Help Measure CRA Awareness: Take the 2026 Cyber Resiliency Survey

Tag

Community

Dec 17
Love0
December Newsletter - OpenSSF

OpenSSF Newsletter – December 2025

By Newsletter

Welcome to the December 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

🎁 2025 OpenSSF Annual Report

🎁 Free OpenSSF and Linux Foundation Education Courses

☃️ Recap: OpenSSF Community Day Korea 2025

☃️ KubeCon Keynote Recap

☃️ OpenSSF at OSPOlogyLive Europe

☃️ New podcast episodes (#46–47): AI, open source & collaboration (Jay White, Microsoft) and supply chain security in academia (Justin Cappos, NYU)

❄️ Alpha-Omega strengthened SBOM tooling and FreeBSD security

❄️ Gemara site launched

❄️ SecurityCon NA session videos now online

❄️ SLSA v1.2 adds a new Source Track

❄️ OpenBao v2.4.4 released

❄️ Upcoming events: FOSDEM (31 Jan & 1 Feb 2026), Open Source SecurityCon (23 March 2026), KubeCon+CloudNativeCon Europe (23-26, March 2026)

2025 OpenSSF Annual Report

2025 OpenSSF Annual Report

Discover how the open source security community moved forward in 2025. The OpenSSF Annual Report highlights major achievements in education, tooling, vulnerability management, research, and global collaboration with insights from leadership and working groups. It’s a powerful look at how far we’ve come and where we’re headed as we work together to strengthen the security of open source software.

Download the 2025 OpenSSF Annual Report and explore the progress, impact, and vision shaping the future of open source security.

Blogs: What’s New in the OpenSSF Community?

From Beginner to Builder: Free OpenSSF and Linux Foundation Education Courses

From Beginner to Builder: Free OpenSSF and Linux Foundation Education Courses

Level up your open source security skills with this practical roundup from Ejiro Oghenekome and Sal Kimmich, CSM, a curated list of free, self-paced Linux Foundation Education and OpenSSF courses built for developers who want to contribute with confidence. From secure coding and threat modeling to OpenSSF Scorecard automation, SBOMs/signatures, and even essential context like ethics, inclusion, and new regulations, this blog post maps out clear learning paths you can start right away, before (or alongside) your next contribution. Read the blog.

Recap: OpenSSF Community Day Korea 2025

Recap: OpenSSF Community Day Korea 2025

OpenSSF Community Day Korea 2025, held on November 4 in Seoul, brought developers and security engineers together for practical sessions on open source and software supply chain security. Talks spanned CI/CD hardening, SBOM-driven tooling, Linux kernel testing, post-quantum cryptography, and AI/ML security, all framed by OpenSSF’s pillars of Education, Policy, Projects, and Community. The event marked a strong start for a growing OpenSSF community in Korea, with public, private, and academic stakeholders aligning around the message that securing open source is shared work. Read the recap blog.

KubeCon Keynote Recap: “Supply Chain Reaction” and Why the OSPS Baseline Matters More Than Ever

KubeCon Keynote Recap: “Supply Chain Reaction” and Why the OSPS Baseline Matters More Than Ever

How can a Kubernetes cluster with zero known vulnerabilities still be compromised?

In their KubeCon keynote “Supply Chain Reaction: A Cautionary Tale in K8s Security,” Stacey Potter (Community Manager, OpenSSF) and Adolfo García Veytia (Founder and Engineer, Carabiner Systems) walked through a realistic incident where a compromised compiler image injected a crypto-mining payload long before workloads reached the cluster, bypassing traditional defenses. They showed how tools like SLSA, Sigstore, Kyverno, and Ampel help secure the entire software lifecycle, and why the new Open Source Project Security (OSPS) Baseline with its eight control families and three maturity levels gives projects a practical, stepwise framework to resist invisible supply-chain attacks. 

The talk makes a clear case: adopting the OSPS Baseline is now essential for any open source project that wants real, preventative supply-chain security. Learn more.

OpenSSF Projects in Less Than 5 Minutes

Short on time but curious about open source security tools? This video series features quick interviews with OpenSSF maintainers, giving you a fast, developer-focused look at the projects, standards, and initiatives they’re building. Hear directly from the people behind the code and discover which tools you might want to try next. Watch the videos here.

