We just published our 2023 annual report, and 2024 is off to a great start. In this post we’ll cover our first four grants of 2024, totaling over $750,000, and outline our 2024 objectives and key results.
Continuing support for Node.js at OpenJS
Some of the most visible Alpha-Omega grants have been in support of staffing security roles at foundations and organizations where they can evangelize and drive security improvements across a large ecosystem. While we work with our grant recipients to help them find diversified and sustainable funding for these roles, we’ve always expected these engagements to be measured in years. One of our first engagements was with OpenJS, supporting the Node.js security team. In 2023 this team released a new permission model for Node.js, significantly reduced response time for security reports, and increased the number of security releases. We’re happy to continue that support in 2024 as the team continues the work they’ve started and takes on new challenges such as SBOMs and automated dependency updates.
Many other Alpha-Omega engagements start with some form of audit. We’ve consistently found audits to be cost-effective and high impact. By partnering with experienced security professionals, organizations learn as much about their security culture as they do about their code or processes. Alpha-Omega is pleased to announce that it has made three new grants, to Ruby Central, FreeBSD, and OpenRefactory.
FreeBSD: Code and Process Audits
FreeBSD is an open source, Unix-like operating system that has been continuously developed for 30 years by a global community of software developers and vendors that build and operate products based on FreeBSD, commercial and personal users of the operating system, and academic researchers. FreeBSD is relied on for demanding and downtime-sensitive workloads such as payment processing and check remittance, routing ISP traffic, running DNS root servers, efficiently delivering video content globally, and more.
Our grant to the FreeBSD Foundation will enable them to undertake code audits of important subsystems; in addition to uncovering any vulnerabilities in these systems to redress, the audits will look to identify classes of vulnerabilities and suboptimal coding practices that may exist across the project and incorporate learnings into their Committer training and onboarding. FreeBSD will also undertake a process audit to similarly look for opportunities to improve the way FreeBSD is developed, and will pursue a multi-factor authentication pilot to determine the best options to provide to their community and how to best communicate those options in order to achieve ubiquitous use.
Ruby Central: Organization Accounts
Ruby Central maintains and operates RubyGems.org and the package tools RubyGems & Bundler. This vital infrastructure supports development across the Ruby ecosystem. They also organize the annual RubyConf and RailsConf software conferences and support community growth by providing resources to Ruby contributors and organizers. RubyGems.org served 2.7 billion package (gem) downloads to 11 million unique IP addresses last month; that traffic has grown 20-25% per year, every year for more than a decade, and is accelerating.
The Alpha-Omega grant will fund development of one of the most requested RubyGems.org features: organization accounts. This will help developers who manage multiple gems securely centralize access controls, and will benefit large gem owners like Shopify as well as smaller organizations with fewer gems. This work is in addition to the recent establishment of a Software Engineer in Residence for the RubyGems project (funded outside of Alpha-Omega). We’ve seen multiple times how even one person can have a dramatic impact on the security posture of an organization, and we’re excited to contribute to RubyGems security.
Omega: Scaling Open Source Security
Most of our grants have gone to foundations or large organizations that have the resources, processes, and leverage for that funding to have a significant impact on their ecosystems. But there are thousands of smaller, often single-maintainer projects that we can’t forget about. Through Omega, we aim to check many of these projects for security vulnerabilities, share validated results privately, and improve their security as much as possible in a practical amount of time. Wherever possible, we’d prefer to see maintainers leveraging security tools within their repository and build tools.
To this end, we’re continuing our collaboration with OpenRefactory to apply scaled techniques for vulnerability discovery and remediation across thousands of projects. Our first experiments in this space have given us confidence that we can find and eliminate common classes of vulnerabilities at a reasonable cost and scale. This time we’re going to narrow our focus to the most critical Python packages. OpenRefactory has demonstrated the capability to examine about 300 packages per month. From that analysis, the team generates reports that identify critical security flaws in the code and suggest fixes, which are shared with developers. The goal is to encourage project developers to incorporate those fixes into their packages, making them more secure.
Alpha-Omega: Objectives & Key Results for 2024
As we enter our third year, we wanted to share our 2024 objectives and key results (OKRs). As we mentioned in our 2023 Annual Report, these OKRs reflect the learnings of the past two years and the increasing maturity of the project. Below is a summary of our OKRs.
On behalf of the Alpha-Omega team, we’re incredibly grateful to the hard-working individuals driving security work across the open source ecosystem, and we are proud to be able to catalyze security improvements.