10項目のオープンソースおよびソフトウェアサプライチェーン セキュリティ行動計画をリリース、初回の資金提供は3,000万ドル以上に
2022年5月12日 ワシントンD.C.発 ー Linux FoundationとOpen Source Security Foundation (OpenSSF) は、オープンソースソフトウェアの回復力とセキュリティ向上のために取るべき主要行動について合意するために、37社90人以上の企業幹部、NSC、ONCD、CISA、NIST、DOE、OMBから政府指導者を集めました。
オープンソースソフトウェア セキュリティサミットII は、2022年1月13日に開催されたホワイトハウス国家安全保障会議による第1回サミットに続くものです。今回は、バイデン大統領の「国家サイバーセキュリティ改善に関する大統領令」1周年の記念日にLinux FoundationとOpenSSFにより招集されました。
Linux FoundationとOpenSSFは、あらゆるセクターからの情報提供を受けて、オープンソースとソフトウェア サプライチェーン セキュリティに幅広く対応する、これまでにない計画を策定しました。サミット II 計画は、計画が特定する10項目の主要な問題に対して十分に精査された解決策を迅速に進めるために、2年間で約1億5,000万ドルのファンディングを概算しています。10項目の投資の流れには、より迅速な改善と、よりセキュアな未来への強固な基盤作り両方のための具体的なアクションプランが含まれています。
参加組織の一部は、計画の実施に向けた最初の資金提供を誓約するために集まりました。これらの企業は、Amazon、Ericsson、Google、Intel、Microsoft、VMWareであり、3,000万ドル以上を約束しています。 計画がさらに進展するにつれて、より多くの資金が特定され、個々の流れが合意されたときに作業が開始されます。
これは、OpenSSFコミュニティメンバーがオープンソース ソフトウェアに対して行っている既存の投資に基づいています。 Linux Foundationのステークホルダーの非公式な調査によると、1億1000万ドル以上を費やし、オープンソースソフトウェアランドスケープの保護に焦点を当てた100人近くのフルタイム相当の従業員を雇用しています。 この計画はそれらの投資に追加されます。
おもなバックグラウンド
10項目計画の3つの目標
- オープンソース セキュリティ製品の保護
- 安全なソフトウェア開発の基本となる教育と認定を、プロフェッショナルなOSS開発者のための新しい標準にする。
- 上位 10,000 のオープンソース コンポーネントについて、ベンダーニュートラルで客観的な指標に基づく公開のリスク評価ダッシュボードを確立する。
- ソフトウェアリリースにおけるデジタル署名の採用を促進する。
- メモリセーフでない言語を置き換えることにより、多くの脆弱性の根本原因を排除する。
- 脆弱性検出と修正の強化
- メンテナーや専門家による新しい脆弱性の発見を加速させる。
- オープンソース プロジェクトが危機的状況のときに支援する「ボランティア消防士」のセキュリティ専門家部隊を設立する。
- 最も重要なオープンソース ソフトウェア コンポーネント200件について、サードバーティによるコードレビュー(および必要な修正作業)を毎年実施する。
- 業界全体のデータ共有を調整し、最も重要なオープンソース ソフトウェアを決定するのに役立つ調査を改善する。
- エコシステムのパッチング レスポンス タイムの短縮
- ソフトウェア部品表 (SBOM) の普及 – SBOMツールとトレーニングを改善し普及を促進する。
- より優れたサプライチェーン セキュリティ ツールとベストプラクティスで、最も重要な10件のオープンソース ソフトウェア ビルド システム、パッケージ マネージャー、ディストリビューション システムを強化する。
10項目計画の概要
- セキュリティ教育:安全なソフトウェア開発の基本となる教育と認定を、すべての人に提供する。
- リスク評価:トップ1万件(またはそれ以上)のOSSコンポーネントについて、一般に公開され、ベンダーニュートラルで、客観的指標に基づくリスク評価ダッシュボードを確立する。
- デジタル署名:ソフトウェア リリースにおけるデジタル署名の採用を加速させる。
- メモリの安全性:メモリセーフでない言語を置き換えることにより、多くの脆弱性の根本原因を排除する。
- インシデントへの対応:OpenSSF Open Source Security Incident Response Team(OpenSSF オープンソース セキュリティ インシデント対応チーム:脆弱性対応の重要な時期に、オープンソースプロジェクトを支援できるセキュリティ専門家の集団)を設置する。
- スキャン機能の向上:高度なセキュリティツールと専門家によるガイダンスを通じて、メンテナーや専門家による新しい脆弱性の発見を加速させる。
- コード監査:最も重要なOSSコンポーネントの最大200件について、サードパーティのコードレビュー(および必要な修正作業)を年に1回実施する。
- データ共有:業界全体のデータ共有を調整し、最も重要なOSS コンポーネントを決定するのに役立つ調査を改善する。
- SBOMの普及:SBOMツールとトレーニングを改善して採用を促進する。
- サプライチェーンの改善:より優れたサプライチェーン セキュリティ ツールとベストプラクティスで、最も重要な10件のOSS ビルド システム、パッケージ マネージャー、ディストリビューション システムを強化する。
コメント
Jim Zemlin – Executive Director, Linux Foundation: 「バイデン大統領の大統領令から1周年を迎えた今日、私たちは実行可能な計画で対応するためにここにいます。なぜなら、オープンソースは私たちの国家安全保障にとって重要な要素であり、今日のソフトウェアのイノベーションに何十億ドルも投資されている基礎となるものだからです。私たちは、集団でサイバーセキュリティの回復力を高め、ソフトウェア自体への信頼を向上させるという共通の義務を負ってます。この計画は、私たちの統一された声と共通の行動への呼びかけを表しています。これからの最重要課題はリーダーシップです。」
Brian Behlendorf – Executive Director, Open Source Security Foundation (OpenSSF): 「私たちがここで一緒にやっていることは、何が問題でそれを解決するために何ができるかという一連のアイデアと原則を集約することです。私たちがまとめた計画は、その開始点として地上に立てた10本の旗です。計画を行動に移せるようなさらなる意見とコミットメントを得ることを切望しています。」
関係各社からのコメント (原文より)
Anne Neurenberger, Deputy National Security Advisor, Cyber & Emerging Tech at National Security Council, The White House:
“President Biden signed the Executive Order on Cybersecurity last year to ensure the software our government relies on is secure and reliable, including software that runs our critical infrastructure. Earlier this year, the White House convened a meeting between government and industry participants to improve the security of Open Source software. The Open Source security foundation has followed up on the work at that meeting and convened participants from across industry to make substantial progress. We are appreciative of all participants’ work on this important issue.”
Atlassian
Adrian Ludwig, Chief Trust Officer
“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be participating in OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. We’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.”
