The first among (hopefully) many also includes GitHub, JPMorgan Chase, NCC Group, the Open Web Application Security Project (OWASP) and Red Hat. In its construction, OpenSSF is an amalgamation of the Core Infrastructure Initiative (CII), the Open Source Security Coalition (OSSC) and other open source security efforts focused on building a broader community, targeted initiatives and best practices, the members said.
Securing open source software is vital to safeguarding the supply chain, said Mark Russinovich, Microsoft Azure chief technology officer, in a blog post. “With the ubiquity of open source software, attackers are currently exploiting vulnerabilities across a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware and IoT,” he said.
Microsoft said it will move several open-source security initiatives it is working on with OSSC to the OpenSSF, including efforts to help identify security threats to open source projects, security tooling, best practices and vulnerability disclosure.
On security threats.
Help developers better understand the security threats that exist in the open-source software ecosystem and how those threats affect specific open source projects.
On security tooling.
Make the best security tools for open source developers universally accessible. Create a space where members can collaborate to improve existing security tooling and develop new tools for the broader open source community.
On security best practices.
Provide open-source developers with best practice recommendations and a path to learn and apply them, ensure the recommendations are widely distributed, and establish an effective learning platform.
On vulnerability disclosure.
Create an open-source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.
Given the “complexity and communal nature” of open source software, building better security must be a “community-driven process,” Russinovich said. Open-source software is “vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware.”
Future OpenSSF projects include securing critical open source projects (assurance, response), developer identity and bounty programs for open-source security bugs, Russinovich said.
The CII will continue to contribute resources and experience to the OpenSSF, but in the long term it will dissolve, with its work continuing under the OpenSSF umbrella. All of the OSSC members and their projects will now be part of the OpenSSF.