Skip to main content
Category

Press Release

The Linux Foundation and Open Source Software Security Foundation (OpenSSF) Gather Industry and Government Leaders for Open Source Software Security Summit II

By Press Release

10-Point Open Source and Software Supply Chain Security Mobilization Plan Released with Initial Pledges Surpassing $30M 

WASHINGTON, DC – May 12, 2022 – The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB to reach a consensus on key actions to take to improve the resiliency and security of open source software. 

Open Source Software Security Summit II, is a follow-up to the first Summit held January 13, 2022 that was led by the White House’s National Security Council. Today’s meeting was convened by the Linux Foundation and OpenSSF on the one year after the anniversary of President Biden’s Executive Order on Improving the Nation’s Cybersecurity

The Linux Foundation and OpenSSF, with input provided from all sectors, delivered a first-of-its-kind plan to broadly address open source and software supply chain security. The Summit II plan outlines approximately $150M of funding over two years to rapidly advance well-vetted solutions to the ten major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future. 

A subset of participating organizations have come together to collectively pledge an initial tranche of funding towards implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMWare, pledging over $30M. As the plan evolves further more funding will be identified, and work will begin as individual streams are agreed upon.

This builds on the existing investments that the OpenSSF community members make into open source software. An informal poll of our stakeholders indicates they spend over $110M and employ nearly a hundred full-time equivalent employees focused on nothing but securing the open source software landscape. This plan adds to those investments.

KEY QUOTES

Jim Zemlin – Executive Director, Linux Foundation:  “On the one year anniversary of President Biden’s executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security and it is fundamental to billions of dollars being invested in software innovation today. We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself.  This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership.”

Brian Behlendorf – Executive Director, Open Source Security Foundation (OpenSSF):  “What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it.  The plan we have put together represents the 10 flags in the ground as the base for getting started.  We are eager to get further input and commitments that move us from plan to action.”

Anne Neurenberger, Deputy National Security Advisor, Cyber & Emerging Tech at National Security Council, The White House:

“President Biden signed the Executive Order on Cybersecurity last year to ensure the software our government relies on is secure and reliable, including software that runs our critical infrastructure.  Earlier this year, the White House convened a meeting between government and industry participants to improve the security of Open Source software.  The Open Source security foundation has followed up on the work at that meeting and convened participants from across industry to make substantial progress.  We are appreciative of all participants’ work on this important issue.”

Atlassian

Adrian Ludwig, Chief Trust Officer

“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be participating in OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. We’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.”

Cisco

Eric Wenger, Senior Director, Technology Policy, Cisco Systems

“Open source software (OSS) is a foundational part of our modern computing infrastructure. As one of the largest users of and contributors to OSS, Cisco makes significant investments in time and resources to improve the security of widely-used OSS projects. Today’s effort shows the stakeholder community’s shared commitment to making open-source development more secure in ways that are measurable and repeatable.”

Dell

Jim Medica, Technologist in Dell Technologies’ Office of the CTO:

“Never before has software security been a more critical part of the global supply chain. Today, in a meeting led by Anne Neuberger [linkedin.com], Deputy National Security Advisor for Cyber and Emerging Technology, Dell and my Open Source Security Foundation colleagues committed our software security expertise to execute the Open Source Software Security Mobilization Plan. Dell’s best and brightest engineers will engage with peers to develop risk-based metrics and scoring dashboards, digital signature methodologies for code signing, and Software Bill of Materials (SBoM) tools – all to address the grand challenge of open source software security. This is an excellent example of the leadership Dell provides to proactively impact software security and open-source security solutions, and reinforces our commitment to the open source software community, to our supply chain and to our national security.”

Ericsson

Per Beming, Head of Standard and Industry Initiatives

“Ericsson is one of the leading promoters and supporters of the open source ecosystem, accelerating the adoption and industry alignment in a number of key technology areas. The Open Source Security Foundation (OpenSSF) is an industry-wide initiative with the backing of the Linux Foundation with the objective of improving supply chain security in the open source ecosystem.

 “As a board member of OpenSSF, we are committed to open source security and we are fully supportive of the mobilization plan with the objective of improving supply chain security in the open source ecosystem. Being an advocate and adopter of global standards, the initiatives aim to strengthen open source security from a global perspective.”

GitHub

Mike Hanley, Chief Security Officer

“Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain. As home to 83M developers around the world, GitHub is uniquely positioned and committed to advance these efforts, and we’ve continued our investments to help developers and maintainers realize improved security outcomes through initiatives including 2FA enforcement on GitHub.com and npm, open sourcing the GitHub Advisory Database, financial enablement for developers through GitHub Sponsors, and free security training through the GitHub Security Lab

“The security of open source is critical to the security of all software. Summit II has been an important next step in bringing the private and public sector together again and we look forward to continuing our partnerships to make a significant impact on the future of software security.”

Google

Eric Brewer, VP of Infrastructure at Google Cloud & Google Fellow

“We’re thankful to the Linux Foundation and OpenSSF for convening the community today to discuss the open source software security challenges we’re facing and how we can work together across the public and private sectors to address them. Google is committed to supporting many of the efforts we discussed today, including the creation of our new Open Source Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects, and by providing support to the community through updates on key projects like SLSA, Scorecards; and Sigstore, which is now being used by the Kubernetes project. Security risks will continue to span all software companies and open source projects and only an industry-wide commitment involving a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact.”

IBM

Jamie Thomas, Enterprise Security Executive

“Today, we had the opportunity to share our IBM Policy Lab’s recommendations on how understanding the software supply chain is key to improving security. We believe that providing greater visibility in the software supply chain through SBoMs ( Software Bill of Materials) and using the Open Source Software  community as a valuable resource to encourage passionate developers to create, hone their skills, and contribute to the public good can help strengthen our resiliency. It’s great to see the strong commitment from the community to work together to secure open source software. Security can always be strengthened and I would like to thank Anne Neuberger today  for her deep commitment and open, constructive, technical dialogue that will help us pave the way to enhancing OSS security. ”

Intel

Greg Lavender, Chief Technology Officer and General Manager of the Software and Advanced Technology Group

“Intel has long played a key role in contributing to open source. I’m excited about our role in the future building towards Pat’s Open Ecosystem vision. As we endeavor to live into our core developer tenets of openness, choice and trust – software security is at the heart of creating the innovation platforms of tomorrow.”

Melissa Evers, Vice President, Software and Advanced Technology, General Manager of Strategy to Execution

“Intel commends the Linux Foundation in their work advancing open source security. Intel has a history of leadership and investment in open source software and secure computing: over the last five years, Intel has invested over $250M in advancing open-source software security. As we approach the next phase of Open Ecosystem initiatives, we intend to maintain and grow this commitment by double digit percentages continuing to invest in software security technologies, as well as advance improved security and remediation practices within the community and among those who consume software from the community.”

JFrog

Stephen Chin, Vice President of Developer Relations

“While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories. As we say at JFrog, ‘with great software comes great responsibility’, and we take that job seriously. As a designated CNA, the JFrog Security Research team constantly monitors open-source software repositories for malicious packages that may lead to widespread software supply chain attacks and alerts the community accordingly. Building on that, JFrog is proud to collaborate with the Linux Foundation and other OpenSSF members on designing a set of technologies, processes, accreditations, and policies to help protect our nation’s critical infrastructure while nurturing one of the core principles of open source – innovation.” 

JPMorgan Chase

Pat Opet, Chief Information Security Officer

“We are proud to have worked with Open Source Security Foundation (OpenSSF) and its members to create the new Open Source Software Security Mobilization Plan, This plan will help to address security issues in the software supply chain which is critical to making the world’s software safer and more secure for everyone.”

Microsoft

Mark Russinovich, CTO, Microsoft Azure

“Open source software is core to nearly every company’s technology strategy. Collaboration and investment across the open source ecosystem will strengthen and sustain security for everyone. Microsoft’s commitment to $5M in funding for OpenSSF supports critical cross-industry collaboration. We’re encouraged by the community, industry, and public sector collaboration at today’s summit and the benefit this will have to strengthen supply chain security.”

OWASP Foundation

Andrew van der Stock, Executive Director

“OWASP’s mission is to improve the state of software security around the world. We are contributing to the Developer Education and Certification, as well addressing the Executive Order for improving the state and adoption of SBOMs. In particular, we would like to see a single, consumable standard across the board.” 

Mark Curphey (founder of OWASP) and John Viega (author of the first book on software security), Stream Coordinators

“We’re excited to see the industry’s willingness to come together on a single ‘bill of materials’ format. It has the potential to help the entire industry solve many important problems, including drastically improving response speed for when major new issues in open source software emerge.” 

SAP

Tim McKnight, SAP Executive Vice President & Chief Information Security Officer

“SAP is proud to be a part of the Open Source Software Security Summit II and contribute to the important dialogue on the topic of Open Source software security.

“SAP is firmly committed to supporting the execution of the Open Source Software Security Mobilization Plan and we look forward to continuing our collaboration with our government, industry, and academic partners.”

Sonatype

Brian Fox, CTO of Sonatype and stewards of Maven Central.

“It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today. It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone. The Open Source Software Security Mobilization Plan is a great step toward bringing our community together with a number of key tactics, starting with securing OSS production, which will make the entire open source ecosystem stronger and safer.” 

Wipro

Andrew Aitken, Global Head of Open Source

“Wipro is committed to helping ensure the safety of the software supply chain through its engagement with OpenSSF and other industry initiatives and is ideally suited to enhance efforts to provide innovative tooling, secure coding best practices and industry and government advocacy to improve vulnerability remediation.

