The new collaboration called Open Source Security Foundation (OpenSSF) consolidates industry efforts to improve the security of open-source software
The Linux Foundation announced the formation of the Open Source Security Foundation (OpenSSF). The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open-source software (OSS) by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open-source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.
Open-source software has become pervasive in data centers, consumer devices and services, reflecting its value to technologists and businesses alike. Because of its development process, open-source software that ultimately reaches end users carries a chain of contributors and dependencies. It is important that those responsible for their users’ or organization’s security are able to understand and verify the security of this dependency chain.
The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just a couple of the projects that will be brought together under the new OpenSSF. The Foundation’s governance, technical community and its decisions will be transparent, and any specifications and projects developed will be vendor agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.
“We believe open source is a public good and across every industry, we have a responsibility to come together to improve and support the security of open-source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation. “Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”
“Security is always top of mind for Google and our users. We have developed robust internal security tools and systems for consuming open source software internally, for our users, and for our OSS-based products. We believe in building safer products for everyone with far-reaching impacts, and we are excited to work with the broader community through the OpenSSF. We look forward to sharing our innovations and working together to improve the security of open-source software we all depend on,” said James Higgins, Director of Product Security, Google Cloud.
“Open source has become mainstream in the enterprise. As such, the security of the open-source supply chain is of paramount importance to IBM and our clients,” said Christopher Ferris, IBM Fellow and CTO Open Technology. “The launch of the Open Source Security Foundation marks an important step towards giving open source communities the information and tools they need to improve their secure engineering practices, and the information developers need to choose their open-source wisely.”