May 13, 2022

Open Source Leaders Push WH for Security Action


A first-of-its-kind plan to broadly address open source and software supply chain security is waiting for White House support.

The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB on Thursday to reach a consensus on key actions to take to improve the resiliency and security of open-source software.

A subset of participating organizations has collectively pledged an initial tranche of funding towards the implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMware, pledging over $30 million. As the plan evolves further, more funding will be identified and work will begin as individual streams are agreed upon.

Open Source Software Security Summit II is a follow-up to the first Summit held in January, led by the White House’s National Security Council. That meeting, convened by the Linux Foundation and OpenSSF, came on the one-year anniversary of President Biden’s Executive Order on Improving the Nation’s Cybersecurity.

As part of this second White House Open Source Security Summit, open source leaders called on the software industry to standardize on the Sigstore developer tools and support a 10-point plan to upgrade open source’s collective cybersecurity resilience and improve trust in software itself, according to Dan Lorenc, CEO and co-founder of Chainguard and co-creator of Sigstore.

“On the one year anniversary of President Biden’s executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security, and it is fundamental to billions of dollars being invested in software innovation today,” announced Jim Zemlin, executive director of the Linux Foundation, during his organization’s press conference on Thursday.

Pushing the Support Envelope

Most major software packages contain elements of open source software, including code used by the national security community and critical infrastructure. Open-source software supports billions of dollars in innovation but also carries with it unique challenges for managing cybersecurity across its software supply chains.

“This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership,” said Zemlin. “This is the first time I have seen a plan and industry will to foster a plan that will work.”

The Summit II plan outlines approximately $150 million of funding over two years to rapidly advance well-vetted solutions to the 10 major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future.

“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action,” said Brian Behlendorf, executive director of Open Source Security Foundation.


Open Source Software Security Summit II in Washington D.C., May 12, 2022. [L/R] Sarah Novotny, Open Source Lead at Microsoft; Jamie Thomas, Enterprise Security Executive at IBM; Brian Behlendorf, executive director of Open Source Security Foundation; Jim Zemlin, executive director of The Linux Foundation.

Highlighting the Plan

The proposed plan is founded on three primary goals:

  • Securing open source software production
  • Improving vulnerability discovery and remediation
  • Shortening ecosystem patching response time

The full plan contains elements to achieve those goals. They include security education that delivers a baseline for software development education and certification. Another element is to establish a public, vendor-neutral objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.

The plan proposes the adoption of digital signatures on software releases and establishing the OpenSSF Open Source Security Incident Response Team to assist open source projects during critical times when responding to a vulnerability.

Another plan detail focuses on better code scanning to accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.

Third-party code audits, along with any necessary remediation work, would cover up to 200 of the most-critical OSS components once per year.

Coordinated industry-wide data sharing would improve the research that helps determine the most critical OSS components. Making Software Bills of Materials (SBOMs) available everywhere would require improved tooling and training to drive adoption, and build systems, package managers, and distribution systems would be provided with better supply chain security tools and best practices.

The Storehouse Factor

Chainguard, which co-created the Sigstore repository, is committing financial resources towards the public infrastructure and network proposed by OpenSSF and will collaborate with industry peers to deepen work on interoperability to ensure Sigstore’s impact is felt across the software supply chain and every corner of the software ecosystem. This commitment includes a minimum of $1 million a year in support of Sigstore and a pledge to run it on its own node.

Sigstore, designed and built with maintainers for maintainers, has already been widely adopted by millions of developers worldwide. Now is the time to formalize its role as the de facto standard for digital signatures in software development, said Lorenc.

“We know the importance of interoperability in increasing adoption of these critical tools because of our work on the SLSA Framework and SBOM. Interoperability is the linchpin in securing software throughout the supply chain,” he said.

Related Support

Google on Thursday announced that it is creating an “open-source maintenance crew” tasked with improving the security of critical open-source projects.

Google also unveiled Google Cloud Dataset and Open-Source Insights projects to help developers better understand the structure and security of the software they use.

“This dataset provides access to critical software supply chain information for developers, maintainers and consumers of open-source software,” according to Google.

“Security risks will continue to span all software companies and open-source projects and only an industry-wide commitment involving a global community of developers, governments, and businesses can make real progress. Google will continue to play our part to make an impact,” said Eric Brewer, vice president of infrastructure at Google Cloud and Google Fellow, at the security summit conference.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
