Security has continued to be a focus across all our project communities at the Linux Foundation. We’d like to spotlight more about our communities’ work over the past year and look forward to the work we can do in 2024 and beyond.
Today we highlight the recent efforts and impact of four Linux Foundation project communities: The Open Source Security Foundation (OpenSSF), FINOS Common Cloud Controls Project, OpenChain, and SPDX. Each community addresses aspects of security from a different perspective and helps contribute to our shared goal of having a more secure software ecosystem for everyone.
The Open Source Security Foundation (OpenSSF) is an organization housed in the Linux Foundation that seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration, establishing best practices, and developing innovative solutions.
The OpenSSF has over 100 members in a variety of different industries. In addition, the OpenSSF has 10 working groups, which include, among others, the working groups on Best Practices for Open Source Developers and on Supply Chain Integrity. Other initiatives within the OpenSSF are projects such as Sigstore — a project used to secure and verify build artifacts and components — and Alpha-Omega — an initiative to partner with OSS maintainers, through funding and tooling, to systematically find and fix undiscovered vulnerabilities.
In 2023, the OpenSSF had over 22K software developers enrolled in their course on the fundamentals of developing secure software. They also launched new guides to help the community, such as their Concise Guide for Developing More Secure Software, Concise Guide for Evaluating Open Source Software, and Compiler Options Hardening Guide for C and C++. The OpenSSF Best Practices Badge program, which provides a larger checklist of best practices, now has over 6,400 participating projects. New initiatives were launched in 2023, including new working groups on Artificial Intelligence / Machine Learning (AI/ML) security and Diversity, Equity, and Inclusion (DEI).
The OpenSSF also meaningfully engaged with the public sector like at the Secure Open Source Software Summit in September to collaborate on securing critical infrastructure and in its response to the Request For Information (RFI) on open source software (OSS) security and memory safe programming languages from the US White House Office of the National Cyber Director (ONCD) and its partners in the Open-Source Software Security Initiative (OS3I). OpenSSF is also serving as a research challenge advisor on the DARPA AI Cyber Challenge (AIxCC), whose purpose is to bring together the “best and brightest in AI and cybersecurity” to improve the security of software. The OpenSSF also worked to increase participation worldwide, including convening OpenSSF Days in Canada, Spain, and Japan. For more information, see 2023 OpenSSF Annual Report.
The FINOS Common Cloud Controls (FINOS CCC) is an open standard project designed to describe consistent controls for compliant public cloud deployments in the financial services sector. The standard aims to be a unified set of cybersecurity, resiliency, and compliance controls for common services across the major cloud service providers. Creating a unified taxonomy of services and threats can also help alleviate the systemic risk of cloud concentration. Originally proposed by Citi, FINOS CCC was formed within FINOS, the Fintech Open Source Foundation, in July 2023. In October 2023, the project was open sourced and is now officially open for participation and contribution. The project is now available on GitHub for public participation and contribution.
On November 1, 2023, FINOS CCC was showcased at the Open Source in Finance Forum (OSFF) in New York. Led by Citi CTO Jim Adams, introducing FINOS’ approach, which includes a common services taxonomy, threat-aware controls, and automated assessments using the Open Security Controls Assessment Language (OSCAL). OSCAL is a machine-readable framework to represent security control-related information and is being developed in collaboration with industry and NIST. The goal of FINOS CCC and related initiatives is to create a collaborative ecosystem that brings industry and standards organizations together to address the financial services industry’s needs.
OpenChain is a Linux Foundation project that develops and maintains international standards on the key requirements for high-quality open source license compliance programs and open source security assurance programs. The OpenChain Project has an extensive global community of over 1,000 companies that work to improve the security and resiliency of our software supply chains.
In December 2023, the OpenChain Project’s ISO/IEC 18974:2023 was published as a formal ISO standard. ISO/IEC 18974:2023, formerly known as the OpenChain Security Assurance Specification 1.1, is the de facto industry standard that defines the key requirements of a quality open source security assurance program. By adopting this standard, organizations can better check open source software for security vulnerability issues such as CVEs, GitHub dependency alerts, and package manager alerts. To learn more, please visit https://www.openchainproject.org/security-assurance.
Finally, we’d like to highlight the work of the SPDX project. SPDX is an open standard that describes SBOMs (Software Bill of Materials), which are a list of components that make up software. As a common format, SPDX reduces redundant work related to sharing important release data and thus streamlines distribution and compliance. The SPDX specification is an international open standard (ISO/IEC 5692:2021).
In 2023, work continued towards the launch of SPDX 3.0. A release candidate for SPDX 3.0 was announced in May. This new version helps extend the SPDX standard into new security use cases, as well as improving traceability of AI & Data provenance. The focus is making it easier to onboard and consume for software engineers, security professionals, data scientists and legal and compliance professionals. The SPDX community continues to be open to feedback and contributions to the SPDX 3.0 Model on GitHub.
Finally, we’re committed to maintaining security across our projects at the Linux Foundation. We have a vulnerability disclosure policy for Linux Foundation-hosted projects available on this page, which describes how you can report a security vulnerability if you discover it in anything that we do.
In 2024, we are looking forward to building on all these initiatives around cybersecurity to ensure a more ecosystem for all. We will continue to host events focused on advancing the state of the art in security, for example CloudNativeSecurityCon North America from June 26-27, 2024 in Seattle, Washington and future OpenSSF Days. To stay current on the latest trends and best practices around software security, consider taking courses offered by LF Training & Certifications specific to cybersecurity, from Kubernetes Security Essentials to Security and the Linux Kernel. We hope to continue this work and see you participate in future events and initiatives to strengthen the security of all our communities!