The maintainers of thousands of critical open-source projects and the developers who build on the foundation of that code will both benefit from 10 security initiatives launched late last week.
The Linux Foundation, the Open Source Security Foundation (OpenSSF), and 37 technology companies, including tech bigwigs Amazon, Google, and Microsoft, have committed to the project, which is estimated to cost $150 million. And in tandem with the announcement came $30 million in initial funding.
During a second summit of software industry professionals and government officials, the organizations committed to supporting a 10-step plan to shore up open source maintainers, provide tools to improve software security, and secure the software supply chain.
The Open Source Software Security Mobilization Plan groups the 10 steps into three broad initiatives: securing open source software production, improving the discovery and remediation of vulnerabilities, and speeding the ecosystem's time to patch.
To show their commitment, a group of companies has pledged $30 million of the estimated $150 million needed to fund all 10 initiatives for the first two years, Brian Behlendorf, general manager of the OpenSSF, said during a press conference on Thursday. This initial $30 million comes from Amazon, Ericsson, Google, Intel, Microsoft, and VMware.
"We realize that [$150 million] is a meaningful amount," he said. "It is an amount more than any one open source developer has, or even most open source projects. But when compared to the cost of remediating a major vulnerability out there, like we have seen in the last few years, it is a drop in the bucket — a very small ounce of prevention to spend for many, many pounds of cure."
The 10-step plan calls for educating and certifying developers in secure programming, creating and maintaining security metrics for the top 10,000 OSS components, promoting digital signing of software releases, and replacing non-memory-safe languages, such as C and C++, with more modern alternatives, such as Go and Rust. The plan also calls for improving the discovery of vulnerabilities and their remediation by funding a team of experts to assist open source projects during incidents, providing advanced security tools, funding third-party reviews, and coordinating the sharing of data to determine the most critical components.
The intent is to improve security without increasing workload, the open source foundations stated in the report.
"[A]ll forms of investment and intervention should be focused on delivering new value to OSS maintainers — from making it easier to adopt practices that enhance the security and integrity of their work, to funding activities like third party code reviews that most projects struggle to afford to perform on their own," the report stated. "Any investments or policies that place additional burdens on developers, increase their personal or professional liability for working on code, or issue unfunded mandates upon them, would struggle for adoption and potentially inhibit further advancements in open source software."
Developers & Maintainers to See More Tools
The main focus of the $150 million effort will be to produce tools, training, and services for developers and maintainers to create more secure software. Already, some tools have been released as part of the efforts of the OpenSSF and other supporters, such as Google.
Google, for example, released a tool known as Allstar that automatically vets GitHub projects to flag any anomalies, which could indicate a security issue in the maintenance of the project. The company has also released a system, Scorecard, for rating projects in 18 different areas to give them a security rating. Google and the Linux Foundation, meanwhile, released a tool, sigstore, to help verify the integrity of software supply chains.
Such efforts are extremely important to reduce the impact of security efforts on developers' work, Stephen Chin, vice president of developer relations at software supply chain security firm JFrog, said in a statement.
"We believe open-source security will only be successful if we give OSS projects the same tools and services available to enterprises," he said. "Access to automated tools and high-quality security databases for open-source projects is essential and something that JFrog is committed to helping make happen."
Even more important than the tools is that the efforts create standards that allow interoperability between tool sets, Dan Lorenc, CEO and co-founder at Chainguard and a co-creator of sigstore, said in a statement.
"Interoperability is the linchpin in securing software throughout the supply chain," he said, adding: "These open source tools and projects are the core infrastructure for securing our digital world. But we know not every organization is in a position to go deep on learning each project, nor do they have dedicated staff to understand and integrate all of these tools."
Gaining Momentum for Open Source Security Support
In October, the OpenSSF announced that 16 premier members — including Amazon, Cisco, Facebook, Fidelity, Google, Microsoft, and Red Hat — along with 15 general members had committed $10 million to expand and support the organization.
The broad base of support shows that open source security is a problem that affects every business using software, Brian Fox, CTO at Sonatype, said in a statement.
"It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today," he said. "It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone."