Following security scandals such as SolarWinds and Colonial Pipeline, the White House decided to make software security a priority with a May 2021 executive order. Most recently, the institution decided to join forces with the Open Source Security Foundation (OpenSSF) and The Linux Foundation to request $150 million in funding to address open source’s biggest security challenges over the next two years.
It appears that the US government will not provide money to fund the program, which is why companies such as Amazon, Ericsson, Google, Intel, Microsoft, and VMware have pledged about $30 million in total, while Amazon Web Services (AWS) promised an additional 10 million for its part. Brian Behlendorf, general manager of OpenSSF, told a White House press conference that the intention is not to raise public funds and that they do not see it as necessary for the success of the program.
The program promoted by OpenSSF and The Linux Foundation is designed to achieve the following 10 goals:
- Offer training and basic certification in secure software development.
- Build a public, vendor-independent risk dashboard based on objective metrics for 10,000 open source core components.
- Accelerate the adoption of digital signatures across software releases.
- Fix the root causes of many vulnerabilities by replacing memory-unsafe languages (to some, this may sound like a push to bring Rust into the Linux kernel).
- Establish an OpenSSF Incident Response Team that will be comprised of security experts who can step in to help open source projects at critical times and get them to respond appropriately to a vulnerability.
- Accelerate the discovery of new vulnerabilities by maintainers and experts with advanced security tools. Here the program is likely to face competition from those companies and institutions that prefer to keep zero-days to themselves.
- Conduct reviews and audits of third-party code and any other work once a year to cover the 200 most important open source components.
- Coordinate industry data sharing in a way that improves research to identify the most important open source components.
- Enhance Software Bill of Materials (SBOM) tools and training to drive adoption.
- Enhance ten of the most important open source tools, including build systems, package managers, and distribution systems, with supply chain security best practices and tools.
To improve security, open source security company Chainguard created Sigstore, a standard by which developers can securely sign software artifacts such as files, container images, binaries, and more. Far from being an isolated effort, it is maintained by The Linux Foundation, Red Hat, and Purdue University and has been adopted by Kubernetes.
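The goal of signing software releases, and what a consumer gains from it, is easier to see in code. The following is an added example and is not Sigstore's or Chainguard's own code: Sigstore adds keyless identities and a transparency log on top of this idea, while the snippet below shows only the core mechanism, a release key signing the SHA-256 digest of an artifact and a verifier recomputing that digest from the bytes it actually downloaded. The artifact name and contents are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Artifact is a release file: its name and raw bytes.
type Artifact struct {
	Name string
	Data []byte
}

// Signature bundles what a verifier needs: the digest that was signed and
// the signature bytes over that digest.
type Signature struct {
	Digest [32]byte
	Sig    []byte
}

// SignArtifact hashes the artifact with SHA-256 and signs the digest with the
// release key. Signing the digest rather than the raw bytes keeps the signed
// message small and lets the digest be published alongside the release.
func SignArtifact(priv ed25519.PrivateKey, a Artifact) Signature {
	d := sha256.Sum256(a.Data)
	return Signature{Digest: d, Sig: ed25519.Sign(priv, d[:])}
}

// VerifyArtifact recomputes the digest from the bytes the consumer actually has,
// compares it with the signed digest, and then checks the signature with the
// publisher's public key. Either failure means the artifact must be rejected.
func VerifyArtifact(pub ed25519.PublicKey, a Artifact, s Signature) error {
	d := sha256.Sum256(a.Data)
	if d != s.Digest {
		return errors.New("digest mismatch: artifact bytes differ from what was signed")
	}
	if !ed25519.Verify(pub, d[:], s.Sig) {
		return errors.New("signature invalid: not produced by the expected release key")
	}
	return nil
}

// Demo signs a constructed release, verifies it, then verifies a modified copy
// against the same signature. It returns (genuineOK, modifiedOK, err).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample artifact, not a real release.
	release := Artifact{Name: "tool-1.0.0.tar.gz", Data: []byte("constructed release contents")}
	sig := SignArtifact(priv, release)

	genuineOK := VerifyArtifact(pub, release, sig) == nil

	// Same name and same signature, but the contents were altered after signing.
	modified := Artifact{Name: release.Name, Data: []byte("constructed release contents (altered)")}
	modifiedOK := VerifyArtifact(pub, modified, sig) == nil

	return genuineOK, modifiedOK, nil
}

func main() {
	genuineOK, modifiedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine artifact verifies: %v\n", genuineOK)
	fmt.Printf("modified artifact verifies: %v\n", modifiedOK)
}
```

The design point is that the verifier never trusts the digest shipped with the release on its own: it rehashes the downloaded bytes, and the public key decides whether that digest was really endorsed by the publisher. Key distribution (how a consumer learns which public key to trust) is exactly the problem that Sigstore's identity-based signing and transparency log are meant to solve, and it is left out here.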
The security of software released as open source has been a growing concern in recent decades. Scandals such as Heartbleed and the Apache Log4j vulnerability have shown that many projects do not have the necessary tools to maintain the proper level of security, so such programs are welcome if they really improve the security of the software used by users and the company.
Finally, the White House has a closer relationship with open source than it might seem, to the point of releasing its modules built with Drupal, a CMS that it may or may not still use.