Tag listing: Software

Many software projects are not prepared to build securely by default, which is why the Linux Foundation and Open Source Security Foundation (OpenSSF) partnered with technology industry leaders to create Sigstore, a set of tools and a standard for signing, verifying and protecting software. Sigstore is one of several innovative technologies that have emerged to improve the integrity of the software supply chain, reducing the friction developers face in implementing security within their daily work.

To make it easier to use Sigstore’s toolkit to its full potential, OpenSSF and Linux Foundation Training & Certification are releasing a free online training course, Securing Your Software Supply Chain with Sigstore (LFS182x). This course is designed with end users of Sigstore tooling in mind: software developers, DevOps engineers, security engineers, software maintainers, and related roles. To make the best use of this course, you will need to be familiar with Linux terminals and using command line tools. You will also need to have intermediate knowledge of cloud computing and DevOps concepts, such as using and building containers and CI/CD systems like GitHub Actions, many of which can be learned through other free Linux Foundation Training & Certification courses.

Upon completing this course, participants will be able to inform their organization’s security strategy and build software more securely by default. The hope is this will help you address attacks and vulnerabilities that can emerge at any step of the software supply chain, from writing to packaging and distributing software to end users.

Enroll today and improve your organization’s software development cybersecurity best practices.


The tenth annual Open Source Jobs Report from the Linux Foundation and edX was released today, examining trends in open source hiring, retention, and training

SAN FRANCISCO – June 22, 2022 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, and edX, a leading global online learning platform from 2U, Inc. (Nasdaq: TWOU), have released the 10th Annual Open Source Jobs Report, examining the demand for open source talent and trends among open source professionals.

The need for open source talent is strong in light of continuing cloud adoption and digital transformation across industries. As the COVID pandemic wanes, both retention and recruitment have become more difficult than ever, with 73% of professionals reporting it would be easy to find a new role and 93% of employers struggling to find enough skilled talent. Although the majority of open source professionals (63%) reported their employment did not change in the past year, one-in-three did report they either left or changed jobs, which puts additional pressure on employers trying to hold onto staff with necessary skills. While this may not reach levels of a “Great Resignation”, this turnover is putting more pressure on companies.

“Every business has struggled with recruiting and retaining talent this past year, and the open source industry has been no different,” said Linux Foundation Executive Director Jim Zemlin. “Organizations that want to ensure they have the talent to meet their business goals need to not only differentiate themselves to attract that talent, but also look at ways to close the skills gap by developing net new and existing talent. This report provides insights and actionable steps they can take to make that happen.”

“This year’s report found that certifications have become increasingly important as organizations continue to look for ways to close skills gaps. We see modular, stackable learning as the future of education and it’s promising to see employers continuing to recognize these alternative paths to gain the skills needed for today’s jobs,” said Anant Agarwal, edX Founder and 2U Chief Open Education Officer.

10th annual jobs report facts

The tenth annual Open Source Jobs Report examines trends in open source careers, which skills are most in-demand, the motivation for open source professionals, and how employers attract and retain qualified talent. Key findings from the Open Source Jobs Report include:

  • There remains a shortage of qualified open source talent: The vast majority of employers (93%) report difficulty finding sufficient talent with open source skills. This trend is not going away with nearly half (46%) of employers planning to increase their open source hiring in the next six months, and 73% of open source professionals stating it would be easy to find a new role should they choose to move on.
  • Compensation has become a greater differentiating factor: Financial incentives including salary and bonuses are the most common means of keeping talent, with two-in-three open source professionals saying a higher salary would deter them from leaving a job. With flex time and remote work becoming the industry standard, lifestyle benefits are becoming less of a consideration, making financial incentives a bigger differentiator.
  • Certifications hit new levels of importance: An overwhelming number of employers (90%) stated that they will pay for employees to obtain certifications, and 81% of professionals plan to add certifications this year, demonstrating the weight these credentials hold. The 69% of employers who are more likely to hire an open source professional with a certification also reinforces that in light of talent shortages, prior experience is becoming less of a requirement as long as someone can demonstrate they possess the skills to do the job.
  • Cloud’s continued dominance: Cloud and container technology skills remain the most in demand this year, with 69% of employers seeking hires with these skills, and 71% of open source professionals agreeing these skills are in high demand. This is unsurprising with 77% of companies surveyed reporting they grew their use of cloud in the past year. Linux skills remain in high demand as well (61% of hiring managers) which is unsurprising considering how much Linux underpins cloud computing.
  • Cybersecurity concerns are mounting: Cybersecurity skills have the fourth biggest impact on hiring decisions, reported by 40% of employers, trailing only cloud, Linux and DevOps. Amongst professionals, 77% state they would benefit from additional cybersecurity training, demonstrating that although the importance of security is being recognized more, there is work to be done to truly secure technology deployments.
  • Companies are willing to spend more to avoid delaying projects: The most common way to close skills gaps currently according to hiring managers is training (43%), followed by 41% who say they hire consultants to fill these gaps, an expensive alternative and an increase from the 37% reporting this last year. This aligns with the only 16% who are willing to delay projects, demonstrating digital transformation activities are being prioritized even if they require costly consultants.

This year’s report is based on survey responses from 1,672 open source professionals and 559 respondents with responsibility for hiring open source professionals. Surveys were fielded online during the month of March 2022.

The full 10th Annual Open Source Jobs Report is available to download here for free.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: Linux is a registered trademark of Linus Torvalds.

# # #

Media Contact:
Dan Brown
The Linux Foundation


The State of Open Source Security Highlights Many Organizations Lacking Strategies to Address Application Vulnerabilities Arising from Code Reuse

BOSTON — June 21, 2022 — Snyk, the leader in developer security, and The Linux Foundation, a global nonprofit organization enabling innovation through open source, today announced the results of their first joint research report, The State of Open Source Security.

The results detail the significant security risks resulting from the widespread use of open source software within modern application development as well as how many organizations are currently ill-prepared to effectively manage these risks. Specifically, the report found:

  • Over four out of every ten (41%) organizations don’t have high confidence in their open source software security;
  • The average application development project has 49 vulnerabilities and 80 direct dependencies (open source code called by a project); and,
  • The time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.

“Software developers today have their own supply chains – instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns,” said Matt Jarvis, Director, Developer Relations, Snyk. “This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue building fast, while also staying secure.”

“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them more challenging to secure,” said Brian Behlendorf, General Manager, Open Source Security Foundation (OpenSSF). “This research clearly shows the risk is real, and the industry must work even more closely together in order to move away from poor open source or software supply chain security practices.” (You can read the OpenSSF’s blog post about the report here)

Snyk and The Linux Foundation will be discussing the report’s full findings as well as recommended actions to improve the security of open source software development during a number of upcoming events:

41% of Organizations Don’t Have High Confidence in Open Source Software Security

Modern application development teams are leveraging code from all sorts of places. They reuse code from other applications they’ve built and search code repositories to find open source components that provide the functionality they need. The use of open source requires a new way of thinking about developer security that many organizations have not yet adopted.

Further consider:

  • Less than half (49%) of organizations have a security policy for OSS development or usage (and this number is a mere 27% for medium-to-large companies); and,
  • Three in ten (30%) organizations without an open source security policy openly recognize that no one on their team is currently directly addressing open source security.

Average Application Development Project: 49 Vulnerabilities Spanning 80 Direct Dependencies

When developers incorporate an open source component in their applications, they immediately become dependent on that component and are at risk if that component contains vulnerabilities. The report shows how real this risk is, with dozens of vulnerabilities discovered across many direct dependencies in each application evaluated.

This risk is also compounded by indirect, or transitive, dependencies, which are the dependencies of your dependencies. Many developers do not even know about these dependencies, making them even more challenging to track and secure.

That said, to some degree, survey respondents are aware of the security complexities created by open source in the software supply chain today:

  • Over one-quarter of survey respondents noted they are concerned about the security impact of their direct dependencies;
  • Only 18% of respondents said they are confident of the controls they have in place for their transitive dependencies; and,
  • Forty percent of all vulnerabilities were found in transitive dependencies.
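The distinction the report draws between direct dependencies and transitive ones (the dependencies of your dependencies) is easy to state and surprisingly easy to lose track of in practice. The following is an added example, not code from the report or from Snyk: it walks a constructed dependency graph breadth-first, records at what depth each package is first reached, and then attributes a constructed set of advisory identifiers to either the direct or the transitive tier. The package names and the `ADV-000N` advisory ids are placeholders invented for this illustration.

```python
from collections import deque

# Constructed sample manifest: each package maps to the packages it pulls in.
# "app" is the project under evaluation. All names are made up for this example.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "http-client", "yaml-parser"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser", "tls-lib"],
    "yaml-parser": [],
    "template-engine": ["html-escaper"],
    "url-parser": [],
    "tls-lib": ["asn1-lib"],
    "html-escaper": [],
    "asn1-lib": [],
}

# Constructed advisory feed: package -> advisory ids (placeholders, not real CVEs).
ADVISORIES = {
    "http-client": ["ADV-0001"],
    "tls-lib": ["ADV-0002", "ADV-0003"],
    "html-escaper": ["ADV-0004"],
    "yaml-parser": ["ADV-0005"],
}


def resolve_dependencies(graph, root):
    """Breadth-first walk from `root`.

    Returns {package: depth} where depth 1 means a direct dependency and
    depth >= 2 means transitive. Because the walk is breadth-first, the first
    time a package is seen is also its shortest path from the root, so a
    package that is both direct and transitive (http-client above) is
    correctly counted as direct. The visited check also makes cycles safe.
    """
    depths = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        pkg, depth = queue.popleft()
        if pkg in depths:
            continue
        depths[pkg] = depth
        for child in graph.get(pkg, []):
            queue.append((child, depth + 1))
    return depths


def classify_vulnerabilities(graph, advisories, root="app"):
    """Attribute each advisory to the direct or transitive tier of `root`."""
    depths = resolve_dependencies(graph, root)
    direct_vulns, transitive_vulns = [], []
    for pkg, depth in sorted(depths.items()):
        for adv in advisories.get(pkg, []):
            target = direct_vulns if depth == 1 else transitive_vulns
            target.append((pkg, adv))
    total = len(direct_vulns) + len(transitive_vulns)
    return {
        "direct_deps": sum(1 for d in depths.values() if d == 1),
        "transitive_deps": sum(1 for d in depths.values() if d > 1),
        "direct_vulns": direct_vulns,
        "transitive_vulns": transitive_vulns,
        # Share of findings that live in packages the project never named.
        "transitive_share": (len(transitive_vulns) / total) if total else 0.0,
    }


if __name__ == "__main__":
    summary = classify_vulnerabilities(DEPENDENCY_GRAPH, ADVISORIES)
    print(f"direct deps: {summary['direct_deps']}, "
          f"transitive deps: {summary['transitive_deps']}")
    for tier in ("direct_vulns", "transitive_vulns"):
        for pkg, adv in summary[tier]:
            print(f"{tier:17s} {pkg:16s} {adv}")
    print(f"transitive share: {summary['transitive_share']:.0%}")
```

The point the walk makes visible is that the project above declares only three packages yet inherits five more, and most of its findings sit in that inherited tier. A lockfile or SBOM that records the full resolved graph, rather than only the declared manifest, is what lets this attribution be done at all; without it, the `transitive_vulns` column is invisible.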

Time to Fix: More Than Doubled from 49 Days in 2018 to 110 Days in 2021

As application development has increased in complexity, the security challenges faced by development teams have also become increasingly complex. While open source software makes development more efficient, it also adds to the remediation burden. The report found that fixing vulnerabilities in open source projects takes almost 20% longer (18.75%) than in proprietary projects.

About The Report

The State of Open Source Security is a partnership between Snyk and The Linux Foundation, with support from OpenSSF, the Cloud Native Security Foundation, the Continuous Delivery Foundation and the Eclipse Foundation. The report is based on a survey of over 550 respondents in the first quarter of 2022 as well as data from Snyk Open Source, which has scanned more than 1.3B open source projects.

About Snyk

Snyk is the leader in developer security. We empower the world’s developers to build secure applications and equip security teams to meet the demands of the digital world. Our developer-first approach ensures organizations can secure all of the critical components of their applications from code to cloud, leading to increased developer productivity, revenue growth, customer satisfaction, cost savings and an overall improved security posture. Snyk’s Developer Security Platform automatically integrates with a developer’s workflow and is purpose-built for security teams to collaborate with their development teams. Snyk is used by 1,500+ customers worldwide today, including industry leaders such as Asurion, Google, Intuit, MongoDB, New Relic, Revolut, and Salesforce.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at


When people find out I work at the Linux Foundation they invariably ask, “What do you do?” Sometimes it is couched around the question, “As in the Linux operating system?” I explain open source software and try to capture its worldwide impact in 20 seconds before I lose their attention. If they happen to stick around for more, we often dig into the question, “Why would enterprises want to participate in open source software projects or use open source software?” The reality is – they do, whether they know it or not. And the reality is that thousands of companies donate their code to open source projects and invest time and resources helping to further develop and improve open source software.

How extensively used is open source software?

To quote from our recently released report, A Guide to Enterprise Open Source, “Open source software (OSS) has transformed our world and become the backbone of our digital economy and the foundation of our digital world. From the Internet and the mobile apps we use daily to the operating systems and programming languages we use to build the future, OSS has played a pivotal role. It is the lifeblood of the technology industry. Today, OSS powers the digital economy and enables scientific and technological breakthroughs that improve our lives. It’s in our phones, our cars, our airplanes, our homes, our businesses, and our governments. But just over two decades ago, few people had ever heard of OSS, and its use was limited to a small group of dedicated enthusiasts.”


But what does this look like practically?

  • In vertical software stacks across industries, open source penetration ranges from 20 to 85 percent of the overall software used
  • Linux fuels 90%+ of web servers and Internet-connected devices
  • The Android mobile operating system is built on the Linux kernel
  • Immensely popular libraries and tools to build web applications, such as AMP, Appium, Dojo, jQuery, Marko, Node.js and many more, are open source
  • The world’s top 100 supercomputers run Linux
  • 100% of mainframe customers use Linux
  • The major cloud-service providers – AWS, Google, and Microsoft – all utilize open-source software to run their services and host open-source solutions delivered through the cloud

Why do companies want to participate in open source software projects?

Companies primarily participate in open source software projects in three ways:

  1. They donate software they created to the open source community
  2. They provide direct funding and/or allocate software developers and other staff to contribute to open source software projects

The question often asked is, why wouldn’t they want to keep all of their software proprietary or only task their employees to work on their proprietary software?

The 30,000-foot answer is that it is about organizations coming together to collectively solve common problems so they can separately innovate and differentiate on top of the common baseline. They see that they are better off pooling resources to make the baseline better. Sometimes it is called “coopetition.” It generally means that while companies may be in competition with each other in certain areas, they can still cooperate on others.


Some old-school examples of this principle:

  • Railroads agreed on a common track gauge and build so they could all utilize the same lines and their equipment was interchangeable
  • Before digital cameras, companies innovated and differentiated on film and cameras, but they all agreed on the spacing for the sprockets to advance the film
  • The entertainment industry united around the VHS and Blu-Ray formats over their rivals

Now, we see companies, organizations, and individuals coming together to solve problems while simultaneously improving their businesses and products:

  • Let’s Encrypt is a free, automated, and open certificate authority with the goal of dramatically increasing the use of secure web protocols by making it much easier and less expensive to set up. They are serving 225+ million websites, issuing ~1.5 million certificates each day on average.
  • The Academy Software Foundation creates value in the film industry through collectively engineering software that powers much of the entertainment, gaming, and media industry productions and open standards needed for growth.
  • The Hyperledger Foundation hosts enterprise-grade blockchain software projects, notably using significantly fewer energy resources than other popular solutions.
  • LF Energy is making the electric grid more modular, interoperable, and scalable to help increase the use of renewable energy sources
  • Dronecode is enabling the development of drone software so companies can use their resources to innovate further
  • OpenSSF brings the top technology companies together to strengthen the security and resiliency of open source software
  • Kubernetes was donated by Google and is the go-to solution for managing cloud-based software

These are just a small sampling of the open source software projects that enterprises are participating in. You can explore all of the ones hosted at the Linux Foundation here.

How can companies effectively use and participate in open source software projects?

Enterprises looking to better utilize and participate in open source projects can look to the Linux Foundation’s resources to help. Much of what organizations need to know is provided in the just-published report, A Guide to Enterprise Open Source. The report is packed with information and insights from open source leaders at top companies with decades of combined experience. It includes chapters on these topics:

  • Leveraging Open Source Software
  • Preparing the Enterprise for Open Source
  • Developing an Open Source Strategy
  • Setting Up Your Infrastructure for Implementation
  • Setting Up Your Talent for Success
  • Challenges

Additionally, the Linux Foundation offers many open source training courses, events throughout the year, the LFX Platform, and hosts projects that help organizations manage open source utilization and participation, such as:

  • The TODO Group provides resources to set up and run an open source program office, including their extensive guides
  • The OpenChain Project maintains an international standard for sharing what software package licenses are included in a larger package, including information on the various licensing requirements so enterprises can ensure they are complying with all of the legal requirements
  • The FinOps Foundation is fostering an, “evolving cloud financial management discipline and cultural practice that enables organizations to get maximum business value by helping engineering, finance, technology, and business teams to collaborate on data-driven spending decisions.”
  • The Software Package Data Exchange (SPDX) is an open standard for communicating software bills of materials (SBOMs) so it is clear to every user which pieces of software are included in the overall package.

Again, this is just a snippet of the projects at the Linux Foundation that are working to help organizations adopt, utilize, contribute to, and donate open source projects.

The bottom line: Enterprises are increasingly turning to open source software projects to solve common problems and innovate beyond the baseline, and the Linux Foundation is here to help.


Last week I had the privilege of participating in the Open Source Software Security Summit II in Washington, DC. The Linux Foundation and OpenSSF gathered around 100 participants from enterprise, the U.S. government, and the open source community to agree on an action plan to help increase the security of open source software. 

If you were to look at the attendee list, you would likely be struck by the amount of collaboration among competitors on this issue. But, it isn’t a surprise to the open source community. Security is an excellent example of why organizations participate in open source software projects. 


A question I often receive when I tell people where I work is, “Why would for-profit companies want to participate in open source projects?” There are lots of reasons, of course, but it boils down to organizations coming together on a joint solution to a common problem so they can focus on innovating. For instance, film studios coming together around software for saving video files or color management, the finance industry improving traders’ desktops, or web companies supporting the languages and tools that make the web possible. And these are just a handful of examples.

Security is everyone’s concern and solutions benefit everyone. As one summit participant noted, “My direct competitors are in the room, but this is not an area where we compete. We all want to protect our customers, shareholders, and employees. . . 99% of the time we’re working on the same problems and trying to solve them in a smarter way.”


Everyone is better off by sharing vulnerabilities and solutions and working together towards a common goal of a more resilient ecosystem. No company is immune; everyone relies on multiple open source software packages to run their organization’s software. It is no surprise that competitors are working together on this – it is what the open source community does.

As we gathered in DC, my colleague Mark Miller talked to participants about their expectations and their perspectives on the meeting. When asked what he hoped to accomplish during the two day summit, Brian Fox of Sonatype said, “The world is asking for a response to make open source better. We are bringing together the government, vendors, competitors, [and] open source ecosystems to see what we can collectively do to raise the bar in open source security.” 


Another participant painted a picture which I find especially helpful, “I remember the old saying, we built the Internet on sand. I thought about that, underscoring the fact that sand is a part of concrete. This process means that we have an opportunity to shore up a lot of the foundation that we built the Internet on, the code that we’re developing. It is an opportunity to improve upon what we currently have, which is a mixture of sand and concrete. How do we get it all to concrete?”

Enterprise companies and community representatives were at the summit, as well as key U.S. government decision makers. The high-level government officials were there the entire day, participating in the meeting, and listening to the discussions. Their level of participation was striking to me. I have worked in and around government at the policy level for 25 years, and it is more common than not for government officials to be invited to speak, come and speak, and then leave right after they deliver their remarks. To see them there, one year after implementing the Executive Order on Improving the Nation’s Cybersecurity, and engaged signals the importance they place on solving this problem and the respect they have for the group that gathered last week. Kudos to Anne Neuberger, her team, and the others who joined from around the U.S. government.

By the end of the first day, agreement was reached on a plan, comprised of 10 key initiatives:

  • Security Education: Deliver baseline secure software development education and certification to all.
  • Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
  • Digital Signatures: Accelerate the adoption of digital signatures on software releases.
  • Memory Safety: Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  • Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
  • Better Scanning: Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
  • Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
  • Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
  • SBOMs Everywhere: Improve SBOM tooling and training to drive adoption.
  • Improved Supply Chains: Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

The full document, The Open Source Software Security Mobilization Plan, is available for you to review and download.

Of course, a plan without action isn’t worth much. Thankfully, organizations are investing resources. On the day it was delivered, $30 million had already been pledged to implement the plan. Organizations are also setting aside staff to support the project:

Google announced its “new ‘Open Source Maintenance Crew’, a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects.” 

Amazon Web Services committed $10 million in funding in addition to engineering resources: “we will continue and increase our existing commitments of direct engineering contributions to critical open source projects.”

Intel is increasing its investment: “Intel has a long history of leadership and investment in open source software and secure computing. Over the last five years, Intel has invested over $250M in advancing open source software security. As we approach the next phase of Open Ecosystem initiatives, Intel is growing its pledge to support the Linux Foundation by double digit percentages.”

Microsoft is adding $5 million in additional funding because, “Open source software is core to nearly every company’s tech strategy. Collaboration and investment across the ecosystem strengthens and sustains security for everyone.” 

These investments are the start of an initiative to raise $150M toward implementation of the project. 

Last week’s meeting and the plan mark the beginning of a new and critical pooling of resources – knowledge, staff, and money – to further shore up the world’s digital infrastructure, all built upon a foundation of open source software. It is the next step (well, really several steps) in the journey.

If you want to join the efforts, start at the OpenSSF.
