DevSecOps, next generation technologies and secure development
Proposed investment areas include SBOMs, software supply chains
Brian Pereira (digital_belief)
May 13, 2022
“We are here to respond with a plan that is achievable, because open source is a critical part of our national security, and it is fundamental for billions of dollars to be invested in software innovation today. We have shared obligation to improve our collective cybersecurity resilience and improve trust in the software itself. This plan represents our unified voice and common call to action,” said Jim Zemlin, Executive Director of Linux Foundation during the summit, which was held on the one-year anniversary of President Joe Biden’s executive order to strengthen the nation’s cybersecurity.
The event brought together 90 executives from 37 companies, representing a cross section of the business and open source development ecosystem. Attendees also included heads of federal agencies, including the National Security Council, Cybersecurity and Infrastructure Security Agency, National Institute of Standards and Technology, U.S. Department of Energy, and Office of Management and Budget.
The previous Open Source Software Security Summit, held on January 13, 2022, was led by the White House National Security Council.
The plan
The Linux Foundation and OpenSSF have identified 10 investment streams for the $150 million, to be spread over two years.
Investment area | First year | Second year |
---|---|---|
Security education | $4.5 million | $3.45 million |
Risk assessment | $3.5 million | $3.9 million |
Digital signatures* | $13 million | $4 million |
Memory safety | $5.5 million | $2 million |
Incident response | $2.75 million | $3.05 million |
Better scanning | $15 million | $11 million |
Code audits | $11 million | $42 million |
Data sharing | $1.85 million | $2.05 million |
Software BOMs | $3.2 million | To be determined |
Improved software supply chains | $8.1 million | $8.1 million |

*Digital signatures will receive a one-time boost of $10 million after the first year.
The plan, according to OpenSSF executive director Brian Behlendorf, is to “bring together a set of ideas and principles about what’s going on out there and what we can do about it.” The 10 areas of investment identified, he adds, represent the “10 flags in the ground, as a basis to start”.
The summit “was dedicated to crafting an action plan for the wider community to adopt that includes a comprehensive portfolio of 10 open source activity streams focused on strengthening the software supply chain,” said Stephen Chin, vice president of developer relations at JFrog, a DevOps platform for the software supply chain, who was invited to join the summit.
“We believe that open source security will only succeed if we give OSS projects the same tools and services available to enterprises. Access to automated tools and high-quality security databases for open source projects is essential,” he adds.
SBOMs everywhere
One of the investment streams that has grown in prominence over the past year is software bill of materials, or SBOM. The plan details an investment of $3.2 million in this area in the first year, while the amount for the following year remains to be determined.
The plan announced at the summit recognizes that companies often have no inventory of the software assets they deploy and no data on the software components they have acquired. When considering the acquisition of new software, companies often have no way of measuring the risk that its components contain, including known vulnerabilities.
“SBOMs are one of the most critical elements in ensuring transparency of vulnerabilities in the open source supply chain. The challenge today is that building an end-to-end SBOM comes down to precariously stacking a hand-built Jenga tower that is fragile to change. To be successful, standards and tools must be automated and integrated like Lego pieces that stack and integrate seamlessly,” Chin says.
In their plan, the Linux Foundation and OpenSSF claim that several industries have identified SBOM as fundamental to solving the open source security problem. But to address the challenge appropriately, SBOM adoption must be widespread, standardized, and accurate. “By focusing on tools and advocacy, we can remove barriers to the generation, consumption, and overall adoption of SBOMs everywhere. We can improve the security of the entire open source ecosystem: producers, consumers and maintainers,” the organizations state.
They recommend hiring a team of developers to improve the tools and integrate SBOMs into the most popular software building tools and framework in all major programming languages.
According to Chin, focusing on strengthening the “10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices will help deal with vulnerable software repositories, the largest attack vector for enterprise software.”