and even his love for retro Nintendo games.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

  • OSPS Baseline released version 2025-10-10, adding 6 new controls to the catalog and mappings to NIST SP 800-161, PCI DSS, PSSCRM, SAMM, and UKSSCOP.
  • Model Signing released v1.1.0 (and v1.1.1 with an API bug fix). The release extends support for more signing methods and more hashing algorithms. It also adds options to customize the library and CLI.
  • The Global Cyber Policy WG has shared a collection of CRA vertical standards documents that ETSI has made available for public inquiry.

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day in South Korea!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month!

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team