OpenSSF Update Q4 2023: Building on Our Security Work

Hello, Linux Foundation members and readers! Here’s what we at the Open Source Security Foundation (OpenSSF) worked on during the past quarter:

• In September, we hosted OpenSSF Day Europe in Bilbao, Spain.
• In September in DC, we also hosted the Secure Open Source Software (SOSS) Summit 2023, gathering government and industry leaders to collaborate on open source software security.
• We welcomed six new members from leading technology firms to the OpenSSF.
• In August, we announced the OpenSSF is partnering with Defense Advanced Research Projects Agency (DARPA) to advise on the AI Cyber Challenge (AIxCC).

OpenSSF Day Europe

On September 18, 2023, we hosted OpenSSF Day Europe at the Open Source Summit Europe in Bilbao, Spain. Throughout the day, we hosted several sessions around the state of open source software security, discussing current initiatives and what’s next.

OpenSSF Gathers US Government and Industry Leaders at Secure Open Source Software Summit 2023

The OpenSSF brought together US Government (USG) officials from the National Security Council (NSC), Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA), among others with industry leaders at the Secure Open Source Software (SOSS) Summit 2023. Participants at the Summit discussed the security challenges for the consumption of OSS in critical infrastructure sectors and beyond and highlighted the shared responsibility needed to ensure the resilience of OSS in critical infrastructure.

OpenSSF Welcomes New Members in Support of Securing Open Source Software

We welcomed six new members from leading technology firms to the OpenSSF. New general members include Mend.io, RTX, Shopify, SlimAI, and Stacklok. A new associate member, the Rust Foundation, also joined. Technical communities continue to prioritize investment in open source security and recognize the role of supporting and sustaining open source communities in maintaining a healthy, vibrant, and secure open source ecosystem.

OpenSSF to Support DARPA on New AI Cyber Challenge (AIxCC)

The Open Source Security Foundation (OpenSSF) announced at Black Hat 2023 its collaboration with the Defense Advanced Research Projects Agency (DARPA) on the AI Cyber Challenge (AIxCC) – a two-year competition aimed at driving innovation at the nexus of AI and cybersecurity to create a new generation of cybersecurity tools. 

Latest News from the OpenSSF

We’ve been busy at the OpenSSF, and often share updates with the community on our blog. Here are a few recent posts from our blog that you won’t want to miss. Check them out!

• OpenSSF Day Europe Agenda Now Live - July 13
• Fuzz Introspector: optimizing fuzzing workflows - July 20
• Manage how you protect your assets at scale with SBOMs - July 21
• OpenSSF Vulnerability Disclosures Working Group Helps Guide and Automate Handling Risk - July 27
• Understanding and Applying the OpenSSF Criticality Score in Open Source Projects - July 28
• The Rising Threat of Software Supply Chain Attacks: Managing Dependencies of Open Source Projects - August 18
• Join Us in Adopting the Open Source Consumption Manifesto - August 24
• US Federal Government’s RFI on Open Source Software Security - August 25
• OpenSSF Scorecard Launches v4.12 with Support for GitLab - August 28
• Submit to Speak at OpenSSF Day Japan - August 28
• Securing Software Repositories Working Group: Repositories, Registries, and Tools - August 30
• Introducing RSTUF, Repository Service for TUF - August 31
• Strengthening Open Source Software: Best Practices for Enhanced Security - September 6
• VDR, VEX, OpenVEX and CSAF - September 7
• Behind the Scenes of the Alpha-Omega Summer Mentorship Program - September 8
• CISA’s Open Source Software Security Roadmap - September 12
• What You Need to Know About the Linux Foundation’s New Vulnerability Reporting Policy - September 14
• OpenSSF Releases Source Code Management Best Practices Guide - September 14
• Join us for an OpenSSF Tech Talk on SLSA - September 15
• Advancing Rustls and Rust for Linux with OpenSSF Support - September 18
• Threat Modeling the Supply Chain for Software Consumers - September 27
• OpenSSF Securing Critical Projects Working Group: Identifying and Helping Improve Top Open Source Projects - September 28
• Announcing sigstore-python 2.0 - September 29

OpenSSF in the News Highlights

• Dark Reading - Cl0p's MOVEit Campaign Represents a New Era in Cyberattacks - July 5
• Security Conversations - OpenSSF GM Omkhar Arasaratnam on open-source software security - July 5
• OpenJS Foundation - Node.js Security Progress Report - July 17
• Linux Foundation - OpenSSF Outlook Q3 2023: Continuing to Strengthen the Open Source Ecosystem - July 18
• InfoWorld - A new hope for software security - July 24
• TechCrunch - DARPA launches two-year competition to build AI-powered cyber defenses - August 9
• The New Stack - Artificial Intelligence: Stopping the Big Unknown in Application, Data Security - August 18
• *En Español* Power Moment Podcast - Retos y oportunidades para ser resiliente en la era digital (Challenges and opportunities to be resilient in the digital age) - August 20
• Cybernews - Security pundits call for responsible consumption of open source software - August 25
• Open Source Watch - A New Take on Software Code Security: The Open Source Consumption Manifesto - August 28
• Dark Reading - MOVEit Breach Shows Us SQL Injections Are Still Our Achilles' Heel - August 30
• Axios - Biden administration, tech industry draft a long-term plan to secure open source software - September 12
• Wall Street Journal - White House Calls for Stronger Open-Source Security - September 13
• SDxCentral - How to make open source software more secure (highlights from SOSS) - September 13
• F5 DevCentral Podcast - This Month In Security, Ep 13: August, 2023 - OpenSSF / Hacker Summer Camp - September 15
• IT Security Wire - OpenSSF Welcomes New Members in Support of Securing Open Source Software - September 18
• Dark Reading - Will Government Secure Open Source or Muck It Up? - September 27
• Tech Native - Five Critical Ways to Protect Your Software Supply Chain - September 27
• The Stack - JPMorgan’s Global CISO urges use of Sigstore, Alpha-Omega in open source security drive - October 5

How You Can Help Secure the OSS Supply Chain

We remain committed to ensuring the open source software ecosystem is secure for all. Explore getting involved in the OpenSSF. This could range from participating in our working groups to joining our Slack or mailing list.

We look forward to working with you to help secure the entire OSS ecosystem!