Alpha-Omega Dishes out Cash to Secure Open Source Projects

submitted by
Style Pass
2022-10-06 19:00:40

Securing software supply chains isn’t easy technically. But you already knew that. Many new security programs and projects, such as Sigstore, Supply-Chain Levels for Software Artifacts (SLSA, pronounced “salsa”), and Software Bill of Materials (SBOMs), are being improved and fine-tuned every day. But there’s another major security issue: Who pays for all those security improvements? One answer for high-level, open source projects is Google, Microsoft, and the Open Source Security Foundation (OpenSSF)’s Alpha-Omega Project.

This project’s job is to “improve global open source software supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open-source code” and then fix them, according to project documentation.

Part of Alpha-Omega’s work is technical. At the recent Open Source Summit Europe in Dublin, its security team announced the release of the first version of the Omega Analysis Toolchain. This program orchestrates over 27 different security analyzers to identify critical security vulnerabilities in open source packages. This program was launched by Microsoft and donated to OpenSSF. It’s already proved useful. It’s been used to identify the CVE-2022-32222 and CVE-2022-38018 vulnerabilities. It’s also been used with the OpenSSF Security Reviews project to experiment with a “fully automated security review.”