Open source software offers practical benefits to developers, professionals and companies: access to the source code and the possibility of using and modifying it without license restrictions. Beyond the ethical or freedom questions that usually accompany it, open source is today a gigantic incubator of innovation that accelerates the development of entire industries and creates de facto standards in world technology. But like every other model of software creation, it needs to improve security at every end.
Last year, the administration of President Biden issued an executive order to improve the cybersecurity of the software supply chain. It was the response to incidents such as SolarWinds (described as the most serious breach of the century) and the ransomware attack on the Colonial Pipeline infrastructure that forced the shutdown of oil and gas distribution in part of the United States.
Picking up the baton of the executive order, the Open Source Security Foundation (OpenSSF) and the Linux Foundation accepted the challenge of improving the security of open source software throughout the supply chain, requesting $150 million in funding over two years.
Some of the big tech companies that are part of those organizations (Amazon, Ericsson, Google, Intel, Microsoft and VMware) have already committed funds to this program, and others such as AWS have pledged additional funding.
Open Source Software Security: 10 Goals
The general director of OpenSSF, Brian Behlendorf, went to the White House to secure the executive branch's support for a plan in which the open source industry commits to the following objectives, as described on ZDNet:
- Security education: basic education and certification on secure software development for everyone.
- Risk assessment: establish a public, vendor-neutral risk assessment panel based on objective metrics for the 10,000+ major open source software (OSS) components.
- Digital signatures: accelerate the adoption of digital signatures on all software releases.
- Memory safety: eliminate the root causes of many vulnerabilities by replacing languages that are not memory safe.
- Incident response: establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times and in response to a vulnerability.
- Better scanning: accelerate the discovery of new vulnerabilities by maintainers through advanced security tools and expert guidance.
- Code audits: perform third-party code reviews (and any necessary remediation work) on up to 200 of the most critical OSS components once a year.
- Data exchange: coordinate data sharing across the industry to enhance the research that determines which OSS components are most critical.
- Software Bill of Materials (SBOM): improve SBOM tools and training to drive adoption.
- Supply chain: enhance the top 10 critical open source build systems, package managers and distribution systems with best practices and better security tools across the supply chain.
The program described is as ambitious as it is complex, and it will require a great deal of investment, time and work from the parties involved, especially from the large companies that take advantage of open source (and earn money from it) for advanced tasks such as application deployment, data analysis or distributed communication, whose scope would be impossible today on the basis of proprietary software.
ZDNet cites Linux, the most important of all open source projects, as an example of this complexity. The C language used for the Linux kernel carries vulnerabilities within it, and although some sections, such as memory handling, are being written in the safer Rust, it would take years or decades to change its almost 28 million lines of code.
Other components are being replaced successfully, for instance with Sigstore, proposed by Chainguard. It is a Linux Foundation project, supported by Google and Red Hat, that lets developers securely sign their software: release files, container images, binaries, BOM manifests and more.
Kubernetes, the open source system for automating the deployment, scaling and management of containerized applications, already uses it to simplify the adoption of secure digital signatures for its code.
But much remains to be done. “While open source has always been seen as a seed for modernization, the recent rise in attacks on the software supply chain has shown that we need a more robust process for validating source code and repositories,” they explain.
And as the OpenSSF maintainer said, there will always be bugs to discover and fix: “Software will never be perfect. The only software without bugs is software with no users.” At least the open source software industry has a plan to improve its delivery throughout the supply chain.
And it is important. The value of Open Source is simply incalculable and the tech industry couldn’t function without its values of developer review, transparency, reliability, flexibility, lower costs, open collaboration, and no vendor lock-in.