The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important software supply chain security initiatives, has announced many new members from leading technology firms in sectors that span software development, cybersecurity, data science, platform as a service, semiconductors, finance, think tanks, academia, and more, bringing the total number of OpenSSF members to over one hundred.
New general member commitments include those from Airbyte, Anaconda, Boostsecurity, ControlPlane, Cybozu, Docker, Endor Labs, FOSSA, HackerOne, Phylum, Qualys, Trail of Bits, VicOne, and AMD Xilinx. New associate members include FS-ISAC, OpenForum Europe, and Nanyang Technological University.
“We are delighted to welcome new members to the OpenSSF,” says Brian Behlendorf, General Manager of OpenSSF. “As attacks continue to target critical infrastructure, both industry and governments around the world are paying attention and are proactively seeking ways to improve the security posture of the open source software we all depend on.”
The latest commitments follow a productive period for OpenSSF in which the foundation has announced Sigstore general availability, new investments from Alpha-Omega, new features in Scorecards, concise guides from the Best Practices Working Group for developing more secure software and for evaluating open source software, and an expanded set of technical initiatives, including a new End Users Working Group, a Software Bill of Materials (SBOM) Everywhere Special Interest Group (SIG), a Secure Supply Chain Consumption Framework SIG, and much more.
Today, OpenSSF hosts OpenSSF Day Japan at the Open Source Summit Japan in Yokohama, where community members lead sessions about ongoing work to secure the software supply chain and the future of open source security. As part of this conference, OpenSSF announces that the free Developing Secure Software training course, which covers the fundamentals of developing secure software, is now available in Japanese.
“We are excited to join the Open Source Security Foundation’s growing community. As a data infrastructure company that is both a user of open source software and a host of a thriving open source project, Airbyte is particularly sensitive to the data protection needs that exist up and down the supply chain. We are as thrilled to be collaborating on the evolution of open source security standards as we are to support and learn from the experiences of others in the OpenSSF network,” said Patsy Bailin, Head of Data Policy, Airbyte.
“We are excited to be a sponsor and contributing member of this important foundation. We are committed to securing open source software and providing maintainers, users, and administrators the tools needed to secure open source. With more than 30 million users of Anaconda Distribution and our repository of packages built from source, we are highly dedicated to the advancement of the open-source community and recognize, as do the other members of this foundation, that it will take all of us working together in the open to secure the future of open-source software,” commented Stephen Nolan, SVP of Product, Anaconda.
“The software supply chain, and in particular the open source ecosystem, finds itself today in front of a big challenge: how to secure, and regain trust in, the software that the world uses…Solving this will require lots of innovation, collaboration among, and determination to keep ‘chipping away at it’ – one piece at a time. BoostSecurity believes that software supply chain security should be accessible and consumable by companies of all sizes and at all levels of security maturity and capabilities, and we are proud to do our part in this endeavour. We are eager to work with the OpenSSF and its member companies to make the world’s software factory more secure,” said Zaid Al Hamami, Founder and CEO, BoostSecurity.
“Open source software is the engine of innovation for enterprises and governments across the globe. Its proliferation brings opportunity, but increases exposure in the face of the modern threat landscape. ControlPlane is committed to advancing cross-industry collaboration through the OpenSSF to systematically reduce risk for a more secure technological future,” said Andrés Vega, Vice President of Operations, North America, ControlPlane.
“As a company whose vision is to build a society brimming with teamwork, we are excited to be joining OpenSSF to work together to strengthen the security of the open source software ecosystem. The challenge is not just to make our cloud service secure, but to collaborate across the industry to improve the security of the software supply chain as a whole. We look forward to working with OpenSSF members on this project and building a more secure future,” said Takuya Yoshikawa, Cloud Service Department Manager, Cybozu.
“Docker has been working on supply chain security for many years, and is excited to join OpenSSF to work more closely with the communities there. As a developer-focused company with many millions of users and customers, Docker recognises that security work falls to developers to implement, and they need help, support and tooling to improve the security of the world’s software that they develop and consume. Docker has been working with upstream open source communities for many years, through initiatives like Docker Official Images and Docker Verified Publishers that are used and trusted by millions of developers. Joining OpenSSF is part of our commitment to expand the work we are doing in this space, and work even more closely with the other communities and companies involved in the essential work of securing open source software,” said Justin Cormack, CTO, Docker.
