A 10-point plan to improve the security and resilience of open source software was presented this week at a summit in the US
Published: 13 May 2022 13:00
The open source community has presented a 10-point plan to improve the security and resilience of its software, bringing together more than 90 executives from 37 organisations, alongside US government officials, at a summit in Washington DC.
Held a year on from president Biden’s executive order on improving US cyber security, the Open Source Software Security Summit II was organised by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF).
The plan outlines a two-year, $150m (£123m) programme to advance vetted solutions to the 10 major problems identified in the plan, as well as to establish a firm pathway to both more immediate improvements and underpinnings for future development.
A group of companies, namely Amazon, Ericsson, Google, Intel, Microsoft and VMware, has already pledged over $30m of the total needed, with more funding to be identified as the plan develops further.
“To mark the one-year anniversary of President Biden’s executive orders, we are here today to present a plan for action, because open source is an essential component of our national security, and it is fundamental to billions of dollars currently being invested in software innovation,” stated Jim Zemlin, executive director of the Linux Foundation.
“We have a common obligation to improve our collective cyber security resilience, and increase trust in software. This plan is our collective voice and our call to action. Leadership is the most important task before us.”
OpenSSF’s executive director said: “What are we doing here together? Converging an idea and principles of what’s broken out there and how we can fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We would love to hear from you and get your commitments to move us from plan to actual.”
The 10-point plan, which can be read in full on OpenSSF’s website, is as follows:
- To deliver baseline secure software development education and certification;
- To establish a public, supplier-neutral, objective-metrics-based risk assessment dashboard for 10,000 widely used open source software (OSS) components;
- To accelerate the adoption of digital signatures on OSS releases;
- To eliminate the root causes of many vulnerabilities by replacing non-memory-safe languages;
- To establish an OpenSSF-backed incident response team to help open source projects respond to vulnerability disclosures;
- To improve the ability of maintainers and experts to discover new vulnerabilities in open source projects;
- To establish a programme of third-party code audits and remediation for up to 200 of the most-critical OSS components;
- To improve industry-wide data sharing and how the community determines which OSS components are most critical;
- To improve the adoption of software bill of materials (SBOM) tooling and training;
- And finally, to enhance the 10 most-critical OSS build systems, package managers and distribution systems with improved supply chain security tools and practices.
Commenting on the plan, Mike Hanley, chief security officer (CSO) at GitHub, said: “Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain.
“As home to 83 million developers around the world, GitHub is uniquely positioned and committed to advance these efforts, and we’ve continued our investments to help developers and maintainers realize improved security outcomes through initiatives including 2FA enforcement on GitHub.com and NPM, open sourcing the GitHub Advisory Database, financial enablement for developers through GitHub Sponsors, and free security training through the GitHub Security Lab.
“Security of open source software is crucial to all software’s security. Summit II has been