
Cisco, Sonatype, & other Companies have joined Open Source Security Foundation

by CISOCONNECT Bureau

Accurics, Anchore, Bloomberg Finance, Cisco Systems, Codethink, Cybertrust Japan, OpenUK, ShiftLeft, Sonatype, and Tidelift have joined the Open Source Security Foundation (OpenSSF), a cross-industry forum focused on improving open source software security.

With open source software (OSS) increasingly becoming a major pillar of the application development lifecycle, maintaining the security of open source code is critical to securing modern software, whether it is used on end-user devices or in enterprise environments.

It’s difficult for security teams to gain full visibility into the dependency supply chain when open source software relies on a chain of third-party code, and any vulnerability there could lead to a full network compromise.

OpenSSF now includes around 45 members and associate members who collaborate to improve the security of open source software as a whole. OpenSSF is also open to everyone, including non-members.

Identifying security threats, ensuring that vulnerabilities are responsibly reported, securing critical projects, and promoting best practices are among the goals of the cross-industry endeavour.

Scorecard, an OpenSSF project that provides risk scores for open source software, will help developers, enterprises, and users make informed decisions by improving visibility into the security risks associated with dependencies.

In late June, an updated version of Scorecard was published, which included many security checks, a redesigned architecture for evaluating critical projects, and easier access to data.
