Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea

search
Tag

Newsletter

Jul 30
Love0

OpenSSF Newsletter – July 2025

By Newsletter

Welcome to the July 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Submit Your Proposal: OpenSSF Community Day Korea

The Call for Proposals for OpenSSF Community Day Korea is closing Aug 3! If you have insights, tools, research, or community stories to share around open source software security, now is the time to submit your talk. The event takes place on November 4, 2025, in Seoul, South Korea, and brings together developers, researchers, and security professionals from across the open source and security ecosystems.

Whether your focus is on AI and security, vulnerability management, education, or tooling, we welcome submissions in a variety of formats, from quick 5-minute talks to extended 20-minute sessions. Deadline to submit: August 3, 2025, at 23:59 KST / 06:59 PST.

Share your expertise and help shape the future of open source security. We look forward to seeing you in Seoul!

Blogs:

New: Cyber Resilience Act (CRA) Brief Guide for OSS Developers

In our recent blog post, David A. Wheeler introduces the Cyber Resilience Act (CRA) Brief Guide for OSS Developers, a practical overview created by the OpenSSF to help open source developers understand and prepare for the EU’s new cybersecurity regulation. Although the CRA officially applies only within the EU, its global impact is significant due to the international nature of software distribution. The blog clarifies when the CRA does or does not apply to OSS, outlines potential risks for non-compliance, and highlights available resources including free training and community support to help developers build secure, compliant software. Read the full blog.

Recap: OpenSSF Community Day Japan 2025

OpenSSF Community Day Japan 2025 brought together developers, researchers, government, and industry leaders in Tokyo to advance open source software security. The event featured keynotes, technical sessions, and a live incident response exercise focused on secure development, tool adoption, and supply chain integrity.

Read the full blog for session videos, slides, and key takeaways.

Recap: OpenSSF Community Day North America 2025

OpenSSF Community Day NA 2025 brought together a diverse open source security community in Denver for a packed day of insights, tools, and collaboration. From real-world deployments of SBOM, Sigstore, and GUAC to securing AI pipelines and exploring the new AStRA control plane framework, sessions moved beyond awareness into action. 

Read the full blog for recordings, slides, key takeaways and ways to get involved.

On-Demand Webinar: Cybersecurity Skills, Simplified

The on-demand webinar Cybersecurity Skills, Simplified: A Framework That Works brings together experts from IBM, Intel, Linux Foundation Education, and OpenSSF to address a critical challenge: making cybersecurity a shared responsibility across all roles. The panel introduces the Cybersecurity Skills Framework, an open, flexible tool that helps teams identify, map, and improve security skills organization-wide. With insights on setting security OKRs, scaling training, and creating accessible learning pathways, this webinar offers practical guidance for anyone looking to strengthen their team’s security posture. Learn more.

What’s in the SOSS? An OpenSSF Podcast:

#35 – S2E12 Building India’s Open Source Security Community: From Developer Nation to Security Champions

In this episode of What’s in the SOSS?, host CRob sits down with Ram Iyengar, OpenSSF’s India community representative, to explore the evolving landscape of open source security in India. Ram shares his journey from professor to evangelist, the launch of LF India, and the challenges of inspiring a security-first mindset in one of the world’s largest developer populations. The episode covers everything from building local community momentum to hosting regional events and video series, offering listeners both practical insights and a personal look at the passionate effort behind India’s growing open source security movement.

#34 – S2E11 From Lockpicking to Leadership: Tabatha DiDomenico on Security, Open Source, and Building Community

In this episode of What’s in the SOSS? host Yesenia Yser sits down with Tabatha DiDomenico, open source security engineer, community leader, and president of BSides Orlando for a compelling conversation about her unconventional path into open source, the power of community, and the often-overlooked impact of DevRel. From her first experience with Netscape to shaping security strategy at G-Research and OpenSSF, Tabatha reflects on how curiosity, volunteering, and intentional advocacy have fueled her journey. Whether you are new to open source or a longtime contributor, this episode offers heartfelt insights, practical advice, and a powerful reminder: community is everything.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

  • The Security-Focused Guide for AI Code Assistant Instructions that is being developed by the Best practices and the AI/ML WGs is now in final draft, under PR here.
  • Zarf released version v0.58.0 including image push & pull and SDK enhancements.
  • OpenBao recently released v2.3.1 with support for namespaces, CEL for JWT authentication and PKI issuance, and SSH multi-issuer support. The community is making progress on per-namespace sealing, HSM/KMS backed key material, and horizontal scalability, and just kicked off a UI working group.

