Wednesday, March 16, 2022

Wipro Joins Open Source Security Foundation

Wipro Limited, a leading global information technology, consulting and business process services company, announced that it has joined the Open Source Security Foundation (OpenSSF) on the governing board to help address the growing threat to the software supply chain.

The OpenSSF is a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important open source security initiatives to help identify and fix security vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. In addition to developing and contributing best practices for secure coding and software components for the projects under the OpenSSF banner, Wipro’s leadership and open source experts will join other members in setting direction through governance and working committees of the foundation.

"We are thrilled to now count Wipro as a key strategic partner in the OpenSSF community," said Brian Behlendorf, General Manager, OpenSSF. "With their massive global technology team building open source software, and their reach across so many critical sectors, they will be tremendously helpful in driving adoption for the specifications, systems, software and content coming from the OpenSSF. In fact, they are already participating!"

“We’re excited to be a member of this important industry initiative and to work with our peers to help ensure the integrity of the global software supply chain,” said Andrew Aitken, Global Open Source Leader, Wipro Limited. “With Board representation from our CTO, Subha Tatavarti, and subject matter experts engaged in all working groups and projects, Wipro is fully committed to helping the industry develop better methods, processes and tools to identify and remediate vulnerabilities. In addition, our goal is to improve and share secure coding best practices with the community to address the growing threat to our software supply chain.”

Wipro’s open source and cybersecurity experts currently contribute to the six key working groups and projects within OpenSSF, engaging with members of the community to build use cases and experience-based insights to expand the scope of future offerings. Among those are:

  1. Sigstore project (comprised of Cosign, Rekor and Fulcio subprojects) expands current code signing capabilities to support a broader range of pipeline tools and incorporate automation for code signature validation as a standard practice. Wipro’s contribution is to Cosign, where we are building automation scripts for use with popular CI/CD pipeline tooling to verify code signing of Docker containers, Helm Charts, Tekton Bundles, and others, to ensure no tampering or updates were made post creation; and Rekor, where we’ll provide documentation on the use of the Rekor APIs for retrieval of log data to provide appropriate metrics that will help make decisions on the trust, acceptance and validity of the signed metadata in the system.
  2. SLSA project is building a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in projects. Wipro is identifying and testing processes and tools to increase the automation of software supply chain security standards and promote the adoption of the framework in the industry.

Wipro is also engaged in related external projects, including OpenChain (ISO Standard for open source license compliance) and SPDX (ISO Standard for communicating SBOM information). Wipro’s involvement in these projects, combined with its experience working with enterprises across all geographies and industries, brings valuable insights to OpenSSF working groups, especially around Best Practices and Vulnerability Disclosures. 
