Securing the open source software supply chain has become a major concern. Last year, the Biden Administration issued an executive order to improve the security of the software supply chain. This followed the Colonial Pipeline ransomware attack, which shut down natural gas and oil transportation across the entire Southeast, and the SolarWinds software supply chain attack. Ensuring software security has become a top priority.
In response, the Open Source Security Foundation (OpenSSF) and the Linux Foundation have come together to meet this security challenge. They are now calling for $150 million over two years to address ten major open source security problems.
The US government will not pay for these changes. Amazon, Ericsson, Google, Intel, Microsoft and VMware have pledged $30 million. More vendors have begun to act; for example, Amazon Web Services (AWS) has pledged an additional $10 million.
The following are the ten goals the open source industry has committed to:
Security education: provide baseline secure software development education and certification to all.
Risk assessment: establish a public, vendor-neutral, objective, metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
Digital signatures: accelerate the adoption of digital signatures in software distribution.
Memory safety: eliminate the root cause of many vulnerabilities by replacing non-memory-safe languages.
Incident response: establish an OpenSSF open source security incident response team whose security experts can step in to assist open source projects at critical moments when handling vulnerabilities.
Scanning technology: accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
Code audits: conduct third-party code reviews (and any necessary fixes) of up to 200 of the most critical OSS components annually.
Data sharing: coordinate industry-wide data sharing to improve the research that helps identify the most critical OSS components.
Software bills of materials (SBOMs): promote the adoption of improved SBOM tools and training.
Improve the supply chain: strengthen the 10 most critical open source software build systems, package managers and distribution systems through better supply chain security tools and best practices.