The Linux Foundation announced recently that it’s launching a new foundation. Yes, a Foundation is creating a Foundation. But it’s not what it looks like. The goal is actually very specific.
The new Open Source Security Foundation (OpenSSF) has one main goal – to bring the most important security initiatives together and improve the overall security of open source platforms. OpenSSF already has a lot of big names as members. Among them are Google, Microsoft, Red Hat, VMware, GitHub, IBM, Intel, Uber and more.
OpenSSF will help these companies work together on their most popular projects and ease their support and integration. Despite the fact that the Linux Foundation presides over OpenSSF, the work won’t be limited to just Linux projects. It will cover a wide array of open source work and help bring the long list of contributors together.
OpenSSF has a Governing Board and a Technical Advisory Council. They will help improve the security of the most popular open source software. “We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open-source software we all depend on,” Jim Zemlin, executive director at the Linux Foundation, told SiliconAngle.
“Ensuring open source security is one of the most important things we can do and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort,” he adds.
More focus where it matters the most
It’s important to ensure that cybersecurity takes a priority role in the open source world, especially since open code is becoming increasingly popular among companies of all industries and sizes. Statistics by Synopsys show that in 2019, 99% of commercial codebases contained at least one open source component, and open source comprised 70% of code overall.
While this is great, the details aren’t all that positive. 75% of audited codebases contain open source components with known security vulnerabilities, and 49% have high-risk issues. 91% contain components that are 4 years out of date or haven’t been developed in two years. As such, it’s obvious that security is a very sensitive issue.
Security, though, is also a complex topic, and it has long suffered from a lack of attention, negligence and a skills gap. It needs all the help it can get in order to improve, as attackers don’t have any of these issues. OpenSSF is a step in the right direction, but it will need more proactive work from the industry to achieve the desired results.