Technology Giants Aim to Secure Critical Open Source Projects Through ‘Core Infrastructure Initiative’ via The Linux Foundation
Industry heavyweights including Microsoft, Google, Intel, and Cisco are banding together to support and fund open source projects that make up critical elements of global information infrastructure.
The new Core Infrastructure Initiative brings technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions, The Linux Foundation announced today. Formed primarily as the industry's response to the Heartbleed crisis, the OpenSSL library will be the initiative's first project. Other open source projects will follow.
The Heartbleed vulnerability discovered earlier this month in OpenSSL has far-ranging implications because the popular SSL (Secure Sockets Layer) library is used in embedded systems, software applications, and in Internet infrastructure. Trust in SSL, a basic foundation of the Internet, was shaken because the vulnerability impacted practically every aspect of modern technology. The goal of the Core Infrastructure Initiative is to support open source projects that have become a critical part of computing and Internet infrastructure so that issues can be found and remediated faster.
“Protecting and supporting the work of open source developers and the projects that provide the underpinning of the world’s technology infrastructure is of the highest priority,” Don Ferguson, software CTO and a senior fellow at Dell, said in a statement.
Operating under the aegis of The Linux Foundation, the multi-million dollar initiative will be funded by a roster of tech giants, including Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware. The members represent a wide swath of the industry, from cloud hosting and services, hardware, software, storage, Internet services, and networking.
“Security is an industry-wide concern requiring industry-wide collaboration," Steve Lipner, partner director of software security at Microsoft, said in a statement.
The funds will be administered by the Linux Foundation and a steering group comprised of the founding members, key open source developers, and other industry stakeholders. The Linux Foundation already supports Linus Torvalds, the inventor of Linux, so that he can focus entirely on Linux development. The new initiative will extend this kind of financial support to other open source projects, so that developers and maintainers can work full-time supporting the code, said Jim Zemlin, executive director of The Linux Foundation. The funds will also go towards security audits to check the security of the code, necessary computing and test infrastructure, travel, and coordinating face-to-face meetings.
"We believe that an open-source approach to online security will ensure that code is constantly improving, making the web a safer place for us all,” Chris DiBona, director of engineering for open source at Google, said in a statement.
Providing financial support to improve security isn't a new concept, and actually has "improved the security of software in the last few years," Jaime Blasco, labs director at AlienVault, told SecurityWeek. Bug bounty programs encourage security researchers to look for vulnerabilities in code and involve experts who otherwise may not be able to devote the necessary time and effort to work on the problem.
"Crowdsourcing, whether designing the best new protocol, smart watch or getting the eyes of the brightest people together to identify software bugs and vulnerabilities, is powerful," Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi, told SecurityWeek. "Code becomes more trusted with increased visibility and input," he said.
The companies in the initiative are not interested in taking over or “close-sourcing” projects. Rather, the goal is to give developers the support they need to continue working under community guidelines. In the case of OpenSSL, which in years past collected a mere $2,000 per year despite its tremendous popularity, the funds could go towards key developers as well as to pay for other resources to enable outside code reviews and improve response times to patch requests, according to the foundation.
"Maintaining the health of the community projects that produce software critical to the security and safety of Internet commerce is in everyone's interest," Eben Moglen, a professor at the Columbia Law School and founding director of the Software Freedom Law Center, said in a statement. The Core Infrastructure Initiative will allow "dedicated programmers to continue maintaining and improving the free and open source software that makes the Net work safely for us all," Moglen said.
Open source software "sits at the heart of the majority of recent efforts" in the computer industry, Wolfgang Kandek, CTO of security firm Qualys, told SecurityWeek. Shared code lowers the cost of entry into the market and fosters innovation as engineers are freed up to experiment. Netflix got its start without being hampered by upfront infrastructure costs, and open source components keep the prices for devices making up the Internet of Things "ultra-competitive," he noted.
Open source historically has produced highly secure software. In fact, the most recent Coverity Open Scan study found that the quality of open source code surpassed the quality of proprietary code. The problem is that as systems get more interconnected, open source projects have to be both interoperable and scalable. As software becomes more complex and difficult to maintain, the need for dedicated developer support has grown accordingly.
"Open source software makes today's computing infrastructure possible," Doug Beaver, the engineering director of traffic and edge at Facebook, said in a statement. The Core Infrastructure Initiative "will help ensure that these core components of Internet infrastructure get the assistance they need to respond to new threats and to reach new levels of scale," he said.
“Open source code powers everything we do online,” added John Engates, CTO of Rackspace.
Anyone interested in joining the initiative, or donating to the fund can visit the Core Infrastructure Initiative site.