Birth of the Open Source Security Initiative

The new OpenSSF logo. (Credit: Jakub Lewkowicz on sdtimes.com)

The Linux Foundation has been an instrumental organization for open-source software all around the world, including paying the man with the plan — Linus Torvalds — to work full time on the development of our favorite operating system kernel. However, the Foundation isn’t really about promoting open-source software; it’s about building partnerships with the top enterprise organizations that rely on the stability of Linux and other open-source projects to operate, and about the funding those enterprise organizations provide.

For instance, when you look at the list of companies that are members of The Linux Foundation, you will find a Who’s Who of the top tech corporations: Google, Facebook, Microsoft, Intel, Huawei, Oracle, IBM, AT&T, Qualcomm, Samsung, AMD, VMware, GitHub, GitLab, Panasonic, Fujitsu, the Linux-centric companies like Red Hat, SUSE, and Canonical, of course, and a whole lot more. The reason? Linux is vital to their business and infrastructure in more ways than one, and it is in their best interest to make sure the project is as good as it can possibly be. The Linux Foundation is the organization that allows that to happen.

Earlier this month, a new initiative was announced by The Linux Foundation, one that deals with an extremely important subject affecting any kind of software — security. From the official announcement:

The OpenSSF [Open Source Security Foundation] is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building broader community with targeted initiatives and best practices…

Open source software has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike. Because of its development process, open source that ultimately reaches end users has a chain of contributors and dependencies. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency chain.

Listen, in the 1980s, the GNU Project started the free software movement. Back then, the cybersecurity landscape was nothing like it is today (thanks, Internet!). When free or open-source software was first being built, most of it was written from scratch as a replacement for a component of proprietary software, such as the GNU C Compiler (gcc) standing in for the original UNIX C compiler (cc).

The GNU Project’s official logo. (Credit: Etienne Suvasa on gnu.org)

Today, you would be hard pressed to find a software project or product that doesn’t contain or depend on open-source software somewhere down the stack. Many of the most basic system components that allow applications to be built on top of other applications are themselves open-source — and the deeper down the stack a vulnerability is found, the more projects it will inevitably affect.

We’ve seen the destruction that can be caused by a flaw in an extremely popular open-source technology — one of the bigger and better maintained projects — with 2014’s Heartbleed affecting any project using OpenSSL. This should definitely cause concern in the open-source community. From the new OpenSSF homepage:

The initial technical initiatives will focus on:

  • Vulnerability Disclosures
  • Security Tooling
  • Security Best Practices
  • Identifying Security Threats to Open Source Projects
  • Securing Critical Projects
  • Developer Identity Verification

Because open-source projects are, for the most part, created and built in volunteers’ free time, there just can’t be the attention to detail that would happen in a major project with an entire security team paid to consistently look for vulnerabilities. Sometimes, an open-source project can absolutely explode — causing it to scale up to millions of users in a short period of time. Just look at technologies like Kubernetes, TensorFlow, or even a language like Kotlin, and you can see how a project goes from a few hundred users to literally millions and millions of users in a few years’ time. The ecosystems around these projects are massive now — and they all rely on the base system for their deepest security.

Unfortunately, there are major issues with The Linux Foundation, namely that it really isn’t an organization dedicated to promoting open-source software, or even Linux itself, to new or prospective users. The ultimate goal of The Linux Foundation is to garner funding from large companies for continued work on open-source projects and, therefore, those projects become influenced by corporate agendas. That means they focus heavily on work for Linux as a server system, as a base for Android, and on other specific corporate interests. Obviously, this has become a major point of contention within the open-source community.

Artwork for The Linux Foundation. (Credit: AIT News Desk on aithority.com)

No matter your view on The Linux Foundation itself, this is a move that has been needed for a long time in the open-source community. Of course, the argument can be made that open-source projects have better security overall because anyone can audit and fix the source code — but this only works for major projects, where many thousands of people are actively engaged. Many of the essential lower-level system components don’t have the same appeal to new developers that projects like Node.js, Kubernetes, or TensorFlow do.

Take, for instance, the Perl programming language. It is an essential tool used in basically any Linux build (in fact, it’s one of the first pieces of software installed on a Unix-like system). It was one of the most popular languages in existence from the late 1980s through the early 2000s, was instrumental on Unix-like systems, and was the tool that bootstrapped the early Internet. Today, however, Perl is falling out of favor with newer developers due to the rise of other languages like Python and Ruby that are considered more developer friendly. Every Linux distribution and many Unix-like tools rely heavily on Perl, yet with a dwindling number of developers actually looking at the core project, it becomes increasingly open to potential vulnerabilities.

Having a specific organization that is paid to investigate and audit these critical open-source projects will only make them more secure and reduce the chance of something like Heartbleed happening once again. I’m happy that this is at least being discussed and some action is being taken to address these critical issues that have the potential to negatively affect billions of users around the world today.

Heartbleed was so massive, it got its own logo. (Credit: synopsys.com)

It will certainly be interesting to see exactly what actions the OpenSSF will take and which projects it will prioritize in the massive open-source ecosystem. I only hope that this initiative will help do what it is meant to — ensure better security across the major open-source projects that millions of users depend on — instead of simply funneling money into critical infrastructure chosen by the tech megaliths of our day.

If you would like to read the official announcement from The Linux Foundation, you can find it here. If you would like to learn more about OpenSSF, you can find their official website here.

This is an excerpt from Linux++ Issue 23. You can read the full issue here.
