LOS ANGELES, Oct. 13, 2021 /PRNewswire/ -- KubeCon – The
Linux Foundation, the nonprofit organization enabling mass
innovation through open source, today announced it has raised
$10 million in new investments to
expand and support the Open Source Security Foundation (OpenSSF), a
cross-industry collaboration that brings together multiple open
source software initiatives under one umbrella to identify and fix
cybersecurity vulnerabilities in open source software and develop
improved tooling, training, research, best practices and
vulnerability disclosure practices. Open source luminary
Brian Behlendorf will serve the
OpenSSF community as General Manager.
Industry leaders from technology, financial services, telco and
cyber sectors respond to Biden's Executive Order
Financial commitments from Premier members include Amazon,
Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub,
Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley,
Oracle, Red Hat, Snyk and VMware. Additional commitments come from
General members Aiven, Anchore, Apiiro, AuriStor, Codethink,
Cybertrust Japan, Deepfence, Devgistics, DTCC, GitLab, Goldman
Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift and Wind River.
"This pan-industry commitment is answering the call from the
White House to raise the baseline for our collective cybersecurity
wellbeing, as well as 'paying it forward' to open source
communities to help them create secure software from which we all
benefit," said Jim Zemlin, executive
director at the Linux Foundation. "We're pleased to have
Brian Behlendorf's leadership and
extensive expertise on building and sustaining large communities
and technical projects applied to this work. With the tremendous
growth and pervasiveness of open source software, building
cybersecurity practices and programs that scale is our biggest task
at hand."
According to industry reports ("2021 State of the Software
Supply Chain," by Sonatype), software supply chain attacks have
increased 650 percent and are having a severe impact on business
operations. In the wake of increasing security breaches, ransomware
attacks and other cybercrimes tied to open source software,
government leaders around the world are calling for private and
public collaboration. Because open source software makes up at
least 70 percent of all software ("2020 Open Source Security and
Risk Analysis Report" by Synopsys), the OpenSSF offers the natural,
neutral and pan-industry forum to accelerate the security of the
software supply chain.
"There has never been a more exciting time to work in the open
source community, and software supply chain security has never
needed more of our attention," said Brian
Behlendorf, general manager, Open Source Security
Foundation. "There is no single silver bullet for securing software
supply chains. Research, training, best practices, tooling
and collaboration require the collective power of thousands of
critical minds across our community. Funding for OpenSSF gives us
the forum and resources to do this work."
The OpenSSF is home for a variety of open source software, open
standards and other open content work for improving security.
Examples include:
- Security Scorecard - a fully automated tool that assesses a number of important heuristics ("checks") associated with software security
- Best Practices Badge - a set of Core Infrastructure Initiative best practices for producing higher-quality secure software, with a way for OSS projects to demonstrate through badges that they are following them
- Security Policies - Allstar provides a way to set and enforce security policies on repositories or organizations
- Framework - Supply-chain Levels for Software Artifacts (SLSA) delivers a security framework for increasing levels of software supply chain integrity
- Training - free secure software development fundamentals courses educating community members on how to develop secure software
- Vulnerability Disclosures - a guide to coordinated vulnerability disclosure for OSS projects
- Package Analysis - looks for malicious software in OSS packages
- Security Reviews - a public collection of security reviews of OSS
- Research - studies on open source software and critical security vulnerabilities conducted in association with the Laboratory for Innovation Science at Harvard (LISH) (e.g., a preliminary census and FOSS Contributor Survey)
For more information about OpenSSF, please visit:
https://openssf.org/
Premier Member Quotes
AWS
"Open source software plays an increasingly crucial role across the
whole landscape of information security. Convening industry leaders
to invest in developing policies, practices, tooling, and education
around open source security benefits us all. AWS was a founding
member of the Core Infrastructure Initiative in 2014, and we will
now build on the relationships and investments that continue the
mission by joining OpenSSF as a Premier Member. With our partners
in this initiative, and as active participants in many open source
communities, we will help raise the bar in the security of open
source software," said Mark Ryland,
Director of the Office of the CISO at AWS.
Cisco
"OpenSSF will enable the community, across
industries, to build tools and practices to
secure the software supply chain for open source and
beyond. This is crucial to the future of
API and application security, which
are fast becoming a primary attack vector for
all business going forward," says Vijoy Pandey, VP
of Emerging Technologies & Incubation at Cisco. "At Cisco,
we believe the application experience is the new brand, which
demands better app velocity, trust, security, and
availability. This belief drives our deep investment in application
security and full-stack observability, which is why joining forces
with this prestigious foundation and group as a trusted advisor and
partner was a no-brainer for us."
Dell Technologies
"The Linux Foundation's focus on security is fundamental to
addressing the increasing risks associated with software," said
John Roese, Dell Technologies'
Global Chief Technology Officer. "The Open Source Security
Foundation's work will help us collectively make sure critical
software programs and the end-to-end software delivery pipeline are
secure and trustworthy."
