TOKYO, August 23, 2022 – The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) backed by the Ministry of Economy, Trade and Industry, today convene cybersecurity experts from Japanese companies, government agencies, and research institutes at the Open Source Security Summit Japan to share open source software (OSS) security issues and how to accelerate improvements. The meeting will bring together cyber security officers and experts from 27 organizations, including leading OSS companies.
The modern software supply chain relies pervasively on open source software for both underlying components and operation. Organizations (including companies and governments) often use OSS to improve development speed and quality and aim for technological innovation. By adopting OSS, the benefits of OSS can be shared across industries, but if vulnerabilities in OSS components are found, the impact will be widespread across organizations and communities around the world. Ensuring OSS security is of the utmost importance, and for that purpose, cooperative efforts across countries and industries are required.
Open Source Security Summit Japan follows the January 13 meeting on improving OSS security hosted by the U.S. White House and the May 12 follow-up meeting “Open Source Security Summit II” hosted by the Linux Foundation / OpenSSF led by the White House’s National Security Council. Through this meeting, we will share “The Open Source Software Security Mobilization Plan ” which reached consensus at the Open Source Security Summit II and also will provide the opportunity to participate in global collaborations to OSS security improvement.
Mr. Masahiro Uemura, Ministry of Economy, Trade and Industry, the keynote speaker of Open Source Security Summit Japan commented,
“While reliance on software technology, including OSS, is increasing, software management methods, vulnerability handling and license support are becoming increasingly important, such as the announcement of the Log4j vulnerability. As I will introduce today, the Ministry of Economy, Trade and Industry is also making various efforts to ensure the security of software including OSS, by developing a collection of practices for OSS management methods and conducting a demonstration of the use of SBOM. Through this meeting, we hope to deepen our knowledge of software security including OSS, and to promote more active efforts in Japan to resolve issues such as management methods and vulnerability countermeasures.”
* For the original Japanese comment please see here.
The event host, Linux Foundation Executive Director Jim Zemlin commented,
“Open Source Software is now at the heart of critical infrastructure around the world. The stakes are much higher now, and the potential damage from a major vulnerability much greater than they ever have been. Governments of the world are now calling on the Open Source Software community to uplevel and ensure that our development processes and the software supply chain is centered around better security and mitigating risk. The Linux Foundation’s various projects, from the Linux Kernel to Kubernetes to Let’s Encrypt, have long led the industry in definition and adoption of better security practices. We are eager to work with businesses and government agencies in Japan to enhance their security posture and collaborate to improve the global software landscape.”
General Manager of the Open Source Security Foundation, Brian Behlendorf commented,
“The OpenSSF stands ready to engage with the business and policy community in Japan to develop a security-centered approach to the use and development of the Open Source Software that underpins modern global society. We expect today’s conversation to accelerate the pace of collaboration and implementation of important security standards, practices, and software both here in Japan and with global partners. This will ensure the global software supply chain is robust and resilient to cyberattacks and vulnerabilities.”
Vice President of Japan Operations of the Linux Foundation, Noriaki Fukuyasu commented,
“It is now said that it is impossible to develop software products and services without using OSS. It is also said that the average percentage of OSS in their products and services is about 80% and it is no exaggeration to say that OSS is the infrastructure of society. We believe that infrastructure security measures are one of the most important issues in cyber security measures. I hope that this mobilization plan and the Open Source Security Summit Japan will help raise awareness of the importance of “OSS security” in Japan and provide one opportunity for the industry to unite in addressing this important issue.”
Background of the Open Source Security Summit Japan
The large-scale cyber attacks that occurred in the United States in 2020 and 2021 (SolarWinds Inc. incident in 2020 and Colonial Pipeline Inc. incident in 2021) have made the threat of cyber attacks on U.S. government agencies and social infrastructure a pressing issue, and President Joe Biden signed a presidential decree to strengthen cyber security on May 12, 2021 to strengthen cybersecurity, and indicated a direction to deepen public-private partnerships in the field of cybersecurity between the government and information and communication service companies that contract with the government, aiming to develop this field.
It is said that 70% to 90% of the software included in corporate products and services these days is OSS. At the end of 2021, a serious vulnerability was discovered in an extremely widely used OSS called “Log4j.” The U.S. government, feeling a growing sense of urgency, convened the first “Open Source Security Summit” on January 13, 2022, led by Deputy National Security Advisor Anne Neuberger, bringing together U.S. government officials and the heads of major domestic technology companies at the White House to discuss how to improve the security of OSS. The event discussed efforts to improve the security of OSS and how new collaborations can help speed improvements.
On May 12, 2022, the “Open Source Security Summit II” was held (hosted by the Linux Foundation). The participants agreed on “The Open Source Software Security Mobilization Plan,” a concrete plan to improve OSS security and announced a plan to raise $150M in funding from companies and other organizations over the next two years to implement the plan as specific activities.
The Open Source Security Summit Japan is hosted by the Linux Foundation under the auspices of the Ministry of Economy, Trade and Industry, in response to the above efforts in the United States.
The Open Source Software Security Mobilization Plan
The Linux Foundation and the Open Source Security Foundation, with input from a variety of economic sectors, have released their first mobilization plan that broadly addresses OSS and software supply chain security. The plan identifies 10 key issues for the following three goals to implement the vetted solutions:
- Creating Secure OSS
- Enhanced vulnerability detection and remediation
- Reduce ecosystem patch response time
Amazon, Ericsson, Google, Intel, Microsoft, and VMWare have committed more than $30 million in funding to implement the solution. The plan builds on the OSS security efforts already underway by OpenSSF participants (over $110 million and approximately 100 full-time employees dedicated to securing OSS).
The full text (white paper) can be found here:
- Japanese: OSSセキュリティのための動員プラン
- Original (English): The Open Source Software Security Mobilization Plan
Efforts to Ensure Software Security, Including OSS, at the Ministry of Economy, Trade and Industry
The Cyber Security Division of the Commerce and Information Policy Bureau of the Ministry of Economy, Trade and Industry has established a task force to study software management methods to ensure cyber-physical security. The task force is working to develop a collection of management practices for utilizing OSS and ensuring its security and to conduct a demonstration project (PoC) to promote SBOM utilization.
- サイバー・フィジカル・セキュリティ確保に向けたソフトウェア管理手法等検討タスクフォースの検討の方向性 (令和4年7月26日)
- OSS の利活用及びそのセキュリティ確保に向けた管理手法に関する事例集 (令和4年5月10日拡充版)
- English version:Collection of Use Case Examples Regarding Management Methods for Utilizing OSS and Ensuring Its Security
The Linux Foundation, OpenSSF’s OSS Security Initiatives
Hosted by the Linux Foundation, OpenSSF was launched in August 2020 as a center for cross-industry collaboration to improve OSS security. OpenSSF connects the industry’s most important OSS security initiatives with the individuals and companies that support them. The Core Infrastructure Initiative (CII), founded to address the Heartbleed bug (2014), and the Open Source Security Coalition, founded by the GitHub Security Lab, also became part of the OpenSSF. The organization’s governance, technical community, and decision-making are transparent, and the specifications and projects developed are vendor-independent.
To help open source projects better address some of the responsibilities tied to security, many communities hosted by the Linux Foundation have invested countless hours, resources, and code into some important efforts and have worked to improve the security of the Linux kernel, hosted Let’s Encrypt and sigstore, helped steward the ISO standardization for SPDX, and brought together a community building metrics for OSS health and risk through the CHAOSS project — among many others.
###
About OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.
About the Linux Foundation
Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.