OpenSSF at OSPOlogyLive Europe

Madalin Neag, EU Policy Advisor, OpenSSF giving a talk at OSPOlogyLive Europe

Madalin Neag, EU Policy Advisor at OpenSSF participated in OSPOlogyLive Europe, where he presented The Cybersecurity Skills Framework presentation and discussed why securing software requires investing in people and shared security knowledge, not just technology. The session highlighted OpenSSF’s leadership in building practical, role-based security capabilities across engineering teams. The framework provides a clear, actionable map for identifying security skill gaps and prioritizing capability development across the software ecosystem. It also demonstrated how organizations can use a common language for security skills to systematically improve their cybersecurity posture.”

What’s in the SOSS? An OpenSSF Podcast:

#47 – S2E24 Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

On the latest episode of What’s in the SOSS, host Yesenia Yser sits down with Justin Cappos, professor at NYU Tandon School of Engineering, to discuss why software supply chain security is still missing from many university curricula and how hands on, open source first education can better prepare students for real world security work.

The conversation explores gaps in traditional computer science education, the importance of teaching open source collaboration, and how initiatives like the Linux Foundation’s Academic Computing Accreditation Program are helping institutions modernize security education.

🎧 Listen to the episode and learn more about the Academic Computing Accreditation Program: https://www.linuxfoundation.org/academic-computing-accreditation

#46 – S2E23 Securing the Future: AI, Open Source, and Collaboration with Jay White (Microsoft)

In this episode of What’s in the SOSS? Jay White from Microsoft’s Azure office of the CTO joins to talk about his path into open source and how it led him to focus on AI, machine learning, and security. He explains how model signing and transparency are becoming core to trustworthy AI, and shares ongoing work in OpenSSF and the Coalition for Secure AI (CoSAI) to build standards for AI supply chain security. The conversation touches on the challenges of cultural representation in AI models, why collaboration across companies and communities is essential, and how practitioners can get involved. Jay also reflects on the importance of community building and continuous learning as AI and open source evolve together.

News from OpenSSF Community Meetings and Projects:

In the News:

  • Dark Reading published expert commentary from Christopher Robinson after speaking to him about OpenSSF’s work categorizing 150,000 malicious npm packages. CRob notes the importance of MFA and artifact signing to verify that code is secure here: “Infamous Shai-hulud Worm Resurfaces From the Depths.”
  • In a Forbes article about the value of inclusive and resilient financial systems, Christopher Robinson of OpenSSF and Michael Lieberman of Kusari are included for their thoughts on secure fintech systems. Both suggest that open source software can play an important role in the future of finance, down to the code, and the Open Software Security Baseline is referenced in the article, “Secure By Design: Financial Systems For Climate Resilience.”
  • This month VMblog published Christopher Robinson’s cybersecurity predictions for 2026. CRob points out the importance of MLSecOps, SBOMs, and more in the article, “Five cybersecurity predictions for 2026.” 

Meet OpenSSF at These Upcoming Events!

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Nov 25
Love0
November Newsletter - OpenSSF

OpenSSF Newsletter – November 2025

By Newsletter

Welcome to the November 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Cyber week: Free + discounted security courses to level up fast

✅ EU CRA insights and OSS security guidance from Open Source Security Week in Belgium

✅ OSS security best practices for finance from OSFF NYC

✅ New OpenSSF members, awards, and project milestones

✅ New podcast episodes (#44-45): OSPS Security Baseline and SBOM Chaos and Software Sovereignty

✅ SBOM Coffee Club reviewed OWASP AIBOM

Zarf v0.65.1 adds broader K8s support & hosts Tech talk

OpenBao advancing read-replication

✅ Upcoming events: FOSDEM (31 Jan & 1 Feb 2026), Open Source SecurityCon (23 March 2026), KubeCon+CloudNativeCon Europe (23-26, March 2026)

Level Up Your Open Source Security Skills for Cyber Week

Cyber week - OpenSSF

OpenSSF and Linux Foundation Education are committed to making world-class security training accessible to everyone. Whether you are securing critical open source projects, preparing for new regulations, or building foundational expertise, you can start today with free e-learning courses and earn digital badges along the way. Explore offerings like Developing Secure Software (LFD121), Security for Software Development Managers (LFD125), Understanding the EU Cyber Resilience Act (LFEL1001), Secure AI/ML-Driven Software Development (LFEL1012), and many others designed to strengthen software resilience across the ecosystem.

