Open-source security is undergoing a period of rapid transformation, thanks in no small part to the efforts of the Linux Foundation’s OpenSSF (Open Source Security Foundation).
In an all-day event at the Open Source Summit on June 20, OpenSSF supporters, leaders and contributors discussed in detail the current state of open-source security and the many efforts under way to improve it. OpenSSF is busy in 2022 as it accelerates a mobilization plan that it expects to cost $150 million to help secure open-source software. The mobilization plan is just one of a large group of initiatives undertaken by OpenSSF.
“We’re a kind of circus, I say with love, and some of you like to go to the circus,” said Brian Behlendorf, general manager of OpenSSF, during a session at the Open Source Summit event. “There’s a lot going on in OpenSSF, there are a lot of different teams and that’s part of our strength.”
Multiple rings in the OpenSSF open-source security circus tent
Behlendorf identified three key rings as the primary goals for OpenSSF: securing the production of open-source software, improving how vulnerabilities are discovered and fixed, and reducing the time it takes to patch and respond to problems.
Those goals are pursued through the efforts of multiple working groups run by OpenSSF. Currently active working groups include Best Practices, Vulnerability Disclosures, Security Tooling, Identifying Security Threats (security risk identification), Supply Chain Integrity and Securing Software Repositories.
The $150 million mobilization plan announced in May is an initiative that Behlendorf said is about “taking the circus on the road,” in an effort to provide a solid set of initiatives to secure open-source software.
“The big theme in the whole mobility plan is not how we make open-source developers more serious, but how we look with help,” Behlendorf said. “How can we add to their existing processes with better tooling, pay people to show up on projects and say we’re here to help in one way or another.”
During the day, multiple speakers took to the podium to detail the various OpenSSF efforts to improve open-source software security.
One of the most fundamental, yet least well-understood, aspects of security is how to properly disclose vulnerabilities. In a session during OpenSSF Day, Anne Bertucio, a senior program manager at Google, outlined best practices for open-source developers on how to responsibly disclose vulnerabilities. Bertucio pointed to OpenSSF’s OSS Vulnerability Guide as a playbook that projects can use to run the process.
Naveen Srinivasan, a security engineer at Endor Labs, outlined the OpenSSF Scorecard project, which has its roots in projects that predate the formation of OpenSSF. Scorecard gives ‘scores’ to open-source projects based on their adherence to security best practices.
A related project is Allstar, which was announced in August 2021. Google security engineer Jeff Mendoza explained that while Scorecard provides scores, Allstar can help projects improve them. Mendoza said Allstar is a GitHub application that continuously checks code repositories against security best practices and lets maintainers remediate issues quickly.
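To make concrete what “scoring a project against best practices” means, here is an added illustration, written for this page and not the OpenSSF Scorecard project’s own code: it models three of Scorecard’s real checks (Security-Policy, Pinned-Dependencies and Binary-Artifacts) on a local checkout, scores each 0 to 10 as Scorecard does, and runs them against a constructed sample repository. The sample repository, the placeholder commit SHA and the file layout are assumptions made for the example.

```python
"""Toy Scorecard-style checks over a local checkout (added illustration).

This is not the OpenSSF Scorecard's own code. It models three of Scorecard's
checks (Security-Policy, Pinned-Dependencies, Binary-Artifacts), scores each
0-10 as Scorecard does, and runs them against a constructed sample repository
written to a temporary directory.
"""
import os
import re
import tempfile

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
BINARY_EXT = {".exe", ".dll", ".so", ".dylib", ".jar", ".class", ".o", ".a"}


def check_security_policy(repo):
    """10 if a SECURITY.md (any case) exists at the repo root, else 0."""
    names = {n.lower() for n in os.listdir(repo)}
    return 10 if "security.md" in names else 0


def workflow_uses(repo):
    """Collect every 'uses:' reference from GitHub Actions workflow files."""
    wf_dir = os.path.join(repo, ".github", "workflows")
    if not os.path.isdir(wf_dir):
        return []
    refs = []
    for name in sorted(os.listdir(wf_dir)):
        if name.endswith((".yml", ".yaml")):
            with open(os.path.join(wf_dir, name), encoding="utf-8") as fh:
                refs += [m.group(1) for m in map(USES_LINE.match, fh) if m]
    return refs


def is_pinned(ref):
    """Local actions need no pin; remote ones must be pinned to a full commit
    SHA, because a tag such as @v3 can be moved to point at different code."""
    if ref.startswith("./"):
        return True
    _, _, version = ref.partition("@")
    return bool(SHA_PIN.match(version))


def check_pinned_dependencies(repo):
    """Score = share of workflow action references that are SHA-pinned."""
    refs = workflow_uses(repo)
    if not refs:
        return 10
    return round(10 * sum(map(is_pinned, refs)) / len(refs))


def check_binary_artifacts(repo):
    """0 if any checked-in file looks like a binary (by extension or NUL bytes)."""
    for root, dirs, files in os.walk(repo):
        dirs[:] = [d for d in dirs if d != ".git"]
        for f in files:
            if os.path.splitext(f)[1].lower() in BINARY_EXT:
                return 0
            with open(os.path.join(root, f), "rb") as fh:
                if b"\x00" in fh.read(8192):
                    return 0
    return 10


def score_repo(repo):
    """Run all checks and add a simple average as the aggregate score."""
    checks = {
        "Security-Policy": check_security_policy(repo),
        "Pinned-Dependencies": check_pinned_dependencies(repo),
        "Binary-Artifacts": check_binary_artifacts(repo),
    }
    checks["aggregate"] = round(sum(checks.values()) / len(checks), 1)
    return checks


def build_sample_repo():
    """Constructed sample repo: has a SECURITY.md, one tag-pinned and one
    SHA-pinned action (the SHA is a made-up placeholder), and a checked-in .jar."""
    repo = tempfile.mkdtemp(prefix="toy-scorecard-")
    os.makedirs(os.path.join(repo, ".github", "workflows"))
    os.makedirs(os.path.join(repo, "vendor"))
    with open(os.path.join(repo, "SECURITY.md"), "w", encoding="utf-8") as fh:
        fh.write("Report vulnerabilities to security@example.invalid\n")
    with open(os.path.join(repo, ".github", "workflows", "ci.yml"), "w", encoding="utf-8") as fh:
        fh.write(
            "on: push\n"
            "jobs:\n"
            "  build:\n"
            "    runs-on: ubuntu-latest\n"
            "    steps:\n"
            "      - uses: actions/checkout@v3\n"
            "      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder SHA\n"
            "      - run: go build ./...\n"
        )
    with open(os.path.join(repo, "vendor", "tool.jar"), "wb") as fh:
        fh.write(b"PK\x03\x04\x00\x00")
    return repo


if __name__ == "__main__":
    for check, score in score_repo(build_sample_repo()).items():
        print(f"{check:20s} {score}")
```

On the constructed repository the policy check passes, half of the action references are pinned, and the checked-in jar fails the binary check, so the aggregate lands at 5.0. The point Allstar addresses is the step after this: a tool that watches for the failing checks and opens an issue or fixes the setting, rather than only reporting a number.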
The Alpha-Omega project funds Python and Eclipse security
Another major project under OpenSSF is the Alpha-Omega supply chain security effort, which launched in February.
During OpenSSF Day, OpenSSF announced that Alpha-Omega would provide $800,000 in funding to the Python Software Foundation and the Eclipse Foundation to help secure their projects.
Python is one of the most popular open-source programming languages in use today. The new funding will be used to support dedicated security expertise that will formalize best practices across Python Software Foundation projects.
The Eclipse Foundation develops software development tools, including the Eclipse Integrated Development Environment (IDE). Its funding will be used to help the organization implement supply chain security best practices.
In addition, the Secure Open Source Rewards (SOS.dev) project launched by Google will now proceed under the auspices of OpenSSF. SOS.dev is an initiative that rewards developers for implementing security best practices in open-source software projects.
Security is the cost of open-source innovation
OpenSSF’s $150 million mobilization plan was in no small part inspired by the Log4j vulnerabilities disclosed in December 2021. That incident helped refocus attention on the challenges of open-source security.
Jamie Thomas, general manager of strategy and development at IBM, commented that the Log4j event was a catalyst for those involved in the open-source industry to learn more about security. One challenge for many with Log4j was that in some cases it fell to end users to determine whether they were vulnerable and then to patch. She said end users should not have to worry about that; it is up to those who create and provide the software to take care of it.
“We have a responsibility to take care of the security and ensure that the software is designed with security in mind,” Thomas said.
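The end-user side of the Log4j problem described above, working out whether a deployed artifact actually carries a vulnerable log4j-core, is what many teams had to script for themselves in December 2021. The following is an added example for this page, not code from any speaker or project quoted here: it walks jars, WARs and the jars nested inside them, looks for log4j-core’s JndiLookup class, reads the library version from its Maven pom.properties, and flags anything below 2.17.1, the release commonly used as the floor after the December 2021 series of Log4j fixes. The sample archives are constructed in memory, and the choice of 2.17.1 as the threshold is an assumption of the example rather than something the page states.

```python
"""Log4Shell exposure check over packaged Java artifacts (added illustration).

Not the page's or any vendor's code. It looks for log4j-core's JndiLookup
class inside jars, including jars nested in WARs and fat jars, reads the
log4j-core version from its Maven pom.properties, and flags anything older
than 2.17.1 (an assumed floor, commonly used after the December 2021 fixes).
The sample artifacts are constructed in memory.
"""
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
SAFE_FLOOR = (2, 17, 1)  # assumed threshold for this example
MAX_DEPTH = 3            # how deep to follow jar-in-jar nesting


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier like '2.0-beta9' is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def inspect_archive(data, name, findings, depth=0):
    """Record a finding for every archive that ships JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if JNDI_CLASS in names:
            # Presence of the class alone is not enough: 2.17.x still ships it
            # with JNDI disabled, so an unknown or old version is what we flag.
            flag = version is None or parse_version(version) < SAFE_FLOOR
            findings.append({"archive": name, "version": version, "flag": flag})
        if depth < MAX_DEPTH:
            for entry in sorted(names):
                if entry.lower().endswith((".jar", ".war", ".ear", ".zip")):
                    inspect_archive(zf.read(entry), f"{name}!{entry}", findings, depth + 1)
    return findings


def scan(archives):
    """archives: mapping of file name -> bytes. Returns the list of findings."""
    findings = []
    for name, data in archives.items():
        inspect_archive(data, name, findings)
    return findings


def make_archive(entries):
    """Build a zip/jar in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry, data in entries.items():
            zf.writestr(entry, data)
    return buf.getvalue()


def build_sample_archives():
    """Constructed samples: a WAR bundling log4j-core 2.14.1, a standalone
    log4j-core 2.17.1, and an unrelated jar. Class bodies are stand-in bytes."""
    stub_class = b"\xca\xfe\xba\xbe"  # Java class-file magic, nothing more
    old_core = make_archive({JNDI_CLASS: stub_class, POM_PROPS: b"version=2.14.1\n"})
    new_core = make_archive({JNDI_CLASS: stub_class, POM_PROPS: b"version=2.17.1\n"})
    return {
        "app.war": make_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": old_core,
                                 "WEB-INF/web.xml": b"<web-app/>"}),
        "log4j-core-2.17.1.jar": new_core,
        "util.jar": make_archive({"com/example/Util.class": stub_class}),
    }


if __name__ == "__main__":
    for hit in scan(build_sample_archives()):
        status = "VULNERABLE?" if hit["flag"] else "ok"
        print(f"{status:12s} {hit['archive']} (log4j-core {hit['version']})")
```

The check deliberately combines two signals. Grepping file systems for JndiLookup.class, which was a common first reaction, produces false positives on patched 2.17.x builds that still ship the class with JNDI disabled; reading the version from pom.properties and recursing into nested archives catches the copy of log4j-core buried inside a WAR, which is where it usually lived in practice.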
Among the many large organizations affected by Log4j was the financial giant JPMorgan Chase. Rao Kakkakula, a director at JPMorgan Chase, commented that in the past his organization might have had a knee-jerk reaction to the Log4j incident and decided simply to stop using open-source software and build its own. That is no longer the case in 2022.
Kakkakula said JPMorgan Chase executives are now asking how the company can better help the open-source community improve security.
“The trend is changing to be more supportive rather than blaming people,” Kakkakula said.
JPMorgan’s interest in improving open-source security is not based on some philanthropic goal; it is very practical. Kakkakula explained that JPMorgan Chase has over 53,000 developers, and noted that most applications today use open-source software to drive innovation.
“In my opinion, open source is the key to innovation quickly because I don’t want to rediscover the wheel,” Kakkakula said. “Then security is the key to enabling technology so we keep customer confidence intact.”