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here! Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Jun 25
Love0

OpenSSF Newsletter – June 2025

By Newsletter

Welcome to the June 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations

The recent Tech Talk, “CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations,” brought together open source leaders to explore the practical impact of the EU’s Cyber Resilience Act (CRA). With growing pressure on OSS developers, maintainers, and vendors to meet new security requirements, the session provided a clear, jargon-free overview of what CRA compliance involves. 

Speakers included CRob (OpenSSF), Adrienn Lawson (Linux Foundation), Dave Russo (Red Hat), and David A. Wheeler (OpenSSF), who shared real-world examples of how organizations are preparing for the regulation, even with limited resources. The discussion also highlighted the LFEL1001 CRA course, designed to help OSS contributors move from confusion to clarity with actionable guidance. 

Watch the session here.

Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership

The Open Source Technology Improvement Fund (OSTIF) addresses a critical gap in open source security by conducting tailored audits for high-impact OSS projects often maintained by small, under-resourced teams. Through its active role in OpenSSF initiatives and strategic partnerships, OSTIF delivers structured, effective security engagements that strengthen project resilience. By leveraging tools like the OpenSSF Scorecard and prioritizing context-specific approaches, OSTIF enhances audit outcomes and fosters a collaborative security community. Read the full case study to explore how OSTIF is scaling impact, overcoming funding hurdles, and shaping the future of OSS security.

Blogs:

✨GUAC 1.0 is Now Available

Discover how GUAC 1.0 transforms the way you manage SBOMs and secure your software supply chain. This first stable release of the “Graph for Understanding Artifact Composition” platform moves beyond isolated bills of materials to aggregate and enrich data from file systems, registries, and repositories into a powerful graph database. Instantly tap into vulnerability insights, license checks, end-of-life notifications, OpenSSF Scorecard metrics, and more. Read the blog to learn more.

✨Maintainers’ Guide: Securing CI/CD Pipelines After the tj-actions and reviewdog Supply Chain Attacks

CI/CD pipelines are now prime targets for supply chain attacks. Just look at the recent breaches of reviewdog and tj-actions, where chained compromises and log-based exfiltration let attackers harvest secrets without raising alarms. In this Maintainers’ Guide, Ashish Kurmi breaks down exactly how those exploits happened and offers a defense-in-depth blueprint from pinning actions to full commit SHAs and enforcing MFA, to monitoring for tag tampering and isolating sensitive secrets that every open source project needs today. Read the full blog to learn practical steps for locking down your workflows before attackers do.

✨From Sandbox to Incubating: gittuf’s Next Step in Open Source Security

gittuf, a platform-agnostic Git security framework, has officially progressed to the Incubating Project stage under the OpenSSF marking a major milestone in its development, community growth, and mission to strengthen the open source software supply chain. By adding cryptographic access controls, tamper-evident logging, and enforceable policies directly into Git repositories without requiring developers to abandon familiar workflows, gittuf secures version control at its core. Read the full post to see how this incubation will accelerate gittuf’s impact and how you can get involved.

✨Choosing an SBOM Generation Tool

With so many tools to build SBOMs, single-language tools like npm-sbom and CycloneDX’s language-specific generators or multi‐language options such as cdxgen, syft, and Tern, how do you know which one to pick? Nathan Naveen helps you decide by comparing each tool’s dependency analysis, ecosystem support, and CI/CD integration, and reminds us that “imperfect SBOMs are better than no SBOMs.” Read the blog to learn more.

✨OSS and the CRA: Am I a Manufacturer or a Steward?

The EU Cyber Resilience Act (CRA) introduces critical distinctions for those involved in open source software particularly between manufacturers and a newly defined role: open source software stewards. In this blog, Mike Bursell of OpenSSF breaks down what these terms mean, why most open source contributors won’t fall under either category, and how the CRA acknowledges the unique structure of open source ecosystems. If you’re wondering whether the CRA applies to your project or your role this post offers clear insights and guidance. Read the full blog to understand your position in the new regulatory landscape.

