Slide 1

OpenSSF Overview
Improve the security of open source software for all

Copyright © 2024 The Linux Foundation®. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks.

Slide 2

Mission
The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration, establishing best practices, and developing innovative solutions.

Vision
OSS is a digital public good, and as an industry we have an obligation to address its security concerns together with the community. We envision a future where OSS is universally trusted, secure, and reliable. This collaborative vision enables individuals and organizations in a global ecosystem to confidently leverage the benefits of OSS and meaningfully contribute back to the OSS community.

● Est. 2020
● Security by design & security by default

Slide 3

Values: Open Source is a Public Good

The OpenSSF serves as a trusted partner to affiliated open source foundations and projects and provides valuable guidance and artifacts, like the top ten Secure Software Development Guiding Principles, to those projects and foundations that encourage security by design and security by default. OpenSSF initiatives should make security easier for open source maintainers and contributors. Consumers of OSS can leverage the output of the OpenSSF to have clear, consistent, and trusted signals to better understand the security profile of OSS content.

The OpenSSF is committed to encouraging all interested stakeholders to participate in the foundation and its technical initiatives (TIs). The OpenSSF is viewed as an influential advocate for mutually beneficial external efforts and an educator of policy decision makers.

More than just advocacy to Diversity, Equity, and Inclusion (DEI) groups, the OpenSSF remains committed to directly facilitating an environment for all perspectives, all backgrounds, and equitable opportunities for global mentorship and education. The OpenSSF remains committed to continuously evolving these efforts to bring more inclusive and diverse software security education, ensuring stakeholders share opportunities to engage in and receive value from OpenSSF TIs.

Slide 4

Why now?

Sources:
● [Synopsys 2024] "2024 Open Source Security and Risk Analysis Report" by Synopsys, https://www.synopsys.com/software-integrity/engage/ossra/ossra-report
● [Sonatype 2022] "2022 State of the Software Supply Chain" by Sonatype, https://www.sonatype.com/state-of-the-software-supply-chain/introduction
● https://www.csoonline.com/article/567531/the-biggest-data-breach-fines-penalties-and-settlements-so-far.html

Slide 5

Public & Private Sector: Security is critical among all critical infrastructure sectors (blog)

Critical infrastructure sectors:
● Chemical
● Communications
● Dams
● Emergency Services
● Financial
● Government Facilities
● Information Technology
● Transportation Systems
● Commercial Facilities
● Critical Manufacturing
● Defense Industrial Base
● Energy
● Food & Agriculture
● Healthcare & Public Care
● Nuclear Reactors, Materials, & Waste
● Water & Wastewater Systems

Slide 6

Securing Software: Make it secure AND secure its supply chain

Supply chain diagram: Developer → Source → Build → Package → Consumer, with Dependencies feeding into the build. Threat points are labelled A through H and grouped under Source Integrity and Build & Distribution Integrity:

A. Bypassed code review
B. Compromised source control system
C. Modified code after source control
D. Compromised build platform
E. Using a bad dependency
F. Bypassed CI/CD
G. Compromised package repo
H. Using a bad package

Slide 7

OpenSSF Technical Initiatives Landscape

The landscape is drawn over the supply chain (Developer, Source code, Build, Package, Dependencies, Package selection information, Vulnerability information, Consumer). Working groups and their technical initiatives:

Community Best Practices
● A. Secure Software Development Fundamentals courses SIG
● B. Security Knowledge Framework (SKF) project
● C. OpenSSF Best Practices Badge project
● D. OpenSSF Scorecard project
● E. Common Requirements Enumeration (CRE) project
● F. Concise & Best Practices Guides SIGs
● G. Education SIG
● H. Memory Safety SIG

Vulnerability Disclosures
● I. CVD Guides SIGs
● J. OSS-SIRT SIG
● K. Open Source Vuln Schema (OSV) project
● L. OpenVEX SIG
● M. Vuln Autofix SIG

Metrics & Metadata
● N. Security Insights
● O. Security-Metrics: Risk Dashboard project
● P. Security Reviews project
● AH. Security Insights Spec project

