By Amit Elazari Bar On, Chair of OpenSSF Public Policy Committee and Brian Behlendorf, GM of OpenSSF
Throughout 2022, the Linux Foundation and OpenSSF in particular have been at the heart of a number of important conversations concerning the open source software (OSS) community and sustainability of the ecosystem. A large part of our global engagement efforts has been focused on collaborating with leaders in the public and private sectors to further the ecosystem’s understanding of open source software security. Specifically, the Linux Foundation and OpenSSF focused on three key priority areas:
- Improving security and reducing systemic risk in the OSS ecosystem,
- Closing talent shortages through improved training and educational initiatives, and,
- Imparting the value of openness and the importance of the community.
Security and systemic risk
Log4shell, a software vulnerability that occurred in a widespread open source software component, was identified at the tail end of 2021. In response, many participants of the open source ecosystem, including the Linux Foundation and Open Source Security Foundation (OpenSSF), have been active in informing the public about the security imperatives and systemic risks associated with all software, including open source software.
In January 2022, OpenSSF participated in a White House meeting on software security convening the open source developer community in order to address software supply chain security challenges more broadly. Soon afterwards, OpenSSF launched the Alpha-Omega project, an initiative to improve the security posture of OSS through direct engagement of software security experts and automated security testing. In a hearing conducted in February by the United States Senate Homeland Security and Government Affairs Committee (HSGAC) on Log4shell, David Nalley from the Apache Software Foundation, and members of the Committee, emphasized the importance of investing in OSS supply chain security.
In April, OpenSSF responded to a NIST Request For Information on evaluating and improving cybersecurity resources to provide our recommendations on defining the National Initiative for Improving Cybersecurity in Supply Chains (NIICS). Our submission highlighted the importance of software lifecycle management, diversity of open source participants, and a need for embracing a holistic approach to security.
Brian Behlendorf, OpenSSF General Manager, testified in a May hearing conducted by the United States House of Representatives Committee on Science, Space, and Technology, where he highlighted specific areas where the Federal government could collaborate with industry to improve OSS security as a whole. Later in May, the Linux Foundation and OpenSSF convened the Open Source Software Security Summit II, an effort with over 90 executives from 37 companies and government leaders to reach a consensus on key actions needed to secure the ecosystem. We delivered the Open Source Software Security Mobilization Plan, which outlines industry efforts to advance well-vetted solutions to major security problems in the OSS ecosystem, including securing OSS production (e.g. training, scorecards, signing artifacts), improving vulnerability discovery and remediation (e.g. audits, research, tooling), and shortening ecosystem patching response time (e.g. SBOM enablement, package management).
In June, the Linux Foundation collaborated with Snyk to release a report on Addressing Cybersecurity Challenges in Open Source Software, which gives an overview of security concerns in the OSS ecosystem and how successful companies have been at handling OSS risks. The Foundation also provided input into the findings and recommendations outlined in the Cyber Safety Review Board’s report on Log4shell. In September, OpenSSF reviewed and summarized legislation introduced in the Senate, titled ‘Securing Open Source Software Act of 2022’, in a blog post.
Additionally, in collaboration with the Laboratory of Innovation Science at Harvard, LF Research published the Census II report, which identifies the usage of free and open source software across production applications at thousands of companies.
Closing talent shortages
In June 2022, Jim Zemlin, Executive Director of the Linux Foundation, participated along with government and private-sector leaders in the White House Cyber Workforce and Education Summit. He emphasized approaches on how to develop cybersecurity education that benefits the OSS ecosystem, including the Linux Foundation’s free offering of Secure Software Development Fundamentals Courses.
LF Research has published a number of reports describing different use cases and the benefits of open source software. This includes a report on Open Source Program Offices (OSPOs), including the responsibilities of such offices, how enterprises structure them, and common challenges that they face. LF Research also published a guide on how enterprises can most effectively use open source software, including establishing an open source strategy and accelerating implementation efforts.
At DEF CON 30 in August, DEF CON Policy Village hosted a moderated panel on Return-Oriented Policy Making for Open Source and Software Security, which explored how to leverage policy mechanisms under existing regulatory approaches and authorities to improve open source and software security. OpenSSF members participated in the roundtable, which also included members of the government who are engaged in developing and implementing policies.
Value of openness and importance of the community
Throughout our engagement efforts, we have emphasized the value of openness and OSS. Using OSS has many benefits, including allowing organizations to be more flexible and innovative. Any efforts to address OSS security and sustainability should also keep in mind the entire ecosystem, including closed source software. When taking steps to improve OSS supply chain security, we must ensure our efforts address the entire software supply chain in order to deliver maximum impact. Moreover, any actions taken to secure OSS should consider potential disincentivization or harm that may hinder the open innovation and collaboration OSS enables.
We also recognize the importance of bringing the community together. Later in the year, we hosted OpenSSF Days at the OSS Summit North America, OSS Summit Europe, and OSS Summit Japan, all events that helped publicize a variety of issues relevant to open source software communities. We also hosted an Open Source Software Security Summit Japan in Tokyo and Open Source Security and Community Curation Event with OpenUK in London.
2022 has been a critical year for advancing efforts to engage with the broader community about open source software and the need to come together to steward the implementation of security best practices that take into account the unique challenges of open source. As we approach 2023, we need to continue and advance this work and build upon it. Consider getting involved to help shape this strategy and secure open source supply chains and software more broadly, for the future of open source!