Commentary: For years we’ve tried tackling security at the company or organizational level. The new Alpha-Omega Project seems to be taking a true industry-wide approach, and that’s promising.
Security has always been an unsexy investment that tends to make more sense in hindsight than in planning. More recently, as security breaches have become the daily norm rather than the occasional exception, companies and open-source projects have started to make security a priority, though it’s arguably still lacking in our software development processes.
The problem with this approach is that it remains atomistic, fragmented. As noted in a recent ZDNet article, “The state of security is massively uneven across the industry, with pretty good security at some of the top vendors, but the vast majority … lacking basic security investments.” This misses the point. Security isn’t something that one company or project can do on its own. It’s inherently a community affair.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Which is why I find some recent news from the Linux Foundation (LF) heartening…precisely because it’s not about the Linux Foundation. Or not exclusively, that is.
The news behind the news
Two things were announced. First, the Open Source Security Foundation (OpenSSF), which operates under the LF, added another 20 members to its roster. What do these members do? Ostensibly, they “help identify and fix security vulnerabilities in open source software and develop improved tooling, training, research, best practices and vulnerability disclosure practices.” In practice, many of these companies simply want to virtue signal their concern for security, but real good also comes from such organizations.
For example, I’d assume that while the OpenSSF now counts 60 total members, the likely reality is that a few key members (think Google and Microsoft in this case) will assign developers to collaborate closely with other OpenSSF members to improve security around particular open source projects to avoid scenarios like the Log4j vulnerability.
In other words, some organizations can afford to invest in security and have the expert resources to do so. Everyone benefits when they share that information openly in a community forum.
The second aspect of the LF announcement is arguably even more interesting. OpenSSF also announced the Alpha-Omega Project, a project that attempts to identify all of the world’s most critical, foundational open-source software libraries and packages and audit them and then support them as necessary. From the release:
“The Project improves global OSS supply-chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring and remediation guidance to their open source maintainer communities.”
Funded by an initial $5 million from Microsoft and Google, and supported by Harvard University and the LF, this census of open-source projects helps companies as they assemble their software bill of materials, as mandated by U.S. executive order. As noted by the census authors, the lists they’ve compiled “represent our best estimate of which FOSS [free and open source software] packages are the most widely used by different applications, given the limits of time and the broad, but not exhaustive, data we have aggregated.”
SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)
It’s an impressive start to much-needed work, and it isn’t focused on any particular organization’s software projects.
And that’s the real news. Not the executive order. Not the Google/Microsoft involvement. Not even the LF tackling cross-industry initiatives. No, the real news is that security is bigger than any trade organization like the LF. Those 10,000 open-source projects that the LF is helping to catalog? Most don’t sit under the LF’s purview. Or Google’s. Or Microsoft’s. Or [insert name of any organization].
Security affects everyone, but we’ve tried to tackle it piecemeal. From a post written by Alpha-Omega Project lead and Harvard Professor Frank Nagle, a great deal of work is needed to improve the security posture of open source software across projects. For example, there is no standard naming schema across open source projects, leading to confusion: “There is no centralized body to coordinate FOSS component names, and thus there can be multiple components that have the same name but are not the same component.” We’ve shown that open-source developers can fix problems fast when they surface (perhaps faster than anyone else), but can we band together to structure projects similarly such that some needless security problems can be avoided?
Alpha-Omega is a great start to trying to resolve such issues across the industry, rather than piecemeal. After Heartbleed, we had similar ambitions to tackle our security problems. Let’s hope this time it’s truly different … and communal.
Disclosure: I work for MongoDB but the views expressed herein are mine.