In our previous blog post, we explained what an Open Source Program Office (OSPO) is and why it is essential for companies that use or produce open source software (OSS). We also provided some guidance on how to create and manage an OSPO, and some useful resources for further learning. If you haven’t read it yet, we recommend you do so before continuing with this article.
Just a few days earlier, the Open Source Security Foundation (OpenSSF) published the Open Source Consumption Manifesto (OSCM), a set of core values and guiding principles for software organizations that consume OSS and include it in their software supply chain, and we were thrilled to see that it aligns with our vision.
The OpenSSF is a cross-industry collaboration that aims to improve the security of OSS. It was founded in 2020 as part of the Linux Foundation, and its first members included leading companies and organizations such as Google, Microsoft, IBM, GitHub, and others. The authors of this Manifesto are members of the OpenSSF End Users Working Group, which focuses on addressing the needs and challenges of OSS consumers and is chaired by Jonathan Meadows, a senior security engineer. The Manifesto was published in August 2023 as a blog post on the OpenSSF website, inspired by another famous manifesto, the Agile Manifesto.
We believe that after talking about OSPO, it is a good follow-up to talk about OSCM, because both topics are related to the challenges and opportunities of OSS for companies. While OSPO focuses on the organizational and strategic aspects of OSS, and helps companies to manage their relationship with the open source ecosystem, OSCM focuses on the technical and operational aspects, particularly on security.
Let's see what the OSCM is about.
The OSCM is a set of fifteen guidelines for companies and organizations that use OSS (that is, almost all of them) to improve their security posture and reduce the associated risks, and it can be used as a reference to create a security strategy for OSS consumption.
The blog post that presents it starts by reminding us that after the Log4Shell incident, everything changed. People were talking about it everywhere, measures were taken at the political level, and the community was shaken: it was a wake-up call, and it showed that OSS is not immune to security issues, even if it is generally considered more secure than proprietary software.
But after the initial shock, did something really change? The authors of the Manifesto think that the answer is no, and that companies are not doing enough, using OSS without a clear strategy and without taking the necessary precautions to protect themselves and their customers.
In November of 2022, Tenable found 72% of organizations remain vulnerable to Log4Shell. In December of the same year, Wired magazine drew attention to the lack of response as well. And as we drift further from December 2021, it only gets worse. Last month, software developers consumed hundreds of thousands of vulnerable versions of Log4j.
That's where the OSCM could make the difference: it's a collection of fifteen principles, or best practices, the result of a long discussion with feedback from members of different companies and disciplines, and it can help those who decide to adopt it to change their approach to OSS consumption.
We can summarize it in four core values:
Responsibility: companies should take responsibility for the consumption of OSS, and security should be considered at every stage of the software development lifecycle (SDLC).
Awareness: companies should be aware of the risks and benefits of consuming OSS, and they should be able to make informed decisions.
Collaboration: companies should collaborate with the upstream developers of consumed components, and contribute to the improvement and sustainability of the OSS ecosystem.
Continuous improvement: companies should continuously monitor, measure, and improve the security of the open source components they consume.
Please read the full text of the Manifesto for the complete list of principles and guidelines.
Following the open source philosophy, it is a collaborative effort, so the authors invite everyone to join the working group, adopt it, sign it, and share it with others.
Both OSPO and OSCM mention the importance of adopting a security strategy for the software supply chain, but they aren't frameworks or models and they don't provide a detailed plan to follow.
There are established security models, and the OSCM mentions two of them: SLSA and S2C2F. Let's see what they are about.
SLSA stands for Supply-chain Levels for Software Artifacts, and it is a framework that aims to provide a set of best practices for the software supply chain, with a focus on OSS. It was created by Google, and it is now part of the OpenSSF. It consists of four levels of assurance, from Level 1 to Level 4, that correspond to different degrees of protection against supply chain attacks.
Our CTO Paolo Mainardi mentioned SLSA in a very good article on software supply chain security, and we also mentioned it in another article about securing OCI Artifacts on Kubernetes.
S2C2F stands for Secure Supply Chain Consumption Framework, and it is a framework developed by Microsoft and contributed to the OpenSSF. S2C2F is a consumption-focused framework: it defines a set of practices and a maturity-model-based implementation guide to help organizations improve the security of their software supply chain.
These are technical details that are out of the scope of this article, but we think it is important to mention them because the security strategy of a company should be built on a solid foundation, and these frameworks show that there are already some good starting points; companies don't have to start from scratch. If you want to know more about them or about other ways to improve the security of your software supply chain, visit the OpenSSF website.
The OSCM carries an intention of inclusion. It has changed over the course of our discussions, and we invite your future changes as well. Most of all, we hope the values and principles contained in the OSCM prove helpful. And that it serves as a guide to better open source consumption in your organization.
We agree with the OpenSSF: time is running out. The security of the software supply chain is a critical issue, and every company should start to take it very seriously. We covered the OSPO topic in our previous article, and complemented it with the OSCM in this one, to show you that there are concrete and viable solutions that you can start exploring today. Of course this is not the complete picture, and you should always consider your specific context, but we hope that this article can help you to get started.
We would love to hear your thoughts, so please feel free to contact us via email or social media.