The Open Source Security Foundation is launching a new effort to help the maintainers of thousands of critical open source software projects find and fix security vulnerabilities in their code.
The Alpha-Omega Project, backed by a $5 million investment from Microsoft and Google, comprises two separate initiatives. The Alpha portion is focused on evaluating the security of a small number of highly critical open source projects and services, those that are deeply integrated into the fabric of the Internet. Those projects will get specifically tailored assistance from members of the Alpha team to help the maintainers identify security issues and develop solutions for them. The Omega project will look at the much broader field of the thousands of open source projects that are widely deployed but not necessarily critical to the Internet’s operation. Omega will use a combination of large-scale analysis tools and human triage to find, evaluate, and report bugs in those projects.
“The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part—it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities,” said Eric Brewer, vice president of infrastructure and Fellow at Google. “Enabling automation will be one of the greatest improvements for open source security.”
The new effort arrives at a time when the security of open source software has evolved from a concern for maintainers and users to a talking point in Washington. The vulnerabilities identified in the Apache Log4j logging tool that emerged in December and January and affected an untold number of applications and other projects attracted the attention of the Biden administration and generated a multipronged response from the Cybersecurity and Infrastructure Security Agency and other federal agencies. Attackers have been scanning for and targeting vulnerable apps for several weeks and CISA has issued directives requiring civilian federal agencies to find and fix any vulnerable systems.
There have been other large-scale vulnerabilities in open source projects over the last few years, as well, most notably the Heartbleed bug in OpenSSL and the Shellshock bugs that affected several open source projects. Those flaws had significant downstream effects, as did the Log4j bugs, something that has shone the spotlight on the criticality of the open source ecosystem and the vital role it plays in the health and resiliency of the Internet as a whole. The Open Source Security Foundation (OSSF) began in 2020 as a way to help focus the resources and talent of companies such as Amazon, Cisco, Google, Microsoft, and GitHub on solving difficult security issues in a wide range of open source projects.
“Open source software is a key part of our technology strategy, and it’s essential that we understand the security risk that accompanies all of our software dependencies,” said Mark Russinovich, Chief Technology Officer, Microsoft Azure. “Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities.”
There will be some public output from the Alpha-Omega Project, including a view of the security posture of each open source project that’s involved.