Thursday, December 19, 2024 - 07:00

As we close out another remarkable year at the Eclipse Foundation, it's time to reflect on the strides we've made in enhancing the security of our open source projects. Last year, I shared our journey in moving the needle on security breakthroughs. This year, our commitment to establishing the Eclipse Foundation as a leader in open source security has only deepened, thanks in large part to the unwavering support of the Alpha-Omega project, an initiative supporting open source security improvements.

Elevating Our Security Posture

Our primary goal has been clear: to exemplify security best practices within the open source community. Achieving this wouldn't have been possible without Alpha-Omega's profound impact. Their support has enabled us to:

  • Build a Professional Security Team: We've assembled a dedicated team focused on providing a secure environment for open source collaboration and innovation.
  • Implement Major Infrastructure Upgrades: Significant enhancements have been made to our infrastructure, laying a solid foundation for robust security measures.
  • Overhaul Security Processes: Comprehensive revisions to our security protocols ensure that vulnerabilities are managed effectively and efficiently.

Key Achievements of 2024

Consistent Vulnerability Management

We established a consistent and effective vulnerability management process across more than 420 projects. The aim is that vulnerabilities are fixed before they are publicly disclosed, with timely communication back to the security researchers who report them. Our team presented this approach at VulnCon and continues to share insights globally on scalable vulnerability management.

We published a blog post discussing version 4.0 of the Common Vulnerability Scoring System (CVSS). The post explains the differences introduced in CVSS 4.0 compared to CVSS 3.1, highlights how these changes affect vulnerability scoring for Eclipse Foundation projects, and encourages the use of the new Supplemental metrics, such as Provider Urgency (the "U" metric), for a more nuanced assessment.

We also published a detailed review of the new 4.0 rules for CVE Numbering Authorities (CNAs), discussing how they impact the Eclipse Foundation's role in assigning CVEs. Additionally, we hosted a webinar to explain these rules in depth.

Open Regulatory Compliance Working Group

In response to the evolving cybersecurity landscape, we spearheaded the creation of the Open Regulatory Compliance Working Group (ORC WG). This collaborative effort assists organisations that produce and consume open source software in navigating the challenges posed by the Cyber Resilience Act (CRA) —an EU regulation aiming to strengthen cybersecurity in digital products— and other impending regulations. A key focus of the working group is to collaboratively create practical, vendor-neutral specifications that will help organisations implement forthcoming regulations. As part of this initiative, we also established key liaison status with European Standards Organisations like CEN/CENELEC.

Automating Policy Management with Eclipse OtterDog

Leveraging Eclipse OtterDog, we've automated provisioning and policy management for more than 2,000 repositories on GitHub, reaching 81% adoption across Eclipse Foundation projects. Declaring repository and organisation settings as configuration streamlines security policy enforcement, applies best practices consistently, reduces manual errors, and saves time.
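To make the idea behind declarative policy management concrete, here is an added example (not OtterDog's own code): a desired-state policy is compared against a snapshot of live repository settings and every difference is reported as drift, which is the plan a tool like OtterDog would then apply. The policy keys and the two-repository snapshot are constructed; the nested field names are assumed to follow the GitHub REST API shape.

```python
"""Policy-drift check for GitHub repository settings.
Added example, not Eclipse OtterDog's code; snapshot data is constructed."""

from __future__ import annotations

from typing import Any

MISSING = object()  # sentinel: the setting does not exist on the live object

# Desired state for every repository (simplified, constructed policy).
POLICY: dict[str, Any] = {
    "security_and_analysis.secret_scanning.status": "enabled",
    "security_and_analysis.secret_scanning_push_protection.status": "enabled",
    "delete_branch_on_merge": True,
    "web_commit_signoff_required": True,
    "branch_protection.required_pull_request_reviews.required_approving_review_count": 1,
    "branch_protection.allow_force_pushes.enabled": False,
}

# Live snapshot of two repositories (constructed sample data, GitHub-API-like shape).
SNAPSHOT: list[dict[str, Any]] = [
    {
        "name": "good-repo",
        "security_and_analysis": {
            "secret_scanning": {"status": "enabled"},
            "secret_scanning_push_protection": {"status": "enabled"},
        },
        "delete_branch_on_merge": True,
        "web_commit_signoff_required": True,
        "branch_protection": {
            "required_pull_request_reviews": {"required_approving_review_count": 1},
            "allow_force_pushes": {"enabled": False},
        },
    },
    {
        "name": "drifted-repo",
        "security_and_analysis": {
            "secret_scanning": {"status": "disabled"},
            "secret_scanning_push_protection": {"status": "disabled"},
        },
        "delete_branch_on_merge": False,
        "web_commit_signoff_required": True,
        "branch_protection": None,  # default branch is not protected at all
    },
]


def lookup(obj: Any, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; MISSING if any hop is absent."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return MISSING
        cur = cur[key]
    return cur


def find_drift(policy: dict[str, Any], snapshot: list[dict[str, Any]]) -> list[tuple[str, str, Any, Any]]:
    """Return (repo, setting, expected, actual) for every setting that differs.

    A missing setting is reported as drift with actual=None, so an unprotected
    branch shows up instead of being silently skipped.
    """
    drift: list[tuple[str, str, Any, Any]] = []
    for repo in snapshot:
        for setting, expected in policy.items():
            actual = lookup(repo, setting)
            if actual is MISSING:
                drift.append((repo["name"], setting, expected, None))
            elif actual != expected:
                drift.append((repo["name"], setting, expected, actual))
    return drift


def drift_by_repo(policy: dict[str, Any], snapshot: list[dict[str, Any]]) -> dict[str, int]:
    """Count drifted settings per repository (repos with no drift are omitted)."""
    counts: dict[str, int] = {}
    for repo, *_ in find_drift(policy, snapshot):
        counts[repo] = counts.get(repo, 0) + 1
    return counts


if __name__ == "__main__":
    for repo, setting, expected, actual in find_drift(POLICY, SNAPSHOT):
        print(f"{repo}: {setting} expected={expected!r} actual={actual!r}")
```

Treating "setting absent" as drift rather than as "nothing to compare" is the important design choice: the dangerous state for a repository is usually the one where a protection was never configured, not the one where it was set to the wrong value.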

Security Handbook for Eclipse Committers

We have begun publishing a Security Handbook for Eclipse Foundation Committers. This handbook provides best practices for securing development workflows within Eclipse Foundation projects, covering topics such as securing developer accounts, machines, and environments. It also includes guidelines for vulnerability management, including handling embargoes and issuing security advisories, as well as references to tools and other best practices to help maintain secure software development processes.

Enhancing Code Signing Security

We've integrated Sigstore signing into our existing code-signing infrastructure, making it available to all projects and strengthening the integrity and provenance of software artifacts across the foundation.

In parallel, we moved our other code signing services (JAR signing and Windows Authenticode), which produce signature formats that Sigstore does not cover, to keep their signing keys and certificates in a Hardware Security Module (HSM). Initially, this transition significantly hurt signing throughput and build times. To address this, we investigated cloud-hosted HSM offerings and deployed a new version of the signing service that uses Google Cloud Key Management Service (KMS) as its key backend. This approach is far more scalable and has restored build times to normal.

Advancing Security Policy Framework

Approximately 12% of our projects have progressed to level one of our newly developed security policy framework.

The framework, also known as gradually, is an internal framework designed to enhance the security of the Foundation's 420+ projects by introducing security practices progressively. Organised into levels from foundational to advanced, it covers securing developers, source code repositories, code integrity, builds, dependencies, deployment, and consumption, building on existing frameworks such as SLSA and NIST's SSDF to address the specific needs of the Eclipse Foundation.

MFA Rollout Completion

The rollout of Multi-Factor Authentication (MFA) across all repositories, enforced through OtterDog, is now complete. Requiring MFA is a critical step in preventing unauthorised access to repositories through compromised committer credentials. Plans are underway to extend MFA across internal applications and services, further enhancing our security posture.

IAM Service Migration

We've migrated 40% of our infrastructure applications and services to our new Identity and Access Management (IAM) service, built on Keycloak. Centralising authentication in one IAM service is the prerequisite for enforcing MFA across internal applications and services.

Audits and Case Studies

Three security audits have been completed during 2024. During the Open Community Experience 2024 (OCX) conference, representatives of various projects joined the stage to talk about their recent experiences with security audits.

Eclipse Temurin

Eclipse Temurin is part of the Eclipse Adoptium project, providing code and processes that support the building of runtime binaries and associated technologies for general use across the Java ecosystem. Runtimes released by the Adoptium project have millions of downloads, so the security of build scripts is critical for a large number of users.

The audit concentrated on areas like the usage of secure HTTPS downloads, authenticity and integrity guarantees, state-of-the-art use of cryptography, and hardcoded or otherwise exposed secrets or tokens.

Auditors worked closely with the project team to understand the code and provide feedback on improvements. The report includes 19 findings with security implications and additional annexes with suggestions for code quality improvements. The high-severity issues included:

  • Possible code injection
  • Software download and installation missing verification
  • Disabled host verification

All security issues have been resolved through code fixes, configuration changes, and other measures. Check the full report and our blog post for more information and details about the findings and fixes.
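The findings listed above are generic build-script weaknesses, so here is an added illustration of the hardened pattern in Python (not Temurin's build scripts, and not the specific code the audit examined): a download that refuses non-HTTPS URLs and off-HTTPS redirects, keeps certificate and hostname verification on, and only moves the artifact into place once a pinned SHA-256 digest matches. The "before" sketch in the comments shows what disabled verification typically looks like. URLs, digests and file contents are constructed.

```python
"""Verified artifact download for build scripts.
Added example, not from Eclipse Temurin; sample data is constructed."""

from __future__ import annotations

import hashlib
import hmac
import os
import re
import ssl
import tempfile
import urllib.error
import urllib.request
from urllib.parse import urlparse

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def sha256_of(path: str) -> str:
    """Streamed SHA-256 of a file, hex-encoded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha256(path: str, expected: str) -> bool:
    """True only if the file's digest equals a well-formed expected digest.

    Rejecting a malformed pin stops an empty or placeholder value from
    matching, a classic way 'verification' silently becomes a no-op.
    """
    expected = expected.strip().lower()
    if not HEX_SHA256.match(expected):
        return False
    return hmac.compare_digest(sha256_of(path), expected)


# Before (what "disabled host verification" and "missing verification" look
# like in a build script; shown only to contrast, do not use):
#   ctx = ssl._create_unverified_context()   # no certificate or hostname check
#   urllib.request.urlretrieve(url, dest)    # and no digest check afterwards


class HttpsOnlyRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects that would downgrade the transfer off HTTPS."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlparse(newurl).scheme != "https":
            raise urllib.error.HTTPError(newurl, code, "refusing redirect off HTTPS", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_verified(url: str, dest: str, expected_sha256: str) -> str:
    """Download over verified HTTPS to a temp file and rename into place only
    if the pinned SHA-256 matches.  Raises on any failure so the build cannot
    continue with an unverified artifact."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    opener = urllib.request.build_opener(HttpsOnlyRedirect, urllib.request.HTTPSHandler(context=ctx))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    os.close(fd)
    try:
        with opener.open(url, timeout=60) as resp, open(tmp, "wb") as out:
            for chunk in iter(lambda: resp.read(1 << 16), b""):
                out.write(chunk)
        if not verify_sha256(tmp, expected_sha256):
            raise RuntimeError(f"SHA-256 mismatch for {url}")
        os.replace(tmp, dest)
        return dest
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def check_constructed_sample() -> dict[str, object]:
    """Offline self-check on a constructed file containing b'hello\\n'."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"hello\n")
    os.close(fd)
    try:
        good = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
        try:
            fetch_verified("http://example.invalid/artifact.tar.gz", path + ".out", good)
            http_refused = False
        except ValueError:
            http_refused = True
        return {
            "digest": sha256_of(path),
            "good": verify_sha256(path, good),
            "upper": verify_sha256(path, good.upper()),
            "empty": verify_sha256(path, ""),
            "wrong": verify_sha256(path, "0" * 64),
            "http_refused": http_refused,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(check_constructed_sample())
```

The temp-file-then-rename step matters as much as the digest check: a partially written or unverified file never exists under the final name, so a later build step cannot pick it up by accident.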

Along with this security audit, we have also released a case study detailing how the Eclipse Foundation and the Adoptium Working Group are working to build the world's most secure OpenJDK distribution.

Eclipse CycloneDDS

Eclipse CycloneDDS is an implementation of the Data Distribution Service (DDS) specification published by the Object Management Group (OMG). The standard defines both the communication protocol and the API for a publish-subscribe model and is used in fields including aerospace, defence, and autonomous vehicles. DDS itself was developed at a time when malicious actors were less of a concern; the DDS Security Specification was introduced later to address secure communication. It adds security plugins that implement authentication, access control, and cryptographic operations, which CycloneDDS now supports. The audit focused on the correctness of this implementation.

During the audit process, the auditors frequently interacted with the project team. They implemented three fuzzers to cover the desired functionality. Using these fuzzers, the auditors found two issues with possible security impact and provided several recommendations to improve code quality.

Check the full report and our blog post for more information and details about the findings and fixes.

Eclipse Kuksa

The open Eclipse KUKSA™ project aims to provide shared building blocks for Software-Defined Vehicles that can be utilised across the industry. The audit covered the databroker and the Python client, consisting of static analysis, manual code review, and dynamic analysis with fuzzing.

The findings include two crashes and some shortcomings in permission verification paths. While addressing these issues, the Kuksa team decided to deprecate the sdv.databroker API, which was implicated in a significant portion of the findings. The API is now disabled by default and can be enabled by a specific option at the start of the databroker.

Check the full report and our blog post for more information and details about the findings and fixes.

Security Training

To support our fellow developers, the Eclipse Foundation has offered free security training for all committers and contributors. The complete training consists of three parts: fundamentals, secure coding, and advanced topics.

The fundamentals were delivered in two sessions in November, each attended by 75 people. The remaining sessions will be offered in 2025. The fundamentals covered an introduction to a risk-based approach to security, multi-factor authentication, and how to file and handle security bugs without leaking private information.

Strengthening Our Credibility and Influence

Our security advancements have not only fortified our projects but have also elevated our standing as a key stakeholder in cybersecurity discussions with institutions and agencies. This credibility has been instrumental in maintaining a leading role in 2024, ensuring that open source communities remain visible to policymakers, particularly within the European Commission concerning the Cyber Resilience Act.

We've worked diligently to ensure that open source foundations and communities can continue to thrive amid increasing cybersecurity regulations. The establishment of the Open Regulatory Compliance Working Group exemplifies our commitment to partnering with governmental bodies, enabling the industry to meet regulatory requirements while leveraging open source software throughout the supply chain.

Looking Ahead

Without a doubt, the support from Alpha-Omega is dramatically improving the security of the entire open source ecosystem. The information and operational technology industries rely on open source to innovate and operate cost-effectively. As such, these investments are set to pay dividends for years to come, reinforcing the resilience and reliability of open source software globally.

As we move into 2025, our focus remains steadfast on being the place to develop and consume open source security. We'll continue to improve our infrastructure, empower projects with more and better security tools and services, and facilitate communication between projects and security researchers. Key initiatives include:

  • Continued Collaboration: We'll persist in our efforts with the ORC WG and other collaborative initiatives to navigate regulatory landscapes effectively.
  • Advancing Security Frameworks: Helping more projects progress through our security policy framework, introducing improved tooling and processes for broader adoption.
  • Completing IAM Migration: The goal is to migrate the remaining infrastructure applications and services to Keycloak, enabling comprehensive MFA implementation.
  • Enhancing Code Signing Practices: Implementing stronger access controls and modern monitoring in our code signing service, and promoting this approach to other open source foundations.
  • Mini Security Reviews: Conducting mini audits to assess adherence to security best practices, aiming to complete 35 reviews and strengthen the community.
  • Exploring Identity Verification: Piloting a voluntary identity verification system for developers to enhance trust and make it more difficult for malicious actors to infiltrate projects.

Conclusion

The past year has been one of significant progress and collaboration. Our achievements are a testament to the dedication of our security team, the support of Alpha-Omega, and the collective efforts of the entire Eclipse community. Together, we're not only enhancing the security of our projects but also setting a standard for open source communities worldwide.

Thank you for being part of this journey. We look forward to another year of innovation, collaboration, and security excellence.

For more information on our security initiatives or to get involved, please visit our security page.


About the Author

Mikaël Barbero

Mikaël currently serves as Head of Security at the Eclipse Foundation. He leads the security team at the EU’s largest open source software foundation, developing best practices and programs to protect its members and the open-source projects governed by the Foundation. He is a seasoned technologist passionate about open source, software engineering, and creating user-centered software and solutions. His diverse experience spans everything from software architecture to team management, and of course, cybersecurity.