
OpenSSF Welcomes New Members as SLSA, Gemara, and AI Security Efforts Mature

At Amsterdam’s SecurityCon Europe, the Linux Foundation’s OpenSSF adds new members and showcases progress on SLSA, Gemara, and AI security.


Today at Open Source SecurityCon Europe in Amsterdam, the Open Source Security Foundation announced that it’s signed up some new members. The foundation, founded in 2020, is a cross-industry Linux Foundation initiative that merged the Core Infrastructure Initiative, launched in 2014 in response to the Heartbleed bug in OpenSSL, with other projects.

The new members are Helvethink, a Geneva-based consulting company focused on DevSecOps, cloud infrastructure, and cloud‑native application design; Spectro Cloud, a San Jose-based company that produces platforms for designing, deploying, and operating Kubernetes and AI environments across data centers, public clouds, and edge locations; and Quantrexion, a Greece-based cybersecurity and governance company that runs “human risk management” programs as managed services to reduce people-driven cyber risks.

They all come onboard at the foundation’s lowest General membership level, with dues based on employee headcount that can range from $5,000 to $50,000 annually.


“Open source security continues to evolve significantly in the face of new, automated threats,” Steve Fernandez, general manager of OpenSSF, said in a statement. “Our member organizations are seeding a more secure future, built with longevity in mind, by working with the OpenSSF. This network of projects, maintainers, and thousands of contributors is key to reinforcing reliable, sustainable open source software for all.”

OpenSSF’s Growth

At the conference, OpenSSF pointed to several achievements during the last couple of months that have helped further its goal to secure open source software:

  • A new partnership with New York City-based Kusari — a company that focuses on supply chain security — to offer Kusari Inspector at no cost to OpenSSF projects. The platform provides maintainers with deeper visibility into software supply chains and enables proactive security checks at the pull request level.
  • The Supply-chain Levels for Software Artifacts (SLSA) project — basically a checklist of practices and controls to prevent tampering with software, improve the integrity and provenance of build artifacts, and secure build systems and release pipelines — achieved graduated status. This achievement advances SLSA’s stability, maturity, and adoption as a critical framework for supply chain integrity.
  • The release of the Gemara Project’s inaugural white paper. The project is a governance, risk, and compliance engineering model for automated risk assessment and “compliance as code.” The white paper’s findings outline a new framework for integrating security-as-code principles directly into the software development lifecycle.
  • The launch of new SIGs focused on Model Lifecycle Provenance and GPU-Based Model Integrity. These groups, under the AI/ML Security Working Group, expand the Foundation’s focus on securing the rapidly evolving field of AI/ML software security.
  • OpenSSF was approved, via Linux Foundation Europe, as a cybersecurity Liaison Organization to CEN and CENELEC, the European Committees responsible for developing European standards in most sectors and in electrotechnical engineering respectively, strengthening OpenSSF’s role in standards development and policy discussions in Europe.
  • The official launch of the OpenSSF Ambassador Program, an initiative that recognizes and supports individuals who actively advocate for open source software security and the OpenSSF community. Applications are now open for the initial intake.
  • Over 7,300 learners enrolled in OpenSSF’s free course, “Understanding the EU Cyber Resilience Act,” or LFEL1001. The foundation has had over 75,000 enrollments in OpenSSF training programs to date.

“Open source is the foundation of modern infrastructure — and its security is a shared responsibility,” said Saad Malik, CTO and co-founder of Spectro Cloud. “By joining the OpenSSF, Spectro Cloud is investing directly in the community work that raises the bar for everyone. Just as importantly, it strengthens the standards and practices behind the software we ship, so our customers can deploy Kubernetes with confidence in the integrity of every component.”
