{"id":351708,"date":"2021-10-12T15:19:47","date_gmt":"2021-10-12T12:19:47","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/why-the-google-backed-secure-open-source-program-is-so-important-cloudsavvy-it\/"},"modified":"2021-10-12T15:19:47","modified_gmt":"2021-10-12T12:19:47","slug":"why-the-google-backed-secure-open-source-program-is-so-important-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/why-the-google-backed-secure-open-source-program-is-so-important-cloudsavvy-it\/","title":{"rendered":"#Why the Google-Backed Secure Open Source Program is So Important \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#Why the Google-Backed Secure Open Source Program is So Important \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 1200px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-14427\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/8d15c17f.png?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/8d15c17f.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/8d15c17f.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1200\" height=\"675\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\"
href=\"https:\/\/www.shutterstock.com\/image-photo\/computer-maintenance-metallic-wrench-over-keyboard-233716384\">Kamira\/Shutterstock<\/a><\/span><\/figcaption><\/figure>\n<p>Supply chain attacks are skyrocketing, and open-source projects are the most common point of infiltration. The Linux Foundation, sponsored by Google, helps open-source projects protect themselves\u2014and everyone else.<\/p>\n<h2 id=\"Supply_Chain_Attacks\">Supply Chain Attacks<\/h2>\n<p>Until very recently, if you were involved in cybersecurity and found yourself trying to explain supply chain attacks to someone, you probably used the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Stuxnet\">Stuxnet attack<\/a>\u00a0as an example. Now you have any number of examples to choose from.<\/p>\n<p>Everyone has heard of the SolarWinds and Codecov attacks because they were headline-grabbing, sophisticated attacks with a wide reach. But these two examples are a drop in the ocean of attacks of this type.<\/p>\n<p>Supply chain attacks poison the buffet. Anyone who eats from the buffet consumes the poison. The host of the buffet isn\u2019t the target; the targets are everyone invited to the feast. If attackers can compromise a software toolkit or library that is used in many other applications and systems, they have managed to compromise all the users of those other products.<\/p>\n<p>Open-source and closed-source products are both at risk.
There have even been cases where laptops were produced with hard drive images cloned from a compromised golden image, baking malware right into the hardware.<\/p>\n<p>But because open-source projects give everyone access to the source code and the ability to submit contributions to the project, they are an ideal attack vector for cybercriminals. And targeting open-source becomes ever more attractive as the use of open-source components continues to snowball. Almost all non-trivial development projects use open-source assets. The digital infrastructure of the modern world relies on open-source.<\/p>\n<p>According to a report by\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.sonatype.com\/resources\/state-of-the-software-supply-chain-2021\">Sonatype<\/a>, the use of open-source is still accelerating. That\u2019s great for open-source. What isn\u2019t so great is the concomitant increase in supply chain attacks using open-source as their attack vector. There has been a 650% increase in supply chain attacks year on year, including dependency confusion, typosquatting, and code injection.<\/p>\n<p>We\u2019ve previously described steps you can take in-house to try to limit your exposure to supply chain attacks, using utilities such as <code>preflight<\/code>.
We\u2019ve also reported on programs that are being implemented at an industry level, such as the Linux Foundation\u2019s\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/sigstore\">sigstore initiative<\/a>, which is being jointly developed by Google, Red Hat, and Purdue University, IN.<\/p>\n<p>The\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/sos.dev\/\">Secure Open Source<\/a>\u00a0program is a new initiative run by the Linux Foundation with a $1 million sponsorship from the Google Open Source Security Team.<\/p>\n<h2 id=\"secure-open-source-rewards\">Secure Open Source Rewards<\/h2>\n<p>The pilot program is focused on enhancing the security of critical open-source projects. The definition of\u00a0<em>critical<\/em>\u00a0is the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.nist.gov\/system\/files\/documents\/2021\/06\/25\/EO%20Critical%20FINAL_1.pdf\">U.S. government\u2019s definition<\/a>, which was drafted to supplement\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\">Executive Order 14028<\/a>.
