The Open Source Software Security Foundation (OpenSSF), a project of the Linux Foundation, has come up with a 10-point plan to improve the safety of the software supply chain, costed at $147.9M over two years, though it relies in part on developers changing their behaviour to take more account of security issues.
According to the OpenSSF, “roughly 70-90% of any software stack consists of open source software.” Whether or not an application itself is open source, it is likely to include libraries and dependencies that are, to be built with open source programming languages and compilers, and to be deployed on open source platforms.
“The shared benefit also comes with shared risk in the form of exposure to vulnerabilities in those OSS components,” observes the new paper.