Help Measure CRA Awareness: Take the 2026 Cyber Resiliency Survey

Tag

Community

Jul 30
Love0

OpenSSF Newsletter – July 2025

By Newsletter

Welcome to the July 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Submit Your Proposal: OpenSSF Community Day Korea

The Call for Proposals for OpenSSF Community Day Korea is closing Aug 3! If you have insights, tools, research, or community stories to share around open source software security, now is the time to submit your talk. The event takes place on November 4, 2025, in Seoul, South Korea, and brings together developers, researchers, and security professionals from across the open source and security ecosystems.

Whether your focus is on AI and security, vulnerability management, education, or tooling, we welcome submissions in a variety of formats, from quick 5-minute talks to extended 20-minute sessions. Deadline to submit: August 3, 2025, at 23:59 KST / 06:59 PST.

Share your expertise and help shape the future of open source security. We look forward to seeing you in Seoul!

Blogs:

New: Cyber Resilience Act (CRA) Brief Guide for OSS Developers

In our recent blog post, David A. Wheeler introduces the Cyber Resilience Act (CRA) Brief Guide for OSS Developers, a practical overview created by the OpenSSF to help open source developers understand and prepare for the EU’s new cybersecurity regulation. Although the CRA officially applies only within the EU, its global impact is significant due to the international nature of software distribution. The blog clarifies when the CRA does or does not apply to OSS, outlines potential risks for non-compliance, and highlights available resources including free training and community support to help developers build secure, compliant software. Read the full blog.

Recap: OpenSSF Community Day Japan 2025

OpenSSF Community Day Japan 2025 brought together developers, researchers, government, and industry leaders in Tokyo to advance open source software security. The event featured keynotes, technical sessions, and a live incident response exercise focused on secure development, tool adoption, and supply chain integrity.

Read the full blog for session videos, slides, and key takeaways.

Recap: OpenSSF Community Day North America 2025

OpenSSF Community Day NA 2025 brought together a diverse open source security community in Denver for a packed day of insights, tools, and collaboration. From real-world deployments of SBOM, Sigstore, and GUAC to securing AI pipelines and exploring the new AStRA control plane framework, sessions moved beyond awareness into action. 

Read the full blog for recordings, slides, key takeaways and ways to get involved.

On-Demand Webinar: Cybersecurity Skills, Simplified

The on-demand webinar Cybersecurity Skills, Simplified: A Framework That Works brings together experts from IBM, Intel, Linux Foundation Education, and OpenSSF to address a critical challenge: making cybersecurity a shared responsibility across all roles. The panel introduces the Cybersecurity Skills Framework, an open, flexible tool that helps teams identify, map, and improve security skills organization-wide. With insights on setting security OKRs, scaling training, and creating accessible learning pathways, this webinar offers practical guidance for anyone looking to strengthen their team’s security posture. Learn more.

What’s in the SOSS? An OpenSSF Podcast:

#35 – S2E12 Building India’s Open Source Security Community: From Developer Nation to Security Champions

In this episode of What’s in the SOSS?, host CRob sits down with Ram Iyengar, OpenSSF’s India community representative, to explore the evolving landscape of open source security in India. Ram shares his journey from professor to evangelist, the launch of LF India, and the challenges of inspiring a security-first mindset in one of the world’s largest developer populations. The episode covers everything from building local community momentum to hosting regional events and video series, offering listeners both practical insights and a personal look at the passionate effort behind India’s growing open source security movement.

#34 – S2E11 From Lockpicking to Leadership: Tabatha DiDomenico on Security, Open Source, and Building Community

In this episode of What’s in the SOSS? host Yesenia Yser sits down with Tabatha DiDomenico, open source security engineer, community leader, and president of BSides Orlando for a compelling conversation about her unconventional path into open source, the power of community, and the often-overlooked impact of DevRel. From her first experience with Netscape to shaping security strategy at G-Research and OpenSSF, Tabatha reflects on how curiosity, volunteering, and intentional advocacy have fueled her journey. Whether you are new to open source or a longtime contributor, this episode offers heartfelt insights, practical advice, and a powerful reminder: community is everything.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

  • The Security-Focused Guide for AI Code Assistant Instructions that is being developed by the Best practices and the AI/ML WGs is now in final draft, under PR here.
  • Zarf released version v0.58.0 including image push & pull and SDK enhancements.
  • OpenBao recently released v2.3.1 with support for namespaces, CEL for JWT authentication and PKI issuance, and SSH multi-issuer support. The community is making progress on per-namespace sealing, HSM/KMS backed key material, and horizontal scalability, and just kicked off a UI working group.

