It’s rare to see a community truly come together for the common good, but that’s exactly what happened yesterday within our open source community. We cherished the opportunity to participate in a conversation, led by the Open Source Security Foundation (OpenSSF), where industry, open source foundations, and government all came together to discuss how we solve the massive problem of securing open source software (OSS).
Being a part of these conversations with White House officials and nearly 50 other companies and organizations, all of whom believe in harnessing the full power of open source while minimizing its risk, has been invigorating. I’m proud of the work that’s gone into developing a new plan set forth by OpenSSF titled The Open Source Software Security Mobilization Plan (more on that below). With this, we’re making incredible steps toward getting open source maintainers and the producers of open source the help they deserve. And we are fully committed to playing whatever role we can in that endeavor.
But I also ask that we, as a community, don’t lose sight of all the things we can do right this minute to help consumers of open source better manage and secure their supply chains. As we fix the broader system, tooling already exists that makes more secure and more maintainable open source possible.
Let me explain more below.
Open Source Use is Ubiquitous
When we first started Sonatype, it was an uphill battle helping companies understand how much open source they were even using. We’ve come a long way since then, and there is little question that most development organizations, whether in industry or government, are widely using open source within their software supply chains. Just for some context on how widespread its use is, research shows: