OpenSSF has announced the launch of its Alpha-Omega Project, which aims to improve the security posture of open source software (OSS) through direct engagement by software security experts and automated security testing. Microsoft and Google have backed the new project with an initial investment of $5 million.
OpenSSF General Manager Brian Behlendorf stated:
We must recognize open source software as a vital component of critical infrastructure for modern society and therefore take every measure necessary to keep it and our software supply chains secure. Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities. This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.
The Alpha-Omega Project seeks to upgrade global OSS supply chain security by "systematically looking for new, as-yet-undiscovered vulnerabilities in open source code, and then working with project maintainers to get them fixed."
Mark Russinovich, Chief Technology Officer at Microsoft Azure, stated:
At Microsoft, we proudly support OpenSSF and the Alpha-Omega Project. Open source software is a key part of our technology strategy, and it's essential that we understand the security risk that accompanies all of our software dependencies. Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities. We look forward to collaborating with industry partners and the open source community on this important initiative.
Alpha will help maintainers of the most critical open source projects, including both standalone projects and core ecosystem services, to identify and fix security vulnerabilities and to improve their overall security posture. These projects will be selected based on the work of the OpenSSF Securing Critical Projects working group, which combines expert opinion with data.
Omega will "identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities." Omega's team of software engineers will tune the analysis pipeline to reduce false-positive rates and detect new vulnerabilities.
Eric Brewer, VP of Infrastructure and Fellow at Google, had the following to say about Omega:
The long tail of important open source software, the ‘Omega’ of this endeavor, is always the hardest part—it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities. Enabling automation will be one of the greatest improvements for open source security.
For more information about the Alpha-Omega Project, sign up through OpenSSF's mailing list here.