Skip to main content

đŸ“© Stay Updated! Follow us on LinkedIn and join our mailing list for the latest news!

All Posts By

OpenSSF

How LF communities enable security measures required by the US Executive Order on Cybersecurity

By Blog

Our communities take security seriously and have been instrumental in creating the tools and standards that every organization needs to comply with the recent US Executive Order

Overview

The US White House recently released its Executive Order (EO) on Improving the Nation’s Cybersecurity (along with a press call) to counter “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”

In this post, we’ll show what the Linux Foundation’s communities have already built that support this EO and note some other ways to assist in the future. But first, let’s put things in context.

The Linux Foundation’s Open Source Security Initiatives In Context

We deeply care about security, including supply chain (SC) security. The Linux Foundation is home to some of the most important and widely-used OSS, including the Linux kernel and Kubernetes. The LF’s previous Core Infrastructure Initiative (CII) and its current Open Source Security Foundation (OpenSSF) have been working to secure OSS, both in general and in widely-used components. The OpenSSF, in particular, is a broad industry coalition “collaborating to secure the open source ecosystem.”

The Software Package Data Exchange (SPDX) project has been working for the last ten years to enable software transparency and the exchange of software bill of materials (SBOM) data necessary for security analysis. SPDX, recognized and implemented as ISO/IEC standard 5962:2021, is supported by global companies with massive supply chains, and has a large open and closed source tooling support ecosystem. SPDX already meets the requirements of the executive order for SBOMs.

Finally, several LF foundations have focused on the security of various verticals. For example,  LF Public Health and LF Energy have worked on security in their respective sectors. Our cloud computing industry collaborating within CNCF has also produced a guide for supporting software supply chain best practices for cloud systems and applications.

Given that context, let’s look at some of the EO statements (in the order they are written) and how our communities have invested years in open collaboration to address these challenges.

Best Practices

The EO 4(b) and 4(c) says that

The “Secretary of Commerce [acting through NIST] shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria [including] criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices [and guidelines] for enhancing software supply chain security.” Later in EO 4(e)(ix) it discusses “attesting to conformity with secure software development practices.”

The OpenSSF’s CII Best Practices badge project specifically identifies best practices for OSS, focusing on security and including criteria to evaluate the security practices of developers and suppliers (it has over 3,800 participating projects). LF is also working with SLSA (currently in development) as potential additional guidance focused on addressing supply chain issues further.

Best practices are only useful if developers understand them, yet most software developers have never received education or training in developing secure software. The LF has developed and released its Secure Software Development Fundamentals set of courses available on edX to anyone at no cost. The OpenSSF Best Practices Working Group (WG) actively works to identify and promulgate best practices. We also provide a number of specific standards, tools, and best practices, as discussed below.

Encryption and Data Confidentiality

The EO 3(d) requires agencies to adopt â€œencryption for data at rest and in transit.” Encryption in transit is implemented on the web using the TLS (“https://”) protocol, and Let’s Encrypt is the world’s largest certificate authority for TLS certificates.

In addition, the LF Confidential Computing Consortium is dedicated to defining and accelerating the adoption of confidential computing. Confidential computing protects data in use (not just at rest and in transit) by performing computation in a hardware-based Trusted Execution Environment. These secure and isolated environments prevent unauthorized access or modification of applications and data while in use.

Supply Chain Integrity

The EO 4(e)(iii) states a requirement for

 â€œemploying automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code.” 

The LF has many projects that support SC integrity, in particular:

  • in-toto is a framework specifically designed to secure the integrity of software supply chains.
  • The Update Framework (TUF) helps developers maintain the security of software update systems, and is used in production by various tech companies and open source organizations.  
  • Uptane is a variant of TUF; it’s an open and secure software update system design which protects software delivered over-the-air to the computerized units of automobiles.
  • sigstore is a project to provide a public good / non-profit service to improve the open source software supply chain by easing the adoption of cryptographic software signing (of artifacts such as release files and container images) backed by transparency log technologies (which provide a tamper-resistant public log). 
  • We are also funding focused work on tools to ease signature and verify origins, e.g., we’re working to extend git to enable pluggable support for signatures, and the patatt tool provides an easy way to provide end-to-end cryptographic attestation to patches sent via email.
  • OpenChain (ISO 5230) is the International Standard for open source license compliance. Application of OpenChain requires identification of OSS components. While OpenChain by itself focuses more on licenses, that identification is easily reused to analyze other aspects of those components once they’re identified (for example, to look for known vulnerabilities).

Software Bill of Materials (SBOMs) support supply chain integrity; our SBOM work is so extensive that we’ll discuss that separately.

