How much will it cost to secure open-source software? OpenSSF says $147.9M


In recent years there have been multiple vulnerabilities in open-source software that have been exploited, leaving organizations of all sizes at risk. Vulnerabilities in software components like the open-source Log4j Java library have impacted millions of users around the world. According to a 2021 study from Synopsys, 84% of all codebases contain at least one open-source vulnerability.

As open source is increasingly part of all software, it has also become a foundational element of the software supply chain. One year ago, the Biden administration issued an executive order to try to improve software supply chain security, which led to efforts to embrace a software bill of materials (SBOM) that helps to reveal what’s inside an application — which, more often than not, is open source.

Among the leading open-source organizations is the Linux Foundation and its Open Source Security Foundation (OpenSSF), which has a growing base of users. Today at the Open Source Software Security Summit II in Washington, D.C., OpenSSF announced an ambitious, multipronged plan with 10 key goals to better secure the entire open-source software ecosystem.

While open-source software itself can sometimes be freely available, securing it will have a price. OpenSSF has estimated that its plan will require $147.9 million in funding over a two-year period.

In a press conference held after the summit, Brian Behlendorf, general manager of OpenSSF, said that $30 million has already been pledged by OpenSSF members including Amazon, Intel, VMware, Ericsson, Google and Microsoft.

“I’ve been working with the source community for almost two decades, and in that period of time we’ve had multiple cases where a vulnerability in an open-source component has posed dramatic risk to a broad set of society,” Jim Zemlin, executive director of the Linux Foundation, said. “Today is one of the first times I’ve seen an actionable plan that has concrete goals.”

Zemlin also emphasized that while the plan outlined by OpenSSF is ambitious, there is a lot that needs to get done.

“We’re in the first five minutes of a long game and the urgency here could not be greater,” Zemlin said. “Adversaries are getting more sophisticated, supply chain attacks are happening more often and cyber conflict is escalating around the globe.”

OpenSSF looking to succeed where past efforts have not

The new plan from OpenSSF is not the first time the Linux Foundation has led an effort to help secure open-source software.

Eight years ago, in the aftermath of the Heartbleed vulnerability in the open-source OpenSSL cryptographic library, the Linux Foundation started the Core Infrastructure Initiative (CII). The CII was also an effort to help improve open-source security and it also raised money from vendors.

In response to a question from VentureBeat, Zemlin noted he started the CII after the Heartbleed attack to get direct financial support to the maintainers of OpenSSL.

“That was a case where we were just supporting a small set of individuals to do some work on critical projects,” Zemlin said. “What became very clear to us and what this new OpenSSF work builds upon, is that you have to provide certain resources that include training for developers about how to write secure code in the first place, and a set of tools so that they can release code security.”

Zemlin argued that back in 2014, when the Heartbleed vulnerability first appeared, the complexity of the overall software supply chain was not as difficult to manage as it is today. He noted that between 2014 and 2022, there has been a dramatic increase in the volume of small reusable open-source components that have become the building blocks of modern software. The increase in usage has created a level of complexity that’s extremely difficult to manage.

The new OpenSSF plan aims to provide direct support for developers to solve problems, as well as audit code bases to help identify potential vulnerabilities. Zemlin said that the new plan also intends to help remove what he referred to as “friction points” in the supply chain where software package managers could use additional security. The additional security includes the use of authenticated package signing for the distribution of software components.

While OpenSSF was in Washington to talk with government and industry leaders about open-source security, the organization is not looking for a handout from the government to help foot the bill.

“I just want to be clear: we’re not here to fundraise from the government,” Behlendorf said. “We did not anticipate needing to go directly to the government to get funding for anyone to be successful.”

That said, Behlendorf noted that OpenSSF’s plan to secure open-source software benefits everybody, and that the government is a major user of open-source software.

“I think we have a lot of alignment, in terms of interests, and we’re eager to see the public sector get involved,” he said.

Behlendorf also stated that while the plan is to help secure open-source software, there will always be bugs. The goal is to just find and remediate them faster to help limit risk.

“Software will never be perfect,” he said. “The only software that doesn’t have any bugs is software with no users.”

Originally appeared on: TheSpuzz