The Open Source Security Foundation (OpenSSF) announced Tuesday a new two-track initiative to find vulnerabilities in open-source software.
The effort, backed by a $5 million grant from Microsoft and Google, will be known as the Alpha-Omega Project. The "Alpha" side will emphasize vulnerability testing by hand in the most popular open-source projects, developing close working relationships with a handful of the top 200 projects for testing each year. "Omega" will look more at the broader landscape of open source, running automated testing on the top 10,000.
"They will find a vulnerability and try to answer how many other bugs are there like this?" said Brian Behlendorf, OpenSSF general manager. "Can you find some way to characterize that bug in some way a script could scan for it? How many of the other things like this are happening at other open-source projects, and when we find them, how do we connect to those developers and try to engage them in fixing in a constructive way, rather than simply dumping a CVE on their shoulders."
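As an added illustration of the scan-and-generalize step Behlendorf describes (this is not code from OpenSSF, Microsoft or Google, and it is not part of the original article): one confirmed bug is characterized as a pattern, the pattern is run over many projects, and the affected projects are ordered for maintainer outreach. The signature, which is shaped like the Log4j lookup flaw, the project names and the file contents are all assumptions made for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BugSignature:
    """A bug class characterized well enough for a script to scan for it."""
    name: str
    file_suffix: str
    pattern: re.Pattern
    description: str


# Hypothetical signature (an assumption for this example): a JNDI lookup whose
# name argument is not a string literal, the general shape of the Log4j flaw.
# A real signature would be derived from the seed finding; this is illustrative.
JNDI_DYNAMIC_LOOKUP = BugSignature(
    name="jndi-dynamic-lookup",
    file_suffix=".java",
    pattern=re.compile(r'\.lookup\(\s*(?![\s"])[^)]*\)'),
    description="JNDI lookup whose name is built at runtime",
)

# Constructed sample "repositories" (project name -> path -> contents).
# These are not real projects.
SAMPLE_REPOS = {
    "projA": {
        "src/Log.java": "Object o = ctx.lookup(name);\n",
        "src/Safe.java": 'Object o = ctx.lookup("java:comp/env/jdbc/db");\n',
    },
    "projB": {
        "src/resolve.py": "def resolve(n):\n    return registry.lookup(n)\n",
        "src/Resolver.java": (
            "class Resolver {\n"
            "  Object find(String userInput) throws Exception {\n"
            "    return new InitialContext().lookup(userInput + suffix);\n"
            "  }\n"
            "}\n"
        ),
    },
    "projC": {
        "src/Config.java": 'Object o = ctx.lookup( "java:comp/env/mail" );\n',
    },
}


def scan_repo(files, sig):
    """Return (path, line number, line) for every line matching the signature."""
    hits = []
    for path, content in files.items():
        if not path.endswith(sig.file_suffix):
            continue  # the signature only applies to one language
        for lineno, line in enumerate(content.splitlines(), start=1):
            if sig.pattern.search(line):
                hits.append((path, lineno, line.strip()))
    return hits


def scan_corpus(repos, sig):
    """Scan every project and keep only those with at least one hit."""
    results = {}
    for project, files in repos.items():
        hits = scan_repo(files, sig)
        if hits:
            results[project] = hits
    return results


def outreach_order(results):
    """Projects sorted by hit count, most affected first, so that maintainer
    engagement can be prioritized instead of filing reports blindly."""
    return sorted(results, key=lambda p: (-len(results[p]), p))


if __name__ == "__main__":
    found = scan_corpus(SAMPLE_REPOS, JNDI_DYNAMIC_LOOKUP)
    for project in outreach_order(found):
        for path, lineno, line in found[project]:
            print(f"{project}:{path}:{lineno}: {line}")
```

The regex deliberately rejects literal names, so the safe lookups in projA and projC produce no hits; a real signature would be refined against the false positives and negatives found during the first pass over the corpus, and every hit would still be confirmed by a person before contacting the maintainer.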
The idea for the project came four years ago when Michael Scovetta, principal security project manager at Microsoft, set up an internal team to do security reviews of the open source products Redmond was using.
"What we realized was that it was really hard to scale this team out," he said. "It was very labor intensive. But we assumed that other organizations were doing similar work against the same projects, and from just an efficiency perspective, we would love to pool resources."
While gears started turning on the project before Log4j, Scovetta said the recent vulnerability in that Java logging library brought added urgency to founding the project.
The Log4j flaw is the prototypical vulnerability the Alpha team would look for: an unknown problem in a high-impact project that automated tools would not catch before a human discovered it. The goal is not to have the Alpha personnel replicate work that tooling already does, such as dependency analysis.
"I don't think any of us want to sit here and say, 'If we just shut up nine months earlier, Log4j wouldn't happen,'" said Michael Winser, Google group product manager for software supply chain security and CI/CD. "But there's a whole lot of engagement and work that's not done at all ends of that spectrum and every point in between. Whether it's due to lack of resources or understanding on the part of the maintainers, it just doesn't get done. And we think there's a way that we can systematically help do it," he said.