jgreig, 5 days ago to random

OpenSSF is creating an email list called Siren that aims to spread threat intelligence and security information related to open source projects

The org was prompted to create the list after the log4j, XZ Utils and OpenJS cybersecurity issues #OpenSSF

https://therecord.media/openssf-siren-open-source-threat-intelligence-mailing-list

jschauma, 1 month ago to random

Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the #xz #backdoor:

https://tukaani.org/xz-backdoor/review.html

msw, 1 month ago to opensource

Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects

XZ Utils cyberattack likely not an isolated incident

#OpenSource #FreeSoftware #FOSS #OSS #InfoSec #XZ #OpenJS #OpenSSF #Linux

https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers

paris, 1 month ago to swift

heading to #openssf community day as part of #ossna #osssna summit. come say hi to talk about #swift, #pkl, the cool stuff i’m up to, or #opensource governance today or throughout the week

hope to see you 💖

ascherbaum, 1 month ago to random

Oh, look, the #OpenSSF is placing the #xz #xzutils problem on the sole #liblzma maintainer.

Instead of "remaining vigilant" they could help directing more resources to open source projects. None of this is to be seen in the article.

https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/

davidism, 1 month ago to opensource

The OpenSSF is supposedly an important organization of experts, but I only know two things about them: the scorecard that has been unhelpful for Flask for years, and the terrible post about xz. Here's what overworked maintainers actually need from a group of security experts: direct long term contribution, to teach and improve a project's security. Don't just show us a big list of extra work, directly contribute to help us fulfill the list. #OpenSource #OpenSSF

YourAnonRiots, 3 months ago to Cybersecurity Japanese

🔒 #CISA teams up with #OpenSSF to introduce a framework called "Principles for Package Repository Security," aimed at fortifying open-source software ecosystems against cyber threats.

https://thehackernews.com/2024/02/cisa-and-openssf-release-framework-for.html

#cybersecurity #hacking

fosslife, 5 months ago to security

New list of Secure Software Development Guiding Principles released by @openssf https://www.fosslife.org/10-guidelines-secure-software-development-openssf #BestPractices #OpenSSF #security #FOSS #SoftwareDevelopment #OpenSource

fosslife, 7 months ago to opensource

In response to a rise in attacks, @openssf announces the creation of the Malicious Packages repository https://www.fosslife.org/openssf-introduces-malicious-packages-repository #OpenSSF #OpenSource #vulnerabilities #security #database

nicorikken, 8 months ago to foss

At #OpenSSFDay the US government is praised for their effort for supporting software security through #FOSS. Rightfully so. I know in Europe the European Commission and national government are doing great things as well including through #NGI via #NLNet Would be great of this can be highlighted some way, perhaps through collaboration with #OpenSSF

fosslife, 8 months ago to opensource

Open Source Consumption Manifesto released by @openssf https://www.fosslife.org/openssf-creates-manifesto-consumption-open-source-software #OSCM #OpenSSF #OpenSource #guidelines #SoftwareDevelopment #SoftwareSupplyChain #FOSS #vulnerabilities #policy #security