Welcome to the May 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
TL;DR:
Here’s a quick summary of this month’s highlights: the OpenSSF Tech Talk showed how the Security Baseline helps projects enhance compliance and resilience; the Best Practices WG released the guide “Simplifying Software Component Updates” to prevent API‐compatibility vulnerabilities; the CFP for Community Day Europe (Amsterdam, August 28) closes May 26; the Cybersecurity Skills Framework offers a free, customizable way to align job roles with practical security skills (webinar June 11); Ericsson’s C/C++ Compiler Hardening Guide, now jointly maintained with OpenSSF, demonstrates the power of community-driven security practices; three fresh podcast episodes are live (#29 Stacey Potter, #30 GitHub’s SOS Fund, and #31 Cybersecurity Framework Launch); and our community continues to buzz with WG updates, upcoming Community Days in Tokyo, Denver, Hyderabad, Amsterdam and Seoul, and CFP for Open Source SecurityCon.
Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness
The Linux Foundation and OpenSSF have released the Cybersecurity Skills Framework, a customizable global reference guide that aligns IT job roles with practical cybersecurity competencies. The framework defines foundational, intermediate, and advanced proficiency levels mapped to standards like DoD 8140, CISA NICE, and ICT e-CF, enabling organizations to assess and build security capabilities across job roles.
Developed through global research and community feedback, the framework empowers enterprise leaders to close skills gaps, strengthen security culture, and systematically reduce cyber risk. Listen to the podcast, attend the webinar on Wednesday, June 11 at 11:00 am EDT. Learn more.
OpenSSF Tech Talk Recap: Using Security Baseline to Navigate Standards and Regulations
The Open Source Security Foundation (OpenSSF) hosted a Tech Talk titled “How to Use the OSPS Baseline to Better Navigate Standards and Regulations” to help maintainers, contributors, and organizations apply the OSPS Baseline in real-world projects. This session offered practical guidance on enhancing compliance, reducing risk, and building more resilient open source software. Learn more.
New Guide on Simplifying Software Component Updates
The Open Source Security Foundation (OpenSSF) Best Practices Working Group has released the new guide Simplifying Software Component Updates. This guide by David A. Wheeler (The Linux Foundation) and Georg Kunz (Ericsson) gives software producers and consumers practical steps to simplify component compatibility. Applying the principles in this guide will eliminate many vulnerabilities in software. Backward-incompatible changes to an application programmer interface (API) often lead to unaddressed security vulnerabilities. Read the blog.
Call for Proposals for OpenSSF Community Day Europe Open Through 26 May, 2025
OpenSSF Community Day Europe takes place on Thursday, 28 August in Amsterdam, Netherlands, co-located with Open Source Summit EU. This event brings together contributors, maintainers, practitioners, and researchers to collaborate on securing the open source software we all rely on. Submit your proposals by 26 May 2025 on topics such as AI and ML in security, cyber resilience and supply chain security, OSS signatures and verification, real-world case studies, regulatory compliance, and enhanced security tooling. Learn more.
Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration
This case study highlights Ericsson’s collaboration with the OpenSSF on the C/C++ Compiler Options Hardening Guide, a pragmatic resource that maps compiler hardening flags to their performance and security impacts. Originally drafted by Ericsson’s product security team and donated to the OpenSSF, the guide is now maintained in the OpenSSF Best Practices Working Group. Community feedback from compiler maintainers, Linux distribution contributors, and projects like Wireshark, Chainguard, and CPython has refined its recommendations, leading to internal adoption at Ericsson and broader ecosystem uptake.
Ericsson’s work demonstrates how open sourcing practical security guidance and engaging the community can drive real improvements in C/C++ code hardening across the industry. Read the case study.
What’s in the SOSS? An OpenSSF Podcast:
#29 – S2E06 “Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter”: Meet Stacey Potter, OpenSSF’s new Community Manager, as she shares her journey into open source and her community first mindset.
#30 S2E07 “Scaling Security: Inside the GitHub Securing Open Source Software Fund”: Kevin Crosby and Xavier René-Corail from GitHub discuss the Securing Open Source SOS Fund, its $10K stipends, lessons from cohort 1, and maintainer month.
#31 – S2E08 “Cybersecurity Framework Launch”: Delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.
News from OpenSSF Community Meetings and Projects:
- RSTUF reached the 1.0.0 release candidate milestone for its core services
- Best Practices WG published a guide for Simplifying Software Component Updates
- Security Baseline added mappings to OWASP SAMM
- Zarf released version v0.54.0 including improvements to image uploads and general OCI enhancements
- Global Cyber Policy WG is collaborating on a response to the European Commission’s public consultation on the EU Cybersecurity Act
- ORBIT WG will hold its first bi-weekly meeting on Thursday at 1 pm EDT
- Security Tooling WG voted to approve the creation of a new SIG: Reliable Software Decomposition
- Securing Software Repositories and Global Cyber Policy working groups presented their quarterly updates to the TAC
In the News:
- InfoSecurity Magazine: OpenSSF Publishes Security Framework for Open Source Software
- SecurityWeek: OpenSSF Releases Security Baseline for Open Source Projects
- DevOps.com: OpenSSF Defines Baseline for Securing Open Source Software
- silicon ANGLE: Linux Foundation Debuts Cybersecurity Skills Framework to Address Enterprise Talent Gaps
- Help Net Security: Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed
Meet OpenSSF at These Upcoming Events!
Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!
OpenSSF Community Days bring together security and open source experts to drive innovation in software security.
- Tokyo, Japan – June 18, 2025
- Denver, Colorado – June 26, 2025
- Hyderabad, India – August 4, 2025
- Amsterdam, Netherlands – August 28, 2025
- Seoul, South Korea – November 4, 2025
Connect with the OpenSSF Community at these key events:
- RSA Conference: April 28 – May 1, 2025
- Open Source Summit NA: June 23 – 25, 2025
- DefCon 2025: August 7-10, 2025
- Open Source Summit EU: August 25 – 27, 2025
- Open Source in Finance Forum (OSFF): October 21-22, 2025
- Open Source SecurityCon 2025: November 10, 2025
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team
