
A $150 Million Plan to Secure Open-Source Software

Areas of Proposed Investments Include SBOMs, Software Supply Chains

The Linux Foundation and the Open Source Security Foundation have put forth a nearly $150 million investment plan, spread across two years, to strengthen open-source security in the United States. The plan was announced at the Open Source Software Security Summit II in Washington, D.C., on Thursday.


It is unclear how the plan will be funded. Neither the Linux Foundation nor OpenSSF immediately responded to Information Security Media Group's query.

"We are here to respond with a plan that is actionable, because open source is a critical component of our national security, and it is fundamental to billions of dollars being invested in software innovation today. We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself. This plan represents our unified voice and our common call to action," Jim Zemlin, executive director of the Linux Foundation, said at the summit, which was held on the one-year anniversary of President Joe Biden's executive order to strengthen the country's cybersecurity.

The event was attended by 90 executives from 37 companies, representing a cross-section of the open-source developer and commercial ecosystem. The attendees also included executives from federal agencies, including the National Security Council, the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the U.S. Department of Energy and the Office of Management and Budget.

The previous Open Source Software Security Summit, held on Jan. 13, 2022, was led by the White House's National Security Council.

The Plan

The Linux Foundation and OpenSSF have identified 10 streams of investment for the $150 million, to be spread over two years.

Investment area | First year | Second year
Security education | $4.5 million | $3.45 million
Risk assessment | $3.5 million | $3.9 million
Digital signatures* | $13 million | $4 million
Memory safety | $5.5 million | $2 million
Incident response | $2.75 million | $3.05 million
Better scanning | $15 million | $11 million
Code audits | $11 million | $42 million
Data sharing | $1.85 million | $2.05 million
Software bills of materials | $3.2 million | TBD
Improved software supply chains | $8.1 million | $8.1 million

*Digital signatures will receive a one-time $10 million push after the first year.

The plan, according to OpenSSF Executive Director Brian Behlendorf, is to "converge a set of ideas and principles of what is broken out there and what we can do to fix it." The 10 investment areas identified, he adds, represent the "10 flags in the ground, as the base for getting started."

The summit "was dedicated to devising an action plan the wider community can adopt that includes a comprehensive portfolio of 10 open-source activity streams focused on hardening the software supply chain," says Stephen Chin, vice president of developer relations at JFrog, a DevOps platform for the software supply chain that was invited to join the summit.

"We believe open-source security will only be successful if we give OSS projects the same tools and services available to enterprises. Access to automated tools and high-quality security databases for open-source projects is essential," he adds.

SBOMs Everywhere

One of the investment streams that has gained prominence in the past year is software bills of materials, or SBOMs. The plan details a $3.2 million investment in this area in the first year, while the amount for the year beyond is yet to be determined.

The plan announced at the summit acknowledges that enterprises often have no inventory of the software assets they deploy and no data about the components within the software they have acquired. When they consider acquiring new software, enterprises often have no way to measure the risk that its components contain, including known vulnerabilities.

"SBOMs are one of the most critical parts of providing transparency to open-source supply chain vulnerabilities. The challenge today is that building an end-to-end SBOM is like precariously stacking a Jenga tower that is manually constructed and fragile to changes. To be successful, standards and tools need to be automated and integrated like Lego pieces that stack and integrate seamlessly," Chin says.

In their plan, the Linux Foundation and OpenSSF say multiple industries have identified the SBOM as a fundamental building block for solving the open-source security problem. But to address the challenge properly, SBOM adoption must be widespread, standardized and accurate. "By focusing on tools and advocacy, we can remove the barriers to generation, consumption and overall adoption of SBOMs everywhere. We can improve the security posture of the entire open-source ecosystem: producers, consumers and maintainers," the organizations say.

They recommend resourcing a team of developers to improve tooling and bake SBOMs into the most popular software build tooling and infrastructure across all major programming languages.
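The consumption side of the SBOM story described above, as an added example that is not code from the article, the Linux Foundation or OpenSSF: a small script that reads a CycloneDX-style SBOM, cross-references each component's package URL against an advisory list, and reports both the components with known-vulnerable versions and the components the SBOM describes too loosely to match at all. The SBOM document, the package names, the versions and the advisory IDs are all constructed sample data, and the numeric-only version comparison is a simplifying assumption.

```python
"""Consume a CycloneDX-style SBOM and flag components with known-vulnerable versions.

Added example; not code from the article or from the Linux Foundation/OpenSSF.
The SBOM and the advisory feed below are constructed sample data: every package
name, version and advisory ID is a placeholder, not a real finding.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM in the CycloneDX JSON layout. The field names
# (bomFormat, specVersion, components, purl) are real CycloneDX fields; the
# component data is invented. The last component has no purl, which is a
# common real-world gap: a vendored blob nobody could match to an advisory.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "purl": "pkg:pypi/example-http@2.3.1"},
    {"type": "library", "name": "example-yaml", "version": "5.4.0",
     "purl": "pkg:pypi/example-yaml@5.4.0"},
    {"type": "library", "name": "example-crypto", "version": "1.0.9",
     "purl": "pkg:pypi/example-crypto@1.0.9"},
    {"type": "file", "name": "vendored-blob", "version": "unknown"}
  ]
}
"""

# Constructed advisory feed: purl without version -> [(advisory_id, introduced, fixed)].
# A version v is affected when introduced <= v < fixed (half-open range, as OSV uses).
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "pkg:pypi/example-http": [("EXAMPLE-2022-0001", "2.0.0", "2.3.2")],
    "pkg:pypi/example-yaml": [("EXAMPLE-2021-0042", "0", "5.4.0")],  # fixed in 5.4.0
    "pkg:pypi/example-crypto": [
        ("EXAMPLE-2022-0007", "1.0.0", "1.1.0"),
        ("EXAMPLE-2020-0003", "0", "1.0.5"),
    ],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Assumption: purely numeric dotted versions. Real ecosystems need PEP 440 /
    SemVer-aware comparison; this keeps the example dependency-free."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> List[Dict]:
    """Parse the SBOM and return its component list (empty if absent)."""
    return json.loads(sbom_json).get("components", [])


def purl_base(purl: str) -> str:
    """Strip the '@version' suffix so the purl can key the advisory feed."""
    return purl.split("@", 1)[0]


def find_vulnerable(sbom_json: str, advisories: Dict) -> List[Tuple[str, str, str]]:
    """Return (purl_base, version, advisory_id) for every affected component."""
    hits = []
    for comp in load_components(sbom_json):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to match against; reported by unmatchable_components
        base = purl_base(purl)
        for advisory_id, introduced, fixed in advisories.get(base, []):
            if is_affected(comp["version"], introduced, fixed):
                hits.append((base, comp["version"], advisory_id))
    return hits


def unmatchable_components(sbom_json: str) -> List[str]:
    """Components without a purl cannot be checked; an SBOM that lists them this
    way is an inventory entry but not a risk signal."""
    return [c["name"] for c in load_components(sbom_json) if not c.get("purl")]


if __name__ == "__main__":
    for base, version, advisory_id in find_vulnerable(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"AFFECTED {base}@{version}: {advisory_id}")
    for name in unmatchable_components(SAMPLE_SBOM_JSON):
        print(f"UNMATCHABLE {name}: no package URL, cannot be assessed")
```

The two report lists map directly onto the gaps the plan describes: the first is the "known vulnerabilities" risk an acquirer cannot measure without an SBOM, and the second is why adoption has to be accurate as well as widespread, since a component recorded without a resolvable identifier is an inventory line that no advisory feed can ever match.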

According to Chin, focusing on boosting the "10 most critical OSS build systems, package managers and distribution systems with better supply chain security tools and best practices will help address vulnerable software repositories - the largest attack vector for enterprise software."


About the Author

Brian Pereira


Sr. Director - Editorial, ISMG

Pereira has nearly three decades of journalism experience. He is the former editor of CHIP, InformationWeek and CISO MAG. He has also written for The Times of India and The Indian Express.