What’s in the SOSS? An OpenSSF Podcast:

#33 – S2E10 “Bridging DevOps and Security: Tracy Ragan on the Future of Open Source”: In this episode of What’s in the SOSS, host CRob sits down with longtime open source leader and DevOps champion Tracy Ragan to trace her journey from the Eclipse Foundation to her work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF. CRob and Tracy dig into the importance of configuration management, DevSecOps, and projects like the OpenSSF Scorecard and Ortelius in making software supply chains more transparent and secure, plus strategies to bridge the education gap between security professionals and DevOps engineers.

 

#32 – S2E09 “Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-Reneé Hayes”: In this episode of What’s in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-Reneé Hayes to discuss the myths around DEIA and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

In the News:

  • ITOpsTimes – “Linux Foundation and OpenSSF launch Cybersecurity Skills Framework”
  • HelpNetSecurity – “Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed”
  • SiliconAngle“Linux Foundation debuts Cybersecurity Skills Framework to address enterprise talent gaps”
  • Security Boulevard – Linux Foundation Shares Framework for Building Effective Cybersecurity Teams
  • IT Daily – “Linux Foundation Launches Global Cybersecurity Skills Framework”
  • SC World – “New Cybersecurity Skills Framework seeks to bolster enterprise talent readiness”

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Apr 22
Love0

OpenSSF Newsletter – April 2025

By Newsletter

Welcome to the April 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR

This month, the OpenSSF highlights a new free training course, “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001),” designed to help organizations prepare for the CRA’s full application by December 2027. The course covers essential requirements, roles, and compliance processes to help teams reduce risk and meet regulatory standards. The OpenSSF also invites you to join upcoming Community Day events in Japan, North America, India, and Europe to help drive collaboration in open source security. Don’t forget—submit your proposal to speak at OpenSSF Community Day Japan by April 27 and check out the live agenda for Community Day NA 2025. Explore key takeaways from VulnCon 2025, learn about the launch of Model Signing v1.0 to secure the ML supply chain, and preview our latest tech talk on global policy and the Open Source Project Security Baseline. Dive into IDC’s new research on software supply chains, enroll in the free course on the EU Cyber Resilience Act.Stay connected with OpenSSF community updates, upcoming events, and working group news!

Tech Talk Preview: Strengthening Open Source Through Security Standards and Global Policy

TechTalkApr2025

Open source is the backbone of today’s digital infrastructure – but with great power comes great responsibility. As cybersecurity threats grow and global policies evolve, open source projects must meet increasing security expectations. Join Christopher “CRob” Robinson (OpenSSF) (Moderator), Ben Cotton (Kusari), Emily Fox (Red Hat) and Megan Knight (ARM) for a tech talk that dives into these challenges and highlights the OpenSSF community’s solution: the Open Source Project Security Baseline. Learn how this framework helps projects align with key standards and prepare for compliance. 

Don’t miss out – register now and join the conversation to strengthen open source through community-driven security and global policy engagement.

NEW FREE COURSE: Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)

Enroll in LFEL 1001

With the Cyber Resilience Act (CRA) officially published as Regulation (EU) 2024/2847 and entering into force on December 10, 2024, the countdown is on for organizations to understand and prepare for its full application by December 11, 2027. The CRA introduces broad obligations for products with digital elements, aiming to reduce cybersecurity risks and increase trust in the European digital market.

To help organizations prepare, LF Education and the Open Source Security Foundation (OpenSSF) launched a free training course: “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)” – now available online.

This course covers the key requirements of the EU’s Cyber Resilience Act (CRA), including terms, roles, obligations, essential cybersecurity requirements, product markings, compliance processes, and penalties for non-compliance. It prepares decision-makers, software developers, OSS developers, and OSS stewards to navigate CRA compliance, mitigate risks, and meet regulatory standards. 

Enroll in the free course!

