Since 41% of organizations are still not confident about their open-source software security, more innovations are needed to change this narrative.

Even though software bill of materials offer more visibility, the Open Source Security Foundation seeks to alter SBOMs from just being a mechanism to be organism-based so that they address issues such as changes in metadata and compiler flags, according to Omkhar Arasaratnam (pictured, left), general manager of OpenSSF at The Linux Foundation.

“If we look back to the SANS Top 20 — or I guess this is now known the CIS Top 20 — number one has been asset management for the last three decades,” Arasaratnam said. “If we extend that thinking to our assets no longer being servers, laptops and network kit, but also software assets, that is what the SBOM seeks to address. Talking about how that evolves and how the data structures are supported through operational process, now I know I have Log4j.”

Arasaratnam and Brian Behlendorf (right), chief technology officer of OpenSSF at The Linux Foundation, spoke with theCUBE industry analyst John Furrier and guest analyst Rob Strechay at Open Source Summit NA, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the importance of SBOMs in the open-source software security landscape and how OpenSSF fits in the picture.

Want to stop Log4Shell vulnerabilities? Here’s the perfect answer

As a critical weakness in Log4j — a Java-based logging tool used by millions of computers — Log4Shell can be addressed by coupling SBOMs with common exposures and vulnerabilities, or CVE. Tackling gaps in the build process is also helpful in mitigating supply chain attacks, according to Behlendorf.

“We’ve got to have SBOMs, because the biggest perception is we don’t know what we’re running in this infrastructure. And when the Log4Shell breach hit, governments didn’t know when they were done in remediating,” he said. “But even just that listing isn’t enough. You want to know are there outstanding CVEs that aren’t yet addressed.”

Since OpenSSF’s mission is to ensure that the software supply chain is secure for the benefit of the public good, it works with other organizations, such as the CD Foundation. As a result, risks are minimized in the open-source ecosystem, Behlendorf pointed out.

“The project really got started in 2020 as a coming together of a whole bunch of initiatives that kind of touched on the security of open-source code and the software supply chain after things like the SolarWinds hack,” he said. “Then in 2021, we pivoted to kind of a funded operation to allow us to go and be a bit bolder about our initiatives.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of Open Source Summit NA:

Photo: SiliconANGLE