OpenSSF: Tackling Software Security with an Ecosystem Approach

Description of icon when needed6 Min Read

Security - it's a tough problem to solve, for the problem never stops changing. Today, there's a potential threat in the network APIs; tomorrow it's in the distributed application workloads. Next week, it's in the end-user access points.

In my 18 years at VMware, I've seen the security challenge grow and evolve many times over. It's grown more sophisticated and widespread. The challenge expands exponentially as companies embrace digital transformation, deploying more applications, more frequently, from more clouds, to more end users and devices. Today's software is more complex, including more open source, more dependencies and more attack surfaces. To secure that software and the infrastructure it runs on, you must know not only what it includes (the components) but where it came from (the provenance).

VMware provides innovative customer-ready security solutions, from Carbon Black to the Tanzu product family that embraces a Zero Trust Security mindset, to address those challenges. In my recent blog post on Modern Least Privilege, I wrote about DevSecOps and the SolarWinds incident, addressing security from code to production and how VMware Tanzu helps solve many of these challenges. And by replacing a perimeter defense approach with a Zero Trust Architecture that includes Carbon Black Cloud, you can embed security into everything and extend security policies beyond the enterprise-owned network boundary into the cloud.

However, it's clear that to reach the ultimate goal - consistent, trusted and secure applications and infrastructure, regardless of where they run and where you use them, without limiting developer productivity and operational agility - requires a multi-pronged approach. It must be addressed holistically, across the software ecosystem - commercial and open source.

Security is a team sport: a common, community concern that reaches across our industry. Over the past year, we have seen increased public scrutiny and efforts around the complex supply chains that are providing the components for today's software. The recent U.S. Executive Order on Improving the Nation's Cybersecurity released by the Biden Administration is but one high profile example of the urgency. Addressing the common security challenges found in open source software is where the Open Source Security Foundation (OpenSSF) from the Linux Foundation comes in.

The OpenSSF is a cross-industry collaboration that brings together multiple open source software initiatives under one umbrella to identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices and vulnerability disclosure practices. OpenSSF promotes a holistic approach to security and VMware is proud to be a premier member, joining other open source leaders and working towards common, consistent practices.

Joining OpenSSF is a natural choice for VMware, and we bring significant leadership and expertise in the open source security space. VMware has been involved in driving the open source community forward when it comes to understanding and helping secure the software supply chain. Be it through our leadership in the Automated Compliance Tooling (ACT) Initiative, focused on software bill of materials of open source based solutions. Or as contributors and maintainers of The Update Framework (TUF). Or more recently, through our participation and leadership in Supply Chain Levels for Software Artifacts (SLSA), and contributions to the recently CNCF published white paper "Software Supply Chain Best Practices." VMware's engineers have a deep understanding of the complex and diverse challenges before us. Through our participation in OpenSSF, we expect to help many more open source projects adopt industry best practices, which will benefit the entire ecosystem of software builders and users.

I'm excited to be part of the OpenSSF leadership team working side-by-side with open source luminaries such as Brian Behlendorf. At VMware, we know finding solutions to tough problems happens faster and more creatively when everyone works together. One of my favorite maxims is [Bill] Joy's Law: "no matter who you are, most of the smartest people work for someone else." By joining the OpenSSF, I'm looking forward to working with all the smartest people in one room - virtual or physical. As this industry comes together to work on consistent practices for security in the open source supply chain, I hope to see you and many more companies join us in the OpenSSF. You can start today - browse OpenSSF on GitHub to review some of the great progress to date.

This article may contain hyperlinks to non-VMware websites that are created and maintained by third parties who are solely responsible for the content on such websites.