Free training opportunities, new member investments, consolidation with Core Infrastructure Initiative and new opportunities for anyone to contribute accelerate work on open source security

SAN FRANCISCO, Oct. 29, 2020 — (PRNewswire) — OpenSSF, a cross-industry collaboration to secure the open source ecosystem, today announced free training for developing secure software, a new OpenSSF professional certificate program called Secure Software Development Fundamentals and additional program and technical initiatives. It is also announcing new contributors to the Foundation and newly elected advisory council and governing board members.
Open source software has become pervasive across industries, and ensuring its security is of primary importance. The OpenSSF, hosted at the Linux Foundation, provides a structured forum for a collaborative, cross-industry effort. The foundation is committed to working both upstream and with existing communities to advance open source security for all.
Open Source Security Training and Education
OpenSSF has developed a set of three free courses on how to develop secure software on the non-profit edX learning platform. These courses are intended for software developers (including DevOps professionals, software engineers, and web application developers) and others interested in learning how to develop secure software. The courses are specifically designed to teach professionals how to develop secure software while reducing damage and increasing the speed of the response when a vulnerability is found.
The OpenSSF training program includes a Professional Certificate program, Secure Software Development Fundamentals, which allows individuals to demonstrate that they have mastered this material. Public enrollment for the courses and certificate is open now. Course content and the Professional Certificate program tests will become available on November 5.
"The OpenSSF has already demonstrated incredible momentum which underscores the increasing priorities placed on open source security," said Mike Dolan, Senior VP and GM of Projects at The Linux Foundation. "We're excited to offer the Secure Software Development Fundamentals professional certificate program to support an informed talent pool about open source security best practices."
New Member Investments
The following new contributors have joined as members of OpenSSF since earlier this year: Arduino; AuriStor; Canonical; Debricked; Facebook; Huawei Technologies; iExec Blockchain Tech; Laboratory for Innovation Science at Harvard (LISH); Open Source Technology Improvement Fund; Polyverse Corporation; Renesas; Samsung; Spectral; SUSE; Tencent; Uber; and WhiteSource. For more information on founding and new members, please visit: https://openssf.org/about/members/
Core Infrastructure Initiative Projects Integrate with OpenSSF
The OpenSSF is also bringing together existing projects from the Core Infrastructure Initiative (CII), including the CII Census (a quantitative analysis to identify critical OSS projects) and CII FOSS Contributor Survey (a quantitative survey of FOSS developers). Both will become part of the OpenSSF Securing Critical Projects working group. These two efforts will continue to be implemented by the Laboratory for Innovation Science at Harvard (LISH). The CII Best Practices badge project is also being transitioned into the OpenSSF.
The OpenSSF has elected Kay Williams from Microsoft as Governing Board Chair. Newly elected Governing Board members include:
- Jeffrey Eric Altman, AuriStor, Inc.;
- Lech Sandecki, Canonical;
- Anand Pashupathy, Intel Corporation; and
- Dan Lorenc from Google as Technical Advisory Council (TAC) representative.
An election for a Security Community Individual Representative to the Governing Board is currently underway and results will be announced by OpenSSF in November. Ryan Haning from Microsoft has been elected Chair of the Technical Advisory Council (TAC).
There will be an OpenSSF Town Hall on Monday, November 9, 2020, 10:00 a.m. to 12:00 p.m. PT, to share updates and celebrate accomplishments during the first three months of the project. Attendees will hear from our Governing Board, Technical Advisory Council and Working Group leads, have an opportunity for Q+A and learn more about how to get involved in the project.
Membership is not required to participate in the OpenSSF. For more information and to learn how to get involved, including information about participating in working groups and advisory forums, please visit https://openssf.org/getinvolved.
New Member Comments
"As an open-source company, Arduino always considered security as a top priority for us and for our community," said Massimo Banzi, Arduino co-founder. "We are excited to join the Open Source Security Foundation and we look forward to collaborating with other members to improve the security of any open-source ecosystem."
"One of the strengths of the open protocols and open source software ecosystems is the extensive reuse of code and APIs, which expands the spread of security vulnerabilities across software product boundaries. Tracking the impacted downstream software projects is a time-consuming and expensive process, often reaching into the tens of thousands of U.S. dollars. In Pixar's Ratatouille, Auguste Gusteau was famous for his belief that 'anyone can cook'. The same is true for software: 'anyone can code', but the vast majority of software developers have neither the resources nor the incentives to prioritize security-first development practices or to trace and notify impacted downstream projects. AuriStor joins the OSSF to voice the importance of providing resources to the independent developers responsible for so many critical software components." - Jeffrey Altman, Founder and CEO of AuriStor.
"It is our collective responsibility to constantly improve the security of the open source ecosystem, and we're excited to join the Open Source Security Foundation," said Lech Sandecki, Security Product Manager at Canonical. "As publishers of Ubuntu, the most popular Linux distribution, we deliver up to 10 years of security maintenance to millions of Ubuntu users worldwide. By sharing our knowledge and experience with the OpenSSF community, together, we can make the whole open source ecosystem more secure."
"The essence of open source is collaboration, and we strongly believe that the OSSF initiative will improve open source security at large. With all of the members bringing something different to the table, we can create a diverse community where knowledge, experience and best practices can help shape this space for the better. Debricked has a strong background in research and extensive insight into tooling, knowledge which we hope will be a valuable contribution to the working groups," said Daniel Wisenhoff, CEO and co-founder of Debricked.
"With open source software becoming a crucial foundation in today's world, how to ensure its security is the responsibility of every stakeholder. We believe the establishment of the Open Source Security Foundation will drive common understanding and best practices on the security of the open source supply chain and will benefit the whole industry," said Peixin Hou, Chief Expert on Open System and Software, Huawei. "We look forward to making contributions to this collaboration and working with everybody in an open manner. This reaffirms Huawei's long-standing commitment to make a better, connected and more secure and intelligent world."
Laboratory for Innovation Science at Harvard
"We are excited to bring the Core Infrastructure Initiative's research on the prevalence and current practices of open source into this broader network of industry and foundation partners," said Frank Nagle, Assistant Professor at Harvard Business School and Co-Director of the Core Infrastructure Initiative at the Laboratory for Innovation Science at Harvard. "Only through coordinated, strategically targeted efforts – among competitors and collaborators alike – can we effectively address the challenges facing open source today."
Open Source Technology Improvement Fund
"OSTIF is thrilled to collaborate with industry leaders and apply its methodology and broad expertise for securing open-source technology on a larger scale. The level of engagement across organizations and industries is inspiring, and we look forward to participating via the Securing Critical Projects Working Group," said Chief Operating Officer Amir Montazery. "The Linux Foundation and OpenSSF have been instrumental in aligning efforts towards improving open-source software, and OSTIF is grateful to be involved in the process."