Google, Microsoft and others join the Linux Foundation to launch the Open Source Security Foundation in order to improve the security of open source software
Open source software has become commonplace in all kinds of environments. Because of its development process, open source software that reaches end users carries a chain of contributors and dependencies. It is important that those responsible for the security of their users or organization are able to understand and verify the security of this chain of dependencies. Therefore, the Linux Foundation has initiated the creation of the Open Source Security Foundation (OpenSSF). This is a cross-industry collaboration that brings together leaders to improve the security of open source software by building a broader community with targeted initiatives and best practices.
The OpenSSF brings together the industry's leading open source security initiatives and the individuals and companies that support them. The Linux Foundation's Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just some of the projects that will be brought together under the new OpenSSF. The Foundation's governance, technical community and its decisions will be transparent, and all specifications and projects developed will be vendor-independent. The OpenSSF is committed to collaborating and working both upstream and with existing communities to advance open source security for all.
The OpenSSF was created on the premise that security researchers need a mechanism that lets them collaboratively address the methods needed to secure the open source software supply chain. It recognizes that security researchers within organizations around the world have common interests and concerns. OpenSSF facilitates sustained dialogue and project work between private entities, foundations, and universities.
Google, Microsoft and other companies join OpenSSF
The list of initial members includes Google, Microsoft, GitHub, IBM, Red Hat, etc. Azure's CTO, Mark Russinovich, made it clear why open source security should be a community effort:
"Open source software is at the heart of almost every company's technology strategy and securing it is an essential part of securing the supply chain for everyone, including us. With the pervasiveness of open source software, attackers are exploiting vulnerabilities in a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware and IoT.
"Open source software is inherently community-oriented and as such there is no central authority responsible for quality and maintenance. Because source code can be copied and cloned, version management and dependencies are particularly complex. Open source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming project maintainers and introducing malicious software. Given the complexity and community nature of open source software, creating better security must also be a community-led process."
The initial technical initiatives of the OpenSSF will focus on:
- Vulnerability disclosures: the OpenSSF describes its vision as an open source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months. The aim is to create a unified format and API for vulnerability reporting and coordinated disclosure, and to promote its wide adoption.
- Security tools: The declared mission is to provide the best security tools for open source developers and make them universally accessible. The collective would like to create a space where members can collaborate together to improve existing security tools and develop new ones to meet the needs of the wider open source community.
- Identifying security threats to Open Source projects: This is about enabling stakeholders to have an informed confidence in the security of Open Source projects. The collective would like to identify a set of key metrics and create tools (APIs, web user interface) to communicate these metrics to stakeholders, allowing these stakeholders to better understand the security status of individual open source components.
- Security best practices: the objective is to provide open source developers with best practice recommendations.
- Securing critical projects: the objective is to provide audits, assurances, intervention teams, improvements and practical tactical work.
In addition, the OpenSSF will aim to help critical projects get the support they need to ensure their security:
"Whether it's dedicated help from specialized experts or simply providing money or cloud credits, we recognize that no two projects are the same and that support can take many forms. We intend to work with managers at an early stage to understand the help and support they need and then develop scalable processes to make that help available."
Among others, Google and Microsoft have announced their participation in OpenSSF with a particular focus on a number of areas, including shared schemas and metadata to better enforce security best practices; dependency management and risk assessment to map vulnerabilities to specific code versions; build verification tools, such as Tekton Chains; and the use of Developer Identity to associate changes with their authors.
Regarding this last point, it is explained that an attacker could, without much effort, insert malicious code into a popular open source library and carry out an attack. An attacker could do this by looking for a heavily imported package that sits at the bottom of the stack but can still affect communication, perhaps even run with root access, and that is little monitored or not monitored at all.
This type of attack has been done before. For example, hackers have introduced a backdoor into a widely used open source library in order to surreptitiously steal funds stored in bitcoin wallets. The malicious code was inserted in two steps into event-stream, a library that had over two million downloads in 2018 and was used by both Fortune 500 companies and startups.
According to the GitHub discussion that exposed the backdoor, the event-stream developer no longer had time to provide updates. So, several months before this discovery, he accepted help from an unknown developer. The new developer took care to hide the backdoor. In addition to implementing it gradually, he also targeted only the Copay wallet application. The malicious code was also difficult to detect because the flatmap-stream module was encrypted.
The objectives here are therefore to:
- Give open source maintainers a way to work under the name of their choice, representing their true employers in a secure way.
- Give open source projects the tools and infrastructure to verify the identity of their maintainers.
- Give consumers of open source libraries more data to determine the risks of relying on the library.
- Give consumers and maintainers a public registry of those who have implemented changes to an open source software project.
- Respect the privacy of all those involved.
- Give OSS maintainers a better ability to ensure compliance with project governance policies (such as independent approval).
- Provide OSS consumers with tools to detect spikes in activity from unknown committers.
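The last objective is the kind of signal the event-stream takeover would have produced: a committer with no history suddenly landing a burst of commits, some of them touching the dependency manifest. The following check, added here as an illustration and not code from OpenSSF or any of the named projects, runs over a constructed commit log and flags non-established authors whose activity exceeds a threshold inside a trailing window; the author names, dates, thresholds and manifest file list are all assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Files whose modification by an unfamiliar committer deserves a closer look (assumed list).
MANIFESTS = {"package.json", "package-lock.json", "requirements.txt", "go.mod"}

# Constructed sample history: (author, ISO date, files touched). Not the real event-stream log.
COMMITS = [
    ("maintainer", "2018-06-01", ["index.js"]),
    ("maintainer", "2018-06-20", ["README.md"]),
    ("newcomer",   "2018-09-04", ["README.md"]),
    ("newcomer",   "2018-09-05", ["index.js"]),
    ("newcomer",   "2018-09-06", ["package.json"]),  # pulls in a new dependency
    ("newcomer",   "2018-09-07", ["index.js"]),
    ("newcomer",   "2018-09-08", ["package.json"]),
    ("maintainer", "2018-09-09", ["index.js"]),
]

def established_authors(commits, as_of, min_commits=2, min_age_days=90):
    """Authors who, as of `as_of` (ISO date string), have at least `min_commits`
    commits and whose first commit is at least `min_age_days` old."""
    cutoff = date.fromisoformat(as_of)
    first_seen, counts = {}, Counter()
    for author, when, _files in commits:
        d = date.fromisoformat(when)
        if d > cutoff:
            continue
        first_seen[author] = min(first_seen.get(author, d), d)
        counts[author] += 1
    return {a for a, n in counts.items()
            if n >= min_commits and (cutoff - first_seen[a]).days >= min_age_days}

def flag_unknown_spikes(commits, as_of, window_days=7, threshold=3):
    """Non-established authors with at least `threshold` commits in the trailing
    window, together with how many of those commits touched a manifest file."""
    cutoff = date.fromisoformat(as_of)
    start = cutoff - timedelta(days=window_days)
    known = established_authors(commits, as_of)
    activity = {}
    for author, when, files in commits:
        d = date.fromisoformat(when)
        if author in known or not (start < d <= cutoff):
            continue
        entry = activity.setdefault(author, {"commits": 0, "manifest_changes": 0})
        entry["commits"] += 1
        entry["manifest_changes"] += int(any(f in MANIFESTS for f in files))
    return {a: e for a, e in activity.items() if e["commits"] >= threshold}
```

Running `flag_unknown_spikes(COMMITS, "2018-09-09")` reports the newcomer with five commits in the window, two of them changing the manifest, while the long-standing maintainer is never flagged.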
Sources: Microsoft, Google, Tekton Chains, Developer Identity, GitHub, Open Source Security Foundation