Ericsson
"As a leader in mobile communication, pioneering and driving 5G
globally, security is at the core of the network infrastructure we
build and deliver to our customers. In an industry increasingly
built around open source and open standardization we are fully
committed to addressing cybersecurity vulnerabilities in a
collaborative effort. We are proud to join the Open Source Security
Foundation as a founding member and we look forward to continuing to
work with the community and wider industry for a secure software
supply chain, including the open source components," says Erik
Ekudden, Senior Vice President and Chief Technology Officer,
Ericsson.
Fidelity
"Open Source Software plays a critical role in Fidelity's
technology strategy. We are proud to be part of the Open Source
Security Foundation and to work with others to ensure that Open
Source solutions and their supply chains are safe, secure, and
reliable, enabling Fidelity to better serve our customers and
clients," said John Andrukonis, SVP,
Fidelity Application Architecture.
GitHub
"The world runs on software, and most of that software includes and
relies on open source," said Mike
Hanley, Chief Security Officer at GitHub. "As the home to
more than 65 million developers around the world, we're excited to
continue partnering across the open source community and with other
Open Source Security Foundation members to power a more secure,
trustworthy future that will benefit everyone."
Google
"We are doubling down on our OpenSSF commitment in the wake of
rising open source software supply chain attacks and President
Biden's Executive Order," said Eric
Brewer, vice president of infrastructure and fellow at
Google. "This decision is part of our White House pledge to spend
$100 million to fund open source
security foundations and follows a variety of investments we've
made to support developers and security engineers across the public
and private sectors. The OpenSSF is the best place for
cross-industry leadership for these very challenging topics, and we
look forward to working with the US and other governments to
improve security worldwide."
IBM
"IBM is deeply focused on developing and building highly secure
hybrid cloud, AI and quantum-safe technologies that are designed to
protect our clients' most sensitive workloads both today and into
the future," said Jamie Thomas,
General Manager, Strategy & Development and IBM Enterprise
Security Executive. "As a long-time open source leader, IBM looks
forward to working with the OSSF, our industry partners and open
source communities towards addressing the ever increasing challenge
of hardware and software open source supply chain security."
Intel
"As a long-standing member of the open source software community,
Intel contributes daily in the upstream projects we collaborate
with," said Greg Lavender, senior
vice president, CTO and general manager of Software and Advanced
Technology at Intel Corporation. "Along with the Linux Foundation,
we believe the Open Security Foundation (OpenSSF) is a unique
opportunity to engage in projects and efforts focused on improving
the quality and security for today and our future. Intel remains
committed to providing contributions that benefit open source
software supply chains and improving the security posture of
critical projects on which our ecosystem depends."
JPMorgan Chase
"JPMorgan Chase is deeply committed to working with the open source
community to solve our most pressing security challenges. As a
founding member of the Open Source Security Foundation, we have
worked together to improve the security of open source and the
integrity of all software. We commend the US Government's
recent initiative to raise awareness on this pressing topic and
call to action the technology community to solve one of the most
complex security challenges of our time. We welcome the new
members to OpenSSF and look forward to continuing the journey of
innovation and bringing meaningful change to how we build, secure,
and validate software," said Pat
Opet, Chief Information Security Officer, JPMorgan Chase
& Co.
Microsoft
"As open source is now core to nearly every company's technology
strategy, securing open source software is an essential part of
securing the supply chain for every company, including our own. All
of us at Microsoft are excited to participate with others in
contributing new investments to the Open Source Security Foundation
and we look forward to building more secure software through
community-driven efforts to create solutions that will help us
all," said Mark Russinovich, Azure CTO and Technical Fellow,
Microsoft.
Morgan Stanley
"Whether we are leveraging open source in our own code, contributing
to OSS projects, or consuming OSS via technology we procure and
utilize, the safety and security of OSS and the creation of a
trustworthy supply chain is critical to all businesses. To that
end, we are delighted to join the Linux Foundation's Open Source
Security Foundation project to collaborate with our cross-industry
partners to improve the security, safety and trust in the OSS
ecosystem," said Neil Allen, Global
Head of Cyber Security Engineering, Morgan Stanley.
Oracle
"As a contributing member of the open source software community and
an inaugural Linux Foundation member, Oracle has a large number of
developers that contribute to third-party open source projects
daily," said Wim Coekaerts, senior vice president of software
development, Oracle. "Oracle looks forward to
participating in the Open Source Security Foundation and working
with other members to continue to strengthen the software supply
chain, helping customers work more securely."
Red Hat
"Open source is pervasive in software solutions of all kinds, and
cybersecurity attack rates are on the rise. Our customers look to
Red Hat to provide trust and enhanced security in our open source
based portfolio. Open source and community collaboration is the
best way to solve big, industry wide challenges, such as open
source supply chain security. And that's why we're excited to join
together with the Linux Foundation and other industry leaders so we
can continue to improve the technologies and practices to
build a more secure future from open source software," said
Chris Wright, senior vice president
and CTO, Red Hat.
