Topic: openssf

OpenSSF shares progress for its Alpha-Omega project in 2023

The Open Source Security Foundation (OpenSSF) released the annual report for its Alpha-Omega project, an initiative that focuses on identifying and remedying vulnerabilities within source code to create a safer digital environment.  According to OpenSSF, the Alpha-Omega project has become a pivotal player in enhancing the security infrastructure of open-source software, reflecting a proactive approach … continue reading

OpenSSF launches Malicious Packages repository to track reports of compromised open source packages

The Open Source Security Foundation (OpenSSF) is attempting to tackle the issue of malicious open source software with a new repository that will aggregate reports of malicious packages.  “Currently, each open source package repository has its own approach to handling malicious packages. When a malicious package is reported by the community, it is common for … continue reading

OpenSSF launches Open Source Consumption Manifesto

OpenSSF created the Open Source Consumption Manifesto (OSCM) with the main objective of enhancing the utilization of open-source software. Similar to the Agile Manifesto, OSCM is based on core values and comprises 15 guiding principles for using open source. It is designed to be a continuously evolving document, according to the Open SSF.  Open Source … continue reading

Open Source Summit: AWS open sources Cedar, SPDX Release Candidate 3.0, and OpenSSF updates

Open Source Summit North America is taking place this week in Vancouver. The event, hosted by the Linux Foundation, is a celebration of the open source community. It has the support of many major players in the industry, with news announced during the event coming from AWS, Meta, and more.  Here are highlights of the … continue reading

Version 1.0 of SLSA provides specifications for software supply chain security

The Open Source Security Foundation (OpenSSF) has announced the release of the first version of its supply chain security language, Supply-chain Levels for Software Artifacts (SLSA). The project provides specifications for software supply chain that have been established by community consensus. SLSA’s framework is split into several different levels that describe increasing security severity so … continue reading

NSA’s and CISA’s recent security guidance: The good and the bad

The NSA and CISA released the guide “Securing the Software Supply Chain: Recommended Practices Guide for Developers” last month and while David Wheeler, the director of open-source supply chain security at the Linux Foundation and OpenSS, welcomes it, he said there are some questionable requirements.  The guide covers aspects of security such as how to … continue reading

AWS increases its commitment to OpenSSF by $10 million

To address the ongoing concerns in the industry regarding supply chain security, AWS has announced it is increasing its investment in the Open Source Security Foundation (OpenSSF) by $10 million over the next three years.   “Security is our top priority at AWS,” said Mark Ryland, director of the Office of the CISO at AWS. “As … continue reading

OpenSSF announces new project for improving supply chain security

OpenSSF announced the Alpha-Omega Project to improve the security posture of open-source software by working together with software security experts.  Microsoft and Google are supporting the project, which aims to improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code with a $5 … continue reading Protection Status