Building an open source software community – SAS Users

This blog is developed from my keynote presentation delivered at the U.S. Department of Energy Solar Energy Technology Office (SETO) one-day workshop focused on building community engagement for lasting impact.

The community that develops around projects is one of the richest aspects of using, developing, and sharing open source software (OSS). This community consists of individuals who are interested enough in your software project to contribute; you, in turn, engage with their work, fostering a reciprocal relationship from which projects benefit. These communities must be deliberately created and nurtured, given the large number of competing projects and the domain expertise that is often required to use and contribute to a code base.

I'm offering the following considerations to help you when building and working in an OSS community. The list is comprehensive but not exhaustive, and the items do not have to take place sequentially. The first two considerations are action-oriented and the last is prescriptive for maintaining an OSS code repository.

Did you know that SAS sponsors a robust open source software program? We host hundreds of code repositories at github.com/sassoftware. Before sharing, each project undergoes a diligent review for appropriate content, license terms, contribution guidelines, and legal considerations. A few of our most popular projects include SASPy (a Python library to work with SAS), the SAS Extension for VS Code, and relic (a tool for software developers, not specific to SAS).

Participation in the open source community is energizing for SAS developers too. Many developers attended the recent All Things Open conference in Raleigh (where SAS was a sponsor). The open source ecosystem benefits SAS developers, the tools that they use and the software they build. By giving back with their own contributions, the developers in SAS R&D feel the connection to a larger community of software professionals.


The US Securing Open Source Software Act of 2022 is a step in the right direction – TechCrunch

  1. The US Securing Open Source Software Act of 2022 is a step in the right direction – TechCrunch
  2. The future of open source in 2023 – Open Access Government
  3. Why open-source software is so crucial – Softonic EN
  4. Enhance your career by embracing open-source software – Troy Media
  5. Q&A: Commercialization of open source for today's economy – Digital Journal


Microsoft: Hackers are using open source software and fake jobs in …


Microsoft is warning that hackers are using open source software and bogus social media accounts to dupe software engineers and IT support staff with fake job offers that in reality lead to malware attacks.

A phishing-happy hacking crew linked to North Korea's armed forces has been using trojanized open-source apps and LinkedIn recruitment bait to hit tech industry employees, according to threat analysts from Microsoft's advanced persistent threat (APT) research group.

The Microsoft Threat Intelligence Center (MSTIC, pronounced 'Mystic') has seen the group using trojanized installers of PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software for these attacks since late April, according to MSTIC's blog post.


The hacking group has targeted employees in media, defense and aerospace, and IT services in the US, UK, India, and Russia. The group was also behind the massive attack on Sony Pictures Entertainment in 2014.

The group, also known as Lazarus and tracked by Microsoft as ZINC, was seen by Google Cloud's Mandiant threat analysts spear-phishing targets in the tech and media sectors with bogus job offers in July, using WhatsApp to share a trojanized instance of PuTTY.

"Microsoft researchers have observed spear-phishing as a primary tactic of ZINC actors, but they have also been observed using strategic website compromises and social engineering across social media to achieve their objectives," MSTIC notes.

"ZINC targets employees of companies it's attempting to infiltrate and seeks to coerce these individuals into installing seemingly benign programs or opening weaponized documents that contain malicious macros. Targeted attacks have also been carried out against security researchers over Twitter and LinkedIn."

The group engages in espionage, data theft, hacking crypto exchanges and banking systems, and wrecking networks. It is also tracked as Labyrinth Chollima and Black Artemis.

A security team at Microsoft-owned LinkedIn also saw these actors creating fake profiles to impersonate recruiters from companies in the technology, defense, and media entertainment sectors.


Targets were guided off LinkedIn to WhatsApp to share malware, and included IT and IT support workers at companies in the US, UK and India, according to Microsoft. Google's Threat Analysis Group (TAG) found the group using Twitter, Discord, YouTube, Telegram, Keybase and email with similar tactics last January.

US authorities warned US and European firms to beware of IT contractors applying for support and developer roles last year.

LinkedIn's Threat Prevention and Defense team terminated the bogus accounts.

"ZINC primarily targeted engineers and technical support professionals working at media and information technology companies located in the UK, India, and the US," MSTIC warned.

"Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies. In accordance with their policies, for accounts identified in these attacks, LinkedIn quickly terminated any accounts associated with inauthentic or fraudulent behavior."


Open Source Software Directory – OSSD

Marble Metrics – 3 October 2022

Marble Metrics is an open source, privacy friendly analytics platform. Marble Metrics provides functionality similar to Google Analytics while being compliant with GDPR, CCPA, and PECR. Marble Metrics is able to provide the important metrics that you're used to seeing in other analytics platforms without requiring a cookie consent. Marble Metrics can be self hosted on your own servers or hosted by the Marble Metrics team in the cloud. (AGPL)

Cross-platform

Developers: Web development / Web analytics

Vely is an embedded programming language with C as a host language. It is also a thin C-based application development framework. Vely empowers C with rich features, simplicity and enhanced safety. It is general-purpose and well-suited for web applications. Use Vely to rapidly develop high-performance and low-footprint native applications without interpreters or byte-code schemes. (LGPL)

Cross-platform

Developers: Web frameworks / C frameworks

RosarioSIS is a free & open source Student Information System (SIS), also known as School Management System (SMS) or even School ERP. RosarioSIS features students demographics, grades, scheduling, attendance, student billing, discipline & food service modules for school management, in one web-application. (GPL)

Cross-platform

Business: Nonprofit / Learning environments

ATOS is every freelancer's one-stop shop for managing clients, projects, and your taxes. Whether you're selling time-based sprints, or simply tracking time worked, ATOS allows you to manage multiple projects for multiple clients at once, all while generating beautiful invoices and helping you with your estimated taxes in the process. (AGPL)

Cross-platform

Business: Medium and small / Accounting software

Abc-Map is a free and open source mapping software. With Abc-Map you can easily create, edit and visualize geospatial information. You can export maps to PDF or share them online and even embed them in your websites. Abc-Map works on all platforms with a web browser (Linux, Mac OSX, Android, IOS, Windows). (GPL)

Cross-platform

Home users: Education / Geography

Nitric is a framework for rapid development of cloud-native and serverless applications. Define your apps in terms of the resources they need, then write the code for serverless function based APIs, event subscribers and scheduled jobs. Apps built with Nitric can be deployed to AWS, Azure or Google Cloud all from the same code base so you can focus on your products, not your cloud provider. (Apache)

Cross-platform

Developers: Web frameworks / Serverless frameworks

Mysqly is a full-featured, open source, small-overhead PHP data framework for MySQL built for fast and efficient development. It is PDO based, has native SQL support and supports lazy loading of the connection. (MIT)

Cross-platform

Developers: Web frameworks / PHP frameworks

OpenMapTiles provides the fastest way to set up custom-styled world maps with open-source software. In a few minutes, you can have your own OpenStreetMap tile server, ready for use in your websites or products. (BSD)

Cross-platform

Developers: Web development / Various software

Damegender is a GPLv3 Python toolkit for gender statistics. It can detect gender from a name and count males and females in CSV files, git repositories, mbox files and newspaper articles. It incorporates free datasets released by statistical institutions and provides software to use commercial API services and to compare the different solutions for benchmarking. (GPL)

Linux

Business: Nonprofit / Community software

Foreman is a complete lifecycle management tool for physical and virtual servers. We give system administrators the power to easily automate repetitive tasks, quickly deploy applications, and proactively manage servers, on-premise or in the cloud. (GPL)

Linux

Administrators: Networking / Network management

PatternFly is an open source design system created to enable consistency and usability across a wide range of applications and use cases. PatternFly provides clear standards, guidance, and tools that help designers and developers work together more efficiently and build better user experiences. (MIT)

Cross-platform

Developers: Web frameworks / CSS frameworks

Open 3D Engine (O3DE) is an Apache 2.0-licensed multi-platform 3D engine that enables developers and content creators to build AAA games, cinema-quality 3D worlds, and high-fidelity simulations without any fees or commercial obligations. (Apache)

Cross-platform

Developers: Game development / Game engines

Reactive Resume is a free and open source resume builder that's built to make the mundane tasks of creating, updating and sharing your resume as easy as 1, 2, 3. With this app, you can create multiple resumes, share them with recruiters through a unique link and print as PDF, all for free, with no advertisements, without losing the integrity and privacy of your data. (MIT)

Cross-platform

Home users: Office / Various software

A remote desktop software, written in Rust. Works out of the box, no configuration required. Great alternative to TeamViewer and AnyDesk! You have full control of your data, with no concerns about security. You can use our rendezvous/relay server, or self-hosting, or write your own rendezvous/relay server. (GPL)

Cross-platform

Administrators: System / Remote desktop

NocoDB is an open source Airtable alternative. NocoDB works by connecting to any relational database and transforming it into a smart spreadsheet interface! This allows you to build no-code applications collaboratively with teams. NocoDB currently works with MySQL, PostgreSQL, Microsoft SQL Server, SQLite, Amazon Aurora & MariaDB databases. (AGPL)

Cross-platform

Administrators: System / Database management

Syncthing is a continuous file synchronization program. It synchronizes files between two or more computers in real time, safely protected from prying eyes. Your data is your data alone and you deserve to choose where it is stored, whether it is shared with some third party, and how it's transmitted over the internet. (MPL)

Linux, Windows, Mac OS X, FreeBSD

Home users: File Management / Sync tools

Subtitld is probably the best open source software to edit, transcribe and create subtitles. It is able to read SRT, SSA, TTML, SBV, DFXP, VTT, XML, SCC and SAMI file formats and to write SRT file format by default. (GPL)

Linux, Windows

Home users: Video / Subtitle editors

Stork is a library for creating beautiful, fast, and accurate full-text search interfaces. It comes in two parts. First, it's a command-line tool that indexes content and creates a search index file. Second, it's a Javascript library that uses that search index file to build an interactive search interface. (Apache)

Linux, Windows, Mac OS X

Developers: Web development / Various software

VPaint is an experimental vector graphics editor based on the Vector Animation Complex (VAC), a technology developed by a collaboration of researchers at Inria and the University of British Columbia. (MIT)

Mac OS X, Windows

Home users: Graphics / Animation

Dotgrid is a grid-based vector drawing software designed to create logos, icons and type. It supports layers, the full SVG specs and additional effects such as mirroring and radial drawing. Dotgrid exports to both PNG and SVG files. (MIT)

Linux, Windows, Mac OS X

Home users: Graphics / Vector graphics


Source Code for Open Source Software Components – Oracle

Written Offer for Source Code

For third party technology that you receive from Oracle in binary form which is licensed under an open source license that gives you the right to receive the source code for that binary, you can obtain a copy of the applicable source code from this page. If the source code for the technology was not provided to you with the binary, you can also receive a copy of the source code on physical media by submitting a written request to:

Or, you may send an email to Oracle using this form. Your request should include:

We may charge you a fee to cover the cost of physical media and processing. Your request must be sent (i) within three (3) years of the date you received the Oracle product that included the component or binary file(s) that are the subject of your request, or (ii) in the case of code licensed under the GPL v3, for as long as Oracle offers spare parts or customer support for that product model.


We don't teach developers how to write secure software: Linux Foundation's David A Wheeler on reversing the CVE surge – The Daily Swig

Teach devs security fundamentals to bolster supply chain resilience, argues Wheeler

Addressing a decades-old deficiency in coding curriculums could have a profound effect on the security of the software supply chain, a leading expert on the subject tells The Daily Swig.

In particular, David A Wheeler, director of open source supply chain security at the Linux Foundation, draws a link between a failure to incorporate security into entry-level developer courses and the vast majority of vulnerabilities belonging to a small number of common bug classes.

The IT PhD and Certified Information Systems Security Professional (CISSP) also moonlights as adjunct professor of computer science at Virginia's George Mason University, and in 2020 concluded a 33-year spell at the US Institute for Defense Analyses.

Daily Swig: David, can you summarize your background and what your current roles involve?

David A Wheeler: I've loved computers since junior high school and paid my way through school doing computer consulting. I also briefly maintained the world's first commercial, entirely text-based multiplayer roleplaying game, Scepter of Goth.

Now I teach at George Mason University on how to develop secure software, which I've studied over many decades.

Most of my work is with the Open Source Security Foundation, OpenSSF [whose members include AWS, Google, and Microsoft]. I view my role as being a kind of catalyst or accelerant. I can run around as a subject matter expert to help organizations improve the security of their software.

David A Wheeler has studied the secure development of software for decades

DS: And what are the biggest barriers to improving application security?

DAW: The fundamental problem is that we do not teach software developers how to write secure software.

I don't care if it's a separate course or embedded [in other coding courses]; that's not the question. The question is: when software developers are learning the basics of their craft, do they learn the basics of developing secure software? And the answer is mostly no.

A 2019 Forrester study found that none of the top US coding schools and none of the top five non-US computer science schools were teaching this. Another study found that only one school did at UC, San Diego. So good for them, shame on the rest.

DS: Let's imagine all coding schools immediately revamped their courses to incorporate security fundamentals. Would we see a steady fall in vulnerabilities as a new wave of security-savvy developers emerge?

DAW: It's generally estimated that somewhere between 90% to 95% of all vulnerabilities are in a relatively small set of common ones [classes].

So, if you educate developers to prevent them systemically, and then use tools to find the stragglers, we can dramatically reduce, by at least one order of magnitude and maybe two, the number of vulnerabilities that actually slip out.

They can also find and fix the problems created in the past.

Right now, detection, response, and recovery is overwhelmed by the sheer number of vulnerabilities going into deployed systems, so it will be much easier to counter the attackers when vulnerabilities are much rarer. And that's really the argument of shift left in general: the sooner you can get rid of the problems, the better.

DS: Why is security neglected in the coding curriculum given the potentially severe consequences of software vulnerabilities?

DAW: Our educational system does not always respond to societal needs. There was an open letter written by Oracle and some other folks 10, 15 years ago or so, where they basically begged universities [to educate them properly].

But sometimes they [universities] want to teach what they want to teach, and it doesn't matter what society's needs are.

DS: Could this partially reflect the fact that many educators learned their craft when cyber threats were less numerous and severe?

DAW: On the [early] internet people were mostly connected to folks they felt they could trust. But once you saw this growth of the internet and the worldwide web running on top of it in the 90s, then very quickly [they realized] no, you cant just trust arbitrary computers you connect to.

But educational conservatism isn't all bad. It's actually sensible to teach things that have stood the test of time, which security has. The fundamental [computing] design principles have been known [about] since the 1970s.


DS: Might there be a commercial incentive at work that favours coding quickly over coding securely?

DAW: Maybe to some extent for the for-profits, but I think the bigger for-profit issue is that if you know how to do [secure development], you can probably earn double or triple in industry [compared to teaching]. You're not gonna teach.

I teach, but that's my side hustle. I enjoy teaching. George Mason University is 20 minutes from me and more connected to industry than some other universities.

DS: How do we persuade or incentivize education providers to embed security into coding courses?

DAW: I think this is a solvable problem; basically, society needs to scream more loudly.

The US spends a tremendous amount of money financing degrees, including computer science. If we're gonna pay, maybe we could have some criteria?

DS: Could the impetus behind shifting left or DevSecOps help persuade education providers to change emphasis?

DAW: I would like to think so, but I think it's much more societal and industry pressure continuing over a period of time [that will make the difference].

Right now DevSecOps [is practised properly by] a minority, and we need to make sure that [secure development is practised] not just the majority, but is [a baseline] expectation [of all developers].

Developers are not being taught general security principles let alone how to apply them, says Wheeler

Years ago, I pushed really hard to get security added to a course on software engineering, and after a lot of pressure and debate [the provider] finally added the word "security": no content, just that security might be important!

The ACM software engineering curriculum guidance at least does talk about knowing how to develop secure software, but lacks key specifics.

But I'm willing to believe that with continued emphasis we can get academia and many other organizations on board with making sure that software developers know the fundamentals.

DS: What fundamentals should newbie developers be taught?

DAW: What are the common problems? How do we prevent them in general? How do you design software so its less likely to be attacked? And what kind of tools can help developers to deal with that?

These general principles and the ability to apply them are important [skills] but lacking today.


The first thing I did when I joined the Linux Foundation in 2020 as an employee was develop a course on developing secure software fundamentals. Thousands of people have now signed up.

George Mason University initially agreed to do my course every other semester, and very quickly it's in every semester; it's in demand.

But it's an optional graduate course. We do need, in society, people who drill in deeper and [become experts], but we also need every developer to know the basics.

DS: How important is it that developers understand how to use security tools?

DAW: If you're doing DevOps, you pretty much need a CI pipeline, and this is an obvious place to insert security tools. But if the developer doesn't know what they're doing, they won't know what the tool is telling them and what to do about it.

A fool with a tool is still a fool. They're not stupid; it's just that no one has told them. Education and tooling go hand in hand.

The tools are going to miss things or report things that are not actually problems in context. Computer programs don't, and can't, know the full context.

But as long as developers know which tools to use and how, then they can do [some] amazing things.

DS: Finally, anything to say on OpenSSF's various initiatives aimed at bolstering software supply chain security?

DAW: Whether it's industry, academia or governments, we're all using open source software, so my first pitch would be: get involved with the OpenSSF. We would love to see more people involved.

I was deeply involved in the concise guides for developing secure software and evaluating open source software. And earlier, the OpenSSF published guides for open source projects and security researchers on [handling] coordinated [vulnerability] disclosure.

The Alpha-Omega Project has funded the Python Software Foundation and is funding Eclipse, Node... They've announced a new partnership with Rust. They've released some tools for finding vulnerabilities; again, trying to shift left.

There's also some funding for SBOM work, a tool for a Python library for SPDX [Software Package Data Exchange], and an [enterprise] end users working group kicking off.



Learn Linux online for free with Linux Foundation Courses from edX – TechRepublic

The Linux Foundation and edX are making a self-paced, open-source course on container technology available to students anywhere in the world.

edX is a provider of massively open online courses (MOOCs), most of which are free, with the option to pay to receive a certification. edX was originally started by Harvard and MIT and has now partnered with dozens of education and non-profit organizations to bring university-level online courses to people all over the world.

One of those organizations is the Linux Foundation, which offers more than 50 courses on Linux and other open-source software topics on the edX website.

The Linux Foundation is a non-profit technology consortium that promotes the use of the open-source operating system Linux. It originally began in 2000 as the Open Source Development Labs (OSDL) and later became the Linux Foundation when OSDL merged with the Free Standards Group (FSG).

The Linux Foundation works to promote the growth and commercial adoption of the Linux operating system. It also facilitates collaboration on open-source software projects and promotes diversity and inclusion in the Linux community. As part of its mission, the Linux Foundation offers various training courses and resources to help amateurs and experts alike learn more about Linux.


The Linux Foundation has partnered with edX to host its Linux courses on the edX website. Because edX is largely free, it fits well with the Linux Foundation's mission to promote open-source software and make it accessible to as many people as possible.

All told, the Linux Foundation offers more than 50 courses on the edX website, ranging from beginner to advanced. The topics aren't confined to Linux and cover multiple other subjects, including DevOps and FinOps and open-source software platforms such as Kubernetes, Jenkins, GraphQL and more. The foundation also offers seven professional Linux certifications that bundle related Linux Foundation courses into a targeted education experience.

It's impossible to cover all of the 50+ Linux Foundation courses hosted on edX, but we wanted to highlight a few of them here to give you a sense of the depth and diversity of the course offerings currently available. For this list, we will specifically be focusing on the Linux classes, but there are many other excellent courses offered by the Linux Foundation that are also worth exploring.

If you are brand new to the world of Linux, then you can't go wrong with this Introduction to Linux course, which boasts more than 1 million enrollments; a Spanish-language version is also available. The self-paced class is designed to be spread across 14 weeks, with approximately five to seven hours of lessons and homework each week.

Topics covered include how to navigate the major Linux distributions, system configuration and the graphical interface of Linux, basic command-line operations, and common applications of Linux. By the end, participants should have a good working knowledge of Linux and be ready to move on to more advanced lessons.

This self-paced course on Linux Tools for Software Development is designed to take place over 14 weeks for one to two hours a week. While this course is still classified as an introductory level, the instructions say that in order to make the most of it, you should ideally have experience as a developer on any operating system, though not necessarily Linux. Experience in working at the command line is not necessary but would be helpful.

In this course, participants will learn how to use essential command-line tools for everyday tasks as well as construct scripts and perform complicated tasks in an automated way. They will also discuss how Linux works with various types of file systems, compile programs in Linux, and use different types of shared and static libraries. Finally, they will build packages out of software in Linux in both RPM and Debian systems, so it can be distributed to other developers of Linux distributions.

This self-paced course on Open Source Software Development: Linux for Developers is designed to take place over 14 weeks for one to two hours a week. While this course is still classified as an introductory level, the instructions say that in order to make the most of it, you should ideally have experience as a developer on any operating system, not necessarily Linux. Experience in working at the command line is not necessary but would also be helpful. You will also need a computer installed with a current Linux distribution, either a physical computer or a Linux virtual machine.

Participants will leave the course with a good understanding of Linux systems and utilities. They should be able to work comfortably at the command line and discuss the key concepts involved in developing open-source software. The course will also review open-source software licensing issues and cover the known best practices for long term sustainability of projects.

Don't have an edX account and want another way to learn about Linux? Check out our Linux course roundups featuring classes on Udemy, LinkedIn Learning and Skillshare and start your Linux education today from the comfort of your home.


The Blockchain Sector is growing with the help of Open-Source Technology – Wales 247

Blockchain is one of those technologies that has garnered support from many institutions, and it is being touted as a potential solution to some of these problems. The blockchain sector has been growing with the help of open-source technology, as people have become more aware of problems within our current systems and how much better they could be if we made some changes. If you are interested in trading Bitcoin, use a reputable trading platform like the Bitcoin 360 Ai platform.

There is still work to be done before we can say blockchain is revolutionary, but it seems like a helpful technology worth exploring. Innovation may be the biggest issue with supply chains, and blockchain could solve this problem.

There is not a lot of innovation in supply chains because they are international and global in scope. Because so many parties are involved, it is difficult to innovate in addition to geographical constraints. Blockchain technology would address this issue by allowing all participants to communicate seamlessly without going through third parties or intermediaries.

The technology operates on a peer-to-peer basis where transactions do not require intermediaries with a plan. Transparency also contributes to the innovation problem as everyone can access all the information about what is happening in their ecosystem anytime. Let's explore how blockchain has expanded its roots in different industries.

What are the advantages of open-source technology?

A significant advantage of open-source technology is that it is collaborative. Many people working together on a common goal would result in a competitive ecosystem and superior results. The quality of an open-source technology would be better than the best effort of any single source. Open-source technology is also readily available to everyone; anyone can use it without paying for licenses, royalties or other expenses.

Open-source technology was initially developed in the 1970s as an alternative to company restrictions regarding how many were using their products and for how long. Open source software was first released in 1983 by a programmer called Richard Stallman, whose idea was to make software free of licensing fees and restrictions.

Security in blockchain due to open source technology:

Another advantage of open-source technology is that the source code is always visible to the developers and programmers who use the technology. Any bugs or loopholes in the source code can be identified or discovered through users' peer reviews of blockchain networks. Security comes with familiarity, and open source in blockchain makes it easy for enterprise customers to understand how their data is protected, how compliant they are with regulations, and who has access to their data at any time.

Open-source blockchain databases are very secure, and users can access the same source code used by Hyperledger, Ethereum and distributed ledger technology companies. As a result, blockchain is safe, secure, scalable and reliable. Furthermore, using open-source technology, enterprises can collaborate in developing their blockchain solutions without paying licensing fees or being concerned about intellectual property theft.

Blockchain has come a long way:

Blockchain has become an industry standard, with many organizations adopting it worldwide for their business needs. Blockchain networks have matured and scaled up due to the efforts of numerous developers and enthusiasts. The technology has become more reliable as innovative solutions are developed for issues often associated with inefficiencies, such as decentralization, security and transparency.

Blockchain technology has provided enterprises with a platform to understand how organizations can use open-source software to solve business issues presented by the vast amounts of data generated within their enterprise. In addition, because blockchain is a distributed ledger system, it is highly safe and secure. As a result, eliminating third-party intermediaries such as banks or credit card processors from transaction processing leaves little scope for double spending or fraud.

Industries that are readily adopting blockchain:

Many industries are already adopting blockchain technology to handle tasks that require a distributed ledger database with multi-signature transactions. For example, ICOs and cryptocurrency transactions have been recorded for years and are now used for fundraising.

Real estate has also started using blockchain technology to track land registries and reduce costs incurred from paper records that result in mismanagement or fraud. As the world becomes more digitized, the need for a secure database is becoming more apparent, especially in banking and finance. Both parties require a transparent database of transactions when dealing with each other.

Healthcare is another industry looking to blockchain technology to build secure, efficient and transformational solutions. Medical records are one area of the healthcare industry where blockchain can potentially transform the system. Hospitals and clinics are using blockchain technology to digitize medical records and make them more secure than paper ledger books used in the past.

Open-source technology has also been introduced for disaster management. A single store of information is kept for each community instead of a central repository vulnerable to malicious attacks or data loss.

Read the original here:
The Blockchain Sector is growing with the help of Open-Source Technology - Wales 247

GCHQ chief warns of Chinese . US open source software bill advances. Financial Stability Board on crypto regulation. – The CyberWire

At a glance.

Jeremy Fleming, director of the UK Government Communications Headquarters, gave a rare speech in London on Tuesday warning the public that Beijing has "deliberately and patiently set out to gain strategic advantage by shaping the world's technology ecosystems." The spy chief said that Chinese Communist Party leadership has plans to use digital currency and satellites, among other existing and emerging technologies, to further its control over global markets and extend its surveillance capabilities around the world.

Fleming also claimed that Chinese efforts to build a central-bank digital currency could allow officials to monitor transactions and potentially evade future international sanctions. Describing the rising threat as "the national security issue that will define our future," he also indicated that the Chinese government plans to leverage its tech exports to create client economies and governments and aims to spread its authoritarian practices to other nations. Fleming warned that unless lawmakers invest in emerging security technologies like quantum computing, "the divergent values of the Chinese state will be exported through technology."

Mao Ning, a spokeswoman for China's Foreign Ministry, denied Fleming's claims at a Tuesday daily briefing, stating, "The remarks of the British official have no factual basis at all. China's technological development is aimed at making lives better for the Chinese people. It does not target anyone, still less pose any threat." Western officials have been sending warning signals about the potential use of equipment exported from Chinese tech leader Huawei Technologies Co. for digital espionage, but both Huawei and Beijing have denied these accusations.

In a bipartisan decision, the US Senate Homeland Security Committee has approved the Securing Open Source Software Act 2022, legislation that calls on the Cybersecurity and Infrastructure Security Agency (CISA) to create a risk framework regarding the use of open source code within the government and critical infrastructure agency. Prompted by the infamous Log4j vulnerability, the draft act requires CISA to hire experts who are able to identify and remediate vulnerabilities in open source code, and any open source software being used will be continuously monitored and checked by CISA. The act also directs some agencies to create in-house open source programs.

"This software needs curation to be secure and the responsibility for that curation lies firmly with the user, in this case our public sectors across the globe," Amanda Brock, CEO of not-for-profit group OpenUK, told Computing. However, as Brock noted, the bill is unclear about how CISA will coordinate this framework, especially when third-party services are involved. "Where there is payment associated with open source software, that is not for the software itself, and understanding that is key. Liability for these - as with any paid for services - rests with the provider, but these are part of the act of curation that all end users need to ensure," Brock added. The draft act will need to be passed by the full Senate before becoming law, but some experts say that regardless, cloud companies might take it upon themselves to implement heightened security measures. "I strongly suspect the cloud provider industry will actually solve this meaningfully sooner than the government will," said Michael Isbitski, director of cybersecurity strategy at cloud security firm Sysdig. "They have to because of the amount of open source software they use in their offerings. They also have the benefit of scale on their side."

US policymakers gathered yesterday in Washington, DC for Fintech Week, where the Financial Stability Board, which coordinates international financial regulation, is expected to share its plan for regulating the cryptocurrency market. The Washington Post explains that although the board has no power to set legislation, its recommendations have motivated lawmakers in the past. "It's fair to say the US wants to lead on this globally and largely has been leading on it," said Patrick Dougherty, a former Securities and Exchange Commission lawyer who is now on the board of the Global Digital Asset and Cryptocurrency Association. The White House is also calling for a crackdown on the illicit use of digital assets, and last week, the Financial Stability Oversight Council issued a warning urging lawmakers to restrict cryptocurrency use before it threatens global finance systems. The board will also examine issuing rules for the use of stablecoins after the fall of the Terra stablecoin in May led to a massive downturn in the crypto market. The cryptocurrency industry continues to push back at the possibility of regulation, with industry group the Crypto Council for Innovation warning that a heavy-handed approach could "cut this technology off at its knees."

Read more here:
GCHQ chief warns of Chinese . US open source software bill advances. Financial Stability Board on crypto regulation. - The CyberWire

When transparency is also obscurity: The conundrum that is open-source security – Help Net Security

Open-source software (OSS) has a lot of advocates. After all, why would we continuously try to write code that solves problems that others have already solved? Why not share the knowledge and gradually and incrementally improve existing open-source solutions? These egalitarian ideals are arguably central to civilization itself, never mind software, but they also contain underlying tensions that have been a challenge for generations.

The challenge of OSS security is that just because everyone can look at the source code, it does not mean anyone will. There are widely used open-source projects that are being maintained by only a small number of engineers, and those engineers cannot be entirely altruistic with their contributions of time and effort; they, too, have bills to pay.

This can be a challenge even for larger open-source projects. For example: the Linux kernel project has 30+ million lines of code, hundreds of bugs that need to be fixed, and almost 2000 active developers working on it. That's 15,000+ lines of code per active developer!

A recent report from the Linux Foundation found that the average number of outstanding critical vulnerabilities in an application is 5.1, and that 41% of organizations are not confident in their open source software security. Even worse: only 49% of organizations have an open-source security policy.

Even if a security issue is found in open-source software, it does not mean someone will fix it. This is a fact highlighted by the report, which found that the average number of days to fix a vulnerability is currently 97.8, leaving enterprises running that software open to attacks for many months. This is the often-ignored side of OSS security: while the good guys can hunt for bugs and vulnerabilities in the code to fix them, the bad guys can hunt for those same bugs to exploit them.

The reality is that these potential security issues are not a distant, imaginary problem, or industry FUD that can be easily ignored in the real world. Due to the vast amount of OSS code in active use, examples of active security issues with open source are legion. Indeed, 70% of the average program today is made of open-source software, with the number of dependencies varying widely by language: a mere 25 dependencies per project in Python's case, but a massive 174 per project in the case of JavaScript.

As the situation with the colors.js and faker.js packages demonstrated earlier this year, problems with dependencies can have real-world impact on enterprise software. The two simple JavaScript libraries were baked into thousands of Node Package Manager (NPM) packages, which in turn were downloaded multiple millions of times every week until their creator, JavaScript developer Marak Squires, deliberately broke them for reasons unknown. The result of Squires adding an infinite loop to colors.js and faker.js was widespread failure of NPM packages that included his code, prompting a scramble to roll back the changes to safe versions (colors.js v1.40 and faker.js v5.5.3).
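The incident above is a dependency-pinning problem: a caret or tilde range lets a package manager pull a newly published, possibly sabotaged, release on the next install. The following added example (not code from the article or from the projects it names) flags floating specifiers in a package.json and checks resolved versions against an allow-list of vetted versions; the package.json, lockfile contents and allow-list are constructed for illustration, and the function names are hypothetical.

```javascript
// Added example, not part of the original article.
// Goal: find dependency specifiers that would let `npm install` drift to a
// newer release, and check lockfile-resolved versions against vetted ones.

// Only an exact x.y.z version counts as pinned; everything else
// (^, ~, *, "latest", ranges, git URLs, tags) can change what gets installed.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// Classify each dependency of a parsed package.json object.
// Returns { pinned: {name: version}, floating: {name: spec} }.
function classifyDeps(pkg) {
  const pinned = {};
  const floating = {};
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (EXACT_VERSION.test(spec)) pinned[name] = spec;
      else floating[name] = spec;
    }
  }
  return { pinned, floating };
}

// Compare the versions a lockfile actually resolved (`resolved`, {name: version})
// with the versions you have reviewed (`vetted`, {name: version}).
// Returns the names whose installed version is missing or differs from the
// vetted one, i.e. the packages to re-review before shipping.
function unvettedDeps(resolved, vetted) {
  return Object.keys(vetted)
    .filter((name) => resolved[name] !== vetted[name])
    .sort();
}

// Constructed sample input: one floating range, one exact pin.
const samplePackageJson = {
  dependencies: { colors: '^1.4.0', faker: '5.5.3' },
};
// Constructed lockfile snapshot: the caret range has drifted to a newer release.
const sampleResolved = { colors: '1.9.0', faker: '5.5.3' };
// Constructed allow-list of versions the team has reviewed.
const sampleVetted = { colors: '1.4.0', faker: '5.5.3' };

const report = classifyDeps(samplePackageJson);
console.log('floating specifiers:', report.floating);        // { colors: '^1.4.0' }
console.log('drifted from vetted:', unvettedDeps(sampleResolved, sampleVetted)); // [ 'colors' ]
```

Running the floating-specifier check in CI, and failing the build when `unvettedDeps` returns anything, turns the "scramble to roll back" into a blocked install.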

Relying exclusively on a volunteer community to identify vulnerabilities, report and fix them is a bet with long odds. Paying someone to probe the security of your open-source solutions can help plug this gap, while you continue to enjoy the wider benefits of open source.

Another challenge with OSS updates and patches is that they need to be applied to secure systems, a fact that can present specific challenges. If your mission-critical solution relies on a specific software version, updating may mean losing functionality and/or requiring unscheduled downtime. In these business-critical scenarios it is sometimes more elegant to employ an expert to backport the fix and maintain a version for a longer period than the wider community supports.

"It's open-source, go change it!" is a statement you will hear a lot from the open-source community, and it highlights a key fact: expecting good security levels for free while others contribute time, effort or money to the equation is not reasonable or sustainable.

Options include either contributing to open source as it was originally intended, by improving the code and publishing it for others, or employing experts to manage the OSS code and debug it as required. But making no contribution at all is an option that the industry can't afford.

See the original post:
When transparency is also obscurity: The conundrum that is open-source security - Help Net Security