Open source leaders met in Washington yesterday to share their plans for enhancing the security of the software supply chain.
The event was held a year after President Biden’s executive order on cybersecurity and several months after the first Open Source Software Security Summit in the capital.
The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders representing the National Security Council (NSC), the Cybersecurity and Infrastructure Security Agency (CISA), NIST and others.
The plan they agreed on will see $150m in funding over the next two years directed to 10 streams designed to improve the resilience and security of open-source software. Companies including Amazon, Google, Intel, Ericsson, Microsoft and VMware have already pledged over $30m.
The three headline goals of the plan are to secure the production of open source code, improve vulnerability detection and remediation and shorten patching response times.
The community plans to achieve this by:
- Offering security education for everyone working in the community.
- Establishing a risk assessment dashboard for the top open-source components.
- Accelerating adoption of digital signatures.
- Replacing non-memory-safe languages to eliminate the root cause of many bugs.
- Establishing an open-source incident response team.
- Better scanning of code by maintainers and experts to find bugs more quickly.
- Conducting third-party code reviews of up to 200 of the most critical components.
- Coordinating industry-wide research data sharing.
- Improving software bill of materials (SBOM) tooling and training to drive adoption.
- Enhancing the 10 most critical build systems, package managers, and distribution systems with better security tools and best practices.
“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” argued Brian Behlendorf, executive director of the Open Source Security Foundation (OpenSSF).
“The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”