The new Open Source Security Foundation was introduced this week by the Linux Foundation. It combines two previous projects and is designed to focus on the security of open source software.
- “security researchers need a mechanism to allow them to collaboratively address methods needed to secure the open source security supply chain”
- As cloud services make it easier to use parts of different open-source software projects to build their own software, companies have increasingly started to worry about the security of their “supply chains.”
- And lots of newer open-source projects depend on older projects, which can create cascading failures.
- The new group hopes to prevent a repeat of the OpenSSL/Heartbleed disaster in 2014, during which a huge flaw in a widely used piece of open-source software left a large number of the world’s web servers — 20% of them, by some estimates — vulnerable to attacks.
Microsoft/GitHub, Google, and IBM/Red Hat are inaugural members, along with open-source end user JPMorgan Chase. AWS, however, is not.
The foundation will be focused on prioritization – figuring out which projects are most critical and thus worthy of scrutiny.
Why do we care?
Open source software has taken over so much of enterprise and data center software that this initiative is incredibly welcome. This is a way to collaborate and focus effort on making sure the right things are getting attention.
There are a lot of competitors here working together – it’s an example to others. Why do we care then? Because the criminals on the other side benefit more when organizations do not collaborate, and remember, they already don’t play by the rules. I’m far more afraid of them than working with a competitor. Remember that.
Source: Silicon Angle