Skip to main content
search
Monthly Archives

October 2020

Oct 29

Open Source Security Foundation Announces Education Courses and Participation Initiatives to Advance its Commitment to Securing the World’s Software Infrastructure

By Press Release

Free training opportunities, new member investments, consolidation with Core Infrastructure Initiative and new opportunities for anyone to contribute accelerate work on open source security

 

SAN FRANCISCO, Calif., Oct 29, 2020 OpenSSF, a cross-industry collaboration to secure the open source ecosystem, today announced free training for developing secure software, a new OpenSSF professional certificate program called Secure Software Development Fundamentals and additional program and technical initiatives. It is also announcing new contributors to the Foundation and newly elected advisory council and governing board members.

Open source software has become pervasive across industries, and ensuring its security is of primary importance. The OpenSSF, hosted at the Linux Foundation, provides a structured forum for a collaborative, cross-industry effort. The foundation is committed to working both upstream and with existing communities to advance open source security for all.

Open Source Security Training and Education

OpenSSF has developed a set of three free courses on how to develop secure software on the non-profit edX learning platform. These courses are intended for software developers (including DevOps professionals, software engineers, and web application developers) and others interested in learning how to develop secure software. The courses are specifically designed to teach professionals how to develop secure software while reducing damage and increasing the speed of the response when a vulnerability is found.

The OpenSSF training program includes a Professional Certificate program, Secure Software Development Fundamentals, which can allow individuals to demonstrate they’ve mastered this material. Public enrollment for the courses and certificate is open now. Course content and the Professional Certificate program tests will become available on November 5.

“The OpenSSF has already demonstrated incredible momentum which underscores the increasing priorities placed on open source security,” said Mike Dolan, Senior VP and GM of Projects at The Linux Foundation. “We’re excited to offer the Secure Software Development Fundamentals professional certificate program to support an informed talent pool about open source security best practices.”

New Member Investments

Sixteen new contributors have joined as members of OpenSSF since earlier this year: Arduino; AuriStor; Canonical; Debricked; Facebook; Huawei Technologies; iExec Blockchain Tech; Laboratory for Innovation Science at Harvard (LISH); Open Source Technology Improvement Fund; Polyverse Corporation; Renesas; Samsung; Spectral; SUSE; Tencent; Uber; and WhiteSource. For more information on founding and new members, please visit: https://openssf.org/about/members/

Core Infrastructure Initiative Projects Integrate with OpenSSF

The OpenSSF is also bringing together existing projects from the Core Infrastructure Initiative (CII), including the CII Census (a quantitative analysis to identify critical OSS projects) and CII FOSS Contributor Survey (a quantitative survey of FOSS developers). Both will become part of the OpenSSF Securing Critical Projects working group. These two efforts will continue to be implemented by the Laboratory for Innovation Science at Harvard (LISH). The CII Best Practices badge project is also being transitioned into the OpenSSF.

OpenSSF Leadership

The OpenSSF has elected Kay Williams from Microsoft as Governing Board Chair. Newly elected Governing Board members include:

  • Jeffrey Eric Altman, AuriStor, Inc.;
  • Lech Sandecki, Canonical;
  • Anand Pashupathy, Intel Corporation; and
  • Dan Lorenc from Google as Technical Advisory Committee (TAC) representative.

An election for a Security Community Individual Representative to the Governing Board is currently underway and results will be announced by OpenSSF in November. Ryan Haning from Microsoft has been elected Chair of the Technical Advisory Council (TAC).

There will be an OpenSSF Town Hall on Monday, November 9, 2020, 10:00a -12:00p PT, to share updates and celebrate accomplishments during the first three months of the project.  Attendees will hear from our Governing Board, Technical Advisory Council and Working Group leads, have an opportunity for Q+A and learn more about how to get involved in the project. Register here.

Membership is not required to participate in the OpenSSF. For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved.

 

New Member Comments

Arduino

“As an open-source company, Arduino always considered security as a top priority for us and for our community,” said Massimo Banzi, Arduino co-founder. ’”We are excited to join the Open Source Security Foundation and we look forward to collaborating with other members to improve the security of any open-source ecosystem.”

AuriStor

“One of the strengths of the open protocols and open source software ecosystems is the extensive reuse of code and APIs which expands the spread of security vulnerabilities across software product boundaries.  Tracking the impacted downstream software projects is a time-consuming and expensive process often reaching into the tens of thousands of U.S. dollars.  In Pixar’s Ratatouille, Auguste Gusteau was famous for his belief that “anyone can cook”.  The same is true for software: “anyone can code” but the vast majority of software developers have neither the resources or incentives to prioritize security-first development practices nor to trace and notify impact downstream projects.  AuriStor joins the OSSF to voice the importance of providing resources to the independent developers responsible for so many critical software components.” – Jeffrey Altman, Founder and CEO or AuriStor.