Cisco
Eric Wenger, Senior Director, Technology Policy, Cisco Systems
“Open source software (OSS) is a foundational part of our modern computing infrastructure. As one of the largest users of and contributors to OSS, Cisco makes significant investments in time and resources to improve the security of widely-used OSS projects. Today’s effort shows the stakeholder community’s shared commitment to making open-source development more secure in ways that are measurable and repeatable.”
Dell
John Roese, Dell Technologies CTO
“Never before has software security been a more critical part of the global supply chain. Today, in a meeting led by Anne Neuberger [linkedin.com], Deputy National Security Advisor for Cyber and Emerging Technology, Dell and my Open Source Security Foundation colleagues committed our software security expertise to execute the Open Source Software Security Mobilization Plan. Dell’s best and brightest engineers will engage with peers to develop risk-based metrics and scoring dashboards, digital signature methodologies for code signing, and Software Bill of Materials (SBoM) tools – all to address the grand challenge of open-source software security. This is an excellent example of the leadership Dell provides to proactively impact software security and open-source security solutions, and reinforces our commitment to the open-source software community, to our supply chain and to our national security.”
Ericsson
“Ericsson is one of the leading promoters and supporters of the open source ecosystem, accelerating the adoption and industry alignment in a number of key technology areas. The Open Source Security Foundation (OpenSSF) is an industry-wide initiative with the backing of the Linux Foundation with the objective of improving supply chain security in the open source ecosystem.
“As a board member of OpenSSF, we are committed to open source security and we are fully supportive of the mobilization plan with the objective of improving supply chain security in the open source ecosystem. Being an advocate and adopter of global standards, the initiatives aim to strengthen open source security from a global perspective.”
GitHub
Mike Hanley, Chief Security Officer
“Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain. As home to 83M developers around the world, GitHub is uniquely positioned and committed to advance these efforts, and we’ve continued our investments to help developers and maintainers realize improved security outcomes through initiatives including 2FA enforcement on GitHub.com and npm, open sourcing the GitHub Advisory Database, financial enablement for developers through GitHub Sponsors, and free security training through the GitHub Security Lab.
“The security of open source is critical to the security of all software. Summit II has been an important next step in bringing the private and public sector together again and we look forward to continuing our partnerships to make a significant impact on the future of software security.”
Eric Brewer, VP of Infrastructure at Google Cloud & Google Fellow
“We’re thankful to the Linux Foundation and OpenSSF for convening the community today to discuss the open source software security challenges we’re facing and how we can work together across the public and private sectors to address them. Google is committed to supporting many of the efforts we discussed today, including the creation of our new Open Source Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects, and by providing support to the community through updates on key projects like SLSA, Scorecards; and Sigstore, which is now being used by the Kubernetes project. Security risks will continue to span all software companies and open source projects and only an industry-wide commitment involving a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact.”
