By Michael Scovetta (Microsoft) and Michael Winser (Google)
Alpha-Omega is an OpenSSF project, established in February 2022, with a mission to protect society by improving the security of open source software through direct maintainer engagement and expert analysis. We are working toward a world where critical open source projects are secure and where security vulnerabilities are found and fixed quickly. During our first year, we helped fund important security work for some of the most important open source projects and have begun to see the impact of that work.
We’re happy to share our first annual report, which describes what we’ve accomplished, what we’ve learned, and the impact we hope to have in 2023.
We’ve provided funding to improve security in five critical open source projects: Node.js, the Eclipse Foundation, the Rust Foundation, jQuery, and the Python Software Foundation. Some of these engagements started only recently, but we’ve already seen tremendous progress from the Node.js and Eclipse teams:
- The Node Security Working Group was reactivated and has started to create a threat model for Node.js. The team has been working on an experimental permissions model for Node modules and is adding automated vulnerability checks to the Node.js continuous integration infrastructure. Finally, it has triaged over 20 vulnerability reports and issued multiple fixes, which directly improved the security of the Node.js runtime. Read more about Node.js’ progress.
- The Eclipse team ran Scorecards against all Eclipse Foundation projects, analyzed the results, and created a prioritized list of activities that they’ll focus on to achieve the best and broadest impact, which include hardening the build infrastructure and enabling security tools. Read more about Eclipse’s progress.
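The Eclipse approach above (run Scorecard over every project, then rank what to fix first) can be reduced to a small script. The following is an added illustration written for this page, not the Eclipse Foundation's or the Scorecard project's own tooling. It assumes one Scorecard JSON document per project in the `scorecard --repo=... --format=json` layout (a `repo.name` field and a `checks` list with `name` and `score`), scores the fleet-wide impact of each failing check as risk weight times the number of projects failing it, and treats a score of -1 (check could not run) as missing data rather than as a pass. The risk labels per check are copied from Scorecard's published check documentation and should be re-checked against the version you run, since the JSON output itself does not carry them; the three repositories and their scores are constructed sample data.

```python
"""Rank Scorecard findings across a portfolio of projects (added example).

Reads one Scorecard JSON document per project and asks: which check,
if fixed fleet-wide, buys the most risk reduction for the least effort?
"""
import json
from collections import defaultdict

# Risk level per check, as listed in Scorecard's checks documentation.
# Assumption: verify against the Scorecard version you run; the JSON
# output does not include these labels.
CHECK_RISK = {
    "Dangerous-Workflow": "Critical",
    "Binary-Artifacts": "High",
    "Token-Permissions": "High",
    "Pinned-Dependencies": "Medium",
    "SAST": "Medium",
}
RISK_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def _doc(repo, checks):
    """Build a minimal Scorecard-shaped JSON document (constructed sample data)."""
    return json.dumps({
        "repo": {"name": repo},
        "checks": [
            {"name": name, "score": score, "reason": "constructed sample"}
            for name, score in checks.items()
        ],
    })


# Constructed sample: three hypothetical repositories. A score of -1 means
# Scorecard could not evaluate the check (e.g. API limits), not a failure.
SAMPLE_RESULTS = [
    _doc("github.com/example/alpha", {
        "Dangerous-Workflow": 10, "Token-Permissions": 0,
        "Pinned-Dependencies": 2, "Binary-Artifacts": 10, "SAST": 0,
    }),
    _doc("github.com/example/beta", {
        "Dangerous-Workflow": 0, "Token-Permissions": 0,
        "Pinned-Dependencies": 10, "Binary-Artifacts": 10, "SAST": 0,
    }),
    _doc("github.com/example/gamma", {
        "Dangerous-Workflow": 10, "Token-Permissions": 3,
        "Pinned-Dependencies": 4, "Binary-Artifacts": -1, "SAST": 10,
    }),
]


def parse_results(raw_docs):
    """Parse Scorecard JSON documents into {repo: {check: score}}.

    Checks that could not run (score < 0 or missing) are dropped so they
    are neither counted as passes nor as failures.
    """
    results = {}
    for raw in raw_docs:
        doc = json.loads(raw)
        scores = {}
        for check in doc.get("checks", []):
            score = check.get("score")
            if score is None or score < 0:
                continue
            scores[check["name"]] = score
        results[doc["repo"]["name"]] = scores
    return results


def prioritize(results, threshold=5):
    """Return [(check, impact, failing_repos)] sorted by descending impact.

    impact = risk weight of the check * number of repos scoring below
    threshold. Ties break on higher risk weight, then check name.
    """
    failing = defaultdict(list)
    for repo, scores in results.items():
        for check, score in scores.items():
            if score < threshold:
                failing[check].append(repo)

    def weight(check):
        return RISK_WEIGHT[CHECK_RISK.get(check, "Low")]

    plan = [(check, weight(check) * len(repos), sorted(repos))
            for check, repos in failing.items()]
    plan.sort(key=lambda item: (-item[1], -weight(item[0]), item[0]))
    return plan


if __name__ == "__main__":
    for check, impact, repos in prioritize(parse_results(SAMPLE_RESULTS)):
        print(f"{impact:>3}  {check:<20} {len(repos)} project(s): {', '.join(repos)}")
```

On the sample data, Token-Permissions ranks first (three projects failing a High-risk check), ahead of the single Critical Dangerous-Workflow failure; Binary-Artifacts never appears because the only non-passing result was an unevaluated check. Feeding real output in is a matter of replacing `SAMPLE_RESULTS` with the contents of the JSON files Scorecard wrote for each repository.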
Through Omega, we use a combination of tools and expert analysis to identify security vulnerabilities across the 10,000 most-critical open source projects. Highlights from our Annual Report related to Omega include:
- We recently welcomed our first full-time employee, Yesenia Yser, who will help us accelerate our progress.
- We released an open-source analysis toolchain designed to scan open source packages, and used this toolchain to identify eleven vulnerabilities in critical open source projects.
- We released experimental tools, including a system call tracer, and made progress on a triage portal intended to make security research and reporting more efficient.
- We experimented with generating fully-automated security reviews, based exclusively on tooling, and are applying those lessons to generate consumable assertions describing the security state of a project.
New Funding Announcements
We’re thrilled to announce that we’ve reached an agreement with Amazon Web Services (AWS) to provide $2.5 million in funding to Alpha-Omega. This pledge represents a commitment to an industry-wide collaboration to improve global software supply chain security. In addition, we’re exploring a potential partnership with the Financial Services Information Sharing and Analysis Center (FS-ISAC).
“The additional support from AWS for the Alpha-Omega Project will allow us to continue to scale our reach to work alongside maintainers of the critical open source projects to fix security vulnerabilities and apply automated security analysis to widely deployed OSS.”
Brian Behlendorf, General Manager, OpenSSF
“Open source software security is a shared responsibility. Through our contribution, we’re helping to fund the important work that Alpha Omega is doing across a broad range of open source communities. By combining efforts with others to find and fix vulnerabilities in critical open source projects, everyone who uses and builds on open source can also share in the benefits of a more secure software supply chain.”
David Nalley, Head of Open Source Strategy and Marketing, Amazon Web Services
How to Get Involved
Alpha-Omega values experimentation. Since the best way to address security risk within the open source community isn’t always clear, we’ll make investments, learn what works and what doesn’t, and refine our approach over time. We welcome community input on the methodologies we use to select projects and the types of activities that may have the greatest impact. We welcome active community participation through a few different forums:
- We hold public meetings once a month and maintain a Slack channel where everyone is welcome to participate.
- The tools created as part of Alpha-Omega are all open source and available for both end-users and contributors.
- All OpenSSF working groups are open to anyone; getting involved there remains the best way to improve the security of the open source ecosystem.
In addition, we’re interested in collaborating with individuals and organizations that share our vision and can help us achieve our mission. Specifically, we’re interested in these key areas:
- Funding: If you represent an organization able to provide funding to the Alpha-Omega project, please contact us.
- Commercial Tooling: If you represent a security tool or vendor that can perform leading-edge security analysis of open source projects, please contact us.
- Critical Projects: If you represent a critical open source project, believe you would benefit through a security investment, and have a plan for how you would leverage those funds, please contact us.
We look forward to an amazing 2023, “turning money into security”.