In an attempt to coalesce the efforts and opinions of numerous players in the open source software (OSS) space, and bring about industry-wide security solutions for open source software, the Linux Foundation has launched the Open Source Security Foundation (OpenSSF).
Open source software faces some unique security challenges as a result of its collaborative development process, and it is therefore “important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency chain,” as the OpenSSF website states. With OSS becoming increasingly pervasive, addressing the security issues around it is likewise becoming increasingly important.
“We are bringing a broader community of initiatives, interests, and resources that have been put into place to tackle the open source security challenge, and bringing those together under one home. We’re trying to come up with a more coordinated response to the massively expanding security challenge around open source software,” said Mike Dolan, senior vice president and general manager of Linux Foundation Projects. “At the end of the day, what the OpenSSF is focused on is helping to improve the upstream open source projects so that they are more easily usable, consumable, supportable, and maintainable as downstream product dependencies or infrastructure dependencies. Whether it’s protocols, specifications, best practices, or interface tooling, all of those things are areas of potential investment by this community, because they’re all trying to help improve the upstream to be a better source to build from.”
The OpenSSF will act as an umbrella organization, with a governing board, a technical advisory committee (TAC), and several independent working groups and projects below them. As with any new endeavor, it is easy to read the list of founding members (in this case, GitHub, Google, IBM, JP Morgan Chase, Microsoft, NCC Group, and Red Hat are listed as the “initiating members” in the OpenSSF founding charter) and see the potential for power grabs and undue influence. After all, although Microsoft and GitHub, as well as IBM and Red Hat, all tout their independence from one another, each pair is in some ways one and the same, with one company the subsidiary of the other.
While both the TAC and the governing board will consist of these seven members initially, Chris Aniszczyk, vice president of strategic and developer programs at the Linux Foundation, says the OpenSSF governance structure, as with any foundation created by the Linux Foundation, is designed to mitigate any such power imbalances.
“The working groups are the key place to focus on where the actual decisions are made. The people making those decisions are the ones who show up, who make a contribution, who are able to build consensus with their peers, from other organizations,” said Aniszczyk in an interview. “It doesn’t matter if they’re part of the initial seven, or if they’re the fifteenth company to join. What matters is who’s showing up, who’s actually making contributions, who’s actually getting the buy-in from their respective peers around the world. That’s what makes the difference. I understand from an outside perspective, it may look like these companies are paying money to certain projects, and so, therefore, they get better standing, but the reality is in the technical projects, we don’t actually tie the membership or any sort of funding level to any real rights in the technical community.”
Currently, those working groups span six specific areas: identifying security threats in open source projects, providing security tooling, providing information around best practices, securing critical projects in the open source supply chain, creating a unified format and process for handling vulnerability disclosure, and providing a method for handling developer identity for those open source projects that wish to use it. Within the working groups themselves, the participants extend far beyond the initial seven founding companies, and Aniszczyk says that, for the moment, they are mostly in the “awkward bootstrapping phase” of determining scope and figuring out how they will all work together.
“The biggest effort initially was just getting folks to come to the table, agree on rules of order and operation, and the initial set of focus areas in the working groups, because everything was very disjointed,” said Aniszczyk. “In the security space, folks tend to be a little more private than maybe other open source focus areas. This is really trying to bring together these security folks, who are generally not necessarily used to working in the open, and putting them under Linux Foundation guardrails.”
This joining together of disparate entities, however, is where many see hope in the creation of the OpenSSF. Not only does the OpenSSF bring together these initiating members, but the list of founding members beyond them is extensive, with ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware among them. Beyond corporate entities, the foundation also coalesces several previous efforts at addressing open source security, with both the Core Infrastructure Initiative (CII) and GitHub’s Open Source Security Coalition (OSSC) joining the OpenSSF and eventually fully dissolving under its umbrella.
Sonatype Chief Technology Officer Brian Fox expressed hope in response to the founding of the OpenSSF, also noting that the Linux Foundation governance would help to bring together competing companies to provide “a scalable cross-industry solution to easily and accurately associate reported vulnerabilities with implicated projects and versions of projects.”
“Earning trust starts with ‘picking up a shovel’ and solving a problem on behalf of a community to help it grow and flourish. Community trust is further amplified when you can muster enough resources to solve really hard problems in a reliable and scalable manner over a period of many years. When leading companies allocate resources to support initiatives like OpenSSF, we view it as good for the community,” said Fox in an email. “Because of the very nature of open source, there will always be questions and potential negatives associated with commercial companies lending their support to initiatives like OpenSSF.”
“Challenge is that the most efficient solution is to standardize on one tool set. To date that has been more challenging but with Git now 95%+ I think we have a chance. The question now becomes what happens if you standardize on a tool set and what if that tool set is not open and controlled by another company,” said Jung.
At the same time, Jung poses the question of potential influence exerted by member companies, citing tooling as a possible inroad.
“The hardest part is going to be, in open source you are always under-resourced. The lure of free stuff is hard to pass up on,” said Jung. “That is going to be the part that is going to be a challenge, because if you need to get it done and someone’s willing to give you something but it’s proprietary, it’s locked in, and it’s not open source, but it helps your project, that’s a hard thing to pass up on. I’m hoping that we can come to some standards that are open, and things can become way more transferable.”
Not Picking Winners
The Linux Foundation’s Dolan did not see the same potential for abuse, noting that “if you look at the initiatives, they’re not picking winners or picking tools that everybody’s going to have to use.” Instead, he said that the emphasis is on tooling-independent best practices, with more of a focus on specifications or interfaces.
“I don’t anticipate that we’ll see them anoint or bless the tool everybody should be using, but maybe focus more on the specifications or the interface that would be open,” he said.
Indeed, best practices and the education around them are where Dolan sees the OpenSSF making some of its biggest strides in the near future, with the foundation being able to provide training that might otherwise be unavailable to those without the deep pockets of a corporate backer.
While the current focus of the OpenSSF is decidedly around security for open source software, Dolan also says that he thinks its effects could extend beyond OSS to open source hardware, and even software in general.
“This isn’t really only about open source. This is about software, and the reality is that a lot of organizations now are totally dependent on open source for their software delivery. It’s interesting because I think this is a space where the ‘open source problem’ is really just a software problem. Open source can help organizations across the world, across industries, figure out a path for how they can solve the broader software problem,” said Dolan. “It’ll be interesting to see where this goes in terms of the applicability beyond just open source software to all software in general. That might be something to look back on in five years and say, ‘What was the real influence of these types of initiatives in the greater software world as well?’”
GitLab, the Linux Foundation and Red Hat are sponsors of The New Stack.
Feature image by Steve Buissinne from Pixabay.