
Interview with Keycloak Contributor, Takashi Norimatsu of HITACHI OSS Group

Jason Perlow, Editorial Director of Linux Foundation Research, spoke with HITACHI’s Takashi Norimatsu about the Keycloak project, an open source identity access and management platform.

JP: Greetings, Norimatsu-san. Can you tell me a bit about yourself, where in Japan you live, and what your prior experience with information systems is? Can you tell me how you became an OSS maintainer at HITACHI? Is it part of your regular responsibilities at the company, or is it something you do as a best effort?

Hello, Norimatsu-san. I would like to ask a little about yourself. Where do you currently live? What kind of work did you do in the IT field before your current job? How did you become a maintainer of open source software (OSS) while being an employee of Hitachi, Ltd.? And is your work as a maintainer done as part of your duties at the company?

TN: Thank you for the interview. I live in Yokohama, the 2nd largest city in Japan by population, about 35km southwest of Tokyo, Japan’s capital.

I have been engaged in developing several kinds of equipment and systems, such as firmware for communication equipment and its operation software, software for smart maintenance systems, and so on.

My unit in Hitachi has been encouraging me to contribute features, especially security-related ones, to Keycloak. Following this policy, I have been contributing features to the Keycloak project for several years. It seems that the existing Keycloak maintainers recognized my contributions, and I was then promoted to Keycloak maintainer.

As a result of contributing to these open source activities, my unit in Hitachi decided that I would be working as a Keycloak maintainer as my regular responsibility.

Thank you for the interview. I currently live in Yokohama. Before my current job, in the IT field I developed firmware and operation software for various kinds of communication equipment, and software for smart maintenance systems for railway equipment. My unit encourages contributions to OSS, and following that policy I have been contributing to Keycloak for several years. I believe those years of activity were recognized by the Keycloak maintainers, and that is how I became a maintainer. My unit recognizes my work as a Keycloak maintainer as part of my regular duties.

JP: So, what is Keycloak? What kind of OSS is it?

What kind of OSS is Keycloak?

TN: Keycloak is an identity and access management open source software. It can be used for single sign-on, social login, and securing API accesses. Keycloak complies with several open standards like OAuth 2.0, OpenID Connect, SAMLv2, LDAP, Kerberos, and so on.

Keycloak is OSS for identity and access management. It provides single sign-on, social login, and secure access to APIs. Keycloak complies with a variety of standard specifications; examples include OAuth 2.0, OpenID Connect, SAMLv2, LDAP, and Kerberos.

JP: Why did HITACHI decide to make contributions to Keycloak?

Why did Hitachi, Ltd. decide to contribute to Keycloak?

TN: Our team in HITACHI provides services for OSS in the security area. When we looked for an appropriate OSS for single sign-on and securing API access, we picked Keycloak because it is very easy to use without a complicated setup, and it is highly customizable so that it can be applied to a wide range of use cases.

The team I belong to provides services for OSS in the security field. When we were looking for good OSS for single sign-on and secure API access, Keycloak caught our eye. Keycloak can be run without complicated configuration, and because it allows a wide range of customization, we thought it could be applied to a variety of use cases.

JP: Why is OAuth 2.0 not sufficient for accessing APIs that require a high-security level?

For API access that requires a high level of security, why is OAuth 2.0 insufficient?

TN: OAuth 2.0 is a framework for conveying authorization information among several entities so that it can be used flexibly in a wide range of use cases. Due to its flexibility, it may introduce security holes if it is used in the wrong way. To prevent it, detailed ways of how to use OAuth 2.0 securely have been developed like Financial-grade API (FAPI) security profile. For Open Banking use cases in the world, there are several in-service ecosystems whose security profiles are based on FAPI 1.0 Advanced security profile. For example, Open Banking Security Profile in the UK, Consumer Data Right (CDR) security profile in Australia, and Open Banking Brasil Financial-grade API Security Profile 1.0 in Brazil.

OAuth 2.0 is a framework for conveying authorization information among multiple entities. Being a framework, it has a high degree of freedom and can be applied to a variety of use cases. Because of that freedom, using it in the wrong way can create security holes. To prevent this, specifications that define in detail how to use OAuth 2.0 securely are called security profiles. One example is the Financial-grade API (FAPI) Security Profile. In Open Banking use cases there are several security profiles based on FAPI; examples include the Open Banking Security Profile in the UK, the Consumer Data Right (CDR) security profile in Australia, and the Open Banking Brasil Financial-grade API Security Profile 1.0 in Brazil.

JP: How does FAPI accomplish accessing APIs that require a high-security level?

How does FAPI make API access that requires a high level of security possible?

TN: It is difficult to explain briefly because FAPI covers a wide range of technologies. However, to try to summarize it, FAPI determines precisely how to use OAuth 2.0 to assure that only the right client application can access the right API provided by the resource server.

FAPI relates to many technical areas, so it is difficult to explain in a single sentence. If I had to, I would say that FAPI defines in detail how OAuth 2.0 is to be used so that the right client application can correctly access the API.

JP: To become a maintainer of Keycloak, what kind of contribution activities did you do?

