OpenSSF: a project focused on improving the security of open source software

The Linux Foundation has announced the formation of a new project called "OpenSSF" (Open Source Security Foundation), whose main objective is to bring together the work that industry leaders are already doing to improve the security of open source software.

OpenSSF will carry forward existing initiatives such as the Core Infrastructure Initiative (CII) and the Open Source Security Coalition, and will bring together other security-related work being done by the companies that have joined the project.

The founding members of OpenSSF include GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, and Red Hat.

GitLab, HackerOne, Intel, Uber, VMware, ElevenPaths, Okta, Purdue, SAFECode, StackHawk, and Trail of Bits have joined as participants.

The motivation for the project is that open source software is now in heavy demand across many areas of industry, but, because of the way it is developed, its security depends on chains of dependencies and on the people who contribute to them.

OpenSSF is a cross-industry collaboration that brings together leaders to improve open source software (OSS) security by building a broader community with targeted initiatives and best practices.

Therefore, to assess the security of an open source project it is not enough to review the main code: the dependencies must be checked too, the developers whose code is accepted into the project must be identified, and both code review and commits must rely on strong authentication.

In addition, security requires the use of secure build systems and verification of the resulting builds.

Open source software has become widespread in data centers, consumer devices, and services, a sign of its value to technologists and businesses alike.

Because of how it is developed, the open source software that eventually reaches end users carries a chain of contributors and dependencies. It is important that those responsible for security at a user or an organization can understand and verify the security of that dependency chain.
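As an added example (not code from the Linux Foundation, OpenSSF or this article), the following Python script shows the simplest concrete form of the dependency-chain check described above: every artifact a build fetches is compared against a SHA-256 digest pinned in a lock file that a maintainer reviewed and committed, and the build fails closed on a digest mismatch, a pinned artifact that is missing, or an artifact that nobody pinned. The artifact names, their contents and the lock-file format are all constructed for the example and are not real packages.

```python
"""Added example: verifying a dependency chain against pinned SHA-256 digests.

Not OpenSSF's or the Linux Foundation's code. Artifacts, package names and the
lock-file format are constructed for the example so it runs offline.
"""
import hashlib

# Constructed sample: the artifacts a build would download, as bytes.
# Names and contents are hypothetical, not real packages.
ARTIFACTS = {
    "left-pad-1.0.0.tgz": b"constructed tarball bytes for left-pad",
    "event-helper-2.3.1.tgz": b"constructed tarball bytes for event-helper",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_lockfile(artifacts: dict) -> str:
    """Write the pin list a maintainer commits after reviewing each dependency.

    In a real project this file is generated once, reviewed and committed; it is
    rebuilt here only so the example can run without a network."""
    lines = ["# <artifact filename> sha256=<hex digest>"]
    for name, data in artifacts.items():
        lines.append(f"{name} sha256={sha256_hex(data)}")
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict:
    """Parse 'name sha256=hex' lines into {name: hex}.

    Malformed lines raise instead of being skipped, so a corrupted or edited
    lock file fails closed rather than silently dropping a pin."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            name, algo_digest = line.split()
            algo, digest = algo_digest.split("=", 1)
        except ValueError:
            raise ValueError(f"lock file line {lineno} is malformed: {raw!r}")
        if algo != "sha256" or len(digest) != 64:
            raise ValueError(f"lock file line {lineno}: unsupported or bad digest")
        if name in pins:
            raise ValueError(f"lock file line {lineno}: duplicate pin for {name}")
        pins[name] = digest.lower()
    return pins


def verify_chain(pins: dict, artifacts: dict):
    """Check every fetched artifact against its pin. Returns (ok, problems).

    Three things fail the build: a pinned artifact that was not fetched, an
    artifact whose digest differs from its pin (a swapped or tampered release,
    as happens when a package is hijacked), and an artifact with no pin at all
    (a dependency nobody reviewed)."""
    problems = []
    for name, expected in pins.items():
        if name not in artifacts:
            problems.append(f"missing: {name}")
        elif sha256_hex(artifacts[name]) != expected:
            problems.append(f"digest mismatch: {name}")
    for name in artifacts:
        if name not in pins:
            problems.append(f"unpinned: {name}")
    return (not problems, problems)


LOCKFILE = make_lockfile(ARTIFACTS)


def demo():
    """Run the good case and two failure cases; returns the three results."""
    good = verify_chain(parse_lockfile(LOCKFILE), ARTIFACTS)
    # A compromised maintainer account or registry serves a modified release.
    tampered = dict(ARTIFACTS)
    tampered["event-helper-2.3.1.tgz"] = b"constructed bytes with a backdoor"
    swapped = verify_chain(parse_lockfile(LOCKFILE), tampered)
    # An extra transitive dependency shows up that nobody pinned or reviewed.
    extra = dict(ARTIFACTS)
    extra["extra-helper-0.1.1.tgz"] = b"constructed bytes of an unreviewed package"
    unreviewed = verify_chain(parse_lockfile(LOCKFILE), extra)
    return good, swapped, unreviewed


if __name__ == "__main__":
    for label, (ok, problems) in zip(("good", "tampered", "unpinned"), demo()):
        print(f"{label}: {'OK' if ok else 'FAIL'} {problems}")
```

The check rejects extra artifacts as well as altered ones because a dependency that nobody pinned is exactly a dependency that nobody reviewed; pinning only the top-level packages and letting transitive ones float would leave the gap that the article's example of a handed-over library illustrates.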

OpenSSF's work will focus on areas such as coordinated disclosure of vulnerability information and patch distribution, developing security tooling, publishing best practices for organizing secure development, identifying security threats to open source software, auditing and hardening critical open source projects, and creating tools to verify the identity of developers.

Among the threats that follow from not identifying developers, the announcement mentions an attacker obtaining maintainer rights in order to make malicious changes, duplicate accounts used to approve one's own code, and impostors posing as other people or falsely claiming to work for certain companies.

"We believe that open source is a public good and in all industries we have a responsibility to come together to improve and support the security of the open source software that we all depend on," said Jim Zemlin, CEO of The Linux Foundation.

Examples of such identity problems include the incident with the event-stream library, whose maintainership was handed over to an unverified person with whom the previous maintainer had only ever communicated by email, and the numerous cases of browser extensions and third-party add-ons being sold to new owners.

Finally, if you want to know more, the details are in the Linux Foundation's original announcement.

You can also visit the OpenSSF website.
