White House Joins OpenSSF, Linux Foundation In Securing Open-Source Software
Saturday May 14, 2022. 03:00 PM , from Slashdot
An anonymous reader quotes a report from ZDNet: Securing the open-source software supply chain is a huge deal. Last year, the Biden administration issued an executive order to improve software supply chain security. This came after the Colonial Pipeline ransomware attack shut down gas and oil deliveries throughout the southeast and the SolarWinds software supply chain attack. Securing software became a top priority. In response, The Open Source Security Foundation (OpenSSF) and Linux Foundation rose to this security challenge. Now, they're calling for $150 million in funding over two years to fix ten major open-source security problems.
The government will not be paying the freight for these changes. $30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMWare. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million. At the White House press conference, OpenSSF general manager Brian Behlendorf said, 'I want to be clear: We're not here to fundraise from the government. We did not anticipate needing to go directly to the government to get funding for anyone to be successful.'
Here are the ten goals the open-source industry is committed to meeting:
1. Security Education: Deliver baseline secure software development education and certification to all.
2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
4. Memory Safety: Eliminate root causes of many vulnerabilities through the replacement of non-memory-safe languages.
5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
6. Better Scanning: Accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
9. Software Bill of Materials (SBOMs): Everywhere Improve SBOM tooling and training to drive adoption.
10. Improved Supply Chains: Enhance the 10 most critical open-source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.
Read more of this story at Slashdot.
Nov, Wed 30 - 16:01 CET