Securing software is a priority for a functioning and thriving digital economy. Achieving sustainable and secure software, in particular open source software, is a shared effort, requiring a multi-faceted, long-term approach that includes tooling and resources, education, collaboration, and leadership!
At the Linux Foundation, our projects and communities are shoring up software supply chain security in diverse, widespread, and comprehensive ways, and stewarding compliance with regulations such as the EU Cyber Resilience Act and the US Executive Order on Cybersecurity. To encourage project discovery and enhance collaboration, we’ve created LF Security, a central home where you can get the resources you need to improve your organization’s security posture, and to encourage more people to join us in our efforts.
LF Security brings together the myriad LF project communities, initiatives, resources, and infrastructure that each advance the security of software, including technical projects, standards and specifications, events and webinars, training and certification programs, research projects, and other tools and initiatives. We’re committed to growing widespread awareness of our security resources, and encourage all stakeholders to contribute time, talent, working capital, and other inputs as a means to sustaining them.
If you’re new to open source, or a veteran of the community, LF Security is the place to find what you need to help secure open source software. And if you have a project to propose, want to contribute to our communities, or have other ideas to help us, we encourage you to get in touch!
Report a Security Vulnerability
Find the latest guidance on how to report vulnerabilities to LF projects and foundations, or with respect to Linux Foundation infrastructure (as a whole), or the main LF website.
Avoiding Social Engineering Takeovers
Read the alert for social engineering takeovers of open source projects to better recognize emerging threat patterns.
Discover the Linux Foundation projects and resources that accelerate open source software security
Explore industry-focused projects requiring specialized security standards and practices for regulatory compliance
FINOS accelerate innovation in financial services through open source, standards, and data. To enable open collaboration in this highly regulated industry, FINOS provides an Open Source Readiness training/certification and ongoing security scanning for its projects.
Featured Certifications
- Kubernetes and Cloud Native Security Associate (KCSA)
- Certified Kubernetes Security Specialist (CKS)
Hands-On Learning Workshops
-
Securing Coding Fundamentals (WSKF601)
-
Understanding Vulnerabilities and Security Threats (WSKF603)
Featured Training
Free
- Developing Secure Software (LFD121)
- Developing Secure Software - Japanese version (LFD121-JP)
- Securing Your Software Supply Chain with Sigstore (LFS182x)
- Understanding the OWASPⓇ Top 10 Security Threats (SKF100)
- Introduction to DevSecOps for Managers (LFS180x)
- Introduction to Zero Trust (LFS183x)
- Cybersecurity Essentials (A Must-Have for ALL Employees) (LFC108)
Free Express Learning (60-90 minutes)
- Security Self-Assessments for Open Source Projects (LFEL1005)
- Securing Projects with OpenSSF Scorecard (LFEL1006)
- Automating Supply Chain Security: SBOMs and Signatures (LFEL1007)
e-Learning Courses
- Kubernetes Security Essentials (LFS260)
- Modern Air Gap Software Delivery (LFS281)
- Implementing DevSecOps (LFS262)
- Mastering Infrastructure Security: Strategies, Tools, and Practices (SKF200)
- Cloud Native Fuzzing Fundamentals (LFS251)
- Kubernetes Security Fundamentals (LFS460) - Instructor-led Training
- Security and the Linux Kernel (LFD441) - Instructor-led Training
Featured Research
Other Resources
- A Spotlight on Security Efforts at the Linux Foundation
- Cloud Native Security White Paper
- CNCF Fuzzing Handbook
- CNCF Fuzzing updates 2023
- CNCF Software Supply Chain Best Practices
- Compiler Options Hardening Guide for C and C++
- Concise Guide for Developing Secure Software
- Concise Guide for Evaluating Open Source Software
- EU Cyber Resilience Act: The Linux Foundation Enables Open Source Software Stewardship for the CRA
- Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects
- Guide to Becoming a CVE Numbering Authority as an Open Source Project
- Guide to Implementing a Coordinated Vulnerability Disclosure Process for Open Source Projects
- How LF communities enable security measures required by the US Executive Order on Cybersecurity
- npm Best Practices Guide
- OpenSSF Response to US CISA RFI on Cybersecurity Risk and Secure by Design Software
- OpenSSF Working Groups
- OSTIF’s 2023 Cloud Native Computing Foundation audit impact report
- Principles for Package Repository Security
- Source Code Management Best Practices Guide
- The US Executive Order on Cybersecurity and the LF Energy Foundation
As CNCF projects permeate every industry across the world, it's of utmost importance to ensure high quality security practices for CNCF open source projects. CNCF has funded dozens of high impact security and fuzzing audits that have yielded multitudes of security improvements across some of the most widely used cloud native open source projects.
– Chris Aniszczyk, CTO, CNCF
Open source security is a critical issue for trusted supply chains. The OpenChain Project has contributed to this by creating ISO 18974:2023 as the standard for open source security assurance, a supporting ecosystem, and reference documentation. In collaboration with our peers in the Linux Foundation, we are working towards better open source business process management for everyone.
– Shane Coughlan, General Manager, OpenChain
Operating in a systemically critical industry means cybersecurity is integral to all we do at FINOS. Not only do we offer our projects ongoing security but initiatives like FINOS Common Cloud Controls offer a blueprint for how financial institutions realize the full value of their investment in open source, by collaborating on building a security rosetta stone of sorts which can then in turn be adopted by regulators worldwide.
– Gabriele Columbro, Executive Director, FINOS
LF events play an essential role in advancing open source security by connecting a diverse range of participants who share a passion for the enhancement of, and addressing the evolving challenges around, open source security.
– Angela Brown, SVP and GM of Events, Linux Foundation
New research enables a data-driven approach to security best practices. LF Research reports identify gaps and challenges that ultimately assist in enhancing the overall security posture of open source.
– Hilary Carter, SVP Research and Communications, Linux Foundation
Open source is a public good. The mission of the Open Source Security Foundation (OpenSSF) is to collaborate with the public sector, the private sector, and the community to ensure that open source software is secure for everyone.
– Omkhar Arasaratnam, General Manager, OpenSSF
With cyber threats increasing exponentially, we must provide individuals with the skills and knowledge needed to defend our IT infrastructure. Leaders need to recognize that cybersecurity is everyone's business and commit to equipping everyone with the necessary tools to navigate this ever-evolving landscape.
– Clyde Seepersad, SVP, General Manager, Training & Certification, Linux Foundation.
Open Source Software (OSS) security is vital for digital infrastructure that drives the economy. OpenSSF fosters collaboration among industry, academia, and the public sector, enhancing OSS security. Providing a vendor-neutral platform for developers, it strengthens digital trust, ensuring global system resilience.
– Arun Gupta, Vice President and General Manager, Open Ecosystem, open.intel.com
Innovation through open source software (OSS) and OSS security tools develops capabilities that become part of our software supply chain at Dell Technologies. When OSS is built leveraging security fundamentals, the supply chain becomes more resilient and facilitates better integration, automation, auditing, and sustainment within the supply chain.
– Sarah Evans, Senior Engineering Technologist, Dell Technologies
With organizations and consumers under constant threat, the collaboration between the world’s largest open source software foundation and the world’s largest cyber security professional association will prove to be a powerful force in securing a safe future for all. Secure open source code is critical, as it is the bedrock of so much innovation around the globe. Together with the Linux Foundation, ISC2 is dedicated to ensuring developers have access to the education and training they need to deliver more secure and resilient solutions.
– Clar Rosso CC, CEO, ISC2