FOSSA’s Post

The Open Source Security Foundation (OpenSSF), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has launched a new tool to simplify Software Bill of Materials (SBOMs) management for organizations. A Software Bill of Materials (SBOMs) is a nested, formatted inventory that lists the components making up software to include the supply chain relationships of various open source and commercial components used in building software. Understanding the supply chain of software, obtaining an SBOM and using it to analyze known vulnerabilities are crucial for managing cybersecurity risk. #sbom #cisa #Protobom #OpenSSF #DHS https://lnkd.in/dPN7PF-T

It's been an exciting month since we launched our upgraded FREE product! If you haven't explored it yet, now's the perfect time! For teams of up to 25 contributing developers and/or up to 5 projects, our free tier allows you to: 🔒 Detect and fix vulnerabilities 📝 Generate and share SBOMs 🤝🏻 Automate open source license license compliance Don’t miss out on these powerful tools designed to help you deliver trusted software. Read the full details in our blog and sign up today: https://lnkd.in/gbNQUzaC #SBOM #VulnerabilityManagement #LicenseCompliance #SoftwareSecurity

FOSSA Quality is another step in support of our mission to help companies embrace open source software and improve the integrity of their software supply chains. ⛓️ It adds an additional layer of visibility and control, helping you stay ahead of risks that could turn into vulnerabilities. Explore our blog post where we delve into the key aspects of package health and how FOSSA helps you deliver trusted software. 📈 Learn more: https://lnkd.in/ejq9PkJU #VulnerabilityManagement #OpenSource #OSS #SupplyChainSecurity

As the details of the Xz Utils incident emerge 💻Dan Draper comments on why this hack highlights the differences between open and closed software when it comes to vulnerabilities and responses. Dan said the view that the Xz Utils incident meant open source software should be avoided were off the mark. "I still believe that an open-source approach is, generally, a more secure path because it makes hiding malicious behaviour very hard." While people are using the Xz mess as an excuse to whip open source, the truth is that the attack failed because of open source. "When issues are detected, an army of developers and researchers rally around it, sharing notes and collaborating on a fix resulting in a rapid and transparent response." "Closed source commercial software is almost never patched as quickly and, even if it is, the company behind it tends to keep details to themselves for fear of recrimination." Is it time for the corporate world to pay the dues it owed to open-source software. Investing in open-source software allows maintainers to give projects their full attention, rather than as an oft-neglected side-interest. Do you agree or what’s your take on this - let us know in the comments below.

The xz security flaw has shown that open-source maintainership is fragile, particularly in balancing the needs of ongoing support and enterprise demands. Filippo Valsorda's post on GeoMyS provides an in-depth look at how this innovative firm addresses these issues. https://lnkd.in/e_SPNi9S #xz #security #opensource #oss #maintainer #maintainership

Supply chain attacks occur when an attacker targets a vulnerability in a third-party vendor's software at any point in the chain, a phenomenon which has become more frequent and sophisticated. This phenomenon is also helped, in some ways, by the absence of awareness of the threats and risks associated with OSS vulnerabilities. Take for example the Log4j download dashboard from Sonatype, which clearly shows how software developers are still consuming hundreds of thosands of vulnerable versions of Log4j. Here is what a modern software supply chain looks like today and where threats may hide at any point..Read more: https://hubs.la/Q02dh53m0 #opensource

🔓 Open source software (OSS) has risks that go beyond CVEs. 💡 A team of CISOs and experts endorsed by OWASP have identified the top 10 risks associated with OSS, shedding light on crucial aspects that often go unnoticed. ⚠️ The OWASP Top 10 Risks for Open Source Software cover a wide range of concerns, including: 1. Known Vulnerabilities: While CVEs remain a significant risk, this list highlights additional challenges that organizations must address. 2. Compromise of Legitimate Packages: Attackers can exploit vulnerabilities or hijack maintainer accounts to inject malicious code into legitimate packages. 3. Name Confusion Attacks: Malicious actors create packages with names and logos similar to legitimate ones, tricking developers into downloading compromised code. 4. & 5. Unmaintained and Outdated Software: Lack of regular updates and security patches can leave organizations vulnerable. 6. Untracked Dependencies: Failing to manage and track all dependencies can expose your codebase to unknown risks. 7. License and Regulatory Risks: Incompatible licenses and regulatory non-compliance can lead to legal troubles. 8. Immature Software: Inexperienced developers may introduce security vulnerabilities through poor coding practices. 9. Unapproved Changes: Unsanctioned changes to code and data from external sources can compromise the integrity of your applications. 10. Under/Over-sized Dependencies: Both minimal and excessively large dependencies introduce their own set of risks. By understanding and addressing these risks, organizations can unlock the full potential of open source software while ensuring the security and integrity of their applications. #OpenSourceSecurity #OSS #AppSec #OWASPTop10 #SoftwareSupplyChain #RiskManagement

Yesterday, Tidelift co-founder and general counsel Luis Villa joined Application Security Weekly Podcast to discuss the social and economic aspects of supporting open source projects. Here are some of the key takeaways from Luis’s conversation: Supporting open source: Luis shared insights on the challenges maintainers face, from handling security policies, delivering on community ex to balancing legal issues. At Tidelift, we are pioneering ways to provide sustainable financial support to maintainers, in an effort to ensure a robust and secure open-source ecosystem. Government and Corporate Roles: Luis discussed the importance of government and corporate support in maintaining the security and viability of open-source projects. With regulations like the EU's Cyber Resilience Act, there's a growing need for structured support for these essential projects. Security and Sustainability: Luis highlighted that as open source projects become more critical to the modern economy, maintaining their security and sustainability will be paramount. This should involve not just financial support but also providing resources for security response and licensing management. Looking Forward: Open source projects are the backbone of our digital infrastructure, and their maintainers are the unsung heroes. As we navigate the complexities of cybersecurity, it’s crucial to support these projects not just with gratitude but with tangible resources. Tidelift customers play a direct role in ensuring the projects they rely on keep getting better because maintainers are paid based on factors that include customer usage. Maintainers use this income to improve the secure development practices they have in place, to document these practices, and to commit to maintaining them over time. #opensource #opensourcemaintainers #cybersecurity Watch the podcast here -> https://lnkd.in/eB4pET_8

"The CVE-2023-6246 vulnerability in glibc can allow an attacker to escalate their local unprivileged access to the full root privilege level," says Dana Wang and David A. Wheeler in our latest blog. "This root access, depending on the system, can allow an attacker to gain access to confidential data, exfiltrate or manipulate sensitive data, launch a ransomware attack on that system, and may enable lateral movements to gain persistent access to more critical systems. Users of vulnerable versions are urged to upgrade." This CVE highlights the significance of the initiatives that OpenSSF has been championing like: ⭐ Memory Safe Languages ⭐ Tools ⭐ Coordinated Vulnerability Disclosure ⭐ Tabletop exercise (TTX) ⭐ Software Bill of Material (SBOM) Read the blog at: https://lnkd.in/g_uc8a6Q

Did you know that more than 20% of packages grapple with risks from neglected NPM packages? In our latest exploration, Mor Weinberger and I share insights on the silent threats and how Aqua's Supply Chain module empowers you to safeguard your code. Let's prioritize secure code for a resilient software journey! 🚀 #opensource #supplychain #aqua