“Alpha” works with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” identified at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.
Alpha-Omega partners with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code – and get them fixed – to improve global software supply chain security.
Nov 15, 2023
Today, Alpha-Omega is excited to announce our second year of supporting the Rust Foundation Security Initiative. We believe that this funding will build on the good work and momentum established by the Rust Foundation in 2023. Through this partnership, we are helping relieve maintainer burdens while paving an important path…
Nov 6, 2023
Alpha-Omega is pleased to announce a grant to the Homebrew project to enable Sigstore attestations and verification of Homebrew packages. When complete the project will allow organizations to securely verify the provenance of the toolchains on their workstations and in their build environments. This is a critical part of securing…
Jun 22, 2023
Through funding by the OpenSSF’s Alpha-Omega Project, the Python Software Foundation (PSF) has hired a new security developer in residence as part of a year-long security enhancement initiative. PSF announced their intention to fill this role back in January, and after a thorough search, they have chosen Seth Michael Larson!
Dec 14, 2022
Alpha-Omega is an OpenSSF project, established in February 2022, with a mission to protect society by improving the security of open source software through direct maintainer engagement and expert analysis, working toward a world where critical open source projects are secure and security vulnerabilities are found and fixed…
More About Alpha and Omega
Alpha: Focusing on the Most Critical OSS Projects
Alpha is collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.
For these selected projects, Alpha team members provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.
Alpha tracks a series of important metrics, giving stakeholders a better understanding of the security of the open source projects they depend on. The public will receive a transparent, standardized view of each project’s security posture and compliance with security best practices.
Omega: Focusing on the Long Tail of OSS Projects
Omega uses automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings), and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega has a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.
Omega community members will provide suggestions on how to automate detection of security vulnerabilities in the future and more generally on efficient ways to implement security best practices.
Frequently Asked Questions
What is the engagement model for the public? How can individuals get involved?
For now, the best way for the public to engage is through the OpenSSF working groups, in particular the Securing Critical Projects, Best Practices for OSS Developers, and Vulnerability Disclosures groups. We will also be hosting a monthly public meeting on the first Wednesday of each month.
How can organizations get involved?
Please direct colleagues from your organizations to the working groups. If you’re interested in helping fund Alpha-Omega, please contact us directly at http://members.openssf.org/.
Will the Omega group of security researchers be community-driven, where contributors come and go, or selected, consistent individuals?
Initially, these will be staff positions, hired by the Linux Foundation and working in a dedicated manner on Omega. We’re exploring ways for the community to be engaged and contribute meaningfully.
How will critical projects be identified?
An OpenSSF working group has created an initial critical projects list to begin prioritizing the work. The initial focus will be on areas where we can learn and have impact quickly.
How will you interact with the OSS projects for which you find vulnerabilities?
We will continue to lean on the OpenSSF working groups and our own internal teams for guidance. It is unlikely that we will diverge from normal best practices. Working directly with the maintainers is key and we won’t start finding vulnerabilities without an initial relationship in place.
Is Alpha-Omega a security project to prevent hacking attacks, or is another layer of security going to be added using Alpha-Omega?
Alpha-Omega is neither the beginning nor the end of good security practices. The goal is to reduce the volume of serious exploitable vulnerabilities in the ecosystem, making it harder for attackers to carry out an attack. This complements many other efforts, so in that sense, yes, Alpha-Omega is like an additional layer of protection, directed to where it will have the most impact.