Alpha-Omega Dishes out Cash to Secure Open Source Projects
Securing software supply chains isn’t easy technically. But you already knew that. Many new security programs and projects, such as Sigstore, Supply-Chain Levels for Software Artifacts (SLSA, pronounced “salsa”), and Software Bill of Materials (SBOMs), are being improved and fine-tuned every day. But there’s another major security issue: Who pays for all those security improvements? One answer for high-level, open source projects is Google, Microsoft, and the Open Source Security Foundation (OpenSSF)‘s Alpha-Omega Project.
This project’s job is to “improve global open source software supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open-source code” and then fix them, according to project documentation.
Part of Alpha-Omega’s work is technical. At the recent Open Source Summit Europe in Dublin, its security team announced the release of the first version of the Omega Analysis Toolchain. This program orchestrates over 27 different security analyzers to identify critical security vulnerabilities in open source packages. This program was launched by Microsoft and donated to OpenSSF. It’s already proved useful. It’s been used to identify the CVE-2022-32222 and CVE-2022-38018 vulnerabilities. It’s also been used with the OpenSSF Security Reviews project to experiment with a “fully automated security review.”
The Omega Analysis Toolchain is still a very new project. More work will be done with it. And, given its nature, it will always be constantly updated. As the saying goes, “security is a process and not a project.
As Eric Brewer, Google VP of Infrastructure, said, “The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part — it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities. Enabling automation will be one of the greatest improvements for open source security.” The Omega Analysis Toolchain is the first of these automated security tools to see the light of day. There will be more.
In the meantime, Alpha-Omega is also sponsoring critical security work with a $460K grant to the Rust Foundation, a $300K to Node.js, and a $400K grant for the Eclipse Foundation. The goal, while different in the fine details, is always the same at the top level: Improve security.
Because no matter how much we all think security is important until someone is willing to pay for it, nothing gets done. By pouring cash into securing these major projects, the Alpha-Omega project is doing as much, or more, as the latest technical security improvements, to improve overall software security.