Google and Microsoft back the Alpha-Omega Project to bolster software supply chain


The Linux Foundation-backed Open Source Security Foundation (OpenSSF) has launched a new project designed to secure the software supply chain.

The Alpha-Omega Project, as it’s called, will work directly with project maintainers to find zero-day vulnerabilities (i.e. previously unknown bugs) in open source codebases, and work toward fixing them. Microsoft and Google will provide an initial cash injection of $5 million, which follows another recent $10 million recurring commitment the duo made to the OpenSSF alongside fellow member organizations such as Amazon, Facebook, and Oracle.

The OpenSSF is a cross-industry collaboration launched by the Linux Foundation back in 2020, and as of last October is being led by open source pioneer Brian Behlendorf, the principal creator of the Apache web server.

Fixing flaws

The timing of this latest announcement is no coincidence. The White House recently hosted an open source security summit, with members from across the public and private divide convening to discuss how best to tackle flaws in community-driven software. The meetup was organized in the wake of the critical Log4j vulnerability dubbed Log4Shell, which had existed for many years but was only recently discovered. Both Microsoft and Google were present at the summit, as was the Linux Foundation, so it’s clear that the gathering last month has helped foster at least some momentum to bolster the software supply chain.

The Log4j vulnerability resurfaced age-old questions around the inherent security of open source software, particularly projects that are not supported by squadrons of full-time developers and security personnel. Indeed, one of the Log4j project’s core maintainers — one who was instrumental in fixing the vulnerability — has a full-time job elsewhere as a software architect. He works on “Log4j and other open source projects” in his spare time.

And it’s against that backdrop that the Alpha-Omega Project is setting out to enhance OSS supply chain security. As its name suggests, the project has two core components — Alpha will work with project maintainers of “the most critical open source projects,” helping them to identify and fix security vulnerabilities and improve their overall security posture. Omega, on the other hand, will identify “at least” 10,000 of the most widely used OSS projects, and apply “automated security analysis, scoring, and remediation guidance” across the respective maintainer communities.

So who, exactly, are the members of these open source communities — is it simply the existing maintainers and contributors? That will be part of it, but the OpenSSF will also look to engage other professionals — including volunteers and paid individuals — to spearhead its push.

“For example, we’d love to see cybersecurity professionals participate as well,” Behlendorf told VentureBeat. “However, to be clear, there will be paid staff who will lead the engagements with key open source projects (Alpha), and do research using automated tooling to find problematic areas in the long-tail of open source projects (Omega).”

Multi-pronged strategy

As the Log4j vulnerability highlighted, a common complaint from the open source realm is that the maintainers of some of the most critical software components receive little in the way of compensation. While the Alpha-Omega Project may go some way toward addressing that, it’s not simply a case of throwing money at maintainers — there is a clear multi-pronged strategy behind the investment.

“I don’t know of any (credible) open source developers who would write more secure code if only someone slipped them some cash,” Behlendorf explained. “However, maintainers are likely to know about the best ways that a modest amount of funds could be applied to fix a serious known issue, update dependencies, set up their OpenSSF Best Practices Badge, or more. So working with maintainers to get that picture, and make sure the funding is targeted on the right opportunities, is key.”

Alpha will be a collaborative project that targets the most critical open source projects, as identified through work carried out by the OpenSSF Securing Critical Projects working group, which combines expert opinions and data. Omega, meanwhile, will use a suite of software tools to identify vulnerabilities automatically — this could be anything from security scanners from companies such as Snyk, to open source tools such as Google’s OSS-Fuzz, and other internal proprietary tools that may eventually be made open source. However, Behlendorf also noted that they anticipate having to create new tools, ones that can intelligently answer questions such as: “that feature that made Log4J so difficult to secure…. what other projects have a similar feature?”

“We expect our paid staff and the community to work together on new tooling to help answer that, and other questions that come up, as new vectors for attack become better understood,” Behlendorf said.

When all is said and done, it’s clear that there has been some effort over the past year to better support open source security — particularly from within “big tech”. Last year, Google revealed it would fund Linux kernel developers; committed $1 million to a Linux Foundation open source security rewards program; and also revealed it was sponsoring the Open Source Technology Improvement Fund (OSTIF), which is specifically focused on conducting security reviews of critical open source software projects.

There seems to be at least some alignment — and even overlap — across these various initiatives, with OSTIF in particular sharing some common goals to those of Alpha-Omega.

“We view the kind of help we anticipate giving open source projects and developers through Alpha-Omega as strictly additive to other assistive efforts those projects may already be receiving,” Behlendorf said. “We are also working hard to ensure that the efforts across all OpenSSF members are harmonized and focused to maximize impact.”

And that is a point worth picking up on. Sarah Novotny, Microsoft’s open source lead for the Azure Office of the CTO, noted last year that open source is now the accepted model of cross-company collaboration. This ethos is very evident here — the OpenSSF counts members that are otherwise major commercial rivals, but they are having to come together for the greater good of their respective products, customers, and bottom lines. Open source is the strand that joins the dots.

“Open source software is a vital component of critical infrastructure for modern society — therefore we must take every measure necessary to keep it and our software supply chains secure,” Behlendorf said.
