Open Source Security Foundation Raises $10M


LOS ANGELES, Calif – KubeCon – October 13, 2021 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together multiple open source software initiatives under one umbrella to identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. Open source luminary Brian Behlendorf will serve the OpenSSF community as General Manager.
Financial commitments from Premier members include Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware. Additional commitments come from General members Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust Japan, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.
“This pan-industry commitment is answering the call from the White House to raise the baseline for our collective cybersecurity wellbeing, as well as ‘paying it forward’ to open source communities to help them create secure software from which we all benefit,” said Jim Zemlin, executive director at the Linux Foundation. “We’re pleased to have Brian Behlendorf’s leadership and extensive expertise on building and sustaining large communities and technical initiatives applied to this work. With the tremendous growth and pervasiveness of open source software, building cybersecurity practices and programs that scale is our biggest task at hand.”
According to industry reports (“2021 State of the Software Supply Chain,” by Sonatype), software supply chain attacks have increased 650 percent and are having a severe impact on business operations. In the wake of increasing security breaches, ransomware attacks, and other cybercrimes tied to open source software, government leaders worldwide are calling for private and public collaboration. Because open source software makes up at least 70 percent of all software (“2020 Open Source Security and Risk Analysis Report” by Synopsys), the OpenSSF offers the natural, neutral, and pan-industry forum to accelerate the security of the software supply chain.
“There has never been a more exciting time to work in the open source community, and software supply chain security has never needed more of our attention,” said Brian Behlendorf, general manager, Open Source Security Foundation. “There is no single silver bullet for securing software supply chains. Research, training, best practices, tooling and collaboration require the collective power of thousands of critical minds across our community. Funding for OpenSSF gives us the forum and resources to do this work.”
The OpenSSF is home to a variety of open source software, open standards, and other open content work for improving security. Examples include:
For more information about OpenSSF, please visit:

Member Quotes
“Open source software plays an increasingly important role across the entire landscape of information security. Convening industry leaders to invest in developing policies, practices, tooling, and education around open source security benefits us all. AWS was a founding member of the Core Infrastructure Initiative in 2014, and we’ll now build on the relationships and investments that continue the mission by joining OpenSSF as a Premier Member. With our partners in this initiative, and as active contributors in many open source communities, we’ll help raise the bar in the security of open source software,” said Mark Ryland, Director of the Office of the CISO at AWS.
“OpenSSF will enable the community, across industries, to build tools and practices to secure the software supply chain for open source and beyond. This is critical to the future of API and application security, which are fast becoming a primary attack vector for all business going forward,” says Vijoy Pandey, VP of Emerging Technologies & Incubation at Cisco. “At Cisco, we believe the application experience is the new brand, which demands better app velocity, trust, security, and availability. This belief drives our deep investment in application security and full-stack observability, which is why joining forces with this prestigious foundation and organization as a trusted advisor and partner was a no brainer for us.”
Dell Technologies
“The Linux Foundation’s focus on security is fundamental to addressing the growing risks associated with software,” said John Roese, Dell Technologies’ Global Chief Technology Officer. “The Open Source Security Foundation’s work will help us collectively make sure critical software packages and the end to end software supply pipeline is secure and trustworthy.”
“As a leader in mobile communication, pioneering and driving 5G globally, security is at the core of the network infrastructure we build and deliver to our customers. In an industry increasingly built around open source and open standardization we are fully committed to address cybersecurity vulnerabilities in a collaborative effort. We are proud to join the Open Source Security Foundation as a founding member and we look forward to continuing to work with the community and wider industry for a secure software supply chain, including the open source components,” says Erik Ekudden, Senior Vice President and Chief Technology Officer, Ericsson.
“Open Source Software plays a critical role in Fidelity’s technology strategy. We are proud to be part of the Open Source Security Foundation and to work with others to ensure that Open Source solutions and their supply chains are safe, secure, and reliable, enabling Fidelity to better serve our customers and clients,” said John Andrukonis, SVP, Fidelity Application Architecture.
“The world runs on software, and most of that software includes and relies on open source,” said Mike Hanley, Chief Security Officer at GitHub. “As the home to more than 65 million developers around the world, we’re excited to continue partnering across the open source community and with other Open Source Security Foundation members to power a more secure, trustworthy future that will benefit everyone.”
