The open source software (OSS) community is ever-changing, and the security of OSS rapidly evolves in parallel. This requires OpenSSF to regularly re-evaluate our focus and approach to intentionally improve OSS security. Today the Open Source Security Foundation (OpenSSF) releases an updated Mission, Vision, Values and Strategy (MVS) for the foundation as approved by the Governing Board on November 9, 2023.
The MVS is a technique used by many within the industry to help focus and coalesce work by laying out clear objectives that define our collective “why”. The north star statement in the Vision inspires our daily work, with actionable steps we plan to take to execute on our strategy. The strategy maps how we plan to achieve the mission and vision.
The MVS is a guiding light that spans across the OpenSSF and represents the high-level scope that drives the Technical Advisory Council’s (TAC) Technical Vision. The TAC then provides focus and guidance to Technical Initiatives (TIs), which are composed of our Working Groups (WGs), Projects, and Special Interest Groups (SIGs).
You can find the MVS on the OpenSSF About Page of our website.
OpenSSF MVS: a Deep Dive
Let’s dive in deeper and look at the MVS’ statements:
The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration, establishing best practices, and developing innovative solutions.
Open source is a team sport in which we all have a role. Through our tools, guidelines, specifications, and collective community contributions, we aim to help uplift the security quality of OSS by helping it be securely created, distributed, and consumed. Solutions should have a sustainable impact and be updated as OSS evolves in the future.
OSS is a digital public good and as an industry, we have an obligation to address the security concerns with the community. We envision a future where OSS is universally trusted, secure, and reliable. This collaborative vision enables individuals and organizations in a global ecosystem to confidently leverage the benefits and meaningfully contribute back to the OSS community.
Open Source benefits everyone, and we are doing our part to help it be developed more securely, so that it is more resilient to future threats, vulnerabilities, and weaknesses. This shared vision paints a picture of how open source software can be viewed and augmented based on our collaboration with developers, consumers, and other interested stakeholders.
The OpenSSF serves as a trusted partner to affiliated open source foundations and projects and provides valuable guidance and artifacts, like the top ten Secure Software Development Guiding Principles, to those projects and foundations that encourage security by design and security by default. OpenSSF initiatives should make security easier for open source maintainers and contributors. Consumers of OSS can leverage the output of the OpenSSF to have clear, consistent, and trusted signals to better understand the security profile of OSS content.
The OpenSSF is committed to encouraging all interested stakeholders to participate in the foundation and its technical initiatives (TIs). The OpenSSF is viewed as an influential advocate for mutually-beneficial external efforts and an educator of policy decision makers.
More than just advocacy to Diversity, Equity, and Inclusion (DEI) groups, the OpenSSF remains committed to directly facilitating an environment for all perspectives, all backgrounds, and equitable opportunities for global mentorship and education. The OpenSSF remains committed to continuously evolving these efforts to bring more inclusive and diverse software security education, ensuring stakeholders share opportunities to engage in and receive value from OpenSSF TIs.
The foundation’s work will be made publicly available.
While typically not part of a traditional MVS document, our community felt very strongly about including value statements about what we believe, what we support, and how we act. We believe that following secure development guiding principles and producing and consuming software responsibly is foundational to moving security forward for everyone. We operate in a neutral space where all thoughts, opinions, and ideas are valued equally to collectively secure and improve our ecosystem. We maintain that diversity in thought and backgrounds is the best path to ensure the most robust and positive outcomes for our community. We also pledge that every piece of our work is fully open, viewable, and usable by the public, for the public good.
These are the approaches the OpenSSF plans to take to help us meet the Mission and achieve the Vision described above.
The OpenSSF strategy is outlined across five key areas:
- Education and targeted communication: Develop and promote best practices, guidelines, and educational resources to enhance open source software security awareness and expertise within the ecosystem. OpenSSF advocates with targeted personas (including maintainers, contributors, and consumers) in the OSS ecosystem to improve their default security posture and catalyzes efforts to reduce or eliminate friction in achieving that state.
Education and stakeholder engagement are a key way to transfer knowledge and functionality to participants and contributors within the open source software ecosystem. It is important to ensure the output of OpenSSF Technical Initiatives (TIs) is shared in a meaningful way with developers and consumers of OSS. The goal is for the broader OSS ecosystem to have access to tools and information that both help developers produce more secure software and provide signals downstream to the consumers that leverage those components.
- Facilitate collaboration: Foster a culture of collaboration and inclusion among OSS communities, security experts, and industry stakeholders to sustainably address open source software security challenges effectively with transparent operations and governance.
Securing OSS is a collaborative process. Convening experts from many disciplines and backgrounds is a key capability of the OpenSSF. Harnessing the collective energy and engagement from across industries, end users, governments, academia, and researchers effectively promotes the advancement of secure OSS.
- Sustainable technical innovation and enhanced delivery: Support tooling and process enhancements to existing security capabilities. Deliver new security capabilities to open source ecosystems, such as vulnerability detection, incident response, secure coding practices, and actionable standards.
This is where the technical work occurs. Individuals and members collaborate to develop tools, projects, and recommendations that would be very difficult for any one individual or member to create on their own. The OSS ecosystem has started to benefit from work in TIs, including “turning dollars into security” with the Alpha-Omega project, digitally signing code with Sigstore, and evaluating OSS for security metrics with Scorecard. Additionally, some Working Groups (WGs) focus on specific support for secure OSS that benefits developers and consumers. All OpenSSF TIs must be completed in an operationally and financially sustainable manner to ensure ongoing delivery. One example of sustainable operations is how participants learn that they can begin to participate in existing TIs, or bring new TIs to the OpenSSF. The path to maturing and sustaining TIs that support OSS security is an important part of the strategy to create and maintain relevant OSS security outcomes across the ecosystem.
- Advocacy and policy: Advocate for policies and practices that promote OSS security, working with governments, industry bodies, and other relevant organizations.
The prevalence of OSS creates a web of security issues, where one OSS package can create a ripple effect of incidents throughout the software supply chain. The rapid adoption of OSS across a wide variety of industries has, therefore, become a key topic of interest for governments around the globe who seek to secure OSS and protect their citizens. OpenSSF participates in government-focused forums as a trusted advisor, subject matter expert, and advocate for the security of open source ecosystems to help educate and foster collaboration with policymakers.
- Community engagement: Actively engage with OSS communities through events, conferences, workshops, and online platforms to foster dialogue, collaboration, and knowledge exchange.
First and foremost, OSS has always been about community. There are several pathways for community engagement. One is engagement with the OSS developers we serve. OpenSSF seeks to continue to widen the awareness and adoption of Technical Initiative (TI) outcomes across the developer community. Another is our internal individual and membership participants in TIs. OpenSSF is always working to improve collaboration and connections between the teammates that show up daily to improve OSS security. Another community engagement pathway is with peer foundations in the OSS ecosystem, which can both share security challenges from their ecosystems for OpenSSF to explore how to address and apply TI outcomes across their communities. Yet another community engagement pathway is with the consumers of OSS working to improve OSS security in their respective security workflows and decisions. As members of and participants in these communities, we seek to help make and deepen connections across the various community ecosystems by bringing the best minds and ideas together to improve OSS security across OSS communities and ecosystems.
We welcome everyone to review the MVS, provide feedback in Slack, and even be inspired to contribute alongside all of our passionate and talented members! Please engage, provide feedback, and contribute. Remember that patches are ALWAYS welcome!