Welcome to the December 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
TL;DR:
🎁 2025 OpenSSF Annual Report
🎁 Free OpenSSF and Linux Foundation Education Courses
☃️ Recap: OpenSSF Community Day Korea 2025
☃️ KubeCon Keynote Recap
☃️ OpenSSF at OSPOlogyLive Europe
☃️ New podcast episodes (#46–47): AI, open source & collaboration (Jay White, Microsoft) and supply chain security in academia (Justin Cappos, NYU)
❄️ Alpha-Omega strengthened SBOM tooling and FreeBSD security
❄️ Gemara site launched
❄️ SecurityCon NA session videos now online
❄️ SLSA v1.2 adds a new Source Track
❄️ OpenBao v2.4.4 released
❄️ Upcoming events: FOSDEM (31 Jan & 1 Feb 2026), Open Source SecurityCon (23 March 2026), KubeCon+CloudNativeCon Europe (23-26, March 2026)
2025 OpenSSF Annual Report
Discover how the open source security community moved forward in 2025. The OpenSSF Annual Report highlights major achievements in education, tooling, vulnerability management, research, and global collaboration with insights from leadership and working groups. It’s a powerful look at how far we’ve come and where we’re headed as we work together to strengthen the security of open source software.
Download the 2025 OpenSSF Annual Report and explore the progress, impact, and vision shaping the future of open source security.
Blogs: What’s New in the OpenSSF Community?
From Beginner to Builder: Free OpenSSF and Linux Foundation Education Courses
Level up your open source security skills with this practical roundup from Ejiro Oghenekome and Sal Kimmich, CSM, a curated list of free, self-paced Linux Foundation Education and OpenSSF courses built for developers who want to contribute with confidence. From secure coding and threat modeling to OpenSSF Scorecard automation, SBOMs/signatures, and even essential context like ethics, inclusion, and new regulations, this blog post maps out clear learning paths you can start right away, before (or alongside) your next contribution. Read the blog.
Recap: OpenSSF Community Day Korea 2025
OpenSSF Community Day Korea 2025, held on November 4 in Seoul, brought developers and security engineers together for practical sessions on open source and software supply chain security. Talks spanned CI/CD hardening, SBOM-driven tooling, Linux kernel testing, post-quantum cryptography, and AI/ML security, all framed by OpenSSF’s pillars of Education, Policy, Projects, and Community. The event marked a strong start for a growing OpenSSF community in Korea, with public, private, and academic stakeholders aligning around the message that securing open source is shared work. Read the recap blog.
KubeCon Keynote Recap: “Supply Chain Reaction” and Why the OSPS Baseline Matters More Than Ever
How can a Kubernetes cluster with zero known vulnerabilities still be compromised?
In their KubeCon keynote “Supply Chain Reaction: A Cautionary Tale in K8s Security,” Stacey Potter (Community Manager, OpenSSF) and Adolfo García Veytia (Founder and Engineer, Carabiner Systems) walked through a realistic incident where a compromised compiler image injected a crypto-mining payload long before workloads reached the cluster, bypassing traditional defenses. They showed how tools like SLSA, Sigstore, Kyverno, and Ampel help secure the entire software lifecycle, and why the new Open Source Project Security (OSPS) Baseline with its eight control families and three maturity levels gives projects a practical, stepwise framework to resist invisible supply-chain attacks.
The talk makes a clear case: adopting the OSPS Baseline is now essential for any open source project that wants real, preventative supply-chain security. Learn more.
OpenSSF Projects in Less Than 5 Minutes
Short on time but curious about open source security tools? This video series features quick interviews with OpenSSF maintainers, giving you a fast, developer-focused look at the projects, standards, and initiatives they’re building. Hear directly from the people behind the code and discover which tools you might want to try next. Watch the videos here.
