Do You Want Secure Supply Chains? SHOW ME THE MONEY

The Open Source Security Foundation and Linux Foundation have a plan to fix our broken software supply chains. OpenSSF has published the 10-step program and asked industry to pony up $150 million as a down payment.

Pledges of $40 million have already been made. “Only” $110 million to go. Great news.

Cui bono? In today’s SB Blogwatch, we hope it’s us.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Stefania, subtitled.

1.5 Million Benjamins Needed

What’s the craic? Steven Vaughan-Nichols reports—“White House joins OpenSSF and the Linux Foundation in securing open-source software”:

This is a massive undertaking
Securing the open-source software supply chain is a huge deal. … OpenSSF and Linux Foundation [are] calling for $150 million in funding over two years to fix ten major open-source security problems. They’ll need every penny … and more.

[$40] million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMware. … This is a massive undertaking. … Of course, there will always be bugs. As … OpenSSF general manager Brian Behlendorf said … “Software will never be perfect. The only software that doesn’t have any bugs is software with no users.”

$150 Million? Sean Michael Kerner counts the cost—“How much will it cost to secure open-source software? OpenSSF says $147.9M”:

Foundational element of the software supply chain
In recent years there have been multiple vulnerabilities in open-source software that have been exploited, leaving organizations of all sizes at risk. Vulnerabilities in software components like the open-source Log4j Java library have impacted millions of users around the world.

As open source is increasingly part of all software, it has also become a foundational element of the software supply chain. … While open-source software itself can sometimes be freely available, securing it will have a price.

OpenSSwhatnow? Christine Hall fills us in—“OpenSSF Protecting Open Source Security”:

Requires developers to be trained in security
Recognizing that the expanding scope of security attacks affects open source as well as proprietary software … the Linux Foundation formed the Open Source Security Foundation, a cross-industry collaborative effort devoted to improving open source software security. The project’s founding members, who brought to the table both money and expertise, include … A-list tech stars such as GitHub, Microsoft, Google, IBM, Red Hat, GitLab, Uber, VMware, and others. Since then the membership has grown to include 74 companies.

The main focus at OpenSSF hasn’t been so much on the traditional bolted-on security that’s designed to keep attackers out of a system, or heuristics programs that look for suspicious behavior. … Although traditional software and hardware security solutions remain an essential element in any security program, OpenSSF places an emphasis on making sure that all of the applications running on the system are designed with security in mind.

This requires developers to be trained in security best practices. … In addition to the training on secure coding practices and the security-focused software tools it makes available, OpenSSF sponsors Working Groups, which are collaborative projects for the planning, design, and delivery of security tooling, and best practices to secure critical open source projects. [And it] hosts Town Halls, where people can stay informed about the latest happenings in open source security while engaging with security experts.

Any specifics? Brian Behlendorf and chums have a plan—“The Open Source Software Security Mobilization Plan”:

During the Open Source Software Security Summit II in Washington, DC on May 12 – 13, 2022, The Linux Foundation and OpenSSF … agreed to focus on 10 streams of investment, with concrete action steps: …

    1. Deliver baseline secure software development education and certification. …
    2. Establish a public, vendor-neutral, objective, metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components. …
    3. Accelerate the adoption of digital signatures on software releases. …
    4. Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages. …
    5. Establish an OpenSSF Incident Response Team of security experts to assist open source projects to accelerate their responses to newly discovered vulnerabilities. …
    6. Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance. …
    7. Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most critical OSS components once per year. …
    8. Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components. …
    9. Improve SBOM tooling and training to drive adoption. …
    10. Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

What was number four again? u/caiuscorvus sounds confused:

Wait. … Is this saying they want to write everything in Rust?

And Narcocide follows the money:

Consultants dream … when they make it illegal to use any language other than Rust.

Duck and cover. u/circorum foresees a religious war:

So HolyC is the only C you’re allowed to use now?

Donning a double-layered tinfoil hat, it’s Ubi_NL:

I’m guessing here the NSA/CIA/ABC is sitting on a bunch of exploits that they believe they need for their job (and thus stay secret by obscurity). If so, the White House could contribute quite a lot by providing these exploits to the maintainers, for no expense on their side. Alternatively, could this be a method to ensure that these exploits stay secret (e.g., by deliberately sabotaging others from working on them)?

It all sounds incredibly complicated. u/sweats_while_eating leans in for a KISS: [You’re fired—Ed.]

Just fork it and secure it. Mandate that government computers remain on that fork only.

Meanwhile, mmell chugs a draught of copium and pulls up the covers:

The only safe computing device left is the abacus. Please shut your computer off now and migrate to using an abacus (or, if you prefer, a slide rule) for all of your computing needs. It’s the only way you’ll ever be sure you’re secure.

And Finally:

This subtitled music video for Ukraine’s Eurovision winner is a tough watch

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Adam (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

