Jun 25

OpenSSF Newsletter – June 2025

By OpenSSF Newsletter

Welcome to the June 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations + LFEL1001 course
Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership
Blogs: GUAC 1.0 release; CI/CD security guide; gittuf incubation; Choosing an SBOM Generation Tool; OSS and the CRA: am I a Manufacturer or a Steward?
Podcasts: #33 Bridging DevOps and Security: Tracy Ragan on the Future of Open Source; #32 Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-Reneé Hayes
Free Courses: OpenSSF/Linux Foundation e-learning
News: CRA survey launch; CRA Brief Guide released; SLSA has v1.2 RC1; Zarf released v0.56.0; BOMops whitepaper; MLSecOps Whitepaper coming from AI/ML WG; Vulnerability WG reviewed June 6 U.S. EO & NIST’s reporting role.
Events: OpenSSF Community Days (Denver, Hyderabad, Amsterdam, Seoul); Open Source Summit NA/EU; Black Hat USA; DefCon; OSFF; SecurityCon.

Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations

The recent Tech Talk, “CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations,” brought together open source leaders to explore the practical impact of the EU’s Cyber Resilience Act (CRA). With growing pressure on OSS developers, maintainers, and vendors to meet new security requirements, the session provided a clear, jargon-free overview of what CRA compliance involves.

Speakers included CRob (OpenSSF), Adrienn Lawson (Linux Foundation), Dave Russo (Red Hat), and David A. Wheeler (OpenSSF), who shared real-world examples of how organizations are preparing for the regulation, even with limited resources. The discussion also highlighted the LFEL1001 CRA course, designed to help OSS contributors move from confusion to clarity with actionable guidance.

Watch the session here.

Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership

The Open Source Technology Improvement Fund (OSTIF) addresses a critical gap in open source security by conducting tailored audits for high-impact OSS projects often maintained by small, under-resourced teams. Through its active role in OpenSSF initiatives and strategic partnerships, OSTIF delivers structured, effective security engagements that strengthen project resilience. By leveraging tools like the OpenSSF Scorecard and prioritizing context-specific approaches, OSTIF enhances audit outcomes and fosters a collaborative security community. Read the full case study to explore how OSTIF is scaling impact, overcoming funding hurdles, and shaping the future of OSS security.

Blogs:

✨GUAC 1.0 is Now Available

Discover how GUAC 1.0 transforms the way you manage SBOMs and secure your software supply chain. This first stable release of the “Graph for Understanding Artifact Composition” platform moves beyond isolated bills of materials to aggregate and enrich data from file systems, registries, and repositories into a powerful graph database. Instantly tap into vulnerability insights, license checks, end-of-life notifications, OpenSSF Scorecard metrics, and more. Read the blog to learn more.

✨Maintainers’ Guide: Securing CI/CD Pipelines After the tj-actions and reviewdog Supply Chain Attacks

CI/CD pipelines are now prime targets for supply chain attacks. Just look at the recent breaches of reviewdog and tj-actions, where chained compromises and log-based exfiltration let attackers harvest secrets without raising alarms. In this Maintainers’ Guide, Ashish Kurmi breaks down exactly how those exploits happened and offers a defense-in-depth blueprint from pinning actions to full commit SHAs and enforcing MFA, to monitoring for tag tampering and isolating sensitive secrets that every open source project needs today. Read the full blog to learn practical steps for locking down your workflows before attackers do.

✨From Sandbox to Incubating: gittuf’s Next Step in Open Source Security

gittuf, a platform-agnostic Git security framework, has officially progressed to the Incubating Project stage under the OpenSSF marking a major milestone in its development, community growth, and mission to strengthen the open source software supply chain. By adding cryptographic access controls, tamper-evident logging, and enforceable policies directly into Git repositories without requiring developers to abandon familiar workflows, gittuf secures version control at its core. Read the full post to see how this incubation will accelerate gittuf’s impact and how you can get involved.

✨Choosing an SBOM Generation Tool

With so many tools to build SBOMs, single-language tools like npm-sbom and CycloneDX’s language-specific generators or multi‐language options such as cdxgen, syft, and Tern, how do you know which one to pick? Nathan Naveen helps you decide by comparing each tool’s dependency analysis, ecosystem support, and CI/CD integration, and reminds us that “imperfect SBOMs are better than no SBOMs.” Read the blog to learn more.

✨OSS and the CRA: Am I a Manufacturer or a Steward?

The EU Cyber Resilience Act (CRA) introduces critical distinctions for those involved in open source software particularly between manufacturers and a newly defined role: open source software stewards. In this blog, Mike Bursell of OpenSSF breaks down what these terms mean, why most open source contributors won’t fall under either category, and how the CRA acknowledges the unique structure of open source ecosystems. If you’re wondering whether the CRA applies to your project or your role this post offers clear insights and guidance. Read the full blog to understand your position in the new regulatory landscape.

What’s in the SOSS? An OpenSSF Podcast:

#33 – S2E10 “Bridging DevOps and Security: Tracy Ragan on the Future of Open Source”: In this episode of What’s in the SOSS, host CRob sits down with longtime open source leader and DevOps champion Tracy Ragan to trace her journey from the Eclipse Foundation to her work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF. CRob and Tracy dig into the importance of configuration management, DevSecOps, and projects like the OpenSSF Scorecard and Ortelius in making software supply chains more transparent and secure, plus strategies to bridge the education gap between security professionals and DevOps engineers.

#32 – S2E09 “Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-Reneé Hayes”: In this episode of What’s in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-Reneé Hayes to discuss the myths around DEIA and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

Global Cyber Policy WG is running a CRA survey to measure interest in the individual Standards work streams for the CRA. The results will be used to determine the specific Standards in which the group will invest time and focus.
Best Practices & Global Cyber Policy WG’s released the Cyber Resilience Act (CRA) Brief Guide for Open Source Software (OSS) Developers.
SLSA has a v1.2 RC1 PR out for review.
Zarf released version v0.56.0 overhauling the Packager SDK for enhanced SDK utility and maturation.
AI/ML WG is finalizing the MLSecOps Whitepaper for release.
SBOM Everywhere SIG is working on a BOMops Whitepaper
Vulnerability Disclosures WG discussed the June 6 U.S. Executive Order and NIST’s responsibilities including vulnerability reporting best practices.

In the News:

ITOpsTimes – “Linux Foundation and OpenSSF launch Cybersecurity Skills Framework”
HelpNetSecurity – “Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed”
SiliconAngle – “Linux Foundation debuts Cybersecurity Skills Framework to address enterprise talent gaps”
Security Boulevard – Linux Foundation Shares Framework for Building Effective Cybersecurity Teams
IT Daily – “Linux Foundation Launches Global Cybersecurity Skills Framework”
SC World – “New Cybersecurity Skills Framework seeks to bolster enterprise talent readiness”

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Denver, Colorado – June 26, 2025
Hyderabad, India – August 4, 2025
Amsterdam, Netherlands – August 28, 2025
Seoul, South Korea – November 4, 2025

Connect with the OpenSSF Community at these key events:

Open Source Summit NA: June 23 – 25, 2025
Black Hat USA 2025: August 2-7, 2025
DefCon 2025: August 7-10, 2025
Open Source Summit EU: August 25 – 27, 2025
Open Source in Finance Forum (OSFF): October 21-22, 2025
Open Source SecurityCon 2025: November 10, 2025

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, Bluesky, and LinkedIn

See You Next Month!

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!

Regards,

The OpenSSF Team

May 22

Love0

OpenSSF Newsletter – May 2025

By OpenSSF Newsletter

Welcome to the May 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Here’s a quick summary of this month’s highlights: the OpenSSF Tech Talk showed how the Security Baseline helps projects enhance compliance and resilience; the Best Practices WG released the guide “Simplifying Software Component Updates” to prevent API‐compatibility vulnerabilities; the CFP for Community Day Europe (Amsterdam, August 28) closes May 26; the Cybersecurity Skills Framework offers a free, customizable way to align job roles with practical security skills (webinar June 11); Ericsson’s C/C++ Compiler Hardening Guide, now jointly maintained with OpenSSF, demonstrates the power of community-driven security practices; three fresh podcast episodes are live (#29 Stacey Potter, #30 GitHub’s SOS Fund, and #31 Cybersecurity Framework Launch); and our community continues to buzz with WG updates, upcoming Community Days in Tokyo, Denver, Hyderabad, Amsterdam and Seoul, and CFP for Open Source SecurityCon.

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

The Linux Foundation and OpenSSF have released the Cybersecurity Skills Framework, a customizable global reference guide that aligns IT job roles with practical cybersecurity competencies. The framework defines foundational, intermediate, and advanced proficiency levels mapped to standards like DoD 8140, CISA NICE, and ICT e-CF, enabling organizations to assess and build security capabilities across job roles.

Developed through global research and community feedback, the framework empowers enterprise leaders to close skills gaps, strengthen security culture, and systematically reduce cyber risk. Listen to the podcast, attend the webinar on Wednesday, June 11 at 11:00 am EDT. Learn more.

OpenSSF Tech Talk Recap: Using Security Baseline to Navigate Standards and Regulations

OSPSTechTalkRecap

The Open Source Security Foundation (OpenSSF) hosted a Tech Talk titled “How to Use the OSPS Baseline to Better Navigate Standards and Regulations” to help maintainers, contributors, and organizations apply the OSPS Baseline in real-world projects. This session offered practical guidance on enhancing compliance, reducing risk, and building more resilient open source software. Learn more.

New Guide on Simplifying Software Component Updates

NewGuideonSimplifyingSoftwareComponent Updates

The Open Source Security Foundation (OpenSSF) Best Practices Working Group has released the new guide Simplifying Software Component Updates. This guide by David A. Wheeler (The Linux Foundation) and Georg Kunz (Ericsson) gives software producers and consumers practical steps to simplify component compatibility. Applying the principles in this guide will eliminate many vulnerabilities in software. Backward-incompatible changes to an application programmer interface (API) often lead to unaddressed security vulnerabilities. Read the blog.

Call for Proposals for OpenSSF Community Day Europe Open Through 26 May, 2025

OpenSSF Community Day Europe takes place on Thursday, 28 August in Amsterdam, Netherlands, co-located with Open Source Summit EU. This event brings together contributors, maintainers, practitioners, and researchers to collaborate on securing the open source software we all rely on. Submit your proposals by 26 May 2025 on topics such as AI and ML in security, cyber resilience and supply chain security, OSS signatures and verification, real-world case studies, regulatory compliance, and enhanced security tooling. Learn more.

Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration

This case study highlights Ericsson’s collaboration with the OpenSSF on the C/C++ Compiler Options Hardening Guide, a pragmatic resource that maps compiler hardening flags to their performance and security impacts. Originally drafted by Ericsson’s product security team and donated to the OpenSSF, the guide is now maintained in the OpenSSF Best Practices Working Group. Community feedback from compiler maintainers, Linux distribution contributors, and projects like Wireshark, Chainguard, and CPython has refined its recommendations, leading to internal adoption at Ericsson and broader ecosystem uptake.

Ericsson’s work demonstrates how open sourcing practical security guidance and engaging the community can drive real improvements in C/C++ code hardening across the industry. Read the case study.

What’s in the SOSS? An OpenSSF Podcast:

#29 – S2E06 “Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter”: Meet Stacey Potter, OpenSSF’s new Community Manager, as she shares her journey into open source and her community first mindset.

#30 S2E07 “Scaling Security: Inside the GitHub Securing Open Source Software Fund”: Kevin Crosby and Xavier René-Corail from GitHub discuss the Securing Open Source SOS Fund, its $10K stipends, lessons from cohort 1, and maintainer month.

#31 – S2E08 “Cybersecurity Framework Launch”: Delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.

News from OpenSSF Community Meetings and Projects:

RSTUF reached the 1.0.0 release candidate milestone for its core services
Best Practices WG published a guide for Simplifying Software Component Updates
Security Baseline added mappings to OWASP SAMM
Zarf released version v0.54.0 including improvements to image uploads and general OCI enhancements
Global Cyber Policy WG is collaborating on a response to the European Commission’s public consultation on the EU Cybersecurity Act
ORBIT WG will hold its first bi-weekly meeting on Thursday at 1 pm EDT
Security Tooling WG voted to approve the creation of a new SIG: Reliable Software Decomposition
Securing Software Repositories and Global Cyber Policy working groups presented their quarterly updates to the TAC

In the News:

InfoSecurity Magazine: OpenSSF Publishes Security Framework for Open Source Software
SecurityWeek: OpenSSF Releases Security Baseline for Open Source Projects
DevOps.com: OpenSSF Defines Baseline for Securing Open Source Software
silicon ANGLE: Linux Foundation Debuts Cybersecurity Skills Framework to Address Enterprise Talent Gaps
Help Net Security: Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Tokyo, Japan – June 18, 2025
Denver, Colorado – June 26, 2025
Hyderabad, India – August 4, 2025
Amsterdam, Netherlands – August 28, 2025
Seoul, South Korea – November 4, 2025

Connect with the OpenSSF Community at these key events:

RSA Conference: April 28 – May 1, 2025
Open Source Summit NA: June 23 – 25, 2025
DefCon 2025: August 7-10, 2025
Open Source Summit EU: August 25 – 27, 2025
Open Source in Finance Forum (OSFF): October 21-22, 2025
Open Source SecurityCon 2025: November 10, 2025

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, Bluesky, and LinkedIn

See You Next Month!

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!

Regards,

The OpenSSF Team

Feb 26

Love0

OpenSSF Newsletter – February 2025

By OpenSSF Newsletter

Welcome to the February 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Learn more:
- Open Source Software in Public Policy
- EU Cyber Resilience Act (CRA)

Join us at OpenSSF Community Day Events in North America and Europe 2025!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Denver, Colorado – June 26, 2025
Amsterdam, Netherlands – August 28, 2025

✅ Secure your spot – Register today!
✅ Have insights to share? Submit to speak before CFP closes!
✅ Support the mission – Become a sponsor!

Join us in shaping a safer and more secure digital world.

OpenSSF Announces Initial Release of the Open Source Project Security Baseline

The Open Source Security Foundation (OpenSSF) has announced the initial release of the Open Source Project Security Baseline (OSPS Baseline)—a new initiative designed to help open source projects enhance their security posture through tiered best practices. The OSPS Baseline aligns with global cybersecurity frameworks, including the EU Cyber Resilience Act (CRA) and NIST Secure Software Development Framework (SSDF), making it easier for maintainers and contributors to adopt practical security measures.

With adoption commitments from projects like GUAC, OpenVEX, bomctl, and Open Telemetry, the OSPS Baseline is already helping open source communities strengthen their security foundations. This release marks a significant step toward providing maintainers with clear, actionable security guidance that grows alongside their projects. Learn more.

Does the EU CRA affect my business?

DoestheEUCRAAffectMyBusiness

The European Union’s Cyber Resilience Act (CRA), which came into effect on December 10, 2024, introduces significant cybersecurity requirements for products sold or commercially available in the EU market. With wide-ranging impacts set to take effect by November 2026, businesses must assess whether they fall under the CRA’s scope and take necessary steps for compliance.

This blog provides key insights into how the CRA applies to Products with Digital Elements (PDEs), its implications for manufacturers, businesses, and open source projects, and what steps organizations need to consider. While some view it as an added burden, cybersecurity professionals see it as an opportunity to strengthen security practices across the software supply chain.

If you develop software, hardware, or services that interact with digital products in the EU, understanding the CRA is critical. Read the full blog to determine if the CRA affects your business and how you can prepare for compliance.

