Topic: openssf

OpenSSF teams up with Eclipse Foundation to define specifications for the EU’s Cyber Resilience Act

The Open Source Security Foundation (OpenSSF), which is a Linux Foundation project devoted to improving open source software security, has announced a collaboration with the Eclipse Foundation’s Open Regulatory Compliance Working Group to work on the EU’s Cyber Resilience Act. The Cyber Resilience Act (CRA) establishes security requirements for hardware and software products for sale …

OpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs

A number of security-focused groups have announced they are teaming up on a new open-source project to help secure software supply chains: Protobom. The project was created jointly by the Open Source Security Foundation (OpenSSF), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security Science and Technology Directorate (DHS S&T). Protobom allows …

SD Times Open-Source Project of the Week: Guac

The Graph for Understanding Artifact Composition (GUAC) is a project dedicated to enhancing the security of software supply chains that has recently become an incubating project under the Open Source Security Foundation (OpenSSF). This collaborative effort, initiated by Kusari, Google, and Purdue University, is designed to manage dependencies and offer actionable insights into the security …

OpenSSF shares progress for its Alpha-Omega project in 2023

The Open Source Security Foundation (OpenSSF) released the annual report for its Alpha-Omega project, an initiative that focuses on identifying and remedying vulnerabilities within source code to create a safer digital environment. According to OpenSSF, the Alpha-Omega project has become a pivotal player in enhancing the security infrastructure of open-source software, reflecting a proactive approach …

OpenSSF launches Malicious Packages repository to track reports of compromised open source packages

The Open Source Security Foundation (OpenSSF) is attempting to tackle the issue of malicious open source software with a new repository that will aggregate reports of malicious packages. “Currently, each open source package repository has its own approach to handling malicious packages. When a malicious package is reported by the community, it is common for …

OpenSSF launches Open Source Consumption Manifesto

OpenSSF created the Open Source Consumption Manifesto (OSCM) with the main objective of improving how organizations consume open-source software. Similar to the Agile Manifesto, OSCM is based on core values and comprises 15 guiding principles for using open source. It is designed to be a continuously evolving document, according to OpenSSF. Open Source …

Open Source Summit: AWS open sources Cedar, SPDX Release Candidate 3.0, and OpenSSF updates

Open Source Summit North America is taking place this week in Vancouver. The event, hosted by the Linux Foundation, is a celebration of the open source community. It has the support of many major players in the industry, with news announced during the event coming from AWS, Meta, and more. Here are highlights of the …

Version 1.0 of SLSA provides specifications for software supply chain security

The Open Source Security Foundation (OpenSSF) has announced the release of the first version of its supply chain security framework, Supply-chain Levels for Software Artifacts (SLSA). The project provides specifications for the software supply chain that have been established by community consensus. SLSA’s framework is split into several levels that describe increasing security rigor, so …

NSA’s and CISA’s recent security guidance: The good and the bad

The NSA and CISA released the guide “Securing the Software Supply Chain: Recommended Practices Guide for Developers” last month, and while David Wheeler, the director of open-source supply chain security at the Linux Foundation and OpenSSF, welcomes it, he said there are some questionable requirements. The guide covers aspects of security such as how to …

AWS increases its commitment to OpenSSF by $10 million

To address the ongoing concerns in the industry regarding supply chain security, AWS has announced it is increasing its investment in the Open Source Security Foundation (OpenSSF) by $10 million over the next three years. “Security is our top priority at AWS,” said Mark Ryland, director of the Office of the CISO at AWS. “As …

OpenSSF announces new project for improving supply chain security

OpenSSF announced the Alpha-Omega Project to improve the security posture of open-source software by working together with software security experts. Microsoft and Google are supporting the project, which aims to improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code with a $5 …