OpenSSF1d ago

Third-Party Notices (TPNs) are often the only verifiable record when source code or #SBOMs are inaccessible, yet they’re usually trapped in unstructured PDFs.

A new guest blog by Devashri Datta discusses transforming TPNs into "Security Intelligence."

https://openssf.org/blog/2026/04/17/why-third-party-notices-are-breaking-at-scale-what-the-ecosystem-needs-next/

anchoreMar 12
SBOM adoption is accelerating, driven by #security best practices and regulatory requirements. This guide explains why #SBOMs matter, how to implement them, and how they fit into a #DevSecOps strategy. Download now: https://get.anchore.com/sbom101-guide-for-devsecops-community/
anchoreFeb 9
#SBOMs are becoming a standard requirement for secure software development. Learn how to generate, manage, and use SBOMs effectively to improve security posture, automate compliance, and reduce risk across your organization. Download the guide: https://get.anchore.com/sbom101-guide-for-devsecops-community/ #devsecops #compliance #security
anchoreJan 21

"It's hard to know what to fix in your software…if you don't know what's in your software." 🛑

Brian Thomason explains why the US Navy prioritizes high-fidelity #SBOMs as the foundation of every security check.

Read the full breakdown on RAISE 2.0: https://anchore.com/blog/how-raise-2-0-is-transforming-navy-devsecops/

Peter N. M. HansteenJan 12

Again for the evening (CET) crowd:

The recording from NYC*BUG (Properly pronounced "Nice Bug") Saturday January 10th, 2026 session "The Book of PF 4th ed + EU CRA: It's time to Engineer up" is now available:

Youtube: https://youtu.be/HOCsvcCm1Ec
Peertube: https://toobnix.org/w/bQPtKXKqJMdeYDbzhrrkEa

#bookofpf #OpenBSD #freebsd #packetfilter #EUCRA #CRA #SBOMS #dependency #supplychain #security @nostarch

NYC*BUG Jan 2026: Upcoming 4th edition of The Book of PF, CRA and more, Peter Hansteen

YouTube
N-gated Hacker NewsDec 24
Andrew Nesbitt takes us on a thrilling journey through the dazzling world of #lockfiles, asking the earth-shattering question: could they be SBOMs? 🚀✨ Spoiler alert: the answer is yes, but in formats as unique as snowflakes. ❄️ Meanwhile, the rest of the world waits with bated breath for the EU to dictate our digital lives! 🇪🇺🔒
https://nesbitt.io/2025/12/23/could-lockfiles-just-be-sboms.html #SBOMs #digitaltransformation #EUregulations #cybersecurity #HackerNews #ngated
Could lockfiles just be SBOMs?

Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?

Andrew Nesbitt
Hacker NewsDec 24

Could lockfiles just be SBOMs?

https://nesbitt.io/2025/12/23/could-lockfiles-just-be-sboms.html

#HackerNews #lockfiles #SBOMs #softwaredevelopment #cybersecurity #open_source

Could lockfiles just be SBOMs?

Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?

Andrew Nesbitt
OpenSSFDec 22

🧑‍🌾 bomctl makes SBOMs easier to work with by handling format and version differences for you. Convert between SPDX and CycloneDX, upgrade spec versions, and link #SBOMs across suppliers and systems.

Watch the OpenSSF Project Spotlight about #bomctl: https://youtu.be/Tax1pNaySYQ?si=98Cg8V73m7uHzTMu

Inside the bomctl Project: Bridging SBOM Generation & Analysis | OpenSSF Project Spotlight

YouTube
OpenSSFDec 15

When a new vulnerability drops, the first question is always: Is this in my supply chain? 🔍

By ingesting and enriching #SBOMs with vulnerability and dependency data, #GUAC lets you query your entire application portfolio and pinpoint where action is needed immediately.

🎥 https://youtu.be/uDT0xes5ico?si=3qMKMsRk0lYcL8fS

GUAC: Mapping Software Relationships for Supply Chain Security | OpenSSF Project Spotlight

YouTube
Josh BressersOct 20

I chat with @mbarbero about security happenings at the @EclipseFdn

My favorite project they have is helping projects generate #SBOMs, but there's a lot happening. If you want to see some public examples of how to do security right, give it a listen!

https://opensourcesecurity.io/2025/2025-10-eclipse-sbom-mikael-barbero/

Eclipse Foundation SBOMs with Mikael Barbero

In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation’s role in enhancing the security posture of open source projects, the importance of Software Bill of Materials (SBOMs), and the various security services provided to projects. Mikael explains the challenges and strategies involved in implementing security best practices across a diverse range of projects, as well as the foundation’s proactive approach to navigating security regulations and compliance. This is some great security work happening for open source projects.

Open Source Security