I am very excited to be joining The Linux Foundation as the senior director of infrastructure security to work on The Core Infrastructure Initiative. The challenge of securing software is not new, nor is it isolated to open source. What is unique right now though is how everyone has increasingly come to rely upon shared code to foster innovation and speed time to market. Research shows 90 percent or more of modern applications, both commercial and non-commercial, contain third-party open source code. As adoption grows, we have to ensure that critical open source software is supported, protected, and fortified.
Fortunately, without a moment’s hesitation last year, many rallied around the Linux Foundation to create the Core Infrastructure Initiative, a multi-million dollar project comprised of technology companies, security experts and developers, all of whom are committed to working collaboratively to identify and fund critical open source projects in need of assistance.
This is an incredibly important time for CII. The stakes have never been higher for open source software. Working together, I believe CII has the potential to make a major impact on the security of technology that we all use every day. And CII has made a difference already. Since CII started, we’ve seen improvement in the bug closure rate on funded projects.
Open source software encompasses a whole range of projects, some of which have strong, vibrant communities around them and some of which scratched a single developer’s itch. Our mission is to identify which of the most critical projects are the weakest and would benefit from help to become stronger. Beyond the initial triage, we’ll be focusing on industry best practices for secure open source development to further foster a culture of secure coding practices.
CII recently announced nearly $500,000 in new grants to support three very different but important projects: 1) a new testing project leveraging Frama-C, 2) the Reproducible Builds initiative from Debian, and 3) the Fuzzing Project. Tools can be very expensive to create and use, but they can be a very effective force multiplier. I hope that CII’s investments in tooling will pay off in improved security for many projects. With these investments, CII is moving beyond ad-hoc, reactionary bug fixes to advance tooling projects that a large number of projects can leverage to proactively improve security.
I am grateful to the Linux Foundation and the CII Steering Committee for entrusting me with this mission. When I first heard of the creation of the Core Infrastructure Initiative back in April 2014, I took the long overdue step of joining the Linux Foundation as an individual member, never dreaming that I would get this opportunity to actively foster the initiative. I have been advocating for, using, and contributing to open source software for a long time. I believe that open source software is more secure than people give it credit for (especially during the dark days of Shellshock and Heartbleed) and simultaneously not secure enough – more must be done. Open source software is not unique in this regard. It is a pet peeve of mine when people make bold proclamations about the security of open source without acknowledging that there exists a wide range of requirements, capabilities and practices in open source projects, just as in closed source. What is important is that we all come together to make sure that our most critical open source software is being cared for at a level that will ensure that it is responsive to vulnerability disclosure, proactively identifying and refactoring problematic code, performing positive and negative testing appropriately, and using the best tools available.
Improving cyber security will never be light work; our members know that many hands are needed to dramatically reduce global threats to online security. I’m honored to be working with the industry’s largest tech giants — Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware — on this critical endeavor.
CII is committed to fostering open source innovation and secure development practices. We have an amazing program in the making and we can make a difference. We need your help to make this work. Whether your interest is in best open source development practices, surveying open source communities, developing new tools, suggesting a grant or just general discussion about CII – we want to hear from you.