What is the Alpha-Omega Project? Its purpose is to “improve global open source software supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open-source code” and then fix them. This is vital to improving open-source security.
To make this happen, the Linux Foundation’s Open Source Security Foundation (OpenSSF) is joining forces with Google and Microsoft to work with security experts and apply automated security testing to open-source projects. Microsoft and Google are bringing an initial investment of $5 million to the Alpha-Omega Project.
Software supply chain security has become essential. One major security incident after another, including the SolarWinds software supply chain attack, the Log4j vulnerability, and the malicious code injection episode on npm, can be traced back to weaknesses in the software supply chain.
Criminal hackers and nation-state adversaries have made widely deployed open-source projects their top targets. These days, when a new vulnerability is disclosed, exploitation attempts often begin within hours. For instance, the Log4Shell vulnerability in the widely deployed Log4j library forced many organizations into crisis mode as they raced to patch applications before they could be attacked.
A separate part of the problem, as Jack Aboutboul VP of