“As the only global systems integrator in the OpenSSF ecosystem and in line with its support of OpenSSF objectives, Wipro will commit to training 100 of its cybersecurity experts to the level of trainer status in LF and OpenSSF secure coding best practices and to host training workshops with its premier global clients and their developer and cybersecurity teams.

“Further, Wipro will increase its public contributions to Sigstore and the SLSA framework by integrating them into its own solutions and building a community of 50+ contributors to these critical projects.”

KEY BACKGROUND

Three Goals of the 10-Point Plan

  1. Securing Open Source Security Production
    1. Make baseline secure software development education and certification the new normal for pro OSS developers
    2. Establish a public, vendor-neutral, objective-metrics based risk assessment dashboard for the top 10,000 open source components.
    3. Accelerate the adoption of digital signatures on software releases
    4. Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  2. Improving Vulnerability Discovery and Remediation
    1. Accelerate discovery of new vulnerabilities by maintainers and experts.
    2. Establish the corps of “volunteer firefighter” security experts to assist open source projects during critical times.
    3. Conduct third-party code reviews (and any necessary remediation work) of 200 of the most-critical open source software components yearly
    4. Coordinate industry-wide data sharing to improve the research that helps determine the most critical open source software.
  3. Shorten ecosystem Patching Response Time
    1. Software Bill of Materials (SBOM) Everywhere – improve SBOM tooling and training to drive adoption
    2. Enhance the 10 most critical open source security build systems, package managers, and distribute systems with better supply chain security tools and best practices.

The 10-Point Plan Summarized (available in full here)

  1. Security Education Deliver baseline secure software development education and certification to all. 
  2. Risk Assessment Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
  3. Digital Signatures Accelerate the adoption of digital signatures on software releases.
  4. Memory Safety Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  5. Incident Response Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
  6. Better Scanning Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
  7. Code Audits Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year. 
  8. Data Sharing Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
  9. SBOMs Everywhere Improve SBOM tooling and training to drive adoption. 
  10. Improved Supply Chains Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

Media Contact
Edward Cooper
openssf@babelpr.com

OpenSSF Announces 15 New Members To Further Strengthen Open Source Software Supply Chain Security

By Press Release

Expands core working groups ahead of OpenSSF Day

SAN FRANCISCO, May 9, 2022 – The Open Source Security Foundation (OpenSSF) a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important software supply chain security initiatives, today announced 15 new members from leading software development, cybersecurity, financial services, communications, and academic sectors.

This round of commitments is led by two new premier members, Atlassian and Sonatype, who will join the OpenSSF governing board. New general member commitments come from Arnica, Bloomberg, Comcast, Cycode, F5, Futurewei Technologies, Legit Security, Sectrend, SUSE, and Tenable.

“We are thrilled to welcome Atlassian and Sonatype, two companies who play critical roles in modern software development and security, to the OpenSSF governing board”, Brian Behlendorf, General Manager at OpenSSF. “Open source software supply chain attacks threaten the very foundations of innovation that billions of people rely upon. Our 15 new members join a growing community of organizations, developers, researchers, and security professionals that are investing time and resources required to respond in this constantly evolving threat landscape.”

Open source software has become the foundation on which our digital economy is built. As noted in the Linux Foundation’s 2022 Software Bill of Materials (SBOM) and Cybersecurity Readiness report, 98% of organizations use open source regularly. The same study revealed that 72% of organizations are very or extremely concerned about software security. Recent vulnerabilities, such as the one impacting Log4j, have caused many organizations to prioritize software supply chain security and realize the need to be fully abreast of the open source ecosystem, as well as contributing to it. From governments to businesses, open source security has been brought to the top of the agenda as a priority issue to address and as a result, OpenSSF is seeing membership rise at a rapid pace.

The latest commitments follow a productive period for OpenSSF in which the foundation expanded its core working groups to include Securing Software Repositories. This group aims to improve cybersecurity practices where developers download open source packages most often. 

Furthermore, on June 20th, the foundation will host a full day of sessions at OpenSSF Day. Presentations, delivered by working group leaders, will include subjects such as Best Practice Badges and Other Good Practices, Three Things Your Open Source Project Must Consider, and Securing Critical Projects. The day will conclude with a panel discussion on the Future of Securing Open Source Software. Registration and attendance are free for all those attending the Open Source Summit conference.

Premier Member Quotes

Atlassian

“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be joining OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. As a premier member, we’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.” – Adrian Ludwig, Chief Trust Officer, Atlassian

Sonatype

“As the maintainers of the largest repository of open source components in Maven Central, we have a unique view into how great the demand for open source has become in recent years. However, as that demand has grown, bad actors have recognized the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this battle. Our key mission at Sonatype is to help people understand their software supply chain, and harness all of the good that open source has to offer, without any of the risk. OpenSSF and its members share a similar vision. I’m excited to play a bigger role in OpenSSF as a board member and collectively work with other members to keep open source ecosystems safe and secure, as we all figure out how to battle both new and old attacks on the community.” – Brian Fox, CTO and Co-founder, Sonatype

General Member Quotes

Arnica

“Software supply chain attack vectors have consistently caught the security community off-guard. Based on Arnica’s research across all attacks since 2018, we found two consistent root causes. One, improper access management to source code and two, inability to detect abnormal behavior in the developer toolset. The journey to solve these gaps is long and we are working on perfecting each risk mitigation strategy one-by-one, starting with introducing the first-ever self-service access management for GitHub.” – Nir Valtman, Co-Founder and CEO, Arnica

Bloomberg

“We are incredibly excited to join the Open Source Security Foundation (OpenSSF), whose values of public good, openness and transparency, and diversity, inclusion, and representation, align with those of Bloomberg. As an ‘Open Source First’ organization, we greatly value open source and its use within the finance sector, and we are fully committed to helping secure the open source software supply chain, something we have invested in via an ongoing collaboration between our CTO Office and Engineering organization.” – Gavin McNay, Security Architect in Bloomberg’s CTO Office

Comcast

“Comcast is committed to open source software. We use it to build products, attract talent, and develop our technology to improve the customer experience. When it comes to open source security, everyone plays a role. We are thrilled to join OpenSSF with the global open-source community to see how we can continue to evolve to make open-source development even more secure.” – Shilla Saebi, Open Source Program Office Lead, Comcast Cable

F5

“The growth of open source usage has magnified the importance of advancing OSS supply chain security for all, which can only be achieved as a shared priority among the industry. At F5, we are committed to ensuring our customers’ apps are fast, available and secure in any environment. That is why we value the work of the Open Source Security Foundation and its participating members, and look forward to sharing our domain expertise to help advance this important work.” – Geng Lin, EVP and Chief Technology Officer, F5

Futurewei Technologies

“OpenSSF is a premier and leading organization on open source security. Futurewei is very excited to join OpenSSF, and to engage in the conversations on the important topics of open source security and sustainability. We look forward to exciting discussions and collaborations with OpenSSF.” – Chris Xie, Head of Open Source Strategy and Business Development 

Legit Security

“Legit Security is pleased to join OpenSSF to advance the security of software supply chains within the open-source ecosystem as well as giving organizations tools to secure the infrastructure that makes up the SDLC – such as pipelines and systems. Attacks on software supply chains are estimated to increase between three to six times per year and are a global threat. We look forward to working with OpenSSF to publish security research and contribute tools and code for more secure software delivery and consumption across the entire community.” – Liav Caspi, CTO of Legit Security

Sectrend

“We feel very excited to be a part of this industry-leading Open Source Security foundation (OpenSSF). Together with other top-notch peers around the globe in various sectors under this initiative, we, Sectrend, are aiming to assist organizations of any size address the security and license compliance risks from open-source software. Securing the software supply chain is very critical for every company. Within the framework of OpenSSF or the Linux Foundation, Sectrend will make a tremendous contribution to this community-driven process in tooling, training, research, best practices, and consulting. Beyond Security, More than Open Source.” – Alex Xue, CEO, Sectrend

SUSE

“According to recent research in an Economist Impact survey, 95% of organizations are practicing open innovation, demonstrating how open source software is critical to business’s infrastructure and applications. With this comes the need for software to be secure and is why SUSE takes a proactive stance against security and compliance risks, leveraging tools for full lifecycle security including vulnerability management, CI/CD pipeline security, run-time security and government security certifications. SUSE is joining OpenSSF to further collaborate with the efforts to ensure the security of the open source software supply chain.” – Brent Schroeder, Head of SUSE’s Office of the CTO

Tenable

“We’re proud to be part of OpenSSF and join so many industry peers who understand the critical importance of securing open-source software and its associated supply chain. Log4j showed the world how pervasive OSS use is and how vulnerable it can be if the proper development and controls are not put in place to protect it. Tenable’s commitment to increasing visibility in attack surfaces includes shifting left to secure software development and helping organizations understand where the risks are throughout their systems.” Glen Pendley, CTO, Tenable

The foundation also announced new Associate Members, including the Eclipse Foundation, China Academy of Information and Communications Technology (CAICT) and Chinese Academy of Sciences (ISCAS). 

