Alpha-Omega initiative to improve the security of 10 open source projects

The OpenSSF Foundation (Open Source Security Foundation) has presented the Alpha-Omega project, aimed at improving the security of open source software. Google and Microsoft will provide the initial $5 million investment for developing the project and the staff needed to launch the initiative. Other organizations are also invited to participate, both by contributing engineering staff and through funding, which will help expand the number of open source projects covered by the initiative. In addition, $10 million was allocated to the OpenSSF Foundation at the end of last year; whether these funds will be used for the Alpha-Omega initiative is not specified.

The Alpha-Omega project consists of two components:

  • The Alpha part involves a manual security audit of 200 widely used open source projects, selected as the most popular in terms of their use as dependencies or in infrastructure components. The work will be carried out in collaboration with maintainers and will include systematic code review to identify new vulnerabilities and patch them promptly.
  • The Omega part focuses on automated testing of the 10 most popular open source projects. A separate team of engineers will be created to conduct the testing, improve the methods used, analyze the results, communicate findings to project developers and coordinate joint work to eliminate critical problems. The main task of this team will be to reject false positives and identify real vulnerabilities in automated reports.

The manual audit at the Alpha stage is needed to uncover hidden problems that are difficult to detect with automated testing. The recent critical vulnerabilities in Log4j, which put the infrastructure of a large number of large companies at risk, are cited as an example of such problems. Projects for audit will be selected taking into account recommendations from the expert community and data from the previously generated Criticality Score and Census ratings.

Recall that the OpenSSF Foundation was created under the auspices of the Linux Foundation and focuses on areas such as coordinated disclosure of vulnerability information, distribution of patches, development of security tools, publication of best practices for organizing secure development, identification of security-related threats in open source software, auditing and hardening critical open source projects, and creating tools for verifying the identity of developers. OpenSSF continues the work of initiatives such as the Core Infrastructure Initiative and the Open Source Security Coalition, and also integrates other security-related work undertaken by companies that have joined the project. OpenSSF founding companies include Google, Microsoft, Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, IBM, Intel, JPMorgan Chase, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware.

Source: opennet.ru