The Linux Foundation has pioneered the Open Source Security Foundation (OpenSSF) project in order to improve the security of open source software.
On the 3rd of August, 2020, key players in the IT industry joined forces to improve the security of open source software. The founding members of the new alliance include GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, the OWASP Foundation and Red Hat, along with smaller companies: ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.
Previous open source security initiatives, such as the Core Infrastructure Initiative, GitHub's Open Source Security Coalition, and others, will continue to operate under the auspices of OpenSSF.
So why is so much attention being paid to the security of open source software? The answer is simple: open source software has entered almost every aspect of our lives, from PCs and cell phones to government agencies and data centers. At the same time, open source software is written by a huge number of developers, while its copying and modification take place without strict oversight by the departments responsible for the quality and safety of finished software products. As a result, the risk of malicious pieces being introduced into the source code increases. Recognizing these risks, and the need for a single center for code verification and developer identification, led the Linux Foundation to create OpenSSF.
The tasks of the new organization will include timely detection of security threats in open source software, auditing of essential open source projects, strengthening their security, developing means of identifying developers, disclosing information about vulnerabilities and methods to fix them, publishing best practices for organizing development while taking into account safety requirements, and much more.