Archive d’étiquettes pour : America


By Ashwin Ramaswami

Last month, we just concluded the Linux Foundation’s 2022 Open Source Summit North America (OSS NA), when developers, technologists, and community leaders from industry, corporación, and government converged in Austin, Texas, from June 21-24 to talk about all things open source. Participants and speakers highlighted open source innovation and efforts to ensure a sustainable open source ecosystem.

What did the summit tell us about the state of OSS security? Several parts of the conference addressed different aspects of this issue – OpenSSF Day, Critical Software Summit, SupplyChainSecurityCon, and the Completo Security Vulnerability Summit. Overall, the summit demonstrated an increased emphasis on open source security as a community effort with various stakeholders. More ambitious and innovative approaches to handling the open source security problem – including collaboration, tools, and training – were also introduced. Finally, the summit highlighted the importance for open source users to give back to the community and contribute upstream to the projects they depend on.

Let’s explore these ideas in more detail!

Click on the list on the upper right of this video to view the entire OpenSSF Day playlist (13 videos)

Open source security as a community effort

Open source security is not just an isolated effort by users or maintainers of open source software. As OSS NA showed, the stakes of open source security have turned it into a community effort, where a wide variety of diverse stakeholders have an interest and are beginning to get involved.

  • As Todd Moore (IBM) mentioned in his keynote, incidents such as log4shell have made open source security a bigger priority for governments – and it is important for existing open source stakeholders, both users and maintainers, to work as a community to take a cohesive message back to the government to articulate our community’s needs and how we are responding to this challenge.
  • Speakers at a panel discussion with the Atlantic Council’s Cyber Statecraft Initiative and the Open Source Security Foundation (OpenSSF) discussed the summit held by OpenSSF in Washington, DC on May 12 and 13, where representatives from industry and government met to develop the Open Source Software Security Mobilization Plan, a $150 million plan for better securing the open source ecosystem.
  • A panel discussion explored how major businesses are working together to improve the security of the open source supply chain, particularly through the governance structure of the OpenSSF.

New approaches to address open source security

OSS NA featured several initiatives to address fundamental open source security issues, many of which were particularly ambitious and innovative.

  • The OpenSSF’s Alpha-Omega Project was announced to address software vulnerabilities for OSS projects that are most critical (alpha) and at the long tail (omega).
  • Eric Brewer (Google) gave a keynote discussing the fundamental problem of ensuring accountability in the open source software supply chain. One way of solving this is through curation: creating a repository of vetted and secure packages.
  • Standards continue to be important, as always: Art Manion (CERT/CC) discussed the history and future of the CVE Program, while Jennings Aske (New York-Presbyterian Hospital) and Melba Lopez (IBM) discussed the importance of a Software Bill of Materials (SBOM).
  • The importance of security tooling was emphasized, with discussions on tools such as sigstore, automation of security checks through Infrastructure as Code tools, and CI/CD pipelines.
  • David Wheeler (Linux Foundation) discussed how education in secure software development is critical to ensuring open source software security. Courses like the OpenSSF’s Secure Software Development Fundamentals Courses are available to help developers learn this topic.

Giving back to the community

Participants at the summit recognized that open source security is ultimately a matter of community, governance, and sustainability. Projects that don’t have the right resources or governance structure may not be able to ensure their projects are secure or accept the right funding to do so.

  • Steve Hendrick (Linux Foundation) and Matt Jarvis (Snyk) discussed the release of the 2022 State of Open Source Security report from Snyk and the Linux Foundation. The report noted that open source software is often a one-way street where users see significant benefits with minimal cost or investment. It is recommended that organizations need to close the loop and give back to OSS projects they use for larger open source projects to meet user expectations.
  • Aeva Black (Microsoft) discussed approaches to community risk management through drafting and enforcing a code of conduct, and how ignoring community health can lead to sometimes catastrophic technical outcomes for OSS Projects.
  • Sean Goggins (CHAOSS) discussed the relationship between community health and vulnerability mitigation in open source projects by using metrics models from the CHAOSS projects.
  • Margaret Tucker and Justin Colannino (GitHub) discussed the role that package registries have in open source security, beginning to formulate some principles that would comprobación these registries’ responsibility for safety and reliability with the freedom and creativity of package maintainers.
  • Naveen Srinivasan (Endor Labs) and Laurent Simon (Google) explored the OpenSSF Scorecard to more easily analyze the security of open source projects and proactively improve their security.
  • Amir Montazery (OSTIF) discussed the Open Source Technology Improvement Fund’s efforts to help OSS maintainers to work with security experts to improve their projects’ security posture.

