Security is becoming an increasingly key piece of the open source puzzle amid industry-wide pushes to shift left and integrate security during early stages of application development.

The Linux Foundation’s Open Source Security Foundation (OpenSSF) is one example of how the open source community is working to improve software security through an ecosystem approach, vying for proactive handling of security by default.

OpenSSF brings together players like Cisco, GitHub, Google, VMware, and others to develop better security tools and practices for open source application development without bias toward a specific ecosystem or vendor.

“It’s been very much a volunteer-driven effort involving all sorts of companies and individual software experts,” OpenSSF GM Brian Behlendorf said during a KubeCon press conference.

OpenSSF has amassed a set of projects focused on educating open source developers on secure software development practices, identifying critical projects, and reinventing how digital identity relates to developers and security, Behlendorf explained.

The foundation aims to be a home for initiatives that focus on understanding the landscape of open source code and upgrading developer tooling to include more security aspects.

OpenSSF also prioritizes helping open source security teams work together to understand common challenges, address vulnerabilities in a timely manner, and better assess risk.

But despite the progress made so far, “there’s a whole lot of work to do in this space,” Behlendorf said.

Project SLSA

Google’s Supply chain Levels for Software Artifacts (SLSA) project is a framework for ensuring the integrity of software artifacts throughout the software supply chain and is a key project within OpenSSF.

Initially launched in June, Project SLSA allows companies to audit the supply chain within internal workflows by using a system of incremental levels, each with an increasing amount of trustworthiness. Only secure and untampered-with artifacts reach the fourth and highest level. These artifacts can be securely traced back to their source, providing a sense of confidence for consumers.

Google, a founding member of OpenSSF, based its SLSA efforts on its internal Binary Authorization for Borg, which has been in use for the past eight years and is mandatory for all of Google’s production workloads.

“[Project SLSA] has been inspired by things coming out of OpenSSF, and we’re looking to see what we [can] do to increase the amount of resources available to that project,” Behlendorf said.

In a blog post about SLSA, Kim Lewandowski of Google’s open source security team laid out eight different threats — for example, a compromised build platform like with the SolarWinds breach — and how SLSA’s framework might have prevented them, or at least made them more difficult for attackers to exploit.

“In its final form, SLSA will differ from a list of best practices in its enforceability. It will support the automatic creation of auditable metadata that can be fed into policy engines to give ‘SLSA certification’ to a particular package or build platform,” the blog explains.
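The enforcement model the post describes, auditable provenance metadata checked by a policy engine before an artifact is admitted, as an added illustration that is not code from the article, Google or the SLSA project: a toy policy check over a constructed provenance record, in which the field names, the builder and source URIs, and the revision value are all assumptions for this example.

```python
import hashlib

# Constructed sample artifact and provenance record (not real SLSA output).
# Field names are simplified assumptions modelled loosely on attestation-style
# metadata; a real policy engine would also verify a signature over the record.
ARTIFACT = b"example release tarball contents"
PROVENANCE = {
    "subject": {"name": "app-1.2.3.tar.gz",
                "sha256": hashlib.sha256(ARTIFACT).hexdigest()},
    "builder_id": "https://ci.example.com/hosted-builder",   # assumed URI
    "source_uri": "git+https://github.com/example/app",      # assumed URI
    "source_revision": "0123abcd",                           # constructed value
}

# Policy: which build platforms and source repositories this consumer trusts.
POLICY = {
    "trusted_builders": {"https://ci.example.com/hosted-builder"},
    "allowed_sources": {"git+https://github.com/example/app"},
}


def evaluate(artifact: bytes, provenance: dict, policy: dict) -> list[str]:
    """Return the list of policy violations; an empty list means 'admit'."""
    problems = []
    # 1. The provenance must describe exactly this artifact: recompute the digest
    #    rather than trusting the name, so a tampered artifact is caught.
    actual = hashlib.sha256(artifact).hexdigest()
    if provenance.get("subject", {}).get("sha256") != actual:
        problems.append("artifact digest does not match provenance subject")
    # 2. Only builds from a trusted build platform are accepted.
    if provenance.get("builder_id") not in policy["trusted_builders"]:
        problems.append("untrusted build platform")
    # 3. The artifact must trace back to an approved source repository...
    if provenance.get("source_uri") not in policy["allowed_sources"]:
        problems.append("source repository not allowed")
    # ...at a specific revision, otherwise it cannot be audited later.
    if not provenance.get("source_revision"):
        problems.append("provenance does not pin a source revision")
    return problems


def admit(artifact: bytes, provenance: dict, policy: dict = POLICY) -> bool:
    """Admission decision a deployment gate would consult."""
    return not evaluate(artifact, provenance, policy)


if __name__ == "__main__":
    print("admit:", admit(ARTIFACT, PROVENANCE))
    print("tampered:", evaluate(ARTIFACT + b"\x00", PROVENANCE, POLICY))
```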