A non-profit organization run under the banner of the Linux Foundation and dedicated to securing open-source software has bolstered its ranks with 13 new members from private industry, the finance sector and academia.
The Open Source Security Foundation (OpenSSF) announced Wednesday that it is adding more than a dozen new entities to its membership. Among them is financial titan Capital One, joining as a premier member, which comes with a seat on the foundation’s governing board. The other new members are Akamai, Indeed, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, ZTE, the Eclipse Foundation, Purdue University and the TODO Group.
The foundation already counts notable tech and open source companies like GitHub, Google, IBM, Microsoft, AWS, Meta, Fidelity, Morgan Stanley, Tencent and others as members.
David A. Wheeler, director of open source supply chain security at the Linux Foundation, told SC Media in an interview that while some of the foundations the Linux Foundation creates are more restrictive, the criteria for OpenSSF membership are as broad as the impact of the problem its members are trying to solve collectively.
“Every different foundation has rules about who can join and who can’t, but in the case of the OpenSSF, it’s extremely broad and intentionally so because basically everybody is impacted by the security or lack of security in open-source software,” Wheeler said.
Each member brings their own expertise and knowledge about the way open source software is used or deployed throughout society or their particular sectors. Adding new members from the banking and financial sectors or other critical infrastructure is critical to the foundation’s long-term work and impact.
“As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world’s technology leaders as we collaborate to strengthen the software security supply chain,” said Chris Nims, an executive vice president at Capital One, in a statement. “As a highly regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenSSF mission and give back to the open source community.”
There’s also a financial incentive, as entities pay a membership fee that goes toward funding the work done by OpenSSF. According to the foundation’s website, participation in its work does not require paying a fee, and working-group and project-related decisions are made by steering committees and project maintainers without regard to membership. But Wheeler did say that entities like Capital One that opt for the more expensive premier memberships are given seats on the governing board.
“We want all our software to be secure, but clearly some software is especially important, so we’re always excited when organizations that manage these critical services get involved and we’d love to see more,” he said. “We want to get the expertise from as many different sources as we can because we want to create guidelines that really think things through.”
While open source software is no more or less inherently vulnerable than proprietary software, it has become a focus of both government and industry because open source code is widely used in commercial software as well as in systems developed by governments, non-profits and universities. While high-profile incidents like the Log4j vulnerability often dominate the news headlines, corrupting open source code in order to compromise the companies and entities that use it downstream has become an increasingly popular tactic for malicious hackers.
For instance, Sonatype said in March that it had identified more than 130 typosquatting packages targeting npm and more than a dozen targeting popular Python repositories. Typosquatting relies on a developer mistyping or misremembering a well-known package name and pulling in a lookalike instead. The end goals of the Python attacks have ranged from installing cryptomining software and stealing credentials and authentication tokens to creating hidden backdoors for access into victim systems.
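One practical countermeasure against the typosquatting pattern described above is to screen a dependency manifest for names that are one or two edits away from a well-known package without being that package. The following is an added example, not code from OpenSSF, Sonatype or this article; the popular-package list, the `requirements.txt` content and the `max_distance` threshold are all constructed for the demonstration, and a real screen would draw its allow-list from registry download rankings.

```python
"""Screen a requirements manifest for typosquat-style package names.

Added example, not code from OpenSSF, Sonatype or the article. The popular
package list and the manifest below are constructed for the demonstration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed allow-list; a real screen would use the registry's top-N names
# by download count and refresh it regularly.
POPULAR_PYPI = {
    "requests", "urllib3", "numpy", "pandas", "cryptography",
    "boto3", "django", "flask", "python-dateutil",
}

# Constructed manifest. Three names are one or two edits away from a popular
# package (transposed letters, a dropped letter, a digit for a letter), which
# is the classic typosquat pattern.
SAMPLE_REQUIREMENTS = """\
# pinned application dependencies
requests==2.31.0
reqeusts==2.31.0
python-dateutil>=2.8
urlib3
numpy
crypt0graphy[ssh]
-r dev-requirements.txt
"""


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return normalized project names from requirements.txt-style text.

    Comments, blank lines and pip options (lines starting with '-') are
    skipped; version specifiers and extras are stripped from each name.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_typosquats(requested: Iterable[str], popular: set[str],
                    max_distance: int = 2) -> list[tuple[str, str, int]]:
    """Flag names that are not a popular package but sit within max_distance of one.

    Returns (requested_name, nearest_popular_name, distance) for each hit.
    Exact matches are trusted; every other name is compared against the
    whole allow-list, and ties are broken alphabetically for stable output.
    """
    popular_norm = {normalize(p) for p in popular}
    hits = []
    for name in requested:
        if name in popular_norm:
            continue
        nearest, dist = min(((p, levenshtein(name, p)) for p in popular_norm),
                            key=lambda t: (t[1], t[0]))
        if dist <= max_distance:
            hits.append((name, nearest, dist))
    return hits


def screen(text: str) -> list[tuple[str, str, int]]:
    """Parse a manifest and return its suspicious entries."""
    return find_typosquats(parse_requirements(text), POPULAR_PYPI)


if __name__ == "__main__":
    for name, nearest, dist in screen(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {name!r} is {dist} edit(s) from {nearest!r}")
```

A hit is a prompt to look at the package, not proof of malice: legitimate forks and plugins are often close in name to the project they extend, so the practical workflow is to review each flagged name against the registry (publisher, age, download count, install scripts) before approving it. Edit distance also only covers one family of lookalikes; homoglyphs, npm scope confusion and dependency confusion with internal package names need separate checks.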
More recently, OpenSSF unveiled a 10-point plan at the Open Source Security Summit hosted by the White House in May. That plan will feed into 10 workstreams, including reducing patch response times for open source software, developing new metrics to track code and components, moving the industry away from memory-unsafe programming languages whose vulnerabilities are difficult to find and fix, establishing a framework for incident response teams that can be deployed across the open source community, and conducting annual third-party reviews of the 200 most critical open source components.