More Secure Open Source Software, The Shared Goal Of The Linux Foundation and OpenSSF

Companies such as Amazon, Ericsson, Google, Intel, Microsoft and VMware support their plan with an initial investment of more than $30 million.

Making open source software more secure. That is the shared mission of the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), which brought together executives from 37 companies and government leaders for the Open Source Software Security Summit II.

Together, they have a ten-step plan to increase the security of open source software and of the software supply chain.

This plan involves, first and foremost, promoting education and certification in secure software development.

It also seeks to establish a vendor-independent risk assessment panel that works from objective metrics, as well as an incident response team made up of experts ready to help open source projects at key moments. In this regard, they intend to coordinate data sharing across the industry to improve investigation processes.

Other measures include accelerating the discovery of vulnerabilities, reviewing third-party code for critical components and eliminating some root causes by replacing languages that are not memory-safe.

The plan also includes accelerating the adoption of digital signatures, improving SBOM (software bill of materials) tooling and training, and improving supply chain tools and practices.

Ultimately, the open source community seeks to converge “a set of ideas and principles of what is broken” and see “what we can do to fix it,” as Brian Behlendorf, executive director of OpenSSF, explains.

These efforts should enable secure software production, improve vulnerability discovery and remediation, and shorten the response time for patching.

Jim Zemlin, executive director of the Linux Foundation, reminds us that open source is “a critical component” that is “fundamental to today’s multi-billion dollar investment in software innovation.”

“We have a shared obligation to upgrade our collective cybersecurity resilience and improve confidence in the software itself,” he says. “This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership.”

To consolidate this plan, its backers are contemplating $150 million in funding over two years. This should enable them to move forward in discovering solutions to the list of ten problems that have already been identified, including immediate improvements.

Technology companies such as Amazon, Ericsson, Google, Intel, Microsoft and VMware will collaborate with this initiative and will provide an initial boost to the implementation of the plan with more than $30 million.