Open source software offers practical benefits to developers, professionals and companies: access to the source code and the freedom to use and modify it without licensing restrictions. Beyond the ethical and freedom arguments that usually accompany it, open source is now a giant incubator of innovation; it accelerates the development of entire industries and sets de facto standards across world technology. But, like any other software development model, it needs to improve security at every link in the chain.
Last year, President Biden's administration issued a far-reaching executive order to improve the cybersecurity of the software supply chain. It was a response to incidents such as SolarWinds (classified as the most serious breach of the century) and the ransomware attack on Colonial Pipeline's infrastructure, which forced the shutdown of oil and gas distribution in part of the United States.
Taking up the executive order's call, the Open Source Security Foundation (OpenSSF), a Linux Foundation project, committed to improving the security of open source software throughout the supply chain and requested $150 million in funding over two years.
Some of the major technology companies that belong to these organizations (Amazon, Ericsson, Google, Intel, Microsoft and VMware) have already committed funding for this program, and others such as AWS have pledged additional funding.
Open source software security: 10 goals
OpenSSF CEO Brian Behlendorf went to the White House to secure executive support for a plan in which the open source industry commits to the following goals, as described by ZDNet:
- Security education: Basic education and certification in secure software development for everyone.
- Risk assessment: Create a vendor-neutral, public risk assessment dashboard based on objective metrics for more than 10,000 major open source software (OSS) components.
- Digital signatures: Speed up the adoption of digital signatures on all software releases.
- Memory safety: Eliminate the root causes of many vulnerabilities by replacing languages that are not memory-safe.
- Incident response: Establish an OpenSSF Open Source Security Incident Response Team of security experts who can assist open source projects at critical moments and in responding to vulnerabilities.
- Better scanning: Faster detection of new vulnerabilities by maintainers through advanced security tools and expert guidance.
- Code audits: Once a year, conduct third-party code reviews (and any necessary remediation work) on up to the 200 most critical OSS components.
- Data sharing: Industry-wide coordination of data sharing to improve the research that identifies the most critical OSS components.
- Software BOM: Improve SBOM tools and training to drive adoption.
- Supply chain: Improve the 10 most critical open source build systems, package managers and distribution systems with best practices and better security tools throughout the supply chain.

Ambitious goals
The program described is as ambitious as it is complex, and it will require a great deal of investment, time and work from stakeholders, especially from the large companies that benefit from (and make money on) advanced workloads such as application deployment, data analysis or distributed communications, which would not be possible today if they were built on proprietary software.
ZDNet cited Linux, the most important open source project of all, as an example of this complexity. The C language used for the Linux kernel is a recurring source of vulnerabilities, and although some sections are being written in the more memory-safe Rust, it would take years or decades to convert its nearly 28 million lines of code.
Other pieces are being put in place successfully, such as Sigstore, designed by Chainguard. It is a Linux Foundation project, backed by Google and Red Hat, that lets developers securely sign their software artifacts: release files, container images, binaries, BOM manifests and more.
Kubernetes, an open source system for automating the deployment, scaling and management of containerized applications, already uses it to ease the adoption of secure digital signatures for its code.
However, much remains to be done. “While open source has always been seen as a germ of modernization, the recent rise in attacks on the software supply chain has shown that we need a more robust source and storage validation process,” they explain.
And as the OpenSSF administrator said, there will always be bugs to be discovered and fixed: “Software will never be perfect. The only software without errors is software without users.” The open source software industry now at least has a plan to improve security throughout its supply chain.
And that matters. The value of open source is simply incalculable, and the technology industry could not function without what it brings: developer peer review, transparency, reliability, flexibility, lower costs, open collaboration and no vendor lock-in.