Software Bill of Materials (SBOMs)

Many cyber risks come from using components with known vulnerabilities. Known vulnerabilities are especially concerning in key infrastructure industries, such as the national fuel pipelines,  telecommunications networks, utilities, and energy grids. The exploitation of those vulnerabilities could lead to interruption of supply lines and service, and in some cases, loss of life due to a cyberattack.

One-time reviews don’t help since these vulnerabilities are typically found after the component has been developed and incorporated. Instead, what is needed is visibility into the components of the software environments that run these key infrastructure systems, similar to how food ingredients are made visible.

A Software Bill of Materials (SBOM) is a nested inventory or a list of ingredients that make up the software components used in creating a device or system. This is especially critical as it relates to a national digital infrastructure used within government agencies and in key industries that present national security risks if penetrated. The use of SBOMs would improve understanding of the operational and cyber risks of those software components from their originating supply chain.

The EO has extensive text about requiring a software bill of materials (SBOM) and tasks that depend on SBOMs:

  • EO 4(e) requires providing a purchaser an SBOM â€œfor each product directly or by publishing it on a public website” and “ensuring and attesting
 the integrity and provenance of open source software used within any portion of a product.” 
  • It also requires tasks that typically require SBOMs, e.g., â€œemploying automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly
.” and â€œmaintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.” 
  • EO 4(f) requires publishing â€œminimum elements for an SBOM,” and EO 10(j) formally defines an SBOM as a “formal record containing the details and supply chain relationships of various components used in building software
  The SBOM enumerates [assembled] components in a product
 analogous to a list of ingredients on food packaging.”

The LF has been developing and refining SPDX for over ten years; SPDX is used worldwide and is approved as ISO/IEC International Standard 5962:2021.  SPDX is a file format that identifies the software components within a larger piece of computer software and metadata such as the licenses of those components. SPDX 2.2 already supports the current guidance from the National Telecommunications and Information Administration (NTIA) for minimum SBOM elements. Some ecosystems have ecosystem-specific conventions for SBOM information, but SPDX can provide information across all arbitrary ecosystems.

SPDX is real and in use today, with increased adoption expected in the future. For example:

  • An NTIA “plugfest” demonstrated ten different producers generating SPDX. SPDX supports acquiring data from different sources (e.g., source code analysis, executables from producers, and analysis from third parties). 
  • corpus of some LF projects with SPDX source SBOMs is available. 
  • Various LF projects are working to generate binary SBOMs as part of their builds, including yocto and Zephyr
  • To assist with further SPDX adoption, the LF is paying to write SPDX plugins for major package managers.

Vulnerability Disclosure

No matter what, some vulnerabilities will be found later and need to be fixed. EO 4(e)(viii) requires â€œparticipating in a vulnerability disclosure program that includes a reporting and disclosure process.” That way, vulnerabilities that are found can be reported to the organizations that can fix them. 

The CII Best Practices badge passing criteria requires that OSS projects specifically identify how to report vulnerabilities to them. More broadly, the OpenSSF Vulnerability Disclosures Working Group is working to help “mature and advocate well-managed vulnerability reporting and communication” for OSS. Most widely-used Linux distributions have a robust security response team, but the Alpine Linux distribution (widely used in container-based systems) did not. The Linux Foundation and Google funded various improvements to Alpine Linux, including a security response team.

We hope that the US will update its Vulnerabilities Equities Process (VEP) to work more cooperatively with commercial organizations, including OSS projects, to share more vulnerability information. Every vulnerability that the US fails to disclose is a vulnerability that can be found and exploited by attackers. We would welcome such discussions.

Critical Software

It’s especially important to focus on critical software — but what is critical software? EO 4(g) requires the executive branch to define “critical software,” and 4(h) requires the executive branch to â€œidentify and make available to agencies a list of categories of software and software products
 meeting the definition of critical software.”

Linux Foundation and the Laboratory for Innovation Science at Harvard (LISH) developed the report Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software, which analyzed the use of OSS to help identify critical software. The LF and LISH are in the process of updating that report. The CII identified many important projects and assisted them, including OpenSSL (after Heartbleed), OpenSSH,  GnuPG, Frama-C, and the OWASP Zed Attack Proxy (ZAP). The OpenSSF Securing Critical Projects Working Group has been working to better identify critical OSS projects and to focus resources on critical OSS projects that need help. There is already a first-cut list of such projects, along with efforts to fund such aid.

Internet of Things (IoT)

Unfortunately, internet-of-things (IoT) devices often have notoriously bad security. It’s often been said that “the S in IoT stands for security.” 

EO 4(s) initiates a pilot program to â€œeducate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices [based on existing consumer product labeling programs], and shall consider ways to incentivize manufacturers and developers to participate in these programs.” EO 4(t) states that such â€œIoT cybersecurity criteria” shall “reflect increasingly comprehensive levels of testing and assessment.”

