By Jonathan Meadows and Jacques Chester
This month’s spotlight focuses on the OpenSSF End Users Working Group, which aims to ensure that the distinct and impactful voice of end users is heard in the development and delivery of the technical vision of The Open Source Security Foundation (OpenSSF). It represents the interests of public and private sector organizations that primarily consume open source rather than produce it.
The End User Working Group objectives are to:
- Represent the interests of public and private sector organizations that primarily consume open source.
- Ensure the use cases for end user consumption of Open Source software are factored into OpenSSF programs.
- Provide resources to develop and implement efficient strategies, processes, tools, and best practices that secure software supply chains.
- Educate other consumers on the risks associated with supply chain security.
Highlights of the Past Few Months
The End Users Working Group has been working hard on developing a generic threat model for end user Open Source Software (OSS) consumers. By leveraging the threat model and data showing known attacks, we can see where an end user could focus to secure their supply chain. Additionally, ecosystem-wide it allows us to identify where the many great frameworks such as SLSA or S2C2F fit in or if there are any gaps in the capabilities available. Threat modeling will then lead to a prioritization of where to focus and any gaps that need to be addressed. We’ve also taken time to help other working groups with related efforts that affect end users, such as the SCM Guide by our friends in the Best Practices WG.
We also championed and released the Open Source Consumption Manifesto. This document is a call to arms for all end users and consumers of OSS to take a more active role in deciding how they use OSS and how to keep themselves secure. The Open Source Consumption Manifesto seeks to:
- Prioritize secure consumption of open source components
- Be aware and considerate of the developer experience
- Build upon iterative policy-based foundations and best practices
New and Upcoming Initiatives
A critical goal is to grow representation and involvement by end users in the OpenSSF. End user organizations have distinct perspectives, pressures and priorities that need to be part of the overall mix. We have been continuously canvassing contacts in other firms and industries and hope to continue growing the working group in 2024.
Get Involved
The best way to get involved is to join our regular meetings, which can be found in the OpenSSF calendar. We discuss a wide variety of topics. Please work with us to identify threats and provide guidance on ingestion of open source software from an end user’s perspective. Let us together raise awareness of these issues and provide detailed guidance on how to mitigate threats with the open source supply chain to make it secure.
About the Authors
Jonathan Meadows (Citi) and Jacques Chester (independent) are co-leads of the End Users Working Group. They are both passionate about end user representation and issues.