The Open Source Security Foundation (OpenSSF) a cross-industry organization hosted at the Linux Foundation, today announced 20 new organizations have joined OpenSSF to help identify and fix security vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. It is also announcing the latest milestones achieved across a variety of its technical initiatives, all of which underscore the cross-industry momentum taking place as a result of increasing awareness in the wake of recent security incidents and since the recent White House Open Source Security Summit and recent Congressional hearings.
“The time is clearly now for this community to make real progress on software security. Since open source is the foundation on which all software is built, the work we do at OpenSSF with contributions from companies and individuals from around the world is fundamental to that progress,” said Brian Behlendorf, executive director at OpenSSF. “We’ve never had more support or focus on building, sustaining and securing the software that underpins all of our lives, and we’re happy to be the neutral forum where this can happen.”
New Premier Member commitments come from 1Password, Citi, Coinbase, Huawei Technologies, JFrog and Wipro. New General Member commitments come from Accuknox, Alibaba Cloud, Block, Inc, Blockchain Technology Partners, Catena Cyber, Chainguard, Cloudsmith, DeployHub, MongoDB, NCC Group, ReversingLabs, Spotify, Teleport and Wingtecher Technology. New Associate Members include MITRE and OpenUK. For a complete review of the OpenSSF member roster, please visit: https://openssf.org/about/members/
These commitments come on the heels of the recent White House Open Source Security Summit where the Linux Foundation and OpenSSF represented hundreds of its project communities and discussed how best to support software security and open source security posture going forward. This underscored a major milestone in the Linux Foundation’s engagement with the public sector and underscores its position to support not only the projects it hosts but all of the world’s most critical open source infrastructure.
Since the OpenSSF announced initial commitments in October, the community has continued to advance the OpenSSF mission. Some selected highlights include:
New Alpha-Omega Project Launches with $5m Investment to Improve OSS Security Posture
OpenSSF also recently announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. It is initially supported by Microsoft and Google with a combined investment of $5 million. The Project improves global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.
Automated Security Tool, Scorecards, Increases Scans from 50,000 to 1 Million Projects
Scorecards is an OpenSSF project that helps open source users understand the risks of the dependencies they consume. OpenSSF members GitHub and Google recently announced Scorecards v4, which includes Scorecards GitHub Workflow Action to automate identification of how changes to a project affected its security. It also includes License Check to detect the presence of a project license and Dangerous-Workflow check to detect dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows. The Scorecards project has also increased the scale of scans from 50,000 projects to one million projects identified as most critical based on their number of direct dependencies, giving a more detailed view of the ecosystem and strengthening supply chain security as users see improved coverage of their dependencies.
Project Sigstore Sees Massive Contribution, Adoption to Sign, Verify and Protect OSS
Sigstore recently released a project update that reported nearly 500 contributors, more than 3,000 commits and more than one million entries in Rekor. For more information on what is driving this adoption, please visit the Sigstore blog.
The “Great MFA Distribution” Distributes Codes to Claim Free Hardware Security Tokens to Almost 1000 Top OSS Developers.
In the pursuit of encouraging wider adoption of multi-factor authentication (MFA) by developers of critical open source projects, The Securing Critical Projects Working Group coordinated the distribution of nearly 1000 codes for free MFA tokens (graciously donated by Google and Github) to developers of the 100 most critical open source projects. This is a small but critical step in avoiding supply chain attacks based on stolen credentials of key developers.