Skip to main content

OpenSSF Announces The Alpha-Omega Project to Improve Software Supply Chain Security for 10,000 OSS Projects

By February 1, 2022Press Release

Following a meeting with government and industry leaders at the White House, OpenSSF is excited to announce the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. Microsoft and Google are supporting the Alpha-Omega Project with an initial investment of $5 million. This builds on previous industry-wide investments into OpenSSF aiming to improve open source software security.

Widely deployed OSS projects that are critical to global infrastructure and innovation have become top targets for adversarial attacks. Following new vulnerability disclosures, adversary attacks can be seen within hours. For example, recently discovered vulnerabilities in the widely deployed Log4j library forced many organizations into crisis as they raced to update applications using the popular library before adversaries could attack. 

The Alpha-Omega Project will improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

“Open source software is a vital component of critical infrastructure for modern society. Therefore we must take every measure necessary to keep it and our software supply chains secure,” said Brian Behlendorf, General Manager, OpenSSF. “Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities.  This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.”

Alpha: Focusing on the Most Critical OSS Projects

Alpha will be collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. These projects will include standalone projects and core ecosystem services. They will be selected based on the work by the OpenSSF Securing Critical Projects working group using a combination of expert opinions and data, including the OpenSSF Criticality Score and Harvard’s “Census” analysis identifying critical open source software.

For these selected projects, Alpha team members will provide tailored help to understand and address security gaps. Help can include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. It can also include implementing best practices drawn from criteria outlined by the OpenSSF Scorecard and Best Practices Badge projects.

Alpha will track a series of important metrics providing stakeholders with a better understanding of the security of the open source project they depend on. The public will receive a transparent, standardized view of the project’s security posture and compliance with security best practices. 

Omega: Focused on the Long Tail of OSS Projects

Omega will use automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects. This will be accomplished using a combination of technology (cloud-scale analysis), people (security analysts triaging findings) and process (confidentially reporting critical vulnerabilities to the right OSS project stakeholders). Omega will have a dedicated team of software engineers continually tuning the analysis pipeline to reduce false positive rates and identify new vulnerabilities.

Omega community members will provide suggestions on how to automate detection of security vulnerabilities in the future and more generally on efficient ways to implement security best practices.

Corporate Partnerships Are Key

The value of securing the OSS ecosystem has become increasingly clear to companies and organizations of all sizes. Microsoft and Google’s support of the Alpha-Omega Project with an initial investment of $5 million and committed personnel is jump-starting the initiative. Other organizations are strongly encouraged to participate as well, whether by committing volunteers or by direct funding to expand the number of OSS projects that Alpha-Omega can reach.

“The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part—it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities,” stated Eric Brewer, VP of Infrastructure and Fellow at Google. “Enabling automation will be one of the greatest improvements for open source security.”

“At Microsoft, we proudly support OpenSSF and the Alpha-Omega Project. Open source software is a key part of our technology strategy, and it’s essential that we understand the security risk that accompanies all of our software dependencies,” offered Mark Russinovich, Chief Technology Officer, Microsoft Azure. “Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities. We look forward to collaborating with industry partners and the open source community on this important initiative.” 

Learn More and Get Involved

For more information about Alpha-Omega, see https://openssf.org/community/alpha-omega/. Individuals interested in updates about Alpha-Omega can sign up through an announcements mailing list. Organizations considering sponsorship or engagement in Alpha-Omega should email memberships@openssf.org

The OpenSSF also encourages all individuals and organizations interested in Alpha-Omega to participate in its Securing Critical Projects working group

Additional Resources

  • Join the OpenSSF to take an active role in improving OSS security
  • Participate in one of six OpenSSF working groups to help improve open source security
  • Get involved in our OpenSSF events, planning committees, and Slack workspaces
  • Download our new State of Software Bill of Materials and Cybersecurity Readiness report
  • Get certified as a secure software development professional

About the Open Source Security Foundation (OpenSSF)

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at https://www.linuxfoundation.org/

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page. Linux is a registered trademark of Linus Torvalds.

This post represents the views of the authors & does not necessarily reflect those of all OpenSSF members.