Key Takeaways from VulnCon 2025: Insights from the OpenSSF Community

In “Key Takeaways from VulnCon 2025: Insights from the OpenSSF Community”, Christopher Robinson (CRob), Chief Security Architect at OpenSSF, reflects on the power of collaboration and innovation that defined this year’s VulnCon. Held in Raleigh, NC, the event brought together global security professionals to tackle pressing challenges in vulnerability management. CRob shares firsthand insights from OpenSSF’s active involvement throughout the conference, highlights the importance of metadata, open source supply chain security, and evolving global regulations like the EU’s Cyber Resilience Act. If you’re passionate about strengthening the open source ecosystem and want to hear how the OpenSSF community is leading the charge, check out this blog.

Last chance to speak at OpenSSF Community Day Japan!

Call for Proposals closes Sunday, April 27 at 23:59 JST.

Join us in Tokyo and share your insights on open source security, tooling, education, AI, and more. Whether it’s a 5-minute lightning talk or a 20-minute session, we welcome diverse voices from across the ecosystem.

👉 Submit your proposal today

OpenSSF Community Day NA 2025 Agenda Live!

1200x628 AgendaLive

We are excited to share that the agenda for OpenSSF Community Day North America 2025 is now live! Join us on June 26 in Denver, Colorado, for a day filled with collaboration, technical insights, and future-focused conversations on securing the open source ecosystem.

Launch of Model Signing v1.0: OpenSSF AI/ML Working Group Secures the Machine Learning Supply Chain

In Launch of Model Signing v1.0: OpenSSF AI/ML Working Group Secures the Machine Learning Supply Chain, authors Mihai Maruseac (Google), Martin Sablotny (NVIDIA), Eoin Wickens (HiddenLayer), and Daniel Major (NVIDIA) introduce the first stable release of the model-signing project from the OpenSSF AI/ML Working Group. This blog presents the motivation, features, and broader goals of the project, including how model signing helps secure the integrity and provenance of machine learning artifacts across the supply chain. Read the full blog to learn how this initiative marks a key milestone toward a secure AI future and how you can get involved.

Community Member Updates:

Google Cloud and Canonical recently sponsored a new report by IDC on the State of Software Supply Chains. According to the report, which surveyed over 500 decision-makers in IT and Information Security roles, 7 in 10 responsible teams spend more than 6 hours per week on security patching. The report also reveals that compliance with regulations remains a challenge for most organizations, with more than a third of respondents reporting that they struggle to understand how regulations apply to specific systems and software components. The adoption of artificial intelligence is increasing compliance burdens with 60% of organizations reporting that they have only basic or no security controls to safeguard their AI/ML systems.

Download the report on Canonical’s website for other interesting stats and learnings on open source supply chains.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Mar 25
Love0

OpenSSF Newsletter – March 2025

By Newsletter

Welcome to the March 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR

This month, the OpenSSF invites you to participate in global Community Days and explore new initiatives to strengthen open source security throughout 2025. Tune in to the latest podcast episode highlighting key insights from leaders at Intel and GitHub, learn about the recent Policy Summit in Washington, D.C., and enroll in the new, free cybersecurity course designed specifically for software development managers. Plus, stay informed about exciting project updates and upcoming community events!

Join us at OpenSSF Community Day Events in North America, India, Japan, and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

✅ Secure your spot – Register today!

✅ Have insights to share? Submit to speak before CFP closes!

✅ Support the mission – Become a sponsor!

Join us in shaping a safer and more secure digital world. 

2025 OpenSSF Content Themes: Strengthening Open Source Security Throughout the Year

Content_theme

Cybersecurity is an ongoing challenge, and OpenSSF is leading efforts to strengthen open source security in 2025. This blog outlines the key content themes for the year, from strengthening OSS ecosystems to enhancing security tools and addressing vulnerabilities. Each month, OpenSSF will explore these critical topics through events, expert discussions, and blog contributions. Stay updated on these discussions and learn how you can contribute to OpenSSF’s mission.

What’s in the SOSS? An OpenSSF Podcast is back for Season 2!

In Season 2’s first episode, CRob chats with Arun Gupta (Intel, OpenSSF Governing Board Chair) and Zach Steindler (GitHub, OpenSSF TAC Chair) about lessons learned in open source security from 2024 and what’s ahead for 2025.

  • How the Mission, Vision, Values, Strategy, and Roadmap (MVVSR) framework is shaping OpenSSF’s focus
  • The biggest security challenges faced in 2024, from supply chain attacks to SBOM adoption
  • Exciting initiatives for 2025—including making security more accessible to open source maintainers

Join the conversation and get insights into the future of open source security. Listen now and stay tuned as we announce our new co-host!

