
Welcome to the November 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
TL;DR:
✅ Cyber week: Free + discounted security courses to level up fast
✅ EU CRA insights and OSS security guidance from Open Source Security Week in Belgium
✅ OSS security best practices for finance from OSFF NYC
✅ New OpenSSF members, awards, and project milestones
✅ New podcast episodes (#44-45): the OSPS Security Baseline, and SBOM Chaos and Software Sovereignty
✅ SBOM Coffee Club reviewed OWASP AIBOM
✅ Zarf v0.65.1 adds broader K8s support & hosts Tech Talk
✅ OpenBao advancing read-replication
✅ Upcoming events: FOSDEM (31 Jan & 1 Feb 2026), Open Source SecurityCon (23 March 2026), KubeCon+CloudNativeCon Europe (23-26 March 2026)
Level Up Your Open Source Security Skills for Cyber Week
OpenSSF and Linux Foundation Education are committed to making world-class security training accessible to everyone. Whether you are securing critical open source projects, preparing for new regulations, or building foundational expertise, you can start today with free e-learning courses and earn digital badges along the way. Explore offerings like Developing Secure Software (LFD121), Security for Software Development Managers (LFD125), Understanding the EU Cyber Resilience Act (LFEL1001), Secure AI/ML-Driven Software Development (LFEL1012), and many others designed to strengthen software resilience across the ecosystem.
If you are ready to go deeper, Cyber Week kicks off December 1 and brings the biggest savings of the year from Linux Foundation Education. From certification bundles to instructor-led courses and subscription packages, you can save up to 65 percent and accelerate your career heading into 2026.
Visit LF Education starting on December 1st to grab the best savings of the year!
Start learning for free. Level up for less. Strengthen the security of the open source world.
Blogs: What’s New in the OpenSSF Community?
Recap: Open Source Security Week in Belgium – Highlights from Ghent to Brussels
At the end of October, Linux Foundation Europe, OpenSSF, and CEPS hosted a week of open source security activities across Ghent and Brussels. Developers, maintainers, policymakers, and security experts came together to break down the Cyber Resilience Act, share practical readiness guidance, and align on how Europe can strengthen software security without slowing open collaboration. From technical workshops to policy-driven discussions, the week highlighted both the challenges ahead and the growing support available to the community. Read the full recap for key takeaways, reflections, and ways to get involved.
Building Security in Open Source for Financial Services: OpenSSF at Open Source in Finance Forum (OSFF) NYC
OpenSSF joined the Open Source in Finance Forum (OSFF) NYC to highlight how financial institutions can confidently rely on open source while managing real security risks. Through sessions on AI security, project security baselines, and stabilizing vulnerability data pipelines, OpenSSF showed how collaboration between maintainers, regulators, and industry engineers leads to practical solutions that strengthen the software powering today’s financial systems. Read the full recap to explore the key takeaways and resources shared at OSFF.
Tech Talk Recap: Simplifying DevSecOps in Air-Gapped Environments with Zarf
In the latest OpenSSF Tech Talk, we focused on a significant hurdle in software supply chain security: managing software delivery and upkeep within air-gapped and restricted network environments. You can now view the recording on the OpenSSF YouTube channel, and the presentation slides are accessible here.
OpenSSF Announces Key Membership Growth and Golden Egg Award Winners at Open Source SecurityCon North America
The Open Source Security Foundation (OpenSSF) announced new and expanded memberships at Open Source SecurityCon North America, welcoming Target Corporation and Thread AI, and celebrating OSTIF’s upgrade to general member status. The community also recognized standout contributors with the latest Golden Egg Awards and highlighted recent progress across learning resources, tooling, and global events. Read the blog to learn more about the membership updates, award winners, and milestones from the past quarter.
Here you will find a snapshot of what’s new on the OpenSSF blog. For more stories, ideas, and updates, visit the blog section on our website.
What’s in the SOSS? An OpenSSF Podcast:
#44 – S2E21 A Deep Dive into the Open Source Project Security (OSPS) Baseline
In this episode of What’s in the SOSS?, CRob, Ben Cotton, and Eddie Knight take a practical look at the Open Source Project Security (OSPS) Baseline, a shared security checklist designed to help maintainers communicate the current state of their project’s security practices. They break down how the baseline fits into real workflows, why clear documentation builds trust, and how downstream users benefit when expectations are aligned. The conversation also explores integrations with other OpenSSF efforts, lessons from the GUAC case study, and what’s ahead as the community continues to refine the framework and expand tooling support.
#45 – S2E22 SBOM Chaos and Software Sovereignty with Canonical’s Stephanie Domas
In this episode of What’s in the SOSS?, CRob talks with Stephanie Domas, Chief Security Officer at Canonical, about the hidden challenges shaping today’s open source ecosystem. Stephanie breaks down why third-party patches disrupt SBOM accuracy, how software sovereignty is influencing global procurement, and what the EU CRA means for enterprises working with upstream dependencies. She also shares insights on memory-safe upgrades in Ubuntu’s next LTS and why transparency, collaboration, and community support are critical to building trust in open source.
News from OpenSSF Community Meetings and Projects:
- OpenSSF hosted a stand at GitHub Universe to share updates on the Open Source Project Security Baseline and highlight our free courses available through LF Education.
- The SBOM Coffee Club (meetings every Monday at 11 am ET) discussed the OWASP AIBOM Project.
- Zarf released v0.65.1, which includes an alpha feature for broader Kubernetes distribution support.
- OpenBao has an open PR for read replication that is currently moving through the review process.
- DeployHub, contributor to the Ortelius open source project, has joined the Catalyst Campus SDA TAP Lab to work with U.S. Space Force partners on bringing its SBOM-based post-deployment vulnerability detection tech to space, defense, air-gapped, and edge environments. Read more.
- Alpha-Omega published new updates showcasing how its funding is strengthening open source security, including Documenting Package Manager Data: Insights from ecosyste.ms and Strengthening FreeBSD’s Software Supply Chain: Year Two of Alpha-Omega Support to improve third-party dependencies and SBOM accuracy.
In the News:
- Dark Reading, 150,000 Packages Flood NPM Registry in Token Farming Campaign
- The Register, Crims poison 150K+ npm packages with token-farming malware
- Announcement: OpenSSF Announces Key Membership Growth and Golden Egg Award Winners at Open Source SecurityCon North America
Meet OpenSSF at These Upcoming Events!
Connect with the OpenSSF Community at these key events:
- FOSDEM 2026 – January 31 & February 1, 2026
- Open Source SecurityCon Europe – March 23, 2026
- KubeCon + CloudNativeCon Europe – March 23-26, 2026
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team