Technology and Enterprise Leaders Collaborate to Consolidate Initiatives for Improving Open Source Security

August 3, 2020 | August 25, 2020 | Press Release

New collaboration, the Open Source Security Foundation (OpenSSF), consolidates industry initiatives aimed at improving the security of open source software

SAN FRANCISCO, August 3, 2020 - The Linux Foundation today announced the founding of the Open Source Security Foundation (OpenSSF). OpenSSF brings together open source industry leaders to enable cross-industry collaboration that improves the security of open source software (OSS) by building a broader community through targeted initiatives and best practices. OpenSSF combines the Core Infrastructure Initiative, GitHub's Open Source Security Coalition efforts, and the open source security projects of founding Governing Board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, the OWASP Foundation and Red Hat. Other founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.

Open source software is pervasive in data centers, consumer devices and services, and its value is recognized by technologists and enterprises alike. Because of how it is developed, the open source software that ultimately reaches end users carries a chain of contributors and dependencies. It is important that users, and the people responsible for security in organizations, are able to understand and verify the security of that dependency chain.

OpenSSF brings together the industry's most important open source security initiatives and the individuals and companies that support them. The Linux Foundation's Core Infrastructure Initiative (CII), founded in response to the Heartbleed bug (2014), and the Open Source Security Coalition, founded by GitHub Security Lab, are just some of the projects being consolidated into the new OpenSSF. The foundation's governance, technical community and decision-making will be transparent, and the specifications and projects it develops will be vendor-neutral. OpenSSF will work with both upstream and existing communities to advance open source security for everyone.

Jim Zemlin, Executive Director of the Linux Foundation, said:
"We believe open source is a public good, and that the whole industry has a responsibility to work together to improve and support the security of the open source software everyone depends on. Securing open source is one of the most important things we can do, and everyone around the world needs to support this effort. The OpenSSF will provide a forum for a truly collaborative, cross-industry effort."

With the founding of the organization, an open governance structure is established consisting of a Governing Board (GB), a Technical Advisory Council (TAC), and oversight for each working group and project. OpenSSF plans to host a variety of open source technical initiatives to support the security of the world's most critical open source software, all managed openly on GitHub.

For more information and to contribute to the projects, visit https://openssf.org.

References

Threats, Risks & Mitigations of the Open Source Ecosystem : Open Source Security Coalition
Vulnerabilities in the Core : Harvard’s Lab for Innovation Science and Linux Foundation
Red Hat Product Security Risk Report : Red Hat

Statements from Governing Board members (original text)

GitHub
“Every industry is using open source software, and it is our collective responsibility to help maintain a healthy and secure ecosystem,” said Jamie Cool, Vice President of Product Management, Security at GitHub. “GitHub founded the Open Source Security Coalition in 2019 to bring together industry leaders around this mission and ensure the consumption of open source software is something that all developers can do with confidence. We look forward to this next step in the evolution of the coalition and serving as a founding member of the Open Source Security Foundation.”

Read more in GitHub’s blog.

Google
“Security is always top of mind for Google and our users. We have developed robust internal security tools and systems for consuming open source software internally, for our users, and for our OSS-based products. We believe in building safer products for everyone with far-reaching impacts, and we are excited to work with the broader community through the OpenSSF. We look forward to sharing our innovations and working together to improve the security of open source software we all depend on,” said Director of Product Security, Google Cloud, James Higgins.

IBM
“Open source has become mainstream in the enterprise. As such, the security of the open source supply-chain is of paramount importance to IBM and our clients,” said Christopher Ferris, IBM Fellow and CTO Open Technology. “The launch of the Open Source Security Foundation marks an important step towards giving open source communities the information and tools they need to improve their secure engineering practices, and the information developers need to choose their open source wisely.”

JPMorgan Chase
“Developing, growing and using open source software is a top priority for JPMorgan Chase. We are committed to partner with the community through the Open Source Security Foundation to ensure trust and security in open source software for everyone,” stated Lori Beer, Global Chief Information Officer, JPMorgan Chase.

Microsoft
“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own,” said Mark Russinovich, Chief Technology Officer, Microsoft Azure. “As with everything open source, building better security is a community-driven process. All of us at Microsoft are excited to be a founding member of the Open Source Security Foundation and we look forward to partnering with the community to create new security solutions that will help us all.”

Read more in Microsoft’s blog.

NCC Group
“The security and privacy of the internet is essential for the protection of individuals, organizations and critical infrastructure, and also the future of democracy and our civil liberties. Given the fundamental role open source plays in powering our world, creating scalable resources and tools to help software maintainers, developers, and users understand and improve their projects’ security is a significant step toward a safer and more secure world. By bringing together a dedicated group of technologists with a shared desire to improve the security of open source software, together we can begin to remediate – or even prevent – security vulnerabilities at a scale not previously possible,” stated Jennifer Fernick, Head of Research at global cyber security expert NCC Group.

