The OpenSSF has announced the Alpha-Omega Project, which aims to improve the security of the open source software (OSS) supply chain through direct engagement with project maintainers, software security experts, and automated security testing.
Critical OSS projects have become prime targets for attack, with the recent Log4j exploit, for example, garnering national security attention and sparking a high-profile White House meeting attended by leaders of major tech companies.
The Alpha-Omega Project, formed in the wake of that meeting, will work directly with project maintainers “to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed,” according to the announcement.
The “Alpha” portion of the project will be collaborative in nature, working “with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture.”
The “Omega” portion will take a broader view, identifying “at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.”
Microsoft and Google are initially investing $5 million in the Alpha-Omega Project, according to the announcement. All individuals and organizations interested in the project are encouraged to participate in the OpenSSF’s Securing Critical Projects working group.