BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ
News Articles Presentations Podcasts Guides

Topics

Choose your language

InfoQ Dev Summit Boston

Discover transformative insights to level up your software development decisions. Use code LIMITEDOFFERIDSBOSTON24 for an exclusive offer.
InfoQ Dev Summit Munich

Get practical advice from senior developers to navigate your current dev challenges. Use code LIMITEDOFFERIDSMUNICH24 for an exclusive offer.
QCon San Francisco

Level up your software skills by uncovering the emerging trends you should focus on. Register now.
The Software Architects' Newsletter

Your monthly guide to all the topics, technologies and techniques that every professional needs to know about. Subscribe for free.

InfoQ Homepage News OpenSSF New Manifesto Urges the Software Industry to Take Responsibility for Open Source Security

Development

OpenSSF New Manifesto Urges the Software Industry to Take Responsibility for Open Source Security

Bookmarks

Aug 31, 2023 1 min read

InfoQ Article Contest

Share your knowledge Win a ticket to a QCon event
or an InfoQ Dev SummitFind out more

The Open Source Consumption Manifesto from OpenSSF aims to make the software industry more aware of its responsibility when it comes to ensuring the software supply chain remains secure and healthy.

The importance of open source software today cannot be overstated and its contribution to efficiency and innovation has been tremendous. But, as recent vulnerabilities and attacks show, including Log4j and Log4Shell, open source security is still an open issue and there is no unity about how to best achieve it.

Some believe the education of software development teams should be a priority. Others focus on the value of frameworks, best practices, and standards. [...] any of the above are workable methods.

This is where the OSCM comes in, trying to build a consensus on a simple approach. As a first step, the manifesto attempts to bring the focus on "consumption", as a more general frame than "development", with security vulnerabilities being only a part of the equation. The other part of the equation lies deep within the software supply chain, where new kind of attacks have become commonplace.

Open source consumption risk now includes malicious packages and malware attacks. In quick order, bad actors have shifted left to target open source projects. Attacks like dependency and manifest confusion represent real risks.

The OSCM includes a number of points attempting to bring the attention to and prioritize what really matters. For example, it stresses the fact that not all vulnerabilities are actively curated and scoring systems such as CVSS may suffer from a lag effect.

It also suggests using audit and quarantine functionality for components matching known vulnerabilities and malicious packages, as well as focusing on tools and processes allowing teams to take informed decisions on open source software they are using.

Two additional suggestions, among several others, include actively engaging with open source developers to contribute to their effort and adopting tooling, best practices, and processes aimed to improve security.

The Open Source Consumption Manifesto is still in its early days and setting itself as a collaborative endeavor open to contributions and aiming for inclusion. It is hosted on GitHub and its proponents are welcoming pull requests.

About the Author

Sergio De Simone

Show moreShow less

Rate this Article

Adoption
Style

This content is in the Security topic

Related Topics:
BT