The Open Source Security Foundation (OpenSSF) has launched a project to improve the security of the open source software ecosystem, backed by a $5 million investment from Microsoft and Google.
The Linux Foundation’s announcement of the Alpha-Omega Project follows a meeting with government and industry leaders at the White House in response to the Log4j security incident.
Omega, meanwhile, will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely deployed open source projects.
This means using cloud-scale analysis, manual triaging by security analysts, and confidential reporting to project stakeholders.
A dedicated team of software engineers will work to continually tune the analysis pipeline to cut false positive rates and identify new vulnerabilities.
Solid foundations
“The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part – it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities,” says Eric Brewer, vice president of infrastructure and fellow at Google.
“Enabling automation will be one of the greatest improvements for open source security.”
The Log4j vulnerability – along with many others – has highlighted the fact that open source software is generally highly under-resourced.
And the success of the Alpha-Omega project, says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, will hinge on increasing the number of active contributors working on projects.
“Looking at the GitHub issues list of any popular open source [project], you can see proposals and bug reports that go unaddressed, actions that are symptomatic of a development team that has limited bandwidth to invest in evolving their code,” he says.
“Attracting new contributors to open source projects starts with users of those projects recognizing the value they obtain from open source and investing some of their developer time to ensure sustainability for all of the open source powering their business.”
Source: https://portswigger.net/daily-swig/open-source-security-foundation-launches-new-initiative-to-stem-the-tide-of-software-supply-chain-attacks