Welcome to the August 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
🎉 OpenSSF Turns 5.
🔍 Case Study: GUAC security validated in <1hr w/Baseline.
📝 Blogs: OpenSSF Community and Working Groups, AI security, AIxCC wins.
🎙 Podcasts: OSTIF audits, CRA in Erlang Community.
🎓 Free security courses.
📅 Events: OpenSSF Community Day Europe, Linux Foundation Europe Member Summit, Open Source in Finance Forum New York, Linux Foundation Europe Roadshow, European Open Source Security Forum (link coming soon), OpenSSF Community Day Korea, Open Source SecurityCon 2025

August 2025 marks five years since the official formation of the Open Source Security Foundation (OpenSSF). From uniting global efforts to secure open source software, to launching initiatives like Sigstore, OpenSSF Scorecard, Alpha-Omega, SLSA, and the OSPS Baseline, OpenSSF has moved from ideas to impact, shaping the future of software supply chain security.
This milestone isn’t just a celebration of what we have accomplished, but of the community we have built together. Here’s to five years of uniting communities, hardening the software supply chain, and driving a safer digital future.
Read the full blog to explore the journey, voices, and vision that continue to shape OpenSSF’s impact.
We want to give a shout out to Sarah Evans (Dell Technologies), Andrey Shorov (Ericsson) and the entire AI/ML Security Working Group for their outstanding contributions through OpenSSF, advancing secure AI/ML practices and delivering industry leadership in building robust AI/ML pipeline security.
Their new whitepaper, “Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security,” expands Ericsson’s MLSecOps framework into a comprehensive, visual, “layer-by-layer” guide. It shows how to apply open source tools like SLSA, Sigstore, and OpenSSF Scorecard to secure the ML lifecycle, offering mapped risks, security controls, a reference architecture, and practical tools.
This is a must-read for anyone designing, developing, deploying, or securing AI/ML systems.
Read the whitepaper and the blog to see how OpenSSF members are shaping the future of trustworthy AI.

How can a project like GUAC validate its strong security posture in under an hour?
Kusari used LFX Insights integrated with the OpenSSF OSPS Baseline to run a rapid, automated assessment of GUAC’s security posture. In less than an hour, evidence of strong security practices was compiled automatically, results were presented in a clear visual format, and findings were instantly aligned to major frameworks like NIST SSDF and the EU Cyber Resilience Act. The result was faster trust, reduced workload, and a smoother path for adoption.
Project leaders and community voices including Mike Lieberman (Kusari), Ben Cotton (Kusari), Eddie Knight (Sonatype), and Mihai Maruseac (Google) emphasized the value of this approach. They highlighted how OSPS Baseline makes security proof more visible, reduces repetitive effort, saves time for maintainers, and builds confidence among OSPO leads and end users.
Read the full case study to see how LFX Insights and OSPS Baseline created a blueprint for faster, more credible security assurance.
Here you will find a snapshot of what’s new on the OpenSSF blog. For more stories, ideas, and updates, visit the blog section on our website.
As machine learning evolves, so do the threats: data poisoning, model tampering, and unverifiable origins are real risks. Google’s Open Source Security Team, Sigstore, and OpenSSF created the OMS specification, integrating it into hubs like NVIDIA NGC and Kaggle. Models are automatically signed, tied to the author’s identity, verified for authenticity, and logged for a complete audit trail. This blueprint offers a path to a verified ML ecosystem.
“If we reach a state where all claims about ML systems and metadata are tamperproof, tied to identity, and verifiable by the tools ML developers already use—we can inspect the ML supply chain immediately in case of incidents.” — Mihai Maruseac, Staff Software Engineer, Google
Read the case study.

Eman Abu Ishgair shares her experience attending the Open Source Summit North America in Denver as a speaker, volunteer, and new community member during OpenSSF Community Day. From co-presenting “The Open Source SDLC Control Plane: Building the Supply Chain Security Sandwich” with Michael Lieberman, CTO and Co-founder at Kusari and Governing Board member, to volunteering at the OpenSSF booth, connecting with collaborators, attending talks on SBOM, Signing, and Securing AI pipelines, and exploring Colorado’s natural wonders with her children, Eman’s week was full of learning, community, and inspiration.
Read the full blog to experience her journey and discover how you can get involved with OpenSSF.
Ejiro Oghenekome and Sal Kimmich share how OpenSSF serves as the global hub for collaborative work on securing the software supply chain, with no gatekeepers and open participation for all. The blog explains how to join Slack, attend meetings, contribute via GitHub, and explore working groups like AI/ML Security, BEAR, Global Cyber Policy, Security Tooling, Vulnerability Disclosures, Securing Software Repositories, ORBIT, Securing Critical Projects, and Supply Chain Integrity. Every OpenSSF group welcomes newcomers, with many paths to contribute, no matter your background.
Read the blog to discover where your skills fit and how to start contributing today.
The AI wave is here, and it’s only getting bigger. It ushers in a pivotal new cybersecurity battleground: securing AI. In this blog, Hugo Huang, an expert in cloud computing and business models who spearheads joint innovation between Canonical and Google, shares findings from a security survey. The report highlights three top challenges in 2025: the lack of standardized frameworks, shadow AI, and the talent gap. Building resilient AI systems needs concrete security measures across the AI lifecycle, with open source as the pivotal enabler.
Read the full blog.

