How hot can your SLSA really get? 🔥 From Mild to Wild: How Hot Can Your SLSA Be? Andrew M. (Red Hat) & Adolfo García Veytia explore real-world SLSA maturity -- what adoption actually looks like in practice, and how organizations can meaningfully raise the bar on supply chain security. Don’t miss this session at the Open Source #SecurityCon Europe - colocated at KubeCon + CloudNativeCon. 👉 View the agenda & register now: https://lnkd.in/gc-D5Eid
OpenSSF
IT Services and IT Consulting
San Francisco, CA 12,911 followers
Securing the open source ecosystem
About us
The Open Source Security Foundation (OpenSSF) is a cross-industry organization at the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.
- Website: https://openssf.org/
- Industry: IT Services and IT Consulting
- Company size: 201-500 employees
- Headquarters: San Francisco, CA
- Type: Nonprofit
- Founded: 2019
Locations
- Primary: 548 Market St, PMB 57274, San Francisco, CA 94104, US
Updates
OpenSSF reposted this
What a great day! The CHAOSS community cross-posted one of my favorite GR-OSS OUT episodes. It's a great chat with Stacey Potter from OpenSSF about what it means to build welcoming open source communities. Give it a listen! 🎧 https://lnkd.in/eCQ4aUGa Thanks to Dawn Foster for connecting the dots, Alice Sowerby and the CHAOSScast team for sharing it with their audience, and G-Research Open Source for giving us a platform to have these conversations. #OpenSource #CommunityHealth #Security
Guest Episode - GR-OSS OUT Podcast: Building Welcoming Communities with Stacey Potter
podcast.chaoss.community
Package repository security impacts every open source ecosystem. 🔐 OpenSSF brought together npm, PyPI, Maven Central, RubyGems, crates.io, Packagist, CPAN, Go modules, and more to discuss shared challenges -- from identity and governance to transparency and sustainability.
🔑 Key themes included:
• Maintainer identity and account security
• Governance and abuse handling at scale
• Transparency and auditability
• Sustainability as a security requirement
Security failures don’t stay isolated. Through transitive dependencies and shared tooling, risks ripple across ecosystems. Read the recap and join the Securing Software Repositories Working Group: 🔗 https://lnkd.in/eNy3cJXA #OpenSourceSecurity #OSSSecurity
End-of-Life (EOL) software is creating permanent security risks that can’t be patched away. Join Sonatype, HeroDevs, and OpenSSF today at 11am EST as we unpack the 2026 State of the Software Supply Chain Report and share strategies to tackle "forever risks." Save your spot: https://lnkd.in/ev9jmquv AI is reshaping development, but it’s also accelerating the use of outdated, vulnerable components. Christopher Robinson Brian Fox David Welch
From “😣 oh no, regulation!” to “💡 here’s how we do this!” At #FOSDEM2026, the CRA in Practice DevRoom showed how developers, maintainers, foundations, and manufacturers are turning the EU #CyberResilienceAct into real, workable workflows, powered by open collaboration, practical tooling, and community-driven processes. With less than two years until the EU Cyber Resilience Act becomes mandatory, the open source ecosystem is shifting from policy discussions to practical implementation. From SBOMs and VEX to stewardship models and risk-based compliance, this blog captures the key lessons and takeaways. 👉 Read the full recap and explore what #CRA readiness looks like in practice: https://lnkd.in/ecc44Tj6 Blog by Madalin Neag (OpenSSF), Megan K. (Arm), Philippe Ombredanne, and Roman Zhukov (Red Hat) This blog mentioned: Adam Herzog, Arnaud Le Hors (IBM), Cassie Crossley, Daniel Appelquist, Götz Martinek, Charlie Dixon (Arm), Jaroslav Reznik (Red Hat).
