Open Source Security Foundation Grows After White House Summit
It's less than two years old, but the Open Source Security Foundation (OpenSSF,) a cross-industry group hosted at the Linux Foundation, is attracting an impressive (and growing) roster of members signing up to pitch in on efforts to identify and fix security vulnerabilities in open-source software (OSS), while improving everything from tooling and training to research and vulnerability disclosure practices.
This week, the OpenSSF announced that 19 new organizations have joined that effort, including Citi, Huawei Technologies, Spotify, Alibaba Cloud, and JFrog, bringing the total current membership (by my count) to 60. They're joining a group that already includes Google, Microsoft, AWS, Meta, Cisco, GitHub, Intel, Red Hat, and Snyk. (A complete list of members is available here.)
"The importance of open-source software security is well recognized by the customer, industry, and government," said Dr. Kai Chen, chief security strategist at Huawei, a new Premium Member of the OpenSSF, in a statement. "It is time for the community to take strategic, continuous, effective ,and efficient actions to advance the open-source software security posture…."
The foundation's expanding membership represents what the OpenSSF calls "cross-industry momentum," spurred at least in part by the White House Open Source Security Summit in January. The OpenSSF was there, representing hundreds of communities and projects by highlighting collective cybersecurity efforts and sharing their desire to work with the administration across public and private sectors.
Brian Behlendorf, executive director at OpenSSF, was optimistic about that meeting when I talked with him last week. He said the participants from the administration were well informed on the topic.
"They asked good questions, and we tried to make the point that the government is a major user of open-source software," he told me. "And consequently, has a vested interest in improving its consumption of that software. But also, that there are increasing amounts of code being contributed by governments, or by them through contractors, so they're effectively publishers of open-source software, actually a peer in the community. And we talked about what role they should play."
Behlendorf, who assumed his current role in October, is probably best known as a primary developer of the Apache Web Server and a founding member of the Apache Software Foundation. "We're calling this job 'general manager' to de-emphasize that title," he said. "But even that overstates it. Orchestrator, maybe? I'm really more of a circus ringmaster."
The OpenSSF combines the Linux Foundation’s Core Infrastructure Initiative (CII), an effort to improve OSS security in response to the 2014 Heartbleed bug, and the Open Source Security Coalition (OSSC), which was founded by the GitHub Security Lab to build a community to support open-source security for decades to come.
"As all industries increasingly rely upon open-source software to deliver digital experiences, it is our collective responsibility to help maintain a vibrant and secure ecosystem," said Lena Smart, chief information security officer at MongoDB, a new general member of the foundation. "You can have all the tools in the world, but at the end of the day, it is people across multiple organizations around the world working together that will ensure an expansive cybersecurity program…"
Since it was launched in August 2020, the OpenSSF has reached some important milestone across a variety of its technical initiatives, including:
Alpha-Omega Project Launch
The Alpha-Omega Project focuses on improving global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open-source code, and get them fixed. The "Alpha" component will work with the maintainers of open-source projects to help them identify and fix security vulnerabilities and to improve their security posture. The "Omega" component aims to identify at least 10,000 widely deployed OSS projects for which it can apply automated security analysis, scoring, and remediation guidance in their open-source maintainer communities. Microsoft and Google are supporting the project with a $5 million investment.
Scorecards Increases Scans to 1 million Projects
Scorecards is an OpenSSF project that helps open-source users understand the risks of the dependencies they consume. GitHub and Google recently announced Scorecards v4, and the project has increased the scale of its scans from 50,000 projects to one million projects identified as most critical based on their number of direct dependencies.
Sigstore Project Gains Momentum
Sigstore is a set of tools developers, software maintainers, package managers and security experts. The recently released a project update reported nearly 500 contributors, more than 3,000 commits, and more than one million entries in Rekor.
Nearly 1,000 Codes for Free MFA Tokens
The Securing Critical Projects Working Group coordinated the distribution of nearly 1,000 codes for free multi-factor authentication (MFA) tokens donated by Google and GitHub to developers of the 100 "most critical" open-source projects. "This is a small but critical step in avoiding supply chain attacks based on stolen credentials of key developers," the foundation said in a press release.
Posted by John K. Waters on March 2, 2022