Hosted by The Linux Foundation, the Open Source Security Foundation (OpenSSF) aims to create a cross-industry forum for a collaborative effort to improve open source software security. Its initial members include Google, Microsoft, GitHub, IBM, Red Hat, and others.
“As open source has become more pervasive, its security has become a key consideration for building and maintaining critical infrastructure that supports mission-critical systems throughout our society. It is more important than ever that we bring the industry together in a collaborative and focused effort to advance the state of open source security. The world’s technology infrastructure depends on it.”
Microsoft Azure CTO Mark Russinovich explained why open source security must be a community effort:
“Open-source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance. […] Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process.”
Also joining the group are Intel, Uber, and VMware, according to the Foundation’s inaugural announcement, which promises that its governance and decisions “will be transparent, and any specifications and projects developed will be vendor agnostic.”