Since open-source software (OSS) became popular in the 1990s, it has taken the world by storm. Like any technological development, OSS has its advantages and disadvantages. For example, it often gains features and capabilities quickly because thousands of people contribute to open source projects.
However, OSS also carries cybersecurity risks. Many companies have to weigh the risks and vulnerabilities against the benefits of OSS before investing in an OSS project.
This month, The Linux Foundation and Open Source Software Security Foundation (OpenSSF) held an event for industry professionals and government officials. The event focused on tackling key issues related to OSS security and how to improve the resiliency of OSS.
Multiple big-name corporations made monetary pledges at the event. Continue reading to learn more about the OSS event, in which companies pledge money to boost OSS security, and why OSS security needs to be a priority.
As mentioned earlier, The Linux Foundation and OpenSSF held an event in May called the Open Source Software Security Summit II. It was a follow-up to the original Summit held in January, which the White House's National Security Council led. The first Summit occurred at a critical time, when the industry was still grappling with the Log4Shell vulnerability in the widely used Log4j logging library.
The Open Source Software Security Summit II hosted 90 executives from 37 companies. Government officials from the NSC, NIST, CISA, ONCD, DOE, and OMB also attended. OpenSSF and The Linux Foundation took input from all sectors and announced a first-of-its-kind plan, the Open Source Software Security Mobilization Plan, that broadly addresses OSS security and the global software supply chain.
Several significant tech corporations, including Amazon, Microsoft, Google, Ericsson, Intel, and VMware, joined together to pledge around $30 million of funding to support the plan introduced at the Summit. More solutions are expected to emerge and the plan will evolve, which means it may require more funding in the future.
The plan's goals include improving security education for everyone working in the OSS community, accelerating the move away from non-memory-safe programming languages such as C and C++ (the source of many memory-corruption vulnerabilities), and driving adoption of the software bill of materials (SBOM). An SBOM is a machine-readable inventory of the components in a piece of software, so it helps companies gain visibility into the OSS they use in their tech stack and lets them answer "are we running an affected version?" when an advisory like Log4Shell lands.
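To make the SBOM point concrete, here is an added example (not code from the article, the OpenSSF plan, or any of the companies named) that parses a small CycloneDX-style SBOM and checks each component against an advisory list. The SBOM document, the component list and the advisory feed are all constructed inline for the demo; the only real identifier is CVE-2021-44228 (Log4Shell), which affects `log4j-core` before 2.15.0. The version comparison deliberately drops pre-release tags, which is enough for this demo but is not a full semantic-versioning implementation.

```python
"""Check a CycloneDX-style SBOM against a list of advisories.

Added example: a minimal "which of our components are affected?" check of the
kind an SBOM makes possible. Everything below is constructed for the demo.
"""
import json
import re

# Constructed CycloneDX 1.4-style SBOM, trimmed to the fields used here.
# The third component has no package URL (purl), which is a common real-world
# gap: without an identifier the component cannot be matched to advisories.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "group": "org.apache.logging.log4j",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "group": "org.apache.logging.log4j",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
    {"type": "library", "name": "internal-utils", "version": "0.3.0"}
  ]
}
"""

# Constructed advisory feed. CVE-2021-44228 (Log4Shell) is real; the affected
# range is simplified to [2.0, 2.15.0) for the demo.
ADVISORIES = [
    {
        "id": "CVE-2021-44228",
        "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
        "introduced": "2.0",
        "fixed": "2.15.0",
    },
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1). Pre-release suffixes are dropped, so
    '2.0-beta9' becomes (2, 0). Good enough for the demo, not full semver."""
    parts = []
    for piece in re.split(r"[.\-+]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def _padded(version: str, width: int) -> tuple[int, ...]:
    """Right-pad a parsed version with zeros so (2, 0) compares as (2, 0, 0)."""
    parsed = parse_version(version)
    return parsed + (0,) * (width - len(parsed))


def affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (fixed version itself is safe)."""
    width = max(len(parse_version(v)) for v in (version, introduced, fixed))
    return _padded(introduced, width) <= _padded(version, width) < _padded(fixed, width)


def find_vulnerable(sbom_json: str, advisories: list[dict]) -> list[dict]:
    """Return one hit per (component, advisory) pair whose purl and version match."""
    sbom = json.loads(sbom_json)
    hits = []
    for component in sbom.get("components", []):
        purl = component.get("purl")
        if not purl or "@" not in purl:
            continue  # no identifier, so nothing to match against (see unidentified_components)
        prefix, version = purl.rsplit("@", 1)
        prefix += "@"
        for adv in advisories:
            if prefix == adv["purl_prefix"] and affected(version, adv["introduced"], adv["fixed"]):
                hits.append({"purl": purl, "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits


def unidentified_components(sbom_json: str) -> list[str]:
    """Names of components with no purl: the SBOM lists them, but they cannot be
    checked automatically, which is itself a finding worth reporting."""
    sbom = json.loads(sbom_json)
    return [c.get("name", "<unnamed>") for c in sbom.get("components", []) if not c.get("purl")]


if __name__ == "__main__":
    for hit in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{hit['advisory']}: {hit['purl']} (fixed in {hit['fixed_in']})")
    for name in unidentified_components(SBOM_JSON):
        print(f"no purl, cannot check: {name}")
```

Two things the run shows that the paragraph alone does not: `log4j-api` 2.17.1 is not flagged even though it shares a group with the vulnerable artifact, because matching is on the exact package URL, and the component with no `purl` is reported separately rather than silently passing, since an inventory entry you cannot identify gives no real visibility.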
No matter the type of open-source software used, good security is critical. Businesses invest significant money in OSS solutions, so keeping their data secure and out of the hands of threat actors is a top priority.
For example, a business that adopts an open-source communication platform as a service (CPaaS) can extend its marketing reach without overspending. OSS is typically seen as a cost-effective option for many business processes; however, the software must also be secure for a business to actually benefit from it.
Ultimately, holding events like this Summit to address the software industry’s ongoing cybersecurity challenges is essential. Maintaining national security has become increasingly difficult in the digital age, especially when hackers get more sophisticated with their attack methods.
Google Cloud also announced that it would launch an Open Source Maintenance Crew to support the community: a dedicated team of engineers who will work with upstream maintainers to improve the security of OSS projects.
These types of security measures are necessary as the cybersecurity threat landscape intensifies. OSS can be more secure because anyone can inspect its code, but that openness only helps if someone actually does the inspecting; it does not make the software bug-free. Active community members will review OSS and ship fixes, especially when bugs are reported quickly. However, if a project has no one left to maintain the code, known issues can persist for every user of that code, and cybercriminals have more time to exploit those vulnerabilities.