White House Joins OpenSSF, Linux Foundation In Securing Open-Source Software (zdnet.com)

An anonymous reader quotes a report from ZDNet: Securing the open-source software supply chain is a huge deal. Last year, the Biden administration issued an executive order to improve software supply chain security. This came after the Colonial Pipeline ransomware attack shut down gas and oil deliveries throughout the southeast and the SolarWinds software supply chain attack. Securing software became a top priority. In response, The Open Source Security Foundation (OpenSSF) and Linux Foundation rose to this security challenge. Now, they're calling for $150 million in funding over two years to fix ten major open-source security problems.

The government will not be paying the freight for these changes. $30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMware. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million. At the White House press conference, OpenSSF general manager Brian Behlendorf said, "I want to be clear: We're not here to fundraise from the government. We did not anticipate needing to go directly to the government to get funding for anyone to be successful."

Here are the ten goals the open-source industry is committed to meeting:

1. Security Education: Deliver baseline secure software development education and certification to all.
2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
4. Memory Safety: Eliminate root causes of many vulnerabilities through the replacement of non-memory-safe languages.
5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
6. Better Scanning: Accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
9. Software Bill of Materials (SBOMs) Everywhere: Improve SBOM tooling and training to drive adoption.
10. Improved Supply Chains: Enhance the 10 most critical open-source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.

  • It starts off as a good idea until they find just how many projects, with scarce resources, are affected.
    • Re: (Score:3, Funny)

      by Narcocide ( 102829 )

      Yea and also when they make it illegal to use any language other than Rust.

    • provided the obstructionists (we know who they are) don't get in the way, they'll just work their way through it.

      If it's one thing the Dems are good at, it's boring procedural stuff. And there's nothing more boring and procedural than methodically fixing bugs in software.
  • Weren't the Solar Winds & Colonial Pipeline Microsoft Windows vulnerabilities?
    • I read that they got into Solarwinds somehow through a compromised O365 account. But that could have happened even through no fault of Microsoft's (I don't know either way) and I don't know if it was an actual exploit that got them in to begin with, social engineering, or what.

      Colonial Pipeline is supposedly similar, a password leak is suspected. So it may be that neither of these hacks was actually caused by a security vulnerability in software.

      • So the two incidents they've listed have little relation to FOSS.
        • That's right, not only are they unrelated to FOSS but they are also likely unrelated to security vulnerabilities in software at all, unless you count a lack of 2FA. But since they could have been using 2FA if they wanted to, you can't really blame that either...

          • by mmell ( 832646 )
            You have to admit, though, it's kinda nice to see human factors engineering still works.
  • I'm guessing here the NSA/CIA/ABC is sitting on a bunch of exploits that they believe they need for their job (and thus stay secret by obscurity). If so, the White House could contribute quite a lot by providing these exploits to the maintainers, for no expense on their side. Alternatively, could this be a method to ensure that these exploits stay secret (e.g. by deliberately sabotaging others from working on them)?

    • I'm guessing here the NSA/CIA/ABC is sitting on a bunch of exploits that they believe they need for their job (and thus stay secret by obscurity).

      You don't need to guess. It is pretty well documented how many security agencies by all participating governments collect and hoard zero-day exploits for use in cyber warfare. They have a definite interest in not releasing them to be fixed by either open-source or proprietary actors when potential targets have a widely or critically deployed exploit.

      Recommended reading: This Is How They Tell Me the World Ends: The Cyberweapons Arms Race [amazon.com].

  • When government gets involved with software you can bet they want back doors installed
    • But the back doors will just be there so they can come in and remove malware and to root out (ha) distributors of illicit imagery of vulnerable people. Trust us. That's the goal. If you see any contrary info let us know so our ministry of truth can ensure it is corrected.
      • by mmell ( 832646 )
        So I'm guessing you know of a backdoor in SELinux, something you'd like to share with the rest of the class? I mean, SELinux is the biggest example of government involvement with FOSS that I know of, to date. Lots of people have built the kernel from source since its release - unlike, say Microsoft, they don't have to reverse engineer it to find the "bugs". If there are backdoors, I'm sure they've been identified, yes?
    • by jmccue ( 834797 )

      Well there is always OpenBSD :)

      But if a backdoor is put in Linux, it would be in the kernel, so it will probably impact all distros. But the kernel is so complex now I kind of believe you will need a lot more than "many eyes" to find any vulnerabilities.

      • by mmell ( 832646 )
        The only safe computing device left is the abacus. Please shut your computer off now and migrate to using an abacus (or, if you prefer, a slide rule) for all of your computing needs. It's the only way you'll ever be sure you're secure. Surveys show that people the color of Tang agree!
    • by mmell ( 832646 )
      I'll take that bet. SELinux, anyone?
  • I could not figure out what OpenSSF was for yesterday when I read the article. Besides that they wanted 150m and the richest companies on the planet threw in 30m and they were fishing around for the rest from somewhere.