The Open Source Security Foundation, an industry group backed by some of the world’s largest tech firms, today launched a new initiative focused on finding and fixing vulnerabilities in open-source software.

The initiative is known as the Alpha-Omega Project. It’s launching following a meeting at the White House where officials from major tech firms, federal agencies and nonprofits discussed open-source security.

The Open Source Security Foundation, or OpenSSF, was established in 2020 with backing from Google LLC, Microsoft Corp., Intel Corp. and other leading tech industry players. The group’s newly launched Alpha-Omega Project will be financed with an initial investment of $5 million from Microsoft and Google. The two companies are also committing personnel to the effort.

Practically all enterprises use open-source software in their information technology environments. Some open-source tools are used by upwards of thousands of companies. As a result, a vulnerability in a popular open-source tool can potentially enable hackers to launch broad cyberattacks targeting a large number of organizations.

“Open-source software is a vital component of critical infrastructure for modern society. Therefore we must take every measure necessary to keep it and our software supply chains secure,” said OpenSSF General Manager Brian Behlendorf. “Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities. This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.”

The OpenSSF’s new Alpha-Omega Project comprises not one but two separate initiatives. They are called Alpha and Omega, respectively, and each seeks to improve the cybersecurity of the open-source software landscape in different ways.

Alpha, the first initiative, focuses on fixing vulnerabilities in the “most critical open-source projects.” Through Alpha, OpenSSF plans to help maintainers of critical open-source projects with tasks such as auditing their software for cybersecurity issues and rolling out fixes to vulnerable code.

To reduce the risk of vulnerabilities emerging in the first place, Alpha participants will help open-source project maintainers ensure that their projects comply with cybersecurity best practices. OpenSSF plans to draw on, among other resources, its Best Practices Badge framework as part of the effort. The framework specifies encryption techniques and other methods that developers can implement to reduce the amount of potentially vulnerable code in their software. 

The other major focus of the Alpha initiative will be helping users of open-source projects to evaluate the cybersecurity of the software they rely on. OpenSSF plans to provide the public with a standardized overview of critical open-source projects’ cybersecurity posture. Additionally, the group will track how effectively open-source projects implement cybersecurity best practices.

Omega, the other initiative in the Alpha-Omega Project, focuses not on the most critical open-source projects but rather the broader ecosystem. Through Omega, OpenSSF will run automated cybersecurity tests across at least 10,000 open-source projects to find vulnerabilities. OpenSSF plans to assign a team of engineers to improve continuously the software workflow that it will use to run the cybersecurity tests. 

Photo: Unsplash