The IT industry and the U.S. government have outlined a 10-step plan to ensure the security of open-source software and the IT supply chain after a series of supply chain attacks and open-source software vulnerabilities were discovered in recent years.
The plan is designed to secure the production of open-source software, improve vulnerability discovery and remediation, and reduce the time it takes to patch security bugs. It comes after The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together executives from 37 companies and government leaders at the Open Source Software Security Summit II last week, a follow-up to a previous summit held in January.
The initiative also comes one year after President Joe Biden’s executive order on cybersecurity that came in the wake of the SolarWinds supply chain attack that resulted in the compromise of several government networks, and several months after a critical vulnerability was discovered in Log4j.
Alongside the 10 points for addressing open-source and software supply chain security, the plan calls for $150 million of funding over two years to advance well-vetted solutions to those points. Some of the larger companies involved, including Amazon, Google, Microsoft, Intel, VMware and Ericsson, have already pledged more than $30 million toward implementing the plan.
According to the Linux Foundation and OpenSSF, an informal poll of organizations that consume open-source software reveals that they spend over $110 million and employ nearly 100 full-time equivalent employees focused on securing the open source software landscape.
The plan focuses on education, digital signatures, open-source vulnerability detection and remediation and the increased adoption of software bills of materials (SBOM).
Per the Linux Foundation and OpenSSF, these are the 10 points, summarized:
- Security Education: Deliver baseline secure software development education and certification to all.
- Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
- Digital Signatures: Accelerate the adoption of digital signatures on software releases.
- Memory Safety: Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
- Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
- Better Scanning: Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
- Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
- Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
- SBOMs Everywhere: Improve SBOM tooling and training to drive adoption.
- Improved Supply Chains: Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.