Close Menu
Edu Expertise Hub
    Facebook X (Twitter) Instagram
    Wednesday, June 25
    • About us
    • Contact
    • Submit Coupon
    Facebook X (Twitter) Instagram YouTube
    Edu Expertise Hub
    • Home
    • Udemy Coupons
    • Best Online Courses and Software Tools
      • Business & Investment
      • Computers & Internet
      • eBusiness and eMarketing
    • Reviews
    • Jobs
    • Latest News
    • Blog
    • Videos
    Edu Expertise Hub
    Home » Latest News » OSS leaders detail commitments to bolster software security
    Latest News

    OSS leaders detail commitments to bolster software security

    TeamBy TeamMarch 10, 2024No Comments4 Mins Read0 Views
    Facebook Twitter Pinterest LinkedIn Telegram Tumblr Email
    OSS leaders detail commitments to bolster software security
    Share
    Facebook Twitter LinkedIn Pinterest Email


    The operators of leading open source software (OSS) package repositories, including the Python Software Foundation and the Rust Foundation, have set out the actions they are taking to help better secure and protect the open source software (OSS) ecosystem, underscored by a series of high-profile OSS flaws in the past few years, most notably Log4Shell.

    OSS was the subject of a two-day security summit convened by Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly in the US this week, which brought together OSS foundations, package repositories, representatives from the wider IT industry, and US government agencies and civil society organisations, to explore new approaches to strengthen OSS security, and conduct tabletop wargame exercises on OSS vulnerability response.

    “Open Source Software is foundational to the critical infrastructure Americans rely on every day,” said Easterly. “As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come.”

    “Open source software is a mission-critical foundation of cyber space,” added Anjana Rajan, assistant national cyber director for technology security. “Ensuring that we have a secure and resilient open source software ecosystem is a national security imperative, a technology innovation enabler and an embodiment of our democratic values. As the chair of the Open Source Software Security Initiative [OS3I], ONCD is committed to ensuring this remains a priority for the Biden-Harris Administration and commends CISA’s leadership in convening this important forum.”

    Following the conference, CISA has also committed to working closely with package repositories to push take-up of its recently launched Principles for Package Repository Security, co-developed with the Open Source Security Foundation’s (OpenSSF’s) Securing Software Repositories Working Group, and launched a new effort to enable voluntary collaboration and cyber data sharing with OSS infrastructure operators to protect the supply chain.

    Some of the initiatives being advanced by OSS package repositories include:

    • The Rust Foundation is currently working to bring in Public Key Infrastructure (PKI) for the Crates.io repository for mirroring and binary signing. It has also published a more detailed threat model for Crates.io, and introduced new tooling to identify malicious activity.
    • The Python Software Foundation is currently on-boarding more providers to PyPI to enable trusted, credential-less publishing, and expanding support from GitHub to include GitLab, Google Cloud and ActiveState. Work to provide an API and other tools to report and mitigate malware, with the goal of increasing PyPI’s ability to respond to the problem quickly and effectively, is also underway. Additionally, the ecosystem is finalising index support for digital attestations, PEP 740, which will enable digitally signed attestations and their verifying metadata to be uploaded to Python package repositories.
    • Packagist and Composer recently brought in vulnerability database scanning and further measures to stop attackers taking over packages without authorisation, and will be undertaking more work in line with the Principles for Package Repository Security framework, and conducting an in-depth audit of existing codebases, later in 2024.
    • Npm, which already requires those who maintain high-impact projects to enrol in multi-factor authentication (MFA) has recently introduced tooling that lets them automatically generate package provenance and software bills of material to enhance users’ ability to trace and verify the provenance of their dependencies.
    • Sonatype’s Maven Central has, since 2021, been automatically scanning staged repositories for vulnerabilities and reporting to their developers. Going forward, it’s launching a publishing portal with enhanced repository security, including support for MFA. Other future initiatives include Sigstore implementation, Trusted Publishing evaluation and access control on namespaces.

    Keeping code secure

    Mike McGuire, senior software solutions manager at the Synopsys Software Integrity Group, said: “The efforts of the open source community, in concert with CISA as part of this initiative, is indicative of a broader truth, which is that open source project maintainers and stewards generally do an effective job at keeping their code secure, up to date and of acceptable quality.

    “There is no doubt that threat actors have been taking advantage of the inherent trust that we have in open source, so these efforts should go a long way in preventing supply chain attacks from starting at the level of open source project development,” he said.

    “However, no matter what is done because of these exercises, no commercial application will be made any more secure if development organisations don’t invest more in managing the open source that they leverage,” said McGuire.

    “When over 70% of commercial applications have a high-risk open source vulnerability, and the average age of all vulnerabilities is 2.8 years old, it’s clear that the biggest concern is not with the open source community, but with the organisations failing to keep up to date with the varying security patching work that the community is doing,” he said.

