What is the Open Source Security Foundation?

Many open source software projects started life as collaborations between developers who wanted an alternative to major software vendors such as Microsoft and SAP, which were making huge profits from licensing software that often failed to live up to its high price. While these projects were initially used by only a small number of companies, today open source software is relied upon, to varying degrees, by virtually all businesses.

However, the increase in open source usage has been accompanied by an increase in vulnerabilities. With so many companies relying on the same open source codebases, a single vulnerability that cybercriminals can identify and exploit gives them a way to attack huge numbers of companies at once, which is why the security of open source software is a major concern.

What is the Open Source Security Foundation?

The Open Source Security Foundation, or OpenSSF, is a cross-industry collaboration whose aim is to improve open source security. Hosted by the Linux Foundation, the Open Source Security Foundation is committed to driving security innovation across all of the major open source projects and brings these efforts together under a single umbrella.

The Open Source Security Foundation seeks to identify and address cybersecurity vulnerabilities in open source software and develop the necessary tools, training, best practices, and vulnerability disclosure guidelines to ensure that open source is secure.

Premier members of the Open Source Security Foundation include the likes of Amazon, Cisco, Dell Technologies, Google, IBM, Intel, Microsoft, Oracle, Snyk, and VMware, with many more companies participating as general members – all of which believe that improving the security of open source is in the public good and have made commitments to address open source security for the common benefit of the community.

Aims of the Open Source Security Foundation

The Open Source Security Foundation strives for a future in which all participants in the open source ecosystem use and share high-quality software and all security issues are proactively handled. In that future, software developers have easy access to resources that help them learn secure development practices, and all users of open source projects are automatically informed when security issues are identified, allowing them to take the necessary steps to prevent, remediate, and mitigate those issues.

The open source software that reaches end users has usually had many different contributors and uses many different dependencies. It is vital that all individuals responsible for security can understand the source of the code and verify its security.

Securing open source software is vital for ensuring the security of the supply chain for all companies, as virtually all companies use open source software in their technology strategies. Creating a trustworthy supply chain is therefore critical for all businesses.

The Open Source Security Foundation maintains transparency so that all stakeholders can participate in the foundation, ensures that open source maintainers and developers are given credit for their contributions, gathers perspectives from a wide range of users with diverse levels of experience, and helps everyone work together to make open source more secure.

Open Source Security Standards

Members of the Open Source Security Foundation have played key roles in developing a range of open source software standards, tools, training material, and open content work to improve open source software security, including the following:

  • Security Scorecard – An automated tool for assessing heuristics associated with software security.
  • Vulnerability Disclosures – A guide for responsible, coordinated vulnerability disclosures for open source security projects.
  • Package Analysis – Components to aid in the analysis of open source packages.
  • Security Policies – A GitHub App for setting and enforcing security policies.
  • Security Framework – A security framework from source to service for improving artifact integrity across the supply chain.
  • Security Reviews – A collection of security reviews of open source software projects.
  • Best Practices Badge – A method for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.
  • Research – Extensive research conducted on open source software and critical security vulnerabilities.

Why the Open Source Security Foundation is so Important

Securing the software supply chain is vital for all businesses, and it has never been more important than it is today. Sonatype, a provider of a software composition analysis (SCA) platform used by companies to scan their codebases for known vulnerabilities, recently reported that the market for open source packages increased by 73% in 2021 and that developers downloaded more than 2.2 trillion open source packages in 2021.

As more businesses leverage open source codebases, vulnerabilities in those codebases are incorporated into an increasing number of software solutions and could easily be exploited. Sonatype says 2021 saw a 650% increase in open source software supply chain attacks, in which vulnerabilities are exploited or malicious code is added to open source software.

In response to the call from the White House to improve the baseline for collective cybersecurity, the Linux Foundation has recently secured an additional $10 million in new commitments to help secure software supply chains and to pay it forward to open source communities, helping them address cybersecurity issues before they can be exploited.