Alpha-Omega Project aims to improve software supply chain security for 10,000 OSS projects
The Open Source Security Foundation (OpenSSF) has launched a project to improve the security of the open source software ecosystem, backed by a $5 million investment from Microsoft and Google.
The Linux Foundation’s announcement of the Alpha-Omega Project follows a meeting with government and industry leaders at the White House in response to the Log4j security incident.
The aim is to improve global open source software supply chain security by working with project maintainers to uncover new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed.
“It’s essential that we understand the security risk that accompanies all of our software dependencies,” says Mark Russinovich, chief technology officer at Microsoft Azure.
“Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers, and by using state-of-the-art security tools to detect and fix critical vulnerabilities.”
Alpha to Omega
The ‘Alpha’ part of the project involves selecting the most critical open source projects, as identified by a mix of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s Census analysis.
The team will then offer threat modeling, automated security testing, and source code audits, and will help fix any vulnerabilities that are discovered.
Omega, meanwhile, will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely deployed open source projects.
This means using cloud-scale analysis, manual triaging by security analysts, and confidential reporting to project stakeholders.
A dedicated team of software engineers will work to continually tune the analysis pipeline to cut false positive rates and identify new vulnerabilities.
“The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part – it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities,” says Eric Brewer, vice president of infrastructure and fellow at Google.
“Enabling automation will be one of the greatest improvements for open source security.”
The Log4j vulnerability – and many others – have highlighted the fact that open source software is generally highly under-resourced.
And the success of the Alpha-Omega project, says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, will hinge on increasing the number of active contributors working on projects.
“Looking at the GitHub issues list of any popular open source [project], you can see proposals and bug reports that go unaddressed, actions that are symptomatic of a development team that has limited bandwidth to invest in evolving their code,” he says.
“Attracting new contributors to open source projects starts with users of those projects recognizing the value they obtain from open source and investing some of their developer time to ensure sustainability for all of the open source powering their business.”