OpenSSF Makes Free Security Training Available

The Open Source Security Foundation (OpenSSF), an arm of the Linux Foundation, is providing free security training for developers building and employing open source software starting later this week as part of an overall effort to advance best DevSecOps practices.

Linux Foundation CTO Chris Aniszczyk said the Secure Software Development Fundamentals professional certificate program, along with additional programs and technical initiatives, will soon be required for every maintainer working on open source projects overseen by the Linux Foundation. As the number of applications that incorporate open source software has grown, the potential harm that a vulnerability in that shared code can inflict continues to grow with it, he noted.

A large percentage of those common vulnerabilities could be eliminated simply by giving developers free access to training, Aniszczyk noted. Far too many developers and software engineers have had no security training beyond a few rudimentary courses in college, while many others are entirely self-taught, he said.

Delivered online via the edX learning platform, the courses are designed to teach developers and software engineers how to build secure software, how to limit the damage a vulnerability can cause, and how to respond faster when one is found.

The OpenSSF also announced that existing projects from the Core Infrastructure Initiative (CII) are moving under its umbrella. The CII Census, a quantitative analysis to identify critical open source projects, and the CII FOSS Contributor Survey, a quantitative survey of developers, have become part of the OpenSSF Securing Critical Projects working group. These two efforts will continue to be carried out by the Laboratory for Innovation Science at Harvard (LISH). The CII Best Practices badge project is being transitioned into the OpenSSF as well.

OpenSSF also announced new contributors, including Arduino, AuriStor, Canonical, Debricked, Facebook, Huawei Technologies, iExec Blockchain Tech, Laboratory for Innovation Science at Harvard (LISH), Open Source Technology Improvement Fund, Polyverse Corp., Renesas, Samsung, Spectral, SUSE, Tencent, Uber and WhiteSource.

It has also elected an advisory council and governing board members, with Kay Williams from Microsoft becoming Governing Board Chair. Other newly elected board members include Jeffrey Eric Altman from AuriStor Inc., Lech Sandecki from Canonical, Anand Pashupathy from Intel and Dan Lorenc from Google as the Technical Advisory Council (TAC) representative.

Ryan Haning from Microsoft has been elected Chair of the Technical Advisory Council (TAC) and an election for a Security Community Individual Representative to the Governing Board is currently underway. An OpenSSF Town Hall will be held online Nov. 9.

Open source software plays a critical role in boosting productivity because developers do not have to keep reimplementing the same functions across multiple projects. The flip side is that when a vulnerability is discovered in one open source library, every project that reuses that library inherits it, so the implications can be profound. To keep that reliance on open source code sustainable, it is incumbent on the open source community to make sure the code being shared is secure. In effect, responsibility for open source security needs to shift left at massive scale. Now that open source developers have access to training, the challenge is making sure the DevSecOps practices that training enables are actually put into practice.

Source: devops

Author

oDesk Software