Since the emergence of the Log4Shell vulnerability in December 2021, one of the narratives that has emerged in the tech and cybersecurity communities is that open-source software may be fundamentally broken.
While nearly all organizations — including million- and billion-dollar companies — rely in part on open-source software, most of that code is essentially maintained and protected by a small, ragtag band of volunteers, most of whom work on projects as a side gig or hobby in addition to their full-time jobs.
Further, while a security crisis like Log4Shell winds up affecting almost everyone, few companies are incentivized to fund the kind of broad-based effort needed to secure the thousands of open source projects that form the soft underbelly of the cybersecurity ecosystem.
Following the emergence of the Apache bug, the Biden White House sent a letter to tech companies noting that the lack of resources and unclear lines of responsibility in the open-source community was a "key national security concern" and calling for better collaboration between the private and public sectors to tackle the problem.
Enter Project Alpha Omega.
One of the projects launched by the non-profit Open Source Security Foundation shortly after the White House held a summit with tech companies last year was an ambitious pair of open-source initiatives known as Alpha-Omega. The overarching goal of the twin efforts is nothing less than restoring trust in the open source software that quietly powers much of the tech world.
"Open-source software is the foundation of practically all modern technology," Brian Behlendorf, general manager at the OpenSSF, told SC Media in an interview. "And Alpha-Omega aims to help make that foundation safe, secure and resilient."
The effort, composed of four individuals and backed by a $5 million grant from Google and Microsoft, aims to provide both the funding (via Alpha) and tooling (via Omega) to help thousands of open-source projects identify and patch critical vulnerabilities more effectively and efficiently. Thus far, the project has been able to fix 28 critical vulnerabilities, identify 11 previously undiscovered critical vulnerabilities, and help fund dedicated security staff across five unique open source ecosystems.
While that ultimately represents a minor drop in the bucket compared to the tens of millions of open-source projects used today, Michael Scovetta, the initiator of Alpha-Omega and a principal security project manager at Microsoft, described 2022 as "a year of experimentation" for the nascent program. One that helped the team lay a foundation for its high-level mission that can be built on in future years.
"[Alpha-Omega] is a new attempt that does not have a playbook, so we did various experiments to understand the open-source projects' needs and provide solutions accordingly,” Scovetta said in an interview. “That said, there are more challenges ahead that await to be addressed, and we welcome input and ideas from the community.”
Alpha: open-source security from the top down
The "Alpha" half of Alpha-Omega is designed to fund a handful of the most critical and widely used open-source projects and help them improve their security postures.
The Alpha team asked the Security Critical Projects working group within OpenSSF to make a list of the Top 100 critical open-source projects in order to determine where interventions might yield the greatest impact. Based on that list, the team invested over $2 million in five important programming ecosystems: Node.js, the Rust Foundation, JQuery, the Eclipse Foundation, and the Python Software Foundation.
That said, one of the questions the team has struggled with is how to accurately quantify the criticality of many projects, believing that nearly all are important and many can be leveraged by malicious hackers to target businesses and users downstream. These five organizations were chosen because they already have relationships with security talent and the ability to hire and manage their work — something that allows the Alpha team to do more with fewer resources.
Christopher Robinson, director of security communications at Intel and member of the OpenSSF Technical Advisory Council, called this approach was a "smart move" because it routes badly needed resources to open source maintainers with a much larger reach.
"These organizations touch many small but critical projects and can help allocate resources reasonably and efficiently," said Robinson.
The Eclipse Foundation, which owns an extensive list of critical projects centered around the Java ecosystem, has been one of the biggest benefactors of the Alpha initiative. After receiving $500,000 in a grant from Alpha last year, the foundation funded security audits of three high-profile projects, including Eclipse Jetty, Eclipse Mosquitto, and Eclipse JKube, with each audit focused on sensitive parts of the codebase. Another $1 million grant from Alpha this year will help Eclipse fund an additional round of audits for three other critical projects that have yet to be decided, said Mikael Barbero, head of security at the Eclipse Foundation.
Alpha’s grants have “given us a great deal of flexibility and autonomy to address the projects and issues that we find important," said Mike Milinkovich, executive director at the Eclipse Foundation.
In addition, both the Eclipse Foundation and the Rust Foundation were able to use part of their grant funding to grow their own security team — Eclipse hired two managers and three engineers, and the Rust Foundation also hired an engineer to support the workflow.
Milinkovich and Joel Marcey, director of technology at the Rust Foundation, told SC Media that having dedicated full-time staff has significantly improved their work quality and efficiency.
Omega: developing the right tools for the job
The "Omega" component of the project is about building and providing new capabilities to help a broader range of open-source projects detect critical vulnerabilities with minimal false positives.
Over the past year, one of the major developments has been the release of the Omega Analysis Toolchain. Contributed by Microsoft, the toolchain runs 27 different security programs — like CodeQL, which can query multiple versions of codebase for vulnerabilities and Semgrep, an open-source static analysis tool that can detect vulnerabilities in third-party dependencies and enforce code standards that developers can run against open-source packages. Thus far, the tool has helped to flag 11 previously unknown security vulnerabilities in critical projects.
Scovetta said the Omega team plans to continue refining tools for the open source community and promote greater adoption this year. He stressed that they should complement — not replace — existing approaches to security, like running static and dependency analysis tools during a build or pull request validation.
"As the toolings become mature, we want to make them available to open-source maintainers to find these vulnerabilities themselves, ideally before they release new versions of their projects,” he said.
Big challenges ahead
While 2022 was in many respects a year of testing the capabilities of Alpha-Omega and developing a proof of concept, there remain a number of challenges that need to be addressed in order to scale the impact.
In particular, Scovetta acknowledged that one of the most trickiest aspects of the effort is figuring out how to define and measure what success actually looks like. He said the team hopes to develop metrics that can help demonstrate measurable impacts in the projects they have invested in.
The team plans to start collecting data on improvements to the open source software ecosystem based on the monthly reports that Alpha engagements provide. They are also working on developing key metrics to track, including where projects fall on Google’s SLSA maturity model for software security, data from Security Scorecard, and the number of vulnerabilities found and fixed over time.
As for the long term, Scovetta said he would declare Alpha-Omega a success if Alpha-granted organizations could eventually develop their own funding and security resources without having to rely on regular grants from the initiative.
"Instead of just making one-off improvements, we hope to experiment with different approaches and find successful security models that can be spread to the rest of open-source projects," he said.
To help achieve the goal, the team aims to raise an additional $10 million from a broad set of organizations this year. AWS will provide $2.5 million in funding to the initiative this year, according to David Nalley, head of open source strategy at AWS. This also marks the technology giant's first-ever donation to Alpha-Omega.
"When we looked at various venues where we could make investments to impact open-source security, we were pleased with the efficacy and speed that Alpha-Omega was moving. And that is certainly a large factor in our decision to help fund the project," Nalley said.
Until then, Scovetta and others will continue plugging along, trying to make a dent in the problem and finding new ways to maximize impact with the resources at their disposal.
While that likely won’t be enough on its own to change the paradigm around our collective open source software insecurity, Dan Lorenc, founder of Chainguard and member of the OpenSSF Technical Advisory Council, told SC Media the emergence of projects like Alpha Omega should not be overlooked.
For the first time, the information security community is coalescing around a viable — and real — model for securing the vast universe of open source code we all rely on. That energy and commitment can help water the seeds of projects like Alpha Omega into something far mightier in the future.
"Since Heartbleed in 2014, the community has tried many things over the past decade in the hope of improving open-source security. Although not perfect and [while it] still has a long way to go, Alpha-Omega is the best attempt so far," said Lorenc.