By Brian Behlendorf, OpenSSF
2022 has been a big year for the Open Source Security Foundation (OpenSSF). As a cross-industry collaboration that brings leaders and member organizations together to improve upon open source software security, we have spent this year successfully building upon our existing initiatives and created a foundation for the future. In that vein, we are pleased to announce the publication of our first-ever annual report.
A thriving, diverse, nonstop community
The OpenSSF is a thriving, diverse, nonstop community. Across more than 30 different active software projects and other technical initiatives, we’ve been able to have the kind of reach and impact we need to put a dent in the global software security challenges we all know are only getting more intense and more costly.
This is the year that countries woke up to the need to consider, incorporate, and invest into the security of open source software, as a part of ensuring the reliability of critical infrastructure. This community is rising to meet that awareness with the kind of rough consensus and running code required to make these efforts truly cross-industry.
Over the course of 2022, OpenSSF membership grew to over one hundred organizations of all kinds. More than six hundred different individuals contributed to our technical initiatives.
The OpenSSF annual report brings you messages from the Chairs of the Governing Board (GB) and Technical Council Advisory Council (TAC), top highlights of 2022, updates from Working Groups (WGs) and Projects, a review the Open Source Software (OSS) Security Mobilization Plan we released at the the OSS Summit II in a meeting with the US White House, and a discussion about the impact the OpenSSF has had throughout the course of the year. Though we are a relatively young organization and just launched in 2020, over the course of 2022 we have formed and strengthened multiple partnerships, projects, and events to further the state of open source software security.
A few 2022 highlights
- Sigstore Reaches General Availability: In October 2022, Sigstore reached general availability at its first ever namesake event, SigstoreCon North America. Sigstore, which facilitates signing, verifying, and protecting software, has continued to see massive contributions and adoption, improving the integrity of the software supply chain and reducing the friction developers face around security. In June 2022, a new course on Sigstore was released, Securing Your Software Supply Chain with Sigstore.
- Launch of the Alpha-Omega Project: In February 2022, OpenSSF launched the Alpha-Omega Project, an effort to improve the security posture of open source software, with an initial investment of $5 million. In 2022, Alpha-Omega issued a cumulative total of over $2 million in grants to projects including Node.js, jQuery, the Eclipse Foundation, the Python Software Foundation, and the Rust Foundation.
- Security Training: The Best Practices for Open Source Developers WG increased awareness and education of security best practices through improvements and updates to its free training course: Developing Secure Software. This included making the course available for integration into organization Learning Management Systems (LMSs), as well as a translation into Japanese. The working group also released Concise Guides on Developing More Secure Software and Evaluating Open Source Software and provided an npm Best Practices Guide for those using the popular npm package manager.
- OSS Security Mobilization Plan: Following two US White House convenings bringing together open source developers, companies, and federal policymakers around securing open source software, the OpenSSF released the Open Source Software Security Mobilization Plan and announced $30 million in pledges to improve the resiliency and security of the OSS ecosystem. The Mobilization Plan outlines ten streams of investment to rapidly advance well-vetted solutions to make immediate improvements to OSS security worldwide. Throughout 2022, the OpenSSF community has acted on the Mobilization Plan and will continue to do so into 2023 and beyond.
- Policy: In May 2022, OpenSSF GM Brian Behlendorf testified to the U.S. House of Representatives Committee on Science, Space, and Technology about the work being done within the OpenSSF and broader OSS community to improve the security and trustworthiness of open source software. In June 2022, Jim Zemlin, Executive Director of the Linux Foundation, participated along with government and private-sector leaders in the White House Cyber Workforce and Education Summit, where he discussed approaches on how to develop cybersecurity education that benefits the OSS ecosystem. In December 2022, David A. Wheeler, Director of Open Source Supply Chain Security, was a panelist in a workshop on trustworthy and secure OSS organized by the European Commission.
- Convening OpenSSF Days: We hosted OpenSSF Days in Austin, Dublin, and Yokohama at Open Source Summits North America, Europe, and Japan, as well as a separate OpenSSF Summit China in Shenzhen. These brought together the global open source community to discuss the challenges, big-picture solutions, ongoing work, and successes in securing the OSS supply chain.
- MFA Security Efforts: The OpenSSF Technical Advisory Council publicly supported various efforts to increase the use of MFA in various organizations. The Best Practices Working Group (WG) coordinated the distribution of hundreds of codes for free MFA tokens to developers of the 100 most critical open source projects in 2021–2022 in what was known as the “Great MFA Distribution.”
For many more highlights and achievements, read our annual report!
Looking ahead to 2023, we can use your help. Now that many of you are starting to use the OpenSSF’s work, please jump in as a contributor to the projects most relevant to you. Let’s work together to make measurable improvements in the open source tools, processes and best practices that will improve the security of all software. We’d love for you or your organization to get involved at the OpenSSF, whether through giving feedback, participating in our working groups, or helping with other initiatives. To join us, please check out some of the many ways to get involved.