In addition to economic headwinds, the technology industry is also increasingly concerned about the ever-worsening cybersecurity attacks. The General Manager of the Open Source Security Foundation finds himself at the intersection of the two.
Nearly 18 months after its founding, the Open Source Security Foundation (OpenSSF) has set ambitious fundraising and mobilization goals to improve the security of the open source software supply chain. These efforts have the backing of the Biden administration and of OpenSSF members Amazon, Google, Microsoft and other big companies. But the foundation is still short of the $150 million initial fundraising goal it set last year.
Brian Behlendorf, General Manager of OpenSSF, is facing the second year of a campaign, inspired by Log4j, to promote joint action on improving the security of open source. Meanwhile, pending EU cybersecurity legislation weighs heavily on the minds of open source advocates around the world. TechTarget Editorial caught up with Behlendorf this month to discuss these trends and more.
TechTarget Editorial: [Linux Foundation Executive Director] Jim Zemlin said at KubeCon that OpenSSF has yet to reach its $150 million funding goal. Now that we are in 2023, what is the status of that funding?
Brian Behlendorf: [In the] Mobilization Plan, the $150 million figure was meant to represent true north. It’s kind of like the first business plan that an entrepreneur has, and it’s the first step that very smart people put together in about three-week sprints. There have been further evolutions since, such as the proposal for an OpenSSF incident response team, [and] a proposal to invest more in education, with best practices and training developed for developers and university students. This year, we also plan to update that plan to reflect a year of research.
Meanwhile, we raised $7.5 million last year for Alpha-Omega, [and will raise] the same amount this year. Frankly, with the economic headwinds, what we’re looking at is, ‘How do we ensure that the resources we have now continue?’
What is Alpha-Omega?
Behlendorf: There are two parts to this. The first is to fund the security teams of major open source foundations and upgrade their security processes. The Alpha side of Alpha-Omega gave grants totaling about $2 million last year [to groups] like [the] Python [Software Foundation], the Node.js Foundation and the Eclipse Foundation security teams. If you can help them understand the value of assembling [security] teams to proactively implement better processes, rather than just as a defensive measure, those communities will fund them for the long term. On the Omega side, you can think of it like the open source equivalent of Google’s Project Zero. How do you set up both your team and your infrastructure to systematically scan the top 10,000 open source projects for new vulnerabilities and attempt to close them at scale? Can you go and see if anyone else is vulnerable to the same thing, and systematically open pull requests to close 100 bugs at once? [We could] manage it the same way you do a coordinated vulnerability disclosure process.
When the mobilization plan was announced last year, several companies invested heavily toward the $150 million goal. Were you surprised that you didn’t meet that goal last year? With the White House involved, are many big companies participating?
Behlendorf: What we got is $30 million in pledges from existing OpenSSF members. On that day in May when we released the report, it wasn’t “Here’s the cash, we’re going to go and get away”, it was “Come up with things and prove them.” And we made a deliberate decision over time to further explore and demonstrate many of these projects.
I would have hoped that with the government declaring this a priority, there would be a new class of actors, such as insurance companies starting to develop cyber risk policies, and other sources of funding out there. But their sales cycles and their opportunities are long. There is still talk in Washington about policies going in the right direction, and funding that could help as well.
Second, we see the European Union moving in a direction, with its cyber resilience legislation, that we believe can actively harm the efforts of not just open source, but the software industry as a whole. We haven’t published any comments yet, but the Eclipse Foundation recently published a blog on this. We may announce something in the next week about this as well.
What is harmful about the Cyber Resilience Act?
Behlendorf: The Cyber Resilience Act is a proposed policy that would impose obligations on publishers of open source software used in critical infrastructure. As they define it, open source software triggers [costly obligations] on publication of the code alone, not just on its use. What they suggest is that even if you just publish open source code, you must follow a set of rigorous procedures and have your processes, etc., audited. I don’t think that’s the way to get there in the open source community, or in technology in general.
Compare that to the US government’s approach to something more specific, like SBOMs. They have been working with the industry to discuss what the right standards are and what the right nudges are. And ultimately, they may require SBOMs for government procurement of things like medical equipment, but they haven’t yet said, “We need an SBOM to publish open source code in the US.” The CRA specifies many more requirements.
At the same time, there is a growing sense of crisis about cybersecurity, about how attacks continue to increase and breaches are getting bigger and more frequent. Do you share that frustration? What do you think the answer is?
Behlendorf: It would be great if Log4Shell were the last major supply chain breach, but it’s unlikely. There is a constant escalation between defensive and offensive techniques. And just as quickly as defenders find ways to tighten their ships across domains like typosquatting, for example, villains move on to the next level. What you want is that it doesn’t devolve into just a war of attrition, and that you do something that helps lock down whole categories of vulnerabilities at once.
In the early days of the Internet, we didn’t encrypt our communications, because we thought we could trust the people running the network not to read our email or snoop on our web traffic. Now we know to do everything over TLS. Along the same lines, I think we’ll see a lot of movement toward memory-safe languages like Rust and Go. People will start requiring signing using Sigstore and other tools, not just SBOMs, and will raise the bar on what kind of packages a company decides to use and which components they pull into platforms like Kubernetes.
This is a space of constant diligence, and it’s the price of being on the cutting edge and making choices about using innovative technology. The defaults can be set appropriately, and that is important. That way we can tend towards a safer internet and look for ways to measure success other than not having the next big crisis. You can objectively look at 1 million scanned repositories and ask, “Has the average score improved over the year? Could we move the masses and not only set a high bar, but set a high acceptable floor for software quality and security?”
But you say it’s overkill to make that simply a requirement for creating software.
Behlendorf: [Under the] CRA, the proposed policy would trigger upon publication. Any open source project doing a release would have to prove it isn’t [vulnerable to] X, Y and Z, and for the most significant subset of those, have that verified by independent third-party audits. That would be expensive, rather cumbersome from a process standpoint, and would at least put a brake on much of the use of open source code in the European Union. It’s not great for them, but considering how much open source code comes from Europe these days, it’s going to affect the rest of us as well.
There’s a different kind of funding problem here; others have talked about how open source developers need rewards. What do you think about that?
Behlendorf: I have never been directly compensated for working on open source code. Most people I know haven’t been either, but they worked on open source code not out of charity, but because it was indirectly required by their job. The majority of open source development has always been done by people doing it for commercial purposes, to incorporate it into websites they’re launching or services they’re building. The crisis goes beyond funding developers of open source code. It’s about funding the kinds of services and initiatives that lead to safer software. It’s about providing value to third parties, and sometimes encouraging people to do so. Getting a sense of collective action has been a challenge for open source code for 25 years. But driving that sense of collective action, especially when it comes to security, is both our opportunity and our challenge.
Beth Pariseau, Senior News Writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.