White House officials, The Linux Foundation, OpenSSF and 37 private sector tech companies have announced a 10-point open source and software supply chain mobilization plan and $150 million of funding over two years.
At a summit meeting yesterday, several of the participating organizations pledged an initial tranche of funding towards implementation of the plan. Amazon, Ericsson, Google, Intel, Microsoft and VMware together pledged over $30M.
This builds on the investments that OpenSSF community members already make in securing open source software. An informal poll of stakeholders indicates that they spend over $110M a year and employ nearly a hundred full-time equivalent staff focused on nothing but securing the open source software landscape; the plan's funding adds to those existing investments.
Eric Brewer, VP of infrastructure at Google Cloud and Google Fellow, says, “We’re thankful to the Linux Foundation and OpenSSF for convening the community today to discuss the open source software security challenges we’re facing and how we can work together across the public and private sectors to address them. Google is committed to supporting many of the efforts we discussed today, including the creation of our new Open Source Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects, and by providing support to the community through updates on key projects like SLSA, Scorecards and Sigstore, which is now being used by the Kubernetes project. Security risks will continue to span all software companies and open source projects and only an industry-wide commitment involving a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact.”
The agreed plan has three key goals: securing open source production, improving vulnerability discovery and remediation, and shortening patch response times.
“Today, we had the opportunity to share our IBM Policy Lab’s recommendations on how understanding the software supply chain is key to improving security,” says Jamie Thomas, enterprise security executive at IBM. “We believe that providing greater visibility in the software supply chain through SBOMs (Software Bills of Materials) and using the Open Source Software community as a valuable resource to encourage passionate developers to create, hone their skills, and contribute to the public good can help strengthen our resiliency. It’s great to see the strong commitment from the community to work together to secure open source software.”
The full 10-point plan is published on the OpenSSF site; the points are summarized below:
- Security Education — Deliver baseline secure software development education and certification to all.
- Risk Assessment — Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
- Digital Signatures — Accelerate the adoption of digital signatures on software releases.
- Memory Safety — Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
- Incident Response — Establish the OpenSSF Open Source Security Incident Response Team, a group of security experts who can step in to assist open source projects at critical moments, such as when responding to a newly disclosed vulnerability.
- Better Scanning — Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
- Code Audits — Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
- Data Sharing — Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
- SBOMs Everywhere — Improve SBOM tooling and training to drive adoption.
- Improved Supply Chains — Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.