New foundation to bolster security of open source software

The Open Source Security Foundation will bring together key open source security initiatives across the industry to improve and support the security of open source software

A foundation has been formed to improve the security of open source software, bringing together the industry’s open source security initiatives and companies that support them.

Called the Open Source Security Foundation (OpenSSF), the foundation is supported by The Linux Foundation and combines the work of the Core Infrastructure Initiative (CII), GitHub’s Open Source Security Coalition and other open source security work from governing board members including Google, IBM, JPMorgan Chase, Microsoft and Red Hat, among others.

The CII, which was formed by The Linux Foundation in the aftermath of the 2014 Heartbleed bug, will be dissolved in the long term, with its work coming under the auspices of the OpenSSF.

The Linux Foundation said the OpenSSF’s governance, technical community and decisions will be transparent and any specifications and projects developed will be supplier-agnostic, adding that it is committed to working with existing communities to improve open source security for all.

Open source software has become pervasive in datacentres, consumer devices and services. Because of its development process, open source software that reaches users has a chain of contributors and dependencies.

Against this backdrop, The Linux Foundation said it is important that those responsible for their users’ and organisation’s security can understand and verify the security of this dependency chain.

“We believe open source is a public good and we have a responsibility across every industry to come together to improve and support the security of open source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation.

“Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”

With the formalisation of the foundation, an open governance structure has been established and includes a governing board (GB) and a technical advisory council (TAC), both of which will not manage working groups and projects directly.

Instead, project maintainers will manage projects, and this includes defining the governance process. The GB is responsible for the budget, with the TAC handling the overall technical strategy.

The OpenSSF plans to host a variety of open source technical initiatives to support security for the world’s most critical open source software, all of which will be done in the open on GitHub. These include the most mission-critical software identified by Harvard’s Lab for Innovation Science.

Christopher Ferris, IBM fellow and chief technology officer (CTO) for open technology, said with open source becoming mainstream in the enterprise, the security of the open source supply chain is of paramount importance.

“The launch of the OpenSSF marks an important step towards giving open source communities the information and tools they need to improve their secure engineering practices, and the information developers need to choose their open source wisely,” he said.

Eugene Yeo, former chief operating officer at MyRepublic, an Asia-Pacific telco that uses open source software, told Computer Weekly that the OpenSSF is the right approach to resolving the security challenges seen today with open source projects.

“It brings together the community to help focus on better coding practices and faster vulnerability discovery and patching. As long as enough of the open source community supports and adopts the framework that OpenSSF sets out, there is a good chance of successfully resolving the security challenges that open source faces.”

According to a Snyk report on the state of open source security, the number of new vulnerabilities in open source packages fell by about 20% in 2019 compared with the previous year.

The open source security firm noted in a blog post that the decline could be due to better awareness among developers, improving organisational practices and advanced open source security tools in development pipelines.
