
OpenSSF New Manifesto Urges the Software Industry to Take Responsibility for Open Source Security

The Open Source Consumption Manifesto from OpenSSF aims to make the software industry more aware of its responsibility when it comes to ensuring the software supply chain remains secure and healthy.

The importance of open source software today cannot be overstated, and its contribution to efficiency and innovation has been tremendous. But, as recent vulnerabilities and attacks such as Log4Shell in Log4j show, open source security is still an open issue and there is no consensus on how best to achieve it.

Some believe the education of software development teams should be a priority. Others focus on the value of frameworks, best practices, and standards. [...] any of the above are workable methods.

This is where the Open Source Consumption Manifesto (OSCM) comes in, trying to build consensus around a simple approach. As a first step, the manifesto shifts the focus to "consumption", a more general frame than "development", in which security vulnerabilities are only part of the equation. The other part lies deep within the software supply chain, where new kinds of attacks have become commonplace.

Open source consumption risk now includes malicious packages and malware attacks. In quick order, bad actors have shifted left to target open source projects. Attacks like dependency and manifest confusion represent real risks.

The OSCM includes a number of points attempting to draw attention to, and prioritize, what really matters. For example, it stresses that not all vulnerabilities are actively curated and that scoring systems such as CVSS may suffer from a lag effect, with scores arriving some time after disclosure.

It also suggests using audit and quarantine functionality for components matching known vulnerabilities and malicious packages, and focusing on tools and processes that allow teams to make informed decisions about the open source software they use.
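As an added illustration of the audit-and-quarantine idea (example code written for this article, not part of the manifesto or any OpenSSF tooling), the script below gates a resolved lockfile against an advisory feed. Package names, versions, scores and the advisory/lockfile data are all constructed for the example; a known-affected component that has no CVSS score yet is routed to review rather than silently allowed, which is the lag effect the manifesto warns about.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    # Turn "2.14.1" into (2, 14, 1) so version ranges compare numerically.
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    package: str
    introduced: str               # first affected version (inclusive)
    fixed: Optional[str]          # first fixed version (exclusive); None = no fix yet
    cvss: Optional[float]         # None = not yet scored (the "lag effect")
    malicious: bool = False       # True for a known malicious package, not a bug

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)

# Constructed advisory feed; names, versions and scores are illustrative only.
ADVISORIES = [
    Advisory("logutil", "2.0.0", "2.15.0", cvss=10.0),
    Advisory("yamlfast", "1.0.0", None, cvss=None),                  # reported, not yet scored
    Advisory("requestz", "0.0.0", None, cvss=None, malicious=True),  # known malicious package
]

# Constructed lockfile: what the build actually resolved.
LOCKFILE = {"logutil": "2.14.1", "yamlfast": "1.3.2", "requestz": "1.0.0", "flask": "2.3.0"}

def audit(lockfile: dict, advisories: list) -> dict:
    """Map each resolved package to 'allow', 'quarantine' or 'review'."""
    decisions = {}
    for pkg, ver in lockfile.items():
        hits = [a for a in advisories if a.package == pkg and a.affects(ver)]
        if not hits:
            decisions[pkg] = "allow"
        elif any(a.malicious for a in hits):
            decisions[pkg] = "quarantine"   # malware: block regardless of any score
        elif any(a.cvss is not None and a.cvss >= 7.0 for a in hits):
            decisions[pkg] = "quarantine"   # scored high or critical
        else:
            decisions[pkg] = "review"       # affected but unscored/low: "no CVSS" is not "safe"
    return decisions

if __name__ == "__main__":
    for pkg, decision in audit(LOCKFILE, ADVISORIES).items():
        print(f"{pkg:10s} {LOCKFILE[pkg]:8s} -> {decision}")
```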

Two further suggestions, among several others, are to actively engage with open source developers and contribute to their efforts, and to adopt tooling, best practices, and processes aimed at improving security.

The Open Source Consumption Manifesto is still in its early days and positions itself as a collaborative, inclusive endeavor open to contributions. It is hosted on GitHub and its proponents welcome pull requests.
