The Linux Foundation And Harvard’s Lab For Innovation Science Release Census For Open Source Software Security

The Linux Foundation’s Core Infrastructure Initiative (CII), a project that helps support best practices and the security of critical open source software projects, and the Laboratory for Innovation Science at Harvard (LISH), announced the release of ‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software.`

This Census II analysis and report represent important steps towards understanding and addressing structural and security complexities in the modern day supply chain where open source is pervasive, but not always understood. Census II identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of FOSS. Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel’s operation and security.

“The Census II report addresses some of the most important questions facing us as we try to understand the complexity and interdependence among open source software packages and components in the global supply chain,” said Jim Zemlin, executive director at the Linux Foundation. “The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that results in trust and transparency in software.”

Working in collaboration with Software Composition Analysis (SCAs) and application security companies, including developer-first security company Snyk and Synopsys Cybersecurity Research Center (CyRC), the Linux Foundation and Harvard were able to combine private usage data with publicly available datasets and develop a methodology for identifying more than 200 of the most used open source software projects, 20 of which are detailed in the findings. For the detailed methodology and list, including elaboration on each project, please read the report.

“FOSS was long seen as the domain of hobbyists and tinkerers. However, it has now become an integral component of the modern economy and is a fundamental building block of everyday technologies like smart phones, cars, the Internet of Things, and numerous pieces of critical infrastructure,” said Frank Nagle, a professor at Harvard Business School and co-director of the Census II project. “Understanding which components are most widely used and most vulnerable will allow us to help ensure the continued health of the ecosystem and the digital economy.”

With FOSS constituting 80-90 percent of all software, it is more important than ever that we understand what FOSS is most used and where it could be vulnerable to attack. The increasing importance of this has been underscored with US government agencies pushing for deeper insights into the software building blocks that make up various packages and devices via a software bill of materials (SBOM). For example, in April 2018, the leaders of the US Congress House of Representatives Energy and Commerce Committee sent a letter to the Linux Foundation, acknowledging the critical importance of FOSS and exploring the opportunities and challenges related to FOSS.

The increasing importance of FOSS throughout the economy became critically apparent in 2014 when the Heartbleed security bug in the OpenSSL cryptography library was discovered. By some estimates, the bug impacted nearly 20 percent, or half a million, of secure web servers on the Internet. It was the impetus for the Core Infrastructure Initiative, which has raised millions of dollars for open source security in just the last six years.

“Open source is an undeniable and critical part of today’s economy, providing the underpinnings for most of our global commerce. Hundreds of thousands of open source software packages are in production applications throughout the supply chain, so understanding what we need to be assessing for vulnerabilities is the first step for ensuring long-term security and sustainability of open source software,” said Zemlin.

About the Linux Foundation

Founded in 2000, The Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

About the Laboratory for Innovation Science at Harvard

The Laboratory for Innovation Science at Harvard (LISH) is spurring the development of a science of innovation through a systematic program of solving real-world innovation challenges while simultaneously conducting rigorous scientific research. To date, LISH has worked with key partners in aerospace and healthcare, such as NASA, the Harvard Medical School, the Broad Institute, and the Scripps Research Institute to solve complex problems and develop impactful solutions. More information can be found at https://lish.harvard.edu/