Open Source Summit North America 2023

One important aspect of the Open Source Software (OSS) community’s collective security response should be to create developer tooling. Such tooling makes it easier to write secure software by default and reduces the burden on maintainers. Research by the OpenSSF and Linux Foundation have shown that maintainers often benefit from better developer tooling, particularly when they might not otherwise have bandwidth to focus on security. Examples include CI pipeline tooling, tools such as Sigstore for package signing and verification, and efforts such as automated vulnerability scans and remediation. Part of the OpenSSF’s Alpha-Omega Project, “Omega”, also works on applying automated security analysis, scoring, and remediation guidance to maintainer communities of the “long tail” of open source projects. There is a lot of potential for the community to improve this as a whole: for example, we could create CI tools to make it easier to integrate fuzzers or static analysis tools into pipelines. This session will discuss existing initiatives in this space and ideas for potential future directions of security tooling, as well as ways to get involved in these projects.