Security Tooling
● Q. SBOM Everywhere SIG
● R. OSS Fuzzing SIG
● AI. SBOMit project
● AJ. Protobom

Supply Chain Integrity
● S. SLSA project
● T. S2C2F project
● AJ. Gittuf project
● AK. GUAC project

Securing Critical Projects
● U. List of Critical OS Projects SIG
● V. criticality_score project
● W. Census SIG
● X. Package Analysis project
● Y. allstar project

End Users
● Z. Threat Modeling SIG

Securing Software Repositories
● AB. Repository as a Service project

Projects
● AD. Alpha & Omega project
● AE. Sigstore
● AF. Core Toolchain Infrastructure (CTI)

Other working groups shown: AI/ML Security; DevRel Community; Diversity, Equity, & Inclusion

Slide 8

Members Leading & Participation in Working Groups:

● AI/ML Security
● Diversity, Equity, & Inclusion
● DevRel Community
● Best Practices
● End Users
● Metrics & Metadata
● Securing Critical Projects
● Securing Software Repositories
● Security Tooling
● Supply Chain Integrity
● Vulnerability Disclosures

New

Slide 9

Impact: Creating & Improving the mechanisms to secure open source software

● From the General Manager
● Members
● From the Governing Board Chair
● Governing Board Members
● 2023 Highlights
● By the Numbers
● From the Technical Advisory Council Chair
● TAC Members
● Working Group and Project Updates
● Community Engagement
● Making Headlines

Slide 10

Risk Mitigation, Time & Money: OpenSSF ROI

(Columns: C-Suite Business Value / Tech Org Value)

● Improved Organizational Security Posture & Culture
● Improved Risk Mitigation
  ○ Consumption & Contribution
● De-Risk
  ○ Reduce Vendor Lock-in
  ○ Vendor Evaluation
● Collaborative Development
  ○ Shift from "Individually by each company" to "Shared Responsibility"
● Increased Efficiency
  ○ Improved incident response time
  ○ Increase OSS usage & workflows
  ○ Iteration with industry peers
● Ecosystem Development
  ○ Upskill & Training
  ○ Recruit & Retain Security Talent

Slide 11

Business Value from OpenSSF Projects:

Hear the full explanation of the value of Scorecard from IBM in the Tech Talk here

Slide 12

We've launched new projects and research

● Project: SBOMit: Adding Verification to SBOMs
● Project: gittuf: A Security Layer for Git Repositories
● Research: Maintainer Motivations, Challenges, and Best Practices on Open Source Software Security

Slide 13

AI Innovation in Security

OpenSSF to Support DARPA on New AI Cyber Challenge (AIxCC)
● Challenge to automatically find & fix software vulnerabilities using artificial intelligence, with $18.5M in prizes
● OpenSSF will serve as challenge advisor to guide teams creating AI systems capable of addressing vital cybersecurity issues

U.S. AI Safety Institute Consortium

Slide 14

US Public Sector

The OpenSSF brought together US Government (USG) officials from the National Security Council (NSC), Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA), among others, with industry leaders. Participants discussed the security challenges for the consumption of OSS in critical infrastructure sectors and beyond and highlighted the shared responsibility needed to ensure the resilience of OSS in critical infrastructure.

● Security Incident Response
● Securing Repos
● Education

Slide 15

EU Public Sector

● The EU is in the process of finalizing the Cyber Resilience Act (CRA) policy
● Once finalized (Q4 2024), the CRA will move into standardization
● OpenSSF will work closely with the EU Commission and EU Parliament to ensure that these standards embrace, support, and encourage open source software in a secure and responsible manner

Slide 16

Making Headlines:

Slide 17

(no text content on this slide)

Slide 18

We're hosting events to bring the community together

● Announcing the First Ever SOSS Fusion Conference: How You Can Get Involved
  ○ Submit to Speak at SOSS Fusion 2024
● Registration is open for SOSS Community Day North America
● Recap of OpenSSF Day Japan