The Linux Foundation develops and is home to many of the key components of IoT systems. These include:

  • The Linux kernel, used by many IoT devices. 
  • The yocto project, which creates custom Linux-based systems for IoT and embedded systems. Yocto supports full reproducible builds. 
  • EdgeX Foundry, which is a flexible OSS framework that facilitates interoperability between devices and applications at the IoT edge, and has been downloaded millions of times. 
  • The Zephyr project, which provides a real-time operating system (RTOS) used by many for resource-constrained IoT devices and is able to generate SBOM’s automatically during build. Zephyr is one of the few open source projects that is a CVE Numbering Authority.
  • The seL4 microkernel, which is the most assured operating system kernel in the world; it’s notable for its comprehensive formal verification.

Security Labeling

EO 4(u) focuses on identifying:

“secure software development practices or criteria for a consumer software labeling program [that reflects] a baseline level of secure practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone [and] identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system.”

The OpenSSF’s CII Best Practices badge project (noted earlier) specifically identifies best practices for OSS development, and is already tiered (passing, silver, and gold). Over 3,800 projects currently participate.

There are also a number of projects that relate to measuring security and/or broader quality:

Conclusion

The Linux Foundation (LF) has long been working to help improve the security of open source software (OSS), which powers systems worldwide. We couldn’t do this without the many contributions of time, money, and other resources from numerous companies and individuals; we gratefully thank them all.  We are always delighted to work with anyone to improve the development and deployment of open source software, which is important to us all.

David A. Wheeler, Director of Open Source Supply Chain Security at the Linux Foundation

Technology and Enterprise Leaders Combine Efforts to Improve Open Source Security

By Press Release

New collaboration called Open Source Security Foundation (OpenSSF) consolidates industry efforts to improve the security of open source software

SAN FRANCISCO, Calif., Aug 3, 2020 – The Linux Foundation, today announced the formation of the Open Source Security Foundation (OpenSSF). The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.

Open source software has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike. Because of its development process, open source that ultimately reaches end users has a chain of contributors and dependencies. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency chain.

The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just a couple of the projects that will be brought together under the new OpenSSF. The Foundation’s governance, technical community and its decisions will be transparent, and any specifications and projects developed will be vendor agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

“We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation. “Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”

With the formalization of the group, the open governance structure is established and includes a Governing Board (GB), a Technical Advisory Council (TAC) and a separate oversight for each working group and project. OpenSSF intends to host a variety of open source technical initiatives to support security for the world’s most critical open source software, all of which will be done in the open on GitHub.

For more information and to contribute to the project, please visit https://openssf.org

Resources

Threats, Risks & Mitigations of the Open Source Ecosystem, Open Source Security Coalition
Vulnerabilities in the Core, Harvard’s Lab for Innovation Science and Linux Foundation
Red Hat Product Security Risk Report, Red Hat

Governing Board Member Quotes

GitHub
“Every industry is using open source software, and it is our collective responsibility to help maintain a healthy and secure ecosystem,” said Jamie Cool, Vice President of Product Management, Security at GitHub. “GitHub founded the Open Source Security Coalition in 2019 to bring together industry leaders around this mission and ensure the consumption of open source software is something that all developers can do with confidence. We look forward to this next step in the evolution of the coalition and serving as a founding member of the Open Source Security Foundation.”

Read more in GitHub’s blog.

Google
“Security is always top of mind for Google and our users. We have developed robust internal security tools and systems for consuming open source software internally, for our users, and for our OSS-based products. We believe in building safer products for everyone with far-reaching impacts, and we are excited to work with the broader community through the OpenSSF. We look forward to sharing our innovations and working together to improve the security of open source software we all depend on,” said Director of Product Security, Google Cloud, James Higgins.

IBM
“Open source has become mainstream in the enterprise. As such, the security of the open source supply-chain is of paramount importance to IBM and our clients,” said Christopher Ferris, IBM Fellow and CTO Open Technology. “The launch of the Open Source Security Foundation marks an important step towards giving open source communities the information and tools they need to improve their secure engineering practices, and the information developers need to choose their open source wisely.”

JPMorgan Chase
“Developing, growing and using open source software is a top priority for JPMorgan Chase. We are committed to partner with the community through the Open Source Security Foundation to ensure trust and security in open source software for everyone,” stated Lori Beer, Global Chief Information Officer, JPMorgan Chase.

Microsoft
“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own,” said Mark Russinovich, Chief Technology Officer, Microsoft Azure. “As with everything open source, building better security is a community-driven process. All of us at Microsoft are excited to be a founding member of the Open Source Security Foundation and we look forward to partnering with the community to create new security solutions that will help us all.”

Read more in Microsoft’s blog.

