New OpenSSF GM Sets Open Source Security Course

The Open Source Security Foundation (OpenSSF) will be using $10 million it has raised thus far to build tools and define best practices for securing open source software projects.

Brian Behlendorf, newly appointed general manager for OpenSSF, said the funding will be used to build additional tools for securing open source software and to define best practices that maintainers of these projects should adopt.

OpenSSF already makes available a security scorecard (an automated tool that assesses a number of important heuristics associated with software security), package analysis tools, a security framework for managing software artifacts, and policies that can be readily implemented.

Also available are best practices for producing higher-quality secure software, certified using badges provided by OpenSSF, along with free training and a guide to coordinated vulnerability disclosure for open source software maintainers.

These efforts build on the Software Package Data Exchange (SPDX) specification for creating software bills of materials (SBOMs), which is now recognized as the ISO/IEC 5962:2021 international standard, added Behlendorf.

OpenSSF was launched last year as a new arm of the Linux Foundation. Financial contributions are coming from premier members such as Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk and VMware, as well as from general members such as Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust Japan, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift and Wind River.

Estimates put the overall percentage of software that is available via open source license at about 70% of all software available. It’s not clear how much of that software is being consumed. For every larger open source project, there are now hundreds of smaller initiatives that have yet to gain critical mass in terms of adoption.

There is now, however, much more focus on the security of open source software in the wake of a series of high-profile breaches involving software supply chains. The concern is that a bad actor will contribute code containing malware to a project which, once consumed downstream within a larger application, will be activated.

Behlendorf said one of the assumptions that many maintainers of open source projects make is that contributors can be trusted. Now it’s become apparent there must be processes in place to vet those contributors and contributions, he added.

There is a need to take another look at and understand how to ensure integrity across the software supply chain, noted Behlendorf. In fact, the OpenSSF is already working on a project to enable maintainers to track developer identities, he added.

In the longer term, there may even be a role for blockchain platforms to provide an immutable record of code contributions, said Behlendorf. Overall, the goal is to promote standards and best practices that make open source software much more secure, he noted.

Behlendorf also noted there will be a tremendous amount of funding that will soon be made available by the U.S. Federal government in the wake of an executive order issued by the Biden administration that requires federal agencies to review their software supply chain processes.

It may take a while, but over time open source software will become a lot more secure. At the moment, however, security teams would be well-advised to conduct a thorough review of their software supply chains to eliminate any known vulnerabilities that could be easily exploited.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.