The Linux Foundation announced the creation of the Open Source Security Foundation (OpenSSF) as the latest initiative to improve software security.
OpenSSF is a cross-industry collaboration that brings together industry leaders to work on targeted initiatives and best practices, forming a broader community aimed at improving the security of open source software. It combines the efforts of the Core Infrastructure Initiative and GitHub's Open Source Security Coalition.
The new foundation's governing board founding members include GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, the OWASP Foundation and Red Hat, among other open source security organizations. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.
OpenSSF's membership spans the industry's most important open source security initiatives and the individuals and companies that support them. The Linux Foundation's Core Infrastructure Initiative (CII), which was set up in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, formed by the GitHub Security Lab, are just two of the projects that will be brought together under OpenSSF.
According to the LF, the foundation's governance, its technical community and its decisions will be transparent, and any specifications and projects it develops will be vendor agnostic. OpenSSF is committed to collaborating and working with upstream and existing communities to advance open source security for all.
Open source software has become commonplace in data centers, consumer devices and services. It is used by technologists and businesses alike.
Cross-industry effort
Because of the way it evolves, open source software that ultimately reaches end users arrives through a chain of contributors and dependencies. In stating the need for this new initiative, LF officials said it is important that those responsible for the security of their customers or organizations understand and validate the security of that dependency chain.
Jim Zemlin, Executive Director of the Linux Foundation, said, "We believe that open source is a public good, and across every industry we have a responsibility to come together to improve the security of the open source software we all rely on."
"Ensuring open source security is one of our most important tasks, and we all need to cooperate in this effort around the world. OpenSSF is a truly collaborative, cross-industry effort to bring this forum together."
OpenSSF is built around an open governance structure that includes a governing board, a technical advisory council, and separate oversight for each working group and project.
OpenSSF plans to host open source technical initiatives to support the security of the world's most important open source software, all of which will be done openly on GitHub.
No expansion intention
The LF already has several subgroups and special communities under its umbrella. According to Chris Aniszczyk, vice president of strategic programs at the Linux Foundation, there are no plans to add more on account of OpenSSF.
"It's less about building a new organization than consolidating multiple efforts across the industry and LF," he told LinuxInsider.
The Core Infrastructure Initiative was funded largely through grants. OpenSSF, he explained, will instead be supported through Linux Foundation membership commitments, with individual initiatives funded by the organizations that choose to back them. CII intends to provide OpenSSF with resources and experience and is working through the project-approval process required by the OpenSSF technical advisory council (TAC).
The organization is bootstrapping, so its first order of business is holding its first governing board, technical advisory council and working group meetings this month. The best way to get involved, he said, is to attend one of the working group meetings.
Game plan
OpenSSF will pursue an initial set of activities, Aniszczyk noted. The agenda calls for six main areas of work.
Timely vulnerability disclosure is the vision for the open source software ecosystem. The window between discovering a vulnerability, fixing it and deploying the fix across the ecosystem needs to be measured in minutes, not months. To this end, OpenSSF seeks to create a unified format and API for vulnerability reporting and coordinated disclosure, and to drive campaigns for its widespread adoption.
Security tooling is a core mission. The goal is to provide the best security tools to open source developers and make them universally accessible.
"We want to create a place where members can improve existing security tooling and develop new tooling to meet the needs of the broader open source community," Aniszczyk said.
Identifying security threats to open source projects is another important goal.