By Brian Behlendorf, OpenSSF
On August 23rd, we at the OpenSSF and Linux Foundation Japan hosted the Open Source Security Summit Japan. We were joined by senior cybersecurity representatives from more than 20 leading Japanese firms, including Hitachi, Fujitsu, LINE, NEC, NTT Data, Toyota, Suzuki, Toshiba, SBI, and OpenSSF members Renesas, Cybertrust and Cybozu, along with senior representation from the Japanese Ministry of Economy, Trade and Industry (METI), AIST, IPA and JP-CERT. We convened to discuss open source software (OSS) security challenges, modern challenges to the global software supply chain, and how to accelerate improvements. The meeting follows on the heels of a similar summit the Linux Foundation and OpenSSF held in conjunction with the White House in the United States earlier this year and demonstrates a growing interest and priority for governments and industry around the world to concentrate and collaborate on OSS security.
Outcomes/Key Takeaways
The day began with an overview of the current global situation with a presentation by Jim Zemlin on the priority other governments are placing on open source software security and global coordination on this effort. Further emphasizing this point, he was followed by pre-recorded remarks specifically for this event from National Cyber Director Chris Inglis, head of cyber strategy at the US White House, emphasizing the White House’s commitment to collaboration with the open source community and global partners on this topic, and the urgency to address this today.
This was followed by a presentation by Masahiro Uemura, Deputy Director-General for Cybersecurity and Information Technology at the Ministry of Economy, Trade and Industry (METI), Government of Japan. Efforts to ensure software security are underway in Japan. METI has established a task force to study software management methods to ensure cyber-physical security. The task force is working to develop a collection of management practices for utilizing OSS and ensuring its security, and to conduct a demonstration project (PoC) to promote SBOM utilization, with an eye towards rapid roll-out across many sectors should the PoC succeed. Mr. Uemura also shared a deck describing METI’s proof-of-concept work and roadmap, and METI has allowed us to share a translated version of it. We were highly impressed by the depth of their work to date, and are eager to explore ways in which our SBOM efforts, particularly the “SBOM Everywhere” stream in the Mobilization Plan, can accelerate their efforts.
Throughout the event it was repeatedly emphasized: OSS security is a global challenge. Industries in Japan were affected just as severely by recent vulnerabilities as the rest of the world – perhaps more so due to the intense degree of digitalization of the Japanese economy and society – calling for an all-of-industry effort to respond.
After a welcoming video from OpenSSF Chairperson Jamie Thomas, I presented the details of the Open Source Software Security Mobilization Plan, which identifies 10 different initiatives that the OpenSSF community devised to substantially impact the security of OSS. We discussed how each stream of the plan could align with national policies and priorities for Japan, and how Japanese industry could participate in the further definition and implementation of the plan.
After lunch, we decided to drill down into one specific facet of the Plan: SBOMs. Takashi Ninjouji from Toshiba and Shane Coughlan from the Linux Foundation shared their work in Japan moving the automotive and electronics industries towards the OpenChain platform, which uses a subset of the SPDX standard to implement an SBOM sharing system. This system is in production today for security use cases, showing that Japanese companies can be leading-edge adopters of new technologies when they are fit for purpose. Many things have been learned from their deployment experience, and that has fed into further work with the core SPDX standards, which Kate Stewart of the SPDX initiative also appeared by video to discuss. We shared the investments that the OpenSSF community is making into core libraries for SPDX to modernize them for SPDX 2.3 and beyond, to encourage broader adoption in light of growing demand from customers and governments.
Finally, we heard from our OpenSSF members in Japan – Cybertrust, Cybozu, and Renesas – about the challenges and opportunities for better security in Open Source software in Japan.
There was substantial recognition among the participants that today’s software supply chain relies heavily on open source software for both underlying components and operation, and Japan is no different, especially given its early embrace of OSS by both industry and government. However, long-term strategies for mitigating the risk of security issues require long-term thinking and investment. The sentiment in the room appeared to support the view that the time is now for Japan’s businesses and government to begin to make those investments.
At the end of the day, Mr. Uemura of METI shared this perspective:
“As I participated in today’s conference, I learned a lot about the various efforts, including the standardization of the security of open source software and what direction the developers and the US government are taking to strengthen the security as a policy measure, and I think it was a very informative session.
As the important thing for the software security of METI, the task force will consider it with the cooperation of the industry and the power of the relevant ministries and agencies. How to proceed with the utilization of SBOM is a big issue here, but today I was able to exchange opinions with the Linux Foundation, OpenSSF, and other related parties, as well as Japanese participants. Taking advantage of the latest trends in future studies, we will continue to make efforts today that are better, more user-friendly, more efficient, more cost-effective, and as a result improve security.”
The OpenSSF stands ready to engage with the business and policy communities around the world to develop a security-centered approach to the use and development of the open source software that underpins modern global society. Let us know when and where we can help!
–Brian