Microsoft joins OpenSSF to improve open-source software security

Microsoft has joined the recently launched Open Source Security Foundation (OpenSSF) to help create a healthier, more secure open-source software ecosystem for all, the company announced yesterday in a blog post.

Collaborative efforts such as OpenSSF aim to address these concerns in open-sourced projects. Major technology players including Microsoft, Google, IBM, and others, are confirmed members of the organization’s governing board. Together, OpenSSF says they help set guidelines on vulnerability disclosures, security tooling, and threat identification. Each of the working groups has its won technical steering committee and is self-governed.

“We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open-source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation. “Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”

Microsoft has warmed up to open source in the last few years. Earlier this year, the company finally admitted that it was wrong about open-source, referring to an era when Steve Balmer fiercely belittled Linux. Since Satya Nadella took the helm, however, Microsoft has been actively embracing open source with projects like Visual Studio Code, Linux subsystem on Windows, and open-sourcing some of its older projects. On June 4, 2018, the company officially acquired GitHub, one of the world’s largest code repository hosting platform, for US$7.5 billion.

Open-sourcing relies on public governance and support from its user base. The code can be scrutinized by anyone to validate their security, and any party can modify the solution to suit their own needs.

But the very nature of open-source software raises inherent security risks. Since support is decentralized, no one person or party is responsible for bugs. There’s also the risk of attackers, under the guise of a maintainer, injecting malware into popular projects. And because popular tools are cloned and continuously modified, version verification is a time-consuming process.


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Tom Li
Tom Li
Telecommunication and consumer hardware are Tom's main beats at IT World Canada. He loves to talk about Canada's network infrastructure, semiconductor products, and of course, anything hot and new in the consumer technology space. You'll also occasionally see his name appended to articles on cloud, security, and SaaS-related news. If you're ever up for a lengthy discussion about the nuances of each of the above sectors or have an upcoming product that people will love, feel free to drop him a line at [email protected].

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now