Tech giants commit $10M annually to Open Source Security Foundation


The Linux Foundation has secured an annual commitment of $10 million from companies across the technology, finance, telecom and cybersecurity industries to help secure the software supply chain. The recurring investment will go to the Open Source Security Foundation (OpenSSF), a cross-industry collaboration the Linux Foundation launched last August, and will be funded largely by its member organizations, including Amazon, Facebook, Google, Microsoft, Ericsson, JPMorgan Chase, Red Hat, Dell and Oracle.

The announcement comes at a time when supply chain attacks have surged, prompting President Joe Biden to issue an executive order in May outlining measures to improve the country's cyber defenses, including securing the open source software used in federal information systems.

Open source pioneer Brian Behlendorf, creator of the now ubiquitous Apache web server, will also now head OpenSSF as its full-time general manager, initially tasked with building an "effective and collaborative community."

“My job will always be to channel the energy, enthusiasm and resources of the individuals and organizations that converge on OpenSSF into one community, into our existing working groups and projects, and to create new projects as opportunities and needs arise,” Behlendorf told VentureBeat.

Attacks go upstream

Although it is well documented that open source code bases contain innumerable vulnerabilities, enterprise developers have become better at keeping their software current with the latest components, and this appears to have pushed attackers further "upstream", closer to the source code itself: if malicious code is injected into a component at its origin, it reaches everyone downstream in the supply chain who pulls that component in. A recent report from Sonatype, a software composition analysis (SCA) platform that companies use to scan their code bases for security and license compliance issues, found that these so-called "next-generation" software supply chain attacks increased 650% in 2021.

“Attacks by adversaries on popular open source code are on the rise,” Behlendorf said. “If a popular open source component has a new vulnerability discovered in it, thousands of organizations could become vulnerable through this attack vector all at once.”

There has been a marked increase in open source security activity recently, especially among "big tech" companies, which depend heavily on open source libraries and components. Earlier this year, Google revealed that it would fund Linux kernel developers, and it later pledged $10 billion to cybersecurity in support of President Biden's initiative. In the following months, the internet giant revealed that it was sponsoring the Open Source Technology Improvement Fund (OSTIF), which conducts security reviews of selected critical open source software projects. And a few weeks ago, Google committed $1 million to a new Linux Foundation open source security rewards program.

OpenSSF had minimal funding in its first year of operation, "not even close" to what it needed to have a meaningful impact, according to Behlendorf.

“This new effort is remedying that,” Behlendorf said. “In its first year, [OpenSSF] was able to set up six critical working groups focusing on providing training in secure coding practices as well as improving automation, prioritization and the addressing of vulnerabilities in open source software; the new funding will further strengthen each of these efforts and support the creation of additional working groups.”

What is perhaps most notable about OpenSSF, beyond the $10 million now at its disposal, is the cross-industry input it has from some of the world's largest companies. This is very much an indication of how pervasive open source software is: the vast majority of software contains at least some open source components, and a vulnerability in a shared component does not discriminate by the industry in which it is used. In short, open source software affects everyone.

“Developers no longer code 100% of their applications from scratch, and are now heavily dependent on these open source software components to bring new opportunities to market faster,” said Behlendorf. “The industry has recognized that not all open source components are created equal and that they may only incorporate the safest, highest-quality open source into their applications.”
