本アナウンスは OpenSSF Membership Exceeds 100 with Many New Members Dedicated to Securing Open Source Software の参考訳です
OpenSSF Day Japanで日本語版トレーニングコース「セキュア ソフトウェア開発」を紹介
2022年12月5日 横浜発 ― 世界で最も重要なソフトウェア サプライチェーン セキュリティ イニシアチブが集まるLinux Foundationがホストする業界横断的な組織 Open Source Security Foundation (OpenSSF) は、ソフトウェア開発、サイバーセキュリティ、データサイエンス、PaaS、半導体、金融、シンクタンク、学術機関など幅広い分野の主要なテクノロジー企業から多くの新メンバーを迎え、OpenSSFのメンバー数が100社を超えたことを発表しました。
新ゼネラルメンバーには、Airbyte、Anaconda、Boostsecurity、ControlPlane、Cybozu、Docker、Endor Labs、FOSSA、HackerOne、Phylum、Qualys、Trail of Bits、VicOne、AMD Xilinx、新アソシエイトメンバーには、FS-ISAC、OpenForum Europe、Nanyang Technological Universityが含まれます。
OpenSSFのゼネラル マネージャーであるBrian Behlendorfは、次のように述べています。
「OpenSSFに新メンバーを迎え、とても嬉しく思います。重要インフラを狙う攻撃が続く中、世界中の産業界と政府が注意を払い、私たちが依存しているオープンソース ソフトウェアのセキュリティ体制を改善する方法を積極的に模索しています。」
OpenSSFは、SigstoreのGA版、Alpha-Omegaによる新投資、Scorecardsの新機能、ベストプラクティスWGによるセキュアなソフトウェア開発とオープンソースソフトウェア評価のための簡潔なガイドの発表、さらに、エンドユーザーWG、SBOM Everywhere SIG、セキュア サプライチェーン コンサンプション フレームワークSIGなどの新しい技術イニシアチブの拡大など生産的な活動を行ってきましたが、今回のコミットはこれに続くものです。
本日OpenSSFは、横浜で開催されるOpen Source Summit JapanにおいてOpenSSF Day Japanを主催し、コミュニティメンバー主導でソフトウェアサプライチェーンを保護するために行っている作業とオープンソースセキュリティの未来についてセッションを行います。OpenSSFはこのイベント内で、セキュアなソフトウェア開発の基礎に焦点を当てた無料トレーニングコース「セキュア ソフトウェア開発」が日本語で提供が開始されたことを発表します。
新ゼネラルメンバーの声 (原文より)
Airbyte
“We are excited to join the Open Source Security Foundation’s growing community. As a data infrastructure company that is both a user of open source software and a host of a thriving open source project, Airbyte is particularly sensitive to the data protection needs that exist up and down the supply chain. We are as thrilled to be collaborating on the evolution of open source security standards as we are to support and learn from the experiences of others in the OpenSSF network.”
Patsy Bailin, Head of Data Policy, Airbyte
Anaconda
We are excited to be a sponsor and contributing member of this important foundation. We are committed to securing open source software and providing maintainers, users, and administrators the tools needed to secure open source. With more than 30 million users of Anaconda Distribution and our repository of packages built from source, we are highly dedicated to the advancement of the open-source community and recognize, as do the other members of this foundation, that it will take all of us working together in the open to secure the future of open-source software.
Stephen Nolan, SVP of Product, Anaconda
BoostSecurity
“The software supply chain, and in particular, the open source ecosystem – finds itself today in front a big challenge: how to secure, and regain trust, in the software that the world uses…Solving this will require lots of innovation, collaboration among, and determination to keep ‘chipping away at it’ – one piece at a time. BoostSecurity believes that software supply chain security should be accessible, and consumable – by companies of all sizes and at all levels of security maturity and capabilities, and are proud to do our part in this endeavour. We are eager to work with the OpenSSF and its member companies to make the world’s software factory more secure.”
Zaid Al Hamami, Founder and CEO, BoostSecurity
ControlPlane
“Open source software is the engine of innovation for enterprises and governments across the globe. Its proliferation brings opportunity, but increases exposure in the face of the modern threat landscape. ControlPlane is committed to advancing cross-industry collaboration through the OpenSSF to systematically reduce risk for a more secure technological future.”
Andrés Vega, Vice President of Operations, North America, ControlPlane
Cybozu
“As a company whose vision is to build a society brimming with teamwork, we are excited to be joining OpenSSF to work together to strengthen the security of the open source software ecosystem. The challenge is not just to make our cloud service secure, but to collaborate across the industry to improve the security of the software supply chain as a whole. We look forward to working with OpenSSF members on this project and building a more secure future.”
Takuya Yoshikawa, Cloud Service Department Manager, Cybozu
Docker
“Docker has been working on supply chain security for many years, and is excited to join OpenSSF to work more closely with the communities there. As a developer focused company with many millions of users and customers, Docker recognises that security work falls to developers to implement, and they need help, support and tooling to improve the security of the world’s software that they develop and consume. Docker has been working with upstream open source communities for many years, through initiatives like Docker Official Images and Docker Verified Publishers that are used and trusted by millions of developers. Joining OpenSSF is part of our commitment to expand the work we are doing in this space, and work even more closely with the other communities and companies involved in the essential work of securing open source software.”
