Open Source Security Foundation and Linux Foundation Call for $150 Million to Improve Open Source Security
In response to President Biden's executive order on supply chain security, the Open Source Security Foundation (OpenSSF) and Linux Foundation are calling for $150 million in funding over two years to fix ten major open-source security problems. Amazon, Ericsson, Google, Intel, Microsoft, and VMware have pledged $40M in support of the effort to address issues such as replacing non-memory-safe programming languages, expanding and improving code audits, increasing adoption of Software Bills of Materials (SBOMs), and enhancing the security of the 10 most critical open-source software build systems, package managers, and distribution systems.
From Heartbleed to Log4j, progress in this area has long been badly needed, and it would be good to see more big tech companies step up and join Amazon, AWS, Ericsson, Google, Intel, Microsoft, and VMware in committing funding. Start educating app developers and IT now about the areas of improvement that will be rolling out over the next two years, and push for rapid adoption. (See Google's Open-Source Maintenance Crew related news item.)
The ten goals they hope to address include security education, risk assessment, digital signatures (for code), memory safety, incident response, better (security) scanning, code audits, data sharing, SBOMs and improved supply chains. The last of these covers the 10 most critical build systems and includes the C and Rust languages, so it is a huge undertaking. Some of the other areas are already being addressed by emerging standards such as Sigstore for code signing, which is backed by Red Hat, Purdue University and Google. Building on such existing efforts in multiple areas should help meet the aggressive timeline.