“We’re doubling down on our OpenSSF commitment in the wake of increasing open source software supply chain attacks and President Biden’s Executive Order,” said Eric Brewer, vice president of infrastructure and fellow at Google. “This decision is part of our White House pledge to spend $100 million to fund open source security foundations and follows a variety of investments we’ve made to support developers and security engineers across the public and private sectors. The OpenSSF is the best place for cross-industry leadership for these very challenging topics, and we look forward to working with the US and other governments to improve security worldwide.”
“IBM is deeply focused on developing and building highly secure hybrid cloud, AI and quantum-safe technologies that are designed to protect our clients’ most sensitive workloads both today and into the future,” said Jamie Thomas, General Manager, Strategy & Development and IBM Enterprise Security Executive. “As a long-time open source leader, IBM looks forward to working with the OSSF, our industry partners, and open source communities towards addressing the ever-increasing challenge of hardware and software open source supply chain security.”
“As a long-standing member of the open source software community, Intel contributes every day in the upstream projects we collaborate with,” said Greg Lavender, senior vice president, CTO, and general manager of Software and Advanced Technology at Intel Corporation. “Along with the Linux Foundation, we believe the Open Security Foundation (OpenSSF) is a unique opportunity to engage in projects and efforts focused on improving the quality and security for today and our future. Intel remains committed to providing contributions that benefit open source software supply chains and improving the security posture of critical projects on which our ecosystem depends.”
JPMorgan Chase
“JPMorgan Chase is deeply committed to working with the open source community to solve our most pressing security challenges. As a founding member of the Open Source Security Foundation, we have worked together to improve the security of open source and the integrity of all software. We commend the US Government’s recent initiative to raise awareness on this pressing matter and call to action the technology community to solve one of the most complex security challenges of our time. We welcome the new members to OpenSSF and look forward to continuing the journey of innovation and bringing meaningful change to how we build, secure, and validate software,” said Pat Opet, Chief Information Security Officer, JPMorgan Chase & Co.
“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own. All of us at Microsoft are excited to participate with others in contributing new investments to the Open Source Security Foundation and we look forward to building more secure software through community-driven efforts to create solutions that will help us all,” said Mark Russinovich, Azure CTO and Technical Fellow, Microsoft.
Morgan Stanley
“Whether we’re leveraging open source in our own code, contributing to OSS projects, or consuming OSS through technology we procure and utilize, the safety and security of OSS and the creation of a trustworthy supply chain is critical to all businesses. To that end, we’re delighted to join the Linux Foundation’s Open Source Security Foundation project to collaborate with our cross-industry partners to improve the security, safety and trust in the OSS ecosystem,” said Neil Allen, Global Head of Cyber Security Engineering, Morgan Stanley.
“As a contributing member of the open source software community and an inaugural Linux Foundation member, Oracle has numerous developers that contribute to third-party open source projects every day,” said Wim Coekaerts, senior vice president of software development, Oracle. “Oracle looks forward to participating in the Open Source Security Foundation and working with other members to continue to strengthen the software supply chain, helping customers work more securely.”
Red Hat
“Open source is pervasive in software solutions of all kinds, and cybersecurity attack rates are on the rise. Our customers look to Red Hat to provide trust and enhanced security in our open source based portfolio. Open source and community collaboration is the best way to solve big, industry-wide challenges, such as open source supply chain security. And that’s why we’re excited to join together with the Linux Foundation and other industry leaders so we can continue to improve the technologies and practices to build a more secure future from open source software,” said Chris Wright, senior vice president and CTO, Red Hat.
“Open source is built by millions of empowered developers, who also need to secure this critical foundation of the digital world,” said Guy Podjarny, Founder & President, Snyk. “The vital work of the Linux Foundation and the OpenSSF ensures we collectively live up to this responsibility. The Snyk community is fully committed to this important, collaborative effort and we look forward to working closely with the other OpenSSF members to better secure OSS so it can continue to safely fuel innovation.”
“Every company that uses software should be concerned about their software supply chain,” said Kit Colbert, chief technology officer, VMware. “For 2-plus years, VMware has engaged in contributions to open source projects in the broader software supply chain security space and invested in initiatives to help customers further strengthen their security policies and processes. As a member of the Open Source Security Foundation, we’re committed to collaborating across the industry to drive an increased level of software supply chain security.”

