“Morally repugnant shortsightedness”: Why open source security leaders say companies must stop freeloading on maintainers


The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation focused on sustainably securing open source software, on Thursday announced that five new members have joined the foundation. ActiveState, Aikido, Minimus, and TuxCare join as General Members, and the FreeBSD Foundation joins as an Associate Member. The OpenSSF attributes the momentum behind the new memberships to what it describes as "two converging pressures" in the software ecosystem: increasingly mandatory security standards and the need to unify organizations and countries behind those standards.

Upholding global cyber standards

The OpenSSF has pledged to provide practical resources to its members to help them navigate complex requirements such as the European Union Cyber Resilience Act and its global equivalents, including the US National Security Strategy.

"As the threat landscape for software supply chains becomes more complex, the need for community-driven security standards has never been more urgent," said Steve Fernandez, general manager of OpenSSF. Fernandez said that the growth in OpenSSF membership and the arrival of projects like OSS-CRS show that security is an "important priority for all" and that the OpenSSF is providing the practical tools and guidance developers need to build more resilient software.

The joining organizations will contribute to working groups and technical initiatives that help drive the strategic direction of the OpenSSF. By collaborating within a neutral forum, all members support the long-term sustainability of the open source ecosystem.

Drop the dashboard dithering

Willem Delbare, founder and CEO of Aikido Security, tells The New Stack that the future of software security won't be won in dashboards. Instead, Delbare says, it will be won inside code repositories, package managers, and developer tooling.

"Attackers already understand that the fastest way into production is through the software supply chain," Delbare says. "Threat actors are increasingly adept at poisoning dependencies, compromising maintainer accounts, delivering malicious commits, exposing credentials, and creating subtle changes buried deep in infrastructure code."

He notes that Aikido's focus is on pushing security controls directly into the places developers already operate: the terminal, the CI/CD pipeline, Git workflows, container builds, and the low-level code paths that are hardest to monitor but most dangerous when compromised.

"That includes projects like Safe Chain, Zen Firewall, OpenGrep, and BetterLeaks, where the goal is not just visibility but active prevention," Delbare says. "For maintainers and engineers working close to the kernel, sandboxing layers, or runtime infrastructure, security tooling must become operational infrastructure, not just another compliance checkbox. OpenSSF is one of the few places where companies can collaborate openly on that problem and build standards that developers will actually adopt."

Morally repugnant short-sightedness

Kat Cosgrove, head of developer advocacy at cloud container security specialist Minimus, tells The New Stack that, despite all the best efforts playing out in the open source security space, there is still a lot of noise out there. She says it is "no longer hyperbole" to call open source software the foundation of almost everything we build today.

"Despite this, many companies refuse to actively participate in the support or maintenance of the very projects they're using to get rich," Cosgrove says. "They leave open source maintainers to build and secure their products for them, and they carelessly task their own engineers with the responsibility to operate without the standards or tooling necessary to fill in the gaps. This is not only morally repugnant, but also short-sighted and poor business practice."

Clearly unafraid to call out the laggards and leeches, Cosgrove is resolute about her organization's purpose in the industry: an obligation to "do right" by users. "It is mandatory to ensure open source maintainers have the necessary tools to secure their projects so that your developers can safely implement those projects in production environments," she says.

Repossessing repo responsibility

The need to shift focus to the software repository (repo) is a major theme right now. Leslie Pascual, field engineering manager for AI & security at ActiveState, tells The New Stack that this isn't rocket science: security must show up where engineers actually work.

"Quite simply, that means appearing in the repo, the build, the package workflow, the container, the sandbox, and the command line," Pascual says. "For kernel-level and systems engineers, those moments sit right at the trust boundary of modern infrastructure. At ActiveState, we focus on helping teams operationalize trust, whether through secure builds, provenance, or BOM and VEX details."

The resounding sentiment from Pascual and others here is that a tangible effort is underway to build workflows that software engineers can actually use. It's a pledge echoed by Igor Seletskiy, CEO of TuxCare, a company known for rebootless vulnerability patching, compliance-ready Linux security, vulnerability intelligence, and long-term security services.

Seletskiy tells The New Stack that vulnerabilities and supply chain attacks have changed what it means to depend on open source, and that AI is accelerating both.

"Every package a developer pulls now carries an unanswered question about who built it, what's in it, and whether it can be trusted," Seletskiy says. "Answering that takes coordinated work across the ecosystem, which no single company can do alone. That's why we joined OpenSSF."

As executive director of the FreeBSD Foundation, Deb Goodkin leads the organization's mission to support the FreeBSD open source operating system through research and education. Commenting on the new membership, she said: "As a critical component of the global digital infrastructure, we believe FreeBSD must be part of the security discussions shaping the future of open source. Joining the OpenSSF will enable us to collaborate with others to help protect the software the world depends on."

A trusted foundation for operations

In a related announcement, the OpenSSF also noted additional technical resources for Python secure coding, the first cohort of OpenSSF Ambassadors, and new projects like OSS-CRS joining the foundation's sandbox during OpenSSF Community Day North America this week in Minneapolis. The OpenSSF has stated that its efforts ensure open source remains a trusted foundation for digital innovation by addressing the technical, legal, and human elements of modern cybersecurity.

The post "Morally repugnant shortsightedness": Why open source security leaders say companies must stop freeloading on maintainers appeared first on The New Stack.