Additional Resources

  • View the complete list of the OpenSSF members
  • Attend OpenSSF Day at the Linux Foundation’s Open Source Summit on June 20 
  • Contribute efforts to one or more of the active OpenSSF working groups
  • Read the OpenSSF and Harvard’s Census II Report, shedding light on the most commonly used FOSS packages at the application library level

About OpenSSF

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: https://openssf.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, ONAP, Node.js, Hyperledger, RISC-V, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at: linuxfoundation.org

Media Contacts

Babel for OpenSSF

openssf@babelpr.com

Open Source Security Foundation Attracts New Commitments, Advances Key Initiatives in Weeks Since White House Security Summit

By Press Release

SAN FRANCISCO, March 1, 2022, The Open Source Security Foundation (OpenSSF) a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important open source security initiatives, today announced 20 new organizations have joined OpenSSF to help identify and fix security vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. It is also announcing the latest milestones achieved across a variety of its technical initiatives, all of which underscore the cross-industry momentum that is taking place as a result of increasing awareness in the wake of recent security incidents and since the recent White House Open Source Security Summit and recent Congressional hearings. 

“The time is now for this community to make real progress on software security. Since open source is the foundation on which all software is built, the work we do at OpenSSF with contributions from companies and individuals from around the world is fundamental to that progress,” said Brian Behlendorf, executive director at OpenSSF. “We’ve never had more support or focus on building, sustaining, and securing the software that underpins all of our lives, and we’re happy to be the neutral forum where this can happen.” 

New Premier Member commitments come from 1Password, Citi, Coinbase, Huawei Technologies, JFrog, and Wipro. New General Member commitments come from Accuknox, Alibaba Cloud, Block, Inc, Blockchain Technology Partners, Catena Cyber, Chainguard, Cloudsmith, DeployHub, MongoDB, NCC Group, ReversingLabs, Spotify, Teleport, and Wingtecher Technology. New Associate Members include MITRE and OpenUK. For a complete review of the OpenSSF member roster, please visit: https://openssf.org/about/members/

These commitments come on the heels of the recent White House Open Source Security Summit, where the Linux Foundation and OpenSSF represented hundreds of its project communities and discussed how best to support software security and open source security posture going forward. This summit was a major milestone in the Linux Foundation’s engagement with the public sector and underscored its position supporting not only the projects it hosts but all of the world’s most critical open source infrastructure. 

Since the OpenSSF announced initial commitments in October, the community has continued to advance the OpenSSF mission. Some selected highlights include:

New Alpha-Omega Project Launches with $5m Investment to Improve OSS Security Posture

OpenSSF also recently announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. It is initially supported by Microsoft and Google with a combined investment of $5 million. The Project improves global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

Automated Security Tool, Scorecards, Increases Scans from 50,000 to 1 Million Projects

Scorecards is an OpenSSF project that helps open source users understand the risks of the dependencies they consume. OpenSSF members GitHub and Google recently announced Scorecards v4, which includes Scorecards GitHub Workflow Action to automate the identification of how changes to a project affected its security. It also includes License Check to detect the presence of a project license and Dangerous-Workflow check to detect dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows. The Scorecards project has also increased the scale of scans from 50,000 projects to one million projects. These software projects are identified as most critical based on their number of direct dependencies, giving a more detailed view of the ecosystem and strengthening supply chain security as users see improved coverage of their dependencies. 

Project Sigstore Sees Massive Contribution, Adoption to Sign, Verify and Protect OSS 

Sigstore recently released a project update that reported nearly 500 contributors, 3,000 commits, and over one million entries in Rekor. For more information on what is driving this adoption, please visit the Sigstore blog.

The “Great MFA Distribution” Distributes Codes to Claim Free Hardware Security Tokens to Almost 1000 Top OSS Developers

In the pursuit of encouraging wider adoption of multi-factor authentication (MFA) by developers of critical open source projects, The Securing Critical Projects Working Group coordinated the distribution of nearly 1000 codes for free MFA tokens (graciously donated by Google and Github) to developers of the 100 most critical open source projects. This dsiribution is a small but critical step in avoiding supply chain attacks based on stolen credentials of key developers.

To join OpenSSF and/or contribute to these important initiatives, please visit: https://openssf.org/

Premier Member Quotes

1Password

“We’re proud to be among like-minded organizations and individuals that share a collective commitment to improving the security posture of open source software,” said Pedro Canahuati, Chief Technology Officer at 1Password. “Much of the technology we use today is built on open source software. Given 1Password’s human-centric approach to building user-friendly applications, it’s important to us that its integrity and security is protected.”

Citi

“The security of open source software and its supply chain is an essential aspect to Citi. We have worked with the open source community on bolstering security in these areas, and we look forward to strengthening this mission by joining the Open Source Security Foundation,” said Jonathan Meadows, Head of Cloud & Application Security Engineering, Citibank.

Coinbase

“Coinbase is the world’s most trusted cryptocurrency exchange, and the security of our open source dependencies — as well as the broader crypto ecosystem — is paramount. The OpenSSF’s goals align with our own, and Coinbase is proud to be contributing to increasing the security of open source software for the benefit of all,” said Jordan Harband, Staff Developer Relations Engineer, Coinbase.

Huawei Technologies

“The importance of open source software security is well recognized by the customer, industry, and government. It is time for the community to take strategic, continuous, effective, and efficient actions to advance the open source software security posture.  We are very glad to see OpenSSF launching initiatives (Scorecard, Alpha-Omega, SigStore, etc.) to improve the open source software security directly,” said Dr. Kai Chen, Chief Security Strategist, Huawei. “Huawei commits to strengthen investment on cybersecurity and to maintain a global, secure and resilient  open source software supply chain.”

JFrog

“Open source software is the foundation of today’s modern systems that run enterprises and government organizations alike – making software part of a nation’s critical infrastructure,” said Stephen Chin, VP of Developer Relations, JFrog. “JFrog is honored to be part of OpenSSF to accelerate innovation and advancement in supply chain security. Projects coming out of OpenSFF help make JFrog’s liquid software vision a secure reality.”

Wipro

“With the increasing adoption of open source software and its growing importance in enabling innovation and transformation comes commensurate cybersecurity risks. The community needs a concerted effort to address them. We are excited to join the governing board of OpenSSF to collaborate with other members on defining and building set of solutions and frameworks and best practices to help ensure the integrity of the open source software supply chain and contribute our domain expertise, breadth of resources and global reach to this important effort,”  said Subha Tatavarti, CTO, Wipro Limited.

General Member Quotes

Accuknox

“In the Shift Left, DevSecOps Developer-led adoption of Security Tools and platforms an OpenSource led approach is imperative. We are thrilled to see OpenSSF launching path-breaking initiatives to help end-users and technology providers harness the power of open source and contribute to the collective knowledge capital,” said Nat Natraj, co-founder, CEO, AccuKnox.

Alibaba Cloud

“Open Source software has become a key software supply chain of IT, and Open Source software security has a huge impact on infrastructure security. Alibaba Cloud, as the world’s leading cloud vendor that always puts security and data privacy as the priority, is keeping investing in security research. For a long time, the public has felt that open source software is very safe because of transparency, all software developers can review the code, find and fix vulnerabilities. But In fact, there are many widely used open-source software that is still possible to have security bugs that have not been noticed for a long time. It is great to have an organization like OpenSSF, which can connect so many great companies and open source communities to advance open source security for all.  As a member of Open Source Security Foundation, we’re looking forward to collaborating with OpenSSF to strengthen the Open Source security,” said Xin Ouyang, Head of Alibaba Cloud Security, Alibaba Cloud.

Block, Inc.

“Block is very excited to join with other industry leaders to help step up the quality of open source security.  I strongly believe that as an industry, it is our priority to address security concerns in a supply chain that we all use.  We may compete on products, but we should never compete on security, and OSSF is a fantastic example of this idea,” said Jim Higgins, CISO of Block.

Blockchain Technology Partners

“Open source software is mainstream and underpins much of the world’s critical infrastructure as well as powering enterprises across the globe. Against this backdrop, OpenSSF’s mission to secure the open source supply chain is fundamental to our future,” said Duncan Johnston-Watt, CEO and Co-founder of Blockchain Technology Partners. “Collaboration is key to OpenSSF’s success, and so we are delighted to contribute to this initiative which complements our existing involvement in the Hyperledger Foundation, CNCF, and LF Energy.”

Catena Cyber

“Open source leads to a massive sharing of knowledge. Beyond the quantity of information, the quality of it becomes important to bring value to society,” said Philippe Antoine, CEO of Catenacyber. “We are glad to join OpenSSF to contribute to improving the cybersecurity of open source projects through fuzzing and other means. Let’s fix all the bugs!”

Chainguard

“Making the software lifecycle secure by default is increasingly critical as open source has become the digital backbone of the world. A vibrant, open software security ecosystem is essential to that mission. We are excited to be members of the Open Source Security Foundation and to continue working with the community to make the software lifecycle secure by default,” said Tracy Miranda, head of open source at Chainguard.

Cloudsmith

“Having a single source of truth for software artifacts has never been more vital to supply chains, especially for the open-source community. OSS engineers need trust and provenance, and a trusted source for secure end-to-end software delivery, from build through to production. At Cloudsmith, our mission is to evolve the cloud-native supply chain, making it simple for the OSS community to secure their software delivery at scale through Continuous Packaging. We are thrilled to join OpenSSF, and we look forward to being part of the continued mission to improve the security posture of open source software universally,” said Alan Carson, CEO at Cloudsmith.

DeployHub

“At DeployHub, we have been laser-focused on tracking the consumption of microservices, including their versions. These relationships make up our new application-level Software Bill of Materials (SBOMS). There is no better place to have this supply chain conversation than the OpenSSF,” explains Tracy Ragan, CEO DeployHub.

MongoDB

“As all industries increasingly rely upon open source software to deliver digital experiences, it is our collective responsibility to help maintain a vibrant and secure ecosystem,” said Lena Smart, Chief Information Security Officer, MongoDB. “You can have all the tools in the world, but at the end of the day, it is people across multiple organizations around the world working together that will ensure an expansive cybersecurity program. One of MongoDB’s values is “Build Together,” and we’re excited to join and further cross-industry collaboration to move the security of open source software forward.”

NCC Group

“Even if your code is perfectly secure, chances are it has vulnerable dependencies. And the number of unpatched vulnerabilities “in the wild” outpaces the speed at which the security community can patch or even identify them. Security, as it is practiced now, doesn’t scale at the rate needed to keep things at least as secure as they were yesterday, and we have compelling reasons to expect this to get even worse for defenders. However, through harnessing dedicated investment and coordinating industry-wide efforts to improve the security of the most critical open source components and find scalable interventions for the entire ecosystem, we have an opportunity to improve software security at a massive scale. But we can only do this together, and it is for this reason that NCC Group is excited to contribute to the work of OpenSSF,” said Jennifer Fernick, SVP & Global Head of Research at cybersecurity consulting firm NCC Group.

ReversingLabs

“The software supply chain has become a major risk vector for new threats, including those from the open source ecosystem. The inherent dependencies and complexities of the modern software supply chain means that companies often lack visibility and the ability to track each component through the entire software development process. Recognizing these challenges, ReversingLabs is pleased to join the OpenSSF and offer its contributions to the community that help drive the automation of more comprehensive software bills of material and mitigate software supply chain and package release risks,” said Mario Vuksan, CEO and Co-founder, ReversingLabs.

Spotify 

“As a technical community we all have a responsibility to improve the security and trust of an open source ecosystem that so many of us rely upon. Spotify has always relied on open source software, and contributes to the community through projects like Backstage. We believe open source software forms the backbone of our industry and we look forward to supporting the foundation’s goal of ensuring everyone can depend on a healthy and secure software ecosystem,” said Tyson Singer, VP, Head of Technology and Platforms at Spotify.

Teleport

“The complexity of modern infrastructure has broadened attack surface areas to the point where data breaches are just about an everyday occurrence,” said Ev Kontsevoy, CEO of Teleport. “These risks have been exacerbated by the rise of remote and hybrid workplaces. With an eye on global attacks, the open source community’s commitment to improving open source security is critical to ushering in a new era of computing. Offering a solution to increase security, ease usability, and help scale enterprise development access, Teleport is pleased to be a part of the OpenSSF.” 

Wingtecher Technology

“As a fast-growing startup, Wingtecher focuses on exploring the technologies that secure various kinds of open source softwares. We are excited to join OpenSSF and ready to collaborate with the community to overcome the emerging open source security challenges worldwide,” said Vincent Li, COO Wingtecher Technology.

About OpenSSF

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: https://openssf.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

OpenSSF Announces The Alpha-Omega Project to Improve Software Supply Chain Security for 10,000 OSS Projects

By Press Release

Following a meeting with government and industry leaders at the White House, OpenSSF is excited to announce the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. Microsoft and Google are supporting the Alpha-Omega Project with an initial investment of $5 million. This builds on previous industry-wide investments into OpenSSF aiming to improve open source software security.

Widely deployed OSS projects that are critical to global infrastructure and innovation have become top targets for adversarial attacks. Following new vulnerability disclosures, adversary attacks can be seen within hours. For example, recently discovered vulnerabilities in the widely deployed Log4j library forced many organizations into crisis as they raced to update applications using the popular library before adversaries could attack. 

The Alpha-Omega Project will improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

“Open source software is a vital component of critical infrastructure for modern society. Therefore we must take every measure necessary to keep it and our software supply chains secure,” said Brian Behlendorf, General Manager, OpenSSF. “Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities.  This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.”

Alpha: Focusing on the Most Critical OSS Projects

Alpha will be collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.

For these selected projects, Alpha team members will provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.

Alpha will track a series of important metrics providing stakeholders with a better understanding of the security of the open source project they depend on. The public will receive a transparent, standardized view of the project’s security posture and compliance with security best practices. 

Omega: Focused on the Long Tail of OSS Projects

Omega will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings) and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega will have a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.

Omega community members will provide suggestions on how to automate detection of security vulnerabilities in the future and more generally on efficient ways to implement security best practices.

Corporate Partnerships Are Key

The value of securing the OSS ecosystem has become increasingly clear to companies and organizations of all sizes. Microsoft and Google’s support of the Alpha-Omega Project with an initial investment of $5 million and committed personnel is jump-starting the initiative. Other organizations are strongly encouraged to participate as well, whether by committing volunteers or by direct funding to expand the number of OSS projects that Alpha-Omega can reach.

“The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part—it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities,” stated Eric Brewer, VP of Infrastructure and Fellow at Google. “Enabling automation will be one of the greatest improvements for open source security.”

“At Microsoft, we proudly support OpenSSF and the Alpha-Omega Project. Open source software is a key part of our technology strategy, and it’s essential that we understand the security risk that accompanies all of our software dependencies,” offered Mark Russinovich, Chief Technology Officer, Microsoft Azure. “Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities. We look forward to collaborating with industry partners and the open source community on this important initiative.” 

Learn More and Get Involved

For more information about Alpha-Omega, see https://openssf.org/community/alpha-omega/. Individuals interested in updates about Alpha-Omega can sign up through an announcements mailing list. Organizations considering sponsorship or engagement in Alpha-Omega should email memberships@openssf.org

The OpenSSF also encourages all individuals and organizations interested in Alpha-Omega to participate in its Securing Critical Projects working group

Additional Resources

  • Join the OpenSSF to take an active role in improving OSS security
  • Participate in one of six OpenSSF working groups to help improve open source security
  • Get involved in our OpenSSF events, planning committees, and Slack workspaces
  • Download our new State of Software Bill of Materials and Cybersecurity Readiness report
  • Get certified as a secure software development professional

About the Open Source Security Foundation (OpenSSF)

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at https://www.linuxfoundation.org/

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page. Linux is a registered trademark of Linus Torvalds.

Open Source Security Foundation Raises $10 Million in New Commitments to Secure Software Supply Chains

By Press Release

Industry leaders from technology, financial services, telecom, and cybersecurity sectors respond to Biden’s Executive Order, commit to a more secure future for software; open source luminary Brian Behlendorf becomes general manager

LOS ANGELES, Calif – KubeCon – October 13, 2021 –  The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together multiple open source software initiatives under one umbrella to identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. Open source luminary Brian Behlendorf will serve the OpenSSF community as General Manager. 

Financial commitments from Premier members include Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware. Additional commitments come from General members Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust Japan, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.

“This pan-industry commitment is answering the call from the White House to raise the baseline for our collective cybersecurity wellbeing, as well as ‘paying it forward’ to open source communities to help them create secure software from which we all benefit,” said Jim Zemlin, executive director at the Linux Foundation. “We’re pleased to have Brian Behlendorf’s leadership and extensive expertise on building and sustaining large communities and technical projects applied to this work. With the tremendous growth and pervasiveness of open source software, building cybersecurity practices and programs that scale is our biggest task at hand.”

According to industry reports (“2021 State of the Software Supply Chain,” by Sonatype), software supply chain attacks have increased 650 percent and are having a severe impact on business operations. In the wake of increasing security breaches, ransomware attacks, and other cybercrimes tied to open source software, government leaders worldwide are calling for private and public collaboration. Because open source software makes up at least 70 percent of all software (“2020 Open Source Security and Risk Analysis Report” by Synopsys), the OpenSSF offers the natural, neutral, and pan-industry forum to accelerate the security of the software supply chain. 

“There has never been a more exciting time to work in the open source community, and software supply chain security has never needed more of our attention,” said Brian Behlendorf, general manager, Open Source Security Foundation. “There is no single silver bullet for securing software supply chains.  Research, training, best practices, tooling and collaboration require the collective power of thousands of critical minds across our community. Funding for OpenSSF gives us the forum and resources to do this work.”

The OpenSSF is home to a variety of open source software, open standards, and other open content work for improving security. Examples include:

  • Security Scorecard – a fully automated tool that assesses a number of important heuristics (“checks”) associated with software security
  • Best Practices Badge – a set of Core Infrastructure Initiative best practices for producing higher-quality secure software providing a way for OSS projects to demonstrate through badges that they are following them
  • Security Policies Allstar provides a set and enforce security policies on repositories or organizations
  • Research – studies on open source software and critical security vulnerabilities conducted in association with the Laboratory for Innovation Science at Harvard (LISH) (e.g., a preliminary census and FOSS Contributor Survey)

For more information about OpenSSF, please visit: https://openssf.org/

Premier Member Quotes

AWS

“Open source software plays an increasingly crucial role across the whole landscape of information security. Convening industry leaders to invest in developing policies, practices, tooling, and education around open source security benefits us all. AWS was a founding member of the Core Infrastructure Initiative in 2014, and we will now build on the relationships and investments that continue the mission by joining OpenSSF as a Premier Member. With our partners in this initiative, and as active participants in many open source communities, we will help raise the bar in the security of open source software,” said Mark Ryland, Director of the Office of the CISO at AWS.

Cisco

“OpenSSF will enable the community, across industries, to build tools and practices to secure the software supply chain for open source and beyond. This is crucial to the future of API and application security, which are fast becoming a primary attack vector for all business going forward,” says Vijoy Pandey, VP of Emerging Technologies & Incubation at Cisco. “At Cisco, we believe the application experience is the new brand, which demands better app velocity, trust, security, and availability. This belief drives our deep investment in application security and full-stack observability, which is why joining forces with this prestigious foundation and group as a trusted advisor and partner was a no-brainer for us.”

