
OpenSSF Announces the Alpha-Omega Project to Improve Software Supply Chain Security


The Open Source Security Foundation (OpenSSF), in partnership with Google and Microsoft, has announced the Alpha-Omega Project to improve supply chain security across open source software (OSS) projects. The project will focus on improving the security posture of the most widely deployed and critical OSS projects.

The project will have two main initiatives. Alpha will work with OSS project maintainers to look for and address undiscovered vulnerabilities within their project's code. Omega will identify at least 10,000 of the most widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance.

Brian Behlendorf, general manager at OpenSSF, shares that:

Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities. This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.

The team states that the Alpha portion of the project will be collaborative in nature and focus on standalone and core ecosystem OSS projects. These projects will be selected based on work done by the OpenSSF Securing Critical Projects working group. The group defines a critical OSS project as one that "can have an especially large impact if it has a significant unintentional vulnerability, or if it is subverted in either its source repository or distribution package(s)".

The working group combined the results of several different analyses including the OpenSSF Criticality Score, Harvard's Census Program II, and the OSTIF Managed Audit Program into the current interim list of critical OSS projects. The criticality score aims to define the influence and importance of a project by assigning it a score between 0 (least critical) and 1 (most critical). A defined algorithm is used to weigh a number of parameters including age of the project, the contributor count, and the number of dependencies. There are a number of lists of critical projects with their criticality score available on Google Cloud Storage.
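To make the scoring idea above concrete, here is an added worked example (not code from the OpenSSF or the Alpha-Omega project) of a weighted criticality score. The aggregation formula follows the one documented in the OpenSSF criticality_score project's README: each signal is log-scaled and capped at a threshold, then the capped signals are combined as a weighted mean so the result lands between 0 and 1. The three signals, their weights and thresholds, and the sample project metrics are illustrative assumptions chosen for this example, not the project's real defaults.

```python
"""Weighted criticality score in the style of the OpenSSF criticality_score
project. The combination formula follows that project's README; the signal
names, weights, thresholds and sample inputs below are ASSUMED for
illustration and are not the project's actual defaults.
"""
import math

# Each signal maps to (weight alpha_i, threshold T_i). A signal saturates at
# its threshold, so no single axis (e.g. a huge dependents count) can push a
# project past 1.0 on its own. Values are assumptions for this example.
SIGNALS = {
    "created_since_months": (1.0, 120),    # project age in months
    "contributor_count": (2.0, 5000),      # distinct contributors
    "dependents_count": (2.0, 500000),     # projects that depend on this one
}


def signal_score(value, threshold):
    """log(1 + S_i) / log(1 + max(S_i, T_i)): in [0, 1], exactly 1 at or above T_i."""
    return math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(metrics):
    """Return C in [0, 1] as the alpha-weighted mean of the per-signal scores.

    Missing signals count as 0; negative inputs are clamped to 0 so a bad
    data source cannot produce a score outside the documented range.
    """
    numerator = 0.0
    denominator = 0.0
    for name, (alpha, threshold) in SIGNALS.items():
        value = max(0, metrics.get(name, 0))
        numerator += alpha * signal_score(value, threshold)
        denominator += alpha
    return round(numerator / denominator, 5)


def rank_projects(projects):
    """Return [(name, score), ...] ordered most critical first.

    This is the shape of the 'list of critical projects with their score'
    that a working group would triage from the top down.
    """
    scored = [(name, criticality_score(m)) for name, m in projects.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample metrics for three hypothetical projects.
SAMPLE_PROJECTS = {
    "widely-used-lib": {"created_since_months": 200,
                        "contributor_count": 9000,
                        "dependents_count": 600000},
    "mid-sized-tool":  {"created_since_months": 36,
                        "contributor_count": 99,
                        "dependents_count": 1200},
    "brand-new-repo":  {"created_since_months": 0,
                        "contributor_count": 1,
                        "dependents_count": 0},
}

if __name__ == "__main__":
    for name, score in rank_projects(SAMPLE_PROJECTS):
        print(f"{name:16s} {score:.5f}")
```

Because every signal saturates at its threshold, a project that exceeds all thresholds scores exactly 1.0, and a project with no history scores 0.0; everything in between is a weighted mean of log-scaled values, which is why a handful of large dependents counts does not swamp the contributor or age signals.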

The assistance provided by Alpha team members is proposed to include threat modeling, source code audits, assistance with automated security testing, and direct support addressing identified issues. In addition, assistance could be provided in implementing best practices based on the OpenSSF Scorecards and the OpenSSF Best Practices Badge project.

Omega will make use of automated methods, security analysis triaging, and confidential reporting to identify and correct vulnerabilities across at least 10,000 critical OSS projects. Through funding from Microsoft and Google, Omega will have a dedicated team of software engineers working on this analysis pipeline.

Along with the work of helping improve the security posture of these OSS projects, the OpenSSF states that they will be tracking metrics to provide better insights to stakeholders on the security health of these projects. They indicate that "the public will receive a transparent, standardized view of the project’s security posture and compliance with security best practices."

More information about the project is available on the OpenSSF website. The OpenSSF is encouraging parties interested in Alpha-Omega to participate in the Securing Critical Projects working group.
