Open source software is essential to application development, particularly for the web. At the same time, it also represents a key source of application vulnerabilities.
To help make open source software more secure, the Linux Foundation has announced a cross-industry collaboration with open source leaders including GitHub, Google, IBM, JP Morgan Chase, Microsoft, Red Hat, the OWASP Foundation, and others. This collaboration is called the Open Source Security Foundation, or OpenSSF.
In an August blog post, Microsoft Azure CTO Mark Russinovich explained the OpenSFF’s impetus and mission as follows:
- Open source is everywhere and essential for just about every company’s strategy
- Securing open source is essential to security the supply chain for all parties, including Microsoft itself
- Because open source software is so widely used, attackers can exploit many vulnerabilities. These cover most critical services and their supporting infrastructures, across industries such as utilities, healthcare, transportation, government, and IT (especially traditional software, cloud services and IoT)
- The community-driven nature of open source software means no central authority is responsible for its quality control and maintenance
- Because open source code may be copied and cloned, versioning and dependencies are particularly complex and can be hard to follow
- Open source is vulnerable to developer attack, wherein attackers can become maintainers of open source projects and introduce malware
- Given all these factors, especially how complex and intertwined open software can be, it’s fair to say that building and securing open source software must be a community-oriented and -supported effort.
The OpenSSF home page states that its first group of technical initiatives will include the following areas of focus:
- Vulnerability Disclosures
- Security Tooling
- Security Best Practices
- Identifying Security Threats to Open Source Projects
- Securing Critical Projects
- Developer Identity Verification
The site also offers related security resources from the OSSC ( an analysis of the Open Source ecosystem in pdf format), the Linux Foundation’s CII (a discussion of vulnerabilities in the Internet core), and Red Hat’s Product Security Risk Report, to help readers get started on understanding open source threats and mitigation approaches and strategies. The OpenSSF GitHub repository is also likely to be of great interest.
What is the Kiuwan response to the formation of the OpenSSF?
Kiuwan welcomes the formation of the OpenSFF and Microsoft’s participation and leadership role in that initiative.
Because open source is such an important part of application development, the Kiuwan team is excited to see community initiatives that are focused on improving the security of open source projects. Information and collaboration are key tools in combating the proliferation of security threats.
Kiuwan solutions currently supports OWASP, the Open Web Application Security Project, as well as FS-ISAC, the Financial Services Information Sharing and Analysis Center, and is open to additional opportunities for promoting application security.
How does Kiuwan acquire open source software vulnerability and security data?
Kiuwan draws its OSS data primarily from the NIST NVD (National Institute of Standards and Technology’s National Vulnerability Database), with a handful of additional feeds.
How does Kiuwan obtain implementation recommendations and best practices data?
Kiuwan utilizes a variety of sources for implementation and best practices, mainly because the threat landscape frequently changes, exposing new threats, tactics and technologies. At the core of our recommendations is our scholarly background in software development. That is augmented with well-known knowledge and subject matter resources such as OWASP, NIST and more.
How do Kiuwan’s tools leverage open source software and security intelligence?
Kiuwan provides specific recommendations for mitigation efforts. Those recommendations are based on several factors, including the signals from OSS and security intelligence, influence priorities, and what is actively being exploited in production environments. For more information about Kiuwan’s products and services, please visit Kiuwan.com. To learn more about the company’s open source risk management toolset, visit the Insights (SCA) home page.
Are you interested in an automated solution for mitigating the risks from open source code? Get in touch with our Kiuwan team! We love to talk about security.