This article is more than 1 year old

Linux Foundation rolls bunch of overlapping groups into one to tackle growing number of open-source security vulns

OpenSSF to take projects from CII and OSSC under its umbrella

The Linux Foundation has formed the Open Source Security Foundation (OpenSSF) with founding board members representing companies including IBM, GitHub, Google, JPMorgan Chase, Microsoft, NCC Group, and Red Hat.

The OpenSSF is a consolidation of several pre-existing efforts in the same space and intends bring the Open Source Security Coalition (OSSC) and the Core Infrastructure Initiative (CII) under one roof.

The CII is an existing Linux Foundation project that has wide support, including from AWS, Facebook, Huawei, Cisco, Intel, Qualcomm, and VMware, as well as most of the OpenSSF founder members mentioned above.

The CII remains in place, but "in the long term, the CII will dissolve efforts with work happening under the OpenSSF umbrella," according to the FAQ. In the meantime, the plan is that the CII will work through the OpenSSF project approval process, and contribute its resources.

OpenSSF logo

The OpenSSF logo

The Linux Foundation said that OpenSSF is not just CII renamed. "The CII was funded largely by grants, OpenSSF will be supported by Linux Foundation membership dues with targeted organization contributions to support initiatives."

The Linux Foundation said another project to be absorbed is GitHub's OSSC, and "all of the OSSC members and their projects will now be a part of the OpenSSF". The related GitHub Security Lab will remain.

OpenSSF has five initial working groups, which other than the last one closely match the "key areas" announced by GitHub last month. These are:

  • Vulnerability disclosures
  • Security Tooling
  • Identifying security threats to open-source projects
  • Security best practices
  • Securing critical projects

Most are self-explanatory. The last is intriguing in that "critical" has not been defined. There is perhaps a clue in this FAQ from CII, which asked: "Why didn't you think about doing this before the lack of funding for OpenSSL resulted in Heartbleed?" Heartbleed was a bug in OpenSSL, disclosed in 2014, that allowed theft of keys and passwords from secure servers.

"We're doing what we can now collectively to identify critical projects being overlooked or underfunded so that we drastically reduce the chances of this happening again," said the FAQ.

OpenSSF includes a governing board, a technical advisory committee, and a separate technical steering committee for each working group.

The foundation has published resources including this paper [PDF] by Microsoft's Michael Scovetta, a principal security PM manager.

Based on data from a Sonatype report, Scovetta said that the number of days between vulnerability disclosure and actual exploits is now just three, and that more than half of JavaScript components contain at least one vulnerability.

He made several suggestions aimed at developers, including threat modelling and the use of security tools, and also suggested checking code copied and pasted from Stack Overflow for vulnerabilities. Scovetta also noted that many open-source developers are not paid, "but their work product is routinely used to power for-profit businesses and other organizations".

Such developers may not have the incentive or the funds to focus on security issues, and the OpenSSF, and the projects it consolidates, are part of the industry's response. ®

More about


Send us news

Other stories you might like