Google, Microsoft, GitHub, and Others Join the Open Source Security Foundation
Aug 14, 2020
Supported by The Linux Foundation, the Open Source Security Foundation (OpenSSF) aims to create a cross-industry forum for a collaborative effort to improve open source software security. The list of initial members includes Google, Microsoft, GitHub, IBM, Red Hat, and more.
As open source has become more pervasive, its security has become a key consideration for building and maintaining critical infrastructure that supports mission-critical systems throughout our society. It is more important than ever that we bring the industry together in a collaborative and focused effort to advance the state of open source security. The world’s technology infrastructure depends on it.
Microsoft CTO for Azure Mark Russinovich explained clearly why open source security must be a community effort:
Open-source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance. [...] Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process.
The OpenSSF will bring together diverse open source security initiatives, starting with the Core Infrastructure Initiative (CII) and GitHub's Open Source Security Coalition. In addition, it will create several working groups to address key security concerns. Those include vulnerability disclosure, with the aim of shortening the time required to fix a vulnerability and deploy the fix; security tooling, with the aim of improving existing security tools and developing new ones; security threat identification, focusing on creating key metrics to better assess how each component of an open source project fares with regard to security; and security best practices.
Additionally, the OpenSSF will aim to help critical projects get the support they need to guarantee their security.
Whether it is dedicated help from specialized experts or simply grant money or cloud credits, we recognize that no two projects are the same, and support can come in many shapes. We intend to work with upstream maintainers to understand what help and support they need, and then develop scalable processes to make this help available.
Among others, Google and Microsoft announced their participation in the OpenSSF with a specific focus on a number of areas, including shared schemas and metadata to better enforce security best practices; dependency management and risk assessment to map vulnerabilities to specific code versions; tools for build verification, such as Google's own Tekton; and using developer identity to associate changes with their authors.
Besides joining the OpenSSF, GitHub confirmed its commitment to open source security and stated it will continue investing in and building new security features that are free for public repositories.