Slide 19

Events: Secure Open Source Software (SOSS)

SOSS: a series of events, anchored by geographical area (e.g., European Union):

● SOSS Community Days
  ○ Reimagines OpenSSF Day
  ○ Co-located with Open Source Summits (OSS) when possible
● SOSS Policy Summits (Invite)
  ○ Focused on engaging our partners in the private sector and public sector
  ○ Focusing on North America and Europe
  ○ More details to come on APAC later this year
● SOSS Package Managers' Forum (Invite)
  ○ Focused on security of package/artifact repositories
  ○ Attendance to be focused on maintainers/administrators of key software artifact repositories
  ○ Topics to be focused on securing the means of OSS distribution points
● SOSS Fusion Conference (Premier Event)
  ○ Our premier open source security event, held once a year
  ○ Bringing together OSS producers and consumers, such as maintainers/contributors, software developers, and security experts, for technical conversations and community building
  ○ Recently announced keynote: Bruce Schneier

Slide 20

Later this Year: SOSS Fusion

● We will be hosting SOSS Fusion
  ○ October 22-23
  ○ Atlanta, Georgia
● Premier event where the brightest minds in software development and cybersecurity converge to secure the open source software that we all depend on
● Keynote: Bruce Schneier
● Call for Proposals (CFP) is now open!

Slide 21

https://openssf.jobboard.io/

Slide 22

Why participate in OpenSSF?

● Improve Security // Collective change requires collective participation to help improve the security of software your organization certainly depends on
● Step Up // Your customers, regulators, insurers, and other important stakeholders will recognize that your organization is stepping up to join the challenge
● Drive Change // Your participation will help others spark new ideas, provide insights on roadblocks or challenges, understand requirements, and improve the value of OpenSSF's outcomes
● Commit Resources // Your membership support will ensure we have resources to work with you and your teams, and identify opportunities to improve security together

Slide 23

OpenSSF Premier Members

Slide 24

(no text content on this slide)

Slide 25

Associate Members

Slide 26

Hear From Our Members:

"As open source is now core to nearly every company's technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own."
Mark Russinovich, Azure CTO and Technical Fellow, Microsoft

"The OpenSSF is the best place for cross-industry leadership for these very challenging topics, and we look forward to working with the US and other governments to improve security worldwide."
Eric Brewer, VP of Infrastructure and Fellow, Google

"As a founding member of the OpenSSF, we have worked to improve the security of open source and the integrity of all software. We commend the US Government's recent initiative to raise awareness on this pressing topic and call to action the technology community to solve one of the most complex security challenges of our time."
Rao Lakkakula, Executive Director Cybersecurity, JP Morgan Chase

"IBM is deeply focused on developing and building highly secure hybrid cloud, AI and quantum-safe technologies that are designed to protect our clients' most sensitive workloads both today and into the future. As a long-time open source leader, IBM looks forward to working with the OSSF, our industry partners, and open source communities towards addressing the ever-increasing challenge of hardware and software open source supply chain security."
Jamie Thomas, General Manager, Strategy & Development and IBM Enterprise Security Executive

Slide 27

Get Involved

Slide 28

Legal Notice

Copyright © Open Source Security Foundation®, The Linux Foundation®, & their contributors. The Linux Foundation has registered trademarks and uses trademarks. All other trademarks are those of their respective owners.

Per the OpenSSF Charter, this presentation is released under the Creative Commons Attribution 4.0 International License (CC-BY-4.0), available at .

You are free to:
● Share: copy and redistribute the material in any medium or format for any purpose, even commercially.
● Adapt: remix, transform, and build upon the material for any purpose, even commercially.

The licensor cannot revoke these freedoms as long as you follow the license terms:
● Attribution: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
● No additional restrictions: You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

Slide 29

Appendix

Slide 30

Engage with us on social media

● X: @openssf
● LinkedIn: OpenSSF
● Mastodon: social.lfx.dev/@openssf
● YouTube: OpenSSF
● Facebook: OpenSSF

Slide 31

Subscribe to our mailing list: openssf.org/sign-up