OpenSSF Hosts 2025 Policy Summit in Washington, D.C. to Tackle Open Source Security Challenges

The OpenSSF successfully hosted the 2025 Policy Summit in Washington, D.C., bringing together industry leaders and security experts to address open source security challenges. The event featured keynotes, panel discussions, and breakout sessions focused on AI security, software supply chain governance, and policy recommendations for secure OSS consumption. 

The OpenSSF is committed to tackling the most pressing security challenges facing the consumption of open source software in critical infrastructure and beyond ” said Steve Fernandez, General Manager, OpenSSF. 

Discussions highlighted the importance of industry-led security initiatives, collaboration with policymakers, and the need for standardized security frameworks. Following the summit, OpenSSF will refine security guidance and best practices to enhance open source software security globally. Learn more about the event, key takeaways, OpenSSF’s Vision, and how to get involved in shaping open source security policy. 

NEW FREE COURSE: Security for Software Development Managers (LFD125)

Security for Software Development Managers course

The OpenSSF and Linux Foundation Education have launched a new, free cybersecurity e-Learning course, Security for Software Development Managers (LFD125). Designed for those who manage or aspire to manage developer teams, this course covers critical security concepts needed to build resilient applications. Participants will learn how to identify vulnerabilities, implement proactive security measures, and guide their teams in creating secure software. Security for Software Development Managers (LFD125) is a self-paced, 2-hour course that includes access to a discussion forum for engagement with experts and peers. Upon successful completion, participants receive a digital badge and certificate. 

Enroll today and strengthen your leadership skills in software security!

News from OpenSSF Community Meetings and Projects

In the News

Meet OpenSSF at These Upcoming Events!

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Jan 23
Love0

OpenSSF Newsletter – January 2025

By Newsletter

Welcome to the January 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Call for Proposals: OpenSSF Community Day NA 2025!

The CFP is now open for OpenSSF Community Day North America 2025, happening June 26 in Denver, CO! Share your insights, success stories, and innovations with the open source security community.

Key Dates:

  • CFP Closes: March 23, 2025
  • Event Date: June 26, 2025

Submit 5-, 10-, 15-, or 20-minute talks on topics like AI and ML in security, supply chain resilience, regulatory compliance, and more. First-time speakers welcome!

 Submit Your Proposal Now

We Need Your Input!

Take a short survey to help the OpenSSF, LF Research, and LF Europe assess the open source community’s readiness for the EU Cyber Resilience Act and other emerging regulatory challenges. Your insights will shape best practices and prepare the ecosystem for what’s ahead.

Take the survey

Bonus for participating:

Get a 35% discount on any Linux Foundation e-learning course or certification exam (valid until May 1, 2025).

Added bonus: For every completed survey, LF Research will donate to the Linux Foundation’s Travel Fund, supporting open source developers and community members in attending events they might otherwise miss.

Your participation helps strengthen our community—thank you! The survey closes Friday, Jan. 24, 2025. 

CRA Stewards and Manufacturers Workshop: Key Takeaways and Next Steps

Last month the Linux Foundation Europe and the OpenSSF teams held a workshop focused on the implications of the recently published Regulation (EU) 2024/2847, commonly known as the Cyber Resilience Act or CRA. The 2024 Stewards and Manufacturers Workshop in Amsterdam was a highly successful event where members from across the Linux Foundation, other upstream open source foundations, community experts, and government officials came together to get a common understanding of the obligations of both Manufacturers and Stewards, and how each group needs to collaborate together as the legislation starts to go into effect over the next three years.

Learn more

What’s in the SOSS? Podcast #23 – Kusari’s Michael Lieberman Talks GUAC, SLSA and Securing the Open Source Supply Chain

In the latest episode of What’s in the SOSS?, CRob chats with Michael Lieberman, CTO and co-founder of Kusari, about supply chain security in the open source ecosystem. They discuss Michael’s journey in open source, his work with SLSA and GUAC, practical tips for addressing SBOMs, and his vision for the future of OSS security. Michael also shares advice for aspiring contributors and thoughts on what’s next for supply chain security.

Listen Now

Have a subject idea or know someone inspiring we should feature? Email us at marketing@openssf.org!

SOSS Community Day India 2024: Wrap Up

SOSSIndiaWrapUp

Towards the end of 2024, we hosted the inaugural SOSS Community Day India, and we’re thrilled to share that it was a resounding success! This remarkable event brought together some of the most active open source contributors in the industry for a day filled with sharing, learning, and collaboration

What made this gathering truly special was being co-located with KubeCon + CloudNativeCon India 2024. With over 350 registrations (and a waiting list, no less!), we saw a truly varied set of personas join us for this unforgettable experience. Engineers, legal professionals, CXOs, and students all came together to share their expertise, showcase their projects, and learn from one another.

Learn more

Accelerating OpenSSF Adoption: Unlocking Scorecard Insights with a Centralized Dashboard

Accelerating OpenSSF Adoption: Unlocking Scorecard Insights with a Centralized Dashboard

Open source components power 90% of modern applications but pose security risks like vulnerabilities and supply chain attacks. The OpenSSF Scorecard evaluates projects on critical security metrics, while the new Ortelius OpenSSF Dashboard aggregates these results at the application level, providing transparency and actionable insights to secure your software.

Discover how these tools can help you trust your dependencies and strengthen open source security.

Learn more

Predictions for Open Source Security in 2025: AI, State Actors, and Supply Chains

Predictionsof2025

Open source software powers nearly all modern applications, yet its vulnerabilities make it a prime target for cyberattacks. High-profile incidents like the xz Utils backdoor highlight growing threats from state actors and cybercriminals. The rise of AI tools like GenAI amplifies these risks, enabling scaled phishing campaigns and fake contributors to erode trust.

To protect open source as a global asset, greater investment, improved governance, and faster patching are critical.

Learn more

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Nov 26
Love0

OpenSSF Newsletter – November 2024

By Newsletter

Welcome to the November 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

The SOSS Fusion 2024 Playlist is Live!

Catch up on the highlights from SOSS Fusion 2024, The Conference for Secure Open Source Software with the full YouTube playlist. Explore keynotes, technical sessions, and workshops from industry leaders like Dan Lorenc and Cory Doctorow. Discover actionable insights and tools to secure open source software.

📺 Watch now: SOSS Fusion 2024 YouTube Playlist

Secure Your Software Supply Chain with Abhisek Datta

Join us for an insightful webinar, Policy, Security, and the Software Supply Chain, featuring security expert Abhisek Datta on November 27 from 2:00 PM – 3:00 PM. This event is hosted in the lead-up to SOSS Community Day, India, co-located with KubeCon + CloudNativeCon India 2024.

Mark your calendars and register today!

Join us in Delhi for SOSS Community Day India on December 10, 2024, co-located with KubeCon + CloudNativeCon India

Hosted by the OpenSSF, this event will bring together open source security enthusiasts to connect, collaborate, and share knowledge. Whether you’re an industry leader or a passionate technologist, this is your opportunity to dive deep into the latest open source security trends, learn from experts, and network with the vibrant open source community. Don’t miss out—register today and be part of the conversation on securing open source software!

Learn more

2025 Virtual Tech Talk Call for Proposal (CFP)

We are excited to invite proposals for the 2025 Virtual Tech Talk Series, providing a platform for in-depth discussions on critical initiatives to secure open source software within the OpenSSF community. These tech talks are designed to foster knowledge sharing, highlight innovative technical projects, and showcase efforts driving the future of open source security.

Have a topic or expertise you’d like to share? Submit your Call for Proposals (CFP) by December 13, 2024, to ensure ample time for review and planning. This is your chance to contribute, connect with peers, and inspire others in the field.

Submit your CFP

Case Study: Kusari’s Implementation of OpenSSF Tools and Services


Kusari has tackled software supply chain challenges like transparency and inefficiencies by integrating OpenSSF tools such as AllStar, Scorecard, and GUAC, while adopting open standards like SLSA and OpenVEX. These solutions have enhanced their ability to manage risks and contribute actively to the OpenSSF community.

Participating in open source communities allows us to shape the future of software supply chain technology,” says Parth Patel, Kusari’s Co-founder.

➡️ Read more about Kusari’s journey and the tools they use.

