OpenSSF Outlook Q1 2023: How to avoid the next Log4Shell and other OSS security reflections
The Linux Foundation | 12 January 2023
Happy 2023 Linux Foundation members and open source community readers! Recently at the Open Source Security Foundation, we shared several notable updates you won’t want to miss, including:
- A retrospective on Log4Shell in which Brian Behlendorf, General Manager of the OpenSSF, takes a look at what we’ve learned over the past year related to the core issues around software supply chain security and vulnerability disclosure, the unique nature of securing open source software (OSS), and the best techniques for improving OSS security moving forward.
- News about our global engagement efforts focused on collaborating with leaders in the public and private sectors to further the ecosystem understanding of open source software security.
- A recap of our year that highlighted the many accomplishments of OpenSSF working groups and projects. As we reflect on the past year and forge ahead, we invite you to get involved and help make the OSS ecosystem more secure.
Avoiding the Next Log4Shell: Learning from the Log4j Event
In a fascinating retrospective, Brian Behlendorf describes what we’ve learned about open source software security, vulnerability disclosure, and software supply chain issues since the Log4Shell incident roughly one year ago. He explains, “Log4j has been around for 20 years; it’s become embedded into nearly every meaningful Java application; and the Log4Shell event led to compromises in everything from iCloud to physical security systems. Moreover, malware groups are continuing to exploit unpatched Log4j instances. We will likely see additional Log4Shell-like events unless we address its root issues.” To learn more about those root issues and gain insight into how to prevent the next Log4Shell, take a look at Brian’s blog taking stock of where we’ve learned and the best techniques for improving OSS security moving forward.
Engaging Policy Makers and the Ecosystem on Open Source Software
The Linux Foundation and OpenSSF, in particular, have been at the heart of several important conversations concerning the open source software (OSS) community and the sustainability of the ecosystem. Many of our global engagement efforts has been focused on collaborating with leaders in the public and private sectors to further the ecosystem understanding of open source software security. Amit Elazari Bar On, Chair of OpenSSF Public Policy Committee, and Brian Behlendorf take a look at the past year as the Linux Foundation and OpenSSF focused on three key priority areas:
- Improving security and reducing systemic risk in the OSS ecosystem,
- Closing talent shortages through improved training and educational initiatives, and,
- Imparting the value of openness and the importance of the community.
OpenSSF Year in Review
The OpenSSF is a thriving, diverse, nonstop community. Across more than 30 different active software projects and other technical initiatives, we’ve had the reach and impact we need to put a dent in global software security challenges that are getting more intense and more costly. Read the OpenSSF Year in Review by Brian Behlendorf.
This post also introduces our first-ever annual report, which describes our activities and highlights throughout 2022. In it, we hear from the Chairs of the Governing Board (GB) and Technical Advisory Council (TAC), take a look at a few of the top highlights of 2022, introduce you to our Working Groups (WGs) and Associated Projects, review the Open Source Software (OSS) Mobilization Plan we released at the OSS Summit II in collaboration with the US White House, and discuss the impact the OpenSSF has had throughout the year.
A few highlights include the following:
- Sigstore Reaches General Availability: In October 2022, Sigstore reached general availability at its first ever namesake event, SigstoreCon North America. Sigstore, which facilitates signing, verifying, and protecting software, has continued to see massive contributions and adoption, improving the integrity of the software supply chain and reducing the friction developers face around security. In June 2022, a new course on Sigstore was released, Securing Your Software Supply Chain with Sigstore.
- Launch of the Alpha-Omega Project: In February 2022, OpenSSF launched the Alpha-Omega Project, an effort to improve the security posture of open source software, with an initial investment of $5 million. In 2022, Alpha-Omega issued a cumulative total of over $2 million in grants to projects including Node.js, jQuery, the Eclipse Foundation, the Python Software Foundation, and the Rust Foundation.
- Security Training: The Best Practices for Open Source Developers WG increased awareness and education of security best practices through improvements and updates to its free training course: Developing Secure Software. This included making the course available for integration into organization Learning Management Systems (LMSs) and a translation into Japanese. The working group also released Concise Guides on Developing More Secure Software and Evaluating Open Source Software and provided an npm Best Practices Guide for those using the popular npm package manager.
- OSS Security Mobilization Plan: Following two US White House convenings bringing together open source developers, companies, and federal policymakers around securing open source software, the OpenSSF released the Open Source Software Security Mobilization Plan and announced $30 million in pledges to improve the resiliency and security of the OSS ecosystem. The Mobilization Plan outlines ten streams of investment to rapidly advance well-vetted solutions to make immediate improvements to OSS security worldwide. Throughout 2022, the OpenSSF community has acted on the Mobilization Plan and will continue to do so into 2023 and beyond.
- Policy: In May 2022, OpenSSF GM Brian Behlendorf testified to the U.S. House of Representatives Committee on Science, Space, and Technology about the work being done within the OpenSSF and broader OSS community to improve the security and trustworthiness of open source software. In June 2022, Jim Zemlin, Executive Director of the Linux Foundation, participated along with government and private-sector leaders in the White House Cyber Workforce and Education Summit, where he discussed approaches on how to develop cybersecurity education that benefits the OSS ecosystem. In December 2022, David A. Wheeler, Director of Open Source Supply Chain Security, was a panelist in a workshop on trustworthy and secure OSS organized by the European Commission.
- Convening OpenSSF Days: We hosted OpenSSF Days in Austin, Dublin, and Yokohama at Open Source Summits North America, Europe, and Japan, as well as a separate OpenSSF Summit China in Shenzhen. These brought together the global open source community to discuss the challenges, big-picture solutions, ongoing work, and successes in securing the OSS supply chain.
- MFA Security Efforts: The OpenSSF Technical Advisory Council publicly supported various efforts to increase the use of MFA in various organizations. The Best Practices Working Group (WG) coordinated the distribution of hundreds of codes for free MFA tokens to developers of the 100 most critical open source projects in 2021–2022 in what was known as the “Great MFA Distribution.”
For many more highlights and achievements, check out the OpenSSF annual report!
How can you help secure the OSS supply chain?
As you can see, we’ve been busy over the past year tackling some of the biggest security challenges facing the software supply chain. The OpenSSF remains committed to securing the open source ecosystem and continues to make strides in improving open source software (OSS) security. If our work interests you, please join us in advancing open source security for all. We’d love for you and your organization to get involved at the OpenSSF, whether through giving feedback, participating in our working groups, or helping with other initiatives. To join us, please check out some of the many ways to get involved. The OpenSSF has had a whirlwind year and has an exciting 2023 ahead!
Cloud Computing Compliance and Security 2023 Projects Linux How-To Diversity & Inclusion Events Open Source Best Practices 2022 Cross Technology Open Source Training and Certification LFX Blockchain Research Legal Networking and Edge Blog Data Governance LF Energy LF Research OpenChain System Administration