Why Google-backed secure open source programs are so important – CloudSavvy IT


Supply chain attacks are on the rise, and open source projects are the most common entry point. A Linux Foundation program sponsored by Google helps open source projects protect themselves, and with them everyone who depends on their code.

Supply chain attacks

Until very recently, if you worked in cybersecurity and found yourself explaining a supply chain attack to someone, you probably used the Stuxnet attack as your example. Now there are plenty of examples to choose from.

Everyone has heard of the SolarWinds and Codecov attacks, because they were widespread, sophisticated, and grabbed headlines. But these two examples are only a drop in the ocean of this type of attack.

A supply chain attack poisons the buffet. Anyone who eats from the buffet consumes the poison. The host of the buffet is not the target; the target is everyone invited to the feast. If an attacker can compromise a software toolkit or library that is used in many other applications and systems, the attacker has compromised all the users of those other products.

Both open source and closed source products are at risk. In some cases, laptops have been built from a hard drive image duplicated from a compromised golden image, so the malware shipped on the hardware itself.

However, open source projects let anyone read the source code and submit contributions, which makes them ideal attack vectors for cybercriminals. And as the use of open source components continues to snowball, targeting open source becomes increasingly attractive. Almost all significant development projects use open source assets. The digital infrastructure of the modern world relies on open source.

According to a Sonatype report, the adoption of open source is still accelerating. That is great for open source. Not so great is the simultaneous increase in supply chain attacks that use open source as the attack vector. Supply chain attacks such as dependency confusion, typosquatting, and code injection are increasing by 650% year over year.

We’ve already covered the steps you can take in-house to limit your exposure to supply chain attacks, using utilities such as preflight. We’ve also reported on programs implemented at the industry level, such as the Linux Foundation’s sigstore initiative, jointly developed by Google, Red Hat, and Purdue University, Indiana.

The Secure Open Source program is a new initiative run by the Linux Foundation and sponsored by the Google Open Source Security Team with $1 million in funding.

Secure Open Source rewards

The pilot program focuses on strengthening the security of critical open source projects. The definition of critical is the United States government definition drafted to supplement Executive Order 14028. Those definitions rank software as critical if one or more of its components has any of the following attributes:

- Designed to run with elevated privileges or to manage privileges.
- Has direct or privileged access to network or computing resources.
- Designed to control access to data or operational technology.
- Performs essential functions.
- Operates outside the normal trust boundaries with privileged access.

Another important factor is the potential impact of problems on software consumers. Who, how many, and how are they affected? If the software in question is embedded in another open source project, the impact will be greater than for a standalone application. Also, the more popular a particular component is, the more attractive it is to supply chain attacks.

Therefore, these criteria are also taken into account.

- How many, and what types of, users will be affected by the improved security?
- Will the improvements have a significant impact on infrastructure and user security?
- If the project is compromised, how serious or widespread is the impact?
- Is the project included in the Harvard 2 Census of the most used packages, or is its OpenSSF Criticality Score above 0.6?

Broadly speaking, software projects can apply for funding to fix security issues. The application is reviewed to consider topics such as the importance of the project, what the fix or improvement is, and who will do the work. Members of the evaluation committee are representatives of the Linux Foundation and the Google Open Source Security Team.

Proposals that include improvements from this list are viewed favorably:

- Hardening the supply chain, including CI/CD pipelines and distribution infrastructure, in line with the Supply-chain Levels for Software Artifacts (SLSA) framework.
- Adopting software artifact signing and verification techniques, such as the sigstore tooling.
- Project improvements that lead to higher OpenSSF Scorecard results. Scorecard detects and lists risks in open source projects and their dependencies.
- Hardening your GitHub repository with OpenSSF Allstar.
- Earning the CII Best Practices Badge by adopting industry best practices.
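The second item above, artifact signing and verification, is the mechanism that lets a consumer detect a tampered download before it runs. The following added example (not code from the article or from the sigstore project, which uses its own certificate and transparency-log machinery) shows the underlying idea with Go's standard library only: the publisher signs the SHA-256 digest of a release artifact with an Ed25519 key, and the consumer recomputes the digest of what it actually received and checks the signature against the publisher's public key. The artifact bytes, the `Signature` record format and the function names are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signature is a constructed, minimal detached-signature record: the SHA-256
// digest of the artifact that was signed plus the Ed25519 signature over that
// digest. Real tools (sigstore/cosign, in-toto) use their own envelopes; this
// hypothetical format only illustrates the principle.
type Signature struct {
	DigestHex string
	Sig       []byte
}

// SignArtifact hashes the artifact bytes and signs the digest with the
// publisher's private key. This runs on the publisher's side, once per release.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Signature {
	digest := sha256.Sum256(artifact)
	return Signature{
		DigestHex: hex.EncodeToString(digest[:]),
		Sig:       ed25519.Sign(priv, digest[:]),
	}
}

// VerifyArtifact runs on the consumer's side. It recomputes the digest of the
// bytes the consumer actually received, checks that it matches the digest the
// publisher signed, and checks that the signature was made by the expected key.
func VerifyArtifact(pub ed25519.PublicKey, artifact []byte, s Signature) error {
	digest := sha256.Sum256(artifact)
	if hex.EncodeToString(digest[:]) != s.DigestHex {
		return errors.New("artifact digest does not match signed digest (tampered or wrong file)")
	}
	if !ed25519.Verify(pub, digest[:], s.Sig) {
		return errors.New("signature invalid for this public key")
	}
	return nil
}

// RunDemo exercises the three cases a consumer cares about and reports whether
// each one verified: the genuine artifact, a tampered artifact with the original
// signature record, and the genuine artifact checked against the wrong public key.
func RunDemo() (genuineOK, tamperedOK, wrongKeyOK bool, err error) {
	// Publisher side: key generation happens once; the public key is distributed
	// out of band (for example, alongside the project's release metadata).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	artifact := []byte("constructed release tarball contents v1.2.3") // constructed sample
	sig := SignArtifact(priv, artifact)

	// Consumer side.
	genuineOK = VerifyArtifact(pub, artifact, sig) == nil

	// Flip one bit in the artifact; the signature record is left untouched.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	tamperedOK = VerifyArtifact(pub, tampered, sig) == nil

	// A signature from some other key pair must not be accepted as the publisher's.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	wrongKeyOK = VerifyArtifact(otherPub, artifact, sig) == nil
	return genuineOK, tamperedOK, wrongKeyOK, nil
}

func main() {
	g, t, w, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verified: %v, tampered verified: %v, wrong key verified: %v\n", g, t, w)
}
```

The point of the digest check before the signature check is that the consumer verifies the bytes it downloaded, not the bytes the publisher claims to have signed; a mirror or a compromised distribution server cannot substitute a different file without the check failing. What sigstore adds on top of this primitive is a way to trust the public key in the first place (short-lived certificates tied to an identity and a public transparency log), which is exactly the distribution problem the hard-coded key in this example leaves open.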

Rewards are tiered according to the complexity and security benefit of the improvement and the potential impact that a successful attack would have on the wider community.

- Over $10,000: complex, high-impact, permanent improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.
- $5,000 to $10,000: moderately complex improvements that offer compelling security benefits.
- $1,000 to $5,000: submissions of moderate complexity and impact.
- $505: small improvements that still benefit security.

A reporting mechanism must be agreed on and adhered to. It tracks the progress of the fix and confirms that the work is actually done. This is more than just free money.

Why this is important

“… Attackers are expected to continue to target upstream software supply chain assets as a preferred path for large-scale exploitation of downstream victims,” the Sonatype report states.

The scale is huge because open source is used so widely in the development of both open and proprietary products. Open source is surprisingly pervasive in the technological fabric of the modern world; in fact, that fabric now relies entirely on open source.

Initiatives like sigstore and Allstar are designed to support the open source movement as a whole. Other tools, such as preflight, are deployed on the consumer side. This new initiative complements both approaches and addresses the underlying problem.

Improving code and development infrastructure and removing vulnerabilities reduces the chance of being exploited, and that reduces the number of compromises.

Secure Open Source rewards are not a bug bounty. They provide resources to tackle the problem. Open source can be put on a stronger footing by addressing code issues, hardening CI/CD pipelines and source code repositories, and adopting software artifact signing and verification schemes.

Sources

1. https://Google.com/
2. https://www.cloudsavvyit.com/14406/why-the-google-backed-secure-open-source-program-is-so-important/
