Linux network services: How to start, stop, and check their status

Learn how to use the systemd command to manage your network services.

Read More at Enable Sysadmin

How to set up Nginx on OpenShift and AWS ROSA

Use OpenShift’s Source to Image (S2I) to create a web application on OpenShift, with or without a cloud platform such as Red Hat OpenShift on AWS (ROSA).

Read More at Enable Sysadmin

Brian Behlendorf Testifies on Open Source Software Security to the US House Committee on Science and Technology

This post originally appeared on OpenSSF’s blog

On Wednesday, May 11, 2022, Brian Behlendorf, OpenSSF General Manager, testified to the United States House of Representatives Committee on Science, Space, and Technology. Brian’s testimony shares the work being done within the Open Source Security Foundation and broader open source software community to improve security and trustworthiness of open source software.

A copy of Brian’s written remarks is below and linked here (PDF). Visit the Committee’s website to view a recording of the hearing.

Also testifying at the hearing were:

Ms. Lauren Knausenberger, Chief Information Officer, Department of the Air Force
Ms. Amélie Erin Koran, Non-Resident Senior Fellow, The Atlantic Council
Dr. Andrew Lohn, Senior Fellow, Center for Security and Emerging Technology, Georgetown University

May 9th, 2022 

The Honorable Eddie Bernice Johnson, Chairwoman
The Honorable Frank Lucas, Ranking Member
Committee on Science, Space, and Technology
2321 Rayburn House Office Building
Washington, DC 20515-6301 

Dear Chairwoman Johnson, Congressman Lucas, and distinguished members of the Committee on Science, Space and Technology, 

Thank you for your invitation to address you today, and the opportunity to share with you the work being done within the Open Source Security Foundation and the broader open source software community to raise the level of security and trustworthiness of open source software. 

What are the consequences of insecure open-source software and what is industry as a whole, and the Open Source Security Foundation in particular, doing to tackle such vulnerabilities? 

Open source software (“OSS”) has become an integral part of the technology landscape, as inseparable from the digital machinery of modern society as bridges and highways are from the physical equivalent. According to one report, typically 70% to 90% of a modern application “stack” consists of pre-existing OSS, from the operating system to the cloud container to the cryptography and networking functions, sometimes up to the very application running your enterprise or website. Thanks to copyright licenses that encourage no-charge re-use, remixing, and redistribution, OSS encourages even the most dogged of competitors to work together to address common challenges, saving money by avoiding duplication of effort, moving faster to innovate upon new ideas and adopt emerging standards. 

However, this ubiquity and flexibility can come at a price. While OSS generally has an excellent reputation for security, the developer communities behind those works can vary significantly in their application of development practices and techniques that can reduce the risk of a defect in the code, or in responding quickly and safely when one is discovered by others. Often, developers trying to decide what OSS to use have difficulty determining which ones are more likely to be secure than others based on objective criteria. Enterprises often don’t have a well-managed inventory of the software assets they use, with enough granular detail, to know when or if they’re vulnerable to known defects, and when or how to upgrade. Even those enterprises who may be willing to invest in increasing the security of the OSS they use often don’t know where to make those investments, nor their urgency relative to other priorities. 

There are commercial solutions to some of these problems. There are vendors like Gitlab or Red Hat who sell support services for specific open source software, or even entire aggregate distributions of OSS. There are other vendors, like Snyk and Sonatype, who sell tools to help enterprises track their use of OSS and flash an alert when there is a new critical vulnerability in software running deep inside an enterprise’s IT infrastructure.

However, fighting security issues at their upstream source – trying to catch them earlier in the development process, or even reduce the chances of their occurrence at all – remains a critical need. We are also seeing new kinds of attacks that focus less on vulnerabilities in code, and more on the supply chain itself – from rogue software that uses “typosquatting” on package names to insert itself unexpectedly into a developer’s dependency tree, to attacks on software build and distribution services, to developers turning their one-person projects into “protest-ware” with likely unintended consequences. 

To address the urgent need for better security practices, tools, and techniques in the open source software ecosystem, a collection of organizations with deep investments into the OSS ecosystem came together in 2020 to form the Open Source Security Foundation, and chose to house that effort at the Linux Foundation. This public effort has grown to hundreds of active participants across dozens of different public initiatives housed under 7 working groups, with funding and partnership from over 75 different organizations, and reaching millions of OSS developers. 

The OpenSSF’s seven working groups are: 

Best Practices for Open Source Developers: This group works to provide open source developers with best practices recommendations, and easy ways to learn and apply them. Among other things, this group has developed courseware for teaching developers the fundamentals of secure software development, and implements the OpenSSF Best Practices Badge program. 
Securing Critical Projects: This group exists to identify and help to allocate resources to secure the critical open source projects we all depend on. Among other things, this has led to a collaboration with Harvard Business School to develop a list of the most critical projects. 
Supply Chain Integrity: This group is helping people understand and make decisions on the provenance of the code they maintain, produce and use. Among other things, this group has developed a specification and software called “SLSA”, for describing and tracking levels of confidence in a software supply chain. 
Securing Software Repositories: This group provides a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure software repositories, which are key points of leverage for security practices and the promotion to developers of more trustworthy software. 
Identifying Security Threats in Open Source Projects: This group enables informed confidence in the security of OSS by collecting, curating, and communicating relevant metrics and metadata. For example, it is developing a database of all known security reviews of OSS. 
Security Tooling: This group’s mission is to provide the best security tools for open source developers and make them universally accessible. Among other activities, this group has released code to better enable a security testing technique called “fuzzing” among open source projects. 
Vulnerability Disclosures: This group is improving the overall security of the OSS ecosystem by helping advance vulnerability reporting and communication. For example, this group has produced a Guide to Coordinated Vulnerability Disclosure for OSS.

There are also a series of special projects under the OpenSSF worthy of special mention: 

Project sigstore: an easy-to-use toolkit and service for signing software artifacts, ensuring that the software you are holding is the same as what the developer intended, addressing a wide array of supply chain attacks. 
The Alpha-Omega Project: an effort to systematically search for new vulnerabilities in open source code, and work with critical open source projects to improve their vulnerability handling and other security practices. 
The GNU Toolchain Initiative: this effort supports the build ecosystems for perhaps the most critical set of developer libraries and compilers in the world, the GNU Toolchain, as a means to ensure its safety and integrity. 

All the above efforts are public-facing and developed using the best practices of open source software communities. Funding from our corporate partners goes towards supporting the core staff and functions that enable this community, but all the substance comes from voluntary efforts. In some cases funds flow to assist with specific efforts – for example, recently the Alpha-Omega project decided to allocate funding towards the NodeJS community to augment its security team with a part-time paid employee and to fund fixes for security issues. 

The Linux Foundation has also begun to adapt its “LFX” platform, a set of services designed to support the open source communities hosted by the Foundation, to incorporate security-related data such as vulnerability scans from Snyk and BluBracket, along with information from the OpenSSF Best Practices Badge program and the OpenSSF Security Scorecards initiative, to provide a unified view of the security risks in a particular collection of open source code, and what maintainers and contributors to those projects can do to improve those scores and reduce those risks. We expect to see more kinds of risk-related data coming into a unified view like this, helping developers and enterprises make better decisions about what open source components and frameworks to use, and how to reduce risk for those components they depend upon. 

Guiding all of this is a deep conviction among the OpenSSF community that while there are many different ways in which security issues manifest themselves in the OSS ecosystem, every one of them is addressable, and that there are lots of opportunities for investment and collective action that will pay a return many times over in the form of lower risk of a future major vulnerability in a widely-used package, and lesser disruption if one is discovered. 

Other efforts at the Linux Foundation include “Prossimo”, an effort focused on moving core Internet-related services to “memory-safe” languages like Rust, Go, or Java, which would eliminate an entire category of vulnerabilities that other languages allow too easily. Another is the SPDX standard for Software Bill of Materials (“SBOMs”), addressing the needs identified by White House Executive Order 14028 in a vendor-neutral and open way. 

This is by no means a comprehensive list of all such efforts in the OSS ecosystem to improve security. Every OSS foundation either has a security team in operation today or is scrambling to identify volunteers and funding to establish one. There is a greater emphasis today than I’ve seen in my 30 years of using and contributing to OSS (since before it was called OSS) on the importance of such efforts. Clear metrics for progress are elusive since we lack clear metrics for evaluating software risk; in fact developing ways to measure and represent that risk is a key priority for OpenSSF. We will never see a time when open source software is free from security defects, but we are getting better at determining the tools and techniques required to more comprehensively address the risk of vulnerabilities in open source code. Scaling up those tools and techniques to address the tens of thousands of widely used OSS components and to get them more quickly updated remains a challenge. 

How can the Federal government improve collaboration with industry to help secure open-source software? 

I’ll focus here on principles and methods for collaboration that will lead to more secure OSS, and then for question 3 on specific opportunities to collaborate on. 

First, focus on resourcing long-term personal engagements with open source projects. 

Over the last few years, we have seen a healthy degree of engagement by the Federal government with OSS projects and stakeholders on the topic of improving security. The push established by Executive Order 14028 for the adoption of SBOMs aligned nicely with the standardization and growing adoption of the SPDX standard by a number of OSS projects, but it was aided substantially by the involvement of personnel from NIST, CISA, and other agencies engaging directly with SPDX community members. 

Often the real secret to a successful OSS effort is in the communities of different stakeholders that come together to create it – the software or specification is often just a useful byproduct. The Federal government, both through its massive use of open source code and the role that it traditionally performs in delivering and protecting critical infrastructure, should consider itself a stakeholder, and like other stakeholders prioritize engagement with upstream open source projects of all sizes. That engagement need not be so formal; most contributors to open source projects have no formal agreement covering that work aside from a grant of intellectual property in those contributions. But as they say, “history is made by those who show up.” If the IT staff of a Federal agency (or of a contractor under a Federal contract) were authorized and directed to contribute to the security team of a critical open source project, or to addressing known or potential security issues in important code, or to participating in an OpenSSF working group or project, that would almost certainly lead to identifying and prioritizing work that would result in enhanced security in the Federal government’s own use of open source code, and likely to upstream improvements that make OSS more secure for everyone else. 

Second, engage in OSS development and security work as a form of global capacity building, and in doing so, in global stability and resilience. OSS development is inherently international and has been since its earliest days. Our adversaries and global competitors use the same OSS that we do, by and large. When our operating systems, cloud containers, networking stacks and applications are made to be more secure, there are fewer chances for rogue actors to cause disruption, and that can make it harder to de-escalate tensions or protect the safety of innocent parties. Government agencies in France, Taiwan, and more have begun to establish funded offices focused on the adoption, development, and promotion of OSS, in many ways echoing the Open Source Program Offices being set up by companies like Home Depot and Walmart or intergovernmental agencies like the WHO. The State Department in recent years has funded the development of software like Tor to support the security needs of human rights workers and global activists. The Federal government could use its convening authority and statecraft to bring like-minded activities and investment together in a coordinated way more effectively than any of us in the private sector can. 

Third, many of the ideas for improving the security of OSS involve establishing services – services for issuing keys to developers like Project sigstore does, or services for addressing the naming of software packages for SBOMs, or services for collecting security reviews, or providing a comprehensive view of the risk of open source packages. Wherever possible, the Federal government should avoid establishing such services itself when suitable instances of such services are being built by the OSS community. Instead of owning or operating such services directly, the Federal Government should provide grants or other resources to operators of such services as any major stakeholder would. Along similar lines, should the Federal government fund activities like third party audits of an open source project, or fund fixes or improvements, it should ensure not only that such efforts don’t duplicate work already being done, but also that the results of that work are shared (with a minimum of delay) publicly and upstream so that everyone can benefit from that investment. 

These three approaches to collaboration would have an outsized impact on any of the specific efforts that the Federal government could undertake. 

Where should Congress or the Administration focus efforts to best support and secure the open-sourced software ecosystem as a whole? 

The private sector and the Federal government have a common cause in seeing broad improvements in the security of OSS. I’m happy to share where I see the private sector starting to invest in enhanced OSS security, in the hopes that this may inspire similar actions from others. 

Education. Very few software developers ever receive a structured education in security fundamentals, and often must learn the hard way about how their work can be attacked. The OpenSSF’s Secure Software Fundamentals courses are well regarded and themselves licensed as open source software, which means educational institutions of all kinds could deliver the content. Enterprises could also start to require it of their own developers, especially those who touch or contribute to OSS. There must be other techniques for getting this content into more hands and certifications against it into more processes. 
Metrics and benchmarks. There are plenty of efforts to determine what are suitably objective metrics for characterizing the risks of OSS packages. But running the cloud systems to perform that measurement across the top 100,000 or even 10,000 open source projects may cost more than what can be provided for free by a single company, or may be fragile if only provided by a single vendor. Collective efforts funded by major stakeholders are being planned for now, and governments as a partner to that would not be turned away. 
Digital signatures. There is a long history of U.S. Government standards for identity proofing, public key management, signature verification, and so on. These standards are very sophisticated, but in open source circles, often simplicity and support are more important. This is pulling the open source ecosystem towards Project sigstore for the signing of software artifacts. We would encourage organizations of all sorts to look at sigstore and consider it for their OSS needs, even if it may not be suitable for all identity use cases. 
Research and development investments into memory-safe languages. As detailed above, there are opportunities to eliminate whole categories of defects for critical infrastructure software by investing in alternatives written in memory-safe languages. This work is being done, but grants and investments can help accelerate that work. 
Fund third-party code reviews for top open source projects. Most OSS projects, even the most critical ones, never receive the benefit of a formal review by a team of security experts trained to review code not only for small bugs that may lead to big compromises, but to look at architectural issues and even issues with the features offered by the software in the search for problems. Such audits vary tremendously in cost based on the complexity of the code, but an average for an average-sized code base would be $150K-250K. Covering the top 100 OSS projects with a review every other year, or even 200 every year, seems like a small price compared to the costs on US businesses to remedy or clean up after a breach caused by just one bug. 
Invest into better supply chain security support in key build systems, package managers, and distribution sites. This is partly about seeing technologies like SBOMs, digital signatures, specifications like SLSA and others built into the most widely used dev tools so that they can be adopted and meaningfully used with a minimum of fuss. Any enterprise (including the Federal government) that has software certification processes based on the security attributes of software should consider how those tools could be enhanced with the above technologies, and automate many processes so that updates can be more frequent without sacrificing security. 

These activities, if done at sufficient scale, could dramatically lower the risks of future disruptive events like we have seen. As a portfolio of different investments and activities they are mutually reinforcing, and none of them in isolation is likely to have much of a positive impact. Further econometrics research could help quantify the specific reduction of risk from each activity. But I believe that each represents a very cost-effective target for enhancing security in OSS no matter who is writing the check. 

Thank you again for the opportunity to share these thoughts with you. I look forward to answering any questions you may have or providing you with further information. 

Sincerely,

Brian Behlendorf
General Manager, Open Source Security Foundation
The Linux Foundation
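The testimony above names typosquatting on package names as one of the supply-chain attacks that bypass code-level vulnerability hunting. The following is an added example, not part of the testimony and not a tool of OpenSSF or any registry: it flags requested dependency names that sit within one edit, or one adjacent-character swap, of a well-known package. The allowlist of popular package names and the sample requirements list are constructed for illustration only.

```python
"""Flag dependency names that look like typosquats of well-known packages.

Added example; not part of the testimony or of any OpenSSF tool. The
popular-package allowlist below is constructed for illustration and is not
a registry dump.
"""
import re

# Constructed allowlist of well-known package names (illustrative only).
POPULAR_PACKAGES = {
    "requests", "urllib3", "numpy", "pandas", "cryptography",
    "setuptools", "pyyaml", "django", "flask", "boto3",
}


def normalize(name: str) -> str:
    """Canonical form: lowercase, with runs of '-', '_' and '.' collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_swap_variant(a: str, b: str) -> bool:
    """True if a and b differ only by one transposition of adjacent characters."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) != 2 or diffs[1] != diffs[0] + 1:
        return False
    i, j = diffs
    return a[i] == b[j] and a[j] == b[i]


def suspicious_packages(requested, popular=POPULAR_PACKAGES, max_distance=1):
    """Return (requested_name, lookalike) pairs for names close to a popular package.

    Exact matches (after normalization) are legitimate and skipped; anything else
    within max_distance edits, or one adjacent swap, of a popular name is flagged.
    """
    popular_norm = {normalize(p): p for p in popular}
    findings = []
    for name in requested:
        n = normalize(name)
        if n in popular_norm:
            continue
        for pn, original in popular_norm.items():
            if edit_distance(n, pn) <= max_distance or is_swap_variant(n, pn):
                findings.append((name, original))
                break
    return findings


if __name__ == "__main__":
    # Constructed requirements list mixing legitimate and lookalike names.
    deps = ["requests", "reqeusts", "urlib3", "numpy",
            "pandsa", "crypt0graphy", "django-extras"]
    for bad, real in suspicious_packages(deps):
        print(f"{bad!r} looks like {real!r}")
```

A distance threshold of one plus the transposition check catches the common misspellings without flagging every short name against every other; "django-extras" is left alone because it is far from "django" and legitimately distinct. A real check would load the allowlist from a registry's download statistics and run it in CI against the lockfile.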

The post Brian Behlendorf Testifies on Open Source Software Security to the US House Committee on Science and Technology appeared first on Linux Foundation.

In Memory of Shubhra Kar

This past week, we lost our dear friend, colleague, and a true champion of the open source community. Our CTO, Shubhra Kar, passed away suddenly while he was with his entire LF family at our first in-person, all-hands gathering since before the pandemic. 

Those who had the honor to work with him will know, he was a special leader and a wonderful human being. Above all, Shubhra was the kind of leader who quickly passed the credit for accomplishments to his team over himself. His humble spirit and ever-present smile were admired by all around him. He was so proud of the world class team he had built here, and did that in part with engineers who followed him from one organization to another throughout his career.

We also knew Shubhra as a selfless leader – one who was more interested in the work than the reward. At the same time, he was incredibly ambitious – wanting to build a platform that would not only transform The Linux Foundation but support open source development communities around the world. This was the week his team unveiled significant new enhancements across the LFX platform. It was a project he led from vision to reality, after many – even members of his own team – had told him the path to success was impossible. He was a transformational leader who has left his legacy here.

While he was passionate about his work and his team, he loved his family even more. In fact, his children were often spotted behind him during video calls throughout the day. He was a fantastic husband and father, and we are so grateful for his wife, son, and daughter sharing him with us. 

Sharing Memories

Our thoughts and prayers remain with Shubhra’s family in this incredibly difficult time. If you would like to leave a memorial message for Shubhra, please submit a pull request on GitHub here. His family would love to hear from you and especially appreciates stories that are shared of his life and career.

Memorial Fund

The Linux Foundation has made arrangements with the family to establish Shubhra’s memorial fund that will provide support for his family and his children’s education.  Donations can be made to the family here.

The post In Memory of Shubhra Kar appeared first on Linux Foundation.

How to troubleshoot network connectivity problems

Intermittent network connectivity errors can be hard to diagnose, especially if they happen between monitoring checks.

Read More at Enable Sysadmin

Create Impact Change with the 2022 Call for Code

I am always amazed at the impact we all have coming together, using our collective talents for good. Combining our collective brain power, skills, time, and resources produces stellar results – maybe it is better rendering management for films that entertain with mind-bending CGIs or improving automated software testing and deployment so developers can spend more time on innovation. Human ingenuity is amazing! 

Imagine our impact when we come together for good. When we see communities who need a collective leg up in life, or when we see injustice and foresee ways to balance the scale, or when we see the devastation in the wake of natural disasters and know there is a better way. We want to make the lives of everyone better – it might seem daunting, but innovation is bred from not knowing what you can’t do. 

Facilitating this drive to help is what the Call for Code® project is about. It is, “creating and deploying open source technologies to tackle some of the world’s greatest challenges.” It is about thinking beyond yourself – using your talents to help others. 

Call for Code was created by David Clark Cause with Founding Partner IBM and in partnership with United Nations Human Rights and The Linux Foundation. The goal is to inspire “developers to create practical, effective, and high-quality applications that can have an immediate and lasting impact on humanitarian issues as sustainable open source projects.” The Linux Foundation helps take the raw innovation and put in place the right tools to enable an impact across the world: instill best practices, engage external partners, provide feedback, and test them in the real world.

Call for Code 2022

The Call for Code 2022 is now open for registration. The focus this year is on sustainability. Do you have an idea to improve sustainable production, consumption, and management of resources, reduce pollution creation, and protect biodiversity? Keep reading. You don’t have a world-changing idea? Keep reading – you just might light a spark of ingenuity. 

For this year, specifically, your solution should address: carbon emissions; clean energy; supply chain transparency and traceability; water scarcity and quality; reducing waste footprints; biodiversity; food insecurity; and education access and job opportunities to further environmental justice. And, no, this isn’t just for software developers. Each well-rounded team needs builders, designers, communicators, and humanitarians.  

There is a total of $285,000 in prizes, all winners will receive open source support from The Linux Foundation, and all participants will receive a variety of support, such as IBM Cloud services, accelerators, expert webinars, mentors, and more.

Registration opened April 26, 2022 and final submissions are due October 31, 2022. Visit callforcode.org for detailed information and requirements and to register. 

Call for Code 2021 Winners

Do you still need some inspiration? Take a few minutes to read about the 2021 winners. Half of the projects focus on racial justice – and those are the ones I want to take a moment to highlight. If you see one that inspires you, click through to learn more and for ways you can contribute: 

Fair Change allows people to easily record public safety incidents in a safe and secure way with a goal of more transparency, reeducation, and reform. 

TakeTwo utilizes machine learning to highlight potentially racially insensitive language on websites you are browsing in Chrome. 

Legit-Info provides information on policy proposals at various levels of government. It communicates the potential impact without legalese and facilitates sharing opinions with policy makers. It also gives policy makers visibility into how diverse citizens will be impacted.

Open Sentencing helps public defenders understand and document any racial disparities in the judicial system.

Five Fifths Voter helps remove impediments to voting by providing information on voter registration, voter ID laws, restrictions, purging, gerrymandering, and tools that make it easier to vote, such as childcare at the voting stations.

Incident Accuracy Reporting System enables victims and witnesses to contribute to incident reports to help give law enforcement and the public a 360-degree view of events that took place at any incident. It utilizes Hyperledger blockchain to ensure transparency, trust, and that information can’t be altered. 

Truth Loop is a mobile-friendly tool to see pending legislation, learn about it, record your own story related to the legislation and its impact, and share that with policy makers.

Call for Code also has seven other projects related to natural disasters and stemming the impact of climate change, including monitoring the real-time air health for wildland firefighters, democratizing earthquake monitoring, inspecting buildings, facilitating drone canvassing and delivery of supplies following a natural disaster, and helping farmers optimize water use. Finally – they have a project, Rend-o-Matic, that enables musicians to remotely record their individual track in a composition and stitches them all together into the final, virtual performance. 

Join a Call for Code Project

Call for Code is making a difference! Are you experiencing some FOMO? Want to join in? Good news – fear no more. You can! And you don’t even have to be a technical person. Besides the need for a wide range of technical specialists, the projects can also utilize individuals for documentation, testing, design, UI/UX, legal, subject matter experts, advocacy, and community building. Just head over to our Call for Code page and help work on these projects. 

Do you have another idea around sustainability?  Register for the Call for Code 2022 now and pull together your team.  

Let’s show the world the impossible is possible.

How to configure your system to preserve system logs after a reboot

Edit your systemd-journald configuration to store journal entries for as long as you need them.

Read More at Enable Sysadmin

How to find and interpret system log files on Linux

Learn how to use rsyslog and systemd-journald to get information about what’s happening on your system.

Read More at Enable Sysadmin

3 ways to monitor time on OpenShift nodes

Learn how to monitor OpenShift nodes for NTP inaccuracies, corrections, or time drift occurrences.

Read More at Enable Sysadmin

OpenSSF Announces 15 New Members To Further Strengthen Open Source Software Supply Chain Security

Expands core working groups ahead of OpenSSF Day

SAN FRANCISCO, May 9, 2022 – The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important software supply chain security initiatives, today announced 15 new members from leading software development, cybersecurity, financial services, communications, and academic sectors.

This round of commitments is led by two new premier members, Atlassian and Sonatype, who will join the OpenSSF governing board. New general member commitments come from Arnica, Bloomberg, Comcast, Cycode, F5 Networks, Futurewei Technologies, Legit Security, Sectrend, SUSE, and Tenable.

“We are thrilled to welcome Atlassian and Sonatype, two companies who play critical roles in modern software development and security, to the OpenSSF governing board,” said Brian Behlendorf, General Manager at OpenSSF. “Open source software supply chain attacks threaten the very foundations of innovation that billions of people rely upon. Our 15 new members join a growing community of organizations, developers, researchers, and security professionals that are investing time and resources required to respond in this constantly evolving threat landscape.”

Open source software has become the foundation on which our digital economy is built. As noted in the Linux Foundation’s 2022 Software Bill of Materials (SBOM) and Cybersecurity Readiness report, 98% of organizations use open source regularly. The same study revealed that 72% of organizations are very or extremely concerned about software security. Recent vulnerabilities, such as the one impacting Log4j, have caused many organizations to prioritize software supply chain security and realize the need to be fully abreast of the open source ecosystem, as well as contributing to it. From governments to businesses, open source security has been brought to the top of the agenda as a priority issue to address and as a result, OpenSSF is seeing membership rise at a rapid pace.

The latest commitments follow a productive period for OpenSSF in which the foundation expanded its core working groups to include Securing Software Repositories. This group aims to improve cybersecurity practices where developers download open source packages most often. 

Furthermore, on June 20th, the foundation will host a full day of sessions at OpenSSF Day. Presentations, delivered by working group leaders, will include subjects such as Best Practice Badges and Other Good Practices, Three Things Your Open Source Project Must Consider, and Securing Critical Projects. The day will conclude with a panel discussion on the Future of Securing Open Source Software. Registration and attendance are free for all those attending the Open Source Summit conference.

Premier Member Quotes

Atlassian

“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be joining OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. As a premier member, we’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.” – Adrian Ludwig, Chief Trust Officer, Atlassian

Sonatype

“As the maintainers of the largest repository of open source components in Maven Central, we have a unique view into how great the demand for open source has become in recent years. However, as that demand has grown, bad actors have recognized the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this battle. Our key mission at Sonatype is to help people understand their software supply chain, and harness all of the good that open source has to offer, without any of the risk. OpenSSF and its members share a similar vision. I’m excited to play a bigger role in OpenSSF as a board member and collectively work with other members to keep open source ecosystems safe and secure, as we all figure out how to battle both new and old attacks on the community.” – Brian Fox, CTO and co-founder, Sonatype

General Member Quotes

Arnica

“Software supply chain attack vectors have consistently caught the security community off-guard. Based on Arnica’s research across all attacks since 2018, we found two consistent root causes. One, improper access management to source code and two, inability to detect abnormal behavior in the developer toolset. The journey to solve these gaps is long and we are working on perfecting each risk mitigation strategy one-by-one, starting with introducing the first-ever self-service access management for GitHub.” – Nir Valtman, Co-Founder and CEO, Arnica

Bloomberg

“We are incredibly excited to join the Open Source Security Foundation (OpenSSF), whose values of public good, openness and transparency, and diversity, inclusion, and representation, align with those of Bloomberg. As an ‘Open Source First’ organization, we greatly value open source and its use within the finance sector, and we are fully committed to helping secure the open source software supply chain, something we have invested in via an ongoing collaboration between our CTO Office and Engineering organization.” – Gavin McNay, Security Architect in Bloomberg’s CTO Office

Comcast

“Comcast is committed to open source software. We use it to build products, attract talent, and develop our technology to improve the customer experience. When it comes to open source security, everyone plays a role. We are thrilled to join OpenSSF with the global open-source community to see how we can continue to evolve to make open-source development even more secure.” – Shilla Saebi, Open Source Program Office Lead, Comcast Cable

F5 Networks

“The growth of open source usage has magnified the importance of advancing OSS supply chain security for all, which can only be achieved as a shared priority among the industry. At F5, we are committed to ensuring our customers’ apps are fast, available and secure in any environment. That is why we value the work of the Open Source Security Foundation and its participating members, and look forward to sharing our domain expertise to help advance this important work.” – Geng Lin, EVP and Chief Technology Officer, F5

Futurewei Technologies

“OpenSSF is a premier and leading organization on open source security. Futurewei is very excited to join OpenSSF, and to engage in the conversations on the important topics of open source security and sustainability. We look forward to exciting discussions and collaborations with OpenSSF.” – Chris Xie, Head of Open Source Strategy and Business Development 

Legit Security

“Legit Security is pleased to join OpenSSF to advance the security of software supply chains within the open-source ecosystem as well as giving organizations tools to secure the infrastructure that makes up the SDLC – such as pipelines and systems. Attacks on software supply chains are estimated to increase between three to six times per year and are a global threat. We look forward to working with OpenSSF to publish security research and contribute tools and code for more secure software delivery and consumption across the entire community.” – Liav Caspi, CTO of Legit Security

Sectrend

“We feel very excited to be a part of this industry-leading Open Source Security Foundation (OpenSSF). Together with other top-notch peers around the globe in various sectors under this initiative, we, Sectrend, are aiming to assist organizations of any size in addressing the security and license compliance risks from open-source software. Securing the software supply chain is very critical for every company. Within the framework of OpenSSF or the Linux Foundation, Sectrend will make a tremendous contribution to this community-driven process in tooling, training, research, best practices, and consulting. Beyond Security, More than Open Source.” – Alex Xue, CEO, Sectrend

SUSE

“According to recent research in an Economist Impact survey, 95% of organizations are practicing open innovation, demonstrating how open source software is critical to businesses’ infrastructure and applications. With this comes the need for software to be secure, which is why SUSE takes a proactive stance against security and compliance risks, leveraging tools for full lifecycle security including vulnerability management, CI/CD pipeline security, run-time security and government security certifications. SUSE is joining OpenSSF to further collaborate with the efforts to ensure the security of the open source software supply chain.” – Brent Schroeder, Head of SUSE’s Office of the CTO

Tenable

“We’re proud to be part of OpenSSF and join so many industry peers who understand the critical importance of securing open-source software and its associated supply chain. Log4j showed the world how pervasive OSS use is and how vulnerable it can be if the proper development and controls are not put in place to protect it. Tenable’s commitment to increasing visibility in attack surfaces includes shifting left to secure software development and helping organizations understand where the risks are throughout their systems.” – Glen Pendley, CTO, Tenable

The foundation also announced new Associate Members, including the Eclipse Foundation, China Academy of Information and Communications Technology (CAICT) and Chinese Academy of Sciences (ISCAS). 

Additional Resources

View the complete list of the OpenSSF members

Attend OpenSSF Day at the Linux Foundation’s Open Source Summit on June 20

Contribute efforts to one or more of the active OpenSSF working groups

Read the OpenSSF and Harvard’s Census II Report, shedding light on the most commonly used FOSS packages at the application library level

About OpenSSF

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: https://openssf.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members, and the Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. The Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, ONAP, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at: linuxfoundation.org

Media Contacts

Babel for OpenSSF

openssf@babelpr.com

The post OpenSSF Announces 15 New Members To Further Strengthen Open Source Software Supply Chain Security appeared first on Linux Foundation.