To bolster software supply chain security, top technology companies have offered $30 million toward a two-year goal.
The Linux Foundation and Open Source Security Foundation (OpenSSF) Thursday announced a 10-point plan to boost open source and supply chain security after meeting key Biden administration officials and about 90 industry executives.
The group plans to spend more than $150 million over the next two years to make open source software more secure. The goal is to find and fix vulnerabilities like Log4j faster, in an effort to better protect the U.S. from malicious cyberattacks that exploit insecure software platforms and devices.
A group of leading technology companies, including Amazon, Ericsson, Google, Intel, Microsoft and VMware, already have pledged an initial tranche of more than $30 million in initial funding.
The United States industry gathering is a followup to the White House summit in January, convened by the National Security Council. That original meeting was in the wake of the Log4j vulnerability disclosure, an incident which put millions of devices worldwide at risk.
The security plan and funding are part of a larger effort by the software industry to restore some of the perceived imbalances that some officials say have led to security problems in open source.
The open source community, largely composed of volunteers, invests time and effort into creating code that serves as the foundation for much of modern computing. Wealthy Silicon Valley companies can capitalize on open source repositories to build their products, with limited investment or support toward code creation.
The amount of funding tech companies are pledging is meaningful compared to previous investments in open source, but is a drop in the bucket “when you compare it to the cost of remediating the cost of a major vulnerability,” said Brian Behlendorf, general manager of the Linux Foundation’s OpenSSF project, said during a press conference Thursday.
A number of technology companies announced plans to enhance the security of open source partners.
Google Cloud during the meeting said it would launch an Open Source Maintenance Crew, a dedicated team of engineers to work with upstream maintainers in order to boost the security of various open source projects, according to a blog post from the company.
Google Cloud also announced the launch of a new dataset designed to give developers and maintainers access to critical software supply chain information through the Open Source Insights project.
Open source and software executives said the summits are an essential step in helping the industry strengthen the security of the software supply chain.
“Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain,” GitHub CSO Mike Hanley said in an emailed statement.
GitHub, the home of 83 million developers worldwide, is committed to advancing the efforts outlined during the meeting, Hanley added. GitHub has enabled two-factor authentication on GitHub.com and npm, helped encourage financial backing for developers through the GitHub sponsors program and offered free security training through the GitHub Security Lab.