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here! Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Dec 19
Love0

OpenSSF Newsletter – December 2024

By Newsletter

Welcome to the December 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Thank You for an Amazing 2024!

OpenSSFAnnualReport

As 2024 comes to a close, we want to take a moment to express our deepest gratitude for the dedication, collaboration, and innovation you have brought to the OpenSSF community this year. Together, we achieved remarkable milestones—from expanding our global membership and launching impactful education initiatives to advancing critical security projects and fostering collaborations with public and private sectors. Your contributions have strengthened our shared mission to secure the open source ecosystem and build a safer, more reliable digital future.

As we look forward to 2025, we’re excited to continue fostering a vibrant and inclusive community, deepening collaborations, and driving meaningful change together. We appreciate your role in this journey.

Wishing you a safe and joyful holiday season!

Download report

The Open Source Software Stewards and Manufacturers Workshop and the EU Cyber Resilience Act (CRA)

In December, the Linux Foundation Europe and the OpenSSF hosted the Open Source Software Stewards and Manufacturers Workshop in Amsterdam, focusing on the implications of the EU Cyber Resilience Act (CRA). The event brought together industry leaders, community experts, and government officials to align on CRA obligations and foster collaboration for compliance.

Key outcomes included the formation of the Global Cyber Policy Working Group and three workstreams: CRA Readiness & Awareness, CRA Tooling & Processes, and CRA Standardization.

Details on how to participate and learn more:

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 1

UnderstandingCRA1

Published as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) entered into force (EIF) on December 10, 2024. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements, including their remote data processing, put on the European market to follow this regulation. This new blog series will cover the implementation of the CRA and its relevance to open source software.

In Part 1, we will provide a general overview of the CRA and highlight LF Europe and the OpenSSF’s current activities in relation to the implementation.

Learn more

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 2

CRABlog2
In Part 1, we provided a general overview of the CRA and highlighted OpenSSF’s current activities related to its implementation. In Part 2, we’ll take a closer look at the three-year implementation timeline and what lies ahead. 

Read more

Shaping the Future of Generative AI: A Focus on Security

GenAIstudy

The Shaping the Future of Generative AI report, sponsored by LF AI & Data and CNCF, highlights how organizations prioritize security, cost, and performance as they adopt GenAI. Security remains a top concern, particularly in sectors like finance and healthcare, where privacy and regulatory compliance are critical.

The Open Source Security Foundation (OpenSSF) AI/ML Working Group plays a vital role in this landscape, focusing on initiatives like model signing with Sigstore to enhance trust and security in AI systems. This blog ties together insights from the report and OpenSSF’s ongoing efforts to address security challenges in GenAI adoption.

Open Source Usage Trends and Security Challenges Revealed in New Study

Census III Report

The Linux Foundation and Harvard released Census III, a groundbreaking study analyzing Free and Open Source Software (FOSS) usage and security challenges. Findings reveal trends like the rise of cloud-specific packages, increased reliance on Rust, and the critical role of a small group of contributors.

Learn more

Download report

 

Honda and Guidewire Join the Open Source Security Foundation (OpenSSF)


At the inaugural SOSS Community Day India, OpenSSF welcomed Honda and Guidewire Software as new members, expanding its growing global network to 126 organizations. The event highlights India’s thriving open source ecosystem and brings together leaders to collaborate on securing the software we all depend on.

Learn more

SigstoreCon 2024: Advancing Software Supply Chain Security

SigstoreCon

On November 12, 2024, the software security community gathered in Salt Lake City for SigstoreCon: Supply Chain Day, co-located with KubeCon North America 2024. The one-day conference brought together developers, maintainers, and security experts to explore how Sigstore is transforming software supply chain security through simplified signing and verification of digital artifacts.

Read more

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

You’re invited to…

See You Next Year! 

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you in 2025! 

Regards,

The OpenSSF Team