In January, I published a blog post about attending the first White House Open Source Security Summit, a gathering precipitated by the Log4j vulnerability, a hole in a ubiquitous open source logging framework for Java applications. Log4j was a huge wake-up call — not just for industry, but for the United States government, as well. Because almost all enterprise software leverages open source software (OSS) components, it was a stark reminder that securing source code, build, and distribution integrity is mission-critical. On May 12, the Linux Foundation and the Open Source Software Security Foundation (OpenSSF, of which VMware is a Premier Member) assembled over 90 executives from 37 companies, as well as six government agencies, to establish key actions required to improve OSS resiliency and security. I attended this Open Source Software Security Summit II along with Tim Pepper, VMware’s interim Chief Open Source Operating Officer, in Washington, DC.
The group agreed upon a plan that would include the following areas:
- Delivering security education
- Developing a public, vendor-neutral, risk-assessment dashboard for the top OSS components
- Accelerating the adoption of digital signatures
- Replacing non-memory-safe languages
- Establishing an OpenSSF OSS incident-response team
- Developing advanced security tools and expert guidance
- Conducting annual third-party code audits of the most critical OSS components
- Coordinating industry-wide data sharing to improve OSS security research
- Improving Software Bill of Materials (SBOM) tooling
- Enhancing the most critical OSS build systems, package managers, and distribution systems via best practices and supply-chain security tools
This ambitious agenda provides for an initial investment of approximately $150M, with Amazon, Ericsson, Google, Intel, Microsoft, and VMware pledging over $30M (in funds, talent commitments, and more) towards the cause. However, that sum is really just a starting point. It will require much greater investment to build out a comprehensive, ecosystem-oriented approach to drive a dramatic and durable long-term improvement to the security of the entire software supply chain — including OSS.
VMware continuously demonstrates technical and community leadership in key facets of supply-chain security. Sponsoring and championing projects such as The Update Framework (TUF, a blueprint for signing, publishing, and safely receiving the content in a content repository) and the Tern project (a software composition-analysis tool and Python library that generates SBOMs for container images and Dockerfiles) places our developers on the forefront of the emerging foundational technologies required to close the security gaps in the software supply chain.
The industry faces a huge collective challenge, which will require a fundamental change in traditional approaches to security. In 2021, we saw the disclosure of almost 29,000 vulnerabilities, with about 4,000 of those being the most severe type of remote code execution. We both feel that it is critical for all software companies to dramatically improve our development practices, information sharing, and response times.
I continue to be impressed by the participants of the OpenSSF. This unique alignment of the open source ecosystem, government, and industry is born from an incredible passion for engineering quality and collaborative solutions. I am reassured that this is the right path forward for all affiliate sponsors and for all industries that will come to rely on the secure supply chains of the future. I encourage everyone to read the Mobilization Plan, whether you want to identify a role for your organization or want to be prepared for the coming changes in securing the software supply chain. You can also learn more about how to get involved with OpenSSF.