Open source community sets out path to secure software

The open source community has presented a 10-point plan to improve the security and resilience of its software, bringing together more than 90 executives from 37 organisations, alongside US government officials, at a summit in Washington DC.

Held a year on from president Biden’s executive order on improving US cyber security, the Open Source Software Security Summit II was organised by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF).

The plan outlines a two-year, $150m (£123m) programme to advance vetted solutions to the 10 major problems identified in the plan, as well as to establish a firm pathway to both more immediate improvements and underpinnings for future development.

A group of companies, Amazon, Ericsson, Google, Intel, Microsoft and VMware have already pledged over $30m of the total needed, with more funding to be identified as the plan develops further.

“On the one year anniversary of president Biden’s executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security and it is fundamental to billions of dollars being invested in software innovation today,” said Linux Foundation executive director Jim Zemlin.

“We have a shared obligation to upgrade our collective cyber security resilience and improve trust in software itself.  This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership.”

OpenSSF executive director Brian Behlendorf added: “What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”

The 10-point plan, which can be read in full on OpenSSF’s website, is as follows:

1. To deliver baseline secure software development education and certification;
2. To establish a public, supplier-neutral, objective-metrics-based risk assessment dashboard for 10,000 widely used open source software (OSS) components;
3. To accelerate the adoption of digital signatures on OSS releases;
4. To eliminate the root causes of many vulnerabilities by replacing non-memory-safe languages;
5. To establish an OpenSSF-backed incident response team to help open source projects respond to vulnerability disclosures;
6. To improve the ability of maintainers and experts to discover new vulnerabilities in open source projects;
7. To establish a programme of third-party code audits and remediation for up to 200 of the most-critical OSS components;
8. To coordinate industry-wide data sharing to improve how the community goes about determining what the most-critical OSS components actually are;
9. To improve the adoption of software bill of materials (SBOM) tooling and training;
10. And finally, to enhance the 10 most-critical OSS build systems, package managers and distribution systems with improved supply chain security tools and practices.

Commenting on the plan, Mike Hanley, chief security officer (CSO) at GitHub, said: “Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain.

“As home to 83 million developers around the world, GitHub is uniquely positioned and committed to advance these efforts, and we’ve continued our investments to help developers and maintainers realize improved security outcomes through initiatives including 2FA enforcement on GitHub.com and NPM, open sourcing the GitHub Advisory Database, financial enablement for developers through GitHub Sponsors, and free security training through the GitHub Security Lab.

“The security of open source is critical to the security of all software. Summit II has been an important next step in bringing the private and public sector together again and we look forward to continuing our partnerships to make a significant impact on the future of software security,” he said.