While proprietary software vendors and security companies still often sow FUD around open source security, the "many eyeballs" theory -- formulated by the open source pioneer Eric S. Raymond as, "Given enough eyeballs, all bugs are shallow" -- remains true. Open source software is generally as safe, if not safer, than its proprietary counterparts.
However, there are problems unique to open source that need addressing, such as underfunded and understaffed projects, and open source development practices like copying and pasting code into new projects. The latter means that even when a security vulnerability is found in one project, it might go undetected within numerous other projects.
Linux Foundation's new Open Source Security Foundation, announced last week, is meant to address such issues. It seeks to build a community combining efforts of the Core Infrastructure Initiative (CII), the Open Source Security Coalition started by GitHub last November, and the security expertise of open source players like GitLab, Google, JPMorgan Chase, Uber, VMware, Red Hat, and others, all of whom have signed on as founding members.
"Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort," Jim Zemlin, the executive director of the Linux Foundation said in a statement. "The OpenSSF will provide that forum for a truly collaborative, cross-industry effort."
OpenSSF isn't Linux Foundation's first foray into security. It was designed in part to leverage CII, which LF started in 2015 as a response to the Heartbleed bug, a serious vulnerability in the OpenSSL cryptographic software library.
Although the OpenSSL project was a key component of the open source ecosystem, commonly installed and enabled on Linux servers, the discovery of Heartbleed revealed that the project was vastly underfunded, maintained by a single developer. CII was created to rectify the issue of small, underfunded but crucial open source projects -- primarily by identifying them and supplying the needed funds.
"Strengthening the security posture, policies, and processes in the open source community and in widely used open source projects is strengthening the whole software ecosystem – for all players," Joshua Lock, the security tech lead at VMware's Open Source Technology Center, said in a statement about the creation of OpenSSF. "VMware strongly supports the goal of making our software ecosystem more resilient and more secure."
Almost every Linux Foundation project contains a security component. The Cloud Native Computing Foundation, where Kubernetes lives, is home to Falco, focused on container runtime security; Notary, a project originally developed by Docker that uses strong cryptographic signatures to maintain security; and TUF, a recently graduated project that supplies a framework for securing software update systems.
CII has already funded important security oriented open source projects. This includes Reproducable Builds, meant to ensure that compiling source code always results in a binary product that is bit-by-bit identical, and the Fuzzing Project, which uses "fuzzing," generating randomly malformed inputs for software to parse, as a relatively effective and simple way to find bugs. (If a program crashes, something is likely wrong, and it may well pose a security threat.)
OpenSSF bringing in GitHub's Open Source Security Coalition only makes sense, since the coalition is designed much along the lines of what the Linux Foundation is trying to do with OpenSSF. It means much of the early organizational work has already been done.
"GitHub founded the Open Source Security Coalition in 2019 to bring together industry leaders around this mission and ensure the consumption of open source software is something that all developers can do with confidence," Jamie Cool, GitHub's VP of product management and security, said in a statement. "We look forward to this next step in the evolution of the coalition and serving as a founding member of the Open Source Security Foundation."