Open-source security is currently undergoing a period of accelerated change, thanks in no small part to the efforts of the Linux Foundation’s OpenSSF (Open Source Security Foundation).
In a full-day event at the Open Source Summit on June 20, supporters, leaders and contributors to OpenSSF discussed the current state of open-source security and detailed, at great length, multiple efforts underway to help improve the existing state of affairs. The OpenSSF has been busy in 2022 as it has ramped up a mobilization effort that it expects will cost $150 million to help secure open-source software. The mobilization effort is only one in the larger set of initiatives that the OpenSSF has underway.
“We are kind of a circus, I say that lovingly and some of you like going to the circus,” Brian Behlendorf, OpenSSF general manager said in a session at the Open Source Summit event. “There are lots of things going on at OpenSSF, lots of different teams and that is a part of our strength.”
The multiple rings of the OpenSSF open-source security circus tent
Behlendorf identified three key rings as primary goals for the OpenSSF: Securing the production of open-source software, improving vulnerability discovery and remediation, and shortening the time it takes to patch and respond to issues.
Those goals are executed across efforts led by multiple working groups at the OpenSSF. The working groups currently active include best practices, vulnerability disclosure, security tooling, security threat identification, supply chain integrity and securing software repositories.
The $150 million mobilization effort announced in May is an initiative that Behlendorf said is about, “taking the circus on the road,” in an effort to help provide a concrete set of initiatives to secure open-source software.
“The big theme throughout the mobilization plan has not been how do we make open-source developers get more serious, but it has been about how do we show up with help?” Behlendorf said. “How do we add to their existing processes with better tooling, paying for people to show up on projects and say we’re here to help in one way or another.”
Over the course of the day, multiple speakers took the podium to detail various OpenSSF-associated efforts to help improve open-source software.
One of the most basic, yet least well-understood aspects of security overall is how to actually properly disclose a security vulnerability. In a session during OpenSSF day, Anne Bertucio, senior program manager at Google, outlined best practices for open-source developers in how to responsibly disclose vulnerabilities. Bertucio pointed to the OpenSSF’s OSS Vulnerability Guide as a playbook that organizations can use to help with the process.
Navin Srinivasan, security engineer at Endor Labs, outlined the OpenSSF Scorecard project, which has its roots in projects that pre-date the creation of the OpenSSF. The Scorecard project gives open-source projects a ‘score’ based on their adherence to security best practices.
A related project is the Allstar project, which was originally announced back in August 2021. Jeff Mendoza, security engineer at Google, explained that while Scorecard provides a score, Allstar can help users improve that score. Mendoza said that Allstar operates as a GitHub application that continuously checks code repositories against security best practices, and can enable users to quickly remediate issues.
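To make the Scorecard and Allstar descriptions above concrete, here is an added illustration (not Scorecard's or Allstar's own code, and not from the original article) of what "scoring adherence to best practices" and "flagging what to remediate" look like in practice. It runs two simplified checks over a constructed in-memory repository: whether a vulnerability-disclosure policy (SECURITY.md) is published, and whether GitHub Actions references are pinned to a full commit SHA rather than a mutable tag. The check names borrow the real Scorecard check names Security-Policy and Pinned-Dependencies and the 0 to 10 scale Scorecard uses, but the logic is a deliberately reduced stand-in; the sample repository contents and the commit SHA are constructed placeholders.

```python
import re

# Constructed sample repository (path -> file text), standing in for a checked-out
# GitHub project. The 40-hex-digit SHA is a made-up placeholder, not a real commit.
SAMPLE_REPO = {
    "README.md": "# demo\n",
    ".github/workflows/ci.yml": (
        "name: CI\n"
        "on: [push]\n"
        "jobs:\n"
        "  build:\n"
        "    runs-on: ubuntu-latest\n"
        "    steps:\n"
        "      - uses: actions/checkout@v3\n"
        "      - uses: actions/setup-python@8d0c5d7c5a4b6a9c6c4d0f3c2b1a09876543210f\n"
    ),
}

# A reference is considered pinned only if it ends in a full 40-character commit SHA.
SHA_RE = re.compile(r"@[0-9a-f]{40}$")
USES_RE = re.compile(r"uses:\s*(\S+)")


def workflow_action_refs(repo):
    """Collect every 'uses:' reference from files under .github/workflows/."""
    refs = []
    for path, text in repo.items():
        if path.startswith(".github/workflows/"):
            refs.extend(m.group(1) for m in USES_RE.finditer(text))
    return refs


def check_security_policy(repo):
    """Security-Policy (simplified): 10 if a SECURITY.md is present, else 0.
    A published policy tells reporters how to disclose a vulnerability privately."""
    present = any(p.lower() in ("security.md", ".github/security.md") for p in repo)
    return 10 if present else 0


def check_pinned_actions(repo):
    """Pinned-Dependencies (simplified): score proportional to the fraction of
    action references pinned to a commit SHA. A tag like @v3 can be re-pointed
    upstream, so an unpinned reference lets a third party change what the
    workflow runs without any change to this repository."""
    refs = workflow_action_refs(repo)
    if not refs:
        return 10  # nothing to pin, nothing to penalise
    pinned = sum(1 for r in refs if SHA_RE.search(r))
    return round(10 * pinned / len(refs))


def unpinned_actions(repo):
    """The remediation list an Allstar-style tool would surface: references
    that still use a mutable tag or branch instead of a commit SHA."""
    return [r for r in workflow_action_refs(repo) if not SHA_RE.search(r)]


def score_repo(repo):
    """Return per-check scores plus their mean, rounded to one decimal."""
    checks = {
        "Security-Policy": check_security_policy(repo),
        "Pinned-Dependencies": check_pinned_actions(repo),
    }
    aggregate = round(sum(checks.values()) / len(checks), 1)
    return checks, aggregate


if __name__ == "__main__":
    checks, aggregate = score_repo(SAMPLE_REPO)
    for name, value in checks.items():
        print(f"{name}: {value}/10")
    print(f"aggregate: {aggregate}/10")
    for ref in unpinned_actions(SAMPLE_REPO):
        print(f"remediate: pin {ref} to a commit SHA")
```

On the constructed sample the policy check scores 0 (no SECURITY.md), the pinning check scores 5 (one of two references pinned), and the remediation list contains the single unpinned `actions/checkout@v3` reference, which is the kind of actionable finding the article describes Allstar surfacing.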
Alpha Omega project funds Python and Eclipse security
Another key project under OpenSSF is the Alpha-Omega supply chain security effort which was started back in February.
During OpenSSF Day, the OpenSSF announced that via Alpha-Omega, $800,000 in funding is going to be provided to help secure technology initiatives from the Python Software Foundation and from the Eclipse Foundation.
Python is one of the most popular open-source programming languages in use today. The new funding will be used to provide support for dedicated security expertise that will formalize best practices across Python Software Foundation projects.
The Eclipse Foundation develops software development tools, including the Eclipse Integrated Development Environment (IDE). Funding for Eclipse will be used to help the organization implement supply chain security best practices.
Additionally, the Google-initiated Secure Open Source Rewards (SOS.dev) project will now be moving under the auspices of the OpenSSF. SOS.dev is an initiative designed to reward developers for implementing security best practices in open-source software projects.
Security is the price of open-source innovation
The OpenSSF’s $150 million mobilization effort was motivated in no small part by the emergence of the open-source Log4j vulnerabilities that were disclosed in December 2021. That incident helped to put renewed focus on the challenges of open source security.
Jamie Thomas, general manager of strategy and development at IBM, commented that the Log4j incident was a catalyst for those involved in the open-source industry to figure out how to be more proactive about security. A challenge for many with the Log4j incident was that it was incumbent on end users, in some cases, to figure out whether they were vulnerable and then to patch. She stated that end users shouldn’t have had to worry about that, and that it is up to those who build and provide software to support it.
“It’s our obligation to take the burden of security and make sure that the software is designed with security in mind,” Thomas said.
Among the many large organizations impacted by Log4j was financial giant JPMorgan Chase. Rao Kakkakula, director at JPMorgan Chase, commented that in the past his organization might have had a knee-jerk reaction to the Log4j incident and simply decided to stop using the open-source software and build something of its own. That’s not what’s happening now in 2022.
Kakkakula said that executives within JPMorgan Chase are now asking how the company can better assist the open-source community to improve security.
“The trend is changing to being more supportive rather than blaming people,” Kakkakula said.
JPMorgan’s drive to help improve open-source security isn’t based on some altruistic goal, but rather on a very practical one. Kakkakula explained that there are over 53,000 developers at JPMorgan Chase. He noted that most applications today make use of open-source software to help drive innovation forward.
“To innovate faster, open source is the key in my opinion as I don’t want to reinvent the wheel,” Kakkakula said. “Then security is the key to actually enabling the technology so that we keep the customer trust intact.”