OpenSSF Protecting Open Source Security as Cold War Turns Hot

While the Open Source Security Foundation is active in all areas pertaining to open source security, developers might be most interested in OpenSSF’s free online Developing Secure Software certification program.

Let’s face it, the cold war between western nations and Russia, which many had presumed long dead, has reignited and has already escalated into a hot war in Ukraine that has the potential to spread to other countries. While whether or not that happens remains an unknown, one thing is certain: this new cold war is going to be with us for a very long time.

A key component of these revived hostilities will be an increase of cyberattacks by nation states that will threaten the integrity of the interconnected computer systems that run our world, which could be used to threaten our power supplies, the safety of our tap water, banking and finance, and more. Of particular concern have been the recent attacks on the software supply chain instigated by nation state actors, because malware delivered this way has the ability to quickly spread throughout government and industry with crippling effect.

The potential of these supply chain attacks to wreck havoc had already become evident by late 2020, many months before the current situation involving Russia and Ukraine was above the radar. They were brought to light with the discovery that attackers had breached SolarWinds — a Texas-based company that develops network management and other IT infrastructure software — and had compromised the build system for the company’s Orion monitoring software.

In the three months between the time of the hack and its discovery, the attackers were shipping malware with each and every download of the Orion software, which SolarWinds said might have involved more than 18,000 of its customers. Microsoft, which conducted its own investigation, said that the companies affected included security, technology, and non-governmental organizations, as well as numerous government agencies, and that 80% of the victim organizations were based in the U.S.

The problem has only gotten worse. According to security company Argon’s 2021 Software Supply Chain Security Report, software supply chain attacks grew by more than 300% over the course of last year.

“The number of attacks over the past year and the widespread impact of a single attack highlights the massive challenge that application security teams are facing,” Eran Orzel, Argon’s senior director of customer success and sales, said in a statement when the report was released. “Unfortunately, most teams lack the resources, budget, and knowledge to deal with supply chain attacks. Add to that the fact that to address this attack vector, AppSec teams need cooperation from development and DevOps teams, and you can understand why this is a tough challenge to overcome.”

That’s the bad news. The good news is that although the number of attempts to poison the software supply chain will likely continue to rise, there are solutions already available (with more under development) to keep the attackers from being successful. Mostly these are preventative measures that, like a good dose of medicine, makes systems more difficult to penetrate.

OpenSSF and Open Source Security

Recognizing that the expanding scope of security attacks affects open source as well as proprietary software (we can argue later about which has more vulnerabilities), at about the same time that the SolarWinds attack was discovered, the Linux Foundation formed the Open Source Security Foundation, a cross-industry collaborative effort devoted to improving open source software security. The project’s founding members, who brought to the table both money and expertise, include some A-list tech stars, such as GitHub, Microsoft, Google, IBM, Red Hat, GitLab, Uber, VMware, and others. Since then the membership has grown to include 74 companies.

Since October, the project’s general manager has been Brian Behlendorf, an Apache Software Foundation co-founder who became a regular at the Linux Foundation in 2016, when he took the job of executive director of the blockchain-based Hyperledger Project, which he left late last year to take the job at OpenSSF. In addition to his position at the security foundation, he is a board member at both Mozilla and Electronic Frontiers Fellowship.

Behendorf took the reins at OpenSSF almost simultaneously with an announcement by the Linux Foundation that $10 million had been raised to expand and support the project.

“There has never been a more exciting time to work in the open source community, and software supply chain security has never needed more of our attention,” he said in a statement. “There is no single silver bullet for securing software supply chains. Research, training, best practices, tooling and collaboration require the collective power of thousands of critical minds across our community. Funding for OpenSSF gives us the forum and resources to do this work.”

A short time later, Behlendorf indicated that much of the $10 million windfall would be used to fund the development of new security toolsets to support the tools the organization already offered, as well as to define best practices for securing open source software projects.

