By Jamie Thomas, Chair of the OpenSSF Governing Board
Like the open source ecosystem itself, the OpenSSF has grown and evolved during a very busy 2023. It’s no longer debatable: everyone depends on open source software today. Surveys from the largest open software repositories show that open source software underpins almost everything in modern software supply chains.
Throughout 2023, despite broader challenges in the technology ecosystem, the OpenSSF has achieved significant milestones, increased awareness, and built momentum while improving the overall security of the open source software ecosystem. At the heart of our efforts, we always strive to keep the open source software developer in mind. We need to support them and find innovative ways to make incorporating security into their workflows easier.
It takes clarity of thought, appropriate levels of resources, and determination to move the needle in this space. We all need to do our part, and I want to especially thank each member of the Open Source Security Foundation for their investment of people, brand support, and financial resources they generously contributed during 2023.
Permit me to share with you a few of the 2023 highlights.
- Software Security Education and Security Guidelines: As of August 2023, over 20,000 developers enrolled in OpenSSF courses on the fundamentals of developing secure software, and our community has collaborated to create a wide variety of guides for developers, consumers, and the security community to help improve best practices in support of more secure software development.
- Improved Open Source Software Evaluation and Infrastructure: We simplified obtaining security information about open source software packages so that consumers and maintainers can more efficiently assess Open Source Software (OSS) security. Here are three examples:
  - OpenSSF Scorecard – Automatically assesses OSS projects against various software security criteria. A score is produced that helps OSS consumers estimate the security of the OSS and helps maintainers by giving them a goal to improve their score. Recent improvements include support for GitLab in addition to GitHub.
  - Supply-chain Levels for Software Artifacts (SLSA) – SLSA is a framework to prevent tampering, improve integrity, and secure packages and infrastructure. SLSA version 1.0 was released in April of this year, focusing on protecting software build processes.
  - Sigstore – Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empower software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more.
- Additional accomplishment areas include improving software repository security, enhanced vulnerability finding and reporting, funding security audits, and open source security research.
We also held a very successful follow-up meeting with representatives from key government agencies this past September in Washington, D.C. US officials from the National Security Council (NSC), the Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA), among others, were there with private industry leaders to compare perspectives and review progress made since we last met.
It was very encouraging to hear new consensus that open source software is an invaluable digital public good that is consumed by both the private and public sectors. We also agreed that those who benefit from it need to actively support the open source ecosystem directly and/or obtain their open source software from others that do. We continue to engage with other major governmental agencies around the world to help them understand these common concerns while being sensitive to their unique perspectives.
As we look to 2024, the opportunities and challenges of Artificial Intelligence (AI), Machine Learning (ML), and the role of open source are becoming front and center. This is another area in which cross-community collaboration will be key. I am especially encouraged by the commitment of OpenSSF members to work with the Linux Foundation sister organization LF AI & Data to bring together Subject Matter Experts (SMEs) to share knowledge and provide a more secure future. This is another area where broad collaboration with the private and public sectors will be critical.
On a personal note, I want to share that this will conclude my second year as Governing Board Chair. I’d like to thank Brian Behlendorf, who served as the General Manager of the OpenSSF for its formative years, and welcome once again Omkhar Arasaratnam as the General Manager who stepped up mid-year to take this initiative to the next level. It has been my honor to serve as Chair of the Governing Board of the OpenSSF over these past two years, and I look forward to even greater accomplishments in 2024. If you are not yet a member, please join us.
Jamie Thomas, Chair of the OpenSSF Governing Board and GM, Technology Lifecycle Services, and IBM Enterprise Security Executive
About the Author
Jamie Thomas has a history of setting innovation agendas that provide business solutions to clients worldwide. She has extensive organizational experience with R&D and client support transformation. She currently serves as General Manager, IBM Technology Lifecycle Services and IBM Enterprise Security.
In this role, Jamie oversees IBM Technology Lifecycle Services, including the delivery of client support and services, providing clients with predictive, preventative, and technical support solutions focused on IBM Logo as well as multi-vendor infrastructure support. Jamie’s team partners with leading technology providers worldwide to provide exceptional compute, storage, and networking capability. She serves all of IBM as leader of the IBM Enterprise Security team, which protects IBM and IBM’s clients in an ever-changing and challenging cybersecurity environment by driving security and privacy by design into all of IBM’s offerings and providing industry regulatory and compliance leadership. Jamie serves as the board chair for the Open Source Security Foundation (OpenSSF), focused on addressing hardware and software open source supply chain security.