The Linux Foundation on Monday announced the formation of the Open Source Security Foundation (OpenSSF) as the latest initiative to improve software security.
OpenSSF is a cross-industry collaboration that brings together industry leaders to improve the security of open-source software by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative and GitHub’s Open Source Security Coalition.
The new security foundation also includes other open-source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Purdue, SAFEcode, StackHawk, Trail of Bits, Uber, and VMware.
The membership ranks of OpenSSF assembles the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just two of the projects that will be brought together under the new OpenSSF.
The Foundation’s governance, technical community, and its decisions will be transparent and any specifications and projects developed will be vendor-agnostic, according to the LF. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open-source security for all.
Open-source software has become pervasive in data centers, consumer devices and services. Its technology is used by technologists and businesses alike.
Because of its development process, open source that ultimately reaches end-users has a chain of contributors and dependencies. It is important that those responsible for their users’ or organization’s security are able to understand and verify the security of this dependency chain, according to LF officials in describing the need for this new initiative.
“We believe open source is a public good, and across every industry we have a responsibility to come together to improve and support the security of open-source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation.
“Ensuring open-source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort,” he added.
The OpenSSF’s organizational structure is built around the open governance structure and includes a governing board, a technical advisory council, and a separate oversight for each working group and project.
OpenSSF intends to host a variety of open-source technical initiatives to support security for the world’s most critical open-source software, all of which will be done in the open on GitHub.
Expansion Not Intention
The LF already has numerous subgroups and specialized communities under its umbrella. The intent is not to create another one, according to Chris Aniszczyk, vice president for strategic and dev programs at The Linux Foundation.
“This is less about creating a new organization versus consolidating multiple efforts across the industry and LF,” he told LinuxInsider.
The Core Infrastructure Initiative was funded largely by grants. OpenSSF will be supported by Linux Foundation membership dues with targeted organization contributions to support initiatives, he explained. The CII plans to contribute resources and experience to the OpenSSF and plans to work through their project approval process shepherded by the OpenSSF TAC for desired projects.
The organization is bootstrapping so the first order of business is holding its first governing board, technical council, and working group meetings this month. The best way to get involved is to attend one of the WG meetings, he said.
The OpenSSF will pursue an aggressive first set of activities, noted Aniszczyk. The agenda calls for six primary activities.
Vulnerability disclosures in a timely manner is the vision for an open-source software ecosystem. That window for fixing a vulnerability and deploying it across the ecosystem needs to be measured in minutes, not months. To that end, OpenSSF wants to create a unified format and API for vulnerability reporting and coordinated disclosure to drive broad adoption.
Security tooling is the primary mission. The goal is to provide the best security tools for open source developers and make them universally accessible.
“We want to create a space where members can collaborate together to improve upon existing security tooling and develop new ones to suit the needs of the broader open source community,” said Aniszczyk.
Identifying security threats to open-source projects is another essential objective. That will enable stakeholders to have informed confidence in the security of open-source projects.
The group hopes to accomplish that objective by identifying a set of key metrics and building tooling (API, web UI) to communicate those metrics to stakeholders. That will enable stakeholders to better understand the security posture of individual open source components, Aniszczyk added.
Three other targets for OpenSSF is to provide security best practices for open source developers. Second, securing critical projects will establish audits, assurance, response teams, improvements, and hands-on tactical work. Third, helping projects verify the identities in the software supply chain can result by creating a developer identity verification program.
This initiative is very significant, agreed Rob Enderle, president and principal analyst at the Enderle Group. It showcases that the LF and the OpenSSF are taking these threats seriously and stepping up sharply to deal with them.
Enderle noted that given the growing number of open-source software security efforts in the mix, there is a potential for one too many that gets in everyone else’s way.
“But this effort should help them drill through the confusion to get to a solution because it drives collaboration. So while this may seem additive in terms of complexity, if they execute to plan, it should force the redundant efforts into this one, eventually simplifying the effort and making it more likely to be successful,” he told LinuxInsider.