Skip to main content
close search
site logo

Software industry urged to assume risk on open source security

The Open Source Security Foundation called on organizations that use open source software components to adopt better security practices.

Published Sept. 1, 2023
David Jones's headshot
Reporter
Close-up Focus on Person's Hands Typing on the Desktop Computer Keyboard
gorodenkoff via Getty Images

First published on

Cybersecurity Dive

The key to fixing massive security problems in the software supply chain lies with major consumers of open source, according to a group of experts from the Open Source Security Foundation. 

Open Source Consumption Manifesto, a document released Thursday on behalf of the OSSF End Users Working Group, calls on commercial and non-commercial development organizations to: 

  • Consider the critical role of open source software consumption in building a secure software supply chain.
  • Balance open source software consumption against a defined risk profile, which depends on factors like risk tolerance, regulatory context, etc.
  • Recognize potential risks, including vulnerabilities, malicious software and component choice.
  • Understand not all vulnerabilities are actively curated, and risk scoring systems (such as CVSS) can be trailing indicators.
  • Utilize audits and quarantine functionality for components matching known vulnerabilities and malicious packages. 

The manifesto is aimed at organizations that use open source components as dependencies in their own software, according to Brian Fox, co-founder and CTO of Sonatype and one of the authors of the manifesto.

“The typical application is 80%-90% open source and has been for nearly two decades,” Fox said via email. “We need these organizations to manage the open source dependencies intentionally, like they do for third party software they buy.”

The group says open source maintainers should not carry the bulk of the burden for supply chain security.

Incidents like the Sunburst malware supply chain attack against Solarwinds and the Log4j vulnerability led to a crisis of confidence, but the group insists that new practices by large consumers of open source can change that dynamic. 

The manifesto comes just weeks after the White House issued a request for information about open source security and the use of memory-safe languages. A central component of the Biden administration’s national cybersecurity strategy has been developing better ways to secure supply chains in the wake of the Log4j crisis.

Editors' picks

Company Announcements

View all | Post a press release
New Research Reveals AI's Impact on IT's Power, Status, and Pay
From 1E
November 21, 2024
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Editors' picks
Latest in IT Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell