The Open Source Security Foundation (OpenSSF) today launched the Alpha-Omega Project to improve the security of open source software with an initial investment of $5 million provided by Microsoft and Google.
Brian Behlendorf, managing director of OpenSSF, said the goal is to make security expertise available to a wider range of open source software projects and to provide access to automated security testing tools that can be integrated into the DevSecOps workflows used to build open source software. The OpenSSF previously launched a certification effort to make it easier to identify secure open source software.
Michael Scovetta, senior security product manager for OpenSSF, added that organizations managing multiple open source projects will find it more efficient to automate the testing processes for those projects using a common set of tools.
OpenSSF was established to increase confidence in the security of open source software following a series of high-profile breaches and zero-day vulnerabilities. More recently, the White House called a meeting to discuss the state of open source software security. Meeting participants included Anne Neuberger, Deputy National Security Advisor for Cybersecurity and Emerging Technologies, Chris Inglis, National Director of Cybersecurity, and representatives from the Office of the National Director of Cybersecurity, Office of Science Policy and Technology, Department of Defense, Department of Commerce, Department of Energy, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), and National Science Foundation. Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, Linux Foundation, OpenSSF, Microsoft, Oracle, Red Hat, and VMware all sent representatives.
The White House is clearly exerting more pressure after the zero-day disclosure of the Log4j vulnerability in Java applications, which has wreaked havoc in corporate computing environments and government agencies. This vulnerability has shown how much organizations depend on open source software projects that are often created and maintained by a handful of volunteer maintainers and contributors. The people who created these projects don't always have a lot of expertise in cybersecurity. In fact, many would argue that the responsibility for securing open source software rests with the organizations that use what amounts to free software. It is not the responsibility of contributors and maintainers to drop everything and immediately create a patch to fix a zero-day vulnerability.
The federal government, however, has made it clear by executive order that it expects IT vendors and large companies that depend on open source software to do more to secure it. The Alpha-Omega project is an important step in this direction.
Behlendorf said OpenSSF doesn't try to dictate precisely how open source projects should implement DevSecOps best practices and workflows. Instead, OpenSSF plans to meet smaller projects where they are in terms of DevSecOps maturity, while sharing best practices with larger projects that have already established security review processes.
One way or another, the security of open source software should improve steadily in the months and years to come. The challenge is to ensure that this progress happens before there is another major security incident.