The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) have come up with a 10-point plan to address and improve the security of open source software and the software supply chain.
The plan has three goals, the Linux Foundation said Thursday: securing open source software production, improving vulnerability discovery and remediation, and shortening ecosystem patching response time.
Several companies have initially pledged more than $30 million to support the plan’s implementation, including Amazon, Microsoft, Google, VMware, Intel and Ericsson.
“We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself. This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership,” said Jim Zemlin, executive director of the Linux Foundation.
The 10-point plan outlines several actions to improve open source software security, such as delivering baseline secure software development education and certification to all, accelerating the adoption of digital signatures on software releases, establishing the OpenSSF Open Source Security Incident Response Team, and improving software bill of materials (SBOM) tooling and training to advance adoption.
“The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action,” said Brian Behlendorf, executive director of OpenSSF.