White House Joins OpenSSF, Linux Foundation In Securing Open-Source Software (zdnet.com)
An anonymous reader quotes a report from ZDNet: Securing the open-source software supply chain is a huge deal. Last year, the Biden administration issued an executive order to improve software supply chain security. This came after the Colonial Pipeline ransomware attack shut down gas and oil deliveries throughout the southeast and the SolarWinds software supply chain attack. Securing software became a top priority. In response, the Open Source Security Foundation (OpenSSF) and the Linux Foundation rose to this security challenge. Now, they're calling for $150 million in funding over two years to fix ten major open-source security problems.
The government will not be paying the freight for these changes. $30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMware. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million. At the White House press conference, OpenSSF general manager Brian Behlendorf said, "I want to be clear: We're not here to fundraise from the government. We did not anticipate needing to go directly to the government to get funding for anyone to be successful."
Here are the ten goals the open-source industry is committed to meeting:
1. Security Education: Deliver baseline secure software development education and certification to all.
2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
4. Memory Safety: Eliminate root causes of many vulnerabilities through the replacement of non-memory-safe languages.
5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
6. Better Scanning: Accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
9. Software Bill of Materials (SBOMs) Everywhere: Improve SBOM tooling and training to drive adoption.
10. Improved Supply Chains: Enhance the 10 most critical open-source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.
Consultants dream (Score:2)
Re: (Score:3, Funny)
Yeah, and also when they make it illegal to use any language other than Rust.
Honestly it's the gov't (Score:2)
If it's one thing the Dems are good at, it's boring procedural stuff. And there's nothing more boring and procedural than methodically fixing bugs in software.
Re: Do we really... (Score:4, Informative)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2, Insightful)
Wazzamadda, you afraid Biden is going to come around with Obama, and take your misinformation while he's taking your guns?
Re: (Score:2, Interesting)
I look forward to your insightful take on the government being arbiters of truth if/when Republicans are back in control.
The Department of Homeland Security was a Republican creation, and its primary jobs are spying on Americans [wikipedia.org] and obfuscating information [wikipedia.org]. They don't need any help from anyone else to engage in malice. Besides, they are the ones who want to be the arbiters of truth. That's why they keep trying to regulate social media, claiming that conservative voices are being silenced [pewresearch.org] when studies have proven that social media amplifies conservative messaging [theverge.com] in more cases, and actually suppresses liberal speech far more o [cbsnews.com]
Re: (Score:1)
Hunter, is it you?
Release the crack pipe, bro
Re: (Score:1)
You quote ancient news, from back in Trump day. Fine, I'll agree that happened BUT... Now the Democrats are the ones censoring dissent on Twitter and other social media, and it's why they lost their shit when Musk offered to buy Twitter. It's why the Democrats have made the George Orwell 1984-worthy Ministry of Truth, to be the ones who control what "Disinformation" is.
The spying and invasion of privacy was expanded under Obama, just continuing and amplifying Bush agenda.
Re: (Score:1)
As state-level propaganda tends to be more crisp... 1st Amendment and all, you see.
Re: (Score:2)
...want to get more involved with a White House that is creating a literal Ministry of Propaganda?
They had one in the early C20th but then along came Sigmund Freud's nephew who privatised it: https://en.wikipedia.org/wiki/... [wikipedia.org] Knowing about Bernays & how he worked gives us valuable insights into the govt & corporate propaganda we see these days. Most people are blissfully unaware.
On Windows? (Score:2)
Re: (Score:2)
I read that they got into SolarWinds somehow through a compromised O365 account. But that could have happened even through no fault of Microsoft's (I don't know either way), and I don't know if it was an actual exploit that got them in to begin with, social engineering, or what.
Colonial Pipeline is supposedly similar, a password leak is suspected. So it may be that neither of these hacks was actually caused by a security vulnerability in software.
Re: (Score:3)
That's right, not only are they unrelated to FOSS but they are also likely unrelated to security vulnerabilities in software at all, unless you count a lack of 2FA. But since they could have been using 2FA if they wanted to, you can't really blame that either...
double agenda? (Score:3)
I'm guessing here the NSA/CIA/ABC is sitting on a bunch of exploits that they believe they need for their job (and thus stay secret by obscurity). If so, the White House could contribute quite a lot by providing these exploits to the maintainers, for no expense on their side. Alternatively, could this be a method to ensure that these exploits stay secret (e.g. by deliberately sabotaging others from working on them)?
Re: (Score:3)
I'm guessing here the NSA/CIA/ABC is sitting on a bunch of exploits that they believe they need for their job (and thus stay secret by obscurity).
You don't need to guess. It is pretty well documented how many security agencies by all participating governments collect and hoard zero-day exploits for use in cyber warfare. They have a definite interest in not releasing them to be fixed by either open-source or proprietary actors when potential targets have a widely or critically deployed exploit.
Recommended reading: This Is How They Tell Me the World Ends: The Cyberweapons Arms Race [amazon.com].
I hope a few distros survive (Score:2, Informative)
Re: (Score:2)
Well, there is always OpenBSD :)
But if a backdoor is put in Linux, it would be in the kernel, so it will probably impact all distros. But the kernel is so complex now that I kind of believe you will need a lot more than "many eyes" to find any vulnerabilities.
The White House? (Score:2)