OpenSSF at OSPOlogyLive Europe
Madalin Neag, EU Policy Advisor at OpenSSF participated in OSPOlogyLive Europe, where he presented The Cybersecurity Skills Framework presentation and discussed why securing software requires investing in people and shared security knowledge, not just technology. The session highlighted OpenSSF’s leadership in building practical, role-based security capabilities across engineering teams. The framework provides a clear, actionable map for identifying security skill gaps and prioritizing capability development across the software ecosystem. It also demonstrated how organizations can use a common language for security skills to systematically improve their cybersecurity posture.”
What’s in the SOSS? An OpenSSF Podcast:
#47 – S2E24 Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos
On the latest episode of What’s in the SOSS, host Yesenia Yser sits down with Justin Cappos, professor at NYU Tandon School of Engineering, to discuss why software supply chain security is still missing from many university curricula and how hands on, open source first education can better prepare students for real world security work.
The conversation explores gaps in traditional computer science education, the importance of teaching open source collaboration, and how initiatives like the Linux Foundation’s Academic Computing Accreditation Program are helping institutions modernize security education.
🎧 Listen to the episode and learn more about the Academic Computing Accreditation Program: https://www.linuxfoundation.org/academic-computing-accreditation
#46 – S2E23 Securing the Future: AI, Open Source, and Collaboration with Jay White (Microsoft)
In this episode of What’s in the SOSS? Jay White from Microsoft’s Azure office of the CTO joins to talk about his path into open source and how it led him to focus on AI, machine learning, and security. He explains how model signing and transparency are becoming core to trustworthy AI, and shares ongoing work in OpenSSF and the Coalition for Secure AI (CoSAI) to build standards for AI supply chain security. The conversation touches on the challenges of cultural representation in AI models, why collaboration across companies and communities is essential, and how practitioners can get involved. Jay also reflects on the importance of community building and continuous learning as AI and open source evolve together.
News from OpenSSF Community Meetings and Projects:
- Recent Alpha-Omega supported work includes documenting package manager data across 70+ ecosyste.ms to improve tooling and SBOM generation, and strengthening FreeBSD’s software supply chain through machine-readable dependency inventories and long-term security planning.
- Gemara now has a website published at https://gemara.openssf.org/.
- The Global Cyber Policy WG and Core Toolchain Infrastructure project provided quarterly updates to the TAC.
- The Securing Software Repositories WG is planning a Package Manager Security Forum for February 2 in Brussels.
- Videos of all sessions from Open Source SecurityCon North America are now available.
- SLSA released v1.2 with the introduction of the Source Track that covers threats from the authoring, reviewing, and management of source code.
- OpenBao released v2.4.4.
- OpenSSF will have a stand at FOSDEM and is collaborating on the CRA in Practice, SBOM and EU Policy Dev Rooms.
In the News:
- Dark Reading published expert commentary from Christopher Robinson after speaking to him about OpenSSF’s work categorizing 150,000 malicious npm packages. CRob notes the importance of MFA and artifact signing to verify that code is secure here: “Infamous Shai-hulud Worm Resurfaces From the Depths.”
- In a Forbes article about the value of inclusive and resilient financial systems, Christopher Robinson of OpenSSF and Michael Lieberman of Kusari are included for their thoughts on secure fintech systems. Both suggest that open source software can play an important role in the future of finance, down to the code, and the Open Software Security Baseline is referenced in the article, “Secure By Design: Financial Systems For Climate Resilience.”
- This month VMblog published Christopher Robinson’s cybersecurity predictions for 2026. CRob points out the importance of MLSecOps, SBOMs, and more in the article, “Five cybersecurity predictions for 2026.”
Meet OpenSSF at These Upcoming Events!
Connect with the OpenSSF Community at these key events:
- FOSDEM 2026 – January 31 & February 1, 2026
- Open Source SecurityCon Europe – March 23, 2026
- KubeCon Europe – March 23 – 26, 2026
- OpenSSF Community Day North America – May 21, 2026
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team