The mainframe platform has been known for decades as the only platform designed from the ground up around security, scalability, availability, and performance, all of the utmost importance. Mainframes are the cornerstone technology of society, powering the most critical infrastructure in industries such as finance, transportation, healthcare, and government.
The US White House recently released its Executive Order (EO) on Improving the Nation’s Cybersecurity (along with a press call) to counter “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”
Recently, the Linux Foundation published a blog post on how its communities enable the security practices the EO calls for. For example, SPDX and OpenChain have for years been a focal point for guidance and standards in open source software supply chain management.
Open Mainframe Project recognizes that adopting open source on the mainframe requires attention to security practices and policies within its hosted project communities. In particular, the following programs and practices are in place to help ecosystem members fulfill the requirements outlined in the EO.
Software Bill of Materials (SBOMs)
The EO focuses on the need for Software Bills of Materials (SBOMs), along with other tasks that depend on SBOMs. SBOMs are a key tool in understanding where the code your organization uses originates.
Open Mainframe Project hosted projects are able to produce SBOMs because they have aligned on the use of SPDX short-form license identifiers. These identifiers specify the license of a given source code file in a simple, efficient, portable, and consistent way that is both human- and machine-readable. SPDX is in the process of being approved as ISO/IEC Draft International Standard (DIS) 5962, and SPDX 2.2, as used by Open Mainframe Project hosted projects, already supports the current guidance from the National Telecommunications and Information Administration (NTIA) on minimum SBOM elements.
All of the Open Mainframe Project hosted projects have regular license code scans, and the SBOMs produced from these scans are made publicly available. In addition, because the Zowe project produces binary artifacts, that project community publishes a bill of materials for its build artifacts with each release.
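To make the "machine-readable" point concrete, here is an added example (not Open Mainframe Project tooling) that scans a tree of source files for the SPDX short-form tag described above, reports the license expression declared in each file, flags files that carry no tag, and renders the result as a subset of SPDX tag/value file fields. The sample files are constructed for the example; the header-line limit and output layout are this example's own choices.

```python
"""Scan source files for SPDX short-form license identifiers and emit a
minimal per-file license summary.  Added example, not Open Mainframe Project
tooling; the file contents below are constructed."""
import re
from collections import Counter

# The short-form tag, e.g. "// SPDX-License-Identifier: Apache-2.0".
# The capture group also accepts a compound expression such as
# "GPL-2.0-only OR MIT".
SPDX_TAG = re.compile(
    r"SPDX-License-Identifier:\s*"
    r"([A-Za-z0-9.+\-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+\-]+)*)"
)

HEADER_LINES = 10  # by convention the tag sits in the first lines of a file


def spdx_identifier(text):
    """Return the license expression declared in the file header, or None."""
    for line in text.splitlines()[:HEADER_LINES]:
        match = SPDX_TAG.search(line)
        if match:
            return match.group(1)
    return None


def summarize(files):
    """files maps path -> contents.  Returns (per_file, counts, missing):
    per_file: path -> license expression for every tagged file,
    counts:   how many files declare each expression,
    missing:  paths with no tag, i.e. files whose license is unknown."""
    per_file = {}
    missing = []
    for path, text in sorted(files.items()):
        expression = spdx_identifier(text)
        if expression is None:
            missing.append(path)
        else:
            per_file[path] = expression
    return per_file, Counter(per_file.values()), missing


def to_tag_value(per_file):
    """Render the summary as SPDX tag/value file sections.  FileName and
    LicenseInfoInFile are SPDX 2.2 file-information tags; this is a subset,
    not a complete SPDX document."""
    lines = []
    for path, expression in per_file.items():
        lines.append("FileName: ./%s" % path)
        lines.append("LicenseInfoInFile: %s" % expression)
        lines.append("")
    return "\n".join(lines)


# Constructed sample tree, not taken from any real project.
SAMPLE_FILES = {
    "src/main.c": "// SPDX-License-Identifier: Apache-2.0\n#include <stdio.h>\n",
    "src/util.py": "#!/usr/bin/env python3\n# SPDX-License-Identifier: MIT\nimport os\n",
    "src/compat.c": "/* SPDX-License-Identifier: GPL-2.0-only OR MIT */\nint x;\n",
    "src/legacy.c": "/* Copyright 1999 Example Corp. All rights reserved. */\nint y;\n",
}

if __name__ == "__main__":
    per_file, counts, missing = summarize(SAMPLE_FILES)
    print(to_tag_value(per_file))
    for expression, n in counts.most_common():
        print("%-24s %d file(s)" % (expression, n))
    for path in missing:
        print("WARNING: no SPDX-License-Identifier in %s" % path)
```

The untagged file is the interesting output: a file whose license cannot be determined mechanically is exactly what a license scan or SBOM review has to escalate to a human, so the scanner reports it rather than silently skipping it.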
Code Lineage and Provenance
Good code hygiene starts at the source: understanding where the code contributed to the project originates. Being able to track each contribution and its author for a given project is not just a good exercise for intellectual property (IP) hygiene; it is also key to security management. Understanding code lineage and provenance helps prevent malware and other unintended code from entering the source code repository in the first place.
The Developer Certificate of Origin (DCO) is in use in all of our hosted project communities. It helps ensure that the lineage and provenance of code contributions are well known and that contributors assert their right to contribute the code to the project.
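The DCO is asserted per commit through a Signed-off-by trailer, and it is only useful if someone checks that the trailer is present and matches the commit author. The following is an added example of such a check, written for this page rather than taken from Open Mainframe Project or Linux Foundation tooling. It parses commit records in the shape produced by the git log format string quoted in the docstring (that command is an assumption of the example, not something the page describes) and reports commits that lack a sign-off or whose sign-off does not match the author; the commit records are constructed.

```python
"""Verify Developer Certificate of Origin sign-offs on a list of commits.
Added example, not Open Mainframe Project or Linux Foundation tooling; the
commit records below are constructed."""
import re
from dataclasses import dataclass

# A DCO sign-off is a trailer line of the form
#   Signed-off-by: Real Name <email@example.com>
SIGNOFF = re.compile(
    r"^Signed-off-by:\s*(?P<name>[^<\n]+?)\s*<(?P<email>[^>\n]+)>\s*$",
    re.MULTILINE,
)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    message: str


def parse_git_log(text):
    """Parse records in the shape produced by this assumed command:
         git log --format='%H%x00%an%x00%ae%x00%B%x1e'
    Each record is SHA, author name, author e-mail and full message,
    separated by NUL bytes and terminated by a record separator (0x1e)."""
    commits = []
    for record in text.split("\x1e"):
        if not record.strip():
            continue
        sha, name, email, message = record.lstrip("\n").split("\x00", 3)
        commits.append(Commit(sha, name, email, message))
    return commits


def dco_problems(commit):
    """Return the list of DCO problems for one commit; empty means it passes."""
    signoffs = SIGNOFF.findall(commit.message)
    if not signoffs:
        return ["missing Signed-off-by trailer"]
    # Accept any sign-off whose e-mail matches the author; a sign-off by a
    # third party alone does not assert the author's own right to contribute.
    emails = {email.strip().lower() for _name, email in signoffs}
    if commit.author_email.strip().lower() not in emails:
        return ["no Signed-off-by matches author <%s>" % commit.author_email]
    return []


def check_all(commits):
    """Map sha -> problem list for every commit that fails the check."""
    failures = {}
    for commit in commits:
        problems = dco_problems(commit)
        if problems:
            failures[commit.sha] = problems
    return failures


# Constructed sample log: one compliant commit, one with no sign-off, and
# one signed off by someone other than the author.
SAMPLE_LOG = (
    "a1b2c3\x00Ada Example\x00ada@example.com\x00"
    "Fix buffer length check\n\nSigned-off-by: Ada Example <ada@example.com>\n\x1e"
    "\nd4e5f6\x00Bob Example\x00bob@example.com\x00"
    "Add parser\n\x1e"
    "\n778899\x00Cy Example\x00cy@example.com\x00"
    "Update docs\n\nSigned-off-by: Someone Else <other@example.com>\n\x1e"
)

if __name__ == "__main__":
    for sha, problems in check_all(parse_git_log(SAMPLE_LOG)).items():
        print("%s: %s" % (sha, "; ".join(problems)))
```

A check like this is normally run in CI on the commits of a pull request, so that a contribution without a valid sign-off is rejected before review rather than discovered during a later IP or provenance audit.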
Open source projects tend to depend on third-party libraries and tooling used at build time and/or at runtime. Understanding the lineage of these components is crucial, and staying ahead of security vulnerabilities in them is critical for open source projects such as those hosted at the Open Mainframe Project.
Open Mainframe Project hosted projects such as ADE and Zowe leverage LFX Security as a tool for managing security vulnerabilities in their dependencies. Making vulnerability management and resolution a transparent activity in our community builds trust with the downstream consumers of the hosted projects.
Maintaining best practices in security management
Security management is a culture and process exercise within open source communities. Aligning with best practices for managing an open source project ensures not only that the project is easy for new contributors and users to engage with and is built on a sustainable foundation, but also that the project community can address and respond to security vulnerabilities in a timely manner.
As a part of the project lifecycle, projects achieve a Core Infrastructure Initiative Best Practices Badge. Earning the badge is a rigorous process for open source communities; nearly every project globally that has achieved one has had to change its processes and procedures along the way. ADE, COBOL Programming Course, GenevaERS, and Zowe have all achieved a passing badge, and many more of the hosted projects are working through the process.
We take security seriously
As you can see, Open Mainframe Project takes security as seriously as the vast number of mainframe end-users and vendors globally.
Open source projects hosted at Open Mainframe Project benefit from this security infrastructure and more; check out the benefits of hosting your project at the Open Mainframe Project for more details.