Skip to main content

Tech giants commit $10M annually to Open Source Security Foundation

Open source code vector

Join us in Atlanta on April 10th and explore the landscape of security workforce. We will explore the vision, benefits, and use cases of AI for security teams. Request an invite here.


Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

The Linux Foundation has received a $10 million annual commitment from across the technology, finance, telecom, and cybersecurity industries to secure the software supply chain. The recurring investment will be targeted at the Open Source Security Foundation (OpenSSF), a cross-industry collaboration initiative launched by the Linux Foundation last August, and will be funded by most of its member organizations including Amazon, Facebook, Google, Microsoft, Ericsson, JPMorgan Chase, Red Hat, Dell, and Oracle.

The announcement comes a time when supply chain attacks have gone through the roof, leading President Joe Biden to issue an executive order back in May outlining various measures to improve the nation’s cybersecurity defenses, including securing open source software that is used within federal information systems.

Open source pioneer Brian Behlendorf, who was the principal creator of the now-omnipresent Apache web server, will also now head up the OpenSSF as the full-time general manager, tasked in the first instance with building an “effective and collaborative community.”

VB Event

The AI Impact Tour – Atlanta

Continuing our tour, we’re headed to Atlanta for the AI Impact Tour stop on April 10th. This exclusive, invite-only event, in partnership with Microsoft, will feature discussions on how generative AI is transforming the security workforce. Space is limited, so request an invite today.
Request an invite

“My job will always be to channel the energy, enthusiasm, and resources of the individuals and organizations converging on OpenSSF into one community, into our existing working groups and projects, and into creating new projects as the opportunities and needs arise,” Behlendorf told VentureBeat.

Attacks go upstream

While it’s well documented that open source codebases contain myriad vulnerabilities, as enterprise developers have improved at keeping their software up to date with the latest components, this has apparently led attackers to go further “upstream” closer to the origins of the source code. This way, the “bad code” can propagate to the broader supply chain further downstream. A recent report from Sonatype, a software composition analysis (SCA) platform that companies use to scan their codebases for security and compliance shortfalls, found that these so-called “next generation” software supply chain attacks have increased 650% in 2021.

“Adversary attacks on popular open source code are on the rise,” Behlendorf said. “If a popular open source component has a new vulnerability discovered in it, thousands of organizations could become vulnerable through that attack vector all at once.”

There has been a marked increase in open source security activities in recent times, particularly from within “big tech,” which relies heavily on open source libraries and components. Earlier this year, Google revealed it would fund Linux kernel developers, for example, before going on to unveil a $10 billion cybersecurity commitment to support President Biden’s executive order. In the months that followed, the internet giant revealed it was sponsoring the Open Source Technology Improvement Fund (OSTIF), which is concerned with conducting security reviews in select critical open source software projects. And a couple of weeks back, Google committed $1 million to a new Linux Foundation open source security rewards program.

The OpenSSF had minimal funding for its first year in operation, something that was “not even close” to what it needed to have any meaningful impact, according to Behlendorf.

“This new effort remedies that,” Behlendorf said. “In its first year, it [OpenSSF] was able to establish six critical working groups focused on providing education around secure coding practices, as well as improving automation, prioritization, and remediation of open source software vulnerabilities — the new funding will further enhance each of these efforts and support the formation of additional working groups.”

What’s perhaps most notable about the OpenSSF, beyond the $10 million cash injection it now has at its disposal, is the cross-industry input it has from some of the world’s biggest companies. And this is very much indicative of how pervasive open source software is — the vast majority of software contain at least some open source components, with the inherent vulnerabilities showing no discrimination for the industry it’s used in. Put simply, open source software affects everyone.

“Developers are no longer coding 100% of their applications from scratch, and now heavily rely on these open source software components to bring new capabilities to market sooner,” Behlendorf said. “Industry has recognized that not all open source components are created equal and that they must incorporate only the safest, highest quality open source in their applications.”

VB Daily - get the latest in your inbox

Thanks for subscribing. Check out more VB newsletters here.

An error occured.