Open source security is currently going through a period of rapid change, thanks in no small part to the efforts of the Linux Foundation’s OpenSSF (Open Source Security Foundation).
During an all-day event at the Open Source Summit on June 20, OpenSSF advocates, leaders, and contributors discussed the current state of open source security and what it will cost to improve it. A number of efforts are underway to address the current situation. OpenSSF was busy in 2022 as it ramped up a fundraising effort that it expects will raise 150 million dollars to help secure open source software. The fundraising effort is just one of several larger initiatives that OpenSSF is working on.
“We’re like a circus, I say it’s lovely and some of you love going to the circus,” said Brian Behlendorf, general manager of OpenSSF. “There’s a lot going on at OpenSSF, a lot of different teams, and that’s part of our strength.”
Multiple rings in the OpenSSF open source security circus tent
Behlendorf identifies three key rings as OpenSSF’s primary goals: securing the production of open source software, improving vulnerability detection and remediation, and shortening patch and response times for issues.
Those goals are accomplished through efforts led by multiple working groups at OpenSSF. Working groups currently active cover practices, vulnerability disclosure, security tools, security threat identification, supply chain integrity, and software repository security.
The $150 million fundraising effort announced in May is an initiative that Behlendorf said is “putting the circus on the road,” in an effort to help deliver a specific set of initiatives to secure open source software.
“The big theme across the crowdfunding plan is not how do we take open source developers more seriously, but how do we show up to help?” Behlendorf said. “How do we add to their existing processes with better tools, pay people to show up on projects and say we are here to help one way or another.”
Throughout the day, many speakers took to the podium to detail various OpenSSF-related efforts to help improve open source software.
One of the most fundamental, but least understood, aspects of security in general is how to properly disclose a security hole. During an OpenSSF Day session, Anne Bertucio, senior program manager at Google, outlined best practices for open source developers on how to responsibly disclose vulnerabilities. Bertucio pointed to OpenSSF’s OSS Vulnerability Guide as a resource that organizations can use to help with this process.
Naveen Srinivasan, security engineer at Endor Labs, outlined the OpenSSF Scorecard project, which is derived from work that predates the creation of OpenSSF. The Scorecard project gives open source projects a ‘score’ based on their adherence to security best practices.
A related project is Allstar, originally announced in August 2021. Jeff Mendoza, security engineer at Google, explained that while Scorecard provides scores, Allstar can help users improve those scores. Mendoza said Allstar acts as a GitHub app that continuously checks a code repository against security best practices and allows users to quickly fix problems.
Project Alpha Omega Funds Python and Eclipse Security
Another important OpenSSF project is Alpha-Omega, a supply chain security effort that was started back in February.
During OpenSSF Day, OpenSSF announced that through Alpha-Omega, $800,000 in funding will be provided to help secure technology initiatives from the Python Software Foundation and from the Eclipse Foundation.
Python is one of the most commonly used open source programming languages today. The new funding will be used to provide support for a dedicated security expert that will formalize best practices across Python Software Foundation projects.
The Eclipse Foundation develops software development tools, including the Eclipse Integrated Development Environment (IDE). Funds for Eclipse will be used to help the organization implement supply chain security best practices.
In addition, the Secure Open Source Rewards (SOS.dev) project initiated by Google will now be conducted under the umbrella of OpenSSF. SOS.dev is an initiative designed to help reward developers for implementing security best practices in open source software projects.
Security is the price of open source innovation
OpenSSF’s $150 million fundraising drive was fueled in no small part by the Log4j vulnerability in open source code, disclosed in December 2021. That incident helped put a new focus on the challenges of open source security.
Jamie Thomas, general manager of strategy and development at IBM, commented that the Log4j incident was a catalyst for those involved in the open source industry to find ways to be more proactive about security. One challenge for many with Log4j was that it was in some cases left to the end user to find out whether they were vulnerable and then patch it. She said that end users shouldn’t have to worry about that, and that the responsibility lies with the people who build and deliver the software.
“Our obligation is to shoulder the responsibility of security and ensure that software is designed with security in mind,” says Thomas.
Among the many large institutions affected by Log4j is financial giant JPMorgan Chase. Rao Kakkakula, director at JPMorgan Chase, commented that in the past, his organization could have reacted strongly to the Log4j incident and simply decided to stop using open source software and build something on its own. That is not what is happening in 2022.
Kakkakula says that JPMorgan Chase executives are now asking how the company can better support the open source community to improve security.
“Trends are shifting to favor rather than blame people,” says Kakkakula.
JPMorgan’s need to help improve open source security is not based on some altruistic goal, but a very real one. Kakkakula explains that there are more than 53,000 developers at JPMorgan Chase. He notes that most applications today use open source software to help drive innovation forward.
“For faster innovation, open source is key in my opinion because I don’t want to reinvent the wheel,” says Kakkakula. “Security is then key to really enabling the technology so that we keep the trust of our customers intact.”