Blog | Linux Foundation

Meet LF Security: Your gateway to security-related efforts and projects across the Linux Foundation

Written by Hilary Carter | May 21, 2024 11:53:14 PM

One of our top priorities at the Linux Foundation is to enhance the security of the open source software ecosystem. At the LF, we have a variety of projects and programs that help to advance this goal of increased cybersecurity for all. To organize these initiatives and efforts, we’re excited to announce the launch of a new information gateway called LF Security. LF Security is a digital hub on our website that brings together, in one place, all the LF resources and projects that accelerate open source software security.

You can visit LF Security at this link: https://www.linuxfoundation.org/lf-security

Overview

Open source software is a digital public good, and a world where open source software is secure and trusted will broadly benefit both the industry and the community that use and develop it. Improving trust and security across the open source software ecosystem can help individuals and organizations both to use open source software and to contribute back to the community. Incidents such as Log4Shell and, more recently, the XZ Utils vulnerability, however, show how open source supply chains can be vulnerable and the lengths threat actors will go to in targeting open source software supply chains.

Achieving sustainable and secure open source software requires a concerted and ongoing effort across multiple fronts, whether through industry collaboration and funding, standards development, or initiatives at every level of the stack. In addition to the Open Source Security Foundation (OpenSSF), the Linux Foundation hosts a wide variety of efforts that address open source security at all of these levels; these efforts are all highlighted on LF Security.

Featured Projects

Projects featured on LF Security include the OpenSSF, a multi-stakeholder community focused on collaboration and developing best practices to secure the open source software ecosystem; the Post-Quantum Cryptography Alliance, a group developing cryptographic solutions resistant to quantum attacks; and LF Events, meetups for open source developers that often focus on security, such as CloudNativeSecurityCon and SOSS.

Projects span the entire stack, including the Confidential Computing Consortium, which focuses on the adoption of Trusted Execution Environment (TEE) technologies and standards; the Cloud Native Computing Foundation, which provides security research and support for cloud native projects; and LFX, which gives LF project stakeholders contextual project security data and a clear view into their projects' security. LF Security also includes initiatives that develop or maintain industry standards, including OpenChain, which develops programs and standards to build a trusted software supply chain, and SPDX, an international open standard for Software Bills of Materials.

Other Resources

Other initiatives focus on research and education: Linux Foundation Research publishes empirical insights and research around open source software security trends across industries. Most recently, LF Research has published reports on maintainer perspectives on open source security; helped create the Census II of Free and Open Source Software; and worked with Snyk on a report on progress and the current state of open source software security.

Linux Foundation Training & Certification helps teach security skills to learners around the world to ensure we have a more security-informed and security-focused workforce. Certifications and training range from hands-on workshops on secure coding fundamentals and certifications in Kubernetes cloud security to courses on DevSecOps and Cloud Native Fuzzing and the Developing Secure Software training course. A full list can be found on the LF Security website.

LF Security also includes resources and guidance on the process for how to report vulnerabilities to LF projects and foundations, or vulnerabilities related to LF infrastructure or the website. Having a clear vulnerability disclosure process is important in order to ensure our own projects’ security and demonstrate our commitment to collaborating with security researchers and the community to advance security for all.

The webpage also includes an issue alert with advice on how to avoid social engineering takeovers of open source projects. The recent attempted XZ Utils backdoor is likely not an isolated incident, but part of an emerging pattern of new threats, as evidenced by similar takeover attempts. This alert from the Open Source Security Foundation (OpenSSF) and the OpenJS Foundation aims to help developers recognize early threat patterns and take steps to protect their open source projects.

How to Contribute

This list of resources is not exhaustive and is still growing. The goal of LF Security is to provide resources around open source security for all, whether you’re new to open source or a veteran of the community. We are always looking for additional resources and projects we can feature that further highlight the important security work done throughout our projects and communities. If you want to contribute, propose a project, or share additional ideas, please get in touch!

Check out LF Security at this link: https://www.linuxfoundation.org/lf-security