    This post is exclusively published on eduexpertisehub.com

    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Team

      Related Posts

      You’re using ChatGPT? A true story about why AI literacy starts with us

      June 25, 2025

      Zopa Bank launches current account earlier than expected

      June 24, 2025

      Can the Most Populous State Pull Off Universal Pre-K?

      June 24, 2025

      Dr. Mahnaz CharaniaChief Transformation Officer, The New Teacher Project

      June 23, 2025

      Clouded judgement: Resilience, risk and the rise of repatriation

      June 23, 2025

      Why Giving My Students More Choice Was the Most Punk Rock Thing I Could Do

      June 22, 2025
      Courses and Software Tools

      Extreme Privacy: What It Takes to Disappear

      August 24, 202452 Views

      Modern C++ Programming Cookbook: Master Modern C++ with comprehensive solutions for C++23 and all previous standards

      September 18, 202427 Views

      Meebook E-Reader M7 | 6.8′ Eink Carta Screen | 300PPI Smart Light | Android 11 | Ouad Core Processor | Out Speaker | Support Google Play Store | 3GB+32GB Storage | Micro-SD Slot | Gray

      August 19, 202422 Views

      HR from the Outside In: Six Competencies for the Future of Human Resources

      May 20, 202517 Views

      Coders at Work: Reflections on the Craft of Programming

      April 19, 202516 Views
      Reviews

      Smart critique: AI Tools for literary beginners | Udemy Coupons 2025

      June 25, 2025

      Commercial Portfolio Manager

      June 25, 2025

      Ten Ways to Get Dumped by a Tyrant: Volume II (Light Novel)

      June 25, 2025

      Global Cultural Interplay: Elevating the Art of Business Success Across Cultures

      June 25, 2025

      Machine Learning and Big Data with kdb+/q (Wiley Finance)

      June 25, 2025
      Stay In Touch
      • Facebook
      • YouTube
      • TikTok
      • WhatsApp
      • Twitter
      • Instagram
      Latest News

      You’re using ChatGPT? A true story about why AI literacy starts with us

      June 25, 2025

      Zopa Bank launches current account earlier than expected

      June 24, 2025

      Can the Most Populous State Pull Off Universal Pre-K?

      June 24, 2025

      Dr. Mahnaz CharaniaChief Transformation Officer, The New Teacher Project

      June 23, 2025

      Clouded judgement: Resilience, risk and the rise of repatriation

      June 23, 2025
      Latest Videos

      These MISTAKES will ruin your ETHICAL HACKING CAREER.

      June 24, 2025

      Elevate your business career with a Master of Applied Finance

      June 23, 2025

      5 Career Options for Digital Marketing Students

      June 22, 2025

      F1 2021 Career Mode – Not a bad move on a 4x WDC #formula1 #automobile #f1game #foryou #gaming

      June 20, 2025

      How to Become a Cyber Security Engineer in 2025[Complete Roadmap]| Intellipaat#shorts #cybersecurity

      June 19, 2025
      Latest Jobs

      Commercial Portfolio Manager

      June 25, 2025

      Senior Product Designer, Amazon Health

      June 25, 2025

      Bartender (Part Time)

      June 25, 2025

      Senior Performance Marketing Manager

      June 25, 2025

      Technical Program Manager

      June 24, 2025
      Legal
      • Home
      • Privacy Policy
      • Cookie Policy
      • Terms and Conditions
      • Disclaimer
      • Affiliate Disclosure
      • Amazon Affiliate Disclaimer
      Latest Udemy Coupons

      Mastering Maxon Cinema 4D 2024: Complete Tutorial Series | Udemy Coupons 2025

      August 22, 202435 Views

      Advanced Program in Human Resources Management | Udemy Coupons 2025

      April 5, 202530 Views

      Diploma in Aviation, Airlines, Air Transportation & Airports | Udemy Coupons 2025

      March 21, 202530 Views

      Python Development & Data Science: Variables and Data Types | Udemy Coupons 2025

      May 24, 202521 Views

      Time Management and Timeboxing in Business, Projects, Agile | Udemy Coupons 2025

      April 2, 202521 Views
      Blog

      10 Overused LinkedIn Buzzwords (And What To Say Instead)

      June 24, 2025

      How To Manage Your Career Goals Successfully

      June 20, 2025

      5 Mistakes That Are Killing Your LinkedIn Profile

      June 18, 2025

      How To Write A Cover Letter That Stands Out To Recruiters

      June 17, 2025

      Why Feedback Will Help Your Professional Development

      June 14, 2025
      Facebook X (Twitter) Instagram Pinterest YouTube Dribbble
      © 2025 All rights reserved!

      Type above and press Enter to search. Press Esc to cancel.

      We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
      .
      SettingsAccept
      Privacy & Cookies Policy

      Privacy Overview

      This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
      Necessary
      Always Enabled
      Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
      Non-necessary
      Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
      SAVE & ACCEPT