A 10-point plan to improve the security of open source software

The Linux Foundation and the Open Source Software Security Foundation (OpenSSF), with input from executives at 37 companies and many U.S. government leaders, delivered a 10-point plan to broadly address open source and software supply chain security: securing open source software production, improving vulnerability discovery and remediation, and shortening the ecosystem's patching response time.

The ten points can be summarized as follows:

1. Security Education – Deliver baseline secure software development education and certification to all.
2. Risk Assessment – Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
3. Digital Signatures – Accelerate the adoption of digital signatures on software releases.
4. Memory Safety – Eliminate the root cause of many vulnerabilities by replacing non-memory-safe languages with memory-safe ones.
5. Incident Response – Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
6. Better Scanning – Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
7. Code Audits – Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
8. Data Sharing – Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
9. SBOMs Everywhere – Improve SBOM tooling and training to drive adoption.
10. Improved Supply Chains – Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

An open source security plan executed by participating organizations

The plan outlines approximately $150M of funding over two years to rapidly advance well-vetted solutions to the ten major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future.

A subset of participating organizations have come together to collectively pledge an initial tranche of funding towards implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMware, pledging over $30M. As the plan evolves, further funding will be identified, and work will begin as individual streams are agreed upon.

This builds on the existing investments that OpenSSF community members already make in open source software. An informal poll of OpenSSF stakeholders indicates they spend over $110M and employ nearly a hundred full-time equivalent employees focused on nothing but securing the open source software landscape. This plan adds to those investments.

“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” noted Brian Behlendorf, Executive Director at the OpenSSF. “The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”

“Google is committed to supporting many of the efforts we discussed today, including the creation of our new Open Source Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects, and by providing support to the community through updates on key projects like SLSA, Scorecards and Sigstore, which is now being used by the Kubernetes project,” said Eric Brewer, VP of Infrastructure at Google Cloud & Google Fellow.

“Security risks will continue to span all software companies and open source projects and only an industry-wide commitment involving a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact.”

Stephen Chin, Vice President of Developer Relations at JFrog, noted that as a designated CNA (CVE Numbering Authority), the JFrog Security Research team constantly monitors open source software repositories for malicious packages that could lead to widespread software supply chain attacks, and alerts the community accordingly.

“Building on that, JFrog is proud to collaborate with the Linux Foundation and other OpenSSF members on designing a set of technologies, processes, accreditations, and policies to help protect our nation’s critical infrastructure while nurturing one of the core principles of open source – innovation.”