Supply chain security takes center stage at OpenJS World 2022

At OpenJS World 2022, the Open Source Security Foundation outlined two ambitious initiatives to fix supply chain security issues in open source software.

AUSTIN, Texas -- From serious vulnerabilities to tarnished developer reputations, supply chain security is everyone's problem.

To tackle the issue, the Open Source Security Foundation (OpenSSF) has ambitious plans to implement core security practices for every major open source project, starting with Node.js, said Brian Behlendorf, general manager of OpenSSF, in his OpenJS World keynote.

Open source software is a diverse ecosystem that requires a broad approach to supply chain security. The last few years have seen several major software supply chain incidents, such as the SolarWinds compromise, in which a trojanized product update reached thousands of enterprise and government customers in 2020, and the Log4j vulnerability (Log4Shell), disclosed in December 2021, which affected millions of applications through a widely used Java logging library.

OpenSSF, a cross-industry collaboration backed by the Linux Foundation to improve open source software security, aims to strengthen supply chain security with two major projects: Alpha-Omega, which funds dedicated security work in critical open source projects, and the Open Source Software Security Mobilization Plan, which was born from a desire to prevent future disasters of Log4j's magnitude. Starting with Node.js, the plans should benefit developers across the JavaScript ecosystem because they will have to worry less about vulnerabilities in the runtime and libraries they depend on, according to OpenSSF.

It's starting with Node.js because of its ubiquity and high criticality score, a metric OpenSSF computes from signals such as contributor count, dependents and activity to rank how much of the ecosystem depends on a project, according to a press release.

The measures may also prevent tarnished reputations, Behlendorf said. For example, Log4j developers received an unfair chunk of the blame for the vulnerability.

"It really sucks when you become a poster child for something that you don't really deserve," he said.

Project aims for across-the-board security for all

The OpenSSF Alpha-Omega project has two main goals: to fund key projects that lack core security practices such as dedicated security teams (the "Alpha" half) and to scan the long tail of widely used open source repositories for vulnerabilities with automated tooling (the "Omega" half), Behlendorf said.

The project received an initial investment of $5 million from Google and Microsoft. One of the first places slated for funding is the Node.js community, which will receive $300,000 to bolster its core security practices. Like all large open source projects, Node.js suffers from security issues, and there aren't enough people to fix those issues, said software engineer Dan Lorenc, founder and CEO of Chainguard Inc. and a member of OpenSSF's technical advisory council.

The Alpha-Omega initiative aims to fix that problem by hiring security experts who can find and fix vulnerabilities before they get exploited. The money is there, Lorenc said, so the open question is how OpenSSF can make those security practices scalable enough to serve as a template for every major open source project.

However, Holger Mueller, vice president and analyst at Constellation Research, was unsure if $300,000 will fix Node.js' significant supply chain security problem. "We'll see," he said.

But Lorenc isn't looking for perfection. "We're never going to fix it," he said, "because all code has bugs. We're just going to make it better."

Log4j leads to Open Source Security Mobilization Plan

A second project on OpenSSF's roadmap is the Open Source Security Mobilization Plan, which was sparked by the Log4j vulnerability. When OpenSSF examined the incident, it concluded that a third-party audit might have turned up the flaw before it was exploited, Behlendorf said: the library's lookup substitution let attacker-controlled strings inside logged messages trigger lookups, effectively treating untrusted input as a format to be interpreted.

Typically, the OpenSSF takes a passive, facilitating role in development, Behlendorf said, but the Log4j debacle created an incentive to be more top-down and to engage the developer community by tackling the security problem head-on.

The initiative calls for investing $150 million over two years in a 10-point plan that covers items such as education, risk assessment and the formation of an incident response team. To date, companies including Amazon, Google and Microsoft have pledged a collective $30 million toward the initiative. But exactly how the funding will be distributed is still a work in progress, Behlendorf said.

Constellation Research's Mueller said he was happy to see open source communities focus on security hygiene.

"Improving supply chain security is a new aspect learned the hard way," he said.
