A $150 million plan to secure open source software

Proposed investment areas include SBOMs, software supply chains

Brian Pereira (digital_belief)
May 13, 2022

The Linux Foundation and the Open Source Security Foundation have presented an investment plan of nearly $150 million, spread over two years, to strengthen open source security in the United States. The plan was announced at the Open Source Software Security Summit II in Washington, DC on Thursday.

“We are here to respond with a plan that is achievable, because open source is a critical part of our national security, and it is fundamental for billions of dollars to be invested in software innovation today. We have a shared obligation to improve our collective cybersecurity resilience and improve trust in the software itself. This plan represents our unified voice and common call to action,” said Jim Zemlin, Executive Director of the Linux Foundation, during the summit, which was held on the one-year anniversary of President Joe Biden’s executive order to strengthen the nation’s cybersecurity.

The event brought together 90 executives from 37 companies, representing a cross section of the business and open source development ecosystem. Attendees also included heads of federal agencies, including the National Security Council, Cybersecurity and Infrastructure Security Agency, National Institute of Standards and Technology, U.S. Department of Energy, and Office of Management and Budget.

The previous Open Source Software Security Summit, held on January 13, 2022, was led by the White House National Security Council.

The plan

The Linux Foundation and OpenSSF have identified 10 investment streams for the $150 million, to be spread over two years.

| Investment area | First year | Second year |
|---|---|---|
| Safety education | $4.5 million | $3.45 million |
| Risk assessment | $3.5 million | $3.9 million |
| Digital signatures* | $13 million | $4 million |
| Memory Security | $5.5 million | $2 million |
| Incident Response | $2.75 million | $3.05 million |
| Better digitization | $15 million | $11 million |
| Code audits | $11 million | $42 million |
| Data sharing | $1.85 million | $2.05 million |
| Software BOMs | $3.2 million | To be determined |
| Improved software supply chains | $8.1 million | $8.1 million |

*Digital signatures will receive a one-time boost of $10 million after the first year.

The plan, according to OpenSSF executive director Brian Behlendorf, is to “bring together a set of ideas and principles about what’s going on out there and what we can do about it.” The 10 areas of investment identified, he adds, represent the “10 flags in the ground, as a basis to start”.

The summit “was dedicated to crafting an action plan for the wider community to adopt that includes a comprehensive portfolio of 10 open source activity streams focused on strengthening the software supply chain,” said Stephen Chin, vice president of developer relations at JFrog, a DevOps platform for the software supply chain, who was invited to join the summit.

“We believe that open source security will only succeed if we give OSS projects the same tools and services available to enterprises. Access to automated tools and high-quality security databases for open source projects is essential,” he adds.

SBOMs everywhere

One of the investment streams that has grown in prominence over the past year is software bill of materials, or SBOM. The plan details an investment of $3.2 million in this area in the first year, while the amount for the following year remains to be determined.

The plan announced at the summit recognizes that companies often have no inventory of the software assets they deploy and no data on the software components they have acquired. When considering the acquisition of new software, companies often have no way of measuring the risk that its components contain, including known vulnerabilities.

“SBOMs are one of the most critical elements in ensuring transparency of vulnerabilities in the open source supply chain. The challenge today is that building an end-to-end SBOM comes down to precariously stacking a hand-built Jenga tower that is fragile to change. To be successful, standards and tools must be automated and integrated like Lego pieces that stack and integrate seamlessly,” Chin says.

In their plan, the Linux Foundation and OpenSSF claim that several industries have identified SBOM as fundamental to solving the open source security problem. But to address the challenge appropriately, SBOM adoption must be widespread, standardized, and accurate. “By focusing on tools and advocacy, we can remove barriers to the generation, consumption, and overall adoption of SBOMs everywhere. We can improve the security of the entire open source ecosystem: producers, consumers and maintainers,” the organizations state.

They recommend hiring a team of developers to improve the tools and integrate SBOMs into the most popular software build tools and frameworks in all major programming languages.

According to Chin, focusing on strengthening the “10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices will help deal with vulnerable software repositories, the largest attack vector for enterprise software.”

About the Author

Brian Pereira

Pereira has nearly three decades of journalism experience. He is the former editor of CHIP, InformationWeek and CISO MAG. He has also written for The Times of India and The Indian Express.
