The Open Source Security Foundation (OpenSSF) today launched the Alpha-Omega Project to improve the security of open source software, using a $5 million initial investment provided by Microsoft and Google.
Brian Behlendorf, general manager for the OpenSSF, said the goal is to make security expertise available to a broader range of open source software projects and provide access to automated security testing tools that can be incorporated into the DevSecOps workflows used to build open source software. The OpenSSF previously launched a certification effort to make it easier to identify secure open source software.
Michael Scovetta, principal security product manager for OpenSSF, added that organizations managing multiple open source projects will find it more efficient to automate testing processes across those projects using a common set of tools.
The OpenSSF was set up to increase confidence in open source software security in the wake of a series of high-profile breaches and zero-day vulnerabilities. Most recently, the White House convened a meeting to discuss the state of open source software security. Meeting participants included Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis and officials from the Office of the National Cyber Director, Office of Science and Technology Policy, the Department of Defense, the Department of Commerce, the Department of Energy, the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and the National Science Foundation. Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, the Linux Foundation, OpenSSF, Microsoft, Oracle, Red Hat and VMware all sent representatives.
The White House is clearly bringing more pressure to bear after the disclosure of the zero-day Log4j vulnerability in Java applications that wreaked havoc in enterprise IT environments and government agencies. That vulnerability made it clear just how dependent organizations are on open source software projects that are often created and maintained by just a handful of volunteer maintainers and contributors. The individuals who created those projects don’t always have a lot of cybersecurity expertise. In fact, many of them would argue that the onus for securing open source software is on the organizations that use what amounts to free software. It’s not the responsibility of the contributors and maintainers to drop everything and immediately create a patch to address a zero-day vulnerability.
The federal government, however, has made it clear via executive order that it expects IT vendors and large enterprises that depend on open source software to do more to secure it. The Alpha-Omega Project is a significant step in that direction.
Behlendorf said the OpenSSF is not trying to dictate precisely how open source projects should implement DevSecOps best practices and workflows. Instead, the OpenSSF plans to meet smaller projects where they are in terms of DevSecOps workflows while sharing best practices with larger projects that already have established processes for reviewing security.
One way or another, the security of open source software should steadily improve in the months and years ahead. The challenge is making sure those advances occur before there is yet another major security incident.