Uniting for better open-source security: The Open Source Security Foundation (OpenSSF)

guest · Aug 3, 2020

The Linux Foundation aims to improve open source software security
August 3,2020
https://betanews.com/2020/08/03/open-source-security-foundation/

Open source software has become commonplace in all sorts of environments. But its very nature means that those responsible for their users' or organization's security need to be able to understand and verify its security.

Today The Linux Foundation is announcing the formation of the Open Source Security Foundation (OpenSSF). This is a cross-industry collaboration that brings together leaders to improve the security of open source software by building a broader community with targeted initiatives and best practices.

The OpenSSF combines efforts from the Core Infrastructure Initiative, GitHub's Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Purdue, SAFEcode, StackHawk, Trail of Bits, Uber and VMware.
Click to expand...

"Ensuring open source security is one of the most important things we can do and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort."

The formal creation of the group includes setting up a Governing Board, a Technical Advisory Council and separate oversight for each working group and project. OpenSSF intends to host a variety of open source technical initiatives to support security for the world's most critical open source software, all of which will be done in the open on GitHub.
Click to expand...

You can find out more about the project and how to get involved on the OpenSSF site.
Click to expand...

guest · Aug 3, 2020

Microsoft Joins Open Source Security Foundation
August 3, 2020
https://www.microsoft.com/security/blog/?p=91648

Microsoft has invested in the security of open-source software for many years and today I’m excited to share that Microsoft is joining industry partners to create the Open Source Security Foundation (OpenSSF), a new cross-industry collaboration hosted at the Linux Foundation.

Open-source software is core to nearly every company’s technology strategy and securing it is an essential part of securing the supply chain for all, including our own. With the ubiquity of open source software, attackers are currently exploiting vulnerabilities across a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware, and IoT.
Click to expand...

guest · Oct 30, 2020

Open Source Security Foundation launches a new certification program on edX
October 29, 2020
https://www.zdnet.com/article/open-...-launches-a-new-certification-program-on-edx/

If you're a programmer and you've heard it once, you've heard it a thousand times. "Build security into your programs!" That's easy to say, but how, exactly, do you do that? The Linux Foundation's Open Source Security Foundation (OpenSSF) has an answer: A set of three free classes and a certification program to get your security skills up to speed.

These classes are intended for the full range of software developers, including DevOps professionals, software engineers, and web application developers. Indeed, anyone interested in learning how to develop secure software will find these courses useful.
The courses focus on practical developer steps you can use to counter the most common kinds of attacks.
Click to expand...

Mike Dolan, The Linux Foundation's Senior VP and GM of Projects, said: "We're excited to offer the Secure Software Development Fundamentals professional certificate program to support an informed talent pool about open source security best practices."
Click to expand...

OpenSSF: Announcing: Secure Software Development EdX course, Sign Up Today!

The Open Source Security Foundation (OpenSSF) has developed a trio of free courses on how to develop secure software. These courses are part of the Secure Software Development Fundamentals Professional Certificate program, all available on the edX platform. This material is intended for all software developers so they can learn to develop secure software. It focuses on practical steps that any software developer can easily take, not theory or actions requiring unlimited resources.

Those interested can sign up starting October 29, 2020. The course material is expected to be released on November 5, 2020. For more information click here.
Click to expand...

guest · Dec 9, 2020

OpenSSF Launches Open Source Tool for Evaluating SAST Products
December 9, 2020
https://www.securityweek.com/openssf-launches-open-source-tool-evaluating-sast-products

The new tool, named OpenSSF CVE Benchmark, provides vulnerable code and metadata related to 218 known JavaScript and TypeScript vulnerabilities.

The tool can be integrated with ESLint, CodeQL and NodeJsScan, but its creators hope the community will help build integrations with more security tools and help expand the dataset.
The goal of the tool, whose source code is available on GitHub, is to make it easier for security teams to evaluate various SAST tools.
Specifically, it helps determine if a security tool can detect a vulnerability or if it produces a false negative, and whether it can recognize a validated patch or it produces a false positive
Click to expand...

Launched in August 2020 and hosted by the Linux Foundation, OpenSSF aims to improve the security of open source software by building a community, best practices and targeted initiatives. Its members include GitHub, IBM, Google, VMware, Microsoft, NCC Group, OWASP, JPMorgan Chase, Red Hat, Intel, HackerOne, Uber, GitLab, Okta and others.
Click to expand...

OpenSSF: Introducing the OpenSSF CVE Benchmark

Today, at Black Hat Europe, the Open Source Security Foundation (OpenSSF) unveiled its latest initiative: the OpenSSF CVE Benchmark. The benchmark consists of vulnerable code and metadata for over 200 historical JavaScript/TypeScript vulnerabilities (CVEs). It includes tooling for analyzing the real-world codebases that were affected by these vulnerabilities, using a range of different static application security testing (SAST) tools. The automatically-generated reports will help security teams evaluate different security tools on the market.
Click to expand...

guest · Jul 31, 2021

OpenSSF adds new members from around the globe to improve OSS security
July 31, 2021
https://www.helpnetsecurity.com/2021/07/31/openssf-membership/

OpenSSF announced new membership commitments to advance open source security education and best practices. New members include Accurics, Anchore, Bloomberg Finance, Cisco Systems, Codethink, Cybertrust Japan, OpenUK, ShiftLeft, Sonatype and Tidelift.

“The massive support we’re seeing for the OpenSSF and its initiatives is a reflection of the industry-wide commitment to secure open source software,” said Kay Williams, Governing Board Chair, OpenSSF, and Supply Chain Security Lead, Azure Office of the CTO, Microsoft. “We welcome the latest OpenSSF new members and look forward to their contributions.“
Click to expand...

