The open source software (OSS) community gathered last week at the Open Source Security Foundation (OpenSSF) Secure Open Source Software Summit in Washington, DC to continue collaboration across industry, government, and critical infrastructure.
Open source software is code that is freely available for anyone to use or modify. It drives innovation for many technologists working on world-class solutions, including JPMorgan Chase’s 57,000-plus technologists, who incorporate thousands of open source packages in developing tools that give our company, clients, and customers an edge.
OSS’s collaborative and freely accessible nature empowers technologists to collectively address shared challenges. The result is software that underpins critical functions across government and industry, including national defense systems and critical infrastructure. While the unique accessibility of OSS is a catalyst for innovation, it can also allow bad actors to find and introduce weaknesses in common code bases and exploit organizations at a large scale. We have witnessed a substantial number of high-profile attacks on OSS, underscoring the importance of strong public-private partnership to develop tools and solutions that will aid the many dedicated volunteers who maintain open source code. We are all responsible for bettering open source security, and we encourage others using open source to join us in this critical effort.
In May 2022, OpenSSF launched the Open Source Software Security Mobilization Plan, which was pivotal in shaping industry and government’s efforts to secure the open source software supply chain. The plan steered the enhancement of open source security education and the development of tools such as Sigstore, which enables secure validation of software, and Alpha-Omega, which finds and fixes vulnerabilities in the most commonly used packages.
JPMorgan Chase, along with other financial institutions, established the Financial Services Information Sharing and Analysis Center (FS-ISAC) Supply Chain working group to socialize emerging supply chain threats to the Financial Sector and create guidance to address threats, such as the Software Supply Chain Primer White Paper published in 2022.
Participants at the Summit discussed the security challenges of consuming OSS in critical infrastructure sectors, potential opportunities to leverage advancements in AI for the greater benefit of open source security, and the need for shared responsibility to improve the resilience of OSS in critical infrastructure. The significant presence of U.S. Government officials at the Summit is a testament to the public sector’s active involvement in and support for initiatives to better open source security and to continue strong public-private partnerships to achieve more secure outcomes.
The summit concluded with participants discussing approaches to tangible outcomes aligned to three objectives to be accomplished in the next year: (1) provide security education for OSS developers and stakeholders, (2) reinforce the safety of OSS repositories, and (3) enable cross-collaboration for incident response.
There is more to be done in improving tooling to address software supply chain attacks. We see significant importance in supporting the enhancement of OSS evaluation tools, like the Security Scorecard, an automated security tool that helps open source users understand the risks of the dependencies in their software, and Software Bill of Materials (SBOM) capabilities, an inventory that allows users to know what components make up an application. At JPMorgan Chase, our security teams are working towards such solutions and collaborating with organizations like OpenSSF to build better integrated tooling and capabilities that will ultimately promote safer practices and prevent future significant software supply chain security breaches.