With the broad adoption of open source software by both vendors and enterprises, security has become a critical focus area for those responsible for its deployment. The Open Source Security Foundation (OpenSSF) was organized by the Linux Foundation earlier this month and VMware is proud to be a founding member. “Strengthening the security posture, policies and processes in the open source community and in widely used open source projects, is strengthening the whole software ecosystem – for all players,” said Joshua Lock, Security Tech Lead, Open Source Technology Center, VMware. “VMware strongly supports the goal of making our software ecosystem more resilient and more secure. By joining forces with other similar efforts and inviting wider and more diverse contributions to further collaborate towards this goal enables a much greater impact.”
Security for Container Technologies
The VMware Open Source Technology Center (OSTC) has taken a special interest in open source security technologies to support both proprietary and open source projects. With a specific interest in container security, Dirk Hohndel asked, “Do I know what’s inside the container, or if there are any backdoors, or if there is any spyware in it?” These questions “typically don’t get answered in the container environment and that’s really why I’ve been trying to talk about this topic for a couple of years now.” Nisha Kumar adds that container images should be repeatable, have identifiable contents and feature up-to-date content. In “Using Linux Distribution Tools To Build Container Images,” she adds, “Distribution tools have historically been difficult to both understand and use. They also typically suffer from a tension between the need to be developer-friendly and the need for them to be sophisticated enough to let you deliver production-grade software.” Joshua and Nisha conclude that, “Managing container bloat and layer dependencies has been a problem for years and many projects have tried to solve it in various ways. So far, nobody has figured out how to create an app-centric container image while at the same time maintaining build repeatability and keeping the dependencies up-to-date.” It’s proof that the timing is right for OpenSSF.
OpenSSF is focused on improving the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It will start with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosures best practices. In the future, there is a plan to focus resources on the most mission-critical software identified by Harvard’s Lab for Innovation Science.
The OpenSSF was established on the premise that security researchers need a mechanism to allow them to collaboratively address methods needed to secure the open source security supply chain. It recognizes that security researchers across the globe within organizations have common interests and concerns. OpenSSF facilitates sustained dialogue and project work among private entities, foundations and academia.
Finding Ways to Participate
GitHub Security Lab’s Open Source Security Coalition was formed to encourage a collective effort to help secure open source software. Its evolution into the OpenSSF is an extremely encouraging development. If you have a passion for security or security supply chains, you can get involved in one of the technology initiatives. The full scope of each project can be found on the Github OpenSSF page.
- Vulnerability Disclosures
- Security Tooling
- Security Best Practices
- Identifying Security Threats to Open Source Projects
- Securing Critical Projects
- Developer Identity Verification
“Our own efforts in the Open Source Technology Center are focused on software supply chain and open source ecosystem security, which is why I am particularly interested in the OpenSSF’s nascent Developer Identity Verification Working Group, and its rejuvenated Securing Critical Projects Working Group – a re-homing of the Linux Foundation’s Core Infrastructure Initiative,” says Lock. “Both of these working groups aim to tackle long-standing, yet very different, problems affecting the security of open source software – trusting contributors and securing widely used (yet often under-resourced) projects. I’m looking forward to seeing what tools and processes these working groups, and the others in the OpenSSF, come up with.”
Watch this space as the VMware OSTC leans in on several of the initiatives, and stay tuned to the Open Source Blog for future updates around the Open Source Security Foundation.