
Highlights from OpenSSF’s 2022 Annual Report

Kaylin Trychon, VP of Marketing and Communications
December 30, 2022

The OpenSSF (Open Source Security Foundation) had a busy and productive year in 2022, furthering its mission to improve the security of open source software and promote best practices within the community. Chainguard is proud to support the work the OpenSSF is doing and is one of the top contributors to several key initiatives run by the OpenSSF, including Sigstore and the Supply Chain Levels for Software Artifacts (SLSA) framework.

Our CEO and co-founder Dan Lorenc sits on the Technical Advisory Council and helped spearhead the Supply Chain Integrity working group alongside Chainguard co-founder Kim Lewandowski. This week, the OpenSSF published its first annual report, highlighting the progress made over the past year and outlining what is next for the initiatives and projects it supports.

In this blog, we look at some of the top accomplishments and milestones the OpenSSF has achieved in 2022 and highlight our favorite items on the horizon for 2023. 

Developed new security tools and resources: The OpenSSF has released and maintained several new tools and resources to help developers and security professionals improve the security of their open source projects. One of these is Sigstore, a new standard for signing, verifying, and protecting software. The project had a record year, reaching over 450 contributors, nearly 10 million signatures recorded in Rekor (its transparency log), and use by over 70 organizations. Sigstore is on track to be the fastest-adopted open source project in history. To further adoption of Sigstore across ecosystems, Sigstore language clients for Python, Java, JavaScript, Rust, and Ruby are in development.

The OpenSSF has also created a number of educational resources, including a series of webinars and workshops on topics such as secure coding practices and incident response.

Improved the security of open source projects: One of the main goals of the OpenSSF is to improve the security of open source projects, and in 2022 the organization made significant progress towards this goal. The OpenSSF worked directly with a number of open source projects to identify and fix security vulnerabilities, and it also hardened those projects through the new tools and resources described above. Fixing vulnerabilities in widely depended-upon projects protects not only the projects themselves but every downstream user who consumes them.

In 2022, the Securing Critical Projects working group found and fixed 22 vulnerabilities and CVEs, nine of which were rated critical or high severity. In total, 94 security improvements were made to critical projects.

What’s Next 

While significant progress has been made in how the world views open source software and its security, there is still much work to be done. At Chainguard, we are excited about what the future holds, including supporting OpenSSF's investments in SBOM Everywhere, the migration away from memory-unsafe languages, and the establishment of a risk assessment dashboard for open source software.

Our team will also continue to support and invest resources in core initiatives such as SLSA, Sigstore, Alpha-Omega, and SPDX. Here is a look at what is on the horizon for 2023:

Supply Chain Integrity Working Group: This working group has been a great venue for information sharing and presentations across a wide range of organizations, and is home to several key projects, including SLSA and FRSCA. In 2023, SLSA is targeting a 1.0 release and kicking off a conformance program.

Sigstore: The project is focused on fostering a seamless adoption experience for users and organizations. In 2023, it will continue to work on increasing user adoption and advancing its tooling to allow for seamless integration. The Sigstore language clients for Python, Java, JavaScript, Rust, and Ruby will be completed and available for use.

Overall, the OpenSSF has had a very successful year and has made significant progress in its efforts to improve the security of open source software and promote best practices within the community. To date, the OpenSSF has reached over 100 active members from a wide range of organizations committed to securing open source software. With its strong partnerships and collaborative approach, the OpenSSF has been able to leverage the expertise of others in the community and increase the impact of its work. By continuing to focus on these efforts, the OpenSSF is well positioned to make even more progress in the coming year and we look forward to supporting that continued advancement at Chainguard.

If you are looking for ways to increase your investments and impact in securing the open source software ecosystem, I encourage you to join the OpenSSF in 2023. 