October was Cybersecurity Awareness Month!

CybersecurityMonth
This year, the focus was on collective action across sectors to enhance cybersecurity resilience. Organizations prioritized OSS governance, developers adopted secure coding practices, and academic institutions prepared the next generation of professionals—all contributing to safer digital ecosystems.

OpenSSF supported these efforts with resources like Developing Secure Software (LFD121) and events like SOSS Fusion, which fostered collaboration and knowledge sharing.

➡️ Read more about how we worked together to stay secure and informed.

OpenSSF Adds Minder as a Sandbox Project to Simplify the Integration and Use of Open Source Security Tools

Minder, contributed by Stacklok, simplifies the integration and use of open source security tools through a policy-based approach that spans the entire software development lifecycle. With features like noise reduction, auto-remediation, and integration with OpenSSF tools such as Sigstore, Minder empowers organizations to strengthen their security posture.

➡️ Explore Minder and see how it enhances open source security.

OpenSSF Expands Secure Development Course with Interactive Labs


The Open Source Security Foundation (OpenSSF) has enhanced its free “Developing Secure Software” course (LFD121) with hands-on labs and interactive activities. These new features provide developers with practical techniques to counter modern cyberattacks, improving engagement and knowledge retention.

With over 25,000 enrollments globally, this course offers a comprehensive learning experience covering secure design principles, implementation, and verification techniques. Developers can earn a completion certificate and access optional browser-based labs for an immersive learning experience.

➡️ Enroll in LFD121 and start building secure software today!

OpenSSF Welcomes New Members and Introduces New Initiatives at SOSS Community Day Japan

At SOSS Community Day Japan, OpenSSF celebrated its growing community with the addition of new members, including Arm, embraceable AI, Fujitsu, Ruby Central, and Trifecta Tech, furthering its mission to secure open source software.

In a recent press release, OpenSSF also announced new initiatives: Minder, a sandbox project simplifying security tool integration; bomctl, enhancing SBOM management; and Zarf, enabling secure software delivery in air-gapped environments.

➡️ Read more about our new members and initiatives.

 

Red Hat’s Collaboration with the OpenSSF and OSV.dev Yields Results: Red Hat Security Data Now Available in the OSV Format

RedHat'sCollaborationwithOpenSSF

Red Hat has partnered with OpenSSF and Google’s OSV.dev to make its security data available in the OSV format. This enhances transparency, accessibility, and integration with tools like OSV-Scanner, supporting better vulnerability management.

➡️ Learn more about this collaboration.

 

How We Can Learn from Open Source Software to Address the Challenges of AI

How_We_Can_Learn_from_Open_Source_Software_to_Address_the_Challenges_of_AI

AI models bring transformative potential but also risks like deepfakes, bias, and misuse. Drawing from open source principles, we can address these challenges by fostering collaboration across industry, academia, and government, securing the AI supply chain, and building “secure by default” models.

OpenSSF’s work with agencies like CISA offers a roadmap for leveraging open source security principles to improve the safety and reliability of open foundation models.

➡️ Read how open source lessons can shape a secure AI future.

 

The OpenSSF Armored Goose “Honk”: Advancing Open Source Security

ArmouredGooseHonk

The Open Source Security Foundation’s (OpenSSF) logo features “Honk,” an armored goose holding a shield, embodying the foundation’s mission to protect open source software. Representing adaptability, resilience, and teamwork, Honk symbolizes the innovative approaches OpenSSF employs to enhance security in the open source ecosystem.

Discover the story behind Honk and how OpenSSF champions collaboration and defense in open source security.

➡️ Learn more about Honk and join the mission.

In the News

Meet OpenSSF at These Upcoming Events!

Get Involved in OpenSSF

You’re invited to…

See You Next Month

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Oct 23
Love0

OpenSSF Newsletter – October 2024

By Newsletter

Welcome to the October 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Join us in Tokyo for SOSS Community Day Japan on October 30, 2024, co-located with the Open Source Summit Japan (October 28-29)

Hosted by the OpenSSF, this event will bring together open source security enthusiasts to connect, collaborate, and share knowledge. Whether you’re an industry leader or a passionate technologist, this is your opportunity to dive deep into the latest open source security trends, learn from experts, and network with the vibrant open source community. Don’t miss out—register today and be part of the conversation on securing open source software! Learn more

Recap on SOSS Community Day EU

SOSSCommunity24EU
On September 19, the OpenSSF community gathered in Vienna for SOSS Community Day EU, held alongside Open Source Summit EU. Each summit and community day is a celebration of open source excellence, showcasing the collective efforts of passionate individuals committed to making the world a safer place. We extend a heartfelt thanks to our dedicated maintainers for their continuous efforts in advancing open source security!

