Developing secure software: Free tools and training at the OpenSSF
In its annual report, the Open Source Security Foundation shows how it supports the community on security matters: tools, training and advice.
The Open Source Security Foundation (OpenSSF) has published its annual report for 2024. The foundation's work focused on the further development of security tools, developer training and lobbying, particularly in the USA and Europe.
The OpenSSF now has 126 members from 15 countries, including AWS, Google, Intel, Microsoft and Red Hat. 2239 contributors from the community helped in the working groups or in the development of the security tools. 62,618 projects use the Sigstore tool, 12,000 participants attended Foundation courses, and 7,500 projects, among them Kubernetes, the Linux kernel and Node.js, follow the best practices published by the OpenSSF.
Free training and open source tools
Many developers will be particularly interested in the free courses and teaching materials as well as the tools provided by the OpenSSF. For example, the online introductory course Developing Secure Software (LFD121), which 8,000 participants attended this year, is available free of charge. Also publicly accessible are guides such as Principles for Package Repository Security, Correctly Using Regular Expressions for Secure Input Validation and the Compiler Options Hardening Guide for C and C++. A further document on Python is in preparation. For other parts of the training program, however, the OpenSSF charges fees.
The report names Sigstore and Scorecard as the most important of the 14 tools under the foundation's umbrella. Sigstore, a key and certificate manager completed in 2022, secures software components as well as the build and supply chain process; the OpenSSF operates its own Trust Center for this purpose. The Scorecard project collects security metrics for projects. New tools added to the sandbox this year are Protobom, bomctl and Minder, which manage software bills of materials and the supply chain.
Another task of the OpenSSF is to identify and list system-critical open source software and to advise the projects concerned. It also compiles a monthly security score for 500,000 projects.
The Foundation intends to strengthen its commitment to artificial intelligence in the future: "As AI becomes more widespread, I look forward to seeing how the OpenSSF develops more tools to make AI and open source more secure and to promote AI to improve security," writes Arun Gupta, Chairman of the Governing Board, in the report.
The annual report can be downloaded free of charge as a PDF on the Foundation's website.
(who)