The World’s Major Technology Providers Converge to Improve the Security of Software Supply Chains
The Linux Foundation | 13 October 2021
Imagine you have created an open source project that has become incredibly popular. Thousands, if not millions, of developers worldwide rely on the lines of code that you wrote. You have become an accidental hero of that community — people love your code, contribute to improving it, request new features, and encourage others to use it. Life is amazing, but with great power and influence comes great responsibility.
When code is buggy, people complain. When performance issues crop up in large-scale implementations, they need to be addressed. When security vulnerabilities are discovered — because no code or its dependencies are always perfect — they need to be remediated quickly to keep your community safe.
To help open source projects better address some of the responsibilities tied to security, many communities hosted by the Linux Foundation have invested countless hours, resources, and code into some important efforts. We’ve worked to improve the security of the Linux kernel, hosted Let’s Encrypt and sigstore, helped steward the ISO standardization for SPDX, and brought together a community building metrics for OSS health and risk through the CHAOSS project — among many others.
Today, we are taking steps with many leading organizations around the world to enhance the security of software supply chains. The Linux Foundation has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF) and its initiatives. This cross-industry collaboration brings together an ecosystem to collectively identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. We are also proud to announce that open source luminary, Brian Behlendorf, will serve the OpenSSF community as General Manager.
Financial commitments for OpenSSF include Premier members such as AWS, Cisco, Dell Technologies, Ericsson, Meta, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware. Additional commitments come from General members, including Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.
To learn more about how to join the OpenSSF or to get involved in one of its six working groups, listen in to this brief introduction from Brian Behlendorf recorded this week at KubeCon:
In 2021, the Linux Foundation and its community will continue to support education and share resources critical to improving open source cybersecurity. For example, this week, we also hosted SupplyChainSecurityCon, where the SLSA and sigstore projects were heavily featured.
If you are an open source software developer, user, or other community participant who just wants to help further protect the software that accelerates innovation around the world, please consider joining one of our six OpenSSF working groups, or suggest a new working group that addresses gaps in software supply chain security needs.
You can follow the latest news from OpenSSF here on our blog, Twitter (@TheOpenSSF), and LinkedIn.