$150 Million Investment Plan Proposed for Improving Open-Source Security

At the Open Source Software Security Summit II in Washington D.C. last week, leaders of the open source community proposed a 2-year, $150 million investment plan for improving open-source security in the U.S. and upgrading cybersecurity resilience.

The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together more than 90 executives from over three dozen companies, along with government leaders, for the summit, which set out to produce an actionable plan for addressing the security issues associated with open source software.

“We are here to respond with a plan that is actionable, because open source is a critical component of our national security, and it is fundamental to billions of dollars being invested in software innovation today,” said Jim Zemlin, executive director of the Linux Foundation. “We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself. This plan represents our unified voice and our common call to action.”

The Linux Foundation and OpenSSF have laid out a 2-year plan that would see the $150 million divided across 10 streams of work aimed at improving the security of open source software and its resilience to cyberattacks. The plan has three main aims:

  • Secure the production of open source software
  • Improve vulnerability detection and remediation
  • Shorten patching response times

The 10 areas that will receive investments are:

  • Security education – Deliver baseline secure software development education and certification to all
  • Risk assessment – Establish a public, vendor-neutral, objective, metrics-based risk assessment dashboard for the top 10,000+ OSS components
  • Digital signatures – Accelerate the adoption of digital signatures for all software releases
  • Memory safety – Eliminate the root cause of many vulnerabilities by replacing non-memory-safe languages
  • Incident response – Establish an incident response team at OpenSSF to accelerate the response to newly discovered vulnerabilities
  • Better scanning – Use advanced tools and expert guidance to accelerate the discovery of new vulnerabilities
  • Code audits – Conduct annual third-party code audits of the 200 most critical OSS components
  • Data sharing – Coordinate industry-wide data sharing to improve the research that determines which OSS components are most critical
  • Software bills of materials – Improve SBOM tooling and training so that SBOMs are produced and consumed everywhere
  • Improved software supply chains – Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices

These areas for investment serve as the starting point. The plan sets out ideas and principles for identifying what is broken and provides a way to fix it. “Ad-hoc efforts to improve security have reached a limit. We believe for the value invested these new, organized approaches to improving security across the board will have an outsized impact,” concluded the Linux Foundation and OpenSSF.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news