The Open Source Security Foundation: Better late than never

The difficulty of organizing effective bug hunting across open source software has been raised several times.

The creation of an Open Source Security Foundation is the most anticipated answer, because it promises to organize the search for bugs in open source software better than anything before it.


The arrival of the Open Source Security Foundation initiative puts cybersecurity at the heart of every project. Given how long the idea has been around, it is hard to understand why it took so long to come to fruition. Unfortunately, that delay gave attackers time to exploit bugs in open source components such as OpenSSL, Apache Struts and several similar projects whose security had been neglected.

Hence the regret that creating the Foundation took so long. It is time to pool efforts to protect free software, and that responsibility falls on every company.

If the initiative comes to life in 2020, it should be encouraged. The fragmented way open source is built has contributed heavily to its vulnerability. According to Kim Lewandowski, product manager at Google and a member of the OpenSSF board of directors: "We all depend on open source, and there is no reason for everyone to try to solve this problem individually or in silos." While her view is clearly right, the question remains why it took so long to act on it.

Recall that the core security problem of open source is that it is not confined to a single company. If a bank uses open source software, for example, it has every right to ask that the software be secured. But securing it costs money, and paying to use an application runs contrary to the very principle of open source. The problem affects almost every company, including Google, which both contributes heavily to the production of open source software and relies on it extensively. "Google is not going to rewrite all the open source software available on the Internet today that we and our customers use," says Google's Kim Lewandowski.

Even if Google committed the resources, it could not achieve a goal of this kind, because the open source universe is vast and keeps growing. At best, it can fix vulnerabilities in OpenSSL or Apache Struts. In short, a single company, however strong, cannot solve this problem alone: too much diversity, too many different needs, too many different projects. That makes the problem complex, and even with the money available it remains a challenge. "There have been cases where some project maintainers refused to be paid or simply to get involved in the changes we need."

Several open source projects also need support in the form of security tooling and audits. The Open Source Security Foundation is meant to take this on, helping foundations that already oversee such projects, such as the Cloud Native Computing Foundation (CNCF) and other organizations. "Some audits are excellent and have uncovered many things, but if the auditor does not complete the audit, projects may find themselves stuck with a mountain of outstanding fixes," notes Kim Lewandowski. She adds that sometimes "people also simply fix bugs just to pass the audit, or in search of a quick fix, without solving the underlying security problem."

The real challenge right now is bringing an entire community together around a common goal: identifying and fixing security issues. As Google's product manager explains: "OpenSSF is currently considering different ways to encourage contributors to resolve security vulnerabilities, although it probably won't be simple. For example, some companies are willing to bring in the expertise of their engineers to help fix bugs, which is a good thing. But can OpenSSF hold them accountable for these changes? For example, if a number of companies, members of the OpenSSF, each hire five engineers, how can we show accountability to ensure that all these engineers do exactly what we expect them to do within the Foundation? These are difficult problems, and we need more help to solve them."
