Protecting open source software will protect you
The security of open source software may finally get the attention it deserves. Or, to make it more personal, the attention you deserve. Because you use it and depend on it. Everybody does.
That’s the primary reason some of the biggest names in tech — including members of the trillion-dollar club — have collectively pledged $30 million to support an initiative by the Linux Foundation and the Open Source Security Foundation (OpenSSF) to improve open source software security. They include Amazon, Ericsson, Google, Intel, Microsoft, and VMware.
The 10-point initiative, titled The Open Source Software Security Mobilization Plan, was announced May 12 at a meeting in Washington, D.C.—the one-year anniversary of President Biden’s executive order “Improving the Nation’s Cybersecurity” (more bureaucratically known as EO 14028).
According to a press release from OpenSSF, the event drew more than 90 executives from 37 companies plus government leaders including Anne Neuberger, White House deputy national security advisor for cyber and emerging technology at the National Security Council, and representatives of other federal agencies including the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology.
Welcome and overdue
The initiative could be described as both welcome and overdue.
Everybody needs — and has needed for a long time — their software to be secure from cyberattacks, because everybody uses it, whether they create and sell software products or not. That is especially true of open source software.
At a press conference after the meeting, Linux Foundation Executive Director Jim Zemlin said the goal is to “bring help to all the developers who write the code that makes up 80% to 90% of the technology products and services most of us rely on every day.”
Indeed, open source components are in virtually every codebase in use, and make up an average of about 78% of those codebases, according to the latest “Open Source Security and Risk Analysis” (OSSRA) report by the Synopsys Cybersecurity Research Center (CyRC). The report is based on analysis of more than 2,400 commercial codebases across 17 industries in 2021.
That means software isn’t just in your phone, laptop, and tablet — it’s in just about everything you use, from your appliances to your car to your smart home security system and smart wearables. It is essential to run any business. Hence the morphing of the label Internet of Things to Internet of Everything.
If software is not secure — if it has vulnerabilities cybercriminals can exploit — the risks range from annoyances like a flood of spam, to financial devastation from identity or credential theft, to physical danger like having your vehicle controls taken over by hackers or your home security system disarmed.
That need for better security applies especially to open source software — the kind built and maintained by volunteer communities that is almost always free to use and modify as you please.
That is not because open source is any less secure than the proprietary or commercial variety, but because, as noted, there is so much of it that it is by far the biggest software attack surface. And since the bad guys are paying so much attention to it — illustrated by catastrophic software supply chain vulnerabilities including the notorious Log4Shell group in the open source Apache logging library Log4j, and the vulnerabilities that allowed hackers to insert malware into a SolarWinds/Orion update — it makes existential sense for the good guys to focus on it as well.
Not a one-and-done fund
The $30 million pledged on May 12 is just 20% of the $150 million funding goal that is expected to pay for the first two years of the initiative. TechTarget reported last week that the pledges were up to $45 million and also included the donation of a prototype toolchain called Secure Software Factory created by financial services giant Citi. The toolchain is designed to follow a set of best practices established by the Cloud Native Computing Foundation.
It’s also important to note that this kind of funding is not a one-and-done. According to the plan, the $150 million is expected to cover just the first two years of the initiative, meaning it will need an ongoing funding stream.
The plan spells that out more specifically in each of what are called 10 “streams.” For example, Stream 1, which calls for better security education for software developers, is expected to cost $4.5 million the first year and $3.45 million every year after that.
The plan has three overall goals, with the 10 streams setting out in more detail how to achieve them. The plan summarizes them as follows.
Goal 1: Secure open source software (OSS) production. The four streams dedicated to achieving that are:
- Security education: Deliver baseline secure software development education and certification to all. According to the plan, software developers now get little to no security training. “A modest amount of training — 10 hours at the very least, 40 to 50 hours ideally — could make a huge difference in developer performance,” it states.
- Risk assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components. According to the plan, the platform would also “track vulnerabilities in dependencies with software composition analysis (SCA) tools, to understand how a bug in an upstream component affects others. This provides ‘situational awareness’ for organizations that deploy OSS and provides clear guidance to [open source] projects wishing to attract more users by reducing their risk.”
- Digital signatures: Accelerate the adoption of digital signatures on software releases.
- Memory safety: Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
Goal 2: Improve vulnerability discovery and remediation.
- Incident response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can assist open source projects during critical times such as responding to a vulnerability.
- Improve scanning: Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
- Code audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
- Data sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
Goal 3: Decrease patching response time.
- SBOMs (Software Bills of Materials) everywhere: Improve SBOM tooling and training to drive adoption. This aligns with one of the goals of the Biden executive order, which calls for federal agencies not to purchase any software products that lack an SBOM.
- Improved supply chains: Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.
What are its chances?
Members of the OpenSSF board couldn’t be reached. Their public relations agency said that following the announcement they were too busy to comment.
But as is the case with any ambitious initiative, it will come down to the classic cliché — only time will tell.
At one level, it seems that while $150 million is, as OpenSSF Executive Director Brian Behlendorf put it, “a meaningful amount,” it won’t be nearly enough, given that open source software is embedded into every codebase in the world.
And while the Linux Foundation and the OpenSSF were lavish in their praise of the initial donors, $30 million doesn’t even amount to a rounding error in the $1 trillion-plus value of corporations like Amazon, Google, and Microsoft.
A long game
Zemlin acknowledged at the press conference that “this is the first five minutes of a long game.” But he said he has worked in the open source software field for more than 20 years, during which there have been numerous efforts to help “hundreds of thousands of developers and leaders who are responsible for critical components of the open source supply chain.”
“Today is the first time I’ve seen an actionable plan with concrete goals, but most importantly the industry will to offer that help in a meaningful way,” he said.
Evidence for that, he said, is that pledges are for time and expertise as well as money. “Folks from Google are saying, ‘We have people who we’re going to put on this to go and fix vulnerabilities.’ I’ve never seen that amount of unified will to raise the security baseline for us collectively.”
Behlendorf also said the current plan “should be viewed as a first draft — in fact I think we labeled it Version 0.9.1 — but with some specific goals and approaches to addressing key problems. Now that it’s public we’ll be looking for further participants.”
He added that $150 million is more than the budget of “any open source developer or even most open source projects. But when you compare it to the cost of remediating a major vulnerability like we’ve seen in the last few years, it’s a drop in the bucket — an ounce of prevention for many pounds of cure.”
“The urgency here could not be greater,” Zemlin said. “Adversaries are becoming more sophisticated, supply chain attacks are happening more often, and cyber conflict is escalating around the globe.”