At the second Open Source Software Security Summit, which brought together tech industry leaders as well as representatives of key U.S. federal agencies, The Linux Foundation and Open Source Security Foundation (OpenSSF) outlined a 10-point plan to address open source software supply chain security.
The Open Source Software Security Mobilization plan describes open source software (OSS) as “a form of digital public good, creating wealth and capability for society as a whole in a continuously renewing form” and calls on public and private sectors to “work together to meet the collective security and safety needs of citizens and stakeholders.”
The plan lists 10 streams of investment and outlines “approximately $150M of funding over two years to rapidly advance well-vetted solutions,” according to the announcement.
The investment streams fall under three main goals, which were discussed at the previous summit:
- Securing open source software production
- Improving vulnerability discovery and remediation
- Shortening ecosystem patching response time
The plan details the 10 streams as follows:
- Stream 1: Deliver baseline secure software development education and certification to all.
- Stream 2: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
- Stream 3: Accelerate the adoption of digital signatures on software releases.
- Stream 4: Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
- Stream 5: Establish the OpenSSF Open Source Security Incident Response Team, a team of security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
- Stream 6: Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
- Stream 7: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
- Stream 8: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
- Stream 9: SBOM everywhere: improve SBOM tooling and training to drive adoption.
- Stream 10: Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.
“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” says Behlendorf. “The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”
This plan is part of ongoing work done in response to the Biden administration’s executive order issued in May of 2021, which called for “bold changes and significant investments” and specifically mentioned the need for companies to provide a Software Bill of Materials (SBOM) as part of their efforts to improve software supply chain security.
- Key Convener Releases Plan for Securing Open Source Software with White House from Next.gov
- Software Security Guidance Issued by NIST from FOSSlife
- Tech giants pledge $30M to boost open source software security from TechCrunch
- Testimony to the U.S. House Committee on Science and Technology from OpenSSF