Hi everyone,
January has marked a significant step forward for open source as the Open Source Security Foundation (OpenSSF) and the Linux Foundation represented their hundreds of communities and projects at the White House on the increasingly present security challenges in the open source software supply chain and our commitment to solving this issue.
Check out these articles from the Linux Foundation & OpenSSF here: https://www.linuxfoundation.org/press-release/the-openssf-and-the-linux-foundation-address-software-supply-chain-security-challenges-at-white-house-summit/
Security has always been a major point of discussion for open source; now the open source security discussion is front-and-center.
This is good news! Software security is a global challenge and open source, due to its focus on transparency, can create better security outcomes.
The LFX platform offers Security to all public hosted Git projects as a tool that provides the following for your open source repositories:
- Updated Dependency Tree List
- Vulnerability Scanning
- OpenSSF Best practices Badging
- Non-inclusive language scanning
- Code Secrets Scanning
But all of this security scanning information needs to be acted upon with priority to improve the open source projects.
As there have been several attacks on the confidence of open source, including Log4j, NPM package hijacking, and Heartbleed, we will need to track security data and be able to relay the message to the public.
Standards on security benchmarks and best practices will have to be agreed upon and widely adopted to improve our culture of security and trust.
So let’s start the discussion here:
As a community what practices are you taking to keep your project repositories or contributions secure?
- Is your project onboarded to LFX Security?
- Are you working towards attaining an OpenSSF Best Practices Badge?
- What do you believe are best practices to improve Open Source security and trust and how do you communicate and track your measures taken?
Hit REPLY and let’s continue the discussion on a more secure open source for us all.