Dell Technologies 

“The Linux Foundation’s focus on security is fundamental to addressing the increasing risks associated with software,” said John Roese, Dell Technologies’ Global Chief Technology Officer. “The Open Source Security Foundation’s work will help us collectively make sure critical software programs and the end to end software delivery pipeline is secure and trustworthy.”

Ericsson

“As a leader in mobile communication, pioneering and driving 5G globally, security is at the core of the network infrastructure we build and deliver to our customers. In an industry increasingly built around open source and open standardization we are fully committed to address cybersecurity vulnerabilities in a collaborative effort. We are proud to join the Open Source Security Foundation as a founding member and we look forward to continue to work with the community and wider industry for a secure software supply chain, including the open source components,” says Erik Ekudden, Senior Vice President and Chief Technology Officer, Ericsson.

Fidelity

“Open Source Software plays a critical role in Fidelity’s technology strategy. We are proud to be part of the Open Source Security Foundation and to work with others to ensure that Open Source solutions and their supply chains are safe, secure, and reliable, enabling Fidelity to better serve our customers and clients,” said John Andrukonis, SVP, Fidelity Application Architecture.

GitHub

“The world runs on software, and most of that software includes and relies on open source,” said Mike Hanley, Chief Security Officer at GitHub. “As the home to more than 65 million developers around the world, we’re excited to continue partnering across the open source community and with other Open Source Security Foundation members to power a more secure, trustworthy future that will benefit everyone.”

Google

“We are doubling down on our OpenSSF commitment in the wake of rising open source software supply chain attacks and President Biden’s Executive Order,” said Eric Brewer, vice president of infrastructure and fellow at Google. “This decision is part of our White House pledge to spend $100 million to fund open source security foundations and follows a variety of investments we’ve made to support developers and security engineers across the public and private sectors. The OpenSSF is the best place for cross-industry leadership for these very challenging topics, and we look forward to working with the US and other governments to improve security worldwide.” 

IBM 

“IBM is deeply focused on developing and building highly secure hybrid cloud, AI and quantum-safe technologies that are designed to protect our clients’ most sensitive workloads both today and into the future,” said Jamie Thomas, General Manager, Strategy & Development and IBM Enterprise Security Executive. “As a long-time open source leader, IBM looks forward to working with the OSSF, our industry partners, and open source communities towards addressing the ever-increasing challenge of hardware and software open source supply chain security.”

Intel

“As a long-standing member of the open source software community, Intel contributes daily in the upstream projects we collaborate with,” said Greg Lavender, senior vice president, CTO, and general manager of Software and Advanced Technology at Intel Corporation. “Along with the Linux Foundation, we believe the Open Security Foundation (OpenSSF) is a unique opportunity to engage in projects and efforts focused on improving the quality and security for today and our future. Intel remains committed to providing contributions that benefit open source software supply chains and improving the security posture of critical projects on which our ecosystem depends.”

JPMorgan Chase

“JPMorgan Chase is deeply committed to working with the open source community to solve our most pressing security challenges. As a founding member of the Open Source Security Foundation, we have worked together to improve the security of open source and the integrity of all software. We commend the US Government’s recent initiative to raise awareness on this pressing topic and call to action the technology community to solve one of the most complex security challenges of our time.  We welcome the new members to OpenSSF and look forward to continuing the journey of innovation and bringing meaningful change to how we build, secure, and validate software,” said Pat Opet, Chief Information Security Officer, JPMorgan Chase & Co.

Microsoft

“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own. All of us at Microsoft are excited to participate with others in contributing new investments to the Open Source Security Foundation and we look forward to building more secure software through community-driven efforts to create solutions that will help us all,” said Mark Russinovich, Azure CTO and Technical Fellow, Microsoft.

Morgan Stanley

“Whether we are leveraging open source in our own code, contribute to OSS projects, or consume OSS via technology we procure and utilize, the safety and security of OSS and the creation of a trustworthy supply chain is critical to all businesses. To that end, we are delighted to join the Linux Foundation’s Open Source Security Foundation project to collaborate with our cross-industry partners to improve the security, safety and trust in the OSS ecosystem,” said Neil Allen, Global Head of Cyber Security Engineering, Morgan Stanley.

Oracle

“As a contributing member of the open source software community and an inaugural Linux Foundation member, Oracle has a large number of developers that contribute to third-party open source projects daily,” said Wim Coekaerts, senior vice president of software development, Oracle. “Oracle looks forward to participating in the Open Source Security Foundation and working with other members to continue to strengthen the software supply chain, helping customers work more securely.”   

Red Hat

“Open source is pervasive in software solutions of all kinds, and cybersecurity attack rates are on the rise. Our customers look to Red Hat to provide trust and enhanced security in our open source based portfolio. Open source and community collaboration is the best way to solve big, industry-wide challenges, such as open source supply chain security. And that’s why we’re excited to join together with the Linux Foundation and other industry leaders so we can continue to improve the technologies and practices to build a more secure future from open source software,” said Chris Wright, senior vice president and CTO, Red Hat.

Snyk

“Open source is built by millions of empowered developers, who also need to secure this critical foundation of the digital world,” said Guy Podjarny, Founder & President, Snyk. “The vital work of the Linux Foundation and the OpenSSF ensures we collectively live up to this responsibility. The Snyk community is fully committed to this important, collaborative effort and we look forward to working closely with the other OpenSSF members to better secure OSS so it can continue to safely fuel innovation.”

VMware

“Every company that uses software should be concerned about their software supply chain,” said Kit Colbert, chief technology officer, VMware. “For two-plus years, VMware has engaged in contributions to open source projects in the broader software supply chain security space and invested in initiatives to help customers further strengthen their security policies and processes. As a member of the Open Source Security Foundation, we’re committed to collaborating across the industry to drive increased level of software supply chain security.”

General Member Quotes 

Apiiro

“Software supply chain risks are becoming pervasive, with the potential to slow application delivery and stunt innovation,” commented John Leon, VP of Business Development at Apiiro. “Managing application risk has become increasingly complex and requires visibility across the SDLC – including the supply chain. Apiiro is excited to partner with the open source community and support the Linux Foundation and OpenSSF as they power the collaboration that is vital to securing software.”

AuriStor

“AuriStor’s founders have contributed to the standardization of security protocols and open source development of security first software for more than 35 years. We view the OpenSSF, its working groups and projects, and those that participate in them as crucial to improving the security of every industry, service, and home. The OpenSSF has the potential to make a significant difference in everyone’s future. We encourage all members of the software development community to contribute.“, said AuriStor Founder and CEO Jeffrey Altman.

Devgistics

“We seized the opportunity to join this foundation because OpenSSF offers a real industry-neutral forum to accelerate the hardening and security of the software supply chain. Devgistics (formerly InfoSiftr) provides critical enhancements to the world’s most popular open-source repository. Devgistics has been involved in many free and open-source initiatives for years, including being a Moby (Docker Engine) maintainer, providing support to the Docker/container ecosystem, and serving in the Open Container Initiative. Devgistics continues to contribute cutting-edge solutions for security-conscious clients like the US Air Force,” said Devgistics Founder and President Justin Steele. 

DTCC

“DTCC is committed to developing highly resilient and secure code to safeguard the financial marketplace. DTCC is proud to be part of the OpenSSF community and looks forward to partnering with our fellow members on safe, secure and reliable computing,” said Ajoy Kumar, Head of Tech/Cyber Risk at DTCC.

GitLab

“As organizations modernize software development and shift security left, GitLab believes that open source will play a key role in fostering this modernization and delivering secure software with speed to the market,” said Eric Johnson, CTO at GitLab. “Supporting the Open Source Security Foundation aligns with GitLab’s mission of enabling everyone to contribute, and we look forward to supporting, collaborating, and sharing our expertise in implementing security in GitLab’s DevOps Platform to the OpenSSF community.”

Goldman Sachs

“Continuing to secure the software supply chain, in particular the many critical open source projects foundational to any modern organization’s IT architecture, is a top strategic imperative for Goldman Sachs, our peers, partners, and clients in financial services, the technology ecosystem, and the wider economy,” said Atte Lahtiranta, chief technology officer at Goldman Sachs. “This work cannot be done in individual organizational silos. We instead need to work collaboratively, across both the private and public sector, together with open source maintainers and contributors, to answer the call to action that is the recent cybersecurity executive order. The OpenSSF will provide an essential forum and associated infrastructure to allow us to share leading practices, develop improved tooling, and work together to better protect our digital infrastructure.”

JFrog

“Open-source software is the backbone of hundreds of thousands of today’s applications, making it critical that we do our best to flag new vulnerabilities and insecure components fast—before they compromise businesses or critical infrastructure,” said Asaf Karas, JFrog Security CTO. “We’re happy to expand our membership with the Linux Foundation and support this cross-industry collaboration to identify and fix open source security vulnerabilities, strengthen tools, and promote best practices to ensure developers can easily shift left and bake-in security from the start of application planning and design — all the way to software deployment, distribution, and runtime.”

Nutanix

“The world runs on open source software and Nutanix is eager to help ensure its security. This can only be achieved through broad industry collaboration. We believe in the founding vision of the Open Source Security Foundation. We hope to help empower open source developers and better protect all of our customers with the partnership it enables. As members of the Open Source Software Foundation, we join other industry leaders in strengthening the software supply chain security we all rely upon,” said Rajiv Mirani, Chief Technology Officer at Nutanix.

