OpenSSF Seeks $150M+ to Address Open Source Software Security

The Open Source Security Foundation (OpenSSF) this week outlined a plan to better secure open source software by focusing on 10 streams of investment that, in total, would require more than $150 million.

The overall goal, announced at the Open Source Software Security Summit II, is to make sure open source software running in production environments is secure, to improve vulnerability discovery and remediation, and to reduce the amount of time required to patch software.

The specific streams of investment are:

Stream one: Create a small team to deliver baseline secure software development education and certification to all. Cost: $4.5 million for the first year and $3.45 million per year beyond.

Stream two: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) open source software components. Cost: $3.5 million for the first year and $3.9 million per year beyond.

Stream three: Accelerate the adoption of digital signatures on software releases. The goal is to have 50 of the top 200 projects and 1,000 of the top 10,000 projects adopt an interoperable software signing approach. Cost: $13 million for the first year and $4 million per year beyond, with a one-time $10 million push after the first year.

Stream four: Eliminate the root causes of many vulnerabilities by replacing non-memory-safe languages such as C and C++ in critical shared codebases. Cost: $5.5 million for the first year and $2 million per year beyond.

Stream five: Establish the OpenSSF Open Source Security Incident Response Team, made up of a stable of 30 to 40 security experts. Cost: $2.75 million for the first year and $3.05 million per year beyond.

Stream six: Accelerate discovery of new vulnerabilities by maintainers and experts through vendor-neutral security tools and expert guidance that would eventually cover the top 10,000 open source software components. Cost: $15 million for the first year and $11 million per year beyond.

Stream seven: Conduct annual third-party code reviews and remediation work for the top 200 most-critical OSS components. The goal is to address 50 of the most critical projects in the first year and cover the top 200 in years two and beyond. Cost: $11 million for the first year and $42 million per year beyond.

Stream eight: Coordinate industry-wide data sharing to improve research that helps determine the most critical OSS components. Cost: $1.85 million for the first year and $2.05 million per year beyond.

Stream nine: Improve software bill of materials (SBOM) tooling and training to drive adoption, including a team to work directly with critical projects and submit improvements. Cost: $3.2 million for the first year and an unspecified amount per year beyond.

Stream ten: Enhance the 10 most critical OSS build systems, package managers and distribution systems to provide better supply chain security tools and best practices. Cost: $8.1 million for the first year and $8.1 million per year beyond.

Dan Lorenc, CEO of Chainguard, a provider of a platform for securing software supply chains, said rather than duplicating efforts, it makes sense for multiple open source projects to rely on the same tooling and centralized incident response capabilities. However, making open source software more secure using signatures is a prerequisite because today it’s simply too easy to tamper with software components in an upstream open source project that typically only has a handful of maintainers to support it.

Steve Chin, vice president of developer relations for JFrog, a provider of a continuous integration/continuous delivery (CI/CD) platform, added that the most critical thing to do is secure the repositories used by open source projects and make sure SBOMs are employed everywhere.

Ultimately, the focus on software supply chain security will advance the adoption of DevSecOps best practices, he added. In fact, the need for more secure software is likely to accelerate the shift toward containers, since they can be ripped and replaced more easily than monolithic applications, which are more challenging to patch, Chin noted.

It’s not clear whether $150 million is enough to address the scope of the open source security challenges ahead. After all, compared to the total cost invested in fixing the Log4Shell vulnerability alone, the funds being sought to fix open source software seem comparatively small.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 745 posts and counting.See all posts by mike-vizard