Alpha-Omega initiative aims to improve the security of 10 thousand open source projects

The OpenSSF Foundation (Open Source Security Foundation) has introduced the Alpha-Omega project, under which it plans to spend 10 million dollars on improving the security of open source software. The funds will be provided by the founders of OpenSSF, including Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk and VMware. Google and Microsoft are ready to contribute 5 million dollars right away.

The project consists of two components:

  • The Alpha part involves a manual security audit of 200 widely used open source projects, selected as the most popular in terms of their use as dependencies or as infrastructure components. The work will be carried out in collaboration with the projects' maintainers and will include a systematic review of the code to identify new vulnerabilities and fix them promptly.
  • The Omega part focuses on automated testing of the 10 thousand most popular open source projects. A separate team of engineers will be created to run the testing, improve the methods used, analyze the results, communicate findings to project developers and coordinate the remediation of critical problems. The main task of this team will be to discard false positives and identify the real vulnerabilities in the automated reports.

The manual audit at the Alpha stage is needed to uncover hidden problems that are hard to detect with automated testing. The recent critical vulnerabilities in Log4j, which affected the infrastructure of a large number of large companies, are cited as an example of such problems. Projects for audit will be selected taking into account the recommendations of the expert community and data from the previously compiled Criticality Score and Census ratings.

Recall that the OpenSSF Foundation was created under the auspices of the Linux Foundation and concentrates on areas such as coordinated disclosure of vulnerability information, distribution of fixes, development of security tools, publication of best practices for secure development processes, detection of security threats in open source software, auditing and hardening of critical open source projects, and creation of tools for verifying developer identity.
OpenSSF continues the work of initiatives such as the Core Infrastructure Initiative and the Open Source Security Coalition, and also consolidates other security-related work of the companies that have joined it.

/Media reports.