StackHawk

“Software development is moving faster than ever before. The industry needs tooling and processes to ensure that security can keep up with today’s pace of development. StackHawk is excited about the work that the Open Source Security Foundation is doing to improve security and we are proud to continue as a member,” said Joni Klippert, StackHawk Founder & CEO.

Tencent

“IT development to date, an increasing number of critical businesses and core competencies have been built on open source, and this trend will continue. As an important part of the software supply chain, open source security plays an important role in the entire software supply chain. Tencent Cloud has always been keen to contribute code and technology to open source projects, and also maintains a continuous huge investment in security. It is very gratifying to see that OpenSSF can be established, and we look forward to working closely with industry  partners to improve the security level of open source software and strengthen the software supply chain security,” said KK Dong, Chief Security Officer at Tencent Cloud.

Wind River

“As the dependency on open-source software becomes increasingly pervasive, the Open Source Security Foundation’s community-driven approach to developing and sharing security metrics, tools and best practices becomes an imperative. Our customers are actively interested in the health of the open source from which their solutions are constructed, and assuring secure development across open the supply chain is vital,” said Paul Miller, CTO, Wind River. “We are looking forward to collaborating more closely with the OpenSSF community. By working together, Wind River can provide customers with a level of open source security assurance that would otherwise be unobtainable.”

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at https://www.linuxfoundation.org/

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

Open Source Ecosystem Gains New Support for Securing the World’s Most Critical and Pervasive Software

By Press Release

Open Source Security Foundation adds 10 new members from around the globe

SAN FRANCISCO, Calif., July 28, 2021 OpenSSF, a cross-industry collaboration to secure the open source ecosystem, today announced new membership commitments to advance open source security education and best practices. New members include Accurics, Anchore, Bloomberg Finance, Cisco Systems, Codethink, Cybertrust Japan, OpenUK, ShiftLeft, Sonatype and Tidelift. 

Open source software (OSS) has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike. Because of its development process, open source has a chain of contributors and dependencies before it ultimately reaches its end users. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency supply chain.

“The massive support we’re seeing for the OpenSSF and its initiatives is a reflection of the industry-wide commitment to secure open source software,” said Kay Williams, Governing Board Chair, OpenSSF, and Supply Chain Security Lead, Azure Office of the CTO, Microsoft. “We welcome the latest OpenSSF new members and look forward to their contributions.“

The new Scorecard 2.0 is also available now and includes new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis. The Scorecard is gaining adoption for automating analysis and trust decisions on the security posture of open source projects.

The OpenSSF is a cross-industry collaboration that brings together technology leaders to improve the security of OSS. Its vision is to create a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course. Its working groups include Securing Critical Projects, Security Tooling, Identifying Security Threats, Vulnerability Disclosures, Digital Identity Attestation, and Best Practices.  

OpenSSF has more than 45 members and associate members contributing to working groups, technical initiatives and governing board and helping to advance open source security best practices. For more information on founding and new members, please visit: https://openssf.org/about/members/

Membership is not required to participate in the OpenSSF. For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved

New Member Comments

Anchore

“As maintainers of multiple open source projects and a vendor working to help organizations secure their software supply chains, the current security challenges are ever present for us. Joining the OpenSSF enables us to work across the wider community to develop best practices and ensure that everyone benefits from this coordinated industry effort,” said Neil Levine, Vice President of Product at Anchore.

Cisco

“As a global technology leader, Cisco has a responsibility to ensure the software that the world builds, deploys, and interacts with is secure to use, without compromising the user experience,” said Stephen Augustus, head of open source at Cisco. “Cisco is delighted to openly collaborate with the OpenSSF member organizations to define policy and deliver tooling that helps organizations build and run secure applications.”

Codethink

“As a software consultancy trusted by our clients to provide impartial advice when choosing software to depend on, and processes to adopt, Codethink is pleased to join the OpenSSF to help to promote Open Source solutions to our clients and secure the future of those solutions openly and collaboratively. Codethink has long been a proponent of the use of Open Source software in industry, and in promoting participation as a way to mitigate risk. With the OpenSSF, we see many possible avenues to furthering these goals to the benefit of all,” said Javier Jardón, Head of Automotive Strategy at Codethink.

Cybertrust Japan

“Cybertrust Japan, a developer of embedded Linux for industrial use,  is pleased to join the OpenSSF based on the agreement with the activities which continuously promote the security of OSS gathering community-centric and cross-industry participants.  We are looking forward to contributing to open source community through our involvement with OpenSSF and their working groups utilizing our secure technology regarding our Linux OS for IoT devices and our trust services that protect the IoT lifecycle with a trust chain.” said Yasutoshi Magara, President & CEO, Cybertrust Japan.

OpenUK

“Open Technology  plays a vital role in the global economy, powering services like cloud computing. It has a good reputation for software quality, stability and security, but inevitably there are issues discovered over time. Where open source has an advantage is how organisations collaborate, improve code and work together to manage notifications and updates to all the community members and users involved around a project‘s ecosystem. OpenUK is pleased to join the OpenSSF and help the development and adoption of best practices for companies, communities and users within the software supply chain,” said Amanda Brock, CEO and Chief Policy Officer, OpenUK

ShiftLeft

“We are honored to have been accepted into the Open Source Security Foundation, and support their vision to create a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course,” said Chetan Conikee, CTO, ShiftLeft. “Like many of our customers, ShiftLeft has benefited greatly from leveraging open source software to build our differentiated products and features. This new juncture further strengthens our commitment of giving back to the community by empowering organizations with code, enabling them with the ability to build and run secure applications.”

Sonatype 

“As the maintainers of the largest repository of open source components in Maven Central, we have a unique view into how great the demand for open source has become in recent years. However, as that demand has grown, bad actors have recognized the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this new battle,” said Brian Fox, CTO of Sonatype.”One of our key missions at Sonatype is to help organizations continuously harness all of the good that open source has to offer, without any of the risk, and OpenSSF and its members share a similar vision. We’re thrilled to officially join OpenSSF and collectively work with other members to keep open source ecosystems safe and secure, as we all figure out how to battle both new and old attacks on the community.” 

Tidelift

“Open source has become the de facto development platform, providing the building blocks for the majority of modern applications. Yet most organizations struggle to effectively manage the health and security of their open source software supply chain. We look forward to collaborating with the members of the OSSF and our open source maintainer partners to proactively make open source software more secure for everyone.,” said Donald Fischer, CEO and co-founder, Tidelift.

About the Open Source Security Foundation (OpenSSF)

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support the open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page:  https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact

Jennifer Cloer

for the Linux Foundation

503-867-2304

jennifer@storychangesculture.com

Industry-Wide Initiative to Support Open Source Security Gains New Commitments

By Press Release

Open Source Security Foundation adds new members, Citi, Comcast, DevSamurai, HPE, Mirantis and Snyk.

SAN FRANCISCO, Calif., March 9, 2021 OpenSSF, a cross-industry collaboration to secure the open source ecosystem, today announced new membership commitments to advance open source security education and best practices. New members include Citi, Comcast, DevSamurai, Hewlett Packard Enterprise (HPE), Mirantis, and Snyk.

Open source software (OSS) has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike. Because of its development process, open source has a chain of contributors and dependencies before it ultimately reaches its end users. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency supply chain.

“Open source software is embedded in the world’s technology infrastructure and warrants our dedication to ensuring its security,” said Kay Williams, Governing Board Chair, OpenSSF, and Supply Chain Security Lead, Azure Office of the CTO, Microsoft. “We welcome the latest OpenSSF new members and applaud their commitment to advancing supply chain security for open source software and its technology and business ecosystem.”

The OpenSSF is a cross-industry collaboration that brings together technology leaders to improve the security of OSS. Its vision is to create a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course. Its working groups include Securing Critical Projects, Security Tooling, Identifying Security Threats, Vulnerability Disclosures, Digital Identity Attestation, and Best Practices.  

OpenSSF has more than 35 members and associate members contributing to working groups, technical initiatives and governing board and helping to advance open source security best practices. For more information on founding and new members, please visit: https://openssf.org/about/members/

Membership is not required to participate in the OpenSSF. For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved

New Member Comments

Citi
“Working with the open source community is a key component in our security strategy, and we look forward to supporting the OpenSSF in its commitment to collaboration,” said Jonathan Meadows, Citi’s Managing Director for Cloud Security Engineering.

Comcast
“Open source software is a valuable resource in our ongoing work to create and continuously evolve great products and experiences for our customers, and we know how important it is to build security at every stage of development. We’re honored to be part of this effort and look forward to collaborating,” said Nithya Ruff, head of Comcast Open Source Program Office. 

DevSamurai
“We are living in an interesting era, in which new IT technologies are changing all aspects of our lives everyday. Benefits come with risks, that can’t be truer with open source software. Being a part of OpenSSF we expect to learn from and contribute to the community, together we strengthen security and eliminate risks throughout the software supply chain,” said Tam Nguyen, head of DevSecOps at DevSamurai.

Hewlett Packard Enterprise
“Open source software (OSS) has grown in popularity and will power the modern enterprise infrastructure,” said Sunil James, Senior Director at Hewlett Packard Enterprise. “Its modular nature makes it difficult for customers to easily stitch together trust amongst disparate software and hardware components. Greater industry collaboration is critical to improving the security of OSS. Joining OpenSSF allows us to meaningfully collaborate with others on tooling and best practices to make OSS secure and trusted by default.”