If you are ready to go deeper, Cyber Week kicks off December 1. This brings the biggest savings of the year from Linux Foundation Education. From certification bundles to instructor-led courses and subscription packages, you can save up to 65 percent and accelerate your career heading into 2026.

Visit LF Education starting on December 1st to grab the best savings of the year!

Start learning for free. Level up for less. Strengthen the security of the open source world.

Blogs: What’s New in the OpenSSF Community?

Recap: Open Source Security Week in Belgium – Highlights from Ghent to Brussels

Open Source Security events in Belgium - October

At the end of October, Linux Foundation Europe, OpenSSF, and CEPS hosted a week of open source security activities across Ghent and Brussels. Developers, maintainers, policymakers, and security experts came together to break down the Cyber Resilience Act, share practical readiness guidance, and align on how Europe can strengthen software security without slowing open collaboration. From technical workshops to policy-driven discussions, the week highlighted both the challenges ahead and the growing support available to the community. Read the full recap for key takeaways, reflections, and ways to get involved.

Building Security in Open Source for Financial Services: OpenSSF at Open Source Finance Forum (OSFF) NYC

OpenSSF at Open Source in Finance Forum - New York 2025 - Recap blog

OpenSSF joined the Open Source in Finance Forum (OSFF) NYC to highlight how financial institutions can confidently rely on open source while managing real security risks. Through sessions on AI security, project security baselines, and stabilizing vulnerability data pipelines, OpenSSF showed how collaboration between maintainers, regulators, and industry engineers leads to practical solutions that strengthen the software powering today’s financial systems. Read the full recap to explore the key takeaways and resources shared at OSFF.

Tech Talk Recap: Simplifying DevSecOps in Air-Gapped Environments with Zarf

Tech Talk Recap: Simplifying DevSecOps in Air-Gapped Environments with Zarf

In the latest OpenSSF Tech Talk, we focused on a significant hurdle in software supply chain security: managing software delivery and upkeep within air-gapped and restricted network environments. You can now view the recording on the OpenSSF YouTube channel, and the presentation slides are accessible here.

OpenSSF Announces Key Membership Growth and Golden Egg Award Winners at Open Source SecurityCon North America

The Open Source Security Foundation (OpenSSF) announced new and expanded memberships at Open Source SecurityCon North America, welcoming Target Corporation and Thread AI, and celebrating OSTIF’s upgrade to general member status. The community also recognized standout contributors with the latest Golden Egg Awards and highlighted recent progress across learning resources, tooling, and global events. Read the blog to learn more about the membership updates, award winners, and milestones from the past quarter.

Here you will find a snapshot of what’s new on the OpenSSF blog. For more stories, ideas, and updates, visit the blog section on our website.

What’s in the SOSS? An OpenSSF Podcast:

#44 – S2E21 A Deep Dive into the Open Source Project Security (OSPS) Baseline

In this episode of What’s in the SOSS? CRob, Ben Cotton, and Eddie Knight take a practical look at the Open Source Project Security (OSPS) Baseline, a shared security checklist designed to help maintainers communicate the current state of their project’s security practices. They break down how the baseline fits into real workflows, why clear documentation builds trust, and how downstream users benefit when expectations are aligned. The conversation also explores integrations with other OpenSSF efforts, lessons from the GUAC case study, and what’s ahead as the community continues to refine the framework and expand tooling support.

#45 – S2E22 SBOM Chaos and Software Sovereignty with Canonical’s Stephanie Domas

In this episode of What’s in the SOSS, CRob talks with Stephanie Domas, Chief Security Officer at Canonical, about the hidden challenges shaping today’s open source ecosystem. Stephanie breaks down why third party patches disrupt SBOM accuracy, how software sovereignty is influencing global procurement, and what the EU CRA means for enterprises working with upstream dependencies. She also shares insights on memory safe upgrades in Ubuntu’s next LTS and why transparency, collaboration, and community support are critical to building trust in open source.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month!

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team