Microsoft joins new open source security group
- Date: 27 October, 2020
Microsoft has joined the newly formed Open Source Security Foundation (OpenSSF), which aims to improve the security of open source software by building a broader community and developing targeted initiatives and best practices.
The new group is supported by the Linux Foundation and includes GitHub, Google, IBM, NCC Group, OWASP Foundation and Red Hat amongst its founding members.
The new group will likely be joined by members of GitHub’s Open Source Security Coalition (OSSC) and integrate the efforts of the Core Infrastructure Initiative (CII).
Open source software typically has no central authority responsible for its quality and maintenance. In addition, because source code can be copied and cloned, versioning and dependencies are particularly complex.
These key challenges strongly suggest that building better security must be a community-driven process. With this in mind, several working groups will be created to address key security concerns, such as:
- Vulnerability disclosures - aimed at speeding up the time required to fix a vulnerability and deploy the fix
- Security tooling - seeking to improve existing security tools and develop new ones
- Security threats identification - focusing on creating key metrics to better assess how each component in an open source project scores in regards to security
- Security best practices
Mark Russinovich, Microsoft’s chief technology officer, gave a further indication of some of the key areas of focus for the group when he said: “We are looking forward to participating in future OpenSSF efforts including securing critical open source projects (assurance, response), developer identity and bounty programs for open source security bugs”.