Linux Foundation Addresses Open Source Security
The Linux Foundation announced this week it has launched yet another consortium, this time in the hopes of bringing some order to multiple previous efforts to address open source security.
The Open Source Security Foundation (OpenSSF) will consolidate the work of two existing open source security initiatives, the Core Infrastructure Initiative and the Open Source Security Coalition previously launched by GitHub. In addition, various security projects launched by other founding governing board members, including Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, Red Hat and others, will be incorporated.
Chris Aniszczyk, vice president of strategic and developer programs for The Linux Foundation, said the OpenSSF will reduce duplicated efforts across all these initiatives by first centralizing management and then bringing respective teams together to work on related projects. Additional founding OpenSSF members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.
The Linux Foundation took on a prominent role in fostering open source security when it coordinated the funding for open source developers to collaborate on developing a patch for the notorious security flaw discovered in the OpenSSL cryptography library in 2014. The OpenSSF represents a more concerted effort to proactively address open source vulnerabilities more broadly, said Aniszczyk.
Open source vulnerability issues continue to be a significant challenge. Just last week researchers revealed the existence of a BootHole vulnerability that potentially could allow hackers to bypass the Secure Boot feature of both Linux and Windows operating systems. Providers of open source operating systems are now racing to develop a patch. However, exploiting that vulnerability requires privileged access to a system. The goal of the OpenSSF would be to proactively discover vulnerabilities in a way that would enable patches to be more readily available at the time of disclosure.
In theory, at least, open source projects should be more secure because code is reviewed by the peers who make up any community. In practice, however, developers often don't have as full an appreciation for the nuances of cybersecurity. That may be improving as organizations embrace DevSecOps best practices, but as long as humans write code there will be cybersecurity issues. The only unknown is how severe any potential vulnerability may prove to be. The OpenSSF is inviting cybersecurity professionals to join the consortium and share their expertise with the open source community to help close that gap, said Aniszczyk.
Of course, the perception is that open source code is somehow less secure than commercial software. In reality, open source software simply may be targeted more because the software is open to all, including cybercriminals, who tend to focus on looking for exploits in any software that is deployed widely. The OpenSSF is betting that over time, the collective efforts of cybersecurity professionals and open source developers will carry the day.