Mirantis
“As open source practitioners from our very founding, Mirantis has demonstrated its commitment to the values of transparency and collaboration in the open source community,” said Chase Pettet, lead product security architect, Mirantis. “As members of the OpenSSF, we recognize the need for cross-industry security stakeholders to strengthen each other. Our customers will continue to rely on open source for their safety and assurance, and we will continue to support the development of secure open solutions.”

Snyk
“Snyk values the security and open source communities and have been working closely with the Linux Foundation for many years,” said Geva Solomonovich, CTO, Global Alliances, at Snyk. “We’ve been making security more accessible to developers by contributing to the Node.js Security Working Group and previous Core Infrastructure Initiative reports. Snyk also helps researchers and open source maintainers responsibly disclose vulnerabilities and assign CVEs. Snyk is thrilled to become an official OSSF member, and we look forward to working with others equally committed to advancing open source security throughout the full software development lifecycle.”

About the Open Source Security Foundation (OpenSSF)

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support the open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page:  https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
for the Linux Foundation
503-867-2304
jennifer@storychangesculture.com

 

Open Source Security Foundation Announces Education Courses and Participation Initiatives to Advance its Commitment to Securing the World’s Software Infrastructure

By Press Release

Free training opportunities, new member investments, consolidation with Core Infrastructure Initiative and new opportunities for anyone to contribute accelerate work on open source security

 

SAN FRANCISCO, Calif., Oct 29, 2020 OpenSSF, a cross-industry collaboration to secure the open source ecosystem, today announced free training for developing secure software, a new OpenSSF professional certificate program called Secure Software Development Fundamentals and additional program and technical initiatives. It is also announcing new contributors to the Foundation and newly elected advisory council and governing board members.

Open source software has become pervasive across industries, and ensuring its security is of primary importance. The OpenSSF, hosted at the Linux Foundation, provides a structured forum for a collaborative, cross-industry effort. The foundation is committed to working both upstream and with existing communities to advance open source security for all.

Open Source Security Training and Education

OpenSSF has developed a set of three free courses on how to develop secure software on the non-profit edX learning platform. These courses are intended for software developers (including DevOps professionals, software engineers, and web application developers) and others interested in learning how to develop secure software. The courses are specifically designed to teach professionals how to develop secure software while reducing damage and increasing the speed of the response when a vulnerability is found.

The OpenSSF training program includes a Professional Certificate program, Secure Software Development Fundamentals, which can allow individuals to demonstrate they’ve mastered this material. Public enrollment for the courses and certificate is open now. Course content and the Professional Certificate program tests will become available on November 5.

“The OpenSSF has already demonstrated incredible momentum which underscores the increasing priorities placed on open source security,” said Mike Dolan, Senior VP and GM of Projects at The Linux Foundation. “We’re excited to offer the Secure Software Development Fundamentals professional certificate program to support an informed talent pool about open source security best practices.”

New Member Investments

Sixteen new contributors have joined as members of OpenSSF since earlier this year: Arduino; AuriStor; Canonical; Debricked; Facebook; Huawei Technologies; iExec Blockchain Tech; Laboratory for Innovation Science at Harvard (LISH); Open Source Technology Improvement Fund; Polyverse Corporation; Renesas; Samsung; Spectral; SUSE; Tencent; Uber; and WhiteSource. For more information on founding and new members, please visit: https://openssf.org/about/members/

Core Infrastructure Initiative Projects Integrate with OpenSSF

The OpenSSF is also bringing together existing projects from the Core Infrastructure Initiative (CII), including the CII Census (a quantitative analysis to identify critical OSS projects) and CII FOSS Contributor Survey (a quantitative survey of FOSS developers). Both will become part of the OpenSSF Securing Critical Projects working group. These two efforts will continue to be implemented by the Laboratory for Innovation Science at Harvard (LISH). The CII Best Practices badge project is also being transitioned into the OpenSSF.

OpenSSF Leadership

The OpenSSF has elected Kay Williams from Microsoft as Governing Board Chair. Newly elected Governing Board members include:

  • Jeffrey Eric Altman, AuriStor, Inc.;
  • Lech Sandecki, Canonical;
  • Anand Pashupathy, Intel Corporation; and
  • Dan Lorenc from Google as Technical Advisory Committee (TAC) representative.

An election for a Security Community Individual Representative to the Governing Board is currently underway and results will be announced by OpenSSF in November. Ryan Haning from Microsoft has been elected Chair of the Technical Advisory Council (TAC).

There will be an OpenSSF Town Hall on Monday, November 9, 2020, 10:00a -12:00p PT, to share updates and celebrate accomplishments during the first three months of the project.  Attendees will hear from our Governing Board, Technical Advisory Council and Working Group leads, have an opportunity for Q+A and learn more about how to get involved in the project. Register here.

Membership is not required to participate in the OpenSSF. For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved.

 

New Member Comments

Arduino

“As an open-source company, Arduino always considered security as a top priority for us and for our community,” said Massimo Banzi, Arduino co-founder. ’”We are excited to join the Open Source Security Foundation and we look forward to collaborating with other members to improve the security of any open-source ecosystem.”

AuriStor

“One of the strengths of the open protocols and open source software ecosystems is the extensive reuse of code and APIs which expands the spread of security vulnerabilities across software product boundaries.  Tracking the impacted downstream software projects is a time-consuming and expensive process often reaching into the tens of thousands of U.S. dollars.  In Pixar’s Ratatouille, Auguste Gusteau was famous for his belief that “anyone can cook”.  The same is true for software: “anyone can code” but the vast majority of software developers have neither the resources or incentives to prioritize security-first development practices nor to trace and notify impact downstream projects.  AuriStor joins the OSSF to voice the importance of providing resources to the independent developers responsible for so many critical software components.” – Jeffrey Altman, Founder and CEO or AuriStor.

Canonical Group

“It is our collective responsibility to constantly improve the security of open source ecosystem, and we’re excited to join the Open Source Security Foundation,” said Lech Sandecki, Security Product Manager at Canonical. “As publishers of Ubuntu, the most popular Linux distribution, we deliver up to 10 years of security maintenance to millions of Ubuntu users worldwide. By sharing our knowledge and experience with the OSFF community, together, we can make the whole open source more secure.”

Debricked

“The essence of open source is collaboration, and we strongly believe that the OSSF initiative will improve open source security at large. With all of the members bringing something different to the table we can create a diverse community where knowledge, experience and best practices can help shape this space to the better. Debricked has a strong background in research and extensive insight in tooling; knowledge which we hope will be a valuable contribution to the working groups,” said Daniel Wisenhoff, CEO and co-founder of Debricked.

Huawei

“With open source software becoming a crucial foundation in today’s world, how to ensure its security is the responsibility of every stakeholder. We believe the establishment of the Open Source Security Foundation will drive common understanding and best practices on the security of the open source supply chain and will benefit the whole industry,” said Peixin Hou, Chief Expert on Open System and Software, Huawei. “We look forward to making contributions to this collaboration and working with everybody in an open manner. This reaffirms Huawei’s long-standing commitment to make a better, connected and more secure and intelligent world.”

Laboratory for Innovation Science at Harvard

“We are excited to bring the Core Infrastructure Initiative’s research on the prevalence and current practices of open source into this broader network of industry and foundation partners,” said Frank Nagle, Assistant Professor at Harvard Business School and Co-Director of the Core Infrastructure Initiative at the Laboratory for Innovation Science at Harvard. “Only through coordinated, strategically targeted efforts – among competitors and collaborators alike – can we effectively address the challenges facing open source today.”

Open Source Technology Improvement Fund

“OSTIF is thrilled to collaborate with industry leaders and apply it’s methodology and broad expertise for securing open-source technology on a larger scale. The level of engagement across organizations and industries is inspiring, and we look forward to participating via the Securing Critical Projects Working Group,” said Chief Operating Officer Amir Montazery. “Linux Foundation and OpenSSF have been instrumental in aligning efforts towards improving open-source software, and OSTIF is grateful to be involved in the process.”

Polyverse

“Polyverse is honored to be a member of OpenSSF. The popularity of open source as the ‘go-to’ option for mission critical data, systems and solutions has brought with it increased cyberattacks. Bringing together organizations to work on this problem collaboratively is exactly what open source is all about and we’re eager to accelerate progress in this area,” said Archis Gore, CTO, Polyverse.

Renesas

“Renesas provides embedded processors for various application segments, including automotive, industrial automation, and IoT. Renesas is committed to ensuring the integrity and confidentiality of systems and data while mitigating cybersecurity risks. To enable our customers to develop robust systems, it is essential to provide root-of-trust of the open source software that runs on our products,” said Shinichi Yoshioka, Senior Vice President and CTO of Renesas. “We are excited to join the Open Source Security Foundation and to collaborate with industry-leading security professionals to advance more secure computing environments for the society.”

Samsung

“Samsung is trying to provide best-in-class security with our technologies and activities. Not only are security risks reviewed and removed in all development phases of our products, but they are also monitored continuously and patched quickly,” said Yong Ho Hwang, Corporate Vice President and Head of Samsung Research Security Team, Samsung Electronics. “Open source is one of the best approaches to drive cross-industry effort in responding quickly and transparently to security threats. Samsung will continue to be a leader in providing high-level security by actively contributing and collaborating with the Open Source Security Foundation.”