Image source: Christopher “CRob” Robinson (OpenSSF), Stephanie Domas (Canonical), and Anant Shrivastava (Cyfinoid Research) hosted a standing-room-only “Ask Me Anything About FOSS” panel at Black Hat USA 2025
The Open Source Security Foundation marked a strong presence at Black Hat USA 2025 and DEF CON 33, engaging with security leaders, showcasing initiatives, and fostering collaboration to advance open source security. At DEF CON, the spotlight was on the AI Cyber Challenge (AIxCC), a DARPA and ARPA-H competition to develop AI-enabled software that can identify and patch vulnerabilities. Trail of Bits, an OpenSSF General Member, earned second place with Buttercup, their open source Cyber Reasoning System.
Read the full blog for more details.
In this episode of What’s in the SOSS, Derek Zimmer and Amir Montezary from the Open Source Technology Improvement Fund (OSTIF) share their decade-long mission of providing security resources to open source projects. They focus on collaborative, maintainer-centric security audits that improve project security posture through expert third-party reviews. These engagements are designed to be supportive, impactful, and efficient. Listen to the full episode to hear OSTIF’s 10-year journey and how they help projects strengthen security.
In this episode of What’s in the SOSS?, CRob talks with Jonatan Männchen (CISO, Erlang Ecosystem Foundation), Ulf Riehm (Product Owner, Herrmann Ultraschall), and Michael Winser (Alpha-Omega). The conversation explores the critical importance of security in open source, especially with the CRA. Hear how the Erlang community brings in experts, fosters collaboration, and builds trust. Listen to the full episode to learn why manufacturers invest in upstream projects and how other ecosystems can follow this approach.
The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:
These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.
Join us at OpenSSF Community Day Events in Europe and South Korea!
OpenSSF Community Days bring together security and open source experts to drive innovation in software security.
Connect with the OpenSSF Community at these key events:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team
Welcome to the July 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

The Call for Proposals for OpenSSF Community Day Korea is closing Aug 3! If you have insights, tools, research, or community stories to share around open source software security, now is the time to submit your talk. The event takes place on November 4, 2025, in Seoul, South Korea, and brings together developers, researchers, and security professionals from across the open source and security ecosystems.
Whether your focus is on AI and security, vulnerability management, education, or tooling, we welcome submissions in a variety of formats, from quick 5-minute talks to extended 20-minute sessions. Deadline to submit: August 3, 2025, at 23:59 KST / 06:59 PST.
Share your expertise and help shape the future of open source security. We look forward to seeing you in Seoul!
In our recent blog post, David A. Wheeler introduces the Cyber Resilience Act (CRA) Brief Guide for OSS Developers, a practical overview created by the OpenSSF to help open source developers understand and prepare for the EU’s new cybersecurity regulation. Although the CRA officially applies only within the EU, its global impact is significant due to the international nature of software distribution. The blog clarifies when the CRA does or does not apply to OSS, outlines potential risks for non-compliance, and highlights available resources including free training and community support to help developers build secure, compliant software. Read the full blog.

OpenSSF Community Day Japan 2025 brought together developers, researchers, government, and industry leaders in Tokyo to advance open source software security. The event featured keynotes, technical sessions, and a live incident response exercise focused on secure development, tool adoption, and supply chain integrity.
Read the full blog for session videos, slides, and key takeaways.

OpenSSF Community Day NA 2025 brought together a diverse open source security community in Denver for a packed day of insights, tools, and collaboration. From real-world deployments of SBOM, Sigstore, and GUAC to securing AI pipelines and exploring the new AStRA control plane framework, sessions moved beyond awareness into action.
Read the full blog for recordings, slides, key takeaways and ways to get involved.

The on-demand webinar Cybersecurity Skills, Simplified: A Framework That Works brings together experts from IBM, Intel, Linux Foundation Education, and OpenSSF to address a critical challenge: making cybersecurity a shared responsibility across all roles. The panel introduces the Cybersecurity Skills Framework, an open, flexible tool that helps teams identify, map, and improve security skills organization-wide. With insights on setting security OKRs, scaling training, and creating accessible learning pathways, this webinar offers practical guidance for anyone looking to strengthen their team’s security posture. Learn more.
#35 – S2E12 Building India’s Open Source Security Community: From Developer Nation to Security Champions
In this episode of What’s in the SOSS?, host CRob sits down with Ram Iyengar, OpenSSF’s India community representative, to explore the evolving landscape of open source security in India. Ram shares his journey from professor to evangelist, the launch of LF India, and the challenges of inspiring a security-first mindset in one of the world’s largest developer populations. The episode covers everything from building local community momentum to hosting regional events and video series, offering listeners both practical insights and a personal look at the passionate effort behind India’s growing open source security movement.
#34 – S2E11 From Lockpicking to Leadership: Tabatha DiDomenico on Security, Open Source, and Building Community
In this episode of What’s in the SOSS?, host Yesenia Yser sits down with Tabatha DiDomenico, open source security engineer, community leader, and president of BSides Orlando, for a compelling conversation about her unconventional path into open source, the power of community, and the often-overlooked impact of DevRel. From her first experience with Netscape to shaping security strategy at G-Research and OpenSSF, Tabatha reflects on how curiosity, volunteering, and intentional advocacy have fueled her journey. Whether you are new to open source or a longtime contributor, this episode offers heartfelt insights, practical advice, and a powerful reminder: community is everything.
Join us at OpenSSF Community Day Events in India, Japan, Korea and Europe!
OpenSSF Community Days bring together security and open source experts to drive innovation in software security.
Connect with the OpenSSF Community at these key events:
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here! Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team