Washington, D.C. (September 13, 2023) — The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), brought together US Government (USG) officials from the National Security Council (NSC), Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA) among others with industry leaders at the Secure Open Source Software (SOSS) Summit 2023. Participants at the Summit discussed the security challenges for the consumption of OSS in critical infrastructure sectors and beyond and highlighted the shared responsibility needed to ensure the resilience of OSS in critical infrastructure.
During the summit, the OpenSSF released a SOSS Vision Brief detailing the community’s work over the past year to further secure OSS and plan for the future. Given this track record of success, the Sector Risk Management Agencies (SRMAs) expressed support for partnering with OpenSSF. Each SRMA was encouraged to form partnerships with the OpenSSF as well as critical infrastructure Sector Coordinating Councils (SCCs) and Information Sharing and Analysis Centers (ISACs). Section 9 entities in each critical infrastructure sector were also encouraged to participate in the OpenSSF community. Section 9 entities are critical infrastructure providers that, subject to a cybersecurity incident, could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
Participants at the Summit expressed the need for greater collaboration and coordination among incident response entities, access to more tabletop exercises, well-coordinated vulnerability disclosures, and cross-industry threat information exchanges. Industry and government leaders determined a collaborative agenda for OSS security objectives over the course of the next year with a focus on:
1. Providing Security Education to OSS Maintainers, Contributors, and Consumers
2. Securing OSS Repositories
3. Enabling Cross-Industry OSS Incident Response (IR) Capabilities
Participants of the SOSS Summit also discussed the need for a comprehensive secure software workbench for OSS developers and kickstarted the exploration of the nexus between OSS, Security, and AI:
1. Supply Chain Security of OSS Packages (e.g., PyTorch) used in AI
2. Security of Open Sourced AI Packages (e.g., Falcon)
3. AI in the Augmentation (e.g., DARPA AIxCC) of Security for OSS
4. Applied Security of Open Source Inputs/Outputs in AI
The Secure Open Source Software Summit 2023 set the stage for impactful initiatives and cross-collaboration among the OSS community, government, and critical infrastructure sector. OpenSSF invites all stakeholders and interested parties to join the journey toward a more secure open source software ecosystem.
Participating Organizations in the SOSS Summit
U.S. Government: Advanced Research Projects Agency for Health (ARPA-H), Cybersecurity and Infrastructure Security Agency (CISA), Defense Advanced Research Projects Agency (DARPA), Department of Energy, Department of the Treasury, National Science Foundation (NSF), National Security Council (NSC), Office of Management and Budget (OMB), Office of the National Cyber Director (ONCD)
Industry: Amazon, Apple, Bank of America, Boeing, Capital One, Cisco, Citi, Dell, Ericsson, GitHub, Google, IBM, Intel, JFrog, JPMorgan Chase, Lockheed Martin, Microsoft, Morgan Stanley, Oracle, Red Hat, RTX, Sonatype, VMware
Non-Profit: Alperovitch Institute for Cybersecurity Studies, Linux Foundation (LF), FS-ISAC, ISC2, Open Source Security Foundation (OpenSSF), Fintech Open Source Foundation (FinOS)
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
