Security has always been of utmost importance to the entire open source ecosystem.
Eric S. Raymond, one of the luminaries of the open source movement, wrote in his famous essay, The Cathedral and the Bazaar, that “given enough eyeballs, all bugs are shallow.” While that still holds, the growing complexity of software and the increasing number of collaborators put an ever greater onus on the eyeballs hunting for vulnerabilities.
In addition to well-defined security policies at a project level, virtually all of the top organisations that contribute to open source software have security initiatives of their own.
In an effort to consolidate the various independent efforts, the Linux Foundation announced the Open Source Security Foundation (OpenSSF) back in August 2020.
This isn’t Linux Foundation’s first attempt at consolidating security efforts. Back in 2014, it shepherded various groups for a coordinated response to the Heartbleed bug under the Core Infrastructure Initiative (CII).
The OpenSSF, however, has a larger mandate and a much wider scope. It includes the CII, ropes in GitHub’s Open Source Security Coalition [https://github.blog/2020-07-09-what-we-learned-from-building-an-industry-coalition/], and combines them with the security expertise of several industry open source contributors, including Google, Microsoft, Red Hat, VMware, and others.
The foundation announced today that a total of 16 new contributors have joined the founding members, including Canonical, Facebook, Samsung, Huawei Technologies, and more.
“It is our collective responsibility to constantly improve the security of the open source ecosystem, and we’re excited to join the Open Source Security Foundation,” said Lech Sandecki, Security Product Manager at Canonical, who has also been inducted into the initiative’s governing board.
Lech pointed out that their Ubuntu distribution already has a long-term support release that provides security updates for up to 10 years, adding: “By sharing our knowledge and experience with the OpenSSF community, together, we can make the whole of open source more secure.”
One of the core principles of the initiative is to educate developers to create software that is more secure and more resistant to vulnerabilities.
To put this objective into practice, OpenSSF today launched three free courses on how to develop secure software.
According to the foundation, the three courses equip software developers (including DevOps professionals, software engineers, and web application developers) with the skills required not only to develop secure software, but also to limit the damage caused by newly discovered vulnerabilities and to reduce the time it takes to respond to them.
The OpenSSF training program also includes a professional certificate program. The courses will be delivered through edX, the non-profit online learning platform founded by Harvard and MIT.
While you can enrol for the courses and the certificate starting today, the course content and the certification exam will only become available on November 5.