StepSecurity Joins the Open Source Security Foundation (OpenSSF)

Introduction

We are thrilled to announce that StepSecurity has officially become a member of the Open Source Security Foundation (OpenSSF), a global initiative focused on securing open source software (OSS). This partnership represents a significant milestone in our journey towards empowering developers and organizations to effectively safeguard their open source projects from evolving CI/CD security threats.

StepSecurity has also previously collaborated with OpenSSF Scorecard and empowered hundreds of developers to achieve a higher security score for their open source projects with our automation platform.  

About OpenSSF  

OpenSSF, initiated by the Linux Foundation, is dedicated to sustainably securing OSS ecosystems by fostering collaboration, establishing best practices, and developing innovative solutions. The foundation brings together the industry’s most important open source security initiatives and the individuals and companies that support them.  

StepSecurity's Contribution to Open Source Security

The open source community lies at the heart of StepSecurity. Our community tier is trusted by over 2,900 open source projects including those of the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft, Google, and more. We have enabled these organizations to secure their open source projects by automating GitHub Actions security best practices. The StepSecurity platform has defended against real-world CI/CD security attacks against prominent open-source projects such as Bazel and Flank.

So, what makes so many organizations choose the StepSecurity's platform? The answer lies in its ability to integrate various tools and the hardening aspects it offers for the CI/CD pipelines.  

We seamlessly enable the following:

• CI/CD Network and Infrastructure Security
• Static Application Security Testing (SAST) tool
• Software Composition Analysis (SCA) tool
• OpenSSF Scorecard
• Dependabot configuration for dependency updates  

When it comes to hardening aspects of the CI/CD pipelines, our platform ensures:

• Setting the least permissions for GitHub action tokens
• Pinning of GitHub Actions
• Docker image pinning

Here are the current number of repositories that have leveraged the StepSecurity platform for various fixes-

StepSecurity as a Part of OpenSSF

OpenSSF welcomed StepSecurity at SOSS Community Day North America along with esteemed new members like Ada Logics, The Boeing Company, Chainloop, Defense Unicorns, Ensignia, and Hedera. Here’s what the general manager of OpenSSF, Omkhar Arasaratnam, had to say about the new members,

“It brings us great pleasure to welcome our newest members to the OpenSSF. The challenge of safeguarding open source software is significant, and we eagerly anticipate collaborating with them.”

StepSecurity is proud to be a part of this growing community and we’re excited to collaborate in addressing the evolving CI/CD threats and strengthen the open source community. Our partnership with OpenSSF has been fantastic so far and formalizing it will allow us to empower even more open source maintainers to protect their projects against CI/CD attacks

Conclusion

We look forward to a fruitful collaboration with the OpenSSF community and contributing to the advancement of open source software security initiatives. To know more about this collaboration, read the OpenSSF announcement for its new members.

‍