OWASP
“Joining the Linux Foundation and the Open Source Security Foundation is central to our mission to advance the state of application security, especially as OpenSSF is already aligned with OWASP’s core philosophies of openness, transparency and innovation,” said Andrew van der Stock, Executive Director of OWASP, the Open Web Application Security Project. “We look forward to working with all of the participating organizations to improve the state of software security and work together on projects of vital interest to software developers, organizations, and governments around the world.”

Red Hat
“Red Hat is unrelenting in our commitment to open source and in participating to make upstream projects successful. We believe security is an essential part of healthy project communities,” said Chris Wright, CTO of Red Hat. “Now, more than ever, is the time for us to join together with other leaders to help ensure key projects are secure and consumable in our products, across enterprises, and as part of the hybrid cloud. We are excited to help found this Open Source Software Foundation.”

Statements from founding members (original text)

ElevenPaths
“The security of an enterprise application or services depends mainly on the security of all its components. The vast majority of business applications and services are not fully developed in-house as they make use of open source components that help accelerate the development cycle and extend their functionality. Therefore, it is essential to ensure that all open source components comply with the best practices of secure development and periodic reviews are carried out to positively impact all software that makes use of these components. Joining the Open Source Security Foundation is fully aligned with our vision and principles.”

GitLab
“GitLab is excited to play a part in the creation of the Open Source Security Foundation (OpenSSF) to further cross-industry collaboration and move the security of open source projects forward as it is key to the future of technology,” said David DeSanto, director of product for Secure and Defend at GitLab. “Aligning with GitLab’s mission of ‘everyone can contribute,’ we look forward to supporting and contributing to the community to bring together security-conscious developers to change open source development in a collaborative and fundamental way.”

HackerOne
“Open source software powers HackerOne,” said Reed Loden, Head of Open Source Security, HackerOne. “It powers our software, our infrastructure, and our model for engaging with our community. As part of our mission to make the internet safer, we want to make it easier for open source projects to remain secure. For over three years, we’ve given the open source community our platform for free, and we’ve been long-time supporters of initiatives like Internet Bug Bounty. Joining the Linux Foundation and the Open Source Security Foundation allows us to continue on our mission and make the internet safer alongside some of the foremost visionaries in security. We look forward to seeing the change we can make together.”

Intel
“It takes the industry working together to advance technology and accelerate open source security initiatives. Hardware and software are inextricably linked to deliver security, transparency and trust in open source software. Together with the OpenSSF, Intel will continue to play a key role in mobilizing the industry at large and solving security challenges from the cloud to the edge,” said Anand Pashupathy, GM of System Security Software, Intel.

SAFECode
“Open source software is a major component in today’s software supply chain and thus comprises a significant fraction of the software that individuals and organizations rely upon. Supporting the secure development of open source software is of critical importance to SAFECode members and the software community,” said Steve Lipner, executive director of SAFECode. “We are looking forward to bringing our software security experience to bear as we participate in the Open Source Security Foundation’s mission to build a collaborative, cross-industry community to support the security of open source software.”

StackHawk
“The use of open source has undoubtedly reached critical mass, with ever increasing dependency trees and software complexity. Equipping engineering teams to deliver secure applications simply and scalably is core to our mission at StackHawk. We are excited to be one of the founding members of the Open Source Security Foundation to ensure that this can be a reality across software development as a whole and look forward to continued partnership with the community,” said StackHawk’s Founder & CEO, Joni Klippert.

Uber
“Security and Privacy is always top of mind at Uber to ensure we are responsible stewards of our user’s data. We’re always focused on mitigating all types of software vulnerabilities and as such the security of open source software is a top priority. Historically, we’ve worked with other industry leaders to help build a strong security community around open source software and we are excited to expand those efforts with the OpenSSF,” said Rob Fletcher, Sr Manager, Security Engineering.

VMware
“Strengthening the security posture, policies, and processes in the open source community and in widely used open source projects is strengthening the whole software ecosystem – for all players,” said Joshua Lock, security tech lead, Open Source Technology Center, VMware. “VMware strongly supports the goal of making our software ecosystem more resilient and more secure.”

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world's leader in collaboration on open source software, open standards, open data and open hardware. Linux Foundation projects, including Linux, Kubernetes and Node.js, are indispensable to the world's infrastructure. The Linux Foundation creates a sustainable model for open collaboration by drawing on best practices and addressing the needs of contributors, users and solution providers. For more information, visit www.linuxfoundation.org.

###

The Linux Foundation has registered and uses various trademarks. A list of The Linux Foundation's trademarks is available on this page.
Linux is a registered trademark of Linus Torvalds.