General Member Quotes
“Software supply chain risks are becoming pervasive, with the potential to slow application delivery and stunt innovation,” commented John Leon, VP of Business Development at Apiiro. “Managing application risk has become increasingly complex and requires visibility across the SDLC – including the supply chain. Apiiro is pleased to partner with the open source community and support the Linux Foundation and OpenSSF as they power the collaboration that’s vital to securing software.”
“AuriStor’s founders have contributed to the standardization of security protocols and open source development of security first software for more than 35 years. We view the OpenSSF, its working groups and projects, and those who participate in them as important to improving the security of every industry, service, and home. The OpenSSF has the potential to make a significant difference in everyone’s future. We encourage all members of the software development community to contribute,” said AuriStor Founder and CEO Jeffrey Altman.
“We seized the opportunity to join this foundation because OpenSSF offers a real industry-neutral forum to accelerate the hardening and security of the software supply chain. Devgistics (formerly InfoSiftr) provides critical improvements to the world’s most popular open-source repository. Devgistics has been involved in many free and open-source projects for years, including being a Moby (Docker Engine) maintainer, providing support to the Docker/container ecosystem, and serving in the Open Container Initiative. Devgistics continues to contribute cutting-edge solutions for security-conscious clients like the US Air Force,” said Devgistics Founder and President Justin Steele.
“DTCC is committed to developing highly resilient and secure code to safeguard the financial market. DTCC is proud to be part of the OpenSSF community and looks forward to partnering with our fellow members on safe, secure and reliable computing,” said Ajoy Kumar, Head of Tech/Cyber Risk at DTCC.
“As organizations modernize software development and shift security left, GitLab believes that open source will play a key role in fostering this modernization and delivering secure software with velocity to the market,” said Eric Johnson, CTO at GitLab. “Supporting the Open Source Security Foundation aligns with GitLab’s mission of enabling everyone to contribute, and we look forward to supporting, collaborating, and sharing our expertise in implementing security in GitLab’s DevOps Platform to the OpenSSF community.”
Goldman Sachs
“Continuing to secure the software supply chain, in particular the many critical open source projects foundational to any modern organization’s IT architecture, is a top strategic imperative for Goldman Sachs, our peers, partners, and clients in financial services, the technology ecosystem, and the broader economy,” said Atte Lahtiranta, chief technology officer at Goldman Sachs. “This work cannot be done in individual organizational silos. We instead need to work collaboratively, across both the private and public sector, together with open source maintainers and contributors, to answer the call to action that is the recent cybersecurity executive order. The OpenSSF will provide a critical forum and related infrastructure to allow us to share leading practices, develop improved tooling, and work together to better protect our digital infrastructure.”
“Open-source software is the backbone of hundreds of thousands of today’s applications, making it critical that we do our best to flag new vulnerabilities and insecure components fast—before they compromise businesses or critical infrastructure,” said Asaf Karas, JFrog Security CTO. “We’re happy to expand our membership with the Linux Foundation and support this cross-industry collaboration to identify and fix open source security vulnerabilities, strengthen tools, and promote best practices to ensure developers can easily shift left and bake-in security from the start of application planning and design — all the way to software deployment, distribution, and runtime.”
“Software development is moving faster than ever before. The industry needs tooling and processes to ensure that security can keep up with today’s pace of development. StackHawk is excited about the work that the Open Source Security Foundation is doing to improve security and we’re proud to continue as a member,” said Joni Klippert, StackHawk Founder & CEO.
“In IT development so far, an increasing number of critical services and core competencies have been built on open source, and this trend will continue. As an important part of the software supply chain, open source security plays an important role in the entire software supply chain. Tencent Cloud has always been keen to contribute code and technology to open source projects, and also maintains a continuous huge investment in security. It is very gratifying to see that OpenSSF can be established, and we look forward to working closely with industry partners to improve the security level of open source software and strengthen the software supply chain security,” said KK Dong, Chief Security Officer at Tencent Cloud.
Wind River
“As the dependency on open-source software becomes increasingly pervasive, the Open Source Security Foundation’s community-driven approach to developing and sharing security metrics, tools and best practices becomes an imperative. Our customers are actively interested in the health of the open source from which their solutions are built, and assuring secure development across the open supply chain is vital,” said Paul Miller, CTO, Wind River. “We’re looking forward to collaborating more closely with the OpenSSF community. By working together, Wind River can provide customers with a level of open source security assurance that would otherwise be unobtainable.”

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: Linux is a registered trademark of Linus Torvalds.