Linux Foundation & Harvard carry out open source ‘security census’

The Linux Foundation’s Core Infrastructure Initiative (CII) is a project designed to support best practices with a key eye on the security of critical open source software projects.

The CII team has this month worked with the Laboratory for Innovation Science at Harvard (LISH).

Together, the two tech teams have produced ‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software.`

This Census II analysis and report digs into the structural complexities in the modern day software supply chain where open source is of course pervasive, but, perhaps, not always understood. 

Census II identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities.

Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel’s operation and security.

“This report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that results in trust and transparency in software,”  said Jim Zemlin, executive director at the Linux Foundation.

Working in collaboration with Software Composition Analysis (SCAs) and application security companies, including ‘developer-first’ security company Snyk and Synopsys Cybersecurity Research Center (CyRC), the Linux Foundation and Harvard were able to combine private usage data with publicly available datasets and develop a methodology for identifying more than 200 of the most used open source software projects, 20 of which are detailed in the findings.

The increasing importance of FOSS throughout the economy became critically apparent in 2014 when the Heartbleed security bug in the OpenSSL cryptography library was discovered. By some estimates, the bug impacted nearly 20 percent, or half a million, of secure web servers on the Internet.

It was the impetus for the Core Infrastructure Initiative, which has raised millions of dollars for open source security in just the last six years.