OpenSSF reposted this
End-of-Life (EOL) software is creating permanent security risks that can’t be patched away. Join HeroDevs, Sonatype, and OpenSSF on 2/18 at 11am EST as we unpack the 2026 State of the Software Supply Chain Report and share strategies to tackle "forever risks." Save your spot 🔗 https://lnkd.in/ea8ekknT #VulnerabilityManagement #OpenSourceSecurity #EOL #Cybersecurity #HeroDevs #Sonatype #OpenSSF
What does it take to win Defense Advanced Research Projects Agency (DARPA)’s AI Cyber Challenge (AIxCC)? In Episode #52 of What’s in the SOSS? an #OpenSSF Podcast, Professor Taesoo Kim explains how Team Atlanta combined:
• Fuzzing
• Symbolic execution
• LLM-powered reasoning
to detect and prove vulnerabilities at scale in real-world open source software. Key insight: Finding bugs is one challenge. Proving them is another. By combining AI with traditional security approaches, the team reduced false positives and improved real-world impact. Now they are bringing those capabilities to the broader open source community. 🎧 Listen now https://lnkd.in/eaMT-MhE Christopher Robinson
OpenSSF reposted this
🧱 You're already building infrastructure, apps, and cloud systems. Now build your cybersecurity muscle. We make it fast, easy and free with the Cybersecurity Skills Framework from Linux Foundation Education & OpenSSF. The Cybersecurity Skills Framework helps:
🔸 Developers
🔸 IT admins
🔸 SREs
🔸 Network engineers
🔸 And more
Understand the risks. Identify the skills. Strengthen your team. Start here, it's FREE! Try it now: https://hubs.la/Q042g9wb0 #Cybersecurity #InfoSec #ITLeadership #RiskManagement
OpenSSF reposted this
If you're a manufacturer who’s looking for a path to improve the CRA-readiness of your open source dependencies, this post is for you. This Friday we’re kicking off the 2026 Security Slam, facilitated by the Cloud Native Computing Foundation (CNCF)'s Technical Advisory Group for Security. It’s an effort to help projects improve their security hygiene, and the objectives are aligned with CRA requirements. You can get up to speed on past efforts and what to expect this time by reading the announcement posted by the OpenSSF: https://lnkd.in/gheu9CQd In past Slams, we have seen that projects that adopt security hygiene practices continue to operate at a higher standard than other projects for years after the Slam completed. And best of all, we have the stats to show it. This year Slam Advisors are helping projects onboard to the OpenSSF Best Practices Badge (Baseline Edition!) as well as LFX Insights, which means there will be receipts that you can reference during your own due diligence or CRA conformity assessment efforts. Check out the LFX platform to see how handy it is for understanding your dependencies: https://lnkd.in/g9svwjsA We owe a huge thanks to Jim Zemlin for his dogged persistence pushing the LFX Insights platform through multiple iterations to create the amazing value we see today for both maintainers and end users. And to folks like Kier McDermott and Jonathan Reimer who improve the platform’s quality every day. Here are two things you can do to take advantage of all that’s happening next month, and further your company’s goals as part of this Security Slam:
1. Share the Slam website with projects you depend on, and let them know why their participation matters to you: securityslam.com
2. Attend an upcoming ORBIT Launchpad meeting to discuss your needs and observations with other maintainers, so that folks like Nicole Bates and Sarah Evans can consolidate industry feedback for project maintainers: https://lnkd.in/g4zFy2YV
The world is at a critical junction in the future of open source security — this event is a rare fulcrum you can leverage to make a big, lasting impact. I’ll be sharing the results and updates at upcoming conferences, including the awards ceremony on stage at KubeCon EU in Amsterdam — I hope to see you there!
🛡️ Security Slam 2026 is open for registration (https://lnkd.in/gXHtek3P)! 🔬 From February 20–March 20, OpenSSF is partnering with Cloud Native Computing Foundation (CNCF) TAG Security & Compliance and Sonatype on a 30-day challenge focused on improving real-world security hygiene. Projects will work through practical milestones using OpenSSF tools, supported by the Slam Library, maintainers, and advisors -- culminating in recognition at KubeCon + CloudNativeCon Europe. This year’s Slam expands eligibility through LFX Insights, making it accessible to more projects across the open source ecosystem. 👉 Learn how to participate and register: https://lnkd.in/gXHtek3P Blog by Stacey Potter (OpenSSF) and ⚙️ Eddie Knight (Sonatype) #OpenSource #OSSSecurity #SecuritySlam2026