Vendor agnostic platform promised by newly-formed Open Source Security Foundation

IBM, Microsoft, and Google have set aside their differences and joined a newly created foundation geared towards improving the security of open source software.

The newly unveiled Open Source Security Foundation (OpenSSF) also boasts the support of GitHub, Linux distro Red Hat, and the OWASP Foundation. Other founding members include HackerOne, Intel, NCC, VMware, Uber, and JPMorgan.

Don’t fork! Fold

OpenSSF aims to combine efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition, and other open source security projects from members in order to “consolidate industry efforts to improve the security of open source software”.

The Linux Foundation’s Core Infrastructure Initiative (CII), created in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are examples of some of the projects that will be brought together under the OpenSSF umbrella.

OpenSSF has pledged transparency and promised that any specifications and projects developed by the foundation will be “vendor agnostic”, according to a statement by The Linux Foundation.

The newly created foundation plans to host open source technical initiatives for projects through GitHub.

“Securing open source software is an essential part of securing the supply chain for every company, including our own,” said Mark Russinovich, chief technology officer at Microsoft Azure, in a canned statement. “As with everything open source, building better security is a community-driven process.”

In a blog post, Russinovich expands on how Microsoft hopes to work through the OpenSSF to pool security best practices as well as helping open source developers to get their hands on better tools.

A similarly enthusiastic blog post by Google’s Kim Lewandowski and Dan Lorenc can be found here.

Duck duck logo

OpenSSF launched with a dedicated website, an FAQ explaining how the organization will work, and its very own logo/mascot: a duck with a shield.

While years ago the initial focus of open source in the enterprise was on building out web server infrastructure and consolidating workloads, the focus of OpenSSF looks more towards the cloud, a key platform for both consumer and enterprise open technologies in general.

Chris Aniszczyk of the Linux Foundation hinted that bringing the foundation together was a tricky process that took some time.

“[I’m] happy to have helped this happen behind the scenes... [it was a] longer journey than I would have liked but thrilled to see folks collaborate together versus silo off,” he said in a post on Twitter.

Reaction to the formation of the foundation from the community has largely been positive.

Darren Shepherd, CTO and co-founder at Rancher Labs, commented: “It’s almost impossible to predict the usefulness of a foundation, but I like the intention that security of open source should not be a proprietary feature.”