Spectral

“Spectral’s mission is to enable developers to build and ship software at scale without worry. We feel that the OpenSSF initiative is the perfect venue to discuss and improve open source security and is a natural platform that empowers developers. The Spectral team is happy to participate in the working groups and share their expertise in security analysis and research of technology stacks at scale, developer experience (DX) and tooling, open source codebases analysis and trends, developer behavioral analysis, though the ultimate goal of improving open source security and developer happiness,” said Dotan Nahum, CEO and co-founder of Spectral.

SUSE

“At SUSE, we power innovation in data centers, cars, phones, satellites and other devices. It has never been more critical to deliver trustworthy security from the core all the way to the edge,” said Markus Noga, VP Solutions Technology at SUSE. “We are committed to OpenSSF as the forum for the open source community to collaborate on vulnerability disclosures, security tooling, and to create best practices to keep all users of open source solutions safe.”

Tencent

“Tencent believes in the power of open source technology and collaboration to deliver incredible solutions to today’s challenges. As open source has become the de facto way to build software, its security has become a critical component for building and maintaining the software and infrastructure,” said Mark Shan, Chair of Tencent Open Source Alliance and Board Chair of the TARS Foundation. “By bringing different organizations together, OpenSSF provides a platform where developers can collaboratively build solutions needed to protect the open source security supply chain. Tencent is very excited to join this collaborative effort as an OpenSSF member and contribute to its open source security initiatives and best practices.

WhiteSource

“In today’s world, software development teams simply cannot develop software at today’s pace without using open source. Our goal has always been to empower teams to harness the power of open source easily and securely. We’re honored to get the opportunity to join the Open Source Security Foundation where we can join forces with others to contribute, together, towards open source security best practices and initiatives.” David Habusha, VP Product.

About the Open Source Security Foundation (OpenSSF)

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support the open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page:  https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
Story Changes Culture
503-867-2304
jennifer@storychangesculture.com

Technology and Enterprise Leaders Combine Efforts to Improve Open Source Security

By Press Release

New collaboration called Open Source Security Foundation (OpenSSF) consolidates industry efforts to improve the security of open source software

SAN FRANCISCO, Calif., Aug 3, 2020 – The Linux Foundation, today announced the formation of the Open Source Security Foundation (OpenSSF). The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.

Open source software has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike. Because of its development process, open source that ultimately reaches end users has a chain of contributors and dependencies. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency chain.

The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just a couple of the projects that will be brought together under the new OpenSSF. The Foundation’s governance, technical community and its decisions will be transparent, and any specifications and projects developed will be vendor agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

“We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation. “Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”

With the formalization of the group, the open governance structure is established and includes a Governing Board (GB), a Technical Advisory Council (TAC) and a separate oversight for each working group and project. OpenSSF intends to host a variety of open source technical initiatives to support security for the world’s most critical open source software, all of which will be done in the open on GitHub.

For more information and to contribute to the project, please visit https://openssf.org

Resources

Threats, Risks & Mitigations of the Open Source Ecosystem, Open Source Security Coalition
Vulnerabilities in the Core, Harvard’s Lab for Innovation Science and Linux Foundation
Red Hat Product Security Risk Report, Red Hat

Governing Board Member Quotes

GitHub
“Every industry is using open source software, and it is our collective responsibility to help maintain a healthy and secure ecosystem,” said Jamie Cool, Vice President of Product Management, Security at GitHub. “GitHub founded the Open Source Security Coalition in 2019 to bring together industry leaders around this mission and ensure the consumption of open source software is something that all developers can do with confidence. We look forward to this next step in the evolution of the coalition and serving as a founding member of the Open Source Security Foundation.”

Read more in GitHub’s blog.

Google
“Security is always top of mind for Google and our users. We have developed robust internal security tools and systems for consuming open source software internally, for our users, and for our OSS-based products. We believe in building safer products for everyone with far-reaching impacts, and we are excited to work with the broader community through the OpenSSF. We look forward to sharing our innovations and working together to improve the security of open source software we all depend on,” said Director of Product Security, Google Cloud, James Higgins.

IBM
“Open source has become mainstream in the enterprise. As such, the security of the open source supply-chain is of paramount importance to IBM and our clients,” said Christopher Ferris, IBM Fellow and CTO Open Technology. “The launch of the Open Source Security Foundation marks an important step towards giving open source communities the information and tools they need to improve their secure engineering practices, and the information developers need to choose their open source wisely.”

JPMorgan Chase
“Developing, growing and using open source software is a top priority for JPMorgan Chase. We are committed to partner with the community through the Open Source Security Foundation to ensure trust and security in open source software for everyone,” stated Lori Beer, Global Chief Information Officer, JPMorgan Chase.

Microsoft
“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own,” said Mark Russinovich, Chief Technology Officer, Microsoft Azure. “As with everything open source, building better security is a community-driven process. All of us at Microsoft are excited to be a founding member of the Open Source Security Foundation and we look forward to partnering with the community to create new security solutions that will help us all.”

Read more in Microsoft’s blog.

NCC Group
“The security and privacy of the internet is essential for the protection of individuals, organizations and critical infrastructure, and also the future of democracy and our civil liberties. Given the fundamental role open source plays in powering our world, creating scalable resources and tools to help software maintainers, developers, and users understand and improve their projects’ security is a significant step toward a safer and more secure world. By bringing together a dedicated group of technologists with a shared desire to improve the security of open source software, together we can begin to remediate – or even prevent – security vulnerabilities at a scale not previously possible,” stated Jennifer Fernick, Head of Research at global cyber security expert NCC Group.”

OWASP
“Joining the Linux Foundation and the Open Source Security Foundation is central to our mission to advance the state of application security, especially as OpenSSF is already aligned with OWASP’s core philosophies of openness, transparency and innovation,” said Andrew van der Stock, Executive Director of OWASP, the Open Web Application Security Project. “We look forward to working with all of the participating organizations to improve the state of software security and work together on projects of vital interest to software developers, organizations, and governments around the world.”

Red Hat
“Red Hat is unrelenting in our commitment to open source and in participating to make upstream projects successful. We believe security is an essential part of healthy project communities,” said Chris Wright, CTO of Red Hat. “Now, more than ever, is the time for us to join together with other leaders to help ensure key projects are secure and consumable in our products, across enterprises, and as part of the hybrid cloud. We are excited to help found this Open Source Software Foundation.”

Additional Founding Member Quotes

ElevenPaths
“The security of an enterprise application or services depends mainly on the security of all its components. The vast majority of business applications and services are not fully developed in-house as they make use of open source components that help accelerate the development cycle and extend their functionality. Therefore, it is essential to ensure that all open source components comply with the best practices of secure development and periodic reviews are carried out to positively impact all software that makes use of these components. Joining the Open Source Security Foundation is fully aligned with our vision and principles.”

GitLab
“GitLab is excited to play a part in the creation of the Open Source Security Foundation (OpenSSF) to further cross-industry collaboration and move the security of open source projects forward as it is key to the future of technology,” said David DeSanto, director of product for Secure and Defend at GitLab. “Aligning with GitLab’s mission of ‘everyone can contribute,’ we look forward to supporting and contributing to the community to bring together security-conscious developers to change open source development in a collaborative and fundamental way.”

HackerOne
“Open source software powers HackerOne,” said Reed Loden, Head of Open Source Security, HackerOne. “It powers our software, our infrastructure, and our model for engaging with our community. As part of our mission to make the internet safer, we want to make it easier for open source projects to remain secure. For over three years, we’ve given the open source community our platform for free, and we’ve been long-time supporters of initiatives like Internet Bug Bounty. Joining the Linux Foundation and the Open Source Security Foundation allows us to continue on our mission and make the internet safer alongside some of the foremost visionaries in security. We look forward to seeing the change we can make together.”

Intel
“It takes the industry working together to advance technology and accelerate open source security initiatives. Hardware and software are inextricably linked to deliver security, transparency and trust in open source software. Together with the OpenSSF, Intel will continue to play a key role in mobilizing the industry at large and solving security challenges from the cloud to the edge,” said Anand Pashupathy, GM of System Security Software, Intel.

SAFECode
“Open source software is a major component in today’s software supply chain and thus comprises a significant fraction of the software that individuals and organizations rely upon. Supporting the secure development of open source software is of critical importance to SAFECode members and the software community,” said Steve Lipner, executive director of SAFECode. “We are looking forward to bringing our software security experience to bear as we participate in the Open Source Security Foundation’s mission to build a collaborative, cross-industry community to support the security of open source software.”

StackHawk
“The use of open source has undoubtedly reached critical mass, with ever increasing dependency trees and software complexity. Equipping engineering teams to deliver secure applications simply and scalably is core to our mission at StackHawk. We are excited to be one of the founding members of the Open Source Security Foundation to ensure that this can be a reality across software development as a whole and look forward to continued partnership with the community,” said StackHawk’s Founder & CEO, Joni Klippert.

Uber
“Security and Privacy is always top of mind at Uber to ensure we are responsible stewards of our user’s data. We’re always focused on mitigating all types of software vulnerabilities and as such the security of open source software is a top priority. Historically, we’ve worked with other industry leaders to help build a strong security community around open source software and we are excited to expand those efforts with the OpenSSF,” said Rob Fletcher, Sr Manager, Security Engineering.

VMware
“Strengthening the security posture, policies, and processes in the open source community and in widely used open source projects is strengthening the whole software ecosystem – for all players,” said Joshua Lock, security tech lead, Open Source Technology Center, VMware. “VMware strongly supports the goal of making our software ecosystem more resilient and more secure.”

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
reTHINKit Media
503-867-2304
jennifer@rethinkitmedia.com