How much will it cost to secure open-source software? OpenSSF says $147.9M

Open-source software has suffered a series of high-profile vulnerabilities in recent years, putting organizations of all sizes at risk. A weakness in a single widely reused component, such as the open-source Log4j Java logging library, can affect millions of users worldwide. According to Synopsys’s 2021 study, 84% of the codebases it audited contained at least one open-source vulnerability.

As open source has become an integral part of nearly all software, it has also become a cornerstone of the software supply chain. A year ago, the Biden administration issued an executive order aimed at improving software supply chain security, which led to efforts to adopt the software bill of materials (SBOM), a manifest that discloses what is inside an application, much of which is, in practice, open source.
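To make concrete what an SBOM buys a defender once an advisory like the Log4j one lands, here is an added example (written for this edit, not code from the article, OpenSSF, or any project the article names). It parses a small, constructed CycloneDX-style SBOM, normalizes each component’s version, and reports any component whose package URL and version fall inside an advisory’s affected range. The SBOM contents, the `Advisory` record and the `affected_components` helper are this example’s own; the single advisory entry is the real Log4Shell range (log4j-core from 2.0-beta9 up to, but not including, 2.15.0, simplified to ignore the 2.12.2 and 2.3.1 backport fixes).

```python
import json
import re
from typing import List, NamedTuple, Tuple

# Constructed CycloneDX-style SBOM for this example; not any real project's SBOM.
# Only the fields the checker reads are included: components[].name/group/version/purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})


class Advisory(NamedTuple):
    """Hypothetical advisory record used by this example (not an OSV/NVD schema)."""
    advisory_id: str
    purl_prefix: str   # package part of the purl, without the @version
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


# Log4Shell affected range, simplified: 2.0-beta9 <= version < 2.15.0.
ADVISORIES = [
    Advisory("CVE-2021-44228", "pkg:maven/org.apache.logging.log4j/log4j-core",
             "2.0-beta9", "2.15.0"),
]

# "2.14.1", "2.0-beta9", "2.0.RC1": dotted numbers, optionally followed by a pre-release tag.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z].*))?$")


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sortable key: trailing zeros are dropped so 2.0 == 2.0.0, and a
    pre-release (beta9, RC1) sorts below the release with the same numbers."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    prerelease = m.group(2)
    return (tuple(nums), 1 if prerelease is None else 0, (prerelease or "").lower())


def split_purl(purl: str) -> Tuple[str, str]:
    """Return (package part, version) of a purl; qualifiers/subpath are dropped."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        base, ver = core.rsplit("@", 1)
        return base, ver
    return core, ""


def affected_components(sbom_json: str, advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """Match every SBOM component against the advisory ranges.
    Returns (advisory_id, purl) pairs for components inside an affected range."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to match on; a real checker would fall back to name/group
        base, purl_ver = split_purl(purl)
        version = comp.get("version") or purl_ver
        if not version:
            continue
        for adv in advisories:
            if adv.purl_prefix != base:
                continue
            if version_key(adv.introduced) <= version_key(version) < version_key(adv.fixed):
                findings.append((adv.advisory_id, purl))
    return findings


if __name__ == "__main__":
    for advisory_id, purl in affected_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{advisory_id}: {purl}")
```

Only the 2.14.1 copy of log4j-core is reported; the 2.17.1 copy, log4j-api and lodash pass. The point worth noting is that the match is keyed on the package URL rather than the display name, which is what lets the same check run unchanged across Maven, npm and other ecosystems once advisories are expressed in the same coordinates.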

Leading open-source organizations include the Linux Foundation and its Open Source Security Foundation (OpenSSF), whose membership continues to grow. Today at the Open Source Software Security Summit II in Washington, DC, OpenSSF announced an ambitious, multi-party plan with 10 main goals to better protect the entire open-source software ecosystem.

While open-source software itself may be freely available, securing it is not free. OpenSSF estimates that its plan will require $147.9 million in funding over a two-year period.

In a press conference after the summit, Brian Behlendorf, general manager of OpenSSF, said that $30 million had already been pledged by OpenSSF members, including Amazon, Intel, VMware, Ericsson, Google and Microsoft.

“I’ve been working with the open-source community for almost two decades, and we’ve had multiple cases during that period where vulnerabilities in an open-source component posed a dramatic risk to the wider community,” said Jim Zemlin, executive director of the Linux Foundation. “Today, for the first time, I saw an efficient plan with concrete goals.”

Zemlin also pointed out that, ambitious as the OpenSSF plan is, there is still a great deal to be done.

“We’re in the first five minutes of a long game, and the urgency here can’t be overstated,” Zemlin said. “Adversaries are becoming more sophisticated, supply chain attacks are becoming more frequent, and cyber conflicts are on the rise around the world.”

OpenSSF is looking to succeed where past efforts have not

OpenSSF’s new plan is not the first time the Linux Foundation has tried to help secure open-source software.

Eight years ago, after the Heartbleed vulnerability in the open-source OpenSSL cryptographic library, the Linux Foundation launched the Core Infrastructure Initiative (CII). CII also sought to improve open-source security and raised money from vendors to do so.

In response to a question from VentureBeat, Zemlin noted that he started CII after Heartbleed in order to provide direct financial support to the OpenSSL maintainers.

“It was a case where we were supporting a small group of individuals to do some work on crucial projects,” Zemlin said. “What has become very clear to us, and what makes this new OpenSSF effort work, is that you have to provide specific resources, including training and a set of tools for developers on how to write secure code in the first place, so that they can release secure code.”

Zemlin argued that when Heartbleed surfaced in 2014, managing the complexity of the overall software supply chain was not as difficult as it is today. He noted that between 2014 and 2022 there has been a dramatic increase in the number of small, reusable open-source components that serve as the building blocks of modern software. That growth in consumption has created a level of complexity that is extremely difficult to manage.

The new OpenSSF plan aims to give developers direct support for fixing vulnerabilities, as well as funding audits of code bases to help identify potential vulnerabilities. Zemlin said the plan also aims to remove what he called “friction points” in the supply chain, places where software package managers could add extra security. Among the additional protections is package signing for the distribution of software components, so that consumers can verify who published a package before they install it.

While OpenSSF was in Washington to talk to government and industry leaders about open-source security, the organization is not seeking a government handout to fund the plan.

“I just want to be clear: we are not here to raise funds from the government,” Behlendorf said. “We didn’t expect anyone to go directly to the government to get funding to succeed.”

Behlendorf said OpenSSF’s plan to secure open-source software benefits everyone, and that the government is itself a major user of open-source software.

“I think we have a lot of alignment in terms of interests, and we look forward to seeing the public sector get involved,” he said.

Behlendorf also said that while the plan is meant to help secure open-source software, there will always be bugs. The goal is to find and fix them quickly in order to limit the risk.

“Software will never be perfect,” he said. “The only software that has no bugs is software that has no users.”
