By Ashwin Ramaswami
The Open Source Security Foundation (OpenSSF)’s mission is to strengthen the open source software ecosystem through a collaborative initiative across industry. But did you know about the other initiatives focusing on strengthening open source security, happening across the Linux Foundation? In fact, one of the top priorities at the Linux Foundation is to enhance the security of the open source software ecosystem. The LF has a variety of projects and programs that help to advance this goal of increased cybersecurity for all.
In addition to the Open Source Security Foundation (OpenSSF), the Linux Foundation hosts a wide variety of efforts to address open source security. Achieving a secure open source software ecosystem requires a multi-pronged effort, whether through industry collaboration and funding, standards development, or initiatives across all levels of the stack.
To learn more about these initiatives, check out the LF’s new information gateway called LF Security. LF Security is a digital hub on the Linux Foundation’s website that brings together, in one place, all the LF resources and projects that accelerate open source software security.
You can visit LF Security at this link: https://www.linuxfoundation.org/lf-security. You can also learn more about LF Security by reading the announcement on the Linux Foundation blog.
Featured Projects
Here are some of the projects featured on LF Security:
- Post-Quantum Cryptography Alliance is a group developing cryptographic solutions resistant to quantum attacks.
- LF Events provides meetups for open source developers that often focus on security, such as CloudNativeSecurityCon and SOSS.
- OpenChain, which develops programs and industry standards to build a trusted software supply chain.
- SPDX, which concerns an open standard for Software Bills of Materials.
Other projects also include the Confidential Computing Consortium, which focuses on the adoption of Trusted Execution Environment (TEE) technologies and standards, and the Cloud Native Computing Foundation, which provides security research and support for cloud native projects.
Research and Education
The LF also hosts various initiatives around research and education. Linux Foundation Research publishes empirical insights and research around open source software security trends across industries. Most recently, LF Research has helped publish:
- A report on maintainer perspectives on open source security.
- In collaboration with Harvard Laboratory for Innovation Science (LISH), the Census II of Free and Open Source Software.
- In collaboration with Snyk, a joint research report on progress and the current state of open source software security.
Linux Foundation Training & Certification helps teach security skills to learners around the world to ensure we have a more security-informed and focused workforce. In addition to OpenSSF-developed courses such as the Developing Secure Software training course, certifications and training include certifications around Kubernetes cloud security and courses on DevSecOps and Cloud Native Fuzzing.
Other Resources
The webpage includes an issue alert with advice on how to avoid social engineering takeovers of open source projects, such as the recent attempted XZ Utils backdoor. This alert from the Open Source Security (OpenSSF) and OpenJS Foundations is aimed to help developers recognize early threat patterns and take steps to protect their open source projects.
And vulnerability disclosures aren’t just limited to OpenSSF’s own working group on the topic. LF Security includes resources and guidance on the process for how to report vulnerabilities to LF projects and foundations, or vulnerabilities related to LF infrastructure or the website. Having a clear vulnerability disclosure process is important in order to ensure the security of projects hosted under the Linux Foundation.
How to Contribute
This list of resources is not exhaustive, and still growing. The goal of LF security is to provide resources around open source security for all, and LF Security is always looking for additional resources and projects to feature that further highlight the important security work done throughout our projects or communities. If you want to contribute, propose a project, or share additional ideas, please get in touch!
Check out LF Security at this link: https://www.linuxfoundation.org/lf-securityÂ
About the Author:
Ashwin Ramaswami is a writer with the Linux Foundation. He is also an open source maintainer, web developer, and policy researcher. He previously worked on open source software security initiatives at Schmidt Futures and election security at the Cybersecurity and Infrastructure Security Agency. He holds a B.S. in Computer Science from Stanford University and a J.D. degree at Georgetown Law.