The Linux Foundation has launched a new collaborative project designed to address security vulnerabilities in open source software, bringing together some of the most influential players in technology.
The Open Source Security Foundation (OpenSSF) will see founding members – including Microsoft, Github, Google, IBM, Red Hat and JPMorgan – combine resources to tackle various security challenges specific to the open source ecosystem.
The new entity will fold together a few different overlapping initiatives, including the Open Source Security Coalition (OSSC) and the Core Infrastructure Initiative (CII), which will now operate under the umbrella of the OpenSSF.
The CII already enjoys the backing of AWS, Cisco, Qualcomm, Intel and more (on top of the support of founding members of the OpenSSF). The main difference, under the new model, is that the project will not rely exclusively on grants, but will also be funded in part by Linux Foundation membership subs.
Open source software security
According to Mark Russinovich, Microsoft Azure CTO, the new project will allow its members to better navigate the security considerations unique to the open source ecosystem.
“Open source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance. Because open source code can be copied and cloned, versioning and dependencies are particularly complex,” he wrote in a blog post.
“Open source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process.”
In light of this complexity, the new initiative is split into five working groups, each of which is responsible for a distinct aspect of open source security:
- Vulnerability disclosures
- Security tooling
- Identifying threats to open source projects
- Security best practices
- Securing critical projects
Operating underneath the governing board of the new foundation, there exists a technical advisory committee and separate technical committees that oversee each working group.
The overarching hope is that, by consolidating various disparate projects and pooling resources, the OpenSSF will be able to address issues with open source security that could not otherwise be resolved.
Via The Register