Google and Microsoft back Project Alpha-Omega to strengthen software supply chain


The Open Source Security Foundation (OpenSSF), supported by the Linux Foundation, has launched a new project designed to secure the software supply chain.

The Alpha-Omega project, as it is called, will work directly with project maintainers to find zero-day vulnerabilities (i.e. previously unknown bugs) in open source codebases, and will work to fix them. Microsoft and Google will provide an initial cash injection of $5 million, which follows another recent recurring commitment of $10 million the duo made to OpenSSF alongside other member organizations such as Amazon, Facebook, and Oracle.

The OpenSSF is a cross-industry collaboration launched by the Linux Foundation in 2020 and, since last October, has been led by open source pioneer Brian Behlendorf, the main creator of the Apache web server.

Correct defects

The timing of this latest announcement is no coincidence. The White House recently hosted an open source security summit, with participants from across the public and private sectors coming together to discuss how best to fix flaws in community software. The meeting was organized following the critical Log4j vulnerability known as Log4Shell, which had existed for many years but was only recently discovered. Microsoft and Google were both present at the summit, as was the Linux Foundation, so it’s clear that last month’s meeting helped create at least some momentum to strengthen the software supply chain.

The Log4j vulnerability has resurfaced age-old questions around the inherent security of open source software, especially projects not supported by squadrons of full-time developers and security personnel. Indeed, one of the main maintainers of the Log4j project – the one who was instrumental in patching the vulnerability – has a full-time job elsewhere as a software architect. He works on “Log4j and other open source projects” in his free time.

It is in this context that the Alpha-Omega project aims to improve the security of the OSS supply chain. As the name suggests, the project has two main components. Alpha will work with project maintainers of the “most critical open source projects”, helping them identify and fix security vulnerabilities and improve their overall security posture. Omega, on the other hand, will identify “at least” 10,000 of the most widely used OSS projects and apply “automated security analysis, scoring, and remediation guidance” in the respective maintainer communities.

So who exactly are the members of these open source communities — are they just the existing maintainers and contributors? This will be part of it, but the OpenSSF will also seek to engage other professionals – including volunteers and paid individuals – to run its campaign.

“For example, we would like to see cybersecurity professionals participate as well,” Behlendorf told VentureBeat. “However, to be clear, there will be paid staff leading engagements with major open source projects (Alpha) and conducting research using automated tools to find problem areas in the long tail of open source projects (Omega).”

Multi-pronged strategy

As the Log4j vulnerability highlighted, a common complaint from the open source community is that maintainers of some of the most critical software components receive little compensation. While Project Alpha-Omega can help address this problem, it’s not just about throwing money at maintainers – there’s a clear multi-pronged strategy behind the investment.

“I don’t know of any (credible) open source developer who would write more secure code if only someone slipped them money,” Behlendorf explained. “However, maintainers are likely to know the best ways to apply a modest amount of funds to fix a serious known issue, update dependencies, set up their OpenSSF Best Practices badge, or more. So it’s essential to work with maintainers to get that picture and ensure funding is targeted to the right opportunities.”

Alpha will be a collaborative project targeting the most critical open source projects, as identified by work conducted by the OpenSSF Securing Critical Projects working group, which combines expert opinion and data. Omega, meanwhile, will use a suite of software tools to automatically identify vulnerabilities – this could be anything from security scanners from companies such as Snyk, to open source tools such as Google’s OSS-Fuzz, and other internal proprietary tools that may eventually be made open source. However, Behlendorf also noted that they expect to have to create new tools, ones that can intelligently answer questions like: “that feature that made Log4J so difficult to secure... what other projects have similar functionality?”

“We expect our paid staff and the community to work together on new tools to help address this, and other questions that arise, as new attack vectors are better understood,” Behlendorf said.

Ultimately, it’s clear that there have been efforts over the past year to better support open source security, especially within big tech. Last year, Google revealed that it would fund Linux kernel developers; committed $1 million to a Linux Foundation open source security rewards program; and also revealed that it sponsors the Open Source Technology Improvement Fund (OSTIF), which specifically focuses on conducting security reviews of critical open source software projects.

There appears to be at least some alignment – and even overlap – between these various initiatives, with OSTIF in particular sharing some common goals with those of Alpha-Omega.

“We view the type of support we plan to provide to open source projects and developers through Alpha-Omega as strictly complementary to other support efforts these projects may already be receiving,” Behlendorf said. “We also work hard to ensure that the efforts of all OpenSSF members are aligned and targeted to maximize impact.”

And this is a point worth repeating. Sarah Novotny, Microsoft’s open source lead for the Azure Office of the CTO, noted last year that open source is now the accepted model for cross-enterprise collaboration. This philosophy is very evident here – the OpenSSF has members who are otherwise major business rivals, but they must come together for the greater good of their respective products, customers and bottom lines. Open source is the strand that connects the dots.

“Open source software is a vital part of the critical infrastructure of modern society – so we must take all necessary steps to secure it and our software supply chains,” Behlendorf said.
