As the open source model continues to prove its durability in the enterprise, the software community is increasing its concern for security. This concern was evident in recent weeks as major Linux groups paved the way for better code security.
Google announced a new initiative focused on software vulnerabilities. Already a generous provider of remediation incentives, the company has upped the ante to encourage more researchers to submit vulnerability reports for cash.
Edgeless Systems made a striking open source contribution, JFrog offered advancements to support a more refined Rust foundation, and Facebook pushed the boundaries of Meta AI as well.
Google offers bug bounty for vulnerable open source code
Google launched its Open Source Software Vulnerability Rewards (OSS VRP) program in late summer to reward discoveries of vulnerabilities in Google’s open source projects such as Golang, Angular and Fuchsia. The program joins the bounty campaign launched by Google about 12 years ago.
Over time, the campaign has expanded to include programs focused on Chrome, Android, and other areas. Together, these programs have rewarded over 13,000 submissions, totaling over $38 million paid.
The addition of this new program responds to the increasingly prevalent reality of supply chain compromises. Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including high-profile incidents like Codecov and the Log4j vulnerability, which showed the destructive potential of a single open source vulnerability.
Google’s OSS VRP is part of a $10 billion commitment to improve cybersecurity, including securing the supply chain against these types of attacks for Google users and open source consumers around the world.
“Securing open source software and the broader software supply chain remains a top concern for security organizations globally. By leveraging the human intelligence of the research community, Google shows they are committed to ensuring the security of its open source projects.
“This represents a big step taken by an OSS leader to ensure they are delivering secure OSS components,” said Dave Gerry, chief operating officer of crowdsourced cybersecurity company Bugcrowd.
How it works
The first rewards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol Buffers and Fuchsia. After the initial rollout, Google plans to expand this list.
Researchers should focus on discoveries that have the most impact on the supply chain. In-scope findings include vulnerabilities leading to supply chain compromise, design issues leading to product vulnerabilities, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.
Depending on the severity of the vulnerability and the importance of the project, the rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.
See the program rules for more information. If a submission is better suited to another Google vulnerability reward program, Google will route it to that VRP for you.
Also check the Patch Rewards program, which rewards security improvements to Google’s open source projects, such as up to $20,000 for fuzzing integrations in OSS-Fuzz.
“OSS projects already have the advantage of having more eyes on the code, which leads to finding and fixing vulnerabilities quickly. A bug bounty program like this will entice people to take a closer look.
“Ideally, a program like this could expand outside of ‘sponsored’ projects with ties to big tech companies to help other vital, but not so well-funded OSS projects,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation.
Industry Gets First Runtime Encrypted Kubernetes as Open Source
Edgeless Systems released the first Kubernetes distribution built on confidential computing on September 13. It is available to all users on GitHub.
The Constellation open source project verifiably shields Kubernetes clusters from the underlying cloud infrastructure and encrypts them end-to-end. Confidential computing is a hardware-based technology that isolates IT workloads from their environment and keeps data encrypted even while it is being processed.
This development addresses a major security requirement as IT spans increasingly diverse environments, and it helps businesses and developers manage growing security and compliance demands. Because Constellation is open source, more Kubernetes users can secure all of their data at rest, in transit, and in use.
JFrog adds to Rust’s efforts to eliminate OSS vulnerabilities
The open source community is gaining momentum by increasing the security of the code that runs in the vast majority of the world’s software, including proprietary programs.
JFrog, the Liquid Software company and creator of the JFrog DevOps Platform, announced on September 13 a new initiative with the Rust Foundation, the independent non-profit organization that stewards the Rust programming language. The partnership is focused on identifying and eliminating threats to the Rust platform and ecosystem.
Effective immediately, the JFrog Security Research team will provide access to all of its information on known software vulnerabilities, ongoing threat research, and developer resources, so that discovered platform issues can be remediated proactively and emerging security issues can be prevented from having future impact.
“Securing the software supply chain cannot be achieved in a single effort. This requires ongoing commitment, as well as a multi-level approach. We believe that memory-safe languages play an important role in this plan,” said Stephen Chin, vice president of developer relations at JFrog.
“By working hand-in-hand with the Rust Foundation, we can ensure that this foundational programming language remains a recommended best practice in modern, secure software development,” he added.
A Google study indicated that memory safety issues have made up a nearly constant share of the security vulnerabilities assigned Common Vulnerabilities and Exposures (CVE) identifiers for more than a decade. The Rust programming language, reportedly used by 2.2 million developers over the past two years, was designed from the ground up to be both memory-safe and high-performance.
This means that the language does not allow a program to access memory it is not authorized to access. That, in turn, greatly reduces the chance that developers unknowingly introduce memory bugs that leave their software open to attack.
Accordingly, Rust has been identified as a “critical open source software project” by the Open Source Security Foundation (OpenSSF) and has gained support under OpenSSF’s Alpha-Omega project to help identify new and not-yet-discovered vulnerabilities in order to improve Rust’s security posture.
Rust’s inherent stability and performance, combined with JFrog’s advanced security tools, research, and expertise, will help keep the Rust language secure over time.
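To make the memory-safety point above concrete, here is a small added example (written for this piece, not code from Google, JFrog or the Rust Foundation). It parses constructed length-prefixed records, the kind of format where an unchecked C parser over-reads the buffer when a length field lies. In Rust every slice access is bounds-checked, so the malformed input becomes a reported error rather than a read of memory the program was never authorized to touch; the record format and the sample bytes are assumptions made for the illustration.

```rust
/// Added example (not from the article or any project named in it): a small
/// length-prefixed record parser showing how Rust's bounds-checked slices turn
/// a malformed length field into an error instead of an out-of-bounds read.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The declared length runs past the end of the buffer.
    Truncated { declared: usize, available: usize },
    /// Fewer than two bytes remain, so there is no length field to read.
    MissingLength,
}

/// Parse records of the form [len: u16 big-endian][len bytes of payload].
/// Every slice access goes through `get`, which returns `None` rather than
/// reading outside the buffer. Indexing with `buf[a..b]` would panic instead
/// (still memory safe, but a denial of service); neither can silently over-read.
pub fn parse_records(buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut records = Vec::new();
    let mut pos = 0;
    while pos < buf.len() {
        let len_bytes = buf.get(pos..pos + 2).ok_or(ParseError::MissingLength)?;
        let declared = u16::from_be_bytes([len_bytes[0], len_bytes[1]]) as usize;
        pos += 2;
        let payload = buf
            .get(pos..pos + declared)
            .ok_or(ParseError::Truncated { declared, available: buf.len() - pos })?;
        records.push(payload);
        pos += declared;
    }
    Ok(records)
}

/// Constructed well-formed input: "hi" followed by "rust".
pub fn sample_ok() -> Vec<u8> {
    vec![0, 2, b'h', b'i', 0, 4, b'r', b'u', b's', b't']
}

/// Constructed malformed input: the length field claims 65535 bytes but only
/// three follow. In an unchecked parser this is the classic buffer over-read;
/// here it is a reportable error.
pub fn sample_overread() -> Vec<u8> {
    vec![0xff, 0xff, b'a', b'b', b'c']
}

// A dangling reference is rejected at compile time rather than at run time:
//
//     fn dangling() -> &'static [u8] {
//         let local = vec![1u8, 2, 3];
//         &local   // error[E0515]: cannot return reference to local variable
//     }
//
// The borrow checker enforces this with no run-time cost.

fn main() {
    println!("{:?}", parse_records(&sample_ok()));
    println!("{:?}", parse_records(&sample_overread()));
}
```

The `get` calls are the whole point: the same logic written with plain indexing would still never read past the buffer, but it would abort the process, so returning `Result` is the idiomatic way to keep both memory safety and availability when the input is untrusted.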
“I believe this investment will ensure the safety, security, and sustainability of Rust, enabling new use cases and broader industry adoption,” said Bec Rumbul, Executive Director of the Rust Foundation.
PyTorch and deep learning initiatives
On September 12, Meta announced the PyTorch Foundation: A New Era for the Cutting-Edge AI Framework.
The pre-existing PyTorch organization is now the independent PyTorch Foundation under The Linux Foundation (LF) umbrella. The project joins LF with a diverse board of directors made up of representatives from AMD, Amazon Web Services, Google Cloud, Meta, Microsoft Azure, and Nvidia, with plans to grow over time.
The PyTorch Foundation will act as a guardian of the technology and support PyTorch through conferences, training courses, and other initiatives. The goal is to drive the adoption of AI tools by fostering and supporting an ecosystem of vendor-neutral open source projects with PyTorch. It will democratize state-of-the-art tools, libraries, and other components to make these innovations accessible to everyone.
Along with this arrangement, LF announced the same day that its training and certification community was introducing a new course, PyTorch and Deep Learning for Decision Makers (LFS116x). The content targets technical and non-technical individuals interested in understanding how deep learning and PyTorch can be used to create business value through the development and deployment of AI applications.
Visit the Linux Foundation for registration details.