Justin Cormack, CTO, Docker
Endor Labs
“Eighty percent of the code in modern applications is code your developers didn’t write but depend on through open source packages. When our founding team was leading the Prisma Cloud engineering group at Palo Alto Networks, we realized the true magnitude of this issue. Our mission now is to enable OSS to live up to its true potential without introducing unnecessary risk. It’s exciting to once again take a new approach to the market, and we believe these solutions will radically enhance application development everywhere. The OpenSSF is leading the charge on open source security. They are establishing a trust-based partnership with any organization that relies on open source, with the goal of making open source use scalable and secure, while helping the community thrive. These ideals align perfectly with ours, which is why we’re so excited for this partnership.”
Varun Badhwar, CEO and Co-Founder, Endor Labs
FOSSA
“FOSSA is proud to join the 100+ other members of the OpenSSF community in our shared mission to advance open source security. We’re excited to get to work with the other remarkable leaders in the foundation, and share our expertise across the software supply chain, especially mitigating the risks associated with open source license violations and security vulnerabilities. Everything we do at FOSSA is for the love of open source, and in support of the massive positive impact it has on innovation and equality for our customers. Our support for and participation in OpenSSF is another example of that commitment.”
Kenaz Kwa, VP of Product, FOSSA
HackerOne
“Open source software is foundational to our digital world and, just as we all benefit from open source, we must collectively contribute to its security. Log4Shell demonstrated the devastating impact of open source vulnerabilities, if not properly addressed, on organizations and their software supply chains. For too long, only a small but vital group of volunteers have helped secure open-source projects for the entire internet. We launched the Internet Bug Bounty to fund the security of open-source projects to address this challenge, and we view OpenSSF as a critical teammate in building toward the same vision of a safer internet. We are proud to join OpenSSF and support project maintainers, developers, and security teams to reduce the impact of Log4Shell and vulnerabilities like it.”
Kayla Underkoffler, Senior Security Technologist, HackerOne
Phylum
“We are excited to be a contributing member of the Linux Foundation and to support OpenSSF’s mission. At Phylum, we are doing our part to secure the universe of code by automating software supply chain security to block new risks, prioritize existing issues and allow organizations to only use open-source code that they trust.”
Patrick Sheehan, CRO, Phylum
Trail of Bits
“Open-source software is at the very core of Trail of Bits. We make our tools open source with the aspiration that organizations can use them to tackle their security challenges, including those within the software supply chain. When our engineers and researchers work on a problem, it’s likely that the solution will benefit the entire community, not just a given customer. We consider it of strategic importance that we make our in-house knowledge available, so issues can be solved at-large. To that end, we’ve built tools that automatically build a dependency graph and SBOM, find various issues in Python, and enable code signing and verification. We plan to build on these accomplishments as a general member of OpenSSF, and look forward to collaborating with other organizations in the pursuit of making open-source software as secure as possible.“
Dan Guido, CEO, Trail of Bits
VicOne
“Modern electronic vehicles adopt more and more open source software and it’s becoming a regular target of hackers. The security concerns have been raised in regulations, such as UN R155, ISO/SAE 21434. Powered by Trend Micro’s 30+ years of experience in cybersecurity, VicOne, as an automotive cybersecurity expert, will help our OEM/Tier-1 customers to strengthen data security practices and comply with international standards and regulations including proactive monitoring new cybersecurity incidents, open source vulnerability assessment, prioritization, and SBOM management.”
Terence Wang, Director of Product Management, VicOne Inc.
AMD Xilinx
“AMD is excited to join the Open Source Security Foundation to contribute to and stay on top of the latest open source security standards, including tooling, best practices, and other standards. AMD is committed to driving the adoption of open source software and joining OpenSSF will be critical to helping to ensure that AMD’s open source software releases are using the latest security standards accepted by the open source community. It will also provide additional confidence for our customers that not only is our software open sourced, but is also secure.”
Nathan Menhorn, Sr. Product Security Engineer, AMD
参考資料
OpenSSFについて
Open Source Security Foundation (OpenSSF)は、Linux Foundationがホストする業界横断的な組織です。業界で最も重要なオープンソースセキュリティの取り組みと、それをサポートする個人および企業をつなぎ合わせます。OpenSSFは、すべての人のためのオープンソースセキュリティを前進させるために、コラボレーションを推進し、アップストリームおよび既存のコミュニティ両方と協力します。詳細については openssf.org をご覧ください。
Linux Foundationについて
2000年に設立されたLinux Foundationとそのプロジェクトは、2,950を超えるメンバーによってサポートされています。Linux Foundationは、オープンソース ソフトウェア、オープンハードウェア、オープンスタンダード、オープンデータに関するコラボレーションのための世界有数の拠点です。Linux Foundationのプロジェクトは、Linux、Kubernetes、Node.js、ONAP、Hyperledger、RISC-Vなど世界のインフラストラクチャにとって重要なものです。Linux Foundationの方法論は、ベストプラクティスを活用し、貢献者、ユーザー、ソリューション プロバイダーのニーズに対応し、オープン コラボレーションの持続可能なモデルを構築することに重点を置いています。詳細については linuxfoundation.org をご覧ください。
Linux Foundationはさまざまな登録商標および商標を使用しています。 Linux Foundationの商標の一覧についてはこちらをご覧ください。
Linuxは、Linus Torvaldsの登録商標です。