IBM
Jamie Thomas, Enterprise Security Executive
“Today, we had the opportunity to share our IBM Policy Lab’s recommendations on how understanding the software supply chain is key to improving security. We believe that providing greater visibility in the software supply chain through SBoMs ( Software Bill of Materials) and using the Open Source Software community as a valuable resource to encourage passionate developers to create, hone their skills, and contribute to the public good can help strengthen our resiliency. It’s great to see the strong commitment from the community to work together to secure open source software. Security can always be strengthened and I would like to thank Anne Neuberger today for her deep commitment and open, constructive, technical dialogue that will help us pave the way to enhancing OSS security. ”
Intel
Greg Lavender, Chief Technology Officer and General Manager of the Software and Advanced Technology Group
“Intel has long played a key role in contributing to open source. I’m excited about our role in the future building towards Pat’s Open Ecosystem vision. As we endeavor to live into our core developer tenets of openness, choice and trust – software security is at the heart of creating the innovation platforms of tomorrow.”
Melissa Evers, Vice President, Software and Advanced Technology, General Manager of Strategy to Execution
“Intel commends the Linux Foundation in their work advancing open source security. Intel has a history of leadership and investment in open source software and secure computing: over the last five years, Intel has invested over $250M in advancing open-source software security. As we approach the next phase of Open Ecosystem initiatives, we intend to maintain and grow this commitment by double digit percentages continuing to invest in software security technologies, as well as advance improved security and remediation practices within the community and among those who consume software from the community.”
JFrog
Stephen Chin, Vice President of Developer Relations
“While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories. As we say at JFrog, ‘with great software comes great responsibility’, and we take that job seriously. As a designated CNA, the JFrog Security Research team constantly monitors open-source software repositories for malicious packages that may lead to widespread software supply chain attacks and alerts the community accordingly. Building on that, JFrog is proud to collaborate with the Linux Foundation and other OpenSSF members on designing a set of technologies, processes, accreditations, and policies to help protect our nation’s critical infrastructure while nurturing one of the core principles of open source – innovation.”
JPMorgan Chase
Pat Opet, Chief Information Security Officer
“We are proud to have worked with Open Source Security Foundation (OpenSSF) and its members to create the new Open Source Software Security Mobilization Plan, This plan will help to address security issues in the software supply chain which is critical to making the world’s software safer and more secure for everyone.”
Microsoft
Mark Russinovich, CTO, Microsoft Azure
“Open source software is core to nearly every company’s technology strategy. Collaboration and investment across the open source ecosystem will strengthen and sustain security for everyone. Microsoft’s commitment to $5M in funding for OpenSSF supports critical cross-industry collaboration. We’re encouraged by the community, industry, and public sector collaboration at today’s summit and the benefit this will have to strengthen supply chain security.”
OWASP Foundation
Andrew van der Stock, Executive Director
“OWASP’s mission is to improve the state of software security around the world. We are contributing to the Developer Education and Certification, as well addressing the Executive Order for improving the state and adoption of SBOMs. In particular, we would like to see a single, consumable standard across the board.”
Mark Curphey (founder of OWASP) and John Viega (author of the first book on software security), Stream Coordinators
“We’re excited to see the industry’s willingness to come together on a single ‘bill of materials’ format. It has the potential to help the entire industry solve many important problems, including drastically improving response speed for when major new issues in open source software emerge.”
SAP
Tim McKnight, SAP Executive Vice President & Chief Information Security Officer
“SAP is proud to be a part of the Open Source Software Security Summit II and contribute to the important dialogue on the topic of Open Source software security.
“SAP is firmly committed to supporting the execution of the Open Source Software Security Mobilization Plan and we look forward to continuing our collaboration with our government, industry, and academic partners.”
Sonatype
Brian Fox, CTO of Sonatype and steward of Maven Central
“It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today. It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone. The Open Source Software Security Mobilization Plan is a great step toward bringing our community together with a number of key tactics, starting with securing OSS production, which will make the entire open source ecosystem stronger and safer.”
Wipro
Andrew Aitken, Global Head of Open Source
“Wipro is committed to helping ensure the safety of the software supply chain through its engagement with OpenSSF and other industry initiatives and is ideally suited to enhance efforts to provide innovative tooling, secure coding best practices and industry and government advocacy to improve vulnerability remediation.
“As the only global systems integrator in the OpenSSF ecosystem and in line with its support of OpenSSF objectives, Wipro will commit to training 100 of its cybersecurity experts to the level of trainer status in LF and OpenSSF secure coding best practices and to host training workshops with its premier global clients and their developer and cybersecurity teams.
“Further, Wipro will increase its public contributions to Sigstore and the SLSA framework by integrating them into its own solutions and building a community of 50+ contributors to these critical projects.”
プレス ブリーフィング ー オープンソースソフトウェア セキュリティサミットII