What kind of contribution activities did you do to become a Keycloak maintainer?

TN: I’ve been contributing some security features to Keycloak. Among these contributions, my main one is adding FAPI support to Keycloak. However, it takes a lot of time and effort to do it by myself. Therefore, some contributors got together and established FAPI-SIG to work together on adding FAPI support to Keycloak. As a result, Keycloak 14 supports the FAPI 1.0 Baseline security profile, the FAPI 1.0 Advanced security profile, and the FAPI-CIBA security profile.

I have continued to contribute security-related features to Keycloak. The main one among these is FAPI support. Doing this alone would take an enormous amount of time and effort, so contributors got together, launched FAPI-SIG, and worked on FAPI support. As a result, starting with Keycloak 14, the FAPI 1.0 Baseline security profile, FAPI 1.0 Advanced security profile, and FAPI-CIBA security profile are supported.

JP: What kind of support did you receive from your company for your contribution activities?

What kind of support does your company provide for your contribution activities?

TN: My company, HITACHI, sees the real value of Keycloak, so it allows me to use a significant portion of my time for contribution activities to Keycloak.

My company sees value in Keycloak, and I am allowed to spend a considerable amount of time on Keycloak-related work.

JP: That’s wonderful. Thank you Norimatsu-san, I greatly appreciate your time.

Speed up your Ansible playbooks, create quick containers, and more tips for sysadmins

Check out Enable Sysadmin’s top 10 articles from January 2022.

Read More at Enable Sysadmin

The Linux Foundation Releases The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness Research

New data from Linux Foundation measures SBOM progress and adoption to address cybersecurity concerns

SAN FRANCISCO, Calif., February 1, 2022 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, in partnership with OpenSSF, SPDX, and OpenChain, today announced the availability of the first in a series of research projects to understand the challenges and opportunities for securing software supply chains. “The State of Software Bill of Materials and Cybersecurity Readiness” reports on the extent of organizational SBOM readiness and adoption tied to cybersecurity efforts. The study comes on the heels of both the U.S. Administration’s Executive Order on Improving the Nation’s Cybersecurity and the recent White House Open Source Security Summit. Its timing coincides with increasing recognition across the globe of the importance of identifying software components and helping accelerate response to newly discovered software vulnerabilities.

“SBOMs are no longer optional. Our Linux Foundation Research team revealed 78% of organizations expect to produce or consume SBOMs in 2022,” said Jim Zemlin, executive director at the Linux Foundation. “Businesses accelerating SBOM adoption following the publication of the new ISO standard (5962) or the White House Executive Order, are not only improving the quality of their software, they are better preparing themselves to thwart adversarial attacks following new open source vulnerability disclosures like those tied to log4j.”

An SBOM is formal and machine-readable metadata that uniquely identifies a software component and its contents; it may also include copyright and license data. SBOMs are designed to be shared across organizations and are particularly helpful at providing transparency of components delivered by participants in a software supply chain. Many organizations concerned about application security are making SBOMs a cornerstone of their cybersecurity strategy.

Key findings from survey participants analyzed for the report include:

82% are familiar with the term Software Bill of Materials (SBOM)
76% are actively engaged in addressing SBOM needs
47% are producing or consuming SBOMs
78% of organizations expect to produce or consume SBOMs in 2022, up 66% from the prior year

Survey participants also revealed their top three benefits for producing SBOMs:

51% say it’s easier for developers to understand dependencies across components in an application
49% state it’s easier to monitor components for vulnerabilities
44% noted it’s easier to manage license compliance

Linux Foundation researchers also revealed that additional industry consensus and government policy will help drive SBOM adoption and implementation. The researchers noted:

62% are looking for better industry consensus on how to integrate the production/consumption of SBOMs into their DevOps practices
58% want consensus on integration of SBOMs into their risk and compliance processes
53% desire better industry consensus on how SBOMs will evolve and improve
80% of organizations worldwide are aware of the White House Executive Order on improving cybersecurity
76% are considering changes as a direct consequence of the Executive Order

Finally, research participants revealed their top attributes used to prioritize which open source software components would be used by developers: security ranked highest, followed by license compliance.

Linux Foundation Research conducted this worldwide empirical research into organizational SBOM readiness and adoption in the third quarter of 2021. A total of 412 organizations from around the world participated in the 65-question survey. The report is authored by Stephen Hendrick, vice president of Research at the Linux Foundation. The Linux Foundation has also prioritized research to aid collective understanding of the scope of cybersecurity challenges with the first in a series of core research projects to explore important issues related to implementing cybersecurity best practices and standards adoption, beginning with this study of SBOM readiness.

The Linux Foundation supports numerous open source SBOM and security-related programs, including Open Source Security Foundation (OpenSSF), SPDX (ISO/IEC 5962), sigstore, Let’s Encrypt, in-toto, The Update Framework (TUF), Uptane, and OpenChain (ISO 5230).

Additional Resources

Download The State of Software Bill of Materials and Cybersecurity Readiness report

Watch the playback of our February 1 webinar, Understanding the Role of Software Bill of Materials in Cybersecurity Readiness

Join one of six OpenSSF working groups to help improve open source security

Read about SPDX as the ISO standard for SBOMs

Access free training on generating a free software bill of materials

Get certified as a secure software development professional

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.


