In recent years, many open source software vulnerabilities have been exploited, leaving organizations of all sizes at risk. Vulnerabilities in software components such as the open source Log4j Java library have affected millions of users around the world. According to a 2021 Synopsys study, 84% of all code bases contain at least one open source vulnerability.
As open source has become an increasing part of all software, it has also become an essential component of the software supply chain. One year ago, the Biden administration issued an executive order to try to improve the security of the software supply chain, which led to efforts to adopt a software bill of materials (SBOM) that helps expose what’s inside an app — which, too often, is open source.
Among the leading open source organizations are the Linux Foundation and the Open Source Security Foundation (OpenSSF), which have a growing user base. Today at the second Open Source Software Security Summit in Washington, DC, OpenSSF announced an ambitious, multi-pronged plan that includes 10 key goals to better secure the open source software ecosystem.
While open source software itself can sometimes be freely available, securing it will come at a price. OpenSSF has estimated that its plan will require $147.9 million in funding over two years.
At a press conference after the summit, Brian Behlendorf, General Manager of OpenSSF, said that $30 million has already been pledged by OpenSSF members including Amazon, Intel, VMware, Ericsson, Google and Microsoft.
“I’ve been working with the source community for nearly two decades, and in that time period we’ve had multiple instances where a vulnerability in an open source component posed a significant risk to a wide range of the community,” Jim Zemlin, CEO of the Linux Foundation, said. “Today is one of the first times I’ve seen an actionable plan with specific goals.”
Zemlin also emphasized that while the plan outlined by OpenSSF is ambitious, there is a lot more to do.
“We are in the first five minutes of a long game and the urgency here couldn’t be greater,” said Zemlin. Adversaries are getting more sophisticated, supply chain attacks are occurring more often and cyber conflict is escalating around the world.
OpenSSF looks to succeed where previous efforts have not.
The new plan from OpenSSF isn’t the first time the Linux Foundation has led an effort to help secure open source software.
Eight years ago, in the wake of the Heartbleed vulnerability in the open source OpenSSL cryptography library, the Linux Foundation launched the Core Infrastructure Initiative (CII). CII was likewise an attempt to improve the security of open source software, and it also raised funds from vendors.
In response to a question from VentureBeat, Zemlin noted that he started CII after the Heartbleed attack to get direct financial support for OpenSSL maintainers.
“It was a case where we were supporting a small group of people to do some work on important projects,” Zemlin said. “What became very clear to us and what this new OpenSSF work builds on, is that you have to provide certain resources that include training for developers on how to write secure code in the first place, and a set of tools so that they can release the security token.”
Zemlin argued that in 2014 when the Heartbleed vulnerability first appeared, the complexity of the software’s overall supply chain wasn’t as difficult to manage as it is today. He noted that between 2014 and 2022, there was a significant increase in the volume of small, open-source, reusable components that became the building blocks of modern software. The increase in usage has led to a level of complexity that is extremely difficult to manage.
The new OpenSSF plan aims to provide direct support for developers to solve problems, as well as to audit code bases to help identify potential vulnerabilities. Zemlin said the new plan is also intended to help remove what he referred to as “friction points” in the supply chain, places where software package managers could use additional security. One such measure is the use of authenticated package signatures when distributing software components.
While OpenSSF has been in Washington to speak with government and industry leaders about open source security, the organization is not looking for a handout from the government to help foot the bill.
“I just want to be clear: We are not here to raise money from the government,” Behlendorf said. “We did not anticipate the need to go directly to the government to get funding for anyone to be successful.”
However, Behlendorf said the OpenSSF Scheme for Securing Open Source Software is a plan that benefits everyone, and the government is a major user of open source software.
“I think we have a lot of consensus in terms of interests, and we are keen on engaging the public sector,” he said.
Behlendorf also stated that while the plan is to help secure open source software, there will always be bugs. The goal is to find and treat them faster to help reduce risk.
“Software will never be perfect,” he said. “The only software that does not have any errors is the software that does not have users.”