Linux Foundation will receive $10 million in funding from OpenSSF to enhance open source security


Recently the Linux Foundation announced in a blog post a commitment by the OpenSSF (Open Source Security Foundation) to fund the Linux Foundation with $10 million, as part of an effort to improve the security of open source software.

The post notes that the funds are raised through contributions from OpenSSF member companies, including Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware.

“This industry-wide commitment responds to the White House's call to raise the baseline for our collective cybersecurity well-being, as well as to 'pay forward' to open source communities to help them create secure software that we all love and benefit from,” said Jim Zemlin, CEO of the Linux Foundation. “We are pleased to have Brian Behlendorf's leadership and extensive experience in building and maintaining large communities and technical projects applied to this work. With the tremendous growth and pervasiveness of open source software, creating cybersecurity programs and practices that scale is our biggest task.”

This funding is part of a cross-industry collaboration that brings together multiple open source software initiatives under a shared purpose: to identify and fix cybersecurity vulnerabilities in open source software, and to develop improved tools, training, research, best practices, and vulnerability disclosure practices.

As a reminder, OpenSSF's work focuses on areas such as coordinated vulnerability disclosure, patch distribution, security tool development, publishing best practices for organizing secure development, identifying security-related threats in open source software, auditing and hardening mission-critical open source projects, and creating tools to verify the identity of developers. Its current initiatives include:

  • Security Scorecard: a fully automated tool that evaluates a number of important heuristics ("checks") associated with software security.
  • Best Practices Badge: a set of best practices from the Core Infrastructure Initiative for producing higher quality, more secure software, which gives OSS projects a way to demonstrate through badges that they are following them.
  • Security Policies: Allstar defines a set of security policies and enforces them across repositories or organizations.
  • Frameworks: Supply-chain Levels for Software Artifacts (SLSA) provides a security framework for increasing levels of integrity in the software supply chain.
  • Training: free courses on secure software development fundamentals that teach community members how to develop secure software.
  • Vulnerability Disclosures: a guide to coordinated vulnerability disclosure for OSS projects.
  • Package Analysis: searching for malicious software in OSS packages.
  • Security Checks: a public collection of OSS security patches.
  • Research: studies on open source software and critical security vulnerabilities, conducted in partnership with the Harvard Laboratory for Innovation Science (LISH) (for example, a preliminary census and a FOSS Contributor Survey).

OpenSSF continues to build on initiatives such as the Core Infrastructure Initiative and the Open Source Security Coalition, and brings together other security-related work being done by the companies that have joined the project.

“There has never been a more exciting time to work in the open source community, and software supply chain security has never needed more of our attention,” said Brian Behlendorf, CEO of the Open Source Security Foundation. “There is no magic formula for securing software supply chains. Research, training, best practices, tools, and collaboration require the collective power of thousands of critical minds throughout our community. OpenSSF funding gives us the forum and resources to do this work.”

Finally, if you are interested in learning more, you can read the original announcement at the following link.
