Linux Foundation Partners with Open Source Group on Code Security Audits

To continue to grow the security and reputation of open source software by the businesses around the world, the Linux Foundation recently partnered with the Open Source Technology Improvement Fund (OSTIF) to fund more software security audits on a wide range of open source projects.

The strategic partnership, which will augment the Linux Foundation’s previous work in providing code security audits, enables OSTIF to share its related code-auditing resources through the Linux Foundation’s Community Bridge funding and support organization for developers and projects.

OSTIF is a nonprofit group that works to connect open source security projects with needed funding and logistical support, while the Linux Foundation hosts a myriad of open source projects and encourages open source collaboration around the world.

The partnership is the result of a need for increased security audits that can assure enterprises of the safety and security of open source project code, Mike Dolan, vice president of strategic programs for the Linux Foundation, told Channel Futures.

The Linux Foundation’s Mike Dolan

“With open source, anybody can see the code and anybody can tell us if there’s a security problem,” he said. “And whether it is open source or proprietary code, the reality today is that most proprietary software even includes open source code. The world of proprietary-only is really shrinking.”

As more and more enterprises continue to use open source project code from the Linux Foundation members and projects to run their businesses, they are continuing to become more dependent on open source, which drives the need to baseline its security, said Dolan.

“If they fail, there’s a system-level problem with that,” said Dolan. “So we want to make projects better for upstream use, above the developers in the chain.”

That means focusing on increasing security and improving the security of these projects that so many enterprises are dependent upon, he added.

On its own, the Linux Foundation has funded more than $1 million in security audits in the last few years, and now those efforts will be expanded through the partnership with OSTIF.

“Putting this together means that we can start to improve, in a measurable way, many of these projects that people are dependent upon,” Dolan said.

The code security audits will be done by a variety of companies that contract with the Foundation, which has no internal code auditing resources of its own. OSTIF’s background is in performing such audits, and the group has relationships with many auditing firms, said Dolan.

OSTIF is going to help find auditors, price the work out, move the efforts forward and hold the auditors accountable, while streamlining the process for the Linux Foundation, said Dolan.

“The groups each have different specializations,” he said. “This will help get security audits done more seamlessly for projects.”

For channel partners who work with open source project code, the security audits will be helpful, said Dolan. “The world is becoming more dependent on open source and channel partners are a critical part of the supply chain that delivers software to customers. As channel partners start to build more services or software-based solutions, the choice of software becomes more important.”

Through the audits, the ability to select open-source software code that has been vetted for its security will make it easier for partners and customers to choose open source, said Dolan.

“It gives confidence for channel partners to share with their customers,” he said.

Pund-IT’s Charles King

Charles King, principal analyst with Pund-IT, said the partnership should be helpful in working to make open source projects even more secure for enterprise users in the future.

“For two decades, the Linux Foundation has provided reliable support and insights for thousands of open source projects and tens of thousands of developers,” said King. “In today’s business and online environments, there are probably no greater concerns than the security of infrastructures, systems and applications, so the new strategic partnership between the Linux and Foundation and the OSTIF comes as welcome news.”

With the Foundation’s stature among open source advocates and OSTIF’s focus on security challenges and solutions, “the partnership should deliver real dividends to the businesses and individuals that depend on Linux and other open source products,” said King.