OpenSSF announced new membership commitments to advance open source security education and best practices. New members include Accurics, Anchore, Bloomberg Finance, Cisco Systems, Codethink, Cybertrust Japan, OpenUK, ShiftLeft, Sonatype and Tidelift.
Open source software (OSS) has become pervasive in data centers, consumer devices and services, reflecting its value to technologists and businesses alike. Because of how it is developed, open source passes through a chain of contributors and dependencies before it ultimately reaches its end users. It is important that those responsible for a user’s or organization’s security are able to understand and verify the security of this dependency supply chain.
“The massive support we’re seeing for the OpenSSF and its initiatives is a reflection of the industry-wide commitment to secure open source software,” said Kay Williams, Governing Board Chair, OpenSSF, and Supply Chain Security Lead, Azure Office of the CTO, Microsoft. “We welcome the latest OpenSSF new members and look forward to their contributions.”
Scorecard 2.0 is also available now; it adds new security checks, scales up the number of projects being scored, and makes the resulting data easily accessible for analysis. The Scorecard is gaining adoption for automating analysis and trust decisions on the security posture of open source projects.
The OpenSSF is a cross-industry collaboration that brings together technology leaders to improve the security of OSS. Its vision is to create a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course.
Its working groups include Securing Critical Projects, Security Tooling, Identifying Security Threats, Vulnerability Disclosures, Digital Identity Attestation, and Best Practices.
OpenSSF has more than 45 members and associate members contributing to working groups, technical initiatives and the governing board, and helping to advance open source security best practices.
“As maintainers of multiple open source projects and a vendor working to help organizations secure their software supply chains, the current security challenges are ever present for us. Joining the OpenSSF enables us to work across the wider community to develop best practices and ensure that everyone benefits from this coordinated industry effort,” said Neil Levine, Vice President of Product at Anchore.
“As a global technology leader, Cisco has a responsibility to ensure the software that the world builds, deploys, and interacts with is secure to use, without compromising the user experience,” said Stephen Augustus, head of open source at Cisco. “Cisco is delighted to openly collaborate with the OpenSSF member organizations to define policy and deliver tooling that helps organizations build and run secure applications.”
“As a software consultancy trusted by our clients to provide impartial advice when choosing software to depend on, and processes to adopt, Codethink is pleased to join the OpenSSF to help to promote Open Source solutions to our clients and secure the future of those solutions openly and collaboratively. Codethink has long been a proponent of the use of Open Source software in industry, and in promoting participation as a way to mitigate risk. With the OpenSSF, we see many possible avenues to furthering these goals to the benefit of all,” said Javier Jardón, Head of Automotive Strategy at Codethink.
“Cybertrust Japan, a developer of embedded Linux for industrial use, is pleased to join the OpenSSF based on its agreement with the activities that continuously promote the security of OSS by gathering community-centric and cross-industry participants. We are looking forward to contributing to the open source community through our involvement with the OpenSSF and its working groups, utilizing our secure technology regarding our Linux OS for IoT devices and our trust services that protect the IoT lifecycle with a trust chain,” said Yasutoshi Magara, President & CEO, Cybertrust Japan.
“Open Technology plays a vital role in the global economy, powering services like cloud computing. It has a good reputation for software quality, stability and security, but inevitably there are issues discovered over time. Where open source has an advantage is how organisations collaborate, improve code and work together to manage notifications and updates to all the community members and users involved around a project’s ecosystem. OpenUK is pleased to join the OpenSSF and help the development and adoption of best practices for companies, communities and users within the software supply chain,” said Amanda Brock, CEO and Chief Policy Officer, OpenUK.
“We are honored to have been accepted into the Open Source Security Foundation, and support their vision to create a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course,” said Chetan Conikee, CTO, ShiftLeft. “Like many of our customers, ShiftLeft has benefited greatly from leveraging open source software to build our differentiated products and features. This new juncture further strengthens our commitment of giving back to the community by empowering organizations with code, enabling them with the ability to build and run secure applications.”
“As the maintainers of the largest repository of open source components in Maven Central, we have a unique view into how great the demand for open source has become in recent years. However, as that demand has grown, bad actors have recognized the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this new battle,” said Brian Fox, CTO of Sonatype.
“One of our key missions at Sonatype is to help organizations continuously harness all of the good that open source has to offer, without any of the risk, and OpenSSF and its members share a similar vision. We’re thrilled to officially join OpenSSF and collectively work with other members to keep open source ecosystems safe and secure, as we all figure out how to battle both new and old attacks on the community.”
“Open source has become the de facto development platform, providing the building blocks for the majority of modern applications. Yet most organizations struggle to effectively manage the health and security of their open source software supply chain. We look forward to collaborating with the members of the OSSF and our open source maintainer partners to proactively make open source software more secure for everyone,” said Donald Fischer, CEO and co-founder, Tidelift.