Snyk
"Open source is built by millions of empowered developers, who also
need to secure this critical foundation of the digital world," said
Guy Podjarny, Founder & President, Snyk. "The vital work of the
Linux Foundation and the OpenSSF ensures we collectively live up to
this responsibility. The Snyk community is fully committed to this
important, collaborative effort and we look forward to working
closely with the other OpenSSF members to better secure OSS so it
can continue to safely fuel innovation."
VMware
"Every company that uses software should be concerned about their
software supply chain," said Kit
Colbert, chief technology officer, VMware. "For two-plus
years, VMware has engaged in contributions to open source projects
in the broader software supply chain security space and invested in
initiatives to help customers further strengthen their security
policies and processes. As a member of the Open Source Security
Foundation, we're committed to collaborating across the industry to
drive an increased level of software supply chain security."
General Member Quotes
Devgistics
"We seized the opportunity to join this foundation, because OpenSSF
offers a real industry neutral forum to accelerate the hardening
and security of the software supply chain. Devgistics (formerly
InfoSiftr) provides critical enhancements to the world's most
popular open-source repository. Devgistics has been involved in
many free and open-source initiatives for years, including being a
Moby (Docker Engine) maintainer, providing support to the
Docker/container ecosystem, and serving in the Open Container
Initiative. Devgistics continues to contribute cutting-edge
solutions for security-conscious clients like the US Air Force,"
said Devgistics Founder and President Justin Steele.
DTCC
"DTCC is committed to developing highly resilient and secure code
to safeguard the financial marketplace. DTCC is proud to be part of
the OpenSSF community and looks forward to partnering with our
fellow members on safe, secure and reliable computing," said
Ajoy Kumar, Head of Tech/Cyber Risk
at DTCC.
GitLab
"As organizations modernize software development and shift security
left, GitLab believes that open source will play a key role in
fostering this modernization and delivering secure software with
speed to the market," said Eric
Johnson, CTO at GitLab. "Supporting the Open Source Security
Foundation aligns with GitLab's mission of enabling everyone to
contribute and we look forward to supporting, collaborating, and
sharing our expertise in implementing security in GitLab's DevOps
Platform to the OpenSSF community."
Goldman Sachs
"Continuing to secure the software supply chain, in particular the
many critical open source projects foundational to any modern
organization's IT architecture, is a top strategic imperative for
Goldman Sachs, our peers, partners, and clients in financial
services, the technology ecosystem, and the wider economy," said
Atte Lahtiranta, chief technology officer at Goldman Sachs. "This
work cannot be done in individual organizational silos. We instead
need to work collaboratively, across both the private and public
sector, together with open source maintainers and contributors, to
answer the call to action that is the recent cybersecurity
executive order. The OpenSSF will provide an essential forum and
associated infrastructure to allow us to share leading practices,
develop improved tooling, and work together to better protect our
digital infrastructure."
JFrog
"Open-source software is the backbone of hundreds of thousands of
today's applications, making it critical that we do our best to
flag new vulnerabilities and insecure components fast—before
they compromise businesses or critical infrastructure," said
Asaf Karas, JFrog Security CTO.
"We're happy to expand our membership with the Linux Foundation and
support this cross-industry collaboration to identify and fix
open source security vulnerabilities, strengthen tools, and promote
best practices to ensure developers can easily shift left and
bake-in security from the start of application planning and design
— all the way to software deployment, distribution and
runtime."
StackHawk
"Software development is moving faster than ever before. The
industry needs tooling and processes to ensure that security can
keep up with today's pace of development. StackHawk is excited
about the work that the Open Source Security Foundation is doing to
improve security and we are proud to continue as a member," said
Joni Klippert, StackHawk Founder
& CEO.
Wind River
"As the dependency on open-source software becomes increasingly
pervasive, the Open Source Security Foundation's community-driven
approach to developing and sharing security metrics, tools and best
practices becomes an imperative. Our customers are actively
interested in the health of the open source from which their
solutions are constructed, and assuring secure development across
the open supply chain is vital," said Paul
Miller, CTO, Wind River. "We are looking forward to
collaborating more closely with the OpenSSF community. By working
together, Wind River can provide customers with a level of open
source security assurance that would otherwise be
unobtainable."
About the Linux Foundation
Founded in 2000, the Linux
Foundation is supported by more than 1,800 members and is the
world's leading home for collaboration on open source software,
open standards, open data, and open hardware. Linux Foundation's
projects are critical to the world's infrastructure including
Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more.
The Linux Foundation's methodology focuses on leveraging best
practices and addressing the needs of contributors, users and
solution providers to create sustainable models for open
collaboration. For more information, please visit us at
https://www.linuxfoundation.org/
The Linux Foundation has registered trademarks
and uses trademarks. For a list of trademarks of The Linux
Foundation, please see its trademark usage
page: www.linuxfoundation.org/trademark-usage. Linux is
a registered trademark of Linus Torvalds.
Media Contacts
Jennifer Cloer
503-867-2304
jennifer@storychangesculture.com
View original content to download multimedia: https://www.prnewswire.com/news-releases/open-source-security-foundation-raises-10-million-in-new-commitments-to-secure-software-supply-chains-301399530.html
SOURCE The Linux Foundation