
posted by janrinok on Monday May 16 2022, @11:08PM

Open source community sets out path to secure software:

The open source community has presented a 10-point plan to improve the security and resilience of its software, bringing together more than 90 executives from 37 organisations, alongside US government officials, at a summit in Washington DC.

[...] OpenSSF executive director Brian Behlendorf added: "What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action."

The 10-point plan, which can be read in full on OpenSSF's website, is as follows:

  1. To deliver baseline secure software development education and certification;
  2. To establish a public, supplier-neutral, objective-metrics-based risk assessment dashboard for 10,000 widely used open source software (OSS) components;
  3. To accelerate the adoption of digital signatures on OSS releases;
  4. To eliminate the root causes of many vulnerabilities by replacing non-memory-safe languages;
  5. To establish an OpenSSF-backed incident response team to help open source projects respond to vulnerability disclosures;
  6. To improve the ability of maintainers and experts to discover new vulnerabilities in open source projects;
  7. To establish a programme of third-party code audits and remediation for up to 200 of the most-critical OSS components;
  8. To coordinate industry-wide data sharing to improve how the community goes about determining what the most-critical OSS components actually are;
  9. To improve the adoption of software bill of materials (SBOM) tooling and training;
  10. And finally, to enhance the 10 most-critical OSS build systems, package managers and distribution systems with improved supply chain security tools and practices.

Commenting on the plan, Mike Hanley, chief security officer (CSO) at GitHub, said: "Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain.



Related Stories

Toward Policy for Open Source Software as Infrastructure

The Atlantic Council has published a policy report entitled "Avoiding the success trap: Toward policy for open-source software as infrastructure". It addresses the idea of Open Source Software (OSS) as essential infrastructure. OSS differs from physical infrastructure yet supports critical functions, provides dependable services, offers subtle and often unseen service delivery, and functions through decentralized control.

This report aims to develop tangible example policies for the United States and European Union to support OSS as infrastructure and point policymakers toward existing policy vehicles that government can readily modify and adopt to better support and engage with the OSS ecosystem. The report does not seek to make definitive statements about what open source is or is not through these analogies. Rather the goal is to capture a snapshot of its most essential features and most consequential participants. Any of the analogies can be extended far past usefulness, and policymakers should approach each keeping in mind the essential truth that, while all models are wrong, some (including, we believe, these) are useful, nonetheless. Before diving into the analogies though, this report looks to discuss the open-source ecosystem as it is, highlighting key principles and addressing common misconceptions.

[...] None of this report reflects a belief that OSS is inherently insecure, but rather that it is uniquely central to modern digital systems and that relationships with the OSS community are necessarily, and substantively, different than those government has grown accustomed to with industry and industry within itself. Sustainable use emphasizes the user responsibility for much of the risk associated with software use, including OSS, and addresses OSS-specific features of development and contribution possibly only with open-source code. Addressing systemic risk is an important step for policy efforts to support the security and sustainability of OSS projects with an accurate picture of the considerable interdependency between code bases. Finally, governments must step up to support OSS as the infrastructure that it is. These resources should come alongside expanded private sector support and can manifest in targeted formats as well as a more general support model, the OSS Trust. OSS is infrastructure, and the provision of support for it as such will permit more rapid adoption and considerable innovation in even critical domains of economic and government activity.

So it seems that the establishment continues to turn its jaundiced eye towards software development.

Previously:
(2023) Opinion: FOSS Could be an Unintended Victim of EU Security Crusade
(2022) Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone
(2022) Open Source Community Sets Out Path to Secure Software



Managing Open Source Software and Software Bill of Materials

The US Department of Defense has published a report entitled Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials (warning for PDF) about aligning government activities with industry best practices. It covers principles that software developers and software suppliers can reference, including managing open source software and software bills of materials to maintain and provide awareness about software security. The report is a follow-up to the much-hyped 2021 executive order on cybersecurity. Much focus is given to making and using Software Bills of Materials (SBOM) and incorporating them into the workflow:

The SBOM and its contents must be validated and verified. Validation assures that the SBOM data is appropriately formatted and can be integrated into various tools and automation. Verification ensures the content within the SBOM is accurately described and all components and related information on a product for licensing and exporting are represented.

Many organizations are increasingly incorporating tools into the build and source repository facility to automate this process and provide artifacts which can attest to the verification of the SBOM being delivered. Both the content of the package, the executables, libraries and configuration files, and the actual format of the SBOM, should be validated. Any open-source software components should be verified for license or export restrictions. In some organizations, validation is performed first by the developer during build/packing of the product and then by the developer/supplier before customer delivery to verify the integrity of the SBOM being delivered. For more information on the formats and tools available for validation, refer to section 5.1.5 of this document "SBOM Validation."

A good reference on guidance for the SBOM process can be found in NTIA's publication "Software Suppliers Playbook: SBOM Production and Provision" guidance. It is important that developers understand the end-user requirements for SBOM generation and how this information might be used by both suppliers and customers. Additional process information relating to SBOMs and acquisitions can be found in the "Software Consumers Playbook: SBOM Acquisition, Management, and Use".
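The validation/verification split the report draws, as an added Python example that is not from the DoD report or any SBOM tool: a constructed CycloneDX-style SBOM is first checked for format (validation), then its recorded hashes and license ids are verified against constructed artifact bytes and an assumed license allowlist.

```python
import hashlib
import json

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # assumed policy allowlist
ALGS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}

# Constructed package bytes keyed by package URL, standing in for the delivered files.
ARTIFACTS = {
    "pkg:generic/libfoo@1.4.2": b"constructed tarball bytes for libfoo",
    "pkg:pypi/bar-cli@0.9.0": b"constructed wheel bytes for bar-cli",
}

# Constructed CycloneDX-style SBOM; bar-cli carries a stale hash and a denied license.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(
             ARTIFACTS["pkg:generic/libfoo@1.4.2"]).hexdigest()}]},
        {"type": "library", "name": "bar-cli", "version": "0.9.0",
         "purl": "pkg:pypi/bar-cli@0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}],
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
    ],
})

def validate_sbom(text: str) -> tuple[dict, list[str]]:
    """Validation: is the document well-formed enough for tooling to consume?"""
    errors = []
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        errors.append("header: bomFormat must be CycloneDX and specVersion is required")
    for i, comp in enumerate(sbom.get("components", [])):
        for key in ("name", "version", "purl"):
            if key not in comp:
                errors.append(f"component {i}: missing {key}")
        for h in comp.get("hashes", []):
            alg = h.get("alg")
            if alg not in ALGS or len(h.get("content", "")) != ALGS[alg]().digest_size * 2:
                errors.append(f"component {i}: unsupported or malformed hash {h}")
    return sbom, errors

def verify_sbom(sbom: dict, artifacts: dict) -> dict:
    """Verification: do recorded hashes and licenses match the delivered bits and policy?"""
    findings = {"hash_mismatch": [], "license_denied": []}
    for comp in sbom["components"]:
        purl, data = comp["purl"], artifacts.get(comp["purl"])
        for h in comp.get("hashes", []):
            # a component with no delivered artifact can never verify
            if data is None or h["content"] != ALGS[h["alg"]](data).hexdigest():
                findings["hash_mismatch"].append(purl)
        ids = {lic.get("license", {}).get("id") for lic in comp.get("licenses", [])}
        if not ids <= ALLOWED_LICENSES:
            findings["license_denied"].append(purl)
    return findings
```

In a pipeline the format check gates ingestion of the SBOM, while the hash and license findings gate delivery of the package itself.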

Don't say that acronym at the airport while working with your team over the phone...

Previously:
(2022) Open Source Community Sets Out Path to Secure Software



  • (Score: 1, Troll) by Anonymous Coward on Monday May 16 2022, @11:12PM (3 children)

    by Anonymous Coward on Monday May 16 2022, @11:12PM (#1245489)

    By the time the blue-hairs are done with their revisions it will be a 30 point plan, ten of which deal with the security implications of pronouns.

    • (Score: 0) by Anonymous Coward on Tuesday May 17 2022, @03:28PM (2 children)

      by Anonymous Coward on Tuesday May 17 2022, @03:28PM (#1245672)

      Personally I'm not a fan of committees, but I'll take them over literal Nazis any day ;^)

      • (Score: 3, Funny) by DannyB on Tuesday May 17 2022, @05:34PM (1 child)

        by DannyB (5839) Subscriber Badge on Tuesday May 17 2022, @05:34PM (#1245744) Journal

        Why are you triggered about Nazis? Nothing was said about a Code of Conduct.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 0) by Anonymous Coward on Tuesday May 17 2022, @11:34PM

          by Anonymous Coward on Tuesday May 17 2022, @11:34PM (#1245823)

          Well SN has one of those, are we all Nazis now?

  • (Score: 5, Funny) by FatPhil on Monday May 16 2022, @11:33PM (5 children)

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday May 16 2022, @11:33PM (#1245493) Homepage
I hope his first move is to replace the version control software he hosts in a memory-safe language, then rewrite the webserver he's hosted on in a memory-safe language, and then rewrite the OS his webserver's running on in a memory-safe language.

    Anything less would be hypocrisy. He'd better start soon, otherwise his second move will be in about 2122.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 0) by Anonymous Coward on Tuesday May 17 2022, @12:16AM

      by Anonymous Coward on Tuesday May 17 2022, @12:16AM (#1245507)

      and never once mentioned the R word (rust). bravo!

    • (Score: 1, Touché) by Anonymous Coward on Tuesday May 17 2022, @03:06AM (3 children)

      by Anonymous Coward on Tuesday May 17 2022, @03:06AM (#1245540)

      Github is a Ruby shop.

      Ruby, memory safety and amazing performance that makes Python look fast.

      • (Score: 3, Funny) by FatPhil on Tuesday May 17 2022, @08:03AM

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday May 17 2022, @08:03AM (#1245581) Homepage
        Yup, sorry, I forgot that layer of the stack, it's an important one. Important for my argument as the core of ruby is written in ...

        ... hahah, that would be telling, let's just say it's the same as the other three layers.

        Rewrite it!
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by Freeman on Tuesday May 17 2022, @01:51PM

        by Freeman (732) on Tuesday May 17 2022, @01:51PM (#1245631) Journal

        That makes me glad I never picked up ruby. I had the chance to look into it, but I went with Python instead. I've made some good use of Python. At the start of my recent foray into programming I had been using C# and VisualStudio, but decided I liked not using Proprietary Microsoft Software on my proprietary Microsoft OS. That way, I can easily switch to Linux, if/when the time comes. Which seems to be fast approaching, Oct 14, 2025. That's, if Microsoft doesn't just push must have Microsoft Account to get updates onto Windows 10, before Oct 14, 2025.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 2) by DannyB on Tuesday May 17 2022, @05:39PM

        by DannyB (5839) Subscriber Badge on Tuesday May 17 2022, @05:39PM (#1245746) Journal

        Github is a Ruby shop.

        In about 2012 or thereabout, Twitter rewrote their platform from Ruby into Java. There are (or were) YouTube videos explaining how and why they did this. Performance. Scalability. Routing a billion twits per day in nearly real time.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 5, Insightful) by Anonymous Coward on Monday May 16 2022, @11:42PM (2 children)

    by Anonymous Coward on Monday May 16 2022, @11:42PM (#1245496)

    Corporation wants to be the gatekeeper to open source. No thanks.

    • (Score: 0) by Anonymous Coward on Tuesday May 17 2022, @01:20AM

      by Anonymous Coward on Tuesday May 17 2022, @01:20AM (#1245518)

      Indeed. Who are these self-declared representatives of 'the community' who're primarily motivated by making an income and a subset of The Linux Foundation?

      And Open Source ⊄ Linux

    • (Score: 2) by DannyB on Tuesday May 17 2022, @05:41PM

      by DannyB (5839) Subscriber Badge on Tuesday May 17 2022, @05:41PM (#1245750) Journal

      Corporations are free to use, contribute to, and promote open source. And they do. Out of enlightened self interest. The way open source works tends to prevent gatekeepers. Without walls, windows are unnecessary.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 2, Interesting) by Anonymous Coward on Tuesday May 17 2022, @12:04AM

    by Anonymous Coward on Tuesday May 17 2022, @12:04AM (#1245503)

I know software security is a messy, diffuse subject, but this is a little too wordy and unfocused.

    Distill them down into a half dozen or fewer topics - e.g., development, test/auditing, monitoring/mitigation, etc. - and then expand each into more concrete/detailed steps down level.

    The way it's presented, it just sounds like a strung-out laundry list - not very persuasive to the larger software/IT community.

  • (Score: 0) by Anonymous Coward on Tuesday May 17 2022, @12:18AM (1 child)

    by Anonymous Coward on Tuesday May 17 2022, @12:18AM (#1245508)

    so.. that software you were getting from toejam eating hippies for free hasn't been audited
    guess we gotta fix that

    • (Score: 2) by DannyB on Tuesday May 17 2022, @05:43PM

      by DannyB (5839) Subscriber Badge on Tuesday May 17 2022, @05:43PM (#1245752) Journal

      Without walls you don't need windows.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 2, Insightful) by Anonymous Coward on Tuesday May 17 2022, @12:59AM (4 children)

    by Anonymous Coward on Tuesday May 17 2022, @12:59AM (#1245515)

    and in the darkness bind them.

    The article makes it seem like the whole Open Source Community has already decided this when in fact it is OpenSSF executive director Brian Behlendorf that wants this for a big payout with his buddies.

    No thanks.

    • (Score: 3, Touché) by MostCynical on Tuesday May 17 2022, @02:19AM (1 child)

      by MostCynical (2589) on Tuesday May 17 2022, @02:19AM (#1245529) Journal

      "community" is a self-declared, and, in this instance, self-serving, term (words are weapons)

      other examples: "representative", "BLM", "Antifa", "Gamer"...

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 1, Touché) by Anonymous Coward on Tuesday May 17 2022, @10:49AM

        by Anonymous Coward on Tuesday May 17 2022, @10:49AM (#1245603)

        "community" is a self-declared, and, in this instance, self-serving, term (words are weapons)

        other examples: "representative", "BLM", "Antifa", "Gamer"...

        You left out "Oathkeepers", "Proud Boys", "Freedom Caucus", "Moral Majority", "Accuracy In Media", "Turning Point" and "TRUTH Social". Do your research!

    • (Score: 1, Touché) by Anonymous Coward on Tuesday May 17 2022, @03:18AM

      by Anonymous Coward on Tuesday May 17 2022, @03:18AM (#1245541)

      Where the fuck did OpenSSF even come from? I've never heard of these clowns before.

      I guess it's time to renew my membership with the EFF.

    • (Score: 2) by DannyB on Tuesday May 17 2022, @05:43PM

      by DannyB (5839) Subscriber Badge on Tuesday May 17 2022, @05:43PM (#1245753) Journal

      Intel has more than one ring?

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 5, Informative) by Anonymous Coward on Tuesday May 17 2022, @01:58AM

    by Anonymous Coward on Tuesday May 17 2022, @01:58AM (#1245523)

    Formation: 2020
    The list of founding governing board members includes GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat.[3] Other founding members include GitLab, HackerOne, Intel, Okta, Purdue, Uber, WhiteSource, and VMware.[3]

    https://en.wikipedia.org/wiki/Open_Source_Security_Foundation [wikipedia.org]

  • (Score: 2) by Thexalon on Tuesday May 17 2022, @02:10AM

    by Thexalon (636) on Tuesday May 17 2022, @02:10AM (#1245525)

    "Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain."

    Bingo! [buzzwordbingogame.com]

    But in all seriousness, most people know what they're supposed to do to prevent software security problems, they just don't do it, because they're human, and they don't always get caught because the testers are human.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday May 17 2022, @05:55AM

    by Anonymous Coward on Tuesday May 17 2022, @05:55AM (#1245557)

software supply chain, methinks, also requires an unburdened and worry-free brain which pulls in dependencies like "cheap good calories", "reliable electricity" and "affordable housing".. and maybe not having bombs going off every 5 minutes...

  • (Score: 0) by Anonymous Coward on Tuesday May 17 2022, @02:02PM (1 child)

    by Anonymous Coward on Tuesday May 17 2022, @02:02PM (#1245636)

Given how popular they are today, I'm surprised they didn't suggest a blockchain to track who has worked/signed off on which signed pieces.

    They definitely need to sign and track everything. The sources, tools, and build outputs.

    • (Score: 2) by MostCynical on Wednesday May 18 2022, @12:46AM

      by MostCynical (2589) on Wednesday May 18 2022, @12:46AM (#1245830) Journal

      since blockchain is actually 'proof of work', this should be simple to implement... get to it, peons!

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex