Securing software supply chains isn’t easy technically. Many new security programs and projects, such as https://www.sigstore.dev/, https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html, and https://www.cisa.gov/sbom, are being improved and fine-tuned every day. But there’s another major security issue: Who pays for all those security improvements?
The Alpha-Omega project’s job is to “improve global open source software supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open-source code” and then fix them, according to the project documentation.
By pouring cash into securing these major projects, the Alpha-Omega project is doing as much as, or more than, the latest technical security improvements to improve overall software security.