
More critical flaws similar to Log4Shell found in open source are almost inevitable, but Open Source Security Foundation’s (OpenSSF’s) goal is to make those incidents rare and continually make the attackers’ job harder, a Linux Foundation executive noted.

Founded in 2020, OpenSSF is a cross-industry organization hosted by the Linux Foundation that brings together individuals and companies including Cisco, GitHub, Google, and VMware, to develop better security tools and practices for open source application development without bias toward a specific ecosystem or vendor.

The organization offers automation tools, educational materials, and courses and develops various projects and frameworks — including Supply Chain Levels for Software Artifacts (SLSA), Secure Supply Chain Consumption Framework (S2C2F), Software Bill of Materials (SBOM) Everywhere, and Alpha-Omega — to improve security for the open source community, David Wheeler, Director of open source supply chain security at the Linux Foundation, told SDxCentral.

“Certainly nobody wants another Log4j, [but] a major vulnerability in software that beats open source or closed source is probably inevitable,” he said. “So the goal is to make these kinds of problems rare. And so we are working towards that end.”

Wheeler noted that OpenSSF offers open source security courses that specifically teach students not to make the mistake that occurred in the Apache Log4j 2 Java library.

“Unfortunately, Log4Shell was not, as far as anyone can tell, intentional maliciousness. It was an honest mistake, in part due to the complexity of code, and in part, frankly due to people who are doing the development not knowing how to do certain kinds of secure software development, and the tools that really support them either,” he said.