Here are valuable references and resources for understanding and implementing open source security and supply chain protection.

Security Frameworks & Standards

SLSA

Supply-chain Levels for Software Artifacts - A security framework for software supply chain integrity

OpenSSF Scorecard

Automated security health metrics for open source projects

NIST SSDF

Secure Software Development Framework for comprehensive software security

CIS Controls

Cybersecurity controls including software asset management

Vulnerability Databases

OSV Database

Distributed vulnerability database for open source software

National Vulnerability Database

US government repository of standards-based vulnerability management data

GitHub Advisory Database

Security advisories from GitHub and the open source community

Snyk Vulnerability DB

Commercial vulnerability database with detailed remediation guidance

Security Tools & Scanners

OSV-Scanner

Google’s vulnerability scanner for dependencies and container images

Trivy

Comprehensive security scanner for containers, IaC, and dependencies

Dependabot

GitHub’s automated dependency update and security alert service

Snyk

Commercial security platform for finding and fixing vulnerabilities

Package Registries & Metadata

deps.dev

Google’s open source insights and dependency information service

Libraries.io

Comprehensive package manager and dependency tracking platform

NPM Security

Security features and audit capabilities in the npm ecosystem

PyPI Security

Security features and best practices for Python Package Index

SBOM Tools & Standards

CycloneDX

Lightweight software bill of materials standard and tooling

SPDX

Software Package Data Exchange standard for software supply chain data

NTIA SBOM

US government guidance on software bill of materials

CISA SBOM

Cybersecurity and Infrastructure Security Agency SBOM resources

Policy & Compliance

Executive Order 14028

US Executive Order on Improving the Nation’s Cybersecurity

Open Policy Agent

Policy engine for cloud native environments and infrastructure

NIST Cybersecurity Framework

Framework for improving critical infrastructure cybersecurity

ISO 27001

International standard for information security management

Research & Intelligence

Sonatype State of Software Supply Chain

Annual report on software supply chain security trends

CNCF Security TAG

Cloud Native Computing Foundation security technical advisory group

OpenSSF Research

Open Source Security Foundation research initiatives

IEEE Software Supply Chain

Academic research on software engineering and security

Learning Resources

Books and Publications

Training and Certification

Industry Organizations

OpenSSF

Open Source Security Foundation - Cross-industry collaboration on security

CNCF

Cloud Native Computing Foundation - Container and cloud security

Linux Foundation

Research on free and open source software usage and security

OWASP

Open Web Application Security Project - Web application security

Conferences and Events

Major Security Conferences

  • RSA Conference - Premier cybersecurity event
  • Black Hat / DEF CON - Security research and hacking conference
  • BSides - Community-driven security conferences worldwide
  • OWASP Global AppSec - Application security conference

Supply Chain Specific Events

  • Supply Chain Security Summit - Focused on software supply chain
  • KubeCon + CloudNativeCon - Cloud native and container security
  • Open Source Summit - Linux Foundation’s flagship open source event
  • DevSecOps Days - Local DevSecOps community events

Tools Integration

CI/CD Platforms

Container Security

Community Resources

SafeDep Community

Join our Discord community for vet and SafeDep discussions

Security Twitter

Follow security researchers and practitioners

Reddit r/netsec

Network security community discussions

HackerNews Security

Technology and security news discussions

Regular Publications

Security Newsletters

  • tl;dr sec - Weekly security newsletter
  • Krebs on Security - Security journalism and investigation
  • The Hacker News - Cybersecurity news and insights
  • Dark Reading - Enterprise security coverage

Research Publications

  • ACM Digital Library - Academic computer science research
  • IEEE Xplore - Engineering and technology research
  • arXiv Security - Preprint security research papers
  • USENIX Security - Systems security research

This curated list represents some of the most valuable resources in the open source security and supply chain protection space. For the latest tools, research, and best practices, consider joining our community where members share updates and discoveries.

Resources are regularly updated as the security landscape evolves. Submit suggestions for additional resources through our GitHub repository or community channels.