OpenSSF members, along with US Government leadership, tackle OSS consumption security challenges in critical infrastructure sectors and beyond
Washington, DC, September 13, 2023 – The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), brought together US Government (USG) officials from the National Security Council (NSC), Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA) among others with industry leaders at the Secure Open Source Software (SOSS) Summit 2023. Participants at the Summit discussed the security challenges for the consumption of OSS in critical infrastructure sectors and beyond and highlighted the shared responsibility needed to ensure the resilience of OSS in critical infrastructure.
During the summit, the OpenSSF released a SOSS Vision Brief detailing the community’s work over the past year to further secure OSS and plan for the future. Given this track record of success, the Sector Risk Management Agencies (SRMAs) expressed support for partnering with OpenSSF. Each SRMA was encouraged to form partnerships with the OpenSSF as well as critical infrastructure Sector Coordinating Councils (SCCs) and Information Sharing and Analysis Centers (ISACs). Section 9 entities in each critical infrastructure sector were also encouraged to participate in the OpenSSF community. Section 9 entities are critical infrastructure providers that, subject to a cybersecurity incident, could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
Participants at the Summit expressed the need for greater collaboration and coordination among incident response entities, access to more tabletop exercises, well-coordinated vulnerability disclosures, and cross-industry threat information exchanges. Industry and government leaders determined a collaborative agenda for OSS security objectives over the course of the next year with a focus on:
- Providing Security Education to OSS Maintainers, Contributors, and Consumers
- Securing OSS Repositories
- Enabling Cross-Industry OSS Incident Response (IR) Capabilities
Participants of the SOSS Summit also discussed the need for a comprehensive secure software workbench for OSS developers and kickstarted the exploration of the nexus between OSS, Security, and AI:
- Supply Chain Security of OSS Packages (e.g., PyTorch) used in AI
- Security of Open Sourced AI Packages (e.g., Falcon)
- AI in the Augmentation (e.g., DARPA AIxCC) of Security for OSS
- Applied Security of Open Source Inputs/Outputs in AI
The Secure Open Source Software Summit 2023 set the stage for impactful initiatives and cross-collaboration among the OSS community, government, and critical infrastructure sector. OpenSSF invites all stakeholders and interested parties to join the journey toward a more secure open source software ecosystem.
Quotes
Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, The White House
“Last year we set aggressive goals to create a more secure open-source environment. We are proud to see the achievements from that January 2002 White House Summit – educating over 20,000 developers on the fundamentals of developing secure software, improving tooling for digital signatures for software packages, and investing in open source software maintainers to find and fix vulnerabilities – but we have more work to do. We thank OpenSSF for spearheading the second Secure Open Source Software Summit as we look to set new goals, such as building tools to generate Software Bills of Materials (SBOMs) and using AI for more secure open source software.”
Kemba Walden, Acting National Cyber Director, The White House
“Open-source software is a critical tool used to shift power towards the stewards of democracy and demonstrate our values. And so, we must defend the security and resilience of this ecosystem. I am particularly proud that under ONCD’s vision and leadership, the Open-Source Software Security Initiative (OS3I) is the trusted hub for the open-source software community to engage directly with the U.S. government. This is only possible because of the community’s early and continuous partnership with us.”
Jen Easterly, Director, U.S. Cybersecurity and Infrastructure Security Agency (CISA)
“Open source software is part of the foundation of the software that underpins every critical infrastructure sector. At CISA, we are set on working hand-in-hand with the open source community to ensure that we can continue to reap the benefits of open source software in a secure manner. Our Open Source Software Security Roadmap released this week details exactly how we plan to accomplish that.“
Perri Adams, Program Manager, DARPA
“The open-source ecosystem forms the bedrock of modern technology. As part of its mission to create breakthrough technologies and capabilities for national security, DARPA will continue to invest in efforts like the AI Cyber Challenge and the Open Source Software Security Initiative that will help defend and secure open source software.”
Jim Zemlin, Executive Director, The Linux Foundation
“Open source software doesn’t just fuel innovation across industries, from satellites to cars to banks and whole institutions. It also underpins national security and critical infrastructure like water, energy, and manufacturing. As a result of this summit today, it is clear that government and industry leaders are committed to a shared vision where, together, we’ll forge ahead in sustainably securing the open source software ecosystem.”
Omkhar Arasaratnam, General Manager, OpenSSF
“Open source software powers our critical infrastructure. Ensuring the security of open source software is not just the responsibility of individual organizations but a shared duty of the open source community, enterprises, consumers, and government. By bringing together a diverse group of stakeholders, we aim to foster a culture of collaboration and innovation in addressing the most critical security challenges facing open source software for the public good.”
Jamie Thomas, General Manager, Technology Lifecycle Services, IBM Enterprise Security Executive, IBM – OpenSSF Governing Board Chair
“An early champion of open source, IBM has helped establish vibrant communities including Linux, Apache, and Eclipse. Today, open source is used ubiquitously in the private and public sectors; it is a vital digital public good. We are committed to working to sustain and secure OSS to accelerate innovation, including in emerging technologies areas such as AI and quantum. IBM urges others to join the OpenSSF and advance security execution. All who regularly consume OSS should directly contribute to it, support it, or acquire open source software through those that do.”
Pat Opet, CISO, JPMorgan Chase
“Since OpenSSF hosted the Open Source Software Security Summit II in May 2022, we have seen tangible outputs such as Sigstore, which enables secure validation of software, and Alpha-Omega, which finds and fixes vulnerabilities in the most commonly used open source software. There is more to be done in improving integrated tooling to address software supply chain attacks and we look forward to continuing our support of these important initiatives as a founding member of OpenSSF. Securing the open source ecosystem is critical for securing a large enterprise like JPMorgan Chase on behalf of our clients, customers, and the global financial system.”
Phil Venables, CISO, Google Cloud
“Open source software is key to innovation and the connective tissue to the online world. As a result, securing open source across the broader technology ecosystem has never been more important – which is why Google has prioritized supporting these efforts since the beginning. We are proud to partner with OpenSSF, who is bringing organizations together to collectively address this issue.”
Participating Organizations in the SOSS Summit
US Government: Advanced Research Projects Agency for Health (ARPA-H), Cybersecurity and Infrastructure Security Agency (CISA), Defense Advanced Research Projects Agency (DARPA), Department of Energy, Department of the Treasury, National Science Foundation (NSF), National Security Council (NSC), Office of Management and Budget (OMB), Office of the National Cyber Director (ONCD)
Industry: Amazon, Apple, Bank of America, Boeing, Capital One, Cisco, Citi, Dell, Ericsson, GitHub, Google, IBM, Intel, JFrog, JPMorgan Chase, Lockheed Martin, Microsoft, Morgan Stanley, Oracle, Red Hat, RTX, Sonatype, VMware
Non-Profit: Alperovitch Institute for Cybersecurity Studies, Linux Foundation (LF), FS-ISAC, ISC2, Open Source Security Foundation (OpenSSF), Fintech Open Source Foundation (FinOS)
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.
About the Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
Media Contact
Jennifer Bly, OpenSSF