Alpha-Omega Project Takes Human-Centric Approach to Open Source Software Security


The Log4j vulnerability crisis that erupted in late 2021 heightened the world’s security awareness of supply chain risks in free, universally deployed open source software. After an intense holiday campaign by administrators and cybersecurity professionals to track and patch the Log4j flaw, the White House hosted a meeting of industry leaders to discuss improving open source software security. source.

In a sign that the tech industry is stepping up its efforts, the Linux Foundation and the Open Source Security Foundation (OpenSSF) have announced Project Alpha-Omega. Backed by initial funding of $5 million from Microsoft and Google, the project aims to improve software supply chain security for 10,000 open source software projects by systematically searching for undiscovered vulnerabilities in open source code, then working with the project managers to correct them.

Alpha will target critical projects; Omega will identify defects in 10,000 projects

The Alpha part of the project will target and assess the most critical open source projects to help organizations improve their security postures. Projects will be selected based on the work of the OpenSSF Securing Critical Projects Working Group using a combination of expert opinion and data, including the OpenSSF criticality score and Harvard “Census” analysis identify critical open source software.

For these projects, members of the Alpha team, initially comprised of paid professionals funded through the initiative, will provide personalized assistance so that organizations can understand and address security gaps. This assistance may include, for example, threat modeling, automated security testing, source code audits, and assistance in remediating discovered vulnerabilities.

The Alpha team will also track a series of important metrics to help stakeholders better understand the security of the open source project they depend on. The team will further publish a transparent and standardized view of the project’s security posture and compliance with security best practices.

The Omega part of the initiative will use automated methods and tools to identify critical security vulnerabilities in at least 10,000 widely deployed open source projects using a combination of people, technologies and processes. Omega will have a dedicated team of software engineers who will continuously adjust the scanning pipeline to reduce false positive rates and identify new vulnerabilities. Although both Alpha and Omega launched with paid staff members, the initiative hopes to ultimately leverage more volunteers.

The initiative aims to fill a gap

Brian Behlendorf, Managing Director of OpenSSF, told CSO, “We realized there was a gap in terms of a set of requirements, which I think really came out with the call there. a few weeks with the White House.” Although driven by Log 4j, “the meeting was thought to ask these deeper questions about how the open source community writes code and where are the useful places to support better interventions to help mitigate the chances of a future Log4j. Then, once they happen, how do you respond to them in a more graceful way?”

“Meet the needs [of the spectrum of open-source software security projects], there are two things you need,” Behlendorf says. “You need better tooling and better automation to not only try to determine the security posture of a large number of projects en masse, but also to ask questions, to try to uncover new facts about these projects.”

Second, “You can’t just jump in with a 300-page white paper on how everyone should run their open source projects, because every open source project is different.” Behlendorf says a more hands-on approach is needed. “You have to come in and say, did you do any threat modeling? And here’s how you might think about it.

A human approach to securing open source

Michael Scovetta, senior security project manager at Microsoft, stresses the importance of a human approach in the Alpha-Omega process. He tells CSO that having people engaged on a highly collaborative basis is an essential component of the most critical Alpha projects.

“What Omega is definitely not is a machine that runs tools and then sends the results back to the open source developer,” he says. In a much lighter way, “what the open source developer of an Omega project would get from us is that we would only engage them when we find a critical vulnerability that needs their attention, and we’d be there to help him to some extent. by remedying it. »

Michael Winser, group product manager at Google, says a key outcome of the initiative, besides fixing open source software flaws, is the education element that comes with those fixes. “One of those kinds of meta results is that we learn to do this,” he told CSO. “The industry as a whole is still looking to adopt an appropriate security posture. We will begin to evolve our approach and learn from this scaling and work with other parts of OpenSSF, other groups and foundations, and open source maintainers to figure out how we can essentially elevate everyone a few inches at a time to make our security better industry-wide.

SBOMs are essential drivers of open source software security

Independent of the announcement of the Alpha-Omega initiative, the Linux Foundation released a report titled Software Bill of Materials (SBOM) and Cybersecurity Readiness, which discusses the relationship between open source maturity and SBOM readiness. Based on a survey of 412 organizations worldwide, the report reveals that 98% of organizations surveyed say they use open source software.

More importantly, the report finds that SBOM innovators are more likely to use open source software unconditionally, not because they are most at risk, but because they “simply have a more comprehensive culture and sophisticated around the use of open source software. ”

Stephen Hendricks, vice president of research at the Linux Foundation, told CSO that 66% of organizations surveyed said SBOMs were just as important for open source software as closed source software, while 20% said that SBOMs were more important for open source.

“The reality here is that two-thirds of organizations say SBOMs are important, whether they’re open source or not,” Hendricks says. “Everyone wants to know what the nomenclature of materials is; everyone wants to know about vulnerabilities. There’s a lot of open source software that goes into closed source software, and with virtually every organization using open source, it’s important to get the right open source, but it’s important to have all the right software.

Open source security is essential to global cybersecurity

Project Alpha-Omega and the Linux Foundation survey underscore the growing refrain among industry professionals that good open source software security is a critical driver of global cybersecurity. Speaking at the inauguration Secure Software Summit held last week, Dan Lorenc, Founder and CEO of Chainguard, said, “Open source software is part of everyone’s supply chain, whether they know it or not. So, understanding the security of open source software is pretty critical to understanding the broader supply chain security issues we face.

Abhishek Arya, Principal Engineer and Head of Google’s Open Source Security Team, said, “As new vulnerabilities emerge, we need to understand these security risks and be better prepared to manage them. We must understand that open source software is not free. It looks like it, but it comes at a huge security cost. Much open source software is developed by volunteers in their spare time where security often comes last in their list of priorities.

Rob Tompkins of the Apache Software Foundation emphasized the need to anticipate future Log4j-like security issues with more secure production practices: “First, fix your production environment. Fix your production software, please, please, please. I cannot stress this enough.

Copyright © 2022 IDG Communications, Inc.


Comments are closed.