Open-source groups and software firms have recently created and released a 10-point plan in order to keep open-source code safe from vulnerabilities.
Indeed, the plan is a common effort to ensure improvements in the state of open source security through a US$30 million in funding from Amazon, Google, Intel, Microsoft, and VMware. The initiative was announced by senior members of the Linux Foundation and the Open Source Security Foundation (OpenSSF) and will be working with stakeholders and new participants along the way.
By doing so, it aims to prevent security defects and vulnerabilities from getting into open source code, as well as improve vulnerability discovery and remediation, and shorten the response time for distributing and implementing fixes. The plan features 10 activity streams to meet these objectives.
The streams are:
- Have baseline secure software development education and certification by improving training materials;
- Establish a public, vendor-neutral, objective, metrics-based risk assessment dashboard for the up to 10,000 open-source software components;
- Accelerate the adoption of digital signatures on software releases to check that the components haven’t been compromised;
- Eliminate root causes of many vulnerabilities by using languages like Go and Rust;
- Establish the OpenSSF Open Source Security Incident Response Team which would assist developers when responding to a vulnerability;
- Accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance;
- Conduct third-party code reviews, and any necessary remediation work once a year;
- Co-ordinate industry-wide data sharing to improve the research to determine the most critical open-source software components;
- Improve software bill of materials (SBOM) tooling and training;
- Improve the 10 most critical open-source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.
Besides, it is vital for developers to create a software bill of materials (SBOM) for every project so that application users can find and patch code when met with vulnerabilities. The plan is needed more than ever as attacks are getting stronger and more sophisticated.