White House joins OpenSSF and Linux Foundation to secure open source software

Securing the open source software supply chain is a huge task. Last year, the Biden administration issued an executive order aimed at improving the security of the software supply chain. It came after the Colonial Pipeline ransomware attack disrupted gas and oil deliveries throughout the Southeast and after the SolarWinds software supply chain attack. Securing software has become a top priority. In response, the Open Source Security Foundation (OpenSSF) and the Linux Foundation have taken up the challenge. They are now asking for $150 million in funding over two years to fix ten major open source security issues.

They will need every penny and more.

The government will not pay the freight for these changes. $30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft and VMware, and more is on the way: Amazon Web Services (AWS) has pledged an additional $10 million.

At the White House press conference, OpenSSF CEO Brian Behlendorf said, “I want to be clear: we’re not here to raise money from the government. success.”

Here are the ten goals that the open source industry is committed to achieving.

  1. Security Training: Provide everyone with basic training and certification in secure software development.

  2. Risk Assessment: Build a public, vendor-neutral risk assessment dashboard based on objective metrics for the top 10,000 OSS components (or more).

  3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.

  4. Memory Safety: Eliminate the root causes of many vulnerabilities by replacing memory-unsafe languages.

  5. Incident Response: Establish the Open Source OpenSSF Security Incident Response Team, security experts who can step in to help open source projects during critical moments when responding to a vulnerability.

  6. Better analysis: Accelerate the discovery of new vulnerabilities by giving maintainers and experts advanced security tools and expert advice.

  7. Code Audits: Perform third-party code reviews (and any necessary remediation work) on up to 200 of the most critical OSS components once a year.

  8. Data Sharing: Coordinate industry-wide data sharing to enhance research that helps determine the most critical OSS components.

  9. Software Bill of Materials (SBOM) Everywhere: Improve SBOM tooling and training to drive adoption.

  10. Improved supply chains: Improve the 10 most critical open source software builders, package managers, and distribution systems with better supply chain security tools and best practices.

I’ll go into more detail on these in later stories, but even at a glance it’s a colossal undertaking. For example, C, the language at the heart of the Linux kernel, the most important of all open source projects, is the source of many vulnerabilities. While the memory-safe Rust language is now used in Linux, it’s years, if not decades, away from replacing C in Linux’s more than 27.8 million lines of code. Indeed, I doubt we’ll ever see all of Linux’s C code replaced by Rust.

We are already close to solving some of the others. The open source security company Chainguard is calling on the software industry to standardize on Sigstore. Sigstore lets developers securely sign software artifacts such as release files, container images, binaries, SBOM manifests, and more. This Linux Foundation project is supported by Google, Red Hat and Purdue University.

Sigstore has several cool features. These include:

  • Sigstore’s keyless signing provides a great development experience and removes the need for tedious key management.

  • Sigstore Public Transparency Log (Rekor) and APIs mean Kubernetes consumers can easily verify signed artifacts.

  • Sigstore’s use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm charts, configuration files, and policy sets) and OpenID Connect (OIDC), means it integrates seamlessly with other tools and services.

  • The active, open-source and vendor-neutral Sigstore community ensures that the project will gain rapid adoption and become a de facto industry standard.

In effect, Kubernetes has already adopted Sigstore. In short, adopting secure digital signatures for your code is simple, and the programmers who use your code can then be sure that it is the code they want and can trust.

That is essential. As Stephen Chin, VP of Developer Relations at the software supply chain security company JFrog, said, “While open source has always been seen as a seed of modernization, the recent increase in software supply chain attacks has demonstrated that we need a stronger process for validating open source repositories.”

Of course, there will always be bugs. As Behlendorf said, “Software will never be perfect. The only software that has no bugs is software without users.”

Margie D. Carlisle