Amazon, Microsoft, Google, and others want to tackle the IT security problem primarily with money: 30 million US dollars are already on the table. Through a collaboration project of the Open Source Security Foundation (OpenSSF), big names in the IT industry want to standardize their security practices and thereby better secure the open-source world. A ten-point plan presented by the OpenSSF for this purpose is to be backed by funding of around 150 million US dollars over the next two years, as the organization announced.
A first tranche of the planned sum comes from early supporters of the OpenSSF. According to the announcement, these include Amazon, Ericsson, Google, Intel, Microsoft, and VMware, who initially want to jointly provide 30 million US dollars. It continues: "As the plan evolves, additional funding will be identified and work will begin as individual funding streams are agreed."
The measures in the ten-point plan include better security training, building a risk analysis for thousands of open-source components, rolling out digital signatures for releases, and replacing existing components with rewrites in a memory-safe language. The latter is currently being promoted by Google, for example via a Rust module for the Apache web server, Rustls, or Rust in the Linux kernel.
The OpenSSF also focuses on code scanning and on securing the so-called software supply chain, which includes package managers such as NPM. A large part of the work is not carried out by the organization itself but by its member companies. For example, Google has announced an open-source maintenance crew that will work with upstream projects to ensure their security.