The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), welcomes six new members from leading technology firms. New OpenSSF general members include Mend.io, RTX, Shopify, SlimAI, and Stacklok. The Rust Foundation also joins as a new OpenSSF associate member. Technical communities continue to prioritize investment in open source security and recognize that supporting and sustaining open source communities is essential to maintaining a healthy, vibrant, and secure open source ecosystem.
“We are excited to welcome these new members to the OpenSSF community,” said Omkhar Arasaratnam. “At a time when open source software’s place in critical infrastructure is more important than ever before, we look forward to working together to make the open source ecosystem more safe, secure, and reliable.”
Today, the OpenSSF hosts OpenSSF Day Europe at Open Source Summit Europe in Bilbao, Spain. OpenSSF Day is an opportunity to learn more about ongoing efforts to secure the open source software ecosystem. Highlights on the schedule include sessions on collaboratively developing security in the open, managing vulnerabilities, collaborating along the open source supply chain, building better pipelines, and more. A panel will explore navigating open source, open standards, and government directives for better cybersecurity.
The OpenSSF recently released the Source Code Management Best Practices Guide 1.0. The guide is a comprehensive resource for raising awareness of, and educating on, best practices for securing source code management platforms, including GitHub and GitLab.
OpenSSF’s Alpha-Omega Project granted $530,000 to the Internet Security Research Group (ISRG), the parent organization of Prossimo, to bring memory safety to critical components of the Internet. The Alpha portion of Alpha-Omega is collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. The grant to Prossimo is earmarked to advance the functionality and scalability of the Rustls TLS library and the Rust for Linux effort.
The OpenSSF also recently released updates to Scorecard, its automated tool for measuring the security status of OSS projects. Scorecard now supports GitLab in addition to GitHub, and its analyses have received many improvements.
In support of the DARPA AI Cyber Challenge (AIxCC), a two-year competition aimed at driving innovation at the nexus of AI and cybersecurity to create a new generation of cybersecurity tools, the OpenSSF is serving as a challenge advisor. Open Track registration opens on November 1st.
Recently, the US Federal Government issued a Request for Information (RFI) on Open Source Software Security, originating from the Open-Source Software Security Initiative (OS3I), an interagency working group created to improve OSS security. The OpenSSF plans to reply to the RFI and encourages all stakeholders to respond as well. The US Cybersecurity and Infrastructure Security Agency (CISA) also recently released an Open Source Software Security Roadmap; the OpenSSF is uniquely positioned to assist with that roadmap in securing open source software for the public good.
Last week, the OpenSSF brought together US Government (USG) officials from the National Security Council (NSC), the Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA), among others, with industry leaders at the Secure Open Source Software (SOSS) Summit 2023. Participants at the Summit discussed the security challenges of consuming OSS in critical infrastructure sectors and beyond, and highlighted the shared responsibility needed to ensure the resilience of OSS in critical infrastructure.