The Open Source Security Foundation (OpenSSF) is a few months old now, but the question is why it isn't years old. After years of attackers exploiting bugs in OpenSSL, Apache Struts, and countless other projects, along with our laziness in patching them, it seems we would have joined forces long ago to protect the open source supply chain upon which every organization depends. But we haven't. It wasn't until 2020 that we decided as an industry to stop approaching security piecemeal.
Why?
That’s the question I asked Kim Lewandowski, a Google product manager and member of the OpenSSF’s governing board. According to Lewandowski, “We all depend on open source, and there’s no reason for us to all try to solve this individually or in a silo.” She’s right, but why did it take us so long to get to this point?