Microsoft, Red Hat, Google, IBM, GitHub, NCC Group, and OWASP Foundation join hands with Linux Foundation to create Open Source Security Foundation (OSSF)
Microsoft has made a gigantic U-turn from the heady days of opposing open-source software and calling Linux a cancer to now embracing it wholeheartedly. After open-sourcing many of its formerly closed tools, Microsoft has now joined hands with the biggest names in the tech industry and the Linux Foundation to create the Open Source Security Foundation, or OSSF.
OSSF will be an open-source-security-focused Linux Foundation initiative with active cooperation from Microsoft, Google, Red Hat, IBM, Microsoft-owned GitHub, NCC Group, and the OWASP Foundation. OSSF will collaborate on ways and means to improve the security of open-source apps, services, and projects.
OSSF will work as a one-stop source for reporting open-source threats, vulnerabilities, and the like, according to its charter, which says: “Open source software has become pervasive in data centers, consumer devices, and services, representing its value among technologists and businesses alike. Because of its development process, the OSS that ultimately reaches end-users has a chain of contributors and dependencies. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency chain.”
The initial technical initiatives will focus on:
- Vulnerability Disclosures
- Security Tooling
- Security Best Practices
- Identifying Security Threats to Open Source Projects
- Securing Critical Projects
- Developer Identity Verification
Microsoft said in a statement: “Open-source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance. Because source code can be copied and cloned, versioning and dependencies are particularly complex. Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process.”