A new report from CISA, the FBI, the Australian Cyber Security Centre (ACSC), and the Canadian Centre for Cyber Security (CCCS) analyzed 172 critical open source projects identified by OpenSSF and found that 52% of them contain code written in a memory-unsafe language. The report also found that 55% of the total lines of code across all projects were …
The Open Source Security Foundation (OpenSSF), which is a Linux Foundation project devoted to improving open source software security, has announced a collaboration with the Eclipse Foundation’s Open Regulatory Compliance Working Group to work on the EU’s Cyber Resilience Act. The Cyber Resilience Act (CRA) establishes security requirements for hardware and software products for sale …
A number of security-focused groups have announced they are teaming up on a new open-source project to help secure software supply chains: Protobom. The project was created jointly by the Open Source Security Foundation (OpenSSF), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security Science and Technology Directorate (DHS S&T). Protobom allows …
The Graph for Understanding Artifact Composition (GUAC) is a project dedicated to enhancing the security of software supply chains that has recently become an incubating project under the Open Source Security Foundation (OpenSSF). This collaborative effort, initiated by Kusari, Google, and Purdue University, is designed to manage dependencies and offer actionable insights into the security …
The Open Source Security Foundation (OpenSSF) released the annual report for its Alpha-Omega project, an initiative that focuses on identifying and remedying vulnerabilities within source code to create a safer digital environment. According to OpenSSF, the Alpha-Omega project has become a pivotal player in enhancing the security infrastructure of open-source software, reflecting a proactive approach …
The Open Source Security Foundation (OpenSSF) is attempting to tackle the issue of malicious open source software with a new repository that will aggregate reports of malicious packages. “Currently, each open source package repository has its own approach to handling malicious packages. When a malicious package is reported by the community, it is common for …
OpenSSF created the Open Source Consumption Manifesto (OSCM) with the main objective of improving how organizations consume open-source software. Similar to the Agile Manifesto, OSCM is based on core values and comprises 15 guiding principles for using open source. It is designed to be a continuously evolving document, according to OpenSSF. Open Source …
Open Source Summit North America is taking place this week in Vancouver. The event, hosted by the Linux Foundation, is a celebration of the open source community. It has the support of many major players in the industry, with news announced during the event coming from AWS, Meta, and more. Here are highlights of the …
The Open Source Security Foundation (OpenSSF) has announced the release of the first stable version (v1.0) of its supply chain security framework, Supply-chain Levels for Software Artifacts (SLSA). The project provides specifications for software supply chain security that have been established by community consensus. SLSA’s framework is split into several levels that describe increasingly strong security guarantees for how an artifact was built, so …
The NSA and CISA released the guide “Securing the Software Supply Chain: Recommended Practices Guide for Developers” last month, and while David Wheeler, the director of open-source supply chain security at the Linux Foundation and OpenSSF, welcomes it, he said there are some questionable requirements. The guide covers aspects of security such as how to …
To address the ongoing concerns in the industry regarding supply chain security, AWS has announced it is increasing its investment in the Open Source Security Foundation (OpenSSF) by $10 million over the next three years. “Security is our top priority at AWS,” said Mark Ryland, director of the Office of the CISO at AWS. “As …
OpenSSF announced the Alpha-Omega Project to improve the security posture of open-source software by working together with software security experts. Microsoft and Google are supporting the project, which aims to improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code with a $5 …