Recordings and photos are now available. Relive the moment as we recap some of the exciting conversations from the event! Read more

2025 Virtual Tech Talk Call for Proposal (CFP)

We are excited to invite proposals for the 2025 Virtual Tech Talk Series, providing a platform for in-depth discussions on critical initiatives to secure open source software within the OpenSSF community. These tech talks are designed to foster knowledge sharing, highlight innovative technical projects, and showcase efforts driving the future of open source security.
Have a topic or expertise you’d like to share? Submit your Call for Proposals (CFP) by December 15, 2024, to ensure ample time for review and planning. This is your chance to contribute, connect with peers, and inspire others in the field.
Submit your CFP

OpenSSF Education Tech Talk Highlights & Future Opportunities

10-10TechTalk
The OpenSSF hosted a virtual Tech Talk titled Jumpstart Your Journey: Mastering OSS Security Development with the Linux Foundation Education. This session was designed for aspiring open source professionals and newcomers eager to dive into the world of open source software (OSS) security.  Read more

Developer Relations: The Human Connection Driving Open Source Security

DeveloperRelationsTheHumanConnectionDriving OpenSourceSecurity

Open source security isn’t just about technology—it’s about the people behind it. Developer Relations (DevRel) connects developers, maintainers, and contributors, ensuring that they have the tools and support to make open source software more secure and resilient. As Katherine Druckman, Open Source Evangelist at Intel, said in her recent episode of the What’s in the SOSS? podcast: “We solve technical problems with technical solutions, but there are also so many human problems that need human solutions.” This illustrates the heart of DevRel—bringing together people to drive progress in open source security. Read more

OpenSSF SOSS Fusion Conference Kicks off with Talks from Google and Cisco Executives

SOSS-Fusion-2024-OpenSSF-SOSS-Fusion-Conference-Kicks-off-with-Talks-from-Google-and-Cisco-Executives-

The Open Source Security Foundation (OpenSSF) announced the opening of the Secure Open Source Software (SOSS) Fusion Conference in North America in Atlanta, GA. This event unites a diverse community of professionals, including public sector leaders, software developers, security engineers, students, cybersecurity experts, CISOs, CIOs, founders, and tech pioneers. With a robust agenda covering AI security, critical open source security projects, public policy, and today’s most pressing security topics, SOSS Fusion offers a comprehensive look at OpenSSF’s initiatives that’s aimed at simplifying security for developers, and will help them prepare to shape a safer digital world in 2025 and beyond. Read more

Join us for SigstoreCon: Supply Chain Day at KubeCon NA 2024

SigstoreCon
Join us for SigstoreCon: Supply Chain Day at KubeCon NA 2024 in Salt Lake City on November 12! Attendees will explore the latest advancements in digital artifact signing, with sessions on Sigstore, SLSA, The Update Framework (TUF), and more.

Key Topics Include:

  • Case Studies: Real-world examples of how projects are leveraging Sigstore, SLSA, or TUF
  • Package Registry Adoption: Insights for maintainers adopting Sigstore/SLSA
  • Client Development: Learnings from building Sigstore clients
  • Technical Deep Dives/Research: Exploring transparency, privacy-preserving identities, and more

Don’t miss this opportunity to stay ahead in supply chain security​!

View agenda 

Register now

Empower Your Software Development with OpenSSF’s Free “Developing Secure Software” Course! 

Learn secure software fundamentals at your own pace and earn a recognized certificate. Plus, we’ve just added new optional labs in LFD121! These hands-on exercises will help you practice countering attacks with real-world scenarios and helpful hints. Enroll here

In the News

Meet OpenSSF at These Upcoming Events!

Get Involved in OpenSSF

You’re invited to…

See You Next Month

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

 

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved