In this FOSDEM talk, Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF), discusses the lessons of the Log4j incident and OpenSSF's efforts to improve the security of open source software. He emphasizes how pervasive open source code is in software supply chains, with approximately 78% of the code in a typical codebase being pre-existing open source code. Behlendorf outlines the many points at which a software supply chain can be compromised and argues for standardized secure coding practices to reduce the risk of vulnerabilities. He also discusses the importance of measurement, tooling, and culture change in improving security.

Behlendorf describes several OpenSSF initiatives and resources, including evaluation of open source code, the Secure Software Development Fundamentals training, and the Best Practices badge and Security Scorecards projects. He covers the Sigstore software signing service and the importance of preserving anonymity in open source development. He also addresses the economics of funding security work and a potential collaboration between OpenSSF and OWASP, and concludes by calling for collective action and investment to improve the security of open source software.