Securing Public Sector Supply Chains is a Team Sport

Everyone is increasingly aware that software supply chain security is critical, but the challenges in the public sector come with added complexity—stringent policies, high-risk exposure, and slow approval processes. In this blog, Daniel Moch (Lockheed Martin) explores the unique security hurdles faced by public sector organizations and how the open source community, alongside OpenSSF, can help mitigate them.

From SLSA Provenance and VEX adoption to reputation-based contributor scoring, the blog outlines practical ways to enhance supply chain transparency and security. Read on to discover how collaborative efforts can make software security stronger for everyone. Read the blog here.

Linux Foundation Europe and OpenSSF Launch Initiative to Prepare Maintainers, Manufacturers, and Open Source Stewards for Global Cybersecurity Legislation

CRA Press Release

Linux Foundation Europe and OpenSSF have launched a global initiative to help open source communities navigate the EU Cyber Resilience Act (CRA) and worldwide cybersecurity regulations. The effort will focus on cybersecurity standards, compliance frameworks, and tooling to support maintainers and manufacturers. Learn more about this collaborative effort and how to get involved. Read the announcement here.

Alpha-Omega 2024 Annual Report

Alpha-Omega’s 2024 Annual Report highlights major strides in open source security, including $6 million in grants to strengthen critical projects like the Linux kernel, Python Software Foundation, and RubyGems. Through funding, security audits, and scaled vulnerability fixes, Alpha-Omega has helped build a sustainable security culture across the open source ecosystem. Discover the impact of these investments and the vision for 2025 in the full report. Read the blog and full report here.

News from OpenSSF Community Meetings and Projects:

Help OpenSSF improve by taking 5 minutes to fill out our Community Survey.
GUAC published its 2024 in review.
Global Cyber Policy WG had in-person meetups at FOSDEM. Notes here. They are setting up a new meeting series and drafting a mission statement for the EU CRA Standardization SIG https://doodle.com/group-poll/participate/dL0rpGWd.
SLSA completed and merged updates to its governance document.
gittuf released version 0.9.0.
SBOM Everywhere SIG SIG previewed using AI tooling to help update the SBOM Landscape catalog.
OpenSSF Scorecard has a new donation submission for an Azure Pipelines task.
Central now performs Sigstore Signature Validation (Java) https://central.sonatype.org/news/20250128_sigstore_signature_validation_via_portal/
Securing Software Repositories WG is hiring a technical writer to create guidance on when to allow a previously published package to be deleted from software repositories.
Three Working Groups submitted new quarterly updates to the TAC: BEAR, Vulnerability Disclosure, and Supply Chain Integrity.
Protobom added Allen Shearin as a maintainer.
Security Baseline has two open pull requests to refactor the baseline compiler, extending the cli to support more use cases and making the loader and generator easier to use.

In the News:

Meet OpenSSF at These Upcoming Events!

OpenSSF Policy Summit DC 2025: March 4, 2025
OpenSSF Community Day North America 2025: June 26, 2025
OpenSSF Community Day Europe 2025: August 28, 2025

You’re invited to…

Join a Working Group or Project
Chat with us on Slack
Follow us on X, Mastodon, Bluesky, and LinkedIn

See You Next Month!

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!

Regards,

The OpenSSF Team

TL;DR:

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

OpenSSF Tech Talk Recap: Using Security Baseline to Navigate Standards and Regulations

New Guide on Simplifying Software Component Updates

Call for Proposals for OpenSSF Community Day Europe Open Through 26 May, 2025

Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration

What’s in the SOSS? An OpenSSF Podcast:

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Ways to Participate:

See You Next Month!

Join us at OpenSSF Community Day Events in North America and Europe 2025!

OpenSSF Announces Initial Release of the Open Source Project Security Baseline

Does the EU CRA affect my business?

Securing Public Sector Supply Chains is a Team Sport

Linux Foundation Europe and OpenSSF Launch Initiative to Prepare Maintainers, Manufacturers, and Open Source Stewards for Global Cybersecurity Legislation

Alpha-Omega 2024 Annual Report

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

See You Next Month!

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get the latest announcements, event info, and the community news in your inbox