My TechDecisions
How the IT Industry is Securing Open-Source Software

The IT industry and the U.S. government have outlined a 10-step plan to secure open-source software and the IT supply chain.

May 16, 2022 Zachary Comeau

The IT industry and the U.S. government have outlined a 10-step plan to ensure the security of open-source software and the IT supply chain after a series of supply chain attacks and open-source software vulnerabilities were discovered in recent years.

The plan is designed to secure the production of open-source software, improve vulnerability discovery and remediation, and shorten the time it takes to patch security bugs. It follows the Open Source Software Security Summit II, held last week, where The Linux Foundation and the Open Source Security Foundation (OpenSSF) brought together executives from 37 companies and government leaders; the event was a follow-up to a previous summit held in January.

The initiative also comes one year after President Joe Biden's executive order on cybersecurity, issued in the wake of the SolarWinds supply chain attack that compromised several U.S. government networks, and several months after a critical vulnerability was discovered in the Log4j Java logging library.

Alongside the 10 points, the plan calls for roughly $150 million in funding over two years to advance well-vetted solutions to each of them. Some of the larger companies involved, including Amazon, Google, Microsoft, Intel, VMware and Ericsson, have already pledged more than $30 million toward implementing the plan.

According to the Linux Foundation and OpenSSF, an informal poll of organizations that consume open-source software found that they collectively spend over $110 million and employ nearly 100 full-time-equivalent staff on securing the open-source software landscape.

The plan focuses on security education, digital signatures on software releases, vulnerability detection and remediation in open-source code, and wider adoption of software bills of materials (SBOMs).

Per the Linux Foundation and OpenSSF, these are the 10 points, summarized:

  1. Security Education: Deliver baseline secure software development education and certification to all.
  2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
  3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
  4. Memory Safety: Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
  6. Better Scanning: Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
  7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
  8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
  9. SBOMs Everywhere: Improve SBOM tooling and training to drive adoption.
  10. Improved Supply Chains: Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

Tagged With: open-source software, Supply Chain

© 2022 Emerald X, LLC. All rights reserved.