Let the OSS Enterprise newsletter guide your open source journey! Sign up here.
The Linux Foundation has received a $10 million annual commitment from across the technology, finance, telecom, and cybersecurity industries to secure the software supply chain. The recurring investment will be targeted at the Open Source Security Foundation (OpenSSF), a cross-industry collaboration initiative launched by the Linux Foundation last August, and will be funded by most of its member organizations including Amazon, Facebook, Google, Microsoft, Ericsson, JPMorgan Chase, Red Hat, Dell, and Oracle.
The announcement comes a time when supply chain attacks have gone through the roof, leading President Joe Biden to issue an executive order back in May outlining various measures to improve the nation’s cybersecurity defenses, including securing open source software that is used within federal information systems.
Open source pioneer Brian Behlendorf, who was the principal creator of the now-omnipresent Apache web server, will also now head up the OpenSSF as the full-time general manager, tasked in the first instance with building an “effective and collaborative community.”
“My job will always be to channel the energy, enthusiasm, and resources of the individuals and organizations converging on OpenSSF into one community, into our existing working groups and projects, and into creating new projects as the opportunities and needs arise,” Behlendorf told VentureBeat.
Attacks go upstream
While it’s well documented that open source codebases contain myriad vulnerabilities, as enterprise developers have improved at keeping their software up to date with the latest components, this has apparently led attackers to go further “upstream” closer to the origins of the source code. This way, the “bad code” can propagate to the broader supply chain further downstream. A recent report from Sonatype, a software composition analysis (SCA) platform that companies use to scan their codebases for security and compliance shortfalls, found that these so-called “next generation” software supply chain attacks have increased 650% in 2021.
“Adversary attacks on popular open source code are on the rise,” Behlendorf said. “If a popular open source component has a new vulnerability discovered in it, thousands of organizations could become vulnerable through that attack vector all at once.”
There has been a marked increase in open source security activities in recent times, particularly from within “big tech,” which relies heavily on open source libraries and components. Earlier this year, Google revealed it would fund Linux kernel developers, for example, before going on to unveil a $10 billion cybersecurity commitment to support President Biden’s executive order. In the months that followed, the internet giant revealed it was sponsoring the Open Source Technology Improvement Fund (OSTIF), which is concerned with conducting security reviews in select critical open source software projects. And a couple of weeks back, Google committed $1 million to a new Linux Foundation open source security rewards program.
The OpenSSF had minimal funding for its first year in operation, something that was “not even close” to what it needed to have any meaningful impact, according to Behlendorf.
“This new effort remedies that,” Behlendorf said. “In its first year, it [OpenSSF] was able to establish six critical working groups focused on providing education around secure coding practices, as well as improving automation, prioritization, and remediation of open source software vulnerabilities — the new funding will further enhance each of these efforts and support the formation of additional working groups.”
What’s perhaps most notable about the OpenSSF, beyond the $10 million cash injection it now has at its disposal, is the cross-industry input it has from some of the world’s biggest companies. And this is very much indicative of how pervasive open source software is — the vast majority of software contain at least some open source components, with the inherent vulnerabilities showing no discrimination for the industry it’s used in. Put simply, open source software affects everyone.
“Developers are no longer coding 100% of their applications from scratch, and now heavily rely on these open source software components to bring new capabilities to market sooner,” Behlendorf said. “Industry has recognized that not all open source components are created equal and that they must incorporate only the safest, highest quality open source in their applications.”
VentureBeatVentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more