Canonical Group

“It is our collective responsibility to constantly improve the security of open source ecosystem, and we’re excited to join the Open Source Security Foundation,” said Lech Sandecki, Security Product Manager at Canonical. “As publishers of Ubuntu, the most popular Linux distribution, we deliver up to 10 years of security maintenance to millions of Ubuntu users worldwide. By sharing our knowledge and experience with the OSFF community, together, we can make the whole open source more secure.”

Debricked

“The essence of open source is collaboration, and we strongly believe that the OSSF initiative will improve open source security at large. With all of the members bringing something different to the table we can create a diverse community where knowledge, experience and best practices can help shape this space to the better. Debricked has a strong background in research and extensive insight in tooling; knowledge which we hope will be a valuable contribution to the working groups,” said Daniel Wisenhoff, CEO and co-founder of Debricked.

Huawei

“With open source software becoming a crucial foundation in today’s world, how to ensure its security is the responsibility of every stakeholder. We believe the establishment of the Open Source Security Foundation will drive common understanding and best practices on the security of the open source supply chain and will benefit the whole industry,” said Peixin Hou, Chief Expert on Open System and Software, Huawei. “We look forward to making contributions to this collaboration and working with everybody in an open manner. This reaffirms Huawei’s long-standing commitment to make a better, connected and more secure and intelligent world.”

Laboratory for Innovation Science at Harvard

“We are excited to bring the Core Infrastructure Initiative’s research on the prevalence and current practices of open source into this broader network of industry and foundation partners,” said Frank Nagle, Assistant Professor at Harvard Business School and Co-Director of the Core Infrastructure Initiative at the Laboratory for Innovation Science at Harvard. “Only through coordinated, strategically targeted efforts – among competitors and collaborators alike – can we effectively address the challenges facing open source today.”

Open Source Technology Improvement Fund

“OSTIF is thrilled to collaborate with industry leaders and apply it’s methodology and broad expertise for securing open-source technology on a larger scale. The level of engagement across organizations and industries is inspiring, and we look forward to participating via the Securing Critical Projects Working Group,” said Chief Operating Officer Amir Montazery. “Linux Foundation and OpenSSF have been instrumental in aligning efforts towards improving open-source software, and OSTIF is grateful to be involved in the process.”

Polyverse

“Polyverse is honored to be a member of OpenSSF. The popularity of open source as the ‘go-to’ option for mission critical data, systems and solutions has brought with it increased cyberattacks. Bringing together organizations to work on this problem collaboratively is exactly what open source is all about and we’re eager to accelerate progress in this area,” said Archis Gore, CTO, Polyverse.

Renesas

“Renesas provides embedded processors for various application segments, including automotive, industrial automation, and IoT. Renesas is committed to ensuring the integrity and confidentiality of systems and data while mitigating cybersecurity risks. To enable our customers to develop robust systems, it is essential to provide root-of-trust of the open source software that runs on our products,” said Shinichi Yoshioka, Senior Vice President and CTO of Renesas. “We are excited to join the Open Source Security Foundation and to collaborate with industry-leading security professionals to advance more secure computing environments for the society.”

Samsung

“Samsung is trying to provide best-in-class security with our technologies and activities. Not only are security risks reviewed and removed in all development phases of our products, but they are also monitored continuously and patched quickly,” said Yong Ho Hwang, Corporate Vice President and Head of Samsung Research Security Team, Samsung Electronics. “Open source is one of the best approaches to drive cross-industry effort in responding quickly and transparently to security threats. Samsung will continue to be a leader in providing high-level security by actively contributing and collaborating with the Open Source Security Foundation.”

Spectral

“Spectral’s mission is to enable developers to build and ship software at scale without worry. We feel that the OpenSSF initiative is the perfect venue to discuss and improve open source security and is a natural platform that empowers developers. The Spectral team is happy to participate in the working groups and share their expertise in security analysis and research of technology stacks at scale, developer experience (DX) and tooling, open source codebases analysis and trends, developer behavioral analysis, though the ultimate goal of improving open source security and developer happiness,” said Dotan Nahum, CEO and co-founder of Spectral.

SUSE

“At SUSE, we power innovation in data centers, cars, phones, satellites and other devices. It has never been more critical to deliver trustworthy security from the core all the way to the edge,” said Markus Noga, VP Solutions Technology at SUSE. “We are committed to OpenSSF as the forum for the open source community to collaborate on vulnerability disclosures, security tooling, and to create best practices to keep all users of open source solutions safe.”

