Dedicated to protecting open source software, the Linux Foundation is a non-profit organisation that has added 13 new members from the business world, the financial world, and academia. More than a dozen new organisations will join the Open Source Security Foundation (OpenSSF), according to an announcement made on Wednesday. Capital One, a financial powerhouse, will be a premium member and hold a seat on the foundation’s governing board. The other new members include ZTE, the Eclipse Foundation, Perdue University, the TODO Group, Indeed, Akamai, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, and SHE BASH.
Notable IT and open source firms including GitHub, Google, IBM, Microsoft, AWS, Meta, Fidelity, Morgan Stanley, Tencent, and others are already members of the organisation. While some of the foundations they establish are more restrictive, David A. Wheeler, director of open source supply chain security at the Linux Foundation, told SC Media in an interview that the requirements for membership in OpenSSF are as broad as the impact of the issue they’re trying to collectively solve.
“Every different foundation has rules about who can join and who can’t, but in the case of the OpenSSF, it’s extremely broad and intentionally so because basically everybody is impacted by the security or lack of security in open-source software,” Wheeler said.
Additionally, there is a financial incentive because organisations must pay a membership fee that supports OpenSSF’s operations. According to their website, there are no fees associated with participating in the foundation’s activities, and steering committees and project maintainers make choices on working groups and projects regardless of membership. But Wheeler did mention that organisations like Capital One that choose the more expensive premier memberships are awarded board seats.
Open source code is widely utilised in commercial software as well as in systems created by governments, non-profits, and universities. While open source software is neither more or less fundamentally dangerous than proprietary software, it has been a focus of both government and industry. While prominent cyber incidents like Log4j frequently make the news, malevolent hackers are increasingly using open source code corruption to target the businesses and other entities who use it.
For instance, Sonatype reported in March that it had discovered over 130 typosquatting packages aimed towards npm and over a dozen that were directed at popular Python repositories. The ultimate results of the Python attacks have included everything from installing cryptomining software, collecting login information, and establishing covert backdoors to gain access to victim systems.
More recently, at the Open Source Security Summit held in May at the White House, OpenSSF revealed a 10-point strategy. This strategy will be implemented through 10 different workstreams, including establishing a framework for incident response teams that can be deployed throughout the open source community, conducting annual third-party reviews of the top 200 most critical open source software components, finding ways to speed up the process of patching open source software, developing new metrics to track code and components, and moving the industry away from non-memory safe programming languages that make it difficult to find and fix vulnerabilities.
