The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), welcomes six new members from leading technology firms. The new OpenSSF general members are Mend.io, RTX, Shopify, SlimAI, and Stacklok; the Rust Foundation joins as a new associate member. Technical communities continue to prioritize investment in open source security and recognize that supporting and sustaining open source communities is essential to maintaining a healthy, vibrant, and secure open source ecosystem.
“We are excited to welcome these new members to the OpenSSF community,” said Omkhar Arasaratnam. “At a time when open source software’s place in critical infrastructure is more important than ever before, we look forward to working together to make the open source ecosystem more safe, secure, and reliable.”
Today, the OpenSSF hosts OpenSSF Day Europe at Open Source Summit Europe in Bilbao, Spain. OpenSSF Day is an exciting opportunity to learn more about ongoing efforts to secure the open source software ecosystem. Highlights on the schedule include sessions on collaboratively developing security in the open, managing vulnerabilities, collaborating along the open source supply chain, building better pipelines, and more. A panel will explore navigating open source, open standards and government directives for better cybersecurity. Both in-person and virtual registration are available.
The OpenSSF recently released the Source Code Management Best Practices Guide 1.0. The guide is a comprehensive resource for raising awareness of, and educating practitioners on, best practices for securing source code management platforms, including GitHub and GitLab.
OpenSSF’s Alpha-Omega Project granted $530,000 to the Internet Security Research Group (ISRG), the parent organization of Prossimo, to bring memory safety to critical components of the Internet. The Alpha portion of Alpha-Omega is collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. The grant to Prossimo is earmarked to advance the functionality and scalability of the Rustls TLS library and the Rust for Linux effort.
The OpenSSF also recently released updates to Scorecard, its automated tool for measuring the security status of OSS projects. Scorecard now supports GitLab in addition to GitHub, and its analyses have received many improvements.
In support of the DARPA AI Cyber Challenge (AIxCC), a two-year competition aimed at driving innovation at the nexus of AI and cybersecurity to create a new generation of cybersecurity tools, the OpenSSF is serving as a challenge advisor. Open Track registration opens on November 1st.
Recently, the US Federal Government issued a Request for Information (RFI) on Open Source Software Security, originating from the Open-Source Software Security Initiative (OS3I), an interagency working group created to improve OSS security. The OpenSSF plans to reply to the RFI and encourages all stakeholders to respond as well. The US Cybersecurity and Infrastructure Security Agency (CISA) also recently released an Open Source Software Security Roadmap; the OpenSSF is uniquely positioned to assist with that roadmap in securing open source software for the public good.
Last week, the OpenSSF brought together US Government (USG) officials from the National Security Council (NSC), the Office of the National Cyber Director (ONCD), and CISA, among others, with industry leaders at the Secure Open Source Software (SOSS) Summit 2023. Participants discussed the security challenges of consuming OSS in critical infrastructure sectors and beyond, and highlighted the shared responsibility needed to ensure the resilience of OSS in critical infrastructure.
General Member Quotes
Never before has so much attention been focused on open source software and its impact on modern application development and security. We founded our business with the belief that OSS is fundamental in creating world-changing applications. That’s why we’re excited to join OpenSSF and take on a more active role in helping to educate the open source community about the importance of open source security.
– Jeff Martin, Vice President of Product, Mend.io
As the world’s largest aerospace and defense company, RTX and our more than 180,000 global employees are pushing the limits of technology and science to redefine how we connect and protect our world. Through our industry-leading businesses – Collins Aerospace, Pratt & Whitney, and Raytheon – we are advancing aviation, engineering integrated defense systems for operational success, and developing next-generation secure software solutions to help global customers address their most critical challenges. Joining the OpenSSF community strengthens our ability to solve the hardest problems in aerospace and defense, and it continues our long history of Open Source participation – ranging from project contributions to active leadership on various Open Source software projects and communities.
– Nora Tgavalekos, VP of Product Cybersecurity, RTX
Shopify has already been actively participating in several OpenSSF working groups, but now we’re very proud to formally become an OpenSSF member. Shopify could not have been built without open source software, and the OpenSSF is playing a key role in keeping open source as the obvious choice for tomorrow’s entrepreneurs as well.
– Mike Dalessio, Director of Engineering, Shopify
At Slim, the bedrock of our endeavors is software supply chain security, with open source serving as the essential framework supporting our solutions. Our affiliation with OpenSSF is a strategic move to deepen our ties with the community. Together, we aim to enhance the security of vital software by promoting best practices and pioneering initiatives. This commitment not only elevates industry standards but ensures everyone benefits from secure, dependable, and trustworthy software.
– John Amaral, CEO, SlimAI
Stacklok is excited to announce our engagement with the OpenSSF. As a company led by founders of efforts including Kubernetes, CNCF and Sigstore, we have a deep appreciation for the power of community-centric open source. We believe that it will take a village to address the increasingly sophisticated threats emerging in the supply chain segment and are proud to engage with and participate in this key community.
– Craig McLuckie, CEO and Co-Founder, Stacklok
Associate Member Quote
The Rust Foundation is an independent, nonprofit organization dedicated to the performance, safety, and sustainability of the Rust programming language and its global community. OpenSSF has been a prominent advocate of the Rust Foundation’s work to bolster the security of Rust, most notably through Alpha-Omega’s generous funding of our Security Initiative. We are thrilled to solidify our relationship with OpenSSF through this Associate Membership and we look forward to working collaboratively for the good of the entire open source landscape.
– Rebecca Rumbul, Executive Director & CEO, Rust Foundation