Tech companies pledged an initial $30 million to fund the 10-point Open Source Software Security Mobilization Plan they developed with White House officials and released Thursday.
Amazon, Ericsson, Google, Intel, Microsoft and VMware committed the money to advance the portfolio approach to hardening the software supply chain that came out of two Open Source Software Security summits.
The plan comes in response to vulnerabilities and weaknesses in widely deployed open source software — which makes up 70% to 90% of software stacks — that threaten the security of federal agencies, infrastructure providers, businesses and nonprofits.
“It requires a cohesive effort because there’s not one root cause or one root approach that’s going to address them all,” said Brian Behlendorf, general manager of the Linux Foundation’s Open Source Security Foundation (OpenSSF), on a press call Thursday. “Industry recognizes that; I think the public sector partners recognize that as well.”
The plan aims to secure open source security production, improve vulnerability discovery and remediation, and shorten ecosystem patching responses through 10 funding streams:
- security education,
- risk assessment,
- digital signatures,
- memory safety,
- incident response,
- better scanning,
- code audits,
- data sharing,
- software bill of materials everywhere, and
- improved supply chains.
“I think this really ensures that we all understand the importance of open source, how productive it’s allowed us to be and our obligation to consider the implications of using it,” said Jamie Thomas, general manager of systems strategy and development for IBM.
OpenSFF brought together more than 90 executives from 37 companies and officials from the National Security Council, Office of the National Cyber Director, Cybersecurity and Infrastructure Security Agency, National Institute of Standards and Technology, Department of Energy, and Office of Management and Budget for its second summit to finalize the plan. The National Security Council led the first summit in January.
Tech companies must now justify their $30 million investments, a downpayment on a bigger pool of funding planned over the next two years.
“It’s the beginnings of what will hopefully be a larger fund to cover the $150 million that we identified,” Behlendorf said. “Now as the plans evolve, as we find ways to save money, as we adjust the targets to the available funding, we’ll right-size it to the opportunity.”