OpenSSF announces Alpha-Omega Project to improve global OSS supply chain security
Following a meeting with government and industry leaders at the White House, OpenSSF announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing.
Microsoft and Google are supporting the Alpha-Omega Project with an initial investment of $5 million. This builds on previous industry-wide investments into OpenSSF aiming to improve open source software security.
Widely deployed OSS projects that are critical to global infrastructure and innovation have become top targets for adversarial attacks. Once a new vulnerability is disclosed, exploitation attempts can be seen within hours. For example, the recently discovered vulnerabilities in the widely deployed Log4j library forced many organizations into crisis as they raced to update applications using the popular library before adversaries could exploit them.
The Alpha-Omega Project aims to improve global OSS supply chain security by systematically looking for new, as-yet-undiscovered vulnerabilities in open source code, and then working with project maintainers to get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.
“We must recognize open source software as a vital component of critical infrastructure for modern society and therefore take every measure necessary to keep it and our software supply chains secure,” said Brian Behlendorf, General Manager, OpenSSF. “Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities. This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.”
Alpha: Focusing on the most critical OSS projects
Alpha will be collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.
For these selected projects, Alpha team members will provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.
Alpha will track a series of important metrics, giving stakeholders a better understanding of the security of the open source projects they depend on. The public will receive a transparent, standardized view of each project’s security posture and compliance with security best practices.
Omega: Focused on the long tail of OSS projects
Omega will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings) and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega will have a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.
Omega software engineers will also provide suggestions on how to automate the detection of security vulnerabilities in the future and, more generally, on efficient ways to implement security best practices.
Microsoft and Google’s support of the Alpha-Omega Project with an initial investment of $5 million will jump start the initiative. The OpenSSF encourages all individuals and organizations wanting to support Alpha-Omega to participate in its Securing Critical Projects working group.
“The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part—it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities,” stated Eric Brewer, VP of Infrastructure and Fellow at Google. “Enabling automation will be one of the greatest improvements for open source security.”
“At Microsoft, we proudly support OpenSSF and the Alpha-Omega Project. Open source software is a key part of our technology strategy, and it’s essential that we understand the security risk that accompanies all of our software dependencies,” offered Mark Russinovich, Chief Technology Officer, Microsoft Azure. “Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities. We look forward to collaborating with industry partners and the open source community on this important initiative.”