The Linux Foundation and Open Source Software Security Foundation (OpenSSF) Gather Industry and Government Leaders for Open Source Software Security Summit II
10-Point Open Source and Software Supply Chain Security Mobilization Plan Released with Initial Pledges Surpassing $30M
WASHINGTON, May 12, 2022 /PRNewswire/ -- The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB to reach a consensus on key actions to take to improve the resiliency and security of open source software.
Open Source Software Security Summit II is a follow-up to the first Summit, held January 13, 2022, which was led by the White House's National Security Council. Today's meeting was convened by the Linux Foundation and OpenSSF on the one-year anniversary of President Biden's Executive Order on Improving the Nation's Cybersecurity.
The Linux Foundation and OpenSSF, with input provided from all sectors, delivered a first-of-its-kind plan to broadly address open source and software supply chain security. The Summit II plan outlines approximately $150M of funding over two years to rapidly advance well-vetted solutions to the ten major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future.
A subset of participating organizations have come together to collectively pledge an initial tranche of funding towards implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMware, pledging over $30M. As the plan evolves further, more funding will be identified, and work will begin as individual streams are agreed upon.
This builds on the existing investments that OpenSSF community members already make in open source software. An informal poll of our stakeholders indicates they spend over $110M and employ nearly a hundred full-time-equivalent employees focused on nothing but securing the open source software landscape. This plan adds to those investments.
Jim Zemlin - Executive Director, Linux Foundation: "On the one year anniversary of President Biden's executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security and it is fundamental to billions of dollars being invested in software innovation today. We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself. This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership."
Brian Behlendorf - Executive Director, Open Source Security Foundation (OpenSSF): "What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action."
"As a board member of OpenSSF, we are committed to open source security and we are fully supportive of the mobilization plan with the objective of improving supply chain security in the open source ecosystem. Being an advocate and adopter of global standards, the initiatives aim to strengthen open source security from a global perspective."
"The security of open source is critical to the security of all software. Summit II has been an important next step in bringing the private and public sector together again and we look forward to continuing our partnerships to make a significant impact on the future of software security."
Melissa Evers, Vice President, Software and Advanced Technology, General Manager of Strategy to Execution
Mark Curphey (founder of OWASP) and John Viega (author of the first book on software security), Stream Coordinators
"SAP is firmly committed to supporting the execution of the Open Source Software Security Mobilization Plan and we look forward to continuing our collaboration with our government, industry, and academic partners."
"As the only global systems integrator in the OpenSSF ecosystem and in line with its support of OpenSSF objectives, Wipro will commit to training 100 of its cybersecurity experts to the level of trainer status in LF and OpenSSF secure coding best practices and to host training workshops with its premier global clients and their developer and cybersecurity teams.
"Further, Wipro will increase its public contributions to Sigstore and the SLSA framework by integrating them into its own solutions and building a community of 50+ contributors to these critical projects."
Three Goals of the 10-Point Plan
The 10-Point Plan Summarized (available in full here)
View original content to download multimedia: https://www.prnewswire.com/news-releases/the-linux-foundation-and-open-source-software-security-foundation-openssf-gather-industry-and-government-leaders-for-open-source-software-security-summit-ii-301546671.html
SOURCE The Linux Foundation