Who will work on open source security: a look at the new projects and their future

The Linux Foundation founded the OpenSSF in August. It brings together the Core Infrastructure Initiative and the Open Source Security Coalition. Their participants will develop tools for finding vulnerabilities in code and for vetting the programmers who write it. Here is what's what.

Photo - Andrew Sharp - Unsplash

What are the benefits for the IT industry

Fewer bugs in open source software. The foundation's main efforts will go toward supporting solutions that reduce the likelihood of critical vulnerabilities at the IT infrastructure level.

One example is Heartbleed in OpenSSL, which lets an attacker read memory from the server or the client. In 2014, about 500 thousand websites were found to be vulnerable, and about 200 thousand of them have still not been patched.

New developments in this area should allow faster responses to similar problems. GitHub has already handed its Security Lab solution over to the Open Source Security Coalition; it helps users of the site quickly report bugs in code to maintainers. The GitHub interface lets you obtain a CVE identifier for a detected problem and prepare a report.

Best development methodologies. A curated library of best practices will be built, and anyone in the open community will be able to influence its content. To that end, engineers from large IT companies will hold online meetings every two weeks to discuss technologies, frameworks and features of programming languages.

Photo - Walid Hamadeh - Unsplash

Transparent selection process. The Core Infrastructure Initiative and the Open Source Security Coalition plan to develop new mechanisms for vetting contributors. Little is known about the specifics, but they should help avoid a repeat of the story of the event-stream library for Node.js, in which a new maintainer inserted a backdoor to steal cryptocurrency.

Outlook

The IT community has welcomed the new initiatives. Microsoft security specialist Michael Scovetta noted that only three days pass between the discovery of a vulnerability and the appearance of the first exploits. He believes the toolkit developed under the OpenSSF projects will allow patches to be released in a shorter time and reduce risk.

However, one Hacker News user in a thread on the topic expressed concern that specialists would start creating new information security standards instead of improving the existing ones, so that the situation described in one of the XKCD comics would become relevant again.