New Tripartite Initiative Aims to Fortify Open-Source Cybersecurity

Education is key to securing software. To help that happen, the Linux Foundation Training & Certification, ISC2, and the OpenSSF have joined forces.

In a landmark move, the Linux Foundation Training & Certification; the Information System Security Certification Consortium (ISC2), the global security certification non-profit; and the Open Source Security Foundation (OpenSSF) have announced a strategic alliance to bolster the open-source cybersecurity community. This collaboration will unify secure software development, knowledge exchange, education, and certification. The goal is to set a new standard for managing the security lifecycle of open-source code.

The initiative will prioritize equipping software developers across the globe with the skills to integrate robust cybersecurity measures into the very fabric of their code. Leveraging the existing educational infrastructure of the partnering organizations, the collaboration will utilize ISC2’s renowned certifications, such as the Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and Certified in Cybersecurity (CC). Similarly, the Linux Foundation’s IT Professional Program for Cloud Engineers and the Certified Kubernetes Security Specialist (CKS) will contribute to a comprehensive curriculum combining open-source compliance and cybersecurity training with security industry best practices.

Looking ahead, the groups will develop role-specific learning programs featuring courses, certifications, and hands-on labs, with an initial focus on crafting secure microservices. The coalition also aims to serve as a definitive source on cybersecurity regulations and best practices, particularly in the realm of secure collaborative software development. Additionally, the creation of research tools to assess needs and monitor the effectiveness of cybersecurity initiatives is on the agenda.

The significance of open-source code in the realm of cybersecurity is undeniable. 90% of all commercial companies use open source. This widespread adoption underscores the importance of security in open-source software.

At the Linux Foundation Member Summit 2023 in Monterey, California, Clyde Seepersad, SVP and General Manager of Training & Certification at the Linux Foundation, emphasized the urgency of the situation: “Despite growing cyber threats, cybersecurity has been met with insufficient attention and resources. Through this partnership, we aim to amplify our collective impact on cybersecurity to enhance protection for everyone.”

At the same time, Seepersad added, there's a real need for a consolidated approach because "There's never been as much disjointed activity on the regulatory front because there are dozens of regulatory agencies across many dozens of countries saying we should move. And, the danger is that with 60 different global policies, it's impossible to achieve all of them."

A unified approach is vital. So, the partnership will provide an authoritative voice on cybersecurity regulations, requirements, and best practices, with an emphasis on secure collaborative software development.

ISC2 CEO Clar Rosso highlighted the collaboration's potential: “As organizations and consumers face relentless cyber threats, the union of the largest open-source software foundation with the premier cybersecurity professional association will be a formidable force in securing a safer future. Secure open source code is the foundation of global innovation, and ISC2 is committed to ensuring developers have the necessary training to create more secure, robust solutions.”

Omkhar Arasaratnam, GM of OpenSSF, also weighed in: “Education is a key strategy to ensure the security of open source software from the ground up. Our collaboration with ISC2 will expand access to quality security education for all.”

For developers and security workers, and those who employ them, the partnership will provide a unified set of classes and certifications to help them get jobs and do those jobs right once they have them.

The timing of this initiative is critical. With an increasing reliance on open-source communities for secure and reliable code, and as the onus of security shifts from consumers to developers through evolving regulations and policies, there is a pressing need for developers to be equipped with the requisite security expertise. This partnership is a proactive step toward meeting the growing demands for cybersecurity in the open-source landscape.