The Linux Foundation Set to Improve Open-Source Code Security

VANCOUVER, B.C.—The Linux Foundation is set to expand its Core Infrastructure Initiative (CII) for improving open-source code security, that was initially setup in the aftermath of the OpenSSL Heartbleed vulnerability in 2014.

In a video interview at the Open Source Summit, Jim Zemlin, Executive Director of the Linux Foundation explains why the CII remains a critical effort for his organization and what is coming next to help improve open source security.

"Most security vulnerabilities are just bugs," Zemlin said.

CII was setup in 2014 by the Linux Foundation with initial support from VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco. The original goal was to try and help prevent another Heartbleed attack. With Heartbleed, a critical set of flaws was discovered in the open-source OpenSSL codebase that exposed many organizations to the risk of exploitation. The Heartbleed flaw also revealed that there were a number of critical open-source efforts that were underfunded and not able to perform adequate code and security quality assurance analysis.

CII is now working on further trying to identify which projects matter to the security of the internet as a whole, rather than taking a broader approach of looking at every single open-source project, he said. In his view, by prioritizing the projects that are the most critical to the operation of the internet and modern IT infrastructure, the CII can be more effective in improving security.

"You'll see in the next three months or so, additional activity coming out of CII," Zemlin said.

Among the new activities coming from the CII, will be additional human resources as well as new funding. The Linux Foundation had raised $5.8 million from contributors to help fund CII efforts, which Zemlin said has now all been spent. Zemlin that CII's money was used to fund development work for OpenSSL, NTP (Network Time Protocol) and conducting audits.

"There will now be more resources and human capital put toward potential testing initiatives and other activities that we'll have," he said.

Overall, Zemlin said that he wants to see improved security implemented across all open-source projects, whether they are hosted by the Linux Foundation or otherwise.  He said that CII will be looking at how to bring in a crowdsourced approach to improve code quality assurance. 

Improving the Linux Foundation

The upcoming expanded effort from the CII is part of the larger mission of the Linux Foundation to improve all aspects of the open-source software development ecosystem.

"We want to be the best upstream from the downstream consumption of the open-source projects we host," Zemlin said. 

To that end, the Linux Foundation is building systems and process that help to enable the open-source community with the lowest cost model possible. 

"You'll see us in the next six to 12 months continually rolling out tools, processes and frameworks that improve our productivity and benefit our communities," Zemlin said.

Watch the full video interview with Jim Zemlin above.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.