Trouble Comes In the Front Door

There’s an old adage among bricks and mortar businesses that “trouble comes in the front door.” What this means is that no matter how much an establishment hardens its rear entranceways, puts iron bars over windows, or otherwise attempts to turn a facility into a fortress, those who seek to cause trouble will more than likely walk in through the front door disguised as customers or clients.

The same is true in cyberspace. The odds are that most cracker hackers aren’t going to bother to try to brute force their way through a firewall when when the easiest way to gain access to a system is to come in looking like legitimate traffic. From there, they’ll be looking for exposed vulnerabilities in software the system is running.

Because of this, the main focus at OpenSSF hasn’t been so much on the traditional bolted-on security that’s designed to keep attackers out of a system, or heuristics programs that look for suspicious behavior, but considers all of the software running on a system, since all software can contain (some would say will contain) hidden or undiscovered security vulnerabilities. Although traditional software and hardware security solutions remain an essential element in any security program, OpenSSF places an emphasis on making sure that all of the applications running on the system are designed with security in mind.

This requires developers to be trained in security best practices however, and traditionally security hasn’t always been a priority for developers under pressure to create customer pleasing applications that are user friendly with rich feature sets. It also doesn’t help that many developers, including many of the most talented, learned computer programming on their own, without benefit of computer science courses that would at least pay lip service to security mindfulness.

Many of the people in charge at large development houses or enterprise IT departments have understood the problem for years, and have been working to rectify this knowledge gap among application developers. By the time OpenSSF came in to existence, almost all big tech firms — from proprietary to open source — had developed in-house training programs to keep their developers up-to-date on safe coding practices.

OpenSSF’s Free Security Training for App Devs

With the advent of OpenSSF, security training for developers has been made easier for large enterprises, and accessible for smaller companies with tight resources, due to its free online training course called Developing Secure Software. The foundation says it takes about 14-18 hours to complete the course, and it’s designed so those taking it can go at their own pace. After completing the course, a certificate of completion is awarded that’s valid for two years.

This means that companies no longer have to develop and maintain security training programs in-house, but can make having a current certificate from OpenSSF an employment requirement. The same course is also available on edX, the higher education platform with Harvard/MIT roots and involvement, offered as part of edX’s and the Linux Foundation’s Secure Software Development Fundamentals professional certificate program.

The edX course can be audited for free, so there’s no charge for learning the material, but there’s a $537.30 fee for certification, which has more stringent testing than the free certificate offered directly from OpenSSF, because it verifies that the material was actually learned. While the course material is essentially the same, the edX content is split into three courses: Requirements, Design, and Reuse; Implementation; and Verification and More Specialized Topics.

White House Open Source Security Summit

In early January, OpenSSF was along for the ride when the Biden White House brought government and private sector stakeholders together for an Open Source Security Summit, for the purpose of discussing ways to improve the security of open source software. Also present were representatives from other tech organizations that included Apple, Google, The Linux Foundation, Microsoft, Red Hat, VMware, and others. Representing the public sector were Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, and Chris Inglis, the U.S. government’s National Cyber Director.

The White House said in a statement issued after the meeting, “The discussion focused on three topics: Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes.”

While the statement from the White House basically just listed topics that were discussed, the representatives from the private sector all seemed to think that the meeting was fruitful.

“During today’s meeting, we shared a set of key opportunities where, with sufficient commitments from everyone, we could make a substantial impact on the critical endeavors needed to protect and improve the security of our software supply chains,” Behlendorf said in a statement following the meeting. “The open source ecosystem will need to work together to further cybersecurity research, training, analysis and remediation of defects found in critical open source software projects.

“These plans were met with positive feedback and a growing, collective commitment to take meaningful action,” Behlendorf added. “Following the recent log4j crisis, the time has never been more pressing for public and private collaboration to ensure that open source software components and the software supply chains they flow through demonstrate the highest cybersecurity integrity.”

In addition to the training on secure coding practices and the security-focused software tools it makes available, OpenSSF sponsors Working Groups, which are collaborative projects for the planning, design, and delivery of security tooling, and best practices to secure critical open source projects. In addition, the organizations hosts Town Halls, where people can stay informed about the latest happenings in open source security while engaging with security experts.