The plan published today by the Open Source Software Foundation and the Linux Foundation is also clear on a major point: Fixing the security issues with open-source software will take time and money. The plan calls for around $50 million in funding for the first two years, with funding for future years to be determined.
Delivering security certifications and training for open-source developers will likely cost $4.5 million in the first year alone, the plan says. Similarly, ensuring that open-source components are digitally signed is estimated to cost $13 million in the first year. Establishing a team at the OpenSSF which can respond to vulnerabilities and provide support for developers is estimated to cost around $3 million per year.
“We realize that's a meaningful amount. We realize that is an amount that, from some degree, is much more than any open-source developer has, or even most open source projects, but when you compare it to the cost of remediating a major vulnerability like we've seen in the last few years, it’s a drop in the bucket,” said Brian Behlendorf, general manager of OpenSSF, during a press conference held after the meeting.
Much of that funding will be met by the largest companies. Around $30 million has already been pledged by Alphabet, Amazon, Ericsson AB, Intel, Microsoft and VMware, Mr. Behlendorf said.
For others, the meeting was a validation of long-held concerns about the security of open-source software, and a recognition that freely available technology still requires resources to maintain.
Brian Fox, chief technology officer of open-source security company Sonatype Inc., said that while previous efforts to fortify security in this area, such as those initiated by the Linux Foundation after the Heartbleed vulnerability in 2014, didn’t have the desired impact, he felt confident lasting change was possible now due to the collective effort on the plan.
“That's the first time that we've attempted to solve it this way. I think that effort will lead to actual concrete actions now, instead of people just coming together and talking about it,” he said.
— James Rundle