Content provided by The New Stack Podcast and The New Stack. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by The New Stack Podcast and The New Stack or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://vi.player.fm/legal.
Inside a $150 Million Plan for Open Source Software Security

12:59
Manage episode 332870896 series 2574278

AUSTIN, Tex. — Everyone uses open source software, and it has become increasingly apparent that not nearly enough attention has been paid to the security of that software. In a survey released by The Linux Foundation and Snyk at the foundation's Open Source Summit in Austin, Tex., this month, 41% of organizations said they aren't confident in the security of the open source software they use.

At the Austin event, The New Stack's Makers podcast sat down with Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF), to talk about a new plan to attack the problem from multiple angles. He was interviewed for this On the Road edition of Makers by Heather Joslyn, features editor at The New Stack.

Behlendorf, who has led OpenSSF since October and serves on the boards of the Electronic Frontier Foundation and the Mozilla Foundation, cited the discovery of the Log4j vulnerabilities late in 2021, and other recent security "earthquakes," as key turning points. "I think the software industry this year really woke up to not only the fact these earthquakes were happening," he said, "and how it's getting more and more expensive to recover from them."

The Open Source Security Mobilization Plan sprang from an open source security summit in May. It identifies 10 areas that will be targeted for attention, according to the report published by OpenSSF and the Linux Foundation:

The price tag for these initiatives over the initial two years is expected to total $150 million, Behlendorf told our Makers audience.

The plan was sparked by queries from the White House about the various initiatives underway to improve open source software security — what they would cost, and the time frame the solution-builders had in mind. “We couldn't really answer that without being able to say, well, what would it take if we were to invest?” Behlendorf said. “Because most of the time we sit there, we wait for folks to show up and hope for the best.”

The ultimate price tag, he said, was much lower than he had expected. Various member organizations within OpenSSF, he said, have pledged funding. "The 150 was really an estimate. And these plans are still being refined," Behlendorf said. But by stating specific steps and their costs, he is confident that interested parties will follow through when it comes time to make good on those pledges.

Listen to the podcast to get more details about the Open Source Security Mobilization Plan.

301 episodes
