Who will be working on open source security: a look at the new projects and their future

In August the Linux Foundation founded the OpenSSF, bringing together the Core Infrastructure Initiative and the Open Source Security Coalition. Its members will develop tools for finding vulnerabilities in code and for vetting the programmers who write it. Here is what's what.



What are the benefits for the IT industry

Fewer bugs in open source software. The foundation's main effort will go into supporting solutions that reduce the likelihood of critical vulnerabilities at the IT infrastructure level.

An example is Heartbleed in OpenSSL, which lets an attacker read memory on the server or client without authorization. In 2014 about 500 thousand websites were vulnerable, and around 200 thousand of them have still not been patched.
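To make the "unauthorized reading of memory" concrete, here is an added example that is not from the original article and not OpenSSL's code: a deliberately simplified model of a TLS heartbeat handler with the Heartbleed-style defect beside its hardened form. The record layout, the `arena` buffer standing in for adjacent process memory, the `SECRET` string and the `ping` request are all constructed for the demo. The outer record length (`rec_len`) is what the record layer actually received; the inner `payload_len` field is attacker-controlled, and the bug is trusting the latter without comparing it to the former.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record layout (an assumption modelled on the real message,
 * not OpenSSL's code): [type:1][payload_len:2, big-endian][payload][padding:16] */
#define HB_HDR      3
#define HB_PADDING  16
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Constructed process memory: the received record sits at offset 0 and a
 * constructed secret follows it, standing in for whatever happened to be
 * adjacent on the heap. Over-reads in this demo stay inside this array. */
enum { ARENA_SIZE = 256 };
static uint8_t arena[ARENA_SIZE];
static const char SECRET[] = "SESSION-KEY-0xDEADBEEF";

/* Build a heartbeat request whose length field claims `claimed` payload bytes
 * while carrying only strlen(payload) real bytes. Returns the record length. */
static size_t build_request(uint8_t *rec, size_t cap, uint16_t claimed, const char *payload)
{
    size_t plen = strlen(payload);
    if (cap < HB_HDR + plen + HB_PADDING) return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + HB_HDR, payload, plen);
    memset(rec + HB_HDR + plen, 0, HB_PADDING);
    return HB_HDR + plen + HB_PADDING;
}

/* Vulnerable handler: trusts the peer-supplied payload_len and copies that many
 * bytes out of the record buffer even when the record itself is shorter.
 * Returns the response length, or -1 if it will not fit in `out`. */
static int hb_respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;                 /* only the destination is bounded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);   /* over-read past rec_len */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed handler: the claimed payload must fit inside the record that actually
 * arrived; otherwise the message is silently discarded. */
static int hb_respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload_len + HB_PADDING > rec_len) return -1;  /* the missing check */
    size_t resp_len = HB_HDR + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Portable substring search over a byte buffer. */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

typedef int (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Send a request that claims 64 payload bytes but carries 4 through `handler`.
 * Returns 1 if the secret leaked into the response, 0 if not, -1 if rejected. */
static int leaks_secret(hb_handler handler)
{
    uint8_t req[64], out[ARENA_SIZE + HB_PADDING];
    size_t req_len = build_request(req, sizeof req, 64, "ping");
    memset(arena, 0, sizeof arena);
    memcpy(arena, req, req_len);
    memcpy(arena + req_len, SECRET, sizeof SECRET - 1);  /* secret sits right after the record */
    int n = handler(arena, req_len, out, sizeof out);
    if (n < 0) return -1;
    return contains(out, (size_t)n, SECRET);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(hb_respond_vulnerable));
    printf("fixed handler leaks secret:      %d (-1 = request discarded)\n", leaks_secret(hb_respond_fixed));
    return 0;
}
```

The vulnerable handler answers the 23-byte request with an 83-byte response whose payload is whatever sat after the request in memory, which is where the secret lands; the fixed one compares the claimed length against the received length first and drops the request. The real bug had the same shape with a 64 KiB ceiling per heartbeat, which is why repeated requests could walk through a server's heap.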

New developments in this area should make it possible to respond to similar problems faster. The Open Source Security Coalition's Security Lab solution has already been rolled out on GitHub: it helps users of the site quickly pass information about bugs in code to maintainers. The GitHub interface lets you obtain a CVE identifier for the discovered problem and generate a report.

Better development practices. A curated library of best practices will be built, and anyone in the open source community will be able to influence its content. To that end, engineers from large IT companies will hold online meetings every two weeks to discuss technologies, frameworks and the particulars of programming languages.



Transparent vetting of contributors. The Core Infrastructure Initiative and the Open Source Security Coalition plan to develop new mechanisms for checking contributors. Little is known about the specifics, but the goal is to avoid a repeat of the story of the event-stream library for Node.js, where a new maintainer introduced a backdoor that stole cryptocurrency.

Outlook

The IT community has welcomed the new initiatives. Microsoft cybersecurity specialist Michael Scovetta noted that only three days passed from the moment the vulnerability was discovered until the first exploits appeared. He believes the tools developed within the OpenSSF projects will make it possible to release patches quickly and reduce risk.

One Hacker News user in the discussion thread, however, expressed concern that specialists will start creating new information security standards instead of improving existing ones, and the result will be the story told in one of the XKCD comics.


Related materials from our corporate blog:

What are the open operating systems for network equipment
How Europe is moving to open source software for government agencies
Participation in open source projects can be beneficial for companies – why and what it gives
The whole history of Linux. Part I: how it all began
The whole history of Linux. Part II: corporate twists and turns
History of Linux. Part III: new markets and old “enemies”
Benchmarks for Linux Servers
