A $150 Million Plan to Secure Open-Source SoftwareAreas of Proposed Investments Include SBOMs, Software Supply Chains
The Linux Foundation and the Open Source Security Foundation have put forth a nearly $150 million investment plan, spread across two years, to strengthen open-source security in the United States. The plan was announced at the Open Source Software Security Summit II in Washington, D.C., on Thursday.
It’s unclear how the plan might be funded. Both Linux Foundation and Open SSF declined to immediately respond to Information Security Media Group’s query.
"We are here to respond with a plan that is actionable, because open source is a critical component of our national security, and it is fundamental to billions of dollars being invested in software innovation today. We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself. This plan represents our unified voice and our common call to action," Jim Zemlin, executive director of the Linux Foundation, said at the summit, which was held on the one-year anniversary of President Joe Biden's executive order to strengthen the country's cybersecurity.
The event was attended by 90 executives from 37 companies, representing a cross-section of the open-source developer and commercial ecosystem. The attendees also included executives from federal agencies, including the National Security Council, the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the U.S. Department of Energy and the Office of Management and Budget.
The previous Open Source Software Security Summit, held on Jan. 13, 2022, was led by the White House's National Security Council.
The Linux Foundation and OpenSSF have identified 10 streams of investment for the $150 million, to be spread over two years.
|Investment Area||First Year||Second Year|
|Security education||$4.5 million||$3.45 million|
|Risk assessment||$3.5 million||$3.9 million|
|Digital signatures*||$13 million||$4 million||Memory safety||$5.5 million||$2 million|
|Incident response||$2.75 million||$3.05 million|
|Better scanning||$15 million||$11 million|
|Code audits||$11 million||$42 million|
|Data sharing||$ 1.85 million||$2.05 million|
|Software bills of materials||$3.2 million||TBD|
|Improved software supply chains||$8.1 million||$8.1 million|
*Digital signatures will receive a one-time $10 million push after the first year.
The plan, according to OpenSSF Executive Director Brian Behlendorf, is to "converge a set of ideas and principles of what is broken out there and what we can do to fix it." The 10 investment areas identified, he adds, represent the "10 flags in the ground, as the base for getting started."
The summit "was dedicated to devising an action plan the wider community can adopt that includes a comprehensive portfolio of 10 open-source activity streams focused on hardening the software supply chain," says Stephen Chin, vice president of developer relations at JFrog, a DevOps platform for the software supply chain that was invited to join the summit.
"We believe open-source security will only be successful if we give OSS projects the same tools and services available to enterprises. Access to automated tools and high-quality security databases for open-source projects is essential," he adds.
One of the investment streams that has gained prominence in the past year is software bills of materials, or SBOMs. The plan details a $3.2 million investment in this area in the first year, while the amount for the year beyond is yet to be determined.
The plan announced at the summit acknowledges that enterprises often have no inventory of the software assets they deploy and no data about the components within the software they have acquired. When they consider acquiring new software, enterprises often have no way to measure the risk that its components contain, including known vulnerabilities.
"SBOMs are one of the most critical parts of providing transparency to open-source supply chain vulnerabilities. The challenge today is that building an end-to-end SBOM is like precariously stacking a Jenga tower that is manually constructed and fragile to changes. To be successful, standards and tools need to be automated and integrated like Lego pieces that stack and integrate seamlessly," Chin says.
In their plan, the Linux Foundation and OpenSSF say multiple industries have identified the SBOM as a fundamental building block for solving the open-source security problem. But to suitably address the challenge, the adoption of SBOMs must be widespread, standardized and accurate. "By focusing on tools and advocacy, we can remove the barriers to generation, consumption and overall adoption of SBOMs everywhere. We can improve the security posture of the entire open-source ecosystem: producers, consumers and maintainers," the organizations say
They recommend resourcing a team of developers to improve tooling and bake SBOMs into the most popular software build tooling and infrastructure across all major programming languages.
According to Chin, focusing on boosting the "10 most critical OSS build systems, package managers and distribution systems with better supply chain security tools and best practices will help address vulnerable software repositories - the largest attack vector for enterprise software."