Google and Microsoft Support Alpha-Omega Project to Strengthen Software Supply Chain
The Linux Foundation-supported Open Source Security Foundation (OpenSSF) has launched a new project to secure the software supply chain.
The Alpha-Omega Project, as it’s called, works directly with project maintainers to find zero-day vulnerabilities (i.e. previously unknown bugs) in open source codebases and to fix them. Microsoft and Google will provide an initial cash injection of $5 million, which follows another recent recurring $10 million pledge the duo made to the OpenSSF along with fellow member organizations such as Amazon, Facebook and Oracle.
The OpenSSF is a cross-sector collaboration launched by the Linux Foundation back in 2020. Since October last year it has been led by open source pioneer Brian Behlendorf, the main creator of the Apache web server.
The timing of this latest announcement is no coincidence. The White House recently hosted an open source security summit, with members from across the public and private divide meeting to discuss how best to address flaws in community-driven software. The meeting was organized in the wake of the critical Log4j vulnerability called Log4Shell, which had been present for many years but was only recently discovered. Both Microsoft and Google attended the summit, as did the Linux Foundation, so it’s clear that last month’s meeting helped build at least some momentum to strengthen the software supply chain.
The Log4j vulnerability raised age-old questions about the inherent security of open source software, especially software not supported by squads of full-time developers and security personnel. Indeed, one of the main maintainers of the Log4j project – someone who played a key role in fixing the vulnerability – has a full-time job elsewhere as a software architect. He works on “Log4j and other open source projects” in his spare time.
And against that background, the Alpha-Omega Project aims to improve the security of the OSS supply chain. As the name suggests, the project has two core components: Alpha will work with project managers of “the most critical open source projects”, enabling them to identify and fix security vulnerabilities and improve their overall security posture. Omega, on the other hand, will identify “at least” 10,000 of the most widely used OSS projects and apply “automatic security analysis, scoring and remediation guidelines” to the respective administrator communities.
So who exactly are the members of these open source communities – is it just the existing administrators and contributors? That will be part of it, but the OpenSSF will also try to involve other professionals – including volunteers and paid individuals – to take the lead.
“For example, we would like to see cybersecurity professionals participate as well,” Behlendorf told VentureBeat. “To be clear, there will be paid staff who will lead engagement on key open source (Alpha) projects and conduct research using automated tooling to find problematic areas in the long tail of open source (Omega) projects.”
As the Log4j vulnerability highlighted, a common complaint from the open source world is that maintainers of some of the most critical software components receive little compensation. While the Alpha-Omega project may be able to help address that, it’s not just a matter of throwing money at maintainers – there’s a clear multi-pronged strategy behind the investment.
“I don’t know of any (credible) open source developers who would write more secure code if someone just gave them some money,” explains Behlendorf. “However, the administrators are probably aware of the best ways to deploy a modest amount of money to fix a serious known issue, update dependencies, update their OpenSSF Best Practices Badge, or more. So working with administrators to get that picture and ensure funding is targeted at the right opportunities is key.”
Alpha will be a collaborative project focusing on the most critical open source projects, as identified through the work of the OpenSSF Securing Critical Projects Working Group, which combines expert opinions and data. Omega, meanwhile, will use a range of software tools to automatically identify vulnerabilities – this could be anything from security scanners from companies like Snyk to open source tools like Google’s OSS-Fuzz and other proprietary internal tools that could eventually be made open source. However, Behlendorf also noted that they anticipate the creation of new tools, which can intelligently answer questions such as, “that feature that made Log4J so hard to secure… what other projects have a similar feature?”
“We expect our paid workforce and the community to collaborate on new tools to answer those and other questions that arise as new attack vectors are better understood,” Behlendorf said.
When all is said and done, it’s clear that some effort has been made over the past year to better support open source security, especially from “big tech”. Last year, Google revealed it would fund Linux kernel developers, pledged $1 million to an open source Linux Foundation security rewards program, and also disclosed that it sponsored the Open Source Technology Improvement Fund (OSTIF), which is specifically aimed at conducting security assessments of critical open source software projects.
There seems to be at least some alignment – and even overlap – between these various initiatives, with OSTIF in particular sharing some common goals with those of Alpha-Omega.
“We view the kind of assistance we expect to give to open source projects and developers through Alpha-Omega as a strict addition to other support efforts that those projects may already be receiving,” Behlendorf said. “We are also working hard to ensure that the efforts of all OpenSSF members are harmonized and focused to maximize impact.”
And that’s a point worth picking up on. Sarah Novotny, Microsoft’s open source lead for the Azure Office of the CTO, noted last year that open source is now the accepted model for business collaboration. This ethos is very clear here – the OpenSSF has members who are otherwise fierce commercial rivals, but they must come together for the greater good of their respective products, customers and bottom lines. Open source is the strand that connects the dots.
“Open source software is an essential part of critical infrastructure for modern society – so we must take all necessary steps to keep it and our software supply chains secure,” said Behlendorf.