Uniting for better open-source security: The Open Source Security Foundation

We can make open-source software safer and more secure when we all work together.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Eric S. Raymond, one of open-source's founders, famously said, "Given enough eyeballs, all bugs are shallow," which he called "Linus's Law." That's true. It's one of the reasons why open-source has become the way almost everyone develops software today. That said, it doesn't go far enough. You need expert eyes hunting and fixing bugs and you need coordination to make sure you're not duplicating work. 
So, it is well past time that The Linux Foundation started the Open Source Security Foundation (OpenSSF). This cross-industry group brings together open-source leaders by building a broader security community. It combines efforts from the Core Infrastructure Initiative (CII), GitHub's Open Source Security Coalition, and other open-source security-savvy companies such as GitHub, GitLab, Google, IBM, Microsoft, NCC Group, OWASP Foundation, Red Hat, and VMware.
Since open source has become vital to technology and affects all users, the open-source supply chain of contributors and dependencies must have its security verified from start to finish. The OpenSSF will start doing that by unifying existing open-source security initiatives: CII, which was founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition.
Jamie Cool, GitHub's VP of Product Management, Security, said in a statement: 

"GitHub founded the Open Source Security Coalition in 2019 to bring together industry leaders around this mission and ensure the consumption of open source software is something that all developers can do with confidence. We look forward to this next step in the evolution of the coalition, and serving as a founding member of the Open Source Security Foundation."

Microsoft, once an open-source enemy, is also throwing its resources behind the new foundation. Mark Russinovich, Microsoft Azure's Chief Technology Officer, blogged, "As open source is now core to nearly every company's technology strategy, securing open-source software is an essential part of securing the supply chain for every company, including our own. As with everything open source, building better security is a community-driven process."

Russinovich also spelled out what you can expect to see from the OpenSSF:

Identifying security threats to open-source projects

Helping developers to better understand the security threats that exist in the open-source software ecosystem and how those threats impact specific open source projects.

Security tooling

Providing the best security tools for open source developers, making them universally accessible, and creating a space where members can collaborate to improve upon existing security tooling and develop new ones to suit the needs of the broader open source community.

Security best practices

Providing open-source developers with best practice recommendations, and with an easy way to learn and apply them. Additionally, we have been focused on ensuring best practices will be widely distributed to open source developers and will leverage an effective learning platform to do so.

Vulnerability disclosure

Creating an open-source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.

Red Hat, a leading Linux and cloud company, agrees. Chris Wright, Red Hat's CTO, said, "Now, more than ever, is the time for us to join together with other leaders to help ensure key projects are secure and consumable in our products, across enterprises, and as part of the hybrid cloud. We are excited to help found this Open Source Software Foundation."

"We believe open source is a public good and across every industry, we have a responsibility to come together to improve and support the security of open-source software we all depend on," concluded Jim Zemlin, The Linux Foundation's executive director. "Ensuring open-source security is one of the most important things we can do and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort."
Moving forward, the Foundation's governance, its technical community, and its decisions will be handled transparently. In addition, all resulting specifications and projects will be vendor-agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open-source security for all.
The group will use an open governance model. This includes a Governing Board (GB), a Technical Advisory Council (TAC), and separate oversight for each working group and project. OpenSSF intends to host open-source security initiatives on GitHub.