The News: A detailed 10-point plan to tighten and strengthen open source software security was announced by The Linux Foundation and the Open Source Software Security Foundation (OpenSSF), in recognition of open source software's importance to enterprises, research, education, national security, the internet and a wide range of other critical uses. The document was created in response to a 2021 executive order from The White House, which called for improved cybersecurity protections for the nation by creating a partnership with private industry to achieve these goals.
10-Point Open Source Software Security Mobilization Plan Unveiled by Linux Foundation, OpenSSF, to Strengthen Open Source Security in Pursuit of White House Goal
Analyst Take: Following 2021’s serious ransomware cyberattack on the Colonial Pipeline and a software supply chain attack on SolarWinds, the Biden administration issued an executive order that called business, industry, governmental and other leaders together to work toward dramatically improving the nation’s cybersecurity.
Over the last year, the first part of that goal, getting all the players together and hammering out initial plans to build a national cybersecurity strategy and road map, came to fruition. That is how this newly released 10-point Open Source Software Security Mobilization Plan from The Linux Foundation and the OpenSSF came to be.
This is an important step toward solving this problem and finding credible, reliable, and repeatable processes that can make software creation and use safer from cyberattacks and cybercriminals. Absolute security is never possible, but attacking security challenges using every available means is a smart strategy in the constant battle against attackers. By developing this mobilization plan and fully integrating it, the U.S. will be in a better position to defend its infrastructure against cyberattacks in the future.
Supporting the 10-point open source software security mobilization plan are 90 executives from 37 companies and governmental agencies, including Amazon, Google, Microsoft, the National Security Council and the Department of Energy, who contributed input to the plan.
What impresses me most so far about this nascent open source software security plan effort is that it brings together a long list of major U.S. technology companies and their executives who collaborated and proposed strategies to get this effort to the starting line. This is a big deal when an organization can gain broad consensus from a large and diverse number of players and organizational needs.
The 51-page plan lays out a detailed, well-organized path to making serious inroads on these critical issues in open source software, calling for three main goals:
- Securing open source software production by focusing on preventing security defects and vulnerabilities in code and open source packages as they are created and written.
- Improving vulnerability discovery and remediation by improving the processes that find code defects and fix them.
- Shortening open source ecosystem patching response times so that the distribution of code fixes and the implementation of those fixes are done more quickly.
To accomplish these goals, the open source software security plan lays out 10 “activity streams,” each designed to carry out one of the needed steps. The streams cover topics including software security education, the creation of a risk assessment dashboard for the top 10,000 open source software components, accelerating the adoption of digital signatures on software releases, eliminating the root causes of many vulnerabilities by replacing non-memory-safe languages, and conducting third-party code reviews, with any necessary remediation work, on up to 200 of the most critical open source components once each year.
To get the plan underway, it will take about $150 million in new funding over two years to put the 10 activity streams, the specific infrastructure and processes that will be needed to make the plan a success, into place, according to the document.
Several of the participating tech companies (Amazon, Ericsson, Google, Intel, Microsoft, and VMware) combined to pledge the first $30 million for the project. This is a good start, but another $120 million still must be funded.
Other companies involved in the process include Atlassian, Cisco, Dell, Ericsson, GitHub, IBM, Intel, JFrog, JPMorgan Chase, OWASP Foundation, SAP, Sonatype, and Wipro.
Software Supply Chains Getting Recognition
An important point cited throughout the open source software security mobilization plan is the need to change past approaches to software creation by building security into applications as they are designed and written, instead of adding security components later as a stop-gap measure.
This idea of creating more secure software supply chains, by looking at everything that goes into an application's code, from binaries to package managers, repositories, authors, known vulnerabilities and more, is critically important because it begins before the first lines of code are ever written. By integrating the idea of safer and better written code from the start, applications can be more secure and less vulnerable to security concerns and successful attacks in the future.
This topic is so important that earlier this month Steven Hernandez, a top federal cybersecurity official, revealed that a new mandate on software supply chain security is in the works at the Office of Management and Budget, intended to better protect government agencies when deploying and using software applications.
So many businesses, organizations and government agencies adopt and use software built on open source components and code that this issue has huge consequences for the global economy and security. About 70 to 90 percent of any software stack used by organizations consists of open source code or components, according to a 2022 open source security and risk analysis report from Synopsys, making that impact a serious matter.
Final Thoughts on the Mobilization Plan
I am upbeat about this open source software security plan and how it’s being organized and built. It’s fitting that many of the world’s largest and most successful technology and software companies are participating in this effort and are providing much of the brainpower and services to make it happen. Their work in creating applications is incredibly important to the success of these bold efforts to make open source software more secure. It will be interesting to watch how the plans proceed and we will be monitoring it to share its progress in the future.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum Research as a whole.