Tencent

“Tencent believes in the power of open source technology and collaboration to deliver incredible solutions to today’s challenges. As open source has become the de facto way to build software, its security has become a critical component for building and maintaining the software and infrastructure,” said Mark Shan, Chair of Tencent Open Source Alliance and Board Chair of the TARS Foundation. “By bringing different organizations together, OpenSSF provides a platform where developers can collaboratively build solutions needed to protect the open source security supply chain. Tencent is very excited to join this collaborative effort as an OpenSSF member and contribute to its open source security initiatives and best practices.

WhiteSource

“In today’s world, software development teams simply cannot develop software at today’s pace without using open source. Our goal has always been to empower teams to harness the power of open source easily and securely. We’re honored to get the opportunity to join the Open Source Security Foundation where we can join forces with others to contribute, together, towards open source security best practices and initiatives.” David Habusha, VP Product.

About the Open Source Security Foundation (OpenSSF)

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support the open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page:  https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
Story Changes Culture
503-867-2304
jennifer@storychangesculture.com

Oct 29

Announcing: Secure Software Development EdX course, Sign Up Today!

By Blog

The Open Source Security Foundation (OpenSSF) has developed a trio of free courses on how to develop secure software. These courses are part of the Secure Software Development Fundamentals Professional Certificate program, all available on the edX platform. This material is intended for all software developers so they can learn to develop secure software. It focuses on practical steps that any software developer can easily take, not theory or actions requiring unlimited resources.

Those interested can sign up starting October 29, 2020. The course material is expected to be released on November 5, 2020. For more information click here.

Almost all software is under attack today, and many organizations and developers are unprepared in their defense. The Secure Software Development Fundamentals courses will enable software developers to create and maintain systems that are much harder to successfully attack, reduce the damage when attacks are successful, and speed the response so that any latent vulnerabilities can be rapidly repaired. The best practices covered in this program apply to all software developers, and include information especially useful to those who use or develop open source software.

Today 48% of technical hiring managers stated hiring professionals with security expertise is a high priority (as reported in the 2020 Open Source Jobs Report), so there is not a better time to engage in this course. Similarly, Security Software Developers earn 35% more than Software Developers in a US nationwide average (according to ZipRecruiter Sep 25, 2020 data).

The courses in this program discusses risks and requirements, design principles, and evaluating code (such as packages) for reuse. It then focuses on key implementation issues: input validation (such as why allowlists and not denylists should be used), processing data securely, calling out to other programs, sending output, cryptography, error handling, and incident response. This is followed by a discussion on various kinds of verification issues, including different kinds of security tools. The program concludes with a discussion on deployment and vulnerability reporting.

Chris Aniszczyk (CTO of Cloud Native Computing Foundation (CNCF)) said, “In today’s world where more companies are using more software, becoming software companies themselves and everything is becoming connected, security education is more important than ever. At CNCF, we are excited about this new security professional certificate, and intend to have all of our project leadership pass the courses in the program and recommend you do the same in your communities.”

Software developers can take each of the three courses at no cost. They can enroll at any time, and they will then have limited-time access to the course material on EdX. Developers who wish to prove mastery of the material (or have unlimited access time to the material on EdX) can enroll in the Secure Software Development Fundamentals Professional Certificate program for a fee. The courses included in the program are:

  1. Secure Software Development: Requirements, Design, and Reuse (LFD104x)
  2. Secure Software Development: Implementation (LFD105x)
  3. Secure Software Development: Verification and More Specialized Topics (LFD106x)

Those interested can sign up starting October 29, 2020. The course material is expected to be released on November 5, 2020. For more information click here.

Oct 21

OpenSSF Public Town Hall – November 9 2020, 10am Pacific

By Blog

Please join us for the first-ever OpenSSF Town Hall Meeting on November 9, 2020 from 10 AM to 12 PM Pacific Time (US and Canada).

In this meeting, we will share updates and celebrate accomplishments during the first three months of the project. Attendees will hear from the Governing Board, Technical Advisory Council, and Working Group leads, have an opportunity for Q+A, and learn more about how to get involved in the project. Click here to register.

Agenda

  • Welcome and Overview
  • What’s Happening
    • Governing Board and Planning Committee
    • Technical Advisory Council
    • Working Groups
      • Identifying Security Threats – security metrics for open source projects
      • Security Tooling – state of the art, globally accessible security tools
      • Best Practices – awareness and education of security best practices
      • Vulnerability Disclosures – efficient vulnerability reporting and remediation
      • Digital Identity Attestation – ensuring the provenance of open source code
      • Securing Critical Projects – hands-on help for critical open source projects
  • Discussion + Q&A

This is a public meeting and everyone is welcome!  Please register using the link below to receive a  confirmation email with an option to add the meeting to your personal calendar.

http://bit.ly/OpenSSFTownHall

We are actively seeking individuals and companies to join us and get involved in securing the open source ecosystem. The town hall meeting is a great opportunity for those not currently involved to learn more about the work we are doing at OpenSSF and how to become a part of it!

