Celebrating OpenSSF’s Anniversary

Kusari celebrates the past, present, and future of the Open Source Security Foundation.

Ben Cotton

August 6, 2025

Monday marked the fifth anniversary of the Open Source Security Foundation (OpenSSF). OpenSSF is the part of the Linux Foundation dedicated to improving tooling, practices, standards, and education for security in the open source ecosystem. At Kusari, we’re proud to have been involved in OpenSSF since our founding.

‍

At Kusari, our commitment to open source goes beyond usage. We contribute time, energy, and engineering talent because we believe in the mission, and we understand that a strong open source ecosystem is critical to our own success and the success of the broader software industry.

‍

Securing open source is an important part of Kusari. Our founders and employees have a long history of leadership and active participation in OpenSSF projects and other open source communities — both on behalf of Kusari and individually. We are far more active than one might expect relative to our size. Kusari employees sit on the OpenSSF’s Governing Board & Technical Advisory Council, lead the Open Source Project Security Baseline SIG, maintain the in-toto-attestation & in-toto-golang projects, and sit on the steering committees for the SLSA Framework & OpenSSF Scorecard. And, of course, we co-created the GUAC project, which we contributed to OpenSSF in 2024.

‍

Why does a small company dedicate time and talent to open source communities?

Like most modern software companies, Kusari builds on a foundation of open source. But unlike many, we go deeper — we actively shape the projects we depend on. Here’s why.

It’s an Investment in Ourselves

We depend on open source to deliver value to our customers. Ensuring the long-term health and security of those dependencies is not charity—it’s strategic. A vibrant, sustainable open source ecosystem means more secure, more resilient products for everyone, including us.

We Share in Shaping the Industry

Through initiatives like OpenSSF and projects like GUAC and SPDX, we’re able to collaborate with global experts to define best practices, tooling standards, and policy frameworks that will define software supply chain security for the next decade.

Participating in OpenSSF presents:

A network of world-class experts pushing the boundaries of what's possible.
A seat at the table in defining how software should be built, shared, and secured.
A platform for innovation, where experimental ideas can take shape and scale
A channel for education, both learning from others and contributing our knowledge

Plus, open source projects are a great learning lab. We gain new skills and also learn about new technologies and use cases that are important to developers & security practitioners. Lessons we learned building GUAC helped shape Kusari Platform. Participating in new projects has helped our staff learn new programming languages and developer tools.

‍

With the European Union’s Cyber Resilience Act (CRA) and other industry regulations coming into force, the software industry is going to have to work harder to secure software supply chains. This is good for consumers, of course, but it can be a challenge for manufacturers. OpenSSF’s work to produce training content for developers, plus standards & tooling for project maintainers to improve their security posture, are a critical part of getting the industry ready.

‍

We congratulate the OpenSSF on its fifth birthday and look forward to working with OpenSSF staff and contributors for the next five years — and many more beyond that!

‍

If you’ll be in Amsterdam later this month for Open Source Summit & OpenSSF Community Day Europe, please join us for the following sessions:

‍

Like what you read? Share it with others.

Open Source Summit 2022

Takeaways & Learnings

June 23, 2022

Tim Miller

SPIFFE/SPIRE CSI Driver

Overview of the SPIFFE/SPIRE CSI Driver

June 27, 2022

Parth Patel

Not Just Third Party Risk

There’s a misconception in Cybersecurity among some that Software Supply Chain Security is just Third Party Risk Mana...

Celebrating OpenSSF’s Anniversary

Why does a small company dedicate time and talent to open source communities?

It’s an Investment in Ourselves

We Share in Shaping the Industry

Other blog posts

Open Source Summit 2022

SPIFFE/SPIRE CSI Driver

Not Just Third Party Risk

Government Memo for Enhancing the Security of the Software Supply Chain

A High Fidelity View of Software Supply Chain

Kusari presenting at KubeCon and Cloud Native SecurityCon NA 2022

The Next Heartbleed?

Kusari's Software Supply Chain Security Overview

Applying Zero Trust to the Software Supply Chain

Figure Out Who's Lurking in Your Supply Chain With Signatures and Attestations

Kusari Open-Sources Spector

GUAC v0.1 Beta Release

Quest to determine the 'G' in GUAC

daBOM Podcast with Tim & DJ

Announcing Helm Chart for GUAC

Case Study: A discussion with Guidewire on GUAC

Announcing the Kusari YouTube Channel and GUACademy

Terror of cURL - Preparation is Half the Battle

Spooky Enhancements: Unveiling GUAC's OpenVEX Feature

What the NSA Missed in its SBOM Management Recommendations

Contributor to Leader: Securing Open Source Software at OpenSSF

Our $8M Funding Round Fuels our Mission to Make the Software Supply Chain Transparent and Secure

Kusari Soaks up Community at FOSDEM and Beyond

From Open Source Community to Joining a Start-up – while in High School

Unveiling GUAC as an OpenSSF Incubating Project for Software Dependency Management

Graph for Understanding Artifact Composition (GUAC) Joins OpenSSF as Incubating Project

XZ Backdoor: Software Security Lessons

Proactive Security in the Post-Log4j Era

Graph for Understanding Artifact Composition (GUAC) adds persistent storage in v0.6.0 release

Another Turn of the Page: GUAC v0.7.0 Released

Counting CVEs Was Never Enough

Kusari Signs the Secure by Design Pledge

To Fork or Not to Fork

Meeting Federal Software Supply Chain Mandates

Achieving Wisdom with GUAC Visualizer

Announcing GUAC v0.8.0 Enhancements

Why Software Cannot Be Secured by SBOMs Alone

Hack-Proof Artificial Intelligence Supply Chains Using Open Source Security

GUAC Boosts License Transparency

Understanding Prevalence is the First Step

You Can’t Fix Issues if You Can’t Find Them

Introducing the Kusari Platform—know your software

Is Your Supply Chain Haunted by CVEs?

The Path to Zero CVEs: Vanquishing Cyber Threats

Is the Internet on Fire? The State of Open Source Security

The Best Way to Secure Your Open Source Supply Chain is to Participate

Rust Won’t Fix Everything: Moving Toward a Memory-Safe Future

Threat Modeling in the Software Development Life Cycle

Solving the “Bottom Turtle” Problem in Supply Chain Security

Software Supply Chain Security Predictions: Hits & Misses from 2024

AI Alone Won’t Fix Your Supply Chain

Software Supply Chain Security Predictions for 2025

Stick a Pin in It: Managing Dependencies for Supply Chain Security

Alarms Raised by Critical Reverse Backdoor Vulnerability in Medical Devices

Unpacking the Kusari Score

Unpacking the Kusari “Effort to Fix” Capability

Building a Foundation of Trust for a Stronger Software Supply Chain

Analyzing Third-Party Risk in Open Source Software

Addressing Third-Party Risk in Open Source Software

Raising the Bar for Open Source Security: Introducing the OSPS Baseline

Unpacking Kusari Platform Views

Starting the Security Journey: Producing an SBOM

The Next Step in the Security Journey: Comparing SBOMs

Another Step on the Security Journey: A Constellation of SBOMs

The Last Step on the Security Journey: Kusari Platform

Securing Your AI Models

GUAC Now Supports Runtime Kubernetes SBOMs using Kubescape

Securing the Software Supply Chain book now available!

Providing Secure Updates with TUF

The Hidden Risk in Your Software: Understanding Transitive Dependencies

Codifying the SDLC with in-toto

The Hidden Risk in Your Software: Managing Transitive Dependencies

VulnCon 2025 Recap

The Future of CVEs

Identifying Threats in the Implementation Phase