The Open Source Security Foundation (OpenSSF), an offshoot of the Linux Foundation focusing on sustainably securing open source software, has announced a raft of new members as well as a series of guiding principles for secure software development. The announcements were made at OpenSSF Day Japan, held as part of the Open Source Summit in Tokyo, Japan.
OpenSSF's new additions comprise leading technology companies, Patchstack, SparkFabrik, and TestifySec, as well as ISC2. The growing membership, which now stands at 120, emphasises the increasing recognition of the importance of investing in open-source security. "We're delighted that our new members are joining the OpenSSF," said Omkhar Arasaratnam, General Manager of the OpenSSF. He stressed the significance of their support in tackling the crucial task of securing open source software.
As part of their OpenSSF Day Japan presentations, OpenSSF revealed their Secure Software Development Guiding Principles. These set out essential practices, providing better security assurance for organisations implementing them. Software producers and suppliers can pledge to align with these fundamental measures and incorporate them into their development cycles.
Two new guides, additionally available in Japanese, were also introduced. One is for open source projects interested in issuing and managing their own CVE IDs via the CVE Numbering Authority program. The other, the Compiler Options Hardening Guide for C and C++, is intended to assist developers in making informed decisions about compiler options to fortify their software against memory-safety issues and other software defects.
In cooperation with LF Energy, OpenSSF published a whitepaper earlier this week arguing that open source software is vital for innovating and transforming the energy infrastructure. They challenged common misconceptions that contrast open source software with robust cyber defence, arguing that it can actually offer a strong guard against cyber threats.
The Alpha-Omega Project has revealed its plans to aid Homebrew in reaching SLSA Build Level 2 and to continue supporting the Rust Foundation security initiative in 2024. The Project also expressed contentment with the outcomes of earlier grants, with the OpenJS Foundation revealing that an end-user audit showed three-quarters of a billion websites are running outdated software.
In further collaborative efforts, OpenSSF has responded to the US Federal Government's Request for Information on Open Source Software Security and is contributing to the Defense Advanced Research Projects Agency’s AI Cyber Challenge. This focuses on bringing innovation to the intersection of AI and cybersecurity to produce a new generation of cybersecurity tools.