By Amir Montazery (OSTIF), Jeff Mendoza (Kusari), and David Edelsohn (IBM)
This month’s spotlight focuses on the OpenSSF Securing Critical Projects Working Group, which aims to provide a platform for advocates to identify critical projects and take proactive steps in securing those projects. Learn more about what we’ve been working on and how you can help out!
Securing Critical Projects Working Group
The Securing Critical Projects WG aims to solve the problem of insecure (and often unknown) critical projects. First, we focus on helping identify which projects are critical, which will allow discovery of projects that can benefit from additional security focus. We’ve been working on curating a set of identified open source projects that are critical in the open source ecosystem. This will help individuals, organizations, and foundations who want to help support critical open source projects. We also host tools that can be used as inputs in evaluating a project’s criticality as well as tools that are used to help secure those projects.
Highlights of the Past Few Months
Recently, we completed the latest iteration of our set of critical open source projects; the list can be found at this link. Compiling this involved analysis, research, and discussion within the working group. We used various sources of data and tools to rank packages, such as criticality_score, data from the Census II program, and results from the OSTIF Managed Audit program.
We are also beginning to develop a system for curating, ingesting, and maintaining the set of critical open source projects. The intention is to develop a system where the set of projects can continually be curated and updated in a way that is more automated and will require less upkeep from the working group.
Finally, we are collaborating with others in the working group and the OpenSSF community on completing strategic documents, like the OpenSSF Mission, Vision, Strategy, and Roadmap document (MVSR).
New and Upcoming Initiatives
Package Analysis is working on improving static analysis of the packages being analyzed, whose results will soon be ingested into a BigQuery database for exploration, with an initial focus on finding obfuscated packages published on NPM. The Package Feeds project, which notifies Package Analysis of package updates to analyze, has received many improvements to its reliability and accuracy as well.
We’d love to get more engagement and involvement from OpenSSF and the greater community in identifying critical open source projects and curating the set we already have. We understand there are many ways to conceptualize which projects are critical or the most important, and we welcome additional perspectives on how we can understand this. Finally, we are exploring use cases of the set of critical projects within the OpenSSF and greater open source community, so that we can better understand their prevalence and the impact of supporting these critical projects.
To get involved, consider attending a WG meeting – you can find more information on our meeting times on GitHub. We also have APAC-friendly meetings. Additionally, you can join our public email list or find us at #wg_securing_critical_projects on the OpenSSF Slack. We look forward to working with you!
About the Authors
Amir Montazery is the Managing Director and Cofounder of Open Source Technology Improvement Fund, Inc (OSTIF). OSTIF is a Chicago-based organization focused on directly helping open-source software projects improve their security posture. Amir comes from a background in Finance, IT and Internal Auditing, applying years of experience to help develop OSTIF’s processes and partnerships. Furthermore, Amir is responsible for negotiating and organizing over 10,000 hours of security-focused work for organizations like Google and Amazon Web Services along with groups like Mozilla Foundation and Open Source Security Foundation (OpenSSF).
Jeff Mendoza is co-chair of the Securing Critical Projects Working Group, leader of the OpenSSF Allstar project, a maintainer of the GUAC project and a software engineer at Kusari. Jeff has over 20 years of software engineering experience with a focus on Open Source, Cloud Native, and Supply Chain Security. Jeff has worked in Open Source Programs Offices and Open Source Security teams at Microsoft and Google. He is a long-time enthusiast of Free and Open Source Software and also enjoys cycling in his free time.
David Edelsohn has been at the forefront of Open Source Software and Linux by establishing and expanding the global GNU Toolchain ecosystem and the Linux on IBM Power software ecosystem, and by enhancing the machine learning software ecosystem on IBM Power and IBMz. David is a member of the IBM Academy of Technology and has a Ph.D. in computational physics.