The Linux Foundation, the nonprofit organization enabling mass innovation through open source, has announced it has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together multiple open source software initiatives under one umbrella to identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. Open source luminary Brian Behlendorf will serve the OpenSSF community as General Manager.
Financial commitments from Premier members include Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk and VMware. Additional commitments come from General members Aiven, Anchore, Apiiro, AuriStar, Codethink, Cybertrust, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift and Wind River.
“This industry-wide commitment is answering the call from the White House to raise the baseline for our collective cybersecurity wellbeing, as well as ‘paying it forward’ to open source communities to help them create secure software from which we all benefit,” said Jim Zemlin, executive director at the Linux Foundation. “We’re pleased to have Brian Behlendorf’s leadership and extensive expertise on building and sustaining large communities and technical projects applied to this work. With the tremendous growth and pervasiveness of open source software, building cybersecurity practices and programs that scale is our biggest task at hand.”
According to industry reports (“2021 State of the Software Supply Chain,” by Sonatype), software supply chain attacks have increased 650 percent and are having a severe impact on business operations. In the wake of increasing security breaches, ransomware attacks and other cyber crimes tied to open source software, government leaders around the world are calling for private and public collaboration. Because open source software makes up at least 70 percent of all software (“2020 Open Source Security and Risk Analysis Report” by Synopsys), the OpenSSF offers the natural, neutral and pan-industry forum to accelerate the hardening and security of the software supply chain.
“There has never been a more exciting time to work in the open source community, and software supply chain security has never needed more of our attention,” said Brian Behlendorf, general manager, Open Source Security Foundation. “There is no single silver bullet for securing software supply chains. Research, training, best practices, tooling and collaboration require the collective power of thousands of critical minds across our community.”
The OpenSSF is home for a variety of open source software, open standards and other open content work for improving security. Examples include:
- Security Scorecard – a fully automated tool that assesses a number of important heuristics (“checks”) associated with software security
- Best Practices Badge – a set of Core Infrastructure Initiative best practices for producing higher-quality secure software providing a way for OSS projects to demonstrate through badges that they are following them
- Security Policies – Allstar provides a set and enforce security policies on repositories or organizations
- Framework – supply-chain levels for software artifacts (SLSA) delivers a security framework for increasing levels of software supply chain integrity
- Training – free secure software development fundamentals courses educating community members on how to develop secure software
- Vulnerability Disclosures – a guide to coordinated vulnerability disclosure for OSS projects
- Package Analysis – look for malicious software in OSS packages
- Security Reviews – public collection of security reviews of OSS
- Research – studies on open source software and critical security vulnerabilities conducted in association with the Laboratory for Innovation Science at Harvard (LISH) (e.g., a preliminary census and FOSS Contributor Survey)
For more information about OpenSSF, please visit: https://openssf.org/