“Eighty percent of the code in modern applications is code your developers didn’t write but depend on through open source packages. When our founding team was leading the Prisma Cloud engineering group at Palo Alto Networks, we realized the true magnitude of this issue. Our mission now is to enable OSS to live up to its true potential without introducing unnecessary risk. It’s exciting to once again take a new approach to the market, and we believe these solutions will radically enhance application development everywhere. The OpenSSF is leading the charge on open source security. They are establishing a trust-based partnership with any organization that relies on open source, with the goal of making open source use scalable and secure, while helping the community thrive. These ideals align perfectly with ours, which is why we’re so excited for this partnership,” explained Varun Badhwar, CEO and Co-Founder, Endor Labs.
“FOSSA is proud to join the 100+ other members of the OpenSSF community in our shared mission to advance open source security. We’re excited to get to work with the other remarkable leaders in the foundation, and share our expertise across the software supply chain, especially mitigating the risks associated with open source license violations and security vulnerabilities. Everything we do at FOSSA is for the love of open source, and in support of the massive positive impact it has on innovation and equality for our customers. Our support for and participation in OpenSSF is another example of that commitment,” said Kenaz Kwa, VP of Product, FOSSA.
“Open source software is foundational to our digital world and, just as we all benefit from open source, we must collectively contribute to its security. Log4Shell demonstrated the devastating impact of open source vulnerabilities, if not properly addressed, on organizations and their software supply chains. For too long, only a small but vital group of volunteers have helped secure open-source projects for the entire internet. We launched the Internet Bug Bounty to fund the security of open-source projects to address this challenge, and we view OpenSSF as a critical teammate in building toward the same vision of a safer internet. We are proud to join OpenSSF and support project maintainers, developers, and security teams to reduce the impact of Log4Shell and vulnerabilities like it,” commented Kayla Underkoffler, Senior Security Technologist, HackerOne.
“We are excited to be a contributing member of the Linux Foundation and to support OpenSSF’s mission. At Phylum, we are doing our part to secure the universe of code by automating software supply chain security to block new risks, prioritize existing issues and allow organizations to only use open-source code that they trust,” said Patrick Sheehan, CRO, Phylum.
“Open-source software is at the very core of Trail of Bits. We make our tools open source with the aspiration that organizations can use them to tackle their security challenges, including those within the software supply chain. When our engineers and researchers work on a problem, it’s likely that the solution will benefit the entire community, not just a given customer. We consider it of strategic importance that we make our in-house knowledge available, so issues can be solved at large. To that end, we’ve built tools that automatically build a dependency graph and SBOM, find various issues in Python, and enable code signing and verification. We plan to build on these accomplishments as a general member of OpenSSF, and look forward to collaborating with other organizations in the pursuit of making open-source software as secure as possible,” commented Dan Guido, CEO, Trail of Bits.
“Modern electronic vehicles adopt more and more open source software, and it’s becoming a regular target of hackers. The security concerns have been raised in regulations such as UN R155 and ISO/SAE 21434. Powered by Trend Micro’s 30+ years of experience in cybersecurity, VicOne, as an automotive cybersecurity expert, will help our OEM/Tier-1 customers to strengthen data security practices and comply with international standards and regulations, including proactive monitoring of new cybersecurity incidents, open source vulnerability assessment, prioritization, and SBOM management,” said Terence Wang, Director of Product Management, VicOne Inc.
“AMD is excited to join the Open Source Security Foundation to contribute to and stay on top of the latest open source security standards, including tooling, best practices, and other standards. AMD is committed to driving the adoption of open source software, and joining OpenSSF will be critical to helping to ensure that AMD’s open source software releases are using the latest security standards accepted by the open source community. It will also provide additional confidence for our customers that not only is our software open sourced, but it is also secure,” said Nathan Menhorn, Sr. Product Security Engineer, AMD.