What we learned from building an industry coalition

Securing the open source supply chain is critically important for developer communities and the entire software ecosystem. In recent years, the industry has seen an uptick in the adoption of open source components spurring new technology. However, this increase in adoption also increases the open source supply chain’s susceptibility to threats such as the backdoor attempts we have seen in package managers or massive credential harvesting.

In November 2019, GitHub announced the Open Source Security Coalition (OSSC) to bring together organizations committed to open source security and secure software development globally. The coalition sought to provide a space for collaboration on existing initiatives while encouraging the generation of new efforts.

After its announcement, GitHub served as a neutral convener to grow and drive the coalition toward fulfilling its mission.

Here’s what we learned.

Understanding your audience and its needs are key.  

Before officially kicking off, we surveyed partners’ motivations for joining the coalition. Open source security researchers faced many challenges when it came to their work. Some of these challenges included a lack of resources, user adoption, community engagement that stalled projects, and insufficient communication among organizations creating siloed and competing initiatives.

Through our initial research efforts and discussions, we originally identified nine potential work streams. However, after additional feedback, we landed on four key areas for the coalition:

1. Identifying threats to open source projects
2. Best practices for open source developers,
3. Security tooling,  and
4. Vulnerability disclosures.

Security researchers are eager to come together to help secure open source software

As the coalition’s original 14 partners grew to 21 partners, we learned that these partners viewed the coalition as a newly-established forum that could play a key role in contributing to the overall health and security of the internet. Among many benefits, partners viewed the coalition as a space to pool resources reaching equity in tooling and expertise, coordinate on building scalable infrastructure, break down silos, and decrease duplication of industry efforts.

Building from the bottom up with a strong operational and communication foundation works

To drive the coalition’s mission forward, GitHub made a conscious decision to put the work first.  Prior to the coalition’s launch, we hypothesized that taking this bottom-up approach to creating the coalition would foster a results-driven culture that was partner-led with equal representation while maintaining a funding-agnostic spirit.

Since launching, we proved our hypothesis that functional working groups produce deliverables. Grounding this hypothesis and the coalition in a strong foundation of operations and communications proved effective in not only guiding partners to generate work with their respective groups but also in providing a flexible, informal structure for partners to work towards formalizing its governance in a way that maintains the coalition’s culture, spirit, and values.

Focusing on the work first yields concrete outcomes

In the past few months, each working group has established their own objectives to address the coalition’s broader mission. Already, the coalition has produced its first concrete work product, a report entitled The Threats, Risks, and Mitigations in the Open Source Ecosystem. This report provides a detailed landscape of “high-level threats, security risks and potential mitigations” to open source software.

Bring it all together 

While there is no one-size-fits-all in creating an industry effort, starting with a coalition with a clear mission, focusing on the work through a developer-first lens, and building with a strong operational foundation produce results. As results surface, it is important to think of avenues to formalize the coalition’s initial structure as the entity and its work mature.

What to know what’s next for open source security? Visit the Security Lab blog