Open-source security has taken multiple steps forward in 2022, thanks in no small part to multiple efforts led by the Open Source Security Foundation, aka OpenSSF.

One of the marquee efforts from OpenSSF, launched in Feb., is the Alpha-Omega effort. The initial goal of the effort was to provide support to help improve security for a small set of open-source projects, which was the Alpha component. The Omega component was all about building and providing tooling that can help a broader set of critically important open-source efforts. Now, after nearly a year of operation, the OpenSSF today issued an annual report outlining what Alpha-Omega has actually achieved to advance the state of open-source security. 

“At the beginning, we weren’t really sure what the uptake for Alpha would be,” Michael Scovetta, principal security manager at Microsoft, and one of the leads for Alpha-Omega, told VentureBeat. “We had hoped that organizations would kind of want help and be willing to do this, but we didn’t have a lot of data to prove that.”

As it turns out, open-source organizations were receptive to the offer of security help from the OpenSSF. In the first year, Node.js, the Eclipse Foundation, the Rust Foundation, jQuery, and the Python Software Foundation have been brought into the Alpha part of the Alpha-Omega effort.

The uptake hasn’t been just limited to organizations willing to accept support, but also organizations willing to contribute financially. Alongside the annual report today, the OpenSSF announced that Amazon has pledged $2.5 million to the Alpha-Omega effort. Total funding for the Alpha-Omega project now stands at $8.5 million.

The challenge of securing the most critical open-source effort belongs to Alpha

The OpenSSF is an organization run by the Linux Foundation that is tasked with helping to secure open-source software across multiple aspects of the software development and supply chain life cycle.

In May, the organization announced a multiyear plan to help secure all open-source software. It’s an effort that comes with a hefty price tag of $147.9 million. Alpha-Omega is a subset of the OpenSSF’s broader goals of securing all open-source software. Rather than securing everything, with Alpha-Omega the goal is to make specific efforts to help secure the most critical open-source software.

Node.js is among the benefactors of Alpha-Omega and has been issuing monthly updates on its progress since May. Node.js is one of most popular open-source JavaScript frameworks and is widely used for both front- and back-end web development. With the support of Alpha-Omega, the Node.js project has been able to activate the Node Security Working Group, which has been developing a threat model for the technology.

The group has also been working on integrating security directly into the continuous integration/continuous deployment (CI/CD) application development infrastructure to automatically identify potential vulnerabilities.

The Eclipse Foundation, which hosts its own large list of open-source developer projects, including the Eclipse IDE (integrated development environment) is also actively benefiting from Alpha-Omega already. As part of the effort, the Eclipse Foundation is in the process of generating Software Bill of Materials (SBOMs) for all of its projects. Detailed security audits of the most critical Eclipse Foundation project are also now under way.

Omega advances open-source security tools

On the Omega side, one of the primary developments over the past year has been the release of the Omega Analyzer tool for analyzing security information.

Scovetta said that the foundations for the Omega Analyzer were contributed to the project by Microsoft. He explained that the analyzer can orchestrate over 25 different security tools that developers can choose to run against an open-source project to find various types of security issues and software defects.

“It’s intended for security researchers to have a more efficient workflow in understanding things,” he said.

The Omega Analyzer has already found numerous vulnerabilities, and Scovetta expects that many more will be found as the tool is more widely used in the coming year.

Lessons learned and the road ahead

While Alpha-Omega has made progress in 2022, there is still much work to be done.

The project is also learning from the lessons of its first year to be even more impactful for its next year. Among the lessons that Scovetta highlighted is how much work reporting vulnerabilities actually is.

“I think we may have underestimated the amount of effort it takes to record a vulnerability and have back and forth with the maintainer, follow up and wait for something to be fixed,” Scovetta said.

To that end, he noted that there have been active discussions in the Alpha-Omega project on how to scale vulnerability reporting for open-source projects. There isn’t an obvious answer to that challenge yet, but Scovetta emphasized it’s a problem that is being worked on by Alpha-Omega.

“We really need to focus on solving that problem and I’m not exactly sure how we’re going to do that, but I know that that’s kind of near the top of our list of unsolved problems,” he said.