OpenSSF Announces The Alpha-Omega Project To Improve Software Supply Chain Security For 10,000 OSS Projects

Following a meeting with government and industry leaders at the White House, OpenSSF has announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. Microsoft and Google are supporting the Alpha-Omega Project with an initial investment of $5 million. This builds on previous industry-wide investments in OpenSSF aimed at improving open source software security.

Widely deployed OSS projects that are critical to global infrastructure and innovation have become top targets for adversarial attacks. Following new vulnerability disclosures, attacks exploiting them are often seen within hours. For example, recently discovered vulnerabilities in the widely deployed Log4j library forced many organizations into crisis as they raced to update applications using the popular library before adversaries could attack. The Alpha-Omega Project will improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed.

Expert Comments

February 03, 2022
Jason Schmitt
General Manager
Synopsys Software Integrity Group


Supply chain, once an arcane concept in operations management and logistics, has nearly become a household term to explain disruptions in everything from furniture delivery to grocery store shelves, and now even to software security. Open source is no longer the domain of scrappy startups and progressive cloud-based software, but forms a major foundation of all modern software in every sector of our economy. Widely deployed open source projects have become critical to many functions of the economy, from banking to critical infrastructure. The beauty of open source is how its collective, distributed ownership and network of volunteer maintainers results in unbounded creativity, productivity, and innovation when a project reaches critical mass. But with collective ownership of the projects comes collective, yet diffused, ownership for the security of the projects. This risk is passed along to whoever then embeds the open source in their software; the people primarily responsible for open source risk end up being those in the organizations that bring these software components into their own software. They adopt the responsibility for security risk along with the open source projects.

There are pockets of expertise in proactively managing open source risk, whether from license rights or security threats, in many advanced software development organizations and well-funded, mature cybersecurity programs. Yet open source, and the risks that go along with its usage, have rapidly become mainstream far faster than security assurance within the projects themselves. The Alpha-Omega Project’s efforts to bring this security assurance expertise and automation to the source of these widely used projects are a welcome development in bringing proactive risk management to the headwaters of these software supply chains.

February 03, 2022
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys


While improving overall security of software, be it open source or commercial, should be a priority for all development teams, this initiative works best by increasing the number of active contributors working on projects. Automated testing of code will naturally uncover issues, and those issues will need to be resolved. Without an increase in contributors, there will be an expectation that the current team will work to resolve identified issues. Such expectations stem from a roadmap-driven and product-manager-led paradigm common with commercial software development teams, wherein customers identify areas of improvement and, in exchange for licensing fees, they then expect the commercial software team to address those areas of improvement. Looking at the GitHub issues list of any popular open source project, you can see proposals and bug reports that go unaddressed, actions that are symptomatic of a development team that has limited bandwidth to invest in evolving their code. Attracting new contributors to open source projects starts with users of those projects recognizing the value they obtain from open source and investing some of their developer time to ensure sustainability for all of the open source powering their business. After all, risks present in any software impact the businesses using that software, and business leaders should always be looking for strategies to reduce business risk.
