Warning: Undefined array key "HTTP_ACCEPT_LANGUAGE" in /home/u596154002/domains/usbusinessreviews.com/public_html/wp-includes/load.php on line 2057

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the rank-math domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u596154002/domains/usbusinessreviews.com/public_html/wp-includes/functions.php on line 6114
White House joins OpenSSF and the Linux Foundation in securing open-source software - Best Business Review Site 2024

White House joins OpenSSF and the Linux Foundation in securing open-source software

[ad_1]

Securing the open-source software supply chain is a huge deal. Last year, the Biden administration issued an executive order to improve software supply chain security. This came after the Colonial Pipeline ransomware attack shut down gas and oil deliveries throughout the southeast and the SolarWinds software supply chain attack. Securing software became a top priority. In response, The Open Source Security Foundation (OpenSSF) and Linux Foundation rose to this security challenge. Now, they’re calling for $150 million in funding over two years to fix ten major open-source security problems.

They’ll need every penny of it and more.

The government will not be paying the freight for these changes. $30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMWare. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million

At the White House press conference, OpenSSF general manager Brian Behlendorf said, “I want to be clear: We’re not here to fundraise from the government. We did not anticipate needing to go directly to the government to get funding for anyone to be successful.”

Here are the ten goals the open-source industry is committed to meeting.

  1. Security Education: Deliver baseline secure software development education and certification to all.

  2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.

  3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.

  4. Memory Safety: Eliminate root causes of many vulnerabilities through the replacement of non-memory-safe languages.

  5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.

  6. Better Scanning: Accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.

  7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.

  8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.

  9. Software Bill of Materials (SBOMs): Everywhere Improve SBOM tooling and training to drive adoption.

  10. Improved Supply Chains: Enhance the 10 most critical open-source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.

I’ll go into more detail about those in later stories, but even at a glance, this is a massive undertaking. For instance, C, which is core to the Linux kernel, the most important of all open-source projects, has many vulnerabilities within it. While the memory-safe Rust language is now being used in Linux, it’s years, decades away, from replacing C in Linux’s over 27.8 million lines of code. Indeed, I doubt we’ll ever see all of Linux’s C code replaced by Rust. 

We’re already close to solving some of the others. The open-source security company Chainguard is calling on the software industry to standardize on Sigstore. Sigstore enables developers to securely sign software artifacts such as release files, container images, binaries, bills of material manifests. and more. This Linux Foundation project is backed by Google, Red Hat, and Purdue University.

Sigstore has several great features. These include:

  • Sigstore’s keyless signing gives a great developer experience and removes the need for painful key management.

  • Sigstore’s public transparency log (Rekor) and APIs mean Kubernetes consumers may easily verify signed artifacts.

  • Sigstore’s use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm Charts, configuration files, and policy bundles) and OpenID Connect (OIDC), means it integrates seamlessly with other tools and services.

  • The active, open-source, vendor-neutral Sigstore community gives confidence that the project will be rapidly adopted and become a de-facto industry standard.

Indeed, Kubernetes has already adopted Sigstore. In brief, it makes it simple to adopt a secure digital signature for your code. Then, the programmers who use your code can be sure it really is the code they want and can trust.

This is essential. As Stephen Chin, software chain security company JFrog VP of Developer Relations, said, “While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories.”

Of course, there will always be bugs. As Behlendorf said, “Software will never be perfect. The only software that doesn’t have any bugs is software with no users.”

Related Stories:

[ad_2]

Source link

slot gacor slot gacor togel macau slot hoki bandar togel slot dana slot mahjong link slot link slot777 slot gampang maxwin slot hoki slot mahjong slot maxwin slot mpo slot777 slot toto slot toto situs toto toto slot situs toto situs toto situs toto situs toto slot88 toto slot slot gacor thailand slot bet receh situs toto situs toto slot toto slot situs toto situs toto situs toto situs togel macau toto slot slot demo slot pulsa slot pragmatic situs toto deposit dana 10k surga slot toto slot link situs toto situs toto slot situs toto situs toto slot777 slot gacor situs toto slot slot pulsa 10k toto togel situs toto slot situs toto slot gacor terpercaya slot dana slot gacor pay4d agen sbobet kedai168 kedai168 deposit pulsa situs toto slot pulsa situs toto slot pulsa situs toto situs toto situs toto slot dana toto slot situs toto slot pulsa toto slot situs toto slot pulsa situs toto situs toto situs toto toto slot toto slot slot toto akun pro maxwin situs toto slot gacor maxwin slot gacor maxwin situs toto slot slot depo 10k toto slot toto slot situs toto situs toto toto slot toto slot toto slot toto togel slot toto togel situs toto situs toto toto slot slot gacor slot gacor slot gacor situs toto situs toto cytotec toto slot situs toto situs toto toto slot situs toto situs toto slot gacor maxwin slot gacor maxwin link slot 10k slot gacor maxwin slot gacor slot pulsa situs slot 10k slot 10k toto slot toto slot situs toto situs toto situs toto bandar togel 4d toto slot toto slot