OpenSSF looks to further strengthen supply chain security

As we reported a few weeks ago, OpenSSF in conjunction with the White House and others has launched a 10-point plan and funding with the aim of improving the security of the software supply chain.

OpenSSF has also announced a number of new members including premier members, Atlassian and Sonatype, who will join the OpenSSF governing board.

The organization has been expanding its core working groups as well, to include Securing Software Repositories. This group aims to improve cybersecurity practices where developers download open source packages most often.

“There’s not one small set of components whose improvement is going to suddenly prevent the next Log4J, that was just the latest in the stream of incidents that help frame the importance of looking at the supply chain,” says Brian Behlendorf, general manager at OpenSSF. “Really, the systematic issue here is that open source software was developed historically in a very high trust environment, in a place where as a software developer, using an open source component, you actually had a reasonable chance of either socially knowing the developers behind that code or being just one hop removed from them. That high trust environment worked when you had dozens or hundreds or maybe even a little over 1,000s of modules, but not where you have 40 million different software components as you’d have these days.”

As the 10-point plan states, conducting regular code audits and establishing the use of software bills of materials (SBOMs) is key to quantifying the risks that the software supply chain presents.

“I’d like to see some of the work that we’re doing tied into more objective metric systems so that we can start to really guide investments into things like replacements of core open source software,” adds Behlendorf. “What we don’t want to do is wake up to another Log4J, or another open SSL type of vulnerability where there is a component that was used very widely. There’s a bunch of things going on at OpenSSF that do deal with metrics, everything from the scorecard Initiative and the best practices badge and the project called Allstar, all of which are about trying to assess the safety of a component and its likelihood that it’ll have a vulnerability.”

Behlendorf recently testified to the US House of Representatives Committee on Science, Space, and Technology on the work being done to strengthen supply chain security. You can see his full testimony on the OpenSSF site.

Image credit: Chan2545/

Author: Martha Meyer