The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

The post The Linux Foundation Releases The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness Research appeared first on Linux Foundation.

3 reasons you should get that IT certification

IT certifications take various amounts of time to pay off. Consider this advice regarding spending your valuable time and money.

Read More at Enable Sysadmin

How to find third-party vulnerabilities in your Java code

Learn four ways to check your Java projects for vulnerable dependencies.

Read More at Enable Sysadmin

Enhancing Supply Chain Security for Embedded Systems: Renode Dashboard for Zephyr RTOS Adds New Software Bill of Materials (SBOM) Capabilities by Default

Authors: Michael Gielda, Kate Stewart

A Software Bill of Materials (or SBOM) makes information about the software components running on a system available. Transparency and summarization are needed in embedded systems, where resources are constrained and where updates may have significant deployment or recall costs.

In 2021, we saw significant indicators that having an SBOM is going to become a regulatory requirement in some embedded market segments (medical, energy, etc.), and the US Government came out with an executive order in May 2021 whose timeline expects the industry to be ready to generate SBOMs in 2022.

Software Package Data eXchange® (SPDX®) is an international standard (ISO/IEC 5962:2021) able to express SBOM information, as well as other facts about software packages, files, and snippets. It is uniquely able to specify the fidelity of information required for embedded software and to partition the information logically to express system-level information.

The Zephyr Project incorporated the ability to generate SBOMs automatically during builds in 2021. This is done when building Zephyr executables using the ‘west spdx’ command. West is Zephyr’s meta-tool that supports the build infrastructure. Multiple SBOMs are created (one for the Zephyr sources, one for the application sources, and one for the built image), and they link back to all the dependencies in the source files.

Antmicro’s Renode Zephyr Dashboard now includes SBOMs

A Platinum member of the Zephyr Project, Antmicro, among other contributions (including maintaining Zephyr support for RISC-V and work on supporting Zephyr on FPGA platforms), has been ensuring that Zephyr developers can access the powerful simulation, testing, and debug capabilities of its open source simulation framework, Renode.

Renode shares the vendor-neutral and user-centric approach of Zephyr, focusing on the security and developer productivity of the RTOS.

The two open source projects have been collaborating for many years now, and a great recent showcase of how Zephyr and Renode complement each other is the Renode Zephyr dashboard.

The Renode tool visualizes the results of a continuous integration (CI) system running real Zephyr binaries on multiple architectures, boards, and SoCs from a variety of vendors, incorporating the advantages of portable examples and the structured platform data provided by Zephyr.

Renode’s flexibility and reconfigurability produces a concise dashboard displaying Zephyr-compatible boards currently supported in Antmicro’s open simulation framework.

This dashboard project utilizes the systemized information from Zephyr, which uses device trees to describe the platform data needed to pick and configure specific drivers and subsystems; that data can then be mapped onto the plug-and-play, building-block-oriented nature of Renode.

Renode Dashboard Includes SBOMs in Standard Builds

As a member of Zephyr’s Technical Steering Committee, Antmicro collaborates with other Zephyr members (which include many of Antmicro’s customers, such as Google, Intel, or NXP) to ensure the use of a standardized and unified approach to implementing new ports. This concept of defining commonalities in platforms is an important step toward improving and generalizing support for silicon in embedded systems tooling.

Currently at 129 passing boards and spanning four different demos, including MicroPython and TensorFlow Lite Micro, the most recent version of the Zephyr Dashboard is enhanced with the ability to generate SBOM artifacts for all of its samples automatically.

This showcases how simple Zephyr makes it to generate reliable and accountable software with accompanying SBOMs. The dashboard shows the breadth of platforms supported by both Zephyr and Renode, all of which have SBOMs.

Using Renode helps you track various metrics (performance, coverage, memory use, etc.) related to your software over time. The software BOM generation capability complements this picture, providing the traceability and security needed to build real-life commercial products.

About the Authors:

Michael Gielda is VP Business Development at Antmicro, Chair of Outreach for CHIPS Alliance, and a member of the Marketing Committees in RISC-V International and The Zephyr Project. Contact: mgielda@antmicro.com

Kate Stewart is VP Dependable Embedded Systems at The Linux Foundation, a technical co-lead in the SPDX project, and a governing board member for the CHAOSS project. Contact: kstewart@linuxfoundation.org

Transparently Patching PWNKIT with Ksplice

A real life example that highlights the

Click to Read More at Oracle Linux Kernel Development

How to find third-party vulnerabilities in your Python code

Learn how to use the pip-audit tool to find CVE advisories issued for Python modules you’re using in your project.

Read More at Enable Sysadmin

How to fix Kubernetes namespaces stuck in the terminating state

Sometimes the process to delete Kubernetes namespaces gets hung up, and the command never completes. Here’s how to troubleshoot terminating namespaces.

Read More at Enable Sysadmin

How to update container images with Podman

Keeping your images current is standard procedure for operating and managing a containerized environment. Here’s how to do it.

Read More at Enable Sysadmin