Microsoft has announced a collaboration with several industry partners to create the Open Source Security Foundation (OpenSSF) – a new cross-industry initiative to improve the security of open source software. Hosted at the Linux Foundation, OpenSSF was founded in partnership with Google, Red Hat, IBM, NCC Group, and OWASP, as well as Microsoft-owned GitHub.

Microsoft Azure CTO Mark Russinovich said OpenSSF brings together work from the Linux Foundation-initiated Core Infrastructure Initiative (CII), the GitHub-initiated Open Source Security Coalition (OSSC), and other open source security efforts. It aims to build a broader open source software security community, targeted initiatives, and best practices.
Russinovich said that open source software is core to nearly every company’s technology strategy and securing it is an essential part of securing supply chains, including Microsoft’s own. Since it is inherently community-driven, there is no central authority responsible for quality and maintenance of open source code, and since it can be copied and cloned, versioning and dependencies are particularly complex.
“With the ubiquity of open source software, attackers are currently exploiting vulnerabilities across a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware, and IoT,” he said.
“Open source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware.”

“Given the complexity and communal nature of open source software, building better security must also be a community-driven process,” Russinovich said. Microsoft will bring several of its own current open source security initiatives under the OpenSSF umbrella as part of its involvement.
Microsoft embraces open source
Microsoft’s support of open source software has caught many by surprise given the company’s former opposition towards the paradigm. During the first four decades of its existence, from the 1970s through the 2000s, Microsoft viewed free and open source software as a threat to its business.
Back in 2001, former Microsoft CEO Steve Ballmer labelled Linux “a cancer that attaches itself in an intellectual property sense to everything it touches”. However, this started to change when Microsoft joined the Linux Foundation as a high-paying Platinum member in 2016.
This may have been brought about by the realisation that growing technologies such as the Cloud will rely on open source software solutions. Recently, Microsoft president Brad Smith admitted that the company was “on the wrong side of history when open source exploded at the beginning of the century”.
The company has in recent years open-sourced many of its applications – including Microsoft’s original JavaScript engine, PowerShell, and Visual Studio Code. The May 2020 Windows 10 Update shipped with Windows Subsystem for Linux 2 (WSL2), a custom-built Linux kernel which allows for easy integration of Linux distros and files within file explorer. Microsoft has also partnered with Mark Shuttleworth’s Canonical to bring Ubuntu to Windows 10.