[RFC] OSSF WH OS Summit II proposal - Developer Best Practices
Hey team – I was fortunate to be involved in the recent Summit in DC around improving OSS security. Unsurprisingly, there are some items in the plan that are heavily related to our work. I’d love to t
By CRob Robinson (Intel)

I can use generated images from Dall-E / Dall-E-2 to illustrate the developing secure software course!
3 messages
All, FYI: Dall-E-2 uses machine learning techniques to generate imagery from text. See: https://openai.com/dall-e-2/ I've received confirmation from OpenAI that once we get access to Dall-E-2, we can
By David A. Wheeler

Fundamentals course tweaked on parameterized statements vs. prepared statements - comments welcome!
All: I've created a proposed change for the "fundamentals" course on SQL injection, primarily to distinguish "parameterized statements" from "prepared statements". In many APIs "prepared statements" &
By David A. Wheeler

Scorecard/Allstar Mission/Vision working session (5/5)
2 messages
Scorecard and Allstar project enthusiasts! Our next biweekly combined project meeting (5/5) will be a working session to discuss and craft mission statements and visions for both projects. Ahead of th
By Stephen Augustus (augustus)

FYI, Best Practices badge updated for vulnerable components
2 messages
FYI: The best practices badge project just did some routine updates of some of our dependencies because vulnerabilities in them were publicly announced yesterday. I thought I should provide some detai
By David A. Wheeler

Updating fundamentals course for 2021 OWASP Top 10 and 2021 CWE Top 25
The GitHub markdown version of the "Fundamentals" course has been recently updated to reference every major point in the 2021 OWASP Top 10 & the 2021 CWE Top 25. See: https://github.com/ossf/secure-sw
By David A. Wheeler

One-page summary: Should we tend to have *separate* numbered points, or tend to *combine* items into 1 numbered point? (Greco-Roman Wrestling)
3 messages
All: At the last OpenSSF Best Practices WG meeting, there was an agreement with my proposal to add a project/task to create a "one-page" guide for software developers, along with a supporting one-page
By David A. Wheeler

Trouble with Zoom Login today
Having a boggle with the OSSF Zoom account, trying to get logged in. Hopefully we’ll start soon. Cheers, CRob Director of Security Communications Intel Product Assurance and Security
By CRob Robinson (Intel)

Proposal: One-page "how to develop secure software" guide (including build/distribution integrity)
2 messages
The OpenSSF & others have developed many things, but I've been repeatedly asked for a *short* guidance document (around a page) that tells people "what to do" & links to the details. I propose that th
By David A. Wheeler

"Secure Software Development" course now available on LF Training Portal
All: Today the OpenSSF and LF Training & Certification announced the immediate availability of a free online training course, "Developing Secure Software". The course content mirrors the Secure Softwa
By David A. Wheeler

Infinity diagram
I really like the flashy *look* of the "infinity" diagram at wg-best-practices-os-developers/infinity2/index.html It's cool!! However, I don't like most of its current *categories*. I think they shoul
By David A. Wheeler

Plan to add a new platform for the "Secure Software Development Fundamentals" course(s) beyond edX, with no-cost certificate test
All, FYI: There are new plans in the works to add a new platform for the "Secure Software Development Fundamentals" courses, specifically the Linux Foundation Training & Certification platform. This w
By David A. Wheeler

Announcement: Linux Security Summit North America 2022
The Linux Security Summit (LSS) is coming up, and some here may wish to present and/or attend. See below for details. The Call for Proposals (CFP) closes March 30. --- David A. Wheeler ===============
By David A. Wheeler

[FYI] Upcoming call on OSS Security Maturity Models 2March2022
Hi teams – Just as a reminder, Wednesday at 10am EST we’ll be meeting with several folks from sig.eu to discuss open source software security models. If you are interested, please join us at the link b
By CRob Robinson (Intel)

Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4
Hi All, We're thrilled to announce the Scorecards V4 release! This includes 1M repos scanned weekly and a new Dangerous-Workflow check. We’re particularly excited about the new GitHub Action that inte
By Jennifer Bonner (Linux Foundation)

Are there any tokens still available?
Hi, Some projects were slow to react to the offer and are only responding now. Do we still have some tokens to distribute? My understanding is that the coupon for the Titan tokens has expired but what
By Arnaud Le Hors

Offer MFA tokens to log4j developers?
4 messages
It's clear we have some leftover MFA tokens. I'd like to offer MFA tokens to all 10 of the log4j developers; log4j has been added to the critical projects WG's list of critical projects. https://logging.
By David A. Wheeler

MFA codes sent!!
2 messages
All: Good news! The Google & GitHub codes have been sent to projects who told us they wanted some & how many of each they wanted. I plan to post some stats, but currently we're too busy trying to dist
By David A. Wheeler

Send the MFA token codes!
The deadlines have passed - let's start distributing MFA tokens!! Appu: Please start sending via email the Google coupon codes to the OSS projects that have requested one or more Titan tokens in our s
By David A. Wheeler

[+1's Requested] Scorecards Automation Improvements project
Best Practices Squad, The Scorecards team have scoped work and identified a well-qualified contractor to execute on scorecards automation improvements/fixes as well as some minor work on Allstar. The
By Jory Burson (PM, LF)