Software Supply Chain Security

Open Infrastructure Is Not Free, Part II: The Hidden Cost of Running Package Registries

Blog AI Linux Foundation Open Source Sustainability Package Registries Software Supply Chain Security

Why Third-Party Notices Are Breaking at Scale: What the Ecosystem Needs Next

Blog Guest Blog Open Source Compliance SBOM Software Supply Chain Security Third-Party Notices vulnerability management

What’s in the SOSS? Podcast #53 – S3E5 AIxCC Part 3 – Buttercup’s Hybrid Approach: Trail of Bits’ Journey to Second Place in AIxCC

Podcast agentic AI AI security AI/ML security Open Source Security Software Supply Chain Security

What’s in the SOSS? Podcast #52 – S3E4 AIxCC Part 2 – From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs

Podcast AI Cyber Challenge AI security AIxCC DARPA AIxCC large language models LLM security Podcast Software Supply Chain Security Taesoo Kim vulnerability detection What’s in the SOSS

Your Guide to the OpenSSF OSPS Baseline for More Secure Open Source Projects

The Open Source Project Security (OSPS) Baseline is a community-developed catalog of practical security controls that helps open source projects understand what good security looks like and how to improve over time.

Blog developer best practices Open Source Security OpenSSF OSPS Baseline Software Supply Chain Security

Catching Malicious Package Releases Using a Transparency Log

Trail of Bits, with funding from OpenSSF, is improving Sigstore’s rekor-monitor to help maintainers detect malicious package releases, monitor signing identities, and strengthen software supply chain security using transparency logs.

Blog Guest Blog attestations ecosystem security identity signing Open Source Security OpenSSF package security rekor sigstore Software Supply Chain Security Trail of Bits transparency logs TUF

What’s in the SOSS? Podcast #47 – S2E24 Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

NYU professor Justin Cappos joins the OpenSSF podcast to discuss why software supply chain security is missing from most university curricula -- and how hands-on, open source-first education can change that.

Podcast academia code signing higher education Linux Foundation Open Source Community Open Source Security OpenSSF Podcast SBOM Secure Software Development security education Software Supply Chain Security What’s in the SOSS

OpenSSF Newsletter – October 2025

Discover the latest updates across the OpenSSF community including new learning offerings, AI/ML security advancements, SBOM evolution under the CRA, Scorecard improvements, Sigstore research, upcoming events, and fresh podcast episodes helping secure the future of open source.

Newsletter AI security community events EU Cyber Resilience Act Open Source Security OpenSSF Newsletter OpenSSF projects SBOM Scorecard Secure Software Development sigstore Software Supply Chain Security Tech Talks

SBOMs in the Era of the CRA: Toward a Unified and Actionable Framework

By Madalin Neag, Kate Stewart, and David A. Wheeler In our previous blog post, we explored how the Software Bill of Materials (SBOM) should not be a static artifact created...

Blog EU Cyber Resilience Act Global Cyber Policy Guest Blog Cyber Resilience Act OpenSSF tools SBOM interoperability Software Supply Chain Security SPDX CycloneDX standards

What’s in the SOSS? Podcast #42 – S2E19 New Education Course: Secure AI/ML-Driven Software Development (LFEL1012) with David A. Wheeler

Podcast AI security developer training OpenSSF education Podcast secure AI development Software Supply Chain Security