Session

Eating the open source security sandwich with Skootrs

There seems to be an ever-growing set of things to care about when we look to secure software, especially open source software: securing builds through practices like SLSA, creating SBOMs in formats like SPDX, signing software through tools like Sigstore, using VEX through specifications like OpenVEX, and so much more. Software developers are now being asked to add a deep understanding of cybersecurity to their never-ending list of responsibilities. There is truly a "sandwich" of tools, practices, and data to produce and consume, many of which are developed in the OpenSSF community.

How can we make eating this "sandwich" simple? Cybersecurity is only effective if people follow the practices and use the tools. That is easier to do at the start of a software project than to retrofit later.

Learn more about Skootrs (pronounced "scooters"), a new open source tool that makes adopting these practices and tools, along with generating security metadata, easy through automation and guardrails.

Michael Lieberman

Co-founder and CTO of Kusari
