White House officials, the Linux Foundation, OpenSSF and 37 private sector technology companies announced a 10-point software and open source supply chain mobilization plan and $150 million in funding over two years.
At a summit meeting yesterday, several participating organizations came together to collectively pledge a first tranche of funding for the plan’s implementation. These companies are Amazon, Ericsson, Google, Intel, Microsoft and VMware, pledging over $30 million.
This builds on the existing investments that members of the OpenSSF community are making in open source software. An informal survey of stakeholders indicates that they spend over $110 million and employ nearly a hundred full-time equivalent employees focused on nothing but securing the open source software landscape. This plan is in addition to these investments.
Eric Brewer, VP of Infrastructure at Google Cloud and Google Fellow, said, “We are grateful to the Linux Foundation and OpenSSF for convening the community today to discuss the security challenges of open source software we face and how we can work together across the public and private sectors to address them. Google is committed to supporting many of the efforts we’ve talked about today, including the creation of our new team Open Source Maintenance, a team of Google engineers who will work closely with upstream maintainers to improve the security of open source projects, and providing support to the community through updates on key projects such as SLSA, Scorecards, and Sigstore, which is now used by the Kubernetes project. Security risks will continue to affect all software companies and projects. It’s open source, and only an industry-wide commitment involving a global community of developers, governments, and businesses can make real progress. Google will continue to play our part to make an impact.”
The agreed plan has three key goals: securing open source production, improving vulnerability detection and remediation, and shortening patch response time.
“Today we had the opportunity to share recommendations from our IBM Policy Lab on how understanding the software supply chain is critical to improving security,” said Jamie Thomas, Chief Security Officer at IBM. “We believe that providing greater visibility into the software supply chain through SBOMs (Software Bill of Materials) and using the open source software community as a valuable resource to encourage passionate developers to create, perfect their skills and contribute to the public good can help build our resilience. It’s great to see the strong commitment from the community to work together to secure open source software.”
The full 10-point plan is on the OpenSSF site; a summary of the points follows:
- Security Training — Provide basic security software development training and certification for everyone.
- Risk Assessment — Establish a public, vendor-neutral risk assessment dashboard based on objective metrics for the top 10,000 (or more) OSS components.
- Digital Signatures — Accelerate the adoption of digital signatures on software releases.
- Memory Safety — Eliminate the root causes of many vulnerabilities by replacing memory-unsafe languages.
- Incident Response — Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to help open source projects during critical moments when responding to a vulnerability.
- Better Analysis — Accelerate the discovery of new vulnerabilities by maintainers and experts with advanced security tools and expert guidance.
- Code Audits — Perform third-party code reviews (and any necessary remediation work) on up to 200 of the most critical OSS components once a year.
- Data Sharing — Coordinate industry-wide data sharing to enhance research that helps determine the most critical OSS components.
- SBOM Everywhere — Improve SBOM tooling and training to drive adoption.
- Improved Supply Chains — Improve the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.