Their definition ranks software as critical if one or more of its software components has any one of the following attributes:<\/p>\n<ul>\n<li>It is designed to run with elevated privilege or manage privileges<\/li>\n<li>It has direct or privileged access to networking or computing resources<\/li>\n<li>It is designed to control access to data or operational technology<\/li>\n<li>It performs a function critical to trust<\/li>\n<li>It operates outside of normal trust boundaries with privileged access<\/li>\n<\/ul>\n<p>Another important factor is the potential impact of the issue on consumers of the software. Who will be affected, in what numbers, and how? If the software in question is incorporated into other open-source projects, its impact will be higher than if it is a standalone application. And the more popular a given component is, the more attractive it is for a supply chain attack.<\/p>\n<p>That\u2019s why these criteria will also be considered:<\/p>\n<ul>\n<li>How many and what types of users will be affected by the security improvements?<\/li>\n<li>Will the improvements have a significant impact on infrastructure and user security?<\/li>\n<li>If the project were compromised, how serious or wide-reaching would the implications be?<\/li>\n<li>Is the project included in the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.coreinfrastructure.org\/programs\/census-program-ii\/\">Harvard 2 Census Study<\/a>\u00a0of most-used packages, or does it have an\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/ossf\/criticality_score\">OpenSSF Criticality Score<\/a>\u00a0of 0.6 or more?<\/li>\n<\/ul>\n<p>In broad strokes, a software project can apply for funds to allow it to rectify a security issue.
The application is reviewed, and factors such as how critical the project is, what the remediation or improvements are, and who will do the work are considered. The evaluating board members will be Linux Foundation and Google Open Source Security Team personnel.<\/p>\n<p>To be viewed favorably, a proposal should include improvements from this list:<\/p>\n<ul>\n<li>Supply chain hardening, including CI\/CD pipelines and distribution infrastructure in line with the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/slsa.dev\/\">Supply-chain Levels for Software Artifacts<\/a>\u00a0(SLSA) framework.<\/li>\n<li>Adopting software artifact signing and verification techniques, such as the <code>sigstore<\/code> tools.<\/li>\n<li>Project improvements that result in a higher\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/ossf\/scorecard\">OpenSSF Scorecard<\/a>\u00a0result.
Scorecard runs automated security-practice checks against open-source projects and their dependencies.<\/li>\n<li>Using\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/ossf\/allstar\">OpenSSF Allstar<\/a>\u00a0to harden GitHub repositories.<\/li>\n<li>Earning a\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/bestpractices.coreinfrastructure.org\/en\">CII Best Practice Badge<\/a>\u00a0by adopting industry best working practices.<\/li>\n<\/ul>\n<p>The rewards are banded and dispensed according to the complexity and merits of the security improvements and the potential impact of a successful attack on the wider community.<\/p>\n<ul>\n<li><strong>$10,000 or more<\/strong>: Complicated, high-impact, and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure<\/li>\n<li><strong>$5,000-$10,000<\/strong>: Moderately complex improvements that offer compelling security benefits<\/li>\n<li><strong>$1,000-$5,000<\/strong>: Submissions of modest complexity and impact<\/li>\n<li><strong>$505<\/strong>: Small improvements that nevertheless have merit from a security standpoint<\/li>\n<\/ul>\n<p>Reporting mechanisms must be agreed upon and adhered to. These will monitor the progress of the fixes and verify that they are actually taking place. This isn\u2019t just free money.<\/p>\n<h2 id=\"Why_This_Matters\">Why This Matters<\/h2>\n<p>The Sonatype report reads \u201c\u2026we expect that attackers will continue to target upstream software supply chain assets as a preferred path to exploiting downstream victims <em>at scale<\/em>.\u201d<\/p>\n<p>Because of the widespread use of open-source in the development of open and proprietary products, that scale is huge. Open-source has permeated the technological fabric of our modern world to an astonishing degree.
In fact, that technological fabric now utterly depends on open-source.<\/p>\n<p>Initiatives like <code>sigstore<\/code> and <code>Allstar<\/code> have been designed to provide help to the entire open-source movement. Other tools such as <code>preflight<\/code> are deployed at the consumer level. This new initiative complements both approaches and attacks the problem at its very root.<\/p>\n<p>If you improve the code and the development infrastructure and remove the vulnerabilities, there will be fewer possible exploits. That will drive down the number of compromises.<\/p>\n<p>The Secure Open Source Rewards program isn\u2019t a bug bounty. It\u2019s about providing resources to tackle problems. Addressing issues in the code, hardening the CI\/CD pipelines and source code repositories, and using a software artifact signing and verification scheme will transform the position open-source finds itself in.<\/p><\/div>\n<p><a href=\"https:\/\/www.cloudsavvyit.com\/14406\/why-the-google-backed-secure-open-source-program-is-so-important\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Why the Google-Backed Secure Open Source Program is So Important \u2013 CloudSavvy IT&#8221; Kamira\/Shutterstock Supply chain attacks are skyrocketing, and open-source projects are the most common point of infiltration. The Linux Foundation, sponsored by Google, helps open-source projects protect themselves\u2014and everyone else.
Supply Chain Attacks Until very recently, if you were involved in cybersecurity and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":351709,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/8d15c17f.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-351708","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/351708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=351708"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/351708\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/351709"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=351708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=351708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=351708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}