SecurityCRob


End-of-Life (#EOL) software is creating permanent security risks that can’t be patched away.

Join us today at 11am EST as we unpack the 2026 State of the Software Supply Chain Report and share strategies to tackle "forever risks."

Save your spot: https://webinars.sonatype.com/wcc/eh/5011667/lp/5216592/modern-vulnerability-management?utm_source=partner&utm_medium=openssf&utm_campaign=sscr%20webinar

🗣️ Our newest #Zarf Tech Talk recap is live! 📹

This Tech Talk brought together experts from Sonatype, Defense Unicorns, and Boeing to break down one of the biggest challenges in secure software delivery: operating in disconnected or restricted environments.

📺 Watch the recording: https://youtube.com/watch?v=maAavgVmFuc&feature=youtu.be

📝 Read the full recap: https://openssf.org/blog/2025/11/18/tech-talk-recap-simplifying-devsecops-in-air-gapped-environments-with-zarf/

📄 Access the slides: https://openssf.org/resources/tech-talks/simplifying-devsecops-in-air-gapped-environments-with-zarf/

Thanks to our moderator Eddie Knight, speakers Brandt Keller, Kit Patella, and Dan Miller!

In this episode of #OpenSourceSecurity I chat with Deb Nicholson about the Python Software Foundation. We discuss what they do, their current grant program, and how you can get involved.

The PSF is the group behind the legendary Python community. It's a fun chat; Deb has so much knowledge to share.

https://opensourcesecurity.io/2025/2025-09-psf-deb-nicholson/

The Python Software Foundation with Deb Nicholson

In this episode I discuss the Python Software Foundation with Deb Nicholson. We discuss their contributions to the Python programming community. Learn how this dedicated organization supports the growth and innovation of Python, fostering an ecosystem for developers worldwide. From funding open-source projects to organizing community events, discover the initiatives that make the Python Software Foundation a force for positive change in the tech world.

Episode Links
Deb's LinkedIn
Python Core Devs talk about the GIL
Whither Python? Dr. Russell Keith-Magee talks about Python's history, including how the shift from 2 to 3 went.
Python: The Documentary, an origin story: the recently released documentary about the origins of Python
Donate to the PSF as an individual
Donate to PSF as a company

This episode is also available as a podcast; search for "Open Source Security" on your favorite podcast player.

Open Source Security
Rustaceans have a great community. Thanks to the Rust Foundation for having me out to their amazing conference. Claws up!

🚨 July #OpenSSF Newsletter is here!

✅ CRA Brief Guide
✅ New podcast episodes
✅ Free training courses
✅ Global OSS security events
✅ Project updates (OpenBao, Zarf & more)

📬 Read it: https://openssf.org/newsletter/2025/07/30/openssf-newsletter-july-2025/

A benefit to having a business major who is trained in application development do your vulnerability assessment is that we tend to take things like marketing and vision into account when doing the test. Sometimes, perceptions are an extremely important part of results, and how an attacker will approach a site is driven by those perceptions.

If you are not a business major, quick tip: Spend 30 minutes doing deep searches on the company name, the owner's names, the type of business they're in, and any unique phrases so that you get an idea of what people are saying. Use a tool. Get a subscription to the Wall Street Journal or FT. Dig through their databases. Hit the Wayback Machine.

Look on TOR! Set up a couple of accounts on some of the forums on there (obviously don't connect them to your real identity). Do searches before a test - just see what people are saying. Sometimes it's a big deal.

#pentesting #business

🛡️ Software is about to be regulated worldwide. Are you ready?

To help #OSS contributors navigate what's coming, the #OpenSSF has released a CRA Brief Guide for OSS Developers.

📘 Learn more: https://openssf.org/blog/2025/07/15/new-cyber-resilience-act-cra-brief-guide-for-oss-developers/
📘 Read the guide: https://best.openssf.org/CRA-Brief-Guide-for-OSS-Developers

Join Sonatype's Brian Fox, Ilkka Turunen, and OpenSSF's Christopher "CRob" Robinson for a live discussion exploring the risks of over-reliance on #CVEs and how to build a resilient, diversified security strategy.

📅 April 22 | 🕘 9:00 AM ET

https://www.sonatype.com/resources/webinars/cve-reliance

The CVE Wake-Up Call | Sonatype Webinar

Join our webinar to explore the risks of overreliance on CVEs and learn how to build a resilient, multi-source vulnerability intelligence model.

Open source projects are adapting to CRA requirements—and the journey is already underway.
Civil Infrastructure Platform, Zephyr, and Yocto are setting examples.
The latest blog from the Linux Foundation shares how security best practices are being built in.

🔗 https://www.linuxfoundation.org/blog/pathways-to-cybersecurity-best-practices-in-open-source-how-three-linux-foundation-projects-are-leading-the-way-in-cra-compliance
#OpenSource #Cybersecurity #CRA #LinuxFoundation

Pathways to Cybersecurity Best Practices in Open Source: How Three Linux Foundation Projects are Leading the Way in CRA Compliance

How many XP do I get toward being an old technomancer for realizing that I just trimmed a rogue hair in my beard with wirecutters.