Supported by The Linux Foundation, the Open Source Security Foundation (OpenSSF) aims to create a cross-industry forum for a collaborative effort to improve open source software security. The list of initial members includes Google, Microsoft, GitHub, IBM, Red Hat, and more.
As open source has become more pervasive, its security has become a key consideration for building and maintaining critical infrastructure that supports mission-critical systems throughout our society. It is more important than ever that we bring the industry together in a collaborative and focused effort to advance the state of open source security. The world’s technology infrastructure depends on it.
Mark Russinovich, CTO of Microsoft Azure, explained why open source security must be a community effort:
Open-source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance. [...] Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process.
The OpenSSF will bring together existing open source security initiatives, starting with the Core Infrastructure Initiative (CII) and GitHub's Open Source Security Coalition. In addition, it will create several working groups to address key security concerns. These include vulnerability disclosure, with the aim of shortening the time between a vulnerability being reported and a fix being released and deployed; security tooling, with the aim of improving existing security tools and developing new ones; security threat identification, focused on defining key metrics to better assess how each component of an open source project fares with regard to security; and security best practices.
Additionally, the OpenSSF aims to help critical projects get the support they need to improve their security.
Whether it is dedicated help from specialized experts or simply grant money or cloud credits, we recognize that no two projects are the same, and support can come in many shapes. We intend to work with upstream maintainers to understand what help and support they need, and then develop scalable processes to make this help available.
Among others, Google and Microsoft announced their participation in the OpenSSF with a specific focus on a number of areas, including shared schemas and metadata to better enforce security best practices; dependency management and risk assessment that maps vulnerabilities to specific code versions; tools for build verification, such as Google's own Tekton; and the use of developer identity to associate changes with their authors.
Besides joining the OpenSSF, GitHub confirmed its commitment to open source security and stated it will continue investing in and building new security features that are free for public repositories.