#SLSA

Latest posts tagged with #SLSA on Bluesky


Posts tagged #SLSA

Trusted Build Platform: Achieving SLSA Compliance

https://beefed.ai/en/trusted-build-platform-slsa

#Slsa #ProvenanceAttestation #SlsaCompliance #Intoto #BuildPlatform


🔒 Chainguard expands its repository with more secure open-source libraries

Access secure Java, JavaScript and Python components compatible with

devops.com/chainguard-expands-repos...

#SupplyChainSecurity #SLSA #OpenSource #RoxsRoss

Initial release of mishmash io Open source stacks for distributed computing · mishmash-io distributed-computing-stacks · Discussion #472 Initial release of mishmash.io distributed computing stacks A first public release of some of mishmash.io stacks for distributed computing. It contains: stacks for base quorum computing, client and...

Conventional wisdom dictates "Thou shalt not #ReleaseOnFriday," but we all like to challenge conventional wisdom, don't we?😀

So today, Friday the 13th, two firsts:
🥇first release of our #OpenSource stacks for distributed computing
🥇first packages with #BuildProvenance for #SLSA #SupplyChainSecurity


Good Morning☕😏✌️... Happy Friday 🇦🇺🟥🟨🌥️🏄‍♂️☮️👊
#Sydney #BondiBeach #Bondiripper #Australia #SLSA


Good Morning ☕😏✌️Happy Thursday🇦🇺🟥🟨🌤️🏄‍♂️☮️👊
#Sydney #BondiBeach #Australia #SLSA


Good Morning ☕😏✌️... Happy Wednesday 🇦🇺🟥🟨😎🏄‍♂️☮️👊
#Sydney #Australia #BondiBeach #SLSA #BondiRipper


🔧 Make the Most of Your Docker Hardened Images Enterprise Trial – Part 3

Customize your hardened images and take security

www.docker.com/blog/making-the-most-of-...

#DockerHardened #SupplyChainSecurity #SLSA #Docker #RoxsRoss


Back on Surf Lifesaving Patrol @KingstonBeach #SLSA #Tas


First day of surf patrols at #KingstonBeach #Tasmania #SLSA #SLSTas .

The same low that brought all the snow the last three days whipped up some solid swell for Hobart’s usually sheltered beaches.


christmas decorations in the mortlock chamber, state library of south australia

#australia #southaustralia
#SLSA #architecture #heritagearchitecture

OpenSSF Newsletter – December 2025

Welcome to the December 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

## TL;DR:
* 2025 OpenSSF Annual Report
* Free OpenSSF and Linux Foundation Education Courses
* Recap: OpenSSF Community Day Korea 2025
* KubeCon Keynote Recap
* OpenSSF at OSPOlogyLive Europe
* New podcast episodes (#46–47): AI, open source & collaboration (Jay White, Microsoft) and supply chain security in academia (Justin Cappos, NYU)
* Alpha-Omega strengthened SBOM tooling and FreeBSD security
* Gemara site launched
* SecurityCon NA session videos now online
* SLSA v1.2 adds a new Source Track
* OpenBao v2.4.4 released
* Upcoming events: FOSDEM (31 Jan & 1 Feb 2026), Open Source SecurityCon (23 March 2026), KubeCon+CloudNativeCon Europe (23-26 March 2026)

## 2025 OpenSSF Annual Report
Discover how the open source security community moved forward in 2025. The OpenSSF Annual Report highlights major achievements in education, tooling, vulnerability management, research, and global collaboration with insights from leadership and working groups. It’s a powerful look at how far we’ve come and where we’re headed as we work together to strengthen the security of open source software. Download the 2025 OpenSSF Annual Report and explore the progress, impact, and vision shaping the future of open source security.

## Blogs: What’s New in the OpenSSF Community?

### From Beginner to Builder: Free OpenSSF and Linux Foundation Education Courses
Level up your open source security skills with this practical roundup from Ejiro Oghenekome and Sal Kimmich, CSM, a curated list of free, self-paced Linux Foundation Education and OpenSSF courses built for developers who want to contribute with confidence. From secure coding and threat modeling to OpenSSF Scorecard automation, SBOMs/signatures, and even essential context like ethics, inclusion, and new regulations, this blog post maps out clear learning paths you can start right away, before (or alongside) your next contribution. Read the blog.

### Recap: OpenSSF Community Day Korea 2025
OpenSSF Community Day Korea 2025, held on November 4 in Seoul, brought developers and security engineers together for practical sessions on open source and software supply chain security. Talks spanned CI/CD hardening, SBOM-driven tooling, Linux kernel testing, post-quantum cryptography, and AI/ML security, all framed by OpenSSF’s pillars of Education, Policy, Projects, and Community. The event marked a strong start for a growing OpenSSF community in Korea, with public, private, and academic stakeholders aligning around the message that securing open source is shared work. Read the recap blog.

### KubeCon Keynote Recap: “Supply Chain Reaction” and Why the OSPS Baseline Matters More Than Ever
How can a Kubernetes cluster with zero known vulnerabilities still be compromised? In their KubeCon keynote “Supply Chain Reaction: A Cautionary Tale in K8s Security,” Stacey Potter (Community Manager, OpenSSF) and Adolfo García Veytia (Founder and Engineer, Carabiner Systems) walked through a realistic incident where a compromised compiler image injected a crypto-mining payload long before workloads reached the cluster, bypassing traditional defenses. They showed how tools like SLSA, Sigstore, Kyverno, and Ampel help secure the entire software lifecycle, and why the new Open Source Project Security (OSPS) Baseline with its eight control families and three maturity levels gives projects a practical, stepwise framework to resist invisible supply-chain attacks. The talk makes a clear case: adopting the OSPS Baseline is now essential for any open source project that wants real, preventative supply-chain security. Learn more.

### OpenSSF Projects in Less Than 5 Minutes
Short on time but curious about open source security tools? This video series features quick interviews with OpenSSF maintainers, giving you a fast, developer-focused look at the projects, standards, and initiatives they’re building. Hear directly from the people behind the code and discover which tools you might want to try next. Watch the videos here.

### OpenSSF at OSPOlogyLive Europe
Madalin Neag, EU Policy Advisor at OpenSSF, participated in OSPOlogyLive Europe, where he presented The Cybersecurity Skills Framework and discussed why securing software requires investing in people and shared security knowledge, not just technology. The session highlighted OpenSSF’s leadership in building practical, role-based security capabilities across engineering teams. The framework provides a clear, actionable map for identifying security skill gaps and prioritizing capability development across the software ecosystem. It also demonstrated how organizations can use a common language for security skills to systematically improve their cybersecurity posture.

## What’s in the SOSS? An OpenSSF Podcast:

**#47 – S2E24 Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos**
On the latest episode of _What’s in the SOSS_, host Yesenia Yser sits down with **Justin Cappos**, professor at **NYU Tandon School of Engineering**, to discuss why software supply chain security is still missing from many university curricula and how hands-on, open source first education can better prepare students for real world security work. The conversation explores gaps in traditional computer science education, the importance of teaching open source collaboration, and how initiatives like the Linux Foundation’s **Academic Computing Accreditation Program** are helping institutions modernize security education. Listen to the episode and learn more about the Academic Computing Accreditation Program: https://www.linuxfoundation.org/academic-computing-accreditation

**#46 – S2E23 Securing the Future: AI, Open Source, and Collaboration with Jay White (Microsoft)**
In this episode of What’s in the SOSS? Jay White from Microsoft’s Azure office of the CTO joins to talk about his path into open source and how it led him to focus on AI, machine learning, and security. He explains how model signing and transparency are becoming core to trustworthy AI, and shares ongoing work in OpenSSF and the Coalition for Secure AI (CoSAI) to build standards for AI supply chain security. The conversation touches on the challenges of cultural representation in AI models, why collaboration across companies and communities is essential, and how practitioners can get involved. Jay also reflects on the importance of community building and continuous learning as AI and open source evolve together.

## News from OpenSSF Community Meetings and Projects:
* Recent Alpha-Omega supported work includes documenting package manager data across 70+ ecosyste.ms to improve tooling and SBOM generation, and strengthening FreeBSD’s software supply chain through machine-readable dependency inventories and long-term security planning.
* Gemara now has a website published at https://gemara.openssf.org/.
* The Global Cyber Policy WG and Core Toolchain Infrastructure project provided quarterly updates to the TAC.
* The Securing Software Repositories WG is planning a Package Manager Security Forum for February 2 in Brussels.
* Videos of all sessions from Open Source SecurityCon North America are now available.
* SLSA released v1.2 with the introduction of the Source Track that covers threats from the authoring, reviewing, and management of source code.
* OpenBao released v2.4.4.
* OpenSSF will have a stand at FOSDEM and is collaborating on the CRA in Practice, SBOM and EU Policy Dev Rooms.

## In the News:
* Dark Reading published expert commentary from Christopher Robinson after speaking to him about OpenSSF’s work categorizing 150,000 malicious npm packages. CRob notes the importance of MFA and artifact signing to verify that code is secure here: “Infamous Shai-hulud Worm Resurfaces From the Depths.”
* In a Forbes article about the value of inclusive and resilient financial systems, Christopher Robinson of OpenSSF and Michael Lieberman of Kusari are included for their thoughts on secure fintech systems. Both suggest that open source software can play an important role in the future of finance, down to the code, and the Open Software Security Baseline is referenced in the article, “Secure By Design: Financial Systems For Climate Resilience.”
* This month VMblog published Christopher Robinson’s cybersecurity predictions for 2026. CRob points out the importance of MLSecOps, SBOMs, and more in the article, “Five cybersecurity predictions for 2026.”

## Meet OpenSSF at These Upcoming Events!
Connect with the OpenSSF Community at these key events:
* FOSDEM 2026 – January 31 & February 1, 2026
* Open Source SecurityCon Europe – March 23, 2026
* KubeCon Europe – March 23 – 26, 2026
* OpenSSF Community Day North America – May 21, 2026

Ways to Participate: There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here. You’re invited to…
* Join a Working Group or Project
* Chat with us on Slack
* Follow us on X, Mastodon, Bluesky, and LinkedIn

## See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here! Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! Regards, The OpenSSF Team

Sunday at #Bridport #Tasmania for senior surf life saving competitions #SLSA

Left side says We Love Open Source. #WeLoveOpenSource. ATO. A community education resource from All Things Open. Right side has a sheep with a wolf's head.

🚀 NEW on We ❤️ Open Source 🚀

Brett Smith breaks down how SLSA helps your CI/CD robots protect digital sheep from supply chain threats. From EO 14028 to real-world security.

Read: allthingsopen.org/articles/sup...

#WeLoveOpenSource #SLSA #Cybersecurity #DevSecOps #OpenSource

Supply Chain Security Unpacked: Combating Dependency Confusion & Poisoned Pipelines

Episode Notes:

The software supply chain, the "backbone of modern software development," is under unprecedented assault, with attacks aimed at libraries and development tools soaring by an astounding 633% year-over-year. This episode explores the evolution of supply chain threats, examining everything from software vulnerabilities and malicious maintainers to hidden risks lurking in hardware and commercial binaries, and details the cutting-edge defenses developers are deploying to fight back.

The Evolving Threat Landscape: Implicit Trust Exploited

Modern attacks exploit the implicit trust developers place in package managers and public repositories. Key threats discussed include:
- Dependency Confusion: First identified by Alex Birsan, this attack exploits package managers that prioritize packages found in public repositories (especially those with a higher version number) over identically named private packages. Attackers use reconnaissance to pinpoint internal package names (often by examining manifest files like package.json), publish a malicious package with the same name and a higher version to a public repository, and wait for the target application's build process to pull and execute the malicious code. Vectors for this attack include exploiting namespaces, DNS Spoofing, and manipulating CI/CD security settings.
- Widespread Malware and Stolen Secrets: The npm ecosystem was recently hit by the self-replicating "Shai-Hulud" worm, which compromised over 500 packages and harvested sensitive credentials, including GitHub Personal Access Tokens (PATs) and API keys for cloud services like AWS, GCP, and Microsoft Azure. Stolen credentials remain a reliable attack vector, leading to incidents where attackers published malicious code on behalf of trusted entities (e.g., Nx, rspack).
- Poisoned Pipelines and Malicious Maintainers: Highly sophisticated attackers are compromising build and distribution systems directly, bypassing code reviews. This includes notorious attacks like SolarWinds and compromises targeting GitHub Actions pipelines (e.g., Ultralytics and reviewdog/actions-setup). Furthermore, the XZ Utils backdoor highlighted the risk of malicious maintainers who build trust over years before inserting sophisticated backdoors into critical open-source projects.
- Code Rot and Vulnerable Open Source: A survey of popular open-source packages found them rife with vulnerabilities, with an average of 68 vulnerabilities across 30 packages scanned, including many critical and high-severity flaws. Even actively maintained, high-traffic packages like Torchvision contained dozens of vulnerabilities, despite frequent updates.

Defense and Verification: Making Trust Explicit

To counter these escalating threats, the industry is focusing on making trust assumptions explicit and verifiable:
- Supply-chain Levels for Software Artifacts (SLSA): SLSA is a security standard that helps consumers verify the process by which an artifact was created using a signed provenance file. Achieving Level 3 compliance involves stringent build platform hardening to prevent the forgery of provenance files.
- Trusted Publishing and Attestations: Platforms like PyPI have implemented Trusted Publishing, which removes the need for developers to manage long-lived API tokens by utilizing short-lived OIDC tokens issued by the build platform. Building on this, digital attestations (driven by PEP 740) cryptographically bind published packages to their build provenance using Sigstore.
- CI/CD Security Tools: Tools like Zizmor perform static analysis for GitHub Actions to flag subtle vulnerabilities like template injection or dangerous triggers. Capslock is an experimental tool used for Go language packages that statically identifies capabilities (like network access or file system operations), allowing developers to verify what code can actually do, regardless of where it came from.
- Preventing Confusion: Developers can mitigate Dependency Confusion through strict naming conventions, proactively reserving namespaces (or "namesquatting" on platforms like PyPI), utilizing private package repositories with stringent access controls (RBAC/MFA), and enforcing package whitelisting and version locking using files like package-lock.json.
- Verifying Commercial Binaries: Risks also lurk in closed-source commercial software ("black-box" binaries). The compromise of Justice AV Solutions (JAVS) demonstrated how malware (RustDoor) can be implanted in a backdoored installer; sophisticated tools like differential analysis are necessary to detect signs of tampering and unvetted files (such as the typosquatted ffmepg.exe). Organizations must adopt a "Don't Trust, but Verify" approach to all software received from suppliers.
- The Future of Vulnerability Management: The cybersecurity community is moving beyond sole reliance on CVEs, especially following the NVD backlog experienced in 2024. Comprehensive security now requires visibility into threats like malware, tampering, secret leaks, and lack of hardening, rather than just known vulnerabilities. NIST SP 800-204D outlines crucial strategies for integrating SSC security measures, including generating provenance data, into DevSecOps CI/CD pipelines.

Relevant Links and Resources:
- Learn more about Dependency Confusion Prevention and DevSecOps Orchestration: https://approov.com/
- NIST SP 800-204D: Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines: https://doi.org/10.6028/NIST.SP.800-204D

Keywords: Software Supply Chain Security, Dependency Confusion, Hardware Trojan, SLSA Framework, CI/CD Pipeline Security, DevSecOps, Trusted Publishing, PyPI, npm, Zizmor, Build Provenance, Side-Channel Attacks, Malware, Cryptojacking, NVD Backlog, Digital Attestations, Zero Trust.

📣 New Podcast! "Supply Chain Security Unpacked: Combating Dependency Confusion & Poisoned Pipelines" on @Spreaker #approov #appsec #ci_cd #cybersecurity #dependencyconfusion #devsecops #nist #slsa #softwareintegrity #supplychainsecurity #threatintelligence

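The dependency confusion mechanics and the "Preventing Confusion" mitigations in the episode notes above, turned into a concrete lockfile check. This is an added example, not code from the podcast, from Approov, or from any project it names. The package-lock.json, the @acme scope, the registry host npm.internal.example.com and the public-registry snapshot are all constructed for it; in practice the snapshot comes from querying the public registry's metadata endpoint for each internal name.

```python
"""Audit an npm package-lock.json for dependency confusion exposure.

Added example (not the podcast's or Approov's code). Three checks, one per
mitigation in the episode notes: internally scoped packages must resolve to
the private registry (version locking only helps if the lock points at the
right place), every entry must carry an integrity hash, and no internal
name may already be claimed on the public registry.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlparse

PRIVATE_SCOPES = ("@acme/",)                           # assumed internal scope
PRIVATE_REGISTRY_HOSTS = {"npm.internal.example.com"}  # assumed private registry

# Constructed package-lock.json (lockfileVersion 3 layout). @acme/metrics has
# been pulled from the public registry at an implausibly high version: the
# higher-version trick described in the notes. lodash has no integrity hash.
LOCKFILE = json.loads(r"""
{
  "name": "billing-service",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "billing-service",
         "dependencies": {"@acme/auth": "^2.1.0", "@acme/metrics": "^1.0.0",
                          "lodash": "^4.17.21"}},
    "node_modules/@acme/auth": {
      "version": "2.1.0",
      "resolved": "https://npm.internal.example.com/@acme/auth/-/auth-2.1.0.tgz",
      "integrity": "sha512-7uYJwConstructedHashForTheExample=="
    },
    "node_modules/@acme/metrics": {
      "version": "99.0.1",
      "resolved": "https://registry.npmjs.org/@acme/metrics/-/metrics-99.0.1.tgz",
      "integrity": "sha512-Qm3ksConstructedHashForTheExample=="
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
    }
  }
}
""")

# Constructed snapshot of what the public registry serves for these names.
PUBLIC_INDEX = {"@acme/metrics": "99.0.1", "lodash": "4.17.21"}


@dataclass(frozen=True)
class Finding:
    kind: str
    package: str
    detail: str


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (innermost package name)."""
    return path.rsplit("node_modules/", 1)[-1]


def is_private(name: str) -> bool:
    return name.startswith(PRIVATE_SCOPES)


def audit_lockfile(lockfile: dict, public_index: dict) -> list[Finding]:
    findings = []
    for path, entry in lockfile.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name(path)
        host = urlparse(entry.get("resolved", "")).hostname

        # A pinned version without a hash can still be swapped for other bytes.
        if not entry.get("integrity"):
            findings.append(Finding("missing-integrity", name,
                                    "no integrity hash in lockfile"))

        if is_private(name):
            # Internal names must never be fetched from anywhere but our registry.
            if host not in PRIVATE_REGISTRY_HOSTS:
                findings.append(Finding("public-resolution", name,
                                        f"resolved from {host} at version "
                                        f"{entry.get('version')}"))
            # Someone has published our internal name publicly: the confusion setup.
            if name in public_index:
                findings.append(Finding("name-claimed-publicly", name,
                                        f"public registry serves {public_index[name]}"))
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(LOCKFILE, PUBLIC_INDEX):
        print(f"{f.kind:<24} {f.package:<16} {f.detail}")
```

A `public-resolution` finding is the live confusion case: the build installed an internally named package from the public registry. Pinning the scope to the private registry in .npmrc (`@acme:registry=https://npm.internal.example.com/`) removes that resolution path, and reserving the name on the public registry, as the notes suggest, closes the `name-claimed-publicly` gap even for builds that are misconfigured.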
SLSA: Industry-Driven Guidelines for Software Supply Chain Security | OpenSSF Project Spotlight (YouTube video by OpenSSF)

🌟 New OpenSSF Project Spotlight 💃

In this interview, SLSA Steering Committee member Tom Hennen (Google) breaks down how SLSA is helping organizations strengthen trust across the software supply chain.

Watch the full Project Spotlight:
🔗 www.youtube.com/watch?v=gdYl...

#OpenSSF #SLSA #OSSSecurity

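The episode notes further up describe SLSA as letting a consumer "verify the process by which an artifact was created using a signed provenance file", and the spotlight above is about the trust that provides. What the consumer actually checks once the provenance has been decoded, as an added example that is not code from the podcast, the interview, or the SLSA project: the subject digest must match the bytes downloaded, and the builder, build type and source must be ones the consumer has chosen to trust. Verifying the signature on the DSSE envelope (what cosign and Sigstore tooling does) is assumed to have happened already and is not implemented here. The artifact bytes, the statement, the builder id, the build type and the repository URI are all constructed for this example.

```python
"""Consumer-side policy check over a SLSA v1 provenance statement.

Added example, not the SLSA project's code. The statement below follows the
in-toto Statement v1 / SLSA provenance v1 layout (the decoded DSSE payload);
all ids and URIs in it are assumptions made for the example.
"""
import copy
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed artifact; in practice the tarball or binary you downloaded.
ARTIFACT = b"hello, slsa\n"

PROVENANCE = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "app-1.4.2.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": PROVENANCE_TYPE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/buildtypes/container/v1",
            "externalParameters": {
                "source": {"uri": "git+https://github.com/example-org/app@refs/tags/v1.4.2"}},
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example-org/app@refs/tags/v1.4.2",
                 "digest": {"gitCommit": "8f2e" * 10}}],
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/hardened-ci/v2"}},
    },
}

# What this consumer accepts for this artifact (assumed values).
POLICY = {
    "trusted_builders": {"https://example.com/builders/hardened-ci/v2"},
    "expected_build_type": "https://example.com/buildtypes/container/v1",
    "expected_source_prefix": "git+https://github.com/example-org/app@",
}


def verify_provenance(artifact: bytes, statement: dict, policy: dict) -> list[str]:
    """Return the list of policy failures; empty means the artifact is accepted.
    The builder id is only meaningful because the (already verified) envelope
    signature came from that builder's identity; a Build L3 platform is one
    whose tenants cannot forge that signature."""
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("unexpected statement type")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        failures.append("unexpected predicate type")

    # 1. The attestation must be about exactly these bytes.
    actual = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256", "").lower() == actual
               for s in statement.get("subject", [])):
        failures.append("subject digest does not match artifact")

    predicate = statement.get("predicate", {})
    build_def = predicate.get("buildDefinition", {})

    # 2. Only builders on the allowlist may vouch for this artifact.
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        failures.append(f"untrusted builder: {builder!r}")

    # 3. The build type defines how externalParameters are to be read.
    if build_def.get("buildType") != policy["expected_build_type"]:
        failures.append("unexpected build type")

    # 4. The source the builder was asked to build must be our repository.
    source = build_def.get("externalParameters", {}).get("source", {}).get("uri", "")
    if not source.startswith(policy["expected_source_prefix"]):
        failures.append(f"unexpected source: {source!r}")

    # 5. The builder must record the exact commit it fetched for that source.
    pinned = [d for d in build_def.get("resolvedDependencies", [])
              if d.get("uri") == source and d.get("digest", {}).get("gitCommit")]
    if not pinned:
        failures.append("source not pinned to a commit in resolvedDependencies")
    return failures


def tampered_scenarios() -> dict[str, list[str]]:
    """Run the same check against three tampered inputs."""
    # Artifact swapped after the build: the provenance no longer covers it.
    swapped = verify_provenance(b"hello, backdoor\n", PROVENANCE, POLICY)
    # Provenance re-issued by a builder the consumer does not trust.
    forged = copy.deepcopy(PROVENANCE)
    forged["predicate"]["runDetails"]["builder"]["id"] = "https://example.com/builders/laptop"
    # Built from a fork instead of the expected repository.
    fork = copy.deepcopy(PROVENANCE)
    fork["predicate"]["buildDefinition"]["externalParameters"]["source"]["uri"] = \
        "git+https://github.com/attacker/app@refs/heads/main"
    return {"swapped_artifact": swapped,
            "forged_builder": verify_provenance(ARTIFACT, forged, POLICY),
            "from_fork": verify_provenance(ARTIFACT, fork, POLICY)}


if __name__ == "__main__":
    print("genuine:", verify_provenance(ARTIFACT, PROVENANCE, POLICY) or "accepted")
    for name, fails in tampered_scenarios().items():
        print(f"{name}: {fails}")
```

The policy is deliberately tied to one artifact: a trusted builder attesting to a build of someone else's fork is rejected just as firmly as an untrusted builder attesting to ours, which is the point of checking externalParameters and not just the builder id.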

Stunning Sunday out at #CarltonBeach #Tasmania for Surf Life Saving squad selection #SLSA


⚠️ Reducing the Risk of Source Tampering With #SLSA
Watch Tom Hennen's #cdCon talk: www.youtube.com/watch?v=ZdQp...


🚨 Exciting news!
The SLSA Postgraduate Conference 2026 will take place at Cardiff University 🏛️ on 8–9 January 2026.

A space for early-stage PhD researchers to connect, share ideas & grow together 🌱

👇 Details in the comments section!

#SLSA #PhD #SocioLegal


Stunning morning for a paddle at #KingstonBeach #Tasmania #SLSA

Celebrating the Community: OpenSSF at Open Source Summit and OpenSSF Community Day Europe Recap From August 25 to 28, 2025, the Linux Foundation hosted a high-impact week of open source collaboration and innovation in Amsterdam. OpenSSF’s participation, in both Open Source Summit Europe and OpenSSF Community Day Europe, brought together developers, maintainers, researchers, and policymakers to strengthen software supply chain security and align on global regulations like the EU Cyber Resilience Act (CRA). Photos and recordings are now available!

New to OpenSSF or thinking about getting involved? We've got you. 💡

This blog by Ejiro and Sal introduces all our working groups, tools, and projects like #sigstore, #SLSA, and #OpenSSFScorecard.

Start here 👉 openssf.org/blog/2025/08...


Learn how the Open Source Security Foundation (OpenSSF) is helping DevOps teams lock down supply chains without slowing down delivery.

More info: https://f.mtr.cool/drzczkupam

#DevOpsCon #DevSecOps #OpenSSF #SupplyChainSecurity #SLSA


Stunning day out at Carlton Beach for surf squad training and a quick surf. The water is cold 🏝️ #SLSA #Tasmania


World #DrowningPrevention day is 25 July.

My effort in raising awareness in the community (#5) to help explain red + yellow flags and their meaning at the beach.

I almost drowned many years ago when I didn't swim between the flags 😔

Learn to swim + float to live...

@who.int #RNLI #SLSGB #SLSA

AAPSU gives 10-day ultimatum to Arunachal govt over sports infrastructure issues All Arunachal Pradesh Students’ Union (AAPSU) has issued a 10-day ultimatum to the state government, particularly the Department of Sports

The AAPSU has called for the immediate creation of District Sports Officer (DSO) posts in all districts, pointing out that several districts currently lack regular officers
#AAPSU #ArunachalPradesh #SportsInfrastructure #SLSA

Partner quote

Proud to raise the security standard... What if your container images came secure by default? Now they do.

NGINX is on board with Docker Hardened Images—SBOMs, SLSA, and sigs baked right in: bit.ly/451ak37

#Docker #NGINX #DevSecOps #SBOM #SLSA #ContainerSecurity

Demonstrably Secure Software Supply Chains with Nix Discover how Nix can revolutionize your software supply chain security, enabling verifiable integrity and offline rebuilds from source.

Demonstrably Secure Software Supply Chains with Nix - nixcademy.com/posts/secure... #infosec #scsp #SLSA

Santa Ana Del Yacuma airport (Bolivia) aviation weather and information SLSA SBL Information for Santa Ana Del Yacuma airport (Bolivia): map, hotels and aviation weather with raw and decoded TAF and METAR

Aviation weather for Santa Ana Del Yacuma airport (Bolivia) is “SLSA 041100Z 12004KT 9999 SCT004 SCT070 25/24 Q1013” : See what it means on https://www.bigorre.org/aero/meteo/slsa/en #santaanadelyacuma #bolivia #santaanadelyacumaairport #slsa #sbl #metar #aviation #aviationweather #avgeek