We hope to see you there!

Oct 07

OpenSSF seeks Security Community Individual Representative for Governing Board

By Blog

The Open Source Security Foundation (OpenSSF) is accepting nominations for the Security Community Individual Representative seat on our Governing Board. The nomination period is open until October 23 2020, after which voting will occur, to conclude on November 5 2020. In this post, we would like to provide some additional information about the role, including its’ activities and our rationale behind creating this position. At the bottom of the post, we share a link where nominations can be submitted, as well as contact information.

What is OpenSSF?
The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community, targeted initiatives, and best practices. Current initiatives are linked to from our GitHub page.

The OpenSSF was established on the premise that security researchers need a mechanism to allow them to collaboratively address methods needed to secure the open source supply chain. It recognizes that security researchers across the globe within organizations have common interests and concerns. OpenSSF facilitates sustained dialogue and project work among private entities, foundations/nonprofits, individual contributors, and academia.

What is involved in serving on the OpenSSF Governing Board?
Governing Board members are responsible for the overall organization and funding of the OpenSSF.  Some activities in which they participate include things like:

  • establishing criteria for membership and dues
  • overseeing business and community outreach
  • adopting and maintaining policies and procedures
  • establishing advisory bodies, committees, programs and councils to support the mission of the OpenSSF
  • approving a budget and fundraising proposals
  • publishing use cases, user stories, websites and priorities to help inform the ecosystem and technical community
  • voting on all decisions or matters coming before the Governing Board

Governing Board (GB) members typically spend 2-3 hours per month preparing for and attending a monthly Governing Board meeting. Many GB members choose to spend additional time in Governing Board related committees which could include strategy, finance, and communications committees.

Like all Governing Board seats, the Security Community Individual Representative seat is unpaid and is held on a volunteer basis, generally as a complement and component of an individual’s primary employment within the industry. As outlined in Section 3 of the OpenSSF Charter, the Security Community Individual Representative will serve a one year term (i.e.: until August 2021), coinciding with the OpenSSF Member Representative elections.

More details about the Governing Board and general organization and operations of OpenSSF are available in the OpenSSF Charter, which should be considered the authoritative document about this role.

Additional OpenSSF governance information can be found on GitHub.

Rationale for Security Community Individual Representative Governing Board seat

When drafting the original Charter for OpenSSF, one thing we were keen on was the prompt introduction of dedicated seats to diversify the perspectives and professional experiences of our Governing Board. Ultimately this included adding and reserving a seat for a representative from a Nonprofit organization or Academia (“Associate Member Representative”), as well as adding and reserving a seat for an individual from the broader technical community who could help bring further perspective (“Security Community Individual Representative”).

Perhaps a bit of a misnomer, the “Security Community Individual Representative” is a dedicated seat for an individual from the open source software maintainer community and/or the security community.

We envisioned that such a seat would be filled by a nominee who showed a longtime dedication to the open source software ecosystem and/or is someone from the security community who has expertise in areas like application security and vulnerability management. We imagined that such a candidate probably would not work at any of the organizations of which the founding members of the OpenSSF GB are members/employees, is likely to have played a fundamental role in the development and maintenance of one or more large or critical open source projects, and/or has worked on securing software at scale through research, engineering, or other security roles, and could help us to ensure that decisions we make and security initiatives we support are a net positive for maintainers, their projects, and the OSS ecosystem. The intention behind the role was to better represent the range of perspectives, backgrounds, needs, and motivations amongst OSS maintainers and security researchers, including individual contributors, and to ensure that a person with this viewpoint would have a dedicated “seat at the table” within OpenSSF governance to help us broaden the range of feedback, ideas, and expertise that would be represented at the Governing Board level.

It should be noted that these are merely some suggested criteria, and anyone who feels they would make a great community rep for an organization focusing on OSS and security is warmly welcomed to apply. By no means are the items listed above a hard requirement for nomination

Submit your nomination
Nominations for the Security Community Individual Representative seat will be open until October 23 2020, and voting will take place until November 5 2020. See nomination instructions below. Once the nomination period closes, voting will be open to members of the openssf-announcements@lists.openssf.org mailing list. Click here to sign up for an OpenSSF mailing list.

Nominations (including self-nomination) can be submitted to the form below (Due October 23rd 2020):
https://docs.google.com/forms/d/e/1FAIpQLSd61bqfR_siMDvWlCC4s3jKxaVAVbOIIrt9_EwDqZ23VPmMlQ/viewform

Questions and Feedback
To share feedback with the OpenSSF Governing Board, please complete this quick form. Additionally, learn more about how to get involved here.

[Editor’s note: This post was updated October 7 2020 to add clarifying language around desirable qualities for a nominee]

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved
Close Menu