The new Scorecard 2.0 is also available now and includes new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis. The Scorecard is gaining adoption for automating analysis and trust decisions on the security posture of open source projects.
Click to expand...

OpenSSF: July 2021 Update – New members and new resources for Best Practices and Vulnerability Disclosures underway

guest · Oct 14, 2021

OpenSSF Bags $10 Million Investment
October 13, 2021
https://www.securityweek.com/openssf-bags-10-million-investment

The Linux Foundation has secured a new $10 million investment that will help expand and support the Open Source Security Foundation (OpenSSF).

The funding will help OpenSSF focus on identifying and addressing security vulnerabilities in open source software, thus securing the software supply chain. The foundation is also working on the development of best practices, tooling, training, and vulnerability disclosure practices.

"This pan-industry commitment is answering the call from the White House to raise the baseline for our collective cybersecurity wellbeing, as well as ‘paying it forward’ to open source communities to help them create secure software from which we all benefit," Jim Zemlin, executive director at the Linux Foundation, said in a statement announcing the investment.
In addition to the funding, OpenSSF announced that open source luminary Brian Behlendorf will serve as its General Manager.
Click to expand...

guest · Aug 18, 2022

Capital One, Akamai among 13 organizations added to open source security group
August 17, 2022

A non-profit organization run under the banner of the Linux Foundation and dedicated to securing open-source software has bolstered its ranks with 13 new members from private industry, the finance sector and academia.

The Open Source Security Foundation (OpenSSF) announced Wednesday that it will be adding more than a dozen new entities to its membership. It will include financial titan Capital One as a premier member who will receive a seat on the foundation’s governing board. The other new members are Akamai, Indeed, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, ZTE, Eclipse Foundation, Perdue University and TODO Group.
Click to expand...

David A. Wheeler, director of open source supply chain security at the Linux Foundation, told SC Media in an interview that while some of the foundations they create are more restrictive, the criteria for OpenSSF membership is as wide as the impact of the problem they’re trying to collectively solve.

“Every different foundation has rules about who can join and who can’t, but in the case of the OpenSSF, it’s extremely broad and intentionally so because basically everybody is impacted by the security or lack of security in open-source software,” Wheeler said.
Click to expand...

More recently, OpenSSF unveiled a 10-point plan at the Open Source Security Summit hosted by the White House in May. That plan will feed into 10 different workstreams, like finding ways to reduce patching response times for open source software, developing new metrics to track code and components, moving the industry away from non-memory safe programming languages that make it difficult to find and fix vulnerabilities, establishing a framework for incident response teams that can be deployed across the open source community and conduct annual third-party reviews of the top 200 most critical open source security components.
Click to expand...

OpenSSF: OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain

SAN FRANCISCO, August 17, 2022 – The Open Source Security Foundation (OpenSSF) a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important software supply chain security initiatives, today announced 13 new members from leading financial services, technology, employment, software development, cybersecurity, telecommunications, and academic sectors.
Click to expand...

guest · Nov 18, 2022

OpenSSF Adopts Microsoft-Built Supply Chain Security Framework
By Ionut Arghire - November 17, 2022

The Open Source Security Foundation (OpenSSF) on Wednesday announced the adoption of Secure Supply Chain Consumption Framework (S2C2F), a Microsoft-built framework for consuming open source software.
Click to expand...

In use within Microsoft since 2019 and made public in August 2022, S2C2F defines real-world threats to open source software (OSS) and includes requirements to mitigate them. The consumption-focused framework takes a threat-based, risk-reduction approach to mitigating supply chain threats against the OSS.

The framework includes eight different areas of practice, including ingestion, inventory, updates, enforcement, audit, scanning, rebuilding, and fixing (upstream).
Click to expand...

Each of these comprises requirements organized on four levels of maturity, namely basic governance practices (OSS inventory, vulnerability scanning, and dependencies updates), improving mean time to remediate (MTTR) vulnerabilities in OSS, proactive security analysis and controls, and mitigation against sophisticated attacks.

“Using the S2C2F, teams and organizations can more efficiently prioritize their efforts in accordance with the maturity model. The ability to target a specific level of compliance within the framework means teams can make intentional and incremental progress toward reducing their supply chain risk,” Microsoft explains.
Click to expand...

OpenSSF: OpenSSF Expands Supply Chain Integrity Efforts with S2C2F

By Jay White, Microsoft and David A. Wheeler, Linux Foundation - November 16, 2022
A robust strategy around securing how developers consume and manage open source software (OSS) dependencies when building software is essential. The Secure Supply Chain Consumption Framework (S2C2F) is a consumption-focused framework that uses a threat-based, risk-reduction approach to mitigate real world threats in Open Source Software (OSS).

Today, we are pleased to announce that it has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Interest Group (SIG). The Secure Supply Chain Consumption Framework (S2C2F), when coupled with a producer-focused artifact-oriented framework such as Supply chain Levels for Software Artifacts (SLSA), gives software producers and consumers a complete guide for how to approach building and consuming software securely.
Click to expand...

Microsoft: Microsoft contributes S2C2F to OpenSSF to improve supply chain security

By Mark Russinovich - November 16, 2022
On August 4, 2022, Microsoft publicly shared a framework that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework.

We are pleased to announce that the S2C2F has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Initiative Group (SIG). Our peers at the OpenSSF and across the globe agree with Microsoft when it comes to how fundamental this work is to improving supply chain security for everyone.
Click to expand...

Log in or Sign up

Uniting for better open-source security: The Open Source Security Foundation (OpenSSF)

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Uniting for better open-source security: The Open Source Security Foundation (OpenSSF)

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches