Comparison of the performance of Oracle
Click to Read More at Oracle Linux Kernel Development
It has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of any given modern software solution. FOSS is an increasingly vital resource in nearly all industries, in the public and private sectors, and among tech and non-tech companies alike. Therefore, ensuring the health and security of FOSS is critical to the future of nearly all industries in the modern economy.
In March of 2022, The Linux Foundation, in partnership with the Laboratory for Innovation Science at Harvard (LISH), released the final results of an ongoing study, “Census II of Free and Open Source Software – Application Libraries.” This follows the preliminary release, “‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software,” in February 2020, and now identifies more than one thousand of the most widely deployed open source application libraries found from scans of commercial and enterprise applications. This study informs which open source projects commonly used in applications warrant proactive analysis of operations and security support.
The completed report from the Census II study identifies the most commonly used free and open source software (FOSS) components in production applications. It begins to examine the components’ open source communities, which can inform actions to sustain FOSS’s long-term security and health. The stated objectives were:
The study was the first to analyze the security risks of open source software used in production applications. It is in contrast to the earlier Census I study that primarily relied on Debian’s public repository package data and factors that would identify the profile of each package as a potential security risk.
To better understand the commonality, distribution, and usage of open source software within organizations, the study used software composition analysis (SCA) data supplied by Snyk, Synopsys, and FOSSA. SCA is the process of automating visibility into any software, and these tools are often used for risk management, security, and license compliance. SCA solution providers routinely scan codebases used by private and public sector organizations. The scans and audits provide a deep insight into what open source is being used in production applications.
With this data, the study created a baseline and unique identifiers for common packages and software components used by large organizations, which were then tied to a specific project. This baselining effort allowed the study to identify which packages and components were the most widely deployed.
Census II includes eight rankings of the 500 most used FOSS packages among those reported in the private usage data contributed by SCA partners. The analysis performed is based on 500,000 observations of FOSS usage in 2020.
These include different slices of the data based on versions, structure, and packaging system. For example, this research enables identification of the top 10 version-agnostic packages available on the npm package manager that were called directly in applications:
Other slices of the data examined in the study include versioned versus version agnostic, npm versus non-npm, direct versus indirect (and direct) packages. All eight top 500 lists are included in an open data repository on Data.World.
Observations and analysis of these specific metrics led the study to come to certain conclusions. These were:
Software components need to be named in a standardized schema for security strategies to be effective. The study determined that the naming conventions used by packages and components across repositories were highly inconsistent. Thus, any ongoing effort to create software security and transparency strategies without industry participation would have limited effect and would slow such efforts.
The complexities associated with package versioning. In addition to the need for standardized naming schema mentioned above, Software Bill of Materials (SBOM) guidance will need to reflect versioning information consistent with the public “main” repository for that package, rather than private repositories. Many of the versions that our data partners reported did not exist in the public repositories for those packages because developers maintained internal forks of the code.
Developer accounts must be secured. The analysis of the software packages with the highest levels of usage found that many were hosted on individual (personal) developer accounts. Lax developer security practices have considerable implications for large organizations that use these software packages because they have fewer protections and less granularity of associated permissions. The OpenSSF encourages MFA tokens or organizational accounts to achieve greater account security.
Legacy open source is pervasive in commercial solutions. Many production applications are being deployed that incorporate legacy open source packages. This prevalence of legacy packages is an issue, as they are often no longer supported or maintained by the developers or have known security vulnerabilities. They often lack updates for known security issues, whether in their own codebase or in the codebase of the dependencies they require to operate. Apache log4j, version 1.x, for example, was ten times more prevalent than log4j 2.x (the version requiring recent remediation), and 1.x still has known, disclosed, unpatched vulnerabilities because the software was declared end-of-life (EOL) in 2015. Legacy packages present a vulnerability to the companies deploying them in their environments: it means they will need to know what open source packages they have deployed and where, in order to maintain and update these codebases over time.
The prevalence of “supercoders” in the FOSS community. Much of the most widely used FOSS is developed by only a handful of contributors – results in one dataset show that 136 developers were responsible for more than 80% of the lines of code added to the top 50 packages. Additionally, as stated in the Census II preliminary results in 2020, project atrophy and contributor abandonment is a known issue with legacy open source software. The number of developer contributors who work on projects to ensure updates for feature improvements, security, and stability decreases over time as they prioritize other software development work in their professional lives or decide to leave the project for any number of reasons. Therefore, it is much more likely that these communities may face challenges without sufficient developers to act as maintainers as time goes by.
The Linux Foundation’s community and other open source project initiatives offer important standards, tooling, and guidance that will help organizations and the overall open source community gain better insight into, and directly address, potential issues in their software supply chain.
An actionable recommendation from Census II is to adopt Software Bill of Materials (SBOM) within your organization. SBOMs serve as a record that delineates the composition of software systems. Software Package Data Exchange (SPDX) is an open international standard for communicating SBOM information that supports accurate identification of software components, explicit mapping of relationships between components, and the association of security and licensing information with each component.
Many enterprises concerned about software security are making SBOMs a cornerstone of their cybersecurity strategy. The Linux Foundation recently published a separate study on SBOM readiness within organizations, The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness. The report offers fresh insight into the state of SBOM readiness by enterprises across the globe, identifying patterns from innovators, early adopters, and procrastinators.
Differentiated by region and revenue, these organizations identified current SBOM production and consumption levels and the motivations and challenges regarding their present and future adoption. This report is for organizations looking to better understand SBOMs as an important tool in securing software supply chains and why it is now time to adopt them.
The Open Source Security Foundation (OpenSSF) has developed a trio of free courses on how to develop secure software. These courses are part of the Secure Software Development Fundamentals Professional Certificate program. There’s a fee if you want to try to earn a certificate (to prove that you learned the material). However, if you just want to learn the material without earning a certificate, that’s free; simply audit the course. You can also start for free and upgrade later if you pay within the upgrade deadline. All three courses are available on the edX platform.
The courses included in the program are:
Secure Software Development: Requirements, Design, and Reuse (LFD104x)
Secure Software Development: Implementation (LFD105x)
Secure Software Development: Verification and More Specialized Topics (LFD106x)
The OpenSSF develops and hosts its Best Practices badging program for open source software developers. This initiative was one of the first outputs produced as a result of the Census I, completed in 2015. Since then, over 4,000 open source software projects have engaged, started, or completed obtaining a Best Practices Badge.
Projects that conform to OpenSSF best practices can display a badge on their GitHub page, their own web pages, and other material. In turn, consumers of the badge can quickly assess which FLOSS projects are following best practices and, as a result, are more likely to produce higher-quality and secure software. Additionally, a Badge API exists that allows developers and organizations to query the badge level of a specific project, such as Passing, Silver, or Gold. This means any organization can do an API check within their workflow against the open source packages they’re using and see whether that project’s community has obtained a badge.
More information on the OpenSSF Best Practices Badging program, including background and criteria, is available on GitHub. The projects page shows participating projects and supports queries (such as a list of projects that have a passing badge). Project statistics and criteria statistics are available.
In addition to reviewing the Census II findings, we encourage you to read the Linux Foundation’s Open Source Supply Chain Security Whitepaper. This publication explores vulnerabilities in the open source software ecosystem through historical examples of weaknesses in known infrastructure components (such as lax developer security practices and end-user behavior, poorly secured dependency package repositories, package managers, and incomplete vulnerability databases). It provides a set of recommendations for organizations to navigate potential problem areas.
The Census II study shows that even the most widely deployed open source software packages can have issues with security practices, developer engagement, contributor exodus, and code abandonment. Therefore, open source projects require supporting toolsets, infrastructure, staffing, and proper governance to act as a stable and healthy upstream project for your organization.
The post A Summary of Census II: Open Source Software Application Libraries the World Depends On appeared first on Linux Foundation.
Podman’s new Netavark and Aardvark-based stack offers three main advantages over the existing CNI-based stack.
Read More at Enable Sysadmin
Do you engage in open source-related tasks within your organization? You know that collaboration is key. Here are three ways to engage and network with your open source peers and leverage your organization’s open source program!
Aiming to provide continuous education and ease OSPO adoption across organizations, the TODO Group, in collaboration with the Linux Foundation, launches OSPOCon 2022 Call for Proposals. OSPOCon is the premier event for Open Source Program Offices to share information, solve problems, and learn how to build effective Open Source initiatives within organizations.
Why consider submitting a proposal to speak at OSPOCon?
OSPOCon is a go-to place where those working in open source program offices (or similar initiatives) in organizations can:
Share best practices, tooling, and lessons learned
Learn the newest OSPO trends
Connect and learn from the wide diversity of open source professionals’ visions
Take part in real-time discussions and give to get feedback from the community
Overall, people can come together to learn and share best practices, experiences, and tools to overcome OSPO challenges and similar open source initiatives.
OSPOCon NA and Europe are in-person and virtual events that are part of the Open Source Summit conference umbrella. Proposals are submitted via the OSSummit CFP (people will also get access to all the other events in the Open Source Summit collection).
Please remember the CFP submissions deadlines for each of the events. We hope to see you in the upcoming OSPOCon series!
OSSummit + OSPOCon NA: March 14th
OSSummit + OSPOCon Europe: May 30th
TODO comprises individual community contributors and 70+ organizations with years of experience running open source programs. They all want to collaborate on practices, tools, and other ways to run successful and effective open source projects and programs. We have a wide range of ongoing OSPO initiatives where everyone (from the most seasoned OSPOers to students) can participate and become a contributor.
Why consider attending the next Work Day meeting?
A good practice to keep learning from OSPOs is to share knowledge and be inspired by other community participants that run open source initiatives when working on common tooling and resources.
TODO organizes Work Day activity monthly meetings to ease community participation and work together with other OSPOers and open source experts on the various issues and PRs in the TODO Group GitHub organization.
Work Days also come with a handful of tasks, sorted by TODO project contribution level, that we expect people to work on during these meetings.
Learn more in the dedicated repo and review the upcoming meeting dates:
Wednesday, March 9, 2022, at 16:30 UTC
Monday, March 14, 2022, at 10:00 AM UTC
The OSPOlogy repo provides continuous OSPO learning and discussions with other OSPOers thanks to the OSPOlogy monthly community meetings, TODO Sync calls, and OSPO Forum.
OSPOlogy Community Meetings: Everyone is welcome to attend and participate in the monthly public meetings of the TODO Group and the wider OSPO community. People can bring new discussion topics via the OSPOlogy CFP submission.
TODO Sync calls (Europe Chapter): This chapter was created to work together to improve OSPO adoption and education within Europe and discuss with the broader community the challenges European organizations face when implementing an open source program. EMEA-friendly time meetings are scheduled every last Thursday of the month at 3 PM (CET).
OSPO Forum: A place to: (1) Ask questions you’re wondering about when it comes to OSPOs; (2) Share ideas about how to improve OSPOs; (3) Engage with other OSPO community members. Topics are filtered by:
Learning and education
Structure and strategy
Security and compliance
Tools
Bonus: Resources for practical OSPO implementation
We went through three popular OSPO networking spaces where people can engage with the different professionals involved in open source program offices or similar open source initiatives within organizations.
The good news is that TODO Group goes far beyond a place to connect with other OSPOers. This group also drives open source education and adoption powered by course materials, research studies, and resources created by experienced professionals to keep learning about OSPOs, anytime.
Here is a list of the most popular resources that can help people find inspiration by the vision of open source professionals and guidance.
[NEW] The Evolution of the Open Source Program Office Study: provides a set of patterns and directions, as well as a checklist, to help implement an OSPO or an open source initiative within corporate environments. This includes an OSPO maturity model, practical implementation from noted OSPO programs across regions and sectors, and a handful of broad OSPO archetypes (or personas), which drive differentiation in OSPO behavior.
TODO Guides: A collection of best practices from the leading companies engaged in open source development aims to help organizations successfully implement and run an open source program office.
OSPO Survey: The TODO Group is committed to running an annual survey of the status of Open Source Program Offices and sharing the results and data with the wider community. People can find the open data and previous results at Linux Foundation Research.
OSPONews: Never miss the newest OSPO trends! This is the monthly newsletter to stay up to date on Open Source Program Office (OSPO) trends.
TODO Group is a great place to begin and advance in the OSPO journey. The open source community is always welcome to be part of TODO. Welcome to the OSPOverse!
The post Three Ways to Engage with Open Source Program Offices appeared first on Linux Foundation.
New Podman features, file sharing with Samba, and more tips for sysadmins
Posted: March 4, 2022, by Vicki Walker (Red Hat). Topics: Containers, Linux administration, Podman, Career.
Read the full article on redhat.com
Read More at Enable Sysadmin
SAN FRANCISCO – March 2, 2022 — The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the final release of “Census II of Free and Open Source Software – Application Libraries.” This follows the preliminary release of Census II, “‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software,” and identifies more than one thousand of the most widely deployed open source application libraries found from scans of commercial and enterprise applications. This study informs which open source packages, components, and projects warrant proactive operations and security support.
The original Census Project (“Census I”) was conducted in 2015 to identify which software packages in the Debian Linux distribution were the most critical to a Linux server’s operation and security. The goal of the current study (Census II) is to pick up where Census I left off and to identify and measure which open source software is most widely deployed within applications developed by private and public organizations. This Census II allows for a more complete picture of free and open source software (FOSS) adoption by analyzing anonymized usage data provided by partner Software Composition Analysis (SCA) companies Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA and is based on their scans of codebases at thousands of companies.
“Understanding what FOSS packages are the most widely used in society allows us to proactively engage the critical projects that warrant operations and security support,” said Brian Behlendorf, executive director at Linux Foundation’s Open Source Security Foundation (OpenSSF). “Open source software is the foundation upon which our day-to-day lives run, from our banking institutions to our schools and workplaces. Census II provides the foundational detail we need to support the world’s most critical and valuable infrastructure.”
Census II includes eight rankings of the 500 most used FOSS packages among those reported in the private usage data contributed by SCA partners. These include different slices of the data based on versions, structure, and packaging system. For example, this research enables identification of the top 10 version-agnostic packages available on the npm package manager that were called directly in applications:
To review all of the Top 500 lists in their entirety, please visit Data.World.
The study also surfaces these five overall findings that are detailed in the report:
1) The need for a standardized naming schema for software components so that application libraries can be uniquely identified
2) The complexities associated with package versioning – SBOM guidance will need to reflect versioning information that is consistent with the public “main” repository for that package, rather than private repositories
3) Much of the most widely used FOSS is developed by only a handful of contributors – results in one dataset show that 136 developers were responsible for more than 80% of the lines of code added to the top 50 packages
4) The increasing importance of individual developer account security – the OpenSSF encourages the use of MFA tokens or organizational accounts to achieve greater account security
5) The persistence of legacy software in the open source space
Census II is authored by Frank Nagle, Harvard Business School; James Dana, Harvard Business School; Jennifer Hoffman, Laboratory for Innovation Science at Harvard; Steven Randazzo, Laboratory for Innovation Science at Harvard; and Yanuo Zhou, Harvard Business School.
“Our goal is to not only identify the most widely used FOSS but also provide an example of how the distributed nature of FOSS requires a multi-party effort to fully understand the value and security of the FOSS ecosystem. Only through data-sharing, coordination, and investment will the value of this critical component of the digital economy be preserved for generations to come,” said Frank Nagle, Assistant Professor, Harvard Business School.
“Open source software plays a foundational role in enabling global economic growth. Of course, the ubiquitous nature of OSS means that severe vulnerabilities — such as Log4Shell — can have a devastating and widespread impact. Mounting a comprehensive defense against supply chain threats starts with establishing strong visibility into software — and we at FOSSA are thrilled to be able to contribute our market-leading SBOM capabilities and experience helping thousands of organizations successfully manage their open source dependencies to improve transparency and trust in the software supply chain.” – Kevin Wang, Founder & CEO, FOSSA
“The Linux Foundation’s latest multi-party Census effort is further evidence that OSS is at the very heart of not only today’s modern application development process, but also plays an increasingly vital behind the scenes role throughout all of society,” said Guy Podjarny, Founder, Snyk. “We’re honored to have made significant contributions to this latest comprehensive assessment and welcome all future efforts that help to empower the developers building our future with the right information to also effectively secure it.”
“With businesses increasingly dependent upon open source technologies, if those same businesses aren’t contributing back to the open source projects they depend upon, then they are increasing their business risk. That risk ranges from projects becoming orphaned and containing potentially vulnerable code, through to implementation changes that break existing applications. The only meaningful way to mitigate that risk comes from assigning resources to contribute back to the open source powering the business. After all, while there are millions of developers contributing to open source, there might just be only one developer working on something critical to your success.” – Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center
Download the Report
Join the Webinar TODAY to learn more directly from the authors of this report. 
Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
###
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
Jennifer Cloer
503-867-2304
The post The Linux Foundation and Harvard’s Lab for Innovation Science Release Census of Most Widely Used Open Source Application Libraries appeared first on Linux Foundation.
The secret to breaking down walls, fostering teamwork, and unleashing creativity is having people across the organization who are passionate about embracing open.
Read More at Enable Sysadmin
SAN FRANCISCO, March 1, 2022 – The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important open source security initiatives, today announced that 20 new organizations have joined OpenSSF to help identify and fix security vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. It is also announcing the latest milestones achieved across a variety of its technical initiatives, all of which underscore the cross-industry momentum that is taking place as a result of increasing awareness in the wake of recent security incidents, the recent White House Open Source Security Summit, and recent Congressional hearings.
“The time is now for this community to make real progress on software security. Since open source is the foundation on which all software is built, the work we do at OpenSSF with contributions from companies and individuals from around the world is fundamental to that progress,” said Brian Behlendorf, executive director at OpenSSF. “We’ve never had more support or focus on building, sustaining, and securing the software that underpins all of our lives, and we’re happy to be the neutral forum where this can happen.”
New Premier Member commitments come from 1Password, Citi, Coinbase, Huawei Technologies, JFrog, and Wipro. New General Member commitments come from Accuknox, Alibaba Cloud, Block, Inc, Blockchain Technology Partners, Catena Cyber, Chainguard, Cloudsmith, DeployHub, MongoDB, NCC Group, ReversingLabs, Spotify, Teleport, and Wingtecher Technology. New Associate Members include MITRE and OpenUK. For a complete review of the OpenSSF member roster, please visit: https://openssf.org/about/members/
These commitments come on the heels of the recent White House Open Source Security Summit, where the Linux Foundation and OpenSSF represented hundreds of its project communities and discussed how best to support software security and open source security posture going forward. This summit was a major milestone in the Linux Foundation’s engagement with the public sector and underscored its position supporting not only the projects it hosts but all of the world’s most critical open source infrastructure.
Since the OpenSSF announced initial commitments in October, the community has continued to advance the OpenSSF mission. Some selected highlights include:
OpenSSF also recently announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. It is initially supported by Microsoft and Google with a combined investment of $5 million. The Project improves global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.
Scorecards is an OpenSSF project that helps open source users understand the risks of the dependencies they consume. OpenSSF members GitHub and Google recently announced Scorecards v4, which includes Scorecards GitHub Workflow Action to automate the identification of how changes to a project affected its security. It also includes License Check to detect the presence of a project license and Dangerous-Workflow check to detect dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows. The Scorecards project has also increased the scale of scans from 50,000 projects to one million projects. These software projects are identified as most critical based on their number of direct dependencies, giving a more detailed view of the ecosystem and strengthening supply chain security as users see improved coverage of their dependencies.
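The Dangerous-Workflow check described above looks for two workflow patterns: a `pull_request_target`-triggered job that checks out the pull request's head, and a `run:` step that interpolates untrusted event fields straight into shell. The following is an added illustration of that detection logic, not Scorecard's own code; the regexes, the list of untrusted fields and the two sample workflows (one risky, one hardened by passing the value through an environment variable) are constructed for this example.

```python
"""Minimal detector for the two patterns the OpenSSF Scorecard
"Dangerous-Workflow" check reports in GitHub Actions workflows:

 1. a workflow triggered by `pull_request_target` (which runs with the base
    repository's secrets) that checks out the pull request's head ref, and
 2. a `run:` step that interpolates contributor-controlled pull-request
    fields with `${{ github.event... }}` directly into the shell script.

Added example, not Scorecard's code.  It is a line-oriented scanner so it
needs only the standard library; a production check should parse the YAML.
"""
import re
from dataclasses import dataclass

# Event fields an external contributor controls directly (constructed list,
# not exhaustive; Scorecard maintains a longer one).
UNTRUSTED_FIELDS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
PRT_TRIGGER_RE = re.compile(r"^\s*(on:.*|-?\s*)pull_request_target\b", re.M)
CHECKOUT_HEAD_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")
RUN_KEY_RE = re.compile(r"^\s*-?\s*run:\s*")
ANY_KEY_RE = re.compile(r"^\s*-?\s*[\w-]+:(\s|$)")


@dataclass
class Finding:
    line: int
    kind: str      # "untrusted-checkout" or "script-injection"
    detail: str


def scan_workflow(text: str) -> list:
    """Return Findings for one workflow file, in line order."""
    findings = []
    uses_prt = bool(PRT_TRIGGER_RE.search(text))
    in_run = False
    for n, line in enumerate(text.splitlines(), 1):
        # Pattern 1 only matters when the privileged trigger is in use.
        if uses_prt and CHECKOUT_HEAD_RE.search(line):
            findings.append(Finding(n, "untrusted-checkout", line.strip()))
        # Track whether we are inside a run: scalar (inline or block form);
        # any new YAML key at the start of a line ends the block.
        if RUN_KEY_RE.match(line):
            in_run = True
        elif in_run and ANY_KEY_RE.match(line):
            in_run = False
        # Pattern 2: untrusted expression expanded inside the script body.
        if in_run:
            for expr in EXPR_RE.findall(line):
                if any(expr.startswith(f) for f in UNTRUSTED_FIELDS):
                    findings.append(Finding(n, "script-injection", expr))
    return findings


# Constructed workflow that exhibits both patterns.
RISKY_WORKFLOW = """\
name: pr-greeter
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: greet
        run: |
          echo "Thanks for ${{ github.event.pull_request.title }}"
          echo "Branch ${{ github.head_ref }}"
"""

# Hardened form: unprivileged trigger, and the untrusted value reaches the
# shell only through an environment variable, i.e. as data rather than code.
HARDENED_WORKFLOW = """\
name: pr-greeter
on: pull_request
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: greet
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Thanks for $TITLE"
"""

if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, [(f.line, f.kind, f.detail) for f in scan_workflow(wf)])
```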
Sigstore recently released a project update that reported nearly 500 contributors, 3,000 commits, and over one million entries in Rekor. For more information on what is driving this adoption, please visit the Sigstore blog.
In the pursuit of encouraging wider adoption of multi-factor authentication (MFA) by developers of critical open source projects, the Securing Critical Projects Working Group coordinated the distribution of nearly 1,000 codes for free MFA tokens (graciously donated by Google and GitHub) to developers of the 100 most critical open source projects. This distribution is a small but critical step in avoiding supply chain attacks based on stolen credentials of key developers.
To join OpenSSF and/or contribute to these important initiatives, please visit: https://openssf.org/
“We’re proud to be among like-minded organizations and individuals that share a collective commitment to improving the security posture of open source software,” said Pedro Canahuati, Chief Technology Officer at 1Password. “Much of the technology we use today is built on open source software. Given 1Password’s human-centric approach to building user-friendly applications, it’s important to us that its integrity and security is protected.”
“The security of open source software and its supply chain is an essential aspect to Citi. We have worked with the open source community on bolstering security in these areas, and we look forward to strengthening this mission by joining the Open Source Security Foundation,” said Jonathan Meadows, Head of Cloud & Application Security Engineering, Citibank.
“Coinbase is the world’s most trusted cryptocurrency exchange, and the security of our open source dependencies — as well as the broader crypto ecosystem — is paramount. The OpenSSF’s goals align with our own, and Coinbase is proud to be contributing to increasing the security of open source software for the benefit of all,” said Jordan Harband, Staff Developer Relations Engineer, Coinbase.
“The importance of open source software security is well recognized by the customer, industry, and government. It is time for the community to take strategic, continuous, effective, and efficient actions to advance the open source software security posture. We are very glad to see OpenSSF launching initiatives (Scorecard, Alpha-Omega, SigStore, etc.) to improve the open source software security directly,” said Dr. Kai Chen, Chief Security Strategist, Huawei. “Huawei commits to strengthen investment on cybersecurity and to maintain a global, secure and resilient open source software supply chain.”
“Open source software is the foundation of today’s modern systems that run enterprises and government organizations alike – making software part of a nation’s critical infrastructure,” said Stephen Chin, VP of Developer Relations, JFrog. “JFrog is honored to be part of OpenSSF to accelerate innovation and advancement in supply chain security. Projects coming out of OpenSSF help make JFrog’s liquid software vision a secure reality.”
“With the increasing adoption of open source software and its growing importance in enabling innovation and transformation comes commensurate cybersecurity risks. The community needs a concerted effort to address them. We are excited to join the governing board of OpenSSF to collaborate with other members on defining and building a set of solutions, frameworks, and best practices to help ensure the integrity of the open source software supply chain, and to contribute our domain expertise, breadth of resources, and global reach to this important effort,” said Subha Tatavarti, CTO, Wipro Limited.
“In the Shift Left, DevSecOps, developer-led adoption of security tools and platforms, an open source-led approach is imperative. We are thrilled to see OpenSSF launching path-breaking initiatives to help end-users and technology providers harness the power of open source and contribute to the collective knowledge capital,” said Nat Natraj, co-founder, CEO, AccuKnox.
“Open Source software has become a key software supply chain of IT, and Open Source software security has a huge impact on infrastructure security. Alibaba Cloud, as the world’s leading cloud vendor that always puts security and data privacy as the priority, keeps investing in security research. For a long time, the public has felt that open source software is very safe because of transparency: all software developers can review the code, find and fix vulnerabilities. But in fact, there is much widely used open-source software that may still have security bugs that have gone unnoticed for a long time. It is great to have an organization like OpenSSF, which can connect so many great companies and open source communities to advance open source security for all. As a member of the Open Source Security Foundation, we’re looking forward to collaborating with OpenSSF to strengthen Open Source security,” said Xin Ouyang, Head of Alibaba Cloud Security, Alibaba Cloud.
“Block is very excited to join with other industry leaders to help step up the quality of open source security. I strongly believe that as an industry, it is our priority to address security concerns in a supply chain that we all use. We may compete on products, but we should never compete on security, and OSSF is a fantastic example of this idea,” said Jim Higgins, CISO of Block.
“Open source software is mainstream and underpins much of the world’s critical infrastructure as well as powering enterprises across the globe. Against this backdrop, OpenSSF’s mission to secure the open source supply chain is fundamental to our future,” said Duncan Johnston-Watt, CEO and Co-founder of Blockchain Technology Partners. “Collaboration is key to OpenSSF’s success, and so we are delighted to contribute to this initiative which complements our existing involvement in the Hyperledger Foundation, CNCF, and LF Energy.”
“Open source leads to a massive sharing of knowledge. Beyond the quantity of information, the quality of it becomes important to bring value to society,” said Philippe Antoine, CEO of Catenacyber. “We are glad to join OpenSSF to contribute to improving the cybersecurity of open source projects through fuzzing and other means. Let’s fix all the bugs!”
“Making the software lifecycle secure by default is increasingly critical as open source has become the digital backbone of the world. A vibrant, open software security ecosystem is essential to that mission. We are excited to be members of the Open Source Security Foundation and to continue working with the community to make the software lifecycle secure by default,” said Tracy Miranda, head of open source at Chainguard.
“Having a single source of truth for software artifacts has never been more vital to supply chains, especially for the open-source community. OSS engineers need trust and provenance, and a trusted source for secure end-to-end software delivery, from build through to production. At Cloudsmith, our mission is to evolve the cloud-native supply chain, making it simple for the OSS community to secure their software delivery at scale through Continuous Packaging. We are thrilled to join OpenSSF, and we look forward to being part of the continued mission to improve the security posture of open source software universally,” said Alan Carson, CEO at Cloudsmith.
“At DeployHub, we have been laser-focused on tracking the consumption of microservices, including their versions. These relationships make up our new application-level Software Bill of Materials (SBOMs). There is no better place to have this supply chain conversation than the OpenSSF,” explains Tracy Ragan, CEO, DeployHub.
“As all industries increasingly rely upon open source software to deliver digital experiences, it is our collective responsibility to help maintain a vibrant and secure ecosystem,” said Lena Smart, Chief Information Security Officer, MongoDB. “You can have all the tools in the world, but at the end of the day, it is people across multiple organizations around the world working together that will ensure an expansive cybersecurity program. One of MongoDB’s values is “Build Together,” and we’re excited to join and further cross-industry collaboration to move the security of open source software forward.”
“Even if your code is perfectly secure, chances are it has vulnerable dependencies. And the number of unpatched vulnerabilities “in the wild” outpaces the speed at which the security community can patch or even identify them. Security, as it is practiced now, doesn’t scale at the rate needed to keep things at least as secure as they were yesterday, and we have compelling reasons to expect this to get even worse for defenders. However, through harnessing dedicated investment and coordinating industry-wide efforts to improve the security of the most critical open source components and find scalable interventions for the entire ecosystem, we have an opportunity to improve software security at a massive scale. But we can only do this together, and it is for this reason that NCC Group is excited to contribute to the work of OpenSSF,” said Jennifer Fernick, SVP & Global Head of Research at cybersecurity consulting firm NCC Group.
“The software supply chain has become a major risk vector for new threats, including those from the open source ecosystem. The inherent dependencies and complexities of the modern software supply chain means that companies often lack visibility and the ability to track each component through the entire software development process. Recognizing these challenges, ReversingLabs is pleased to join the OpenSSF and offer its contributions to the community that help drive the automation of more comprehensive software bills of material and mitigate software supply chain and package release risks,” said Mario Vuksan, CEO and Co-founder, ReversingLabs.
“As a technical community we all have a responsibility to improve the security and trust of an open source ecosystem that so many of us rely upon. Spotify has always relied on open source software, and contributes to the community through projects like Backstage. We believe open source software forms the backbone of our industry and we look forward to supporting the foundation’s goal of ensuring everyone can depend on a healthy and secure software ecosystem,” said Tyson Singer, VP, Head of Technology and Platforms at Spotify.
“The complexity of modern infrastructure has broadened attack surface areas to the point where data breaches are just about an everyday occurrence,” said Ev Kontsevoy, CEO of Teleport. “These risks have been exacerbated by the rise of remote and hybrid workplaces. With an eye on global attacks, the open source community’s commitment to improving open source security is critical to ushering in a new era of computing. Offering a solution to increase security, ease usability, and help scale enterprise development access, Teleport is pleased to be a part of the OpenSSF.”
“As a fast-growing startup, Wingtecher focuses on exploring the technologies that secure various kinds of open source software. We are excited to join OpenSSF and ready to collaborate with the community to overcome the emerging open source security challenges worldwide,” said Vincent Li, COO, Wingtecher Technology.
Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: https://openssf.org/
Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members, and it is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. The Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
###
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
Jennifer Cloer
503-867-2304
The post Open Source Security Foundation Attracts New Commitments, Advances Key Initiatives in Weeks Since White House Security Summit appeared first on Linux Foundation.
Start tinkering with the open hybrid cloud by using DevStack to create a local OpenStack installation on a spare server or laptop.
LF Edge furthers innovation at the open source edge across a unified ecosystem, with induction of Edge Gallery, an open-source MEC edge computing project, and adds leading innovator American Tower as Premiere member and Ritsumeikan University as new Associate member
SAN FRANCISCO — February 28, 2022 – LF Edge, an umbrella organization within the Linux Foundation that aims to establish an open, interoperable framework for edge computing independent of hardware, silicon, cloud, or operating system, today announced American Tower has joined the project as a Premier member. Additionally, the project announced Edge Gallery has joined the umbrella as a Stage 1 project, RITSUMEIKAN University has joined as an Associate member, and the community issued its 2021 Annual Report.
American Tower, a global leading infrastructure provider of wireless, data center, and interconnect solutions to enable a connected world, joins other existing LF Edge Premiere members: Altran, Arm, AT&T, AVEVA, Baidu, Charter Communications, Dell Technologies, Dianomic, Equinix, Ericsson, F5, Fujitsu, Futurewei, HP, Huawei, Intel, IBM, NTT, Radisys, RedHat, Samsung, Tencent, VMware, Western Digital, ZEDEDA.
“We are pleased to see even more leading technology innovators joining as LF Edge members,” said Arpit Joshipura, general manager, Networking, Edge and IOT, the Linux Foundation. “The proliferation of new technologies joining collaborative innovation at the open source edge means scalability, interoperability, and market innovation is happening across the ecosystem.”
About American Tower
American Tower, one of the largest global REITs, is a leading independent owner, operator and developer of multitenant communications real estate with a portfolio of approximately 219,000 communications sites. For more information about American Tower, please visit americantower.com.
“We are excited to join LF Edge and their members to accelerate innovation, enabled by edge network architecture. A distributed model, positioning critical data closer to the user, provides the low-latency infrastructure to deliver the automation, performance, and cognitive insight required by manufacturing, healthcare, transportation, and more.” – Eric Watko, Vice President, Product Line Management, American Tower.
American Tower is joined by new Associate member RITSUMEIKAN University, a private university in Kyoto, Japan, that traces its origin to 1869. Besides the Kinugasa Campus in Kyoto, the university also has satellite campuses, the Biwako-Kusatsu Campus and the Osaka-Ibaraki Campus. Ritsumeikan University is known as one of western Japan’s four leading private universities.
EdgeGallery Joins LF Edge Umbrella
Celebrating its two-year mark as an umbrella project, LF Edge welcomes its tenth project, Edge Gallery. Edge Gallery is an open-source MEC edge computing project initiated by Huawei, carriers, and vertical industry partners that joined the Linux Foundation in late 2021. Its purpose is to build a common edge computing platform that meets the “connection + computing” characteristics of the telecom industry, standardize the openness of network capabilities (especially 5G network capabilities), and simplify lifecycle processes such as MEC application development, test, migration, and running.
EdgeGallery joins the nine existing projects – Akraino, Baetyl, Fledge, EdgeX Foundry, Home Edge, Open Horizon, Project EVE, Secure Device Onboard (SDO) and State of the Edge – that support emerging edge applications across areas such as non-traditional video and connected things that require lower latency, and faster processing and mobility. LF Edge helps unify a fragmented edge market around a common, open vision for the future of the industry.
LF Edge 2021 Annual Report
The LF Edge community also issued a report of its progress and results from the past year. The “LF Edge 2021 Annual Report” summarizes key highlights (including blueprints, deployments and momentum) from the Governing Board, Technical Advisory Board, Outreach Committee and General Manager. To download the report, visit: https://www.lfedge.org/resources/publications/.
More details on LF Edge, including how to join as a member, details on specific projects and other resources, are available here: www.lfedge.org.
About The Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. The Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
# # #
The post American Tower Joins LF Edge as Premiere Member, Community Adds EdgeGallery to Project Roster appeared first on Linux Foundation.