Conclusion

In sum, the talks and conversations at OSS Summit NA help paint a picture of how key stakeholders in the open source software ecosystem – OSS communities, industry, corporación, and government – are thinking about conceptualizing big-picture issues and directing efforts around OSS security.

But these initiatives and talks still have a lot of room for input! Whether individually or through your institution, consider adding your voice to this discussion as we continue to support the open source software community. Join an OpenSSF working group, another initiative, or contribute upstream to open source projects that you depend on.



Source link


  • LF Networking Announces ONE Summit North America 2022 Call for Proposals  and Registration are Now Open! 
  • ONE Summit is the one industry event focused on best practices, technical challenges, and business opportunities facing network decision makers across Networking, Access, Edge, and Cloud
  • Reinvigorated for 2022, ONE Summit returns in-person November 15-16 in Seattle, Wash. with a more interactive and creative environment enabling attendees to transform, innovate and collaborate together

SAN FRANCISCO, July 7, 2022 LF Networking,which facilitates collaboration and operational excellence across open source networking projects, announced Registration and the Call For Proposals (CFP) for ONE Summit North America 2022 are now open. Taking place in Seattle, Wash. November 15-16, ONE Summit is the one industry event focused on best practices, technical challenges, and business opportunities facing decision makers across 5G, Cloud, Telco, and Enterprise Networking, as well as Edge, Acces, IoT, and Core. 

For anyone using networking and automation to transform business, whether it’s deploying a 5G network, building government infrastructure, or innovating at their industry’s network edge, the ONE Summit collaborative environment enables peer interaction and learning focused on open source technologies that are redefining the ecosystem. As the network is key to new opportunities across Telecommunications, Industry 4.0, Public and Government Infrastructure, the new paradigm will be open. Come join this interactive and collaborative event, the ONE place to learn, innovate, and create the networks our organizations require. 

“We are pleased to host a rejuvenated ONE Summit, which brings the ecosystem together in-person merienda again,” said Arpit Joshipura, universal manager, Networking, Edge, and IoT, the Linux Foundation. “With a shifting industry that must embrace traditional networking now integrated across verticals such as Access, Edge, Core, and Cloud, we are eager to gather to learn, share, and iterate on the future of open collaboration.”

The event will feature an extensive program of 80+ talks covering the most important and timely topics across Networking, Access, Edge, and Cloud, with diverse options for both business and technical sessions. Presentation tracks include Industry 4.0; Security; The New Networking Stack; Operational Deployments (case studies, success & challenges); Emerging Technologies and Business Models; and more. 

The CFP is now open through July 29, 2022.

To register, visit  https://events.linuxfoundation.org/one-summit-north-america/register/. Corporate attendees should register before August 20 for the best rates. 

Developer & Testing Forum

ONE Summit will be followed by a complimentary two day LF Networking Developer and Testing Forum (DTF), a grassroots hands-on event organized by the LF Networking projects. Attendees are encouraged to extend the experience, roll up sleeves, and join the incredible developer community to advance the open source networking and automation technologies of the future. Information on the Spring 2022 LFN Developer & Testing Forum, which took place June 13-16 in Porto, Portugal, is available here.

Sponsor

ONE Summit  is made possible thanks to generous sponsors. For information on becoming an event sponsor, click here or email for more information and to speak to the team.

Press
Members of the press who would like to request a press pass to attend should contact pr@lfnetworking.org

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. Learn more at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

###



Source link