Snyk Blog

Priorities from the OpenSSF Secure Open Source Software Summit 2023

Written by:
Dan Appelquist
wordpress-sync/feature-open-source

October 4, 2023

0 mins read

Snyk has been a long-time active participant in and sponsor of the Open Source Security Foundation (OpenSSF). We’re there because we believe in supporting its mission of securing the open source ecosystem.

A recent summit meeting convened by the OpenSSF with the White House brought together various US Government departments for a chat about open source security. The background here is that the US government understands the importance of securing the open source ecosystem, because they understand that “open-source software is a critical tool used to shift power towards the stewards of democracy and demonstrate our values,” as Kemba Walden, acting National Cyber Director for the White House put it. 

The top three priorities that came out of this summit meeting were:

  1. Providing Security Education to OSS Maintainers, Contributors, and Consumers

  2. Securing OSS Repositories

  3. Enabling Cross-Industry OSS Incident Response (IR) Capabilities

I’ve been working, along side other OpenSSF members, to help publish a set of guidelines to help address point two on this list: Securing OSS Repositories.

SCM platforms are used for developer collaboration, community engagement, and as a part of the build and release process for many key open source software components and tools. It’s no wonder that SCM repositories would emerge from this discussion as one of the key leverage points for making open source software more secure.

The Source Code Management Best Practices Guide, launched earlier this month, gives developers, maintainers, and organizations that make use of the GitHub and GitLab SCM platforms a set of clear guidelines on how to set up and maintain security. Used together with OpenSSF Scorecard, this gives developers a comprehensive checklist and gives organizations that manage multiple open source repositories with some guidance on how they can set up permissions, workflows and policies for better security.

It’s been great collaborating with the co-leads on this work, Christine Abernathy from F5 and Noam Dotan from Legit Security. And we’re not done. This is the first release of these guidelines. We’re looking forward to incorporating additional SCM platforms and incorporating community feedback, since the guide itself is, of course, managed in an open source repository.

For more info on what’s going on in the OpenSSF, follow @openssf@social.lfx.dev on Mastodon.

Posted in:Open Source Security
wordpress-sync/feature-open-source

How to Build a Security Champions Program

Snyk interviewed 20+ security leaders who have successfully and unsuccessfully built security champions programs. Check out this playbook to learn how to run an effective developer-focused security champions program.

See the playbook
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon