
January 2021 Update: New Technical Vision Informs Working Group Progress 


The OpenSSF community has been working fast and furious since its formation last year to improve the security of the open source ecosystem. We all know this is no small mission, so we’re taking a moment to report out on all the work that’s happening and to invite you to participate. We also hope to see you at our next Town Hall Meeting on Monday, February 22, 1:00-2:00 p.m. ET.

Technical Vision 

Perhaps most importantly, we’ve worked across companies and geographies to articulate our technical vision for this effort. Our challenge is a big one, and a collective, intentional vision lets us prioritize the most pressing needs.

We envision a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course:

  • Developers can easily learn secure development practices and are proactively guided by their tools to apply those practices and automatically informed when action is needed to prevent, remediate, or mitigate security issues.
  • Developers, auditors, and regulators can create and easily distribute security policies that are enforced through tooling and automation, providing continuous assurance of the results.
  • Developers and researchers can identify security issues (including unintentional vulnerabilities and malicious software) and have this information swiftly flow backwards through the supply chain to someone who can rapidly address the issue.
  • Community members can provide information and notifications about product defects, mitigations, quality, and supportability and have this information rapidly flow forward across the ecosystem to all users, and users can rapidly update their software or implement mitigations as appropriate.

Working Group Progress

Our working groups are where the work gets done, and contributors from across the industry have made important progress in recent months. The Technical Vision will help to direct this work. Here are the latest updates: 

Securing Critical Projects
This workgroup focuses on understanding which open source software projects are the most critical so that security work can be prioritized accordingly. The group is working on a Criticality Score and contributed to the Report on the 2020 FOSS Contributor Survey by Harvard & the Linux Foundation.

Security Tooling
The latest tool from this workgroup is the CVE Benchmark for security tooling and data sets. It runs a range of static application security testing (SAST) tools against real-world codebases containing more than 200 historical JavaScript/TypeScript vulnerabilities, so that detection results can be compared across tools.

Identifying Security Threats
This group is building a Security Metrics dashboard for open source projects; an early version has already been demonstrated to the working group.

Vulnerability Disclosures
This group is developing user personas to focus on gaps in current practices, and is assessing the vulnerability management practices and standards in use within the community today.

Best Practices
The group has established Security Scorecards, which auto-generates a “security score” from a number of automated checks run against OSS projects. It is simple to understand, fully automated and based on objective criteria, and it can have a large impact across the OSS ecosystem by driving awareness and inspiring projects to improve their security posture.

This group is also developing a reference architecture and an educational presentation about the core components and relationships of the working group’s projects; working with the OWASP Security Knowledge Framework (SKF) to provide best-practice information along with labs for trying those practices out in various programming languages; and improving the internationalization of the CII Best Practices Badge, which now includes more Chinese translators and initial progress on Swahili.

Security Representative to the OpenSSF Governing Board 

We also want to share that Ian Coldwater has been elected to the OpenSSF Governing Board as Security Representative. Ian is the director of Software Engineering – DevSecOps at Twilio and specializes in hacking and hardening Kubernetes, containers and cloud-native infrastructure. They are also the co-chair of the Kubernetes SIG Security. 

Oh, and if you haven’t already read it, the Linux Foundation’s Director of Open Source Supply Chain Security, David A. Wheeler, has a new post on how to prevent supply chain attacks like SolarWinds, with specific recommendations.

The OpenSSF is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, to build a community that supports open source security for decades to come.

For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved.

Digital Identity Attestation Roundup


Author: Kim Lewandowski, on behalf of the Digital Identity Attestation Working Group

We kicked off the first Digital Identity Attestation Working Group meeting under the OpenSSF in August 2020. The objective of this working group is to enable open source maintainers, contributors and end-users to understand, and make decisions about, the provenance (origin) of the code they maintain, produce and use.

We spent the first several meetings discussing threat models as they relate to the digital identities of those involved in software supply chains, and what types of attacks are possible at each link of the chain. After this exercise, we have filled our meetings with community presentations as we all try to learn more about this space and brainstorm opportunities to work together on mitigating these types of attacks.

Below is a summary of the presentations to date:

Linux Kernel

  • Presenter: Konstantin Ryabitsev (Linux Foundation)
  • Summary: This presentation is an overview of how the Linux Kernel handles developer identity verification.
  • Slides
  • YouTube

In-Toto

  • Presenter: Santiago Torres-Arias (Purdue University)
  • Summary: This presentation introduced in-toto as a framework to automate compliance for software supply chain operations, onboarding new actors (e.g., developers) within an organization, and verifying best practices across the software development lifecycle. Using in-toto, these processes can be cryptographically checked to ensure that each actor performed their duties properly, that no steps were missed, and that no evidence of these steps was tampered with.
  • Slides
  • YouTube

Self Sovereign Identity

  • Presenter: Arnaud Le Hors (IBM)
  • Summary: A short introduction to Self Sovereign Identity, an approach to identity management that gives individuals and organizations control over their own digital identity. This presentation introduces the overall architecture based on a specific scenario, highlights key principles, and points to various related initiatives focused on developing supporting standards and software.
  • Slides
  • YouTube

The Node.js Release Process

  • Presenter: Myles Borins (GitHub)
  • Summary: Myles reviewed how the Node.js project manages releases in a secure and reliable way. We looked at the tools we use to help release managers maintain multiple release lines, our testing infrastructure, and the processes we have in place to ensure reliable, consistent releases.
  • YouTube

Git Signing with SSH

  • Presenter: Damien Miller (Google)
  • Summary: The goal discussed was that every line of code in a git repository be cryptographically attributable back to an author or importer. The talk proposed refactoring git’s cryptography support so that signature schemes other than the current GnuPG can be used, and adding signing with SSH keys, based on the observation that most git users already have an SSH key that they use to authenticate to a repository. It covered the progress already made in OpenSSH to sign arbitrary data, which such a git scheme could be made compatible with, and the hope that SSH-key signing could be made near-seamless enough for signing of commits and pushes to become the default for most users. Finally, it discussed repository-host-side countersigning and related measures needed to retain provenance across rebase and merge operations, which rewrite commits and so leave the original author signatures no longer covering the commits that end up in the history.
  • Slides
  • YouTube
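As an added example (not code from the talk, from git, or from OpenSSH), the script below exercises the generic signing that OpenSSH already ships (ssh-keygen -Y sign/verify, available since OpenSSH 8.0), which is the mechanism the proposal builds on, in the shape a commit signer would use it: a key, an allowed_signers trust store, a detached signature under a "git" namespace, and verification against that store. The signer identity, file paths and commit text are constructed for the example. It also shows why the namespace and the exact signed bytes matter: the same key's signature over the same bytes is rejected when presented under a different namespace, and a commit altered after signing (which is what a rebase does to a commit) is rejected, which is the gap the host-side countersigning discussion addresses.

```shell
#!/bin/sh
# Added example, not code from the talk or from git/OpenSSH: exercise the
# generic signing that OpenSSH already ships (ssh-keygen -Y, OpenSSH 8.0+)
# the way a git-commit signer would, and show what the signature's
# namespace binding buys you. Names, paths and the commit text are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The principal a verifier will look up in allowed_signers (constructed identity).
SIGNER=maintainer@example.com

# 1. Signing key. Any SSH key type works; ed25519 keeps keys and signatures small.
#    In practice this is the key the developer already uses for git-over-SSH.
ssh-keygen -q -t ed25519 -N '' -C "$SIGNER" -f "$WORK/id_sign"

# 2. The verifier's trust store: one "principal [options] keytype key" line per
#    trusted key. namespaces="git" restricts this key to commit/push signatures,
#    so a signature it made over some other kind of data is not accepted here.
awk -v p="$SIGNER" '{ print p, "namespaces=\"git\"", $1, $2 }' \
    "$WORK/id_sign.pub" > "$WORK/allowed_signers"

# 3. A stand-in for the commit object git hands to the signer (constructed).
printf 'tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor A U Thor <author@example.com> 1611100000 +0000\ncommitter A U Thor <author@example.com> 1611100000 +0000\n\nInitial import\n' \
    > "$WORK/commit"

# sign_commit FILE: detached signature written to FILE.sig. The "git" namespace
# is baked into the signed data, so the same key signing a plain file or an
# SSH login challenge cannot produce bytes that verify as a commit signature.
sign_commit() {
    ssh-keygen -Y sign -f "$WORK/id_sign" -n git "$1" 2>/dev/null
}

# verify_sig NAMESPACE SIGFILE DATAFILE: exit 0 iff SIGFILE is a valid signature
# over DATAFILE, made in NAMESPACE by a key that allowed_signers maps to $SIGNER.
verify_sig() {
    ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$SIGNER" \
        -n "$1" -s "$2" < "$3" >/dev/null 2>&1
}

# signer_of SIGFILE: which allowed principal's key made this signature
# (answers "who signed this?" without needing the signed data).
signer_of() {
    ssh-keygen -Y find-principals -f "$WORK/allowed_signers" -s "$1" 2>/dev/null
}

# Demonstration: a good signature, the same bytes presented as a "file"
# signature, and a commit altered after signing (as a rebase or a tampering
# host would do).
sign_commit "$WORK/commit"
cp "$WORK/commit" "$WORK/rewritten"
printf 'committer Someone Else <else@example.com> 1611200000 +0000\n' >> "$WORK/rewritten"

echo "signed by: $(signer_of "$WORK/commit.sig")"
verify_sig git  "$WORK/commit.sig" "$WORK/commit"    && echo "git namespace, original commit:  verified"
verify_sig file "$WORK/commit.sig" "$WORK/commit"    || echo "file namespace, same bytes:      rejected"
verify_sig git  "$WORK/commit.sig" "$WORK/rewritten" || echo "git namespace, rewritten commit: rejected"
```

Run it as a plain shell script; it needs only ssh-keygen (OpenSSH 8.2 or later for find-principals). Git later adopted exactly this mechanism (gpg.format = ssh with gpg.ssh.allowedSignersFile, from Git 2.34), so the allowed_signers file built here is the same format git consumes when verifying SSH-signed commits.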

PKI

  • Presenter: Mike Malone (Smallstep)
  • Summary: An introduction to and overview of public key infrastructure (PKI) standards and technologies. Broadly, PKI deals with key distribution and management (enrollment, renewal, revocation, transparency, etc.). This presentation explores the standards and practices in place for the Web PKI (HTTPS), and how they could be applied to help secure the software supply chain.
  • Slides
  • YouTube

Janssen

  • Presenter: Mike Schwartz
  • Summary: Janssen is an open source digital identity and access management platform. Organizations can use this software to self-host an identity provider or to build this capability into a product. The project includes “Janssen Auth Server”, which is an OAuth Authorization Server and an OpenID Connect Provider. Janssen Auth Server is a fork of the core component of Gluu Server 4.2.2, which was certified by the OpenID Foundation. Other components of the Janssen Project include a W3C WebAuthn (FIDO2) server implementation, which enables people to enroll, authenticate with and manage these new credentials. In addition to the source code, the Janssen Project publishes cloud native assets and a distribution that can be installed on a VM or bare metal.
  • YouTube
  • Project Home Page: https://jans.io

What’s Next?

We’re always looking for new presenters on topics in this space. If you are interested in presenting or would like to get involved with the working group, check out the GitHub repo for details on meetings and other communication channels.

In the future, this working group is looking to explore efforts around signature transparency throughout the software supply chain.

Thanks to all the presenters for taking the time to present and for their help compiling this recap!