Following GitHub’s announcement of its new Security Lab at last week’s GitHub Universe 2019, I’m thrilled to share that VMware will be a founding member, along with thirteen other companies, that will contribute time and expertise to the effort.
The announcement summarized it perfectly: “We all share a collective responsibility to keep open source software secure—none of us can do it alone.”
Our industry is now building product after product using open source software, yet it feels like in many projects, security is treated as an afterthought.
That’s led to security issues across a wide range of projects and, thankfully, to more people paying attention to the security of the individual efforts they are connected to. But the reality is that there’s only so much we can achieve independently. Fortunately, we can follow the open source model – where companies talk to each other and collaborate regardless of corporate or product interests – and work together to make real progress.
This is particularly true when it comes to addressing open source security from an ecosystem perspective. Until now, we’ve had no good space to do that. By pulling together people who really care about the overall health of open source under the auspices of a major open source organization, we will be able to address security in a much more holistic fashion.
It’s early days, of course, and GitHub Security Lab partner organizations are still determining exactly how they will contribute to the coalition. But simply by getting us all to share what we’re doing, the Security Lab will have a pretty immediate impact. Those conversations will let us identify areas where we can collaborate and, just as importantly, ensure that we’re not duplicating each other’s efforts.
In addition, many smaller or medium sized projects may not have the resources to do security well. I’m interested, therefore, in ways we can improve security for projects of that scale. GitHub has been doing some great work to add features to their platform to make that easier. I hope through the lab we can encourage more to be done.
VMware’s own efforts around open source security currently focus on improving the viability of open source projects. In that context we’re looking at contributing to tooling around software supply chain security, with an emphasis on more effectively-secured community content repositories and container pipelines. We’re also hoping to help improve awareness of, and education around, security mindedness and secure development best practices. To that end, check out this recent post on Project Clair, a new open source project with the goal of keeping containers secure.
We’re excited to see how other groups’ interests might intersect with ours and to figure out how we can potentially work together. We’ll also be interested to hear what other people want to work on and seeing where it makes sense for us to join them.
