Since inception last year, the Open Source Security Foundation (OpenSSF) community has been focused on helping developers use and share high-quality software with security handled proactively. 

As a continuation of its commitment, the foundation is creating a Criticality Score as well as a Security metrics dashboard for open-source projects that will help prioritize which open-source project vulnerabilities need to be addressed first. 

The group has already released the CVE Benchmark for tooling and data sets and established Security Scorecards that auto-generates a “security score.” 

Additional details on the new work from OpenSSF is available here.

Anchore and GitLab team up on DevSecOps
The partnership enables automated container security and compliance processes through a new integration. 

GitLab users will now be able to see the results from Anchore’s deep container image scans in merge requests. It will also enable users to update merge requests with a package version to resolve vulnerabilities.

“Digital transformation has changed software development practices as organizations seek to deliver applications more quickly and update them more frequently. This shift, combined with increasing cybersecurity threats, requires developers to implement security and compliance checks throughout the DevSecOps life cycle. The integration between Anchore and GitLab helps to automate these DevSecOps best practices for enterprises, government agencies, and open source communities,” said Saïd Ziouani, the CEO and cofounder of Anchore. 

ActiveState announces new funding for modern security-first software development
ActiveState will use the strategic investment from Turn/River Capital to expand its software dependency, build, and risk management platform.

The ActiveState Platform helps enterprises identify their open-source vulnerabilities in third-party code both before and after the code is adopted, the company explained in a post. 

Apache weekly update
Last week, the Apache Software Foundation saw the release of Apache Arrow 3.0.0, the cross-language development platform for in-memory analytics, which adds many new features for C++, Rust, and Python users. 

Other new releases include Apache IoTDB 0.11.2, Commons Daemon 1.2.4, Traffic Server 9.0.0, JMeter 5.4.1, Nutch 1.18, and the elevation of Apache ECharts to Top-Level project status. 

The Apache Software Foundation also found vulnerabilities in Hadoop, ActiveMQ, and Nutch that are explained in more detail here.