OpenSSF Says It Will Cost $147.9M To Secure Open Source Software


Multiple vulnerabilities in open source software have been exploited in recent years, putting enterprises of all kinds at risk. Vulnerabilities in software components such as the open source Log4j Java library have affected millions of users worldwide. According to a Synopsys analysis from 2021, at least one open source vulnerability exists in 84 percent of all codebases.

As open source becomes more integrated into all software, it has become a critical component of the software supply chain. The Biden administration issued an executive order a year ago to try to strengthen software supply chain security, which led to efforts to embrace the software bill of materials (SBOM), an inventory that reveals which components are inside an application.

The Linux Foundation and its Open Source Security Foundation (OpenSSF), which has a growing membership, are among the main open source organisations. Today, at the Open Source Software Security Summit II in Washington, D.C., OpenSSF launched an ambitious, multipronged plan with ten main targets to better secure the whole open source software ecosystem.

While open source software is usually freely available, protecting it comes at a cost. OpenSSF estimates that its strategy will cost $147.9 million over two years to implement. During a press conference held after the summit, Brian Behlendorf, general manager of OpenSSF, revealed that $30 million has already been pledged by OpenSSF members such as Amazon, Intel, VMware, Ericsson, Google, and Microsoft.

The Linux Foundation launched the Core Infrastructure Initiative (CII) eight years ago, in response to the Heartbleed vulnerability in the open source OpenSSL cryptography package. The CII was also an attempt to improve open source security by raising funds from suppliers.

The new OpenSSF strategy intends to provide direct assistance to developers in order to address difficulties, and to audit code bases in order to discover potential vulnerabilities. Authenticated package signing for the delivery of software components adds a further layer of security.

While OpenSSF was in Washington to meet with government and industry executives regarding open source security, the organisation is not looking for a government handout to help defray the costs.
