Growing Member Base and New Initiatives Continue to Advance Open Source Software Security
Tokyo, Japan, December 4, 2023 – The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), announced new members from leading technology firms and a new set of Secure Software Development Guiding Principles at OpenSSF Day Japan.
New OpenSSF general members include Patchstack, SparkFabrik, and TestifySec. New OpenSSF associate member, ISC2, also joins. OpenSSF ends the year with 120 members as technical communities continue to emphasize the importance of investing in open-source security. They acknowledge the crucial role of supporting and sustaining open source communities to uphold a robust, lively, and secure open source ecosystem.
“We’re delighted that our new members are joining the OpenSSF,” said Omkhar Arasaratnam, General Manager of the OpenSSF. “Securing open source software is a formidable task, and we look forward to their partnership.”
Today, the OpenSSF hosts OpenSSF Day Japan at Open Source Summit Japan in Tokyo. OpenSSF Day is an exciting opportunity for maintainers, contributors and others in cybersecurity to learn more about ongoing efforts to secure the open source software ecosystem. Highlights on the schedule include sessions with more than 20 experts on trends of exploited OSS vulnerabilities, malicious packages repo, SBOM policy for Japan’s industry sector, global collaboration in open source security, and more. A panel will explore navigating open source, open standards, and government directives for better cybersecurity.
At the start of OpenSSF Day Japan, OpenSSF released the Secure Software Development Guiding Principles that describe a series of foundational practices to help provide better assurance and security for organizations leveraging them. Producers and suppliers of software can pledge to align with this set of core practices and follow them throughout their development lifecycles.
The OpenSSF also introduced two new guides that have also been translated into Japanese. One is a new guide for open source projects that are interested in issuing and managing their own CVE IDs through the CVE Numbering Authority (CNA) program. The other is a Compiler Options Hardening Guide for C and C++ designed to help developers make informed choices regarding compiler options to harden their software against memory-safety issues and other software defects.
Earlier this week, LF Energy and OpenSSF jointly published a new whitepaper on how open source software is critical to the innovation and transformation of our energy infrastructure. Contrary to common misconceptions, OSS offers not just affordability and adaptability but also a robust shield against cyber threats.
The Alpha-Omega Project recently announced grants to help Homebrew reach SLSA Build Level 2 and continued support of the Rust Foundation security initiative in 2024. Alpha-Omega is also pleased to see sustained impact from earlier grants: the OpenJS Foundation announced the results of an end-user audit based on an IDC survey that shows three-quarters of a billion websites are running out of date software and the Eclipse Foundation finished an audit of the Mosquitto project.
These latest announcements build on collaborative efforts already underway at OpenSSF, most recently including a response to the US Federal Government Request for Information (RFI) on Open Source Software Security and support for the Defense Advanced Research Projects Agency (DARPA) on the AI Cyber Challenge (AIxCC) – a two-year competition aimed at driving innovation at the nexus of AI and cybersecurity to create a new generation of cybersecurity tools.
Additional updates on OpenSSF projects and milestones can be found here.
General Member Quotes
"Our goal has always been to make the open source security more accessible to small and midsize enterprises (SMEs). As a company, we’ve been a firm believer in the community & collaboration, which resonated with us immediately as we were invited to join the OpenSSF family. Patchstack runs an active open source bug hunting community (Patchstack Alliance) where ethical hackers are rewarded for reporting new security vulnerabilities found in open-source software. We are the global leader of open source vulnerability intelligence, ranking #1 as a CNA in 2023 for the highest number of CVEs processed. Patchstack offers vPatches to its SaaS customers which allows them to auto-mitigate production applications from all of the latest vulnerabilities to immediately reduce exposure. We are determined to cover the entire lifecycle of open source vulnerabilities. We see the OpenSSF membership as a logical next step to give back to the community, share our knowledge, data, and further educate the SME market about open source & supply chain security."
- Oliver Sild, Co-Founder & CEO, Patchstack"As an organisation based on Open Source values and already a dynamic member of CNCF and LFE, SparkFabrik is excited to join OpenSSF. Our expertise focuses on Cloud Native applications and is based on Open Source software. We are committed to the dissemination, promotion and protection (we actively support the Linux Foundation Europe’s #FixTheCRA campaign) of Open Source, which we see as a driver for transformation. We have long focused on the importance of Software Supply Chain Security, for individual organisations and for the common fabric that individuals create. Joining OpenSSF, we are committed to supporting the development of best practices within this key community, to disseminate and produce frameworks that underpin the solutions we want to offer."
- Paolo Mainardi, CTO and co-founder, SparkFabrik"TestifySec is dedicated to the belief that everyone deserves secure software. OpenSSF perfectly embodies this value. Open source software should not only be secure but also utilize open and shared methods and tools. Having actively contributed to ongoing Technical Initiatives, we are thrilled to officially become a member of OpenSSF. We look forward to continuing our journey with OpenSSF, contributing to a more secure software landscape for all."
- John Kjell, Director of Open Source, TestifySec
Associate Member Quote
"Secure open source code is critical, as it is the bedrock of so much innovation around the globe. By joining the OpenSSF, ISC2 is dedicated to ensuring developers have access to the education and training they need to deliver more secure and resilient solutions."
- Clar Rosso, CEO, ISC2
Additional Resources
###
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.
About the Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
Media Contact
Jennifer Bly, OpenSSF