Top Tech Firms Form Open Source Security Foundation

A group of leading tech industry heavyweights that includes Microsoft, IBM, and Google announced the formation this week of a new software foundation to consolidate industry efforts to improve the security of open-source software. Developed under the auspices of the Linux Foundation (LF), the Open Source Security Foundation (OpenSSF) is being billed as a cross-industry collaboration that will focus its members on improving the security of open-source software by "building a broader community, targeted initiatives, and best practices."

The founding membership of the OpenSSF also includes GitHub, JPMorgan Chase, NCC Group, the OWASP Foundation, and Red Hat. It's being hosted on GitHub.

"Open source software has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike," the Linux Foundation said in a statement. "Because of its development process, open source that ultimately reaches end users has a chain of contributors and dependencies. It is important that those responsible for their user or organization's security are able to understand and verify the security of this dependency chain."

The OpenSSF will benefit from existing LF projects, including the multi-million-dollar Core Infrastructure Initiative (CII), whose participants take a collaborative, pre-emptive approach to strengthening cybersecurity. OpenSSL was the first project to receive fellowship funding from the CII. Another open-source security effort, the GitHub-initiated Open Source Security Coalition (OSSC), will become part of the OpenSSF.

"We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on," said Jim Zemlin, the Linux Foundation's executive director, in a blog post. "Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort."

The open source software community has tended to be critical of proprietary software providers, such as Microsoft, because their code can't be independently checked. But Microsoft has been on a path to embrace open source ever since its CEO, Satya Nadella, made his famous "Microsoft loves Linux" pronouncement about five years ago.

"Open-source software is core to nearly every company's technology strategy," said Mark Russinovich, CTO of Microsoft's Azure group, in a blog post, "and securing it is an essential part of securing the supply chain for all, including our own. With the ubiquity of open source software, attackers are currently exploiting vulnerabilities across a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware, and IoT."

Microsoft had already been working with the OSSC to identify security threats in open-source software. It has also worked to speed up the process of fixing vulnerabilities once they are found. Additionally, Microsoft has developed security tools for open-source developers and currently offers best-practices advice, Russinovich noted.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.