OpenSSF Takes a Collaborative Approach to Open Source Security
Published November 18, 2020 WRITTEN BY ED TITTEL. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel Open source software is essential to application development, particularly for the web. At the same time, it also represents a key source of application vulnerabilities. To help make open source software more secure, the Linux Foundation has announced a cross-industry collaboration with open source leaders including GitHub, Google, IBM, JP Morgan Chase, Microsoft, Red Hat, the OWASP Foundation, and others. This collaboration is called the Open Source Security Foundation, or OpenSSF. In an August blog post, Microsoft Azure CTO Mark Russinovich explained the OpenSFF’s impetus and mission as follows: Open source is everywhere and essential for just about every company’s strategy Securing open source is essential to security the supply chain for all parties, including Microsoft itself Because open source software is so widely used, attackers can exploit many vulnerabilities. These cover most critical services and their supporting infrastructures, across industries such as utilities, healthcare, transportation, government, and IT (especially traditional software, cloud services and IoT) The community-driven nature of open source software means no central authority is responsible for its quality control and maintenance Because open source code may be copied and cloned, versioning and dependencies are particularly complex and can be hard to follow Open source is vulnerable to developer attack, wherein attackers can become maintainers of open source projects and introduce malware Given all these factors, especially how complex and intertwined open software can be, it’s fair to say that building and securing open source software must be a community-oriented and -supported effort. The OpenSSF home page states that its first group of technical initiatives will include the following areas of focus: Vulnerability Disclosures Security Tooling Security Best Practices Identifying Security Threats to Open Source Projects Securing Critical Projects Developer Identity Verification The site also offers related security resources from the OSSC ( an analysis of the Open Source ecosystem in pdf format), the Linux Foundation’s CII (a discussion of vulnerabilities in the Internet core), and Red Hat’s Product Security Risk Report, to help readers get started on understanding open source threats and mitigation approaches and strategies. The OpenSSF GitHub repository is also likely to be of great interest. What is the Kiuwan response to the formation of the OpenSSF? Kiuwan welcomes the formation of the OpenSFF and Microsoft’s participation and leadership role in that initiative. Because open source is such an important part of application development, the Kiuwan team is excited to see community initiatives that are focused on improving the security of open source projects. Information and collaboration are key tools in combating the proliferation of security threats. Kiuwan solutions currently supports OWASP, the Open Web Application Security Project, as well as FS-ISAC, the Financial Services Information Sharing and Analysis Center, and is open to additional opportunities for promoting application security. How does Kiuwan acquire open source software vulnerability and security data? Kiuwan draws its OSS data primarily from the NIST NVD (National Institute of Standards and Technology’s National Vulnerability Database), with a handful of additional feeds. How does Kiuwan obtain implementation recommendations and best practices […]
