The Open Source Security Foundation (OpenSSF) has a membership base, obviously, but joining this cross-industry organisation hosted at the Linux Foundation isn’t just a question of signing up for a membership badge.
Focused on bringing together the world’s most important software supply chain security initiatives, the OpenSSF lists new members once and only once they can be classified as general member ‘commitments’, with the clue quite definitely in the committed end of the equation.
Eight new members have joined this year.
New OpenSSF general member commitments include those from Amesto Fortytwo, Code Intelligence, Kusari, Privado, Scotiabank and Technology Innovation Institute (TII).
New associate members include the Open Source Business Alliance – Bundesverband für digitale Souveränität e.V. and Python Software Foundation.
The total number of OpenSSF members is currently over 100 and organisation membership saw an 88% growth in 2022 from a variety of different sectors.
Governments are watching
This growth (arguably, or perhaps inarguably) comes at a critical time when world governments are looking at how code is secured and considering related legislation, such as the EU Cyber Resilience Act.
The OpenSSF recently submitted commentary outlining the impact of the CRA on open source communities and future software development.
“As we work to secure the open source ecosystem, it is more important than ever that our membership represents all stakeholders in the open source community, from companies to research associations to open source foundations,” said Brian Behlendorf, General Manager of OpenSSF.
Behlendorf says that investing in security remains of the utmost importance even during times of economic uncertainty.
“Threat surfaces continue to evolve and attackers continue to exploit vulnerabilities. We are happy to see that technical communities continue to demonstrate a strong commitment to investing in security now and for the future,” he added.
The latest commitments follow a period for OpenSSF that has seen major new initiatives and milestones, such as updates from various initiatives and working groups described in the OpenSSF’s first annual report, new funding pledges and investments for Alpha-Omega, participating in various open source security conferences in Europe, and the first Open Source Security Meetups in Tokyo and Hong Kong.
“Amesto Fortytwo is both an end-user of OSS, which we use to create our services and products, but also a contributor to various projects. As a company focusing on security and platform services, making sure that the ecosystem thrives is of utmost importance to us. Our employees already dedicate time to help the community out, and we are proud to now also be a member of OpenSSF,” said Roberth Strand, principal cloud engineer, Amesto Fortytwo.
Security incidents such as Heartbleed and Log4Shell show significant weaknesses in the software supply chain.
In his role as co-founder and chief scientist at Code Intelligence, Khaled Yakdan says that his team took on the mission of providing effective testing that developers enjoy using in their regular workflows to find, understand and fix vulnerabilities.
“We open sourced significant parts of our technology, making it available to everyone, which helped find many critical vulnerabilities in open-source software.
We are thrilled to join OpenSSF to share our knowledge, experience, and learnings with the community and collaborate on accelerating the advances of open-source security.”
Kusari is also proud to join the OpenSSF. CTO Michael Lieberman notes that with the majority of software utilising OSS in some capacity and the ever-increasing complexity of projects’ dependency graphs, OSS security grows more important.
“Kusari is committed to making supply chain security simple for everyone from developer through to the C-suite through a holistic SDLC focused approach and are happy to see that alignment also reflected in the vision of the OpenSSF,” said Lieberman.
The OpenSSF insists that it is committed to collaboration and working both upstream and with existing communities to advance open source security for all.