Several major technology organizations have pledged more than $30 million to bolster the security of open-source software.
The pledge was made during a meeting in Washington, D.C. last week headed up by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), as they delivered a first-of-its-kind plan to broadly address open source and software supply chain security.
Several tech-sector stalwarts – including Amazon, Ericsson, Google, Intel, Microsoft, and VMware – pledged a collective $30 million to fund the 10-point plan that aims to boost the security of open-source software. The initial plan includes concrete action steps both for near-term security improvements and for building strong foundations for a more secure future.
As the plan evolves further, more funding will be identified, and work will begin as additional work streams are agreed upon.
Last week’s meeting – a follow-up to a summit event held in January 2022 and led by the White House’s National Security Council – brought together over 90 executives from 37 companies and government leaders from several Federal agencies, including the Office of Management and Budget, to reach consensus on key actions to take to improve the resiliency and security of open-source software.
“On the one-year anniversary of President Biden’s executive order, today we are here to respond with [an actionable plan] because open source is a critical component of our national security and it is fundamental to billions of dollars being invested in software innovation today,” Jim Zemlin, the executive director for the Linux Foundation, said in a statement.
The Software Supply Chain Security Mobilization Plan outlines approximately $150 million of funding over two years to rapidly advance well-vetted solutions to the ten major problems the plan identifies. Those include the creation of a software bill of materials (SBOM), giving companies visibility into the software they are using in their tech stacks.
The plan also calls for security education for everyone working in the open-source community, the elimination of non-memory-safe programming languages like C++ and COBOL, and for annual third-party code reviews of 200 of the most critical open-source software components.
“We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in the software itself. This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership,” Zemlin said.
“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” said Brian Behlendorf, executive director of OpenSSF. “The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”