NCC Group
“The security and privacy of the internet is essential for the protection of individuals, organizations and critical infrastructure, and also the future of democracy and our civil liberties. Given the fundamental role open source plays in powering our world, creating scalable resources and tools to help software maintainers, developers, and users understand and improve their projects’ security is a significant step toward a safer and more secure world. By bringing together a dedicated group of technologists with a shared desire to improve the security of open source software, together we can begin to remediate – or even prevent – security vulnerabilities at a scale not previously possible,” stated Jennifer Fernick, Head of Research at global cyber security expert NCC Group.”

OWASP
“Joining the Linux Foundation and the Open Source Security Foundation is central to our mission to advance the state of application security, especially as OpenSSF is already aligned with OWASP’s core philosophies of openness, transparency and innovation,” said Andrew van der Stock, Executive Director of OWASP, the Open Web Application Security Project. “We look forward to working with all of the participating organizations to improve the state of software security and work together on projects of vital interest to software developers, organizations, and governments around the world.”

Red Hat
“Red Hat is unrelenting in our commitment to open source and in participating to make upstream projects successful. We believe security is an essential part of healthy project communities,” said Chris Wright, CTO of Red Hat. “Now, more than ever, is the time for us to join together with other leaders to help ensure key projects are secure and consumable in our products, across enterprises, and as part of the hybrid cloud. We are excited to help found this Open Source Software Foundation.”

Additional Founding Member Quotes

ElevenPaths
“The security of an enterprise application or services depends mainly on the security of all its components. The vast majority of business applications and services are not fully developed in-house as they make use of open source components that help accelerate the development cycle and extend their functionality. Therefore, it is essential to ensure that all open source components comply with the best practices of secure development and periodic reviews are carried out to positively impact all software that makes use of these components. Joining the Open Source Security Foundation is fully aligned with our vision and principles.”

GitLab
“GitLab is excited to play a part in the creation of the Open Source Security Foundation (OpenSSF) to further cross-industry collaboration and move the security of open source projects forward as it is key to the future of technology,” said David DeSanto, director of product for Secure and Defend at GitLab. “Aligning with GitLab’s mission of ‘everyone can contribute,’ we look forward to supporting and contributing to the community to bring together security-conscious developers to change open source development in a collaborative and fundamental way.”

HackerOne
“Open source software powers HackerOne,” said Reed Loden, Head of Open Source Security, HackerOne. “It powers our software, our infrastructure, and our model for engaging with our community. As part of our mission to make the internet safer, we want to make it easier for open source projects to remain secure. For over three years, we’ve given the open source community our platform for free, and we’ve been long-time supporters of initiatives like Internet Bug Bounty. Joining the Linux Foundation and the Open Source Security Foundation allows us to continue on our mission and make the internet safer alongside some of the foremost visionaries in security. We look forward to seeing the change we can make together.”

Intel
“It takes the industry working together to advance technology and accelerate open source security initiatives. Hardware and software are inextricably linked to deliver security, transparency and trust in open source software. Together with the OpenSSF, Intel will continue to play a key role in mobilizing the industry at large and solving security challenges from the cloud to the edge,” said Anand Pashupathy, GM of System Security Software, Intel.

SAFECode
“Open source software is a major component in today’s software supply chain and thus comprises a significant fraction of the software that individuals and organizations rely upon. Supporting the secure development of open source software is of critical importance to SAFECode members and the software community,” said Steve Lipner, executive director of SAFECode. “We are looking forward to bringing our software security experience to bear as we participate in the Open Source Security Foundation’s mission to build a collaborative, cross-industry community to support the security of open source software.”

StackHawk
“The use of open source has undoubtedly reached critical mass, with ever increasing dependency trees and software complexity. Equipping engineering teams to deliver secure applications simply and scalably is core to our mission at StackHawk. We are excited to be one of the founding members of the Open Source Security Foundation to ensure that this can be a reality across software development as a whole and look forward to continued partnership with the community,” said StackHawk’s Founder & CEO, Joni Klippert.

Uber
“Security and Privacy is always top of mind at Uber to ensure we are responsible stewards of our user’s data. We’re always focused on mitigating all types of software vulnerabilities and as such the security of open source software is a top priority. Historically, we’ve worked with other industry leaders to help build a strong security community around open source software and we are excited to expand those efforts with the OpenSSF,” said Rob Fletcher, Sr Manager, Security Engineering.

VMware
“Strengthening the security posture, policies, and processes in the open source community and in widely used open source projects is strengthening the whole software ecosystem – for all players,” said Joshua Lock, security tech lead, Open Source Technology Center, VMware. “VMware strongly supports the goal of making our software ecosystem more resilient and more secure.”

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
reTHINKit Media
503-867-2304
jennifer@rethinkitmedia.com