Open Source Security


Emily Fox

Jan 10, 2022, 12:08:52 PM
to I am The Cavalry
Hello Folks,
  I'm working through some research on the current initiatives and activities of open source security beyond those already undertaken by the Linux Foundation, Cloud Native Computing Foundation, and Open Source Security Foundation. I'm an active member and a leader in those groups, participate in the Cloud Security Alliance through my membership above, and feel like I'm missing part of the large ecosystem. What other groups or efforts are out there? Who is coordinating them? Effectively, what is going on outside of my own sphere of knowledge?

Thanks in advance!

~Emily Fox
T: @TheMoxieFox
GH: @TheFoxAtWork

Ashwin Ramaswami

Feb 2, 2023, 1:39:45 PM
to I am The Cavalry

duncan sfractal.com

Feb 2, 2023, 2:45:30 PM
to iamthe...@googlegroups.com

I would put everything in the software transparency area as counting as “Open source security”. They are for closed source as well but I think there is enough effort specific to open source that it would rate inclusion. So the work at https://ntia.gov/page/software-bill-materials which has wound down and now is the work at https://www.cisa.gov/sbom.

I’d include the CSAF/VEX work https://oasis-open.github.io/csaf-documentation/ - again for more than open source but open source is a major focus. Similarly with https://opencybersecurityalliance.org/pace/. In fact I’d widen it to all of OCA (https://opencybersecurityalliance.org/) since all the projects in it are open source security projects.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 


duncan sfractal.com

Feb 2, 2023, 3:42:20 PM
to iamthe...@googlegroups.com

One more to add to the list is https://nonprofitcyber.org/ which seems to me to be trying to do the same thing you are.

Nonprofit Cyber is a coalition of implementation-focused cybersecurity nonprofits to collaborate, work together on projects, voluntarily align activities to minimize duplication and increase mutual support, and link the community to key stakeholders with a shared communication channel.

FC Stegerman

Feb 6, 2023, 9:50:13 PM
to iamthe...@googlegroups.com
* Emily Fox <themoxie...@gmail.com> [2022-01-10 18:08]:
> I'm working through some research on the current initiatives and
> activities of open source security beyond those already undertaken by the
> Linux Foundation, Cloud Native Computing Foundation, and Open Source
> Security Foundation. I'm an active member and a leader in those groups,
> participate in the Cloud Security Alliance through my membership above, and
> feel like I'm missing part of the large ecosystem. What other groups or
> efforts are out there? Who is coordinating them? Effectively, what is
> going on outside of my own sphere of knowledge?

Are you already aware of Reproducible Builds [1]?

- FC

[1] https://reproducible-builds.org/
