15-Year-Old Python Vulnerability Still Affects Over 350,000 Open-Source Projects – Spiceworks News and Insights

A vulnerability discovered over 15 years ago still plagues hundreds of thousands of open source projects today, according to Trellix, raising supply chain security concerns. Assigned CVE-2007-4559, the bug was discovered in 2007 and still exists in the tarfile module of Python.

The Trellix Advanced Research Center came across the path traversal vulnerability while investigating a separate bug. CVE-2007-4559 impacts some 350,000 open-source projects and an unknown number of closed-source projects, escalating fears of software supply chain attacks. According to NCC Group, attacks against organizations in the global supply chain increased by 51% between July and December 2021.

Christiaan Beek, head of adversarial and vulnerability research at Trellix, said, "When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact."

The vulnerable tarfile module is used throughout machine learning, automation and Docker tooling, and in specific frameworks maintained by AWS, Google, Intel, Facebook, and Netflix. Because tarfile is part of Python's standard library, any Python project that handles tar archives uses it unless the developers deliberately choose another library.

This vulnerability's pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It's critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.

CVE-2007-4559 lets an attacker-controlled archive write files to arbitrary locations on the extracting system, which can be turned into arbitrary code execution (for example by overwriting a script, a configuration file or a startup file that is later run). Although its CVSS score of 5.1 suggests CVE-2007-4559 is a medium severity vulnerability, Trellix said the exploit is relatively easy and can be written in as little as six lines of code.

The tarfile module in Python enables developers to read and write tar archives, the UNIX archive format used to package files together, uncompressed or compressed (with gzip, bzip2, etc.), for backup or distribution.

The 2007 path traversal vulnerability exists because of a few unvalidated lines of code in tarfile. The tarfile.extract() and tarfile.extractall() functions join each member's name from the archive onto the destination directory and write the file there, without any safety mechanism that checks whether the resulting path still lies inside that directory.

So when an archive contains a member whose name includes ".." components (such as ../../../etc/cron.d/job) or an absolute path, calling these extract functions causes directory traversal. In other words, the file is written wherever the name in the archive points, not where the caller intended.
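The following is an added example, not Trellix's scanner and not code from CPython. It reproduces the unchecked join described above by building a small archive in memory whose member names contain ".." and an absolute path, then shows one way to validate members before extraction. The helper names (build_archive, unsafe_members, safe_extractall, demo) and the sample archives are constructed for this illustration. Where the running interpreter ships tarfile extraction filters (Python 3.12 and later, also backported to 3.8.17, 3.9.17, 3.10.12 and 3.11.4) the example additionally passes filter="data", which enforces the same rules inside the module.

```python
"""Added example (not Trellix's script or CPython code): the unchecked join that
CVE-2007-4559 describes, and one way to validate archive members before
extracting them. The sample archives below are constructed in memory."""
import io
import os
import tarfile
import tempfile


def build_archive(members):
    """Build an in-memory tar from {name: bytes}. addfile() stores the member
    name exactly as given, so "../x" and "/abs/x" survive into the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def is_within_directory(directory, target):
    """True if target resolves to directory itself or something beneath it."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def unsafe_members(tar, dest):
    """Names of members that would land outside dest. This mirrors the join
    tarfile itself performs, os.path.join(dest, member.name), so an absolute
    name or one with '..' components shows up here. Links are checked too,
    since a link pointing outside dest can be abused by a later member."""
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
            continue
        if member.issym():
            link = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():
            link = os.path.join(dest, member.linkname)
        else:
            continue
        if not is_within_directory(dest, link):
            bad.append(member.name)
    return bad


def safe_extractall(tar, dest):
    """Refuse the whole archive if any member escapes; otherwise extract member
    by member, re-checking each one so that symlinks created by earlier members
    are resolved by realpath(). filter="data" is passed when the interpreter
    supports extraction filters (assumption: hasattr(tarfile, "data_filter"))."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract, members escape %s: %s" % (dest, bad))
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    for member in tar.getmembers():
        if not is_within_directory(dest, os.path.join(dest, member.name)):
            raise ValueError("member escapes after link resolution: %s" % member.name)
        tar.extract(member, dest, **kwargs)


def demo():
    """Run a malicious and a benign constructed archive against a scratch
    directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.mkdir(dest)

        # Constructed malicious archive: one honest file, two that escape dest.
        evil = build_archive({"ok.txt": b"hello",
                              "../escaped.txt": b"owned",
                              "/abs/escaped.txt": b"owned"})
        with tarfile.open(fileobj=evil) as tar:
            flagged = unsafe_members(tar, dest)
            try:
                safe_extractall(tar, dest)
                refused = False
            except ValueError:
                refused = True

        # Constructed benign archive, including a nested path.
        benign = build_archive({"ok.txt": b"hello", "sub/deep.txt": b"x"})
        with tarfile.open(fileobj=benign) as tar:
            safe_extractall(tar, dest)
        extracted = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _, files in os.walk(dest) for f in files)

        return {
            "flagged": flagged,
            "refused": refused,
            "extracted": extracted,
            "escaped_written": os.path.exists(os.path.join(tmp, "escaped.txt")),
        }


if __name__ == "__main__":
    print(demo())
```

The check is done twice on purpose: once over the whole archive before anything is written, so a bad archive produces no partial extraction, and again per member during extraction, because a symlink written by an earlier member only becomes visible to realpath() once it exists on disk. A plain call to tar.extractall(dest) on the malicious archive would, on interpreters without extraction filters, write escaped.txt one level above dest.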

Trellix Threat Labs vulnerability researcher Kasimir Schulz said, "This vulnerability is incredibly easy to exploit, requiring little to no knowledge about complicated security topics. Due to this fact and the prevalence of the vulnerability in the wild, Python's tarfile module has become a massive supply chain issue threatening infrastructure around the world."


"Not only has this vulnerability been known for over a decade, the official Python docs explicitly warn to 'Never extract archives from untrusted sources without prior inspection' due to the directory traversal issue," noted Charles McFarland, vulnerability researcher in Trellix's Advanced Threat Research team.

Tarfile Extract Warning to Python Developers | Source: Trellix

The number of unique projects/repositories on GitHub that include "import tarfile" in their Python code is 588,840. However, 61% of these repositories did not validate the archive members before extracting them, taking the number of vulnerable repositories to roughly 350,000.

Trellix also pointed out that since machine learning tools like GitHub Copilot are trained on vulnerable GitHub repositories, they are learning to do things insecurely, not from any fault of the tool but because it learned from everyone else.

Trellix's analysis of project domains impacted by CVE-2007-4559 revealed the following:

Project Domains Impacted by CVE-2007-4559 | Source: Trellix

It should be noted that Trellix's research on vulnerable projects is limited to GitHub, so it is likely that other projects are also affected by the 15-year-old vulnerability.

The software supply chain can have hundreds of vendors that supply applications, independent code, software, libraries, and other dependencies. When vulnerable dependencies such as the tarfile module are integrated with third-party providers, service providers, contractors, resellers, etc., it expands the attack surface of everyone in the chain while simultaneously weakening the security fabric of even those with appropriate security hygiene practices.

"While we can't provide as detailed an analysis [of closed-source projects] as we can with open-source projects, it is fair to expect the trend to be similar. What if 61% of all projects, open- and closed-source, could be exploited due to this vulnerability?" asks Douglas McKee, principal engineer and director of vulnerability research for Trellix Threat Labs.

"To do our part Trellix is releasing a script which can be used to scan one or multiple code repositories looking for the presence and likelihood of exploitation for CVE-2007-4559. Additionally, we are working on automating submissions of pull requests to open-source projects which can be confirmed to be exploitable," McKee added.

Trellix has automated mass repository forking, mass repository cloning, code analysis, code patching, code commits, and pull requests. Patches by the company for 11,005 repositories are ready for pull requests. Trellix is developing patches for more projects.

"The number of vulnerable repositories we found begs the question, which other N-day vulnerabilities are lurking around in OSS, undetected or ignored for years?" McFarland added. "If this tarfile vulnerability is any indicator, we are woefully behind and need to increase our efforts to ensure OSS [open source software] is secure."

To check if your project/repository is vulnerable to CVE-2007-4559, refer to this GitHub documentation by Trellix.


How Can Open Source Sustain Itself without Creating Burnout? – thenewstack.io

The whole world uses open source, but as we've learned from the Log4j debacle, free software isn't really free. Organizations and their customers pay for it when projects aren't frequently updated and maintained.


How can we support open source project maintainers and how can we decide which projects are worth the time and effort to maintain?

"A lot of people pick up open source projects, and use them in their products and in their companies without really thinking about whether or not that project is likely to be successful over the long term," Dawn Foster, director of open source community strategy at VMware's open source program office (OSPO), told The New Stack's audience during this On the Road edition of The New Stack's Makers podcast.

In this conversation recorded at Open Source Summit Europe in Dublin, Ireland, Foster elaborated on the human cost of keeping open source software maintained, improved and secure and how such projects can be sustained over the long term.

The conversation, sponsored by Amazon Web Services, was hosted by Heather Joslyn, features editor at The New Stack.

One of the first ways to evaluate the health of an open source project, Foster said, is the lottery factor: "It's basically if one of your key maintainers for a project won the lottery, retired on a beach tomorrow, could the project continue to be successful?

"And if you have enough maintainers and you have the work spread out over enough people, then yes. But if you're a single maintainer project and that maintainer retires, there might not be anybody left to pick it up."

Foster is on the governing board for a project called Community Health Analytics Open Source Software (CHAOSS, to its friends) that aims to provide some reliable metrics to judge the health of an open source initiative.

The metrics CHAOSS is developing, she said, "help you understand where your project is healthy and where it isn't, so that you can decide what changes you need to make within your project to make it better."

CHAOSS uses tooling like Augur and GrimoireLab to help get notifications and analytics on project health. And its friendly to newcomers, Foster said.

"We spend a lot of time just defining metrics, which means working in a Google Doc and thinking about all of the different ways you might possibly measure something, something like, are you getting a diverse set of contributors into your project from different organizations, for example."

It's important to pay open source maintainers in order to help sustain projects, she said. "The people that are being paid to do it are going to have a lot more time to devote to these open source projects. So they're going to tend to be a little bit more reliable just because they're going to have a certain amount of time that's devoted to contributing to these projects."

Not only does paying people help keep vital projects going, but it also helps increase the diversity of contributors, "because you, by paying people salaries to do this work in open source, you get people who wouldn't naturally have time to do that.

"So in a lot of cases, this is women who have extra childcare responsibilities. This is people from underrepresented backgrounds who have other commitments outside of work," Foster said. "But by allowing them to do that within their work time, you not only get healthier, longer sustaining open source projects, you get more diverse contributions."

The community can also help bring in new contributors by providing solid documentation and easy onboarding for newcomers, she said. "If people don't know how to build your software, or how to get a development environment up and running, they're not going to be able to contribute to the project."

And showing people how to contribute properly can help alleviate the issue of burnout for project maintainers, Foster said: "Any random person can file issues and bug maintainers all day, in ways that are not productive. And, you know, we end up with maintainer burnout because we just don't have enough maintainers."

"Getting new people into these projects and participating in ways that are eventually reducing the load on these horribly overworked maintainers is a good thing."

Listen or watch this episode to learn more about maintaining open source sustainability.


OpenAI opens doors to DALL-E after the horse has bolted to Midjourney and others – The Register

OpenAI on Wednesday made DALL-E, its cloud service for generating images from text prompts, available to the public without any waitlist. But the crowd that had gathered outside its gate may have moved on.

The original DALL-E debuted in January 2021 and was superseded by DALL-E 2 this April. The latest release, which offers much improved text-to-image capabilities, allowed people to sign up to use the service but placed aspiring AI artists on a waitlist, one that didn't move in the past five months for this Reg reporter. The newly public service is called DALL-E, although it's still version 2 of the technology.

OpenAI justified the closed list by citing the need to be cautious. The org wanted to prevent users from generating violent, hateful, or pornographic imagery, and to prevent the creation of photorealistic images of public figures. And it created policies to that effect, because abuse and misinformation are genuine concerns with machine-learning image creation technology.

"To ensure responsible use and a great experience, we'll be sending invites gradually over time," OpenAI advised beta registrants in April via email. "We'll let you know when we're ready for you."

While OpenAI was doling out access at 1,000 users per week (as of May), Midjourney, a rival AI-based text-to-image service, entered public beta in July. Midjourney's Discord server, through which users interact with the service, reportedly reached about one million users by the end of July.

That was about the number of invitations extended by OpenAI at the time, following a transition to beta testing. Midjourney's Discord server currently lists 2.7 million members, while OpenAI presently claims to have 1.5 million users.

In August, another AI image generation company called Stability.ai released its own text-to-image model called Stable Diffusion, under a permissive CreativeML Open RAIL-M license.

The result was a surge of interest in Stable Diffusion because people can run the code on a local computer, without concern for fees; OpenAI and Midjourney require payment once users have exceeded their free tier allowances.

Also, Stable Diffusion is seen as a way to create explicit images without concern for censorious cloud gatekeepers, whether or not those images comply with the limited (and unlikely to be enforced) restrictions in the Stable Diffusion license.

"In just a few days, there has been an explosion of innovation around it," wrote Simon Willison, an open source software developer, in a blog post about a week after Stable Diffusion's public release. "The things people are building are absolutely astonishing."

Just one month on, it looks like OpenAI is late out of the starting gate.

"DALL-E has been opened up to everyone (no waitlist)!" quipped Brendan Dolan-Gavitt, assistant professor in the computer science and engineering department at NYU Tandon, via Twitter. "It's amazing what a few weeks of competition from open source can do ;)"

"The challenge OpenAI are facing is that they're not just competing against the team behind Stable Diffusion, they're competing against thousands of researchers and engineers who are building new tools on top of Stable Diffusion," Willison told The Register.

"The rate of innovation there in just the last five weeks has been extraordinary. DALL-E is a powerful piece of software but it's only being improved by OpenAI themselves. It's hard to see how they'll be able to keep up."

Artist Ryan Murdock (@advadnoun), who helped jumpstart text-to-image AI by flipping OpenAI's CLIP prompt evaluation model around and connecting it to VQGAN, expressed similar sentiment.

"I think OpenAI is still relevant but DALL-E is not," he said in a discussion with The Register. "I see very few people using DALL-E in the scene because it costs money, is gated in terms of what it can or will produce, and can't be used with interesting new research."

Murdock also observed that the texture of DALL-E images "looks really bad because the superresolution isn't conditioned on the text."

That's one area where open source innovation has helped: among the first additions to the Stable Diffusion image generation process were two code libraries, GFPGAN and Real-ESRGAN, which handle the repair of AI face rendering errors and image upscaling respectively.

Citing the ongoing debate about image ownership (many artists are not thrilled their work was used without their consent to train these models), Murdock said that ship seems to have sailed because Stable Diffusion's models now live on people's computers. He anticipates even more pushback as these AI models evolve to generate video.

Undaunted by external developments that have commodified AI image generation, and touting more robust filtering to ensure image safety, OpenAI sees a business opportunity.

"We are currently testing a DALL-E API with several customers and are excited to soon offer it more broadly to developers and businesses so they can build apps on this powerful system," the company said.


Red Hat And NdcTech Collaborate To Deliver Solutions Based On Open Source – Open Source For You

NdcTech's Temenos-certified consultants will participate in a pilot program run by Red Hat to acquire Red Hat training and practical experience implementing Red Hat technologies, such as Red Hat OpenShift and Red Hat Application Services.

In order to provide solutions based on cloud-native, open source technologies to support financial institutions, NdcTech, an IT and consulting firm offering transformational services for banks and financial institutions, has partnered with Red Hat, a provider of enterprise open source solutions, according to a statement released on Monday.

Red Hat has acknowledged NdcTech as a regional systems integrator across Europe, the Middle East, and Africa. Both businesses seek to expand into new areas with offerings supported by cutting-edge cloud-native technologies and improve customer support through go-to-market tactics.

According to Ammara Masood, CEO of NdcTech, the agreement would aid in the development of knowledge in the newest cloud-native and containerized modern stacks employing Red Hat OpenShift and Red Hat Application Services supporting Temenos solutions.

According to Rob Spittel, director, Global FSI Ecosystem, Red Hat, the company looks forward to working with other Temenos partners like NdcTech to transform a strong technical basis into commercial value for our banking customers.

One of Temenos' 42 implementation partners, NdcTech works with Temenos to integrate open source software with its cloud-native financial services. Temenos is a provider of banking software.


Paladin Cloud Joins the Cloud Native Computing Foundation – GlobeNewswire

PISCATAWAY, N.J., Sept. 19, 2022 (GLOBE NEWSWIRE) -- Paladin Cloud, a leader in open source cloud security, announced today that it has joined the Cloud Native Computing Foundation (CNCF), which builds sustainable ecosystems for cloud native software. The collaboration enables Paladin Cloud to provide developers with a modern cloud native platform to protect their applications and data running in the cloud. Paladin Cloud's CNCF membership demonstrates the company's commitment to providing developers with best-in-class open source tools and a thriving community to drive product innovation.

With Paladin Cloud, developers can monitor their cloud services in real time to identify and eliminate misconfigurations and security risks, while automating workflow and remediation. With a modern user interface and an open, connector-based architecture, developers can leverage Paladin Cloud's extensible policy management plane to expand beyond AWS, Azure and Google Cloud to connect into cloud-based enterprise systems.

"We're passionate about working with developers in the open source community to help support their projects and protect their applications and data," said Steve Hull, Paladin Cloud's Co-founder and CTO. "Our product vision is to equip developers with an enterprise grade, open source product that fits into their workflow and helps improve their cloud security posture."

"We're excited to welcome Paladin Cloud to the CNCF community as a Silver member," said Priyanka Sharma, General Manager, CNCF. "CNCF is committed to working with organizations whose mission is to advance the cloud native community, while fostering an open source ecosystem."

Paladin Clouds open source product is free to download and use at GitHub. The company supports its users through its Slack and Gitter channels.

About Paladin Cloud

Paladin Cloud is a rapidly growing, open source, cloud security company with a Security-as-Code platform that helps developers and security teams significantly reduce risks in cloud environments to protect their applications and data. The company's holistic approach to cloud security is based on its policy management plane that leverages best practice security policies in an open, connector-based architecture. Paladin Cloud is backed by Okapi Venture Capital, Bowery Capital, SaaS Ventures, Touchdown Ventures, Samsung Next, T-Mobile Ventures and UST. For more information, please visit http://www.paladincloud.io or connect with us at LinkedIn and Twitter.

About Cloud Native Computing Foundation

Cloud native computing empowers organizations to build and run scalable applications with an open source software stack in public, private and hybrid clouds. The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure, including Kubernetes, Prometheus, and Envoy. CNCF brings together the industry's top developers, end users, and vendors and runs the largest open source developer conferences in the world. Supported by more than 800 members, including the world's largest cloud computing and software companies, as well as over 200 innovative start-ups, CNCF is part of the nonprofit Linux Foundation. For more information, please visit http://www.cncf.io.

Press Contact: SGPR, samsungnext@smallgirlspr.com


Open Source Software – W3

About W3C Software

The natural complement to W3C specifications is running code. Implementation and testing is an essential part of specification development and releasing the code promotes exchange of ideas in the developer community.

All W3C software is certified Open Source/Free Software. (see the license)

2022-04-25 Version 3.0 of Ical2html includes the changes by Johannes Weil: command line options to set a title on the generated page, to highlight the current day, and to start the week on Monday; and update to libical version 3.

ical2html now also recognizes text in descriptions, summaries and locations that looks like a URL and turns it into a hyperlink.

(News Archive)

2022-04-15 The slide framework b6+ can now show a second window with a preview of the current and next slides and speaker notes. During a presentation, you could thus show the slides while looking at the preview on a second screen.

(News Archive)

2022-04-01 Version 8.4 of the HTML-XML-utils fixes a bug with ::attr() selectors. If hxselect was given multiple, comma-separated selectors, the ::attr() selector only worked on the first selector. (Thanks to Bas Ploeger for the patch!)

(News Archive)

2021-11-28 The slide framework b6+ has a couple of new features:

1) When slides are embedded in an iframe or object, links in the slide replace the parent document, rather than open inside the iframe.
2) It is possible to embed a slide as a static page, disabling the navigation to other slides.
3) Accessibility has improved: when switching slides, the new slide is made available to screen readers. See an explanation of ARIA role=application and aria-live by Léonie Watson. The explanation talks about Shower, but b6+ is similar.
4) When slides do not have ID attributes, you can still start at a specific slide by giving its number as fragment ID. E.g., to open a presentation with slide 25, end the URL with ?full#25.
5) The F1 key switches to full screen, because not all browsers provide a command for that.
6) Pressing the ? key in slide mode pops up a brief overview of available commands.
7) It is now possible to disable the use of a left mouse click to advance slides.
8) Another option hides the mouse pointer when it doesn't move for some seconds.
9) Various small bug fixes and improvements.

You can read the manual or download a zip file containing the JavaScript file (b6plus.js), a style sheet (simple.css), the manual (Overview.html) and some images used in the manual.

(News Archive)

News Archives: 2022, 2021, 2020, 2019, 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005, 2004, 2003.

Here is the list of Past Open Source Projects developed at W3C.

W3C software is free and open source: the software is made primarily by people of the Web community, for the Web community.

There are many ways to get involved:

Great communities make great tools, and with only a few minutes of your time you can join the mailing-lists associated with W3C open source projects (such as www-validator for the markup validator or www-validator-css for the CSS validator) and participate in discussions and user support.

A lot of W3C software has a specific user discussion mailing-list (see each project for details), and some also have IRC (chat) channels, such as the #validator channel on irc.freenode.net for discussions on W3C validation services.

Developers are welcome to get involved by contributing code, either to existing projects (see list above and check each project's documentation for contact e-mail information) or to proposed future software. Patches and bug fixes are always welcome, and developers willing to get seriously involved will generally get commit access after a proving period.

As explained below, all of W3C software source is freely available; developers are encouraged to get the source for the projects they care about and start hacking right away.

Read the IPR FAQ on software contribution if you intend to contribute code. Note that as this license is GPL compatible, it is possible to redistribute software based on W3C sources under a GPL license.

Code is not the only way to get involved in making W3C software better. Testing, bug reports, suggestions, or help in creating good documentation are equally important! Most projects will have a Feedback page, and you can report bugs, test cases and patches on our Bugzilla.

All the tools listed on this page are free and open source, but hosting, maintaining and developing them often costs a lot. With your support through the Validator Donation Program or the W3C Supporters Program, we can build even better tools.

Most W3C software is available directly from our CVS base or in our Mercurial repository. You can browse the content and history of either through their respective web interfaces.

See the documentation of each software for specific instructions for download and installation.

Some software that was formerly available via FTP at ftp.w3.org has been moved to our web site.


Understanding the hows and whys of open source audits – Security Boulevard

Learn who needs open source audits, why you might need one, who and what is involved, and how an open source audit can help you in an M&A.

If you're part of a modern business that does any software development, your dev teams are using open source components to move quickly, save money, and leverage community innovation. If you're a law firm or a consultant, your clients use open source. And if you're on the lookout for your next acquisition, you'll be evaluating targets replete with open source. In the most recent Synopsys Open Source Security and Risk Analysis report, we found that 78% of all code analyzed was entirely open source.

While the prevalence of open source components is now widely understood, the implications of software license conflicts, unknown dependencies, and vulnerable components are often underestimated or overlooked. Unresolved issues arising from open source in digital assets can negatively influence mergers and acquisitions (M&A). It's the responsibility of those involved in these engagements to adequately scope this influence and mitigate the issues that can spoil a deal.

The first step toward an effective and actionable audit is to consider why youre doing an audit. Are you doing it for internal purposes, or are you doing it to prove your resources are assets rather than liabilities?

For many, impending M&A activity drives an audit. After all, when buying, you want to acquire high-quality assets free of legal, security, and quality issues. When selling, you want to be a high-quality asset. Buyers want to have a good handle on the risks they are taking on so they can value and structure the deal appropriately. Those buyers want to know that their target does not bring with it baggage that is unaccounted for. They'd like to know the company is using open source components within the bounds of their licenses, that it is minimizing potential cyber attack vectors, that it can ensure consistent uptime, and that its data, and its customers' data, will be secure.

Some organizations opt for an internal open source audit because the leadership team has been reading news about open source vulnerabilities, exploits, and possible breaches. Some teams may be concerned about the intellectual property risks due to noncompliance with open source licenses. What's driving your organization's choice? Your reason makes a difference in who you involve and your goals.

As the focus on digital transformation heightens, development and release velocity expectations rise, which is a heavy burden placed on developers. As a result, they depend more and more on open source for foundational functionality so they can spend more time on innovation.

When preparing for a code audit, understand that developers are focused on producing the highest-quality code possible given tight deadlines. It's important not to assume that developers understand the complex license terms often associated with the open source components they leverage. The same often goes for security vulnerabilities. Regardless, the scale of open source usage has far outpaced the ability to manually track these types of risks.

Senior leadership, legal departments, and senior technical managers are usually the ones charged with identifying the strategy, policies, and processes associated with open source risk management. Unfortunately, this does not always prescribe clear mechanisms to manage developers consumption of open source libraries. Developers often place more weight on a solution that meets the task if the alternative can mean missing a shipping deadline.

Software audits come in many different shapes and sizes. There are, however, several areas of consideration that should be addressed to make the audit insightful and actionable.

An audit report should focus on these areas. And the parties should review these topics with the auditor, whose experience can provide clarity and answer specific questions. This is a critical step, because what the audit uncovers may have a material impact on the valuation of a business and the deal terms during an M&A. For example, different licenses pose different levels of risk depending on the industry in which a business operates, the sensitivity of data it touches, the external/internal orientation of the software, and more. The same goes for security vulnerabilities; they may affect web-based applications differently than they do embedded applications. These are the types of considerations that an expert audit group can advise on.

Maybe something needs to change, maybe it doesn't; the results of your audit will help you answer that question. If your audit showed exactly what you expected, you're in the minority. When we did an analysis of our security audits from 2021, we found that 97% of applications scanned used open source, and companies were only aware of about half of the open source in use. The majority of codebases we analyze have license and security issues.

The output of an open source audit provides clear information about not only the open source code in use, but also the known vulnerabilities in the code and the license compliance risks. This information gives you a clear picture of what's in the target's code, and it can help you be better prepared moving forward.

If your goal is to assess your own code for internal purposes, audit results arm you with the information to create open source risk management policies for future development efforts. If your audit is for an M&A or due diligence situation, the results provide invaluable information necessary for determining deal value and risk.

The most common reason for an open source audit among our customers is for merger and acquisition events. A snapshot of the open source use and risk exposure of the code in question provides much-needed information to help you move forward as a buyer or a seller. Buyers get visibility into risks they may be taking on; sellers have the opportunity to address such risks in advance of due diligence. If you anticipate being on either side of a transaction, the Black Duck Audit Services team can help you decide how to proceed.

Learn more about open source software audits

Follow this link:
Understanding the hows and whys of open source audits - Security Boulevard

New Metaverse Track at O3DCon to Tackle Big Questions and Practical Applications of Emerging Graphical Technology – PR Web

Sessions will explore where we are today in metaverse technology and applications, what's lacking, and how open source software and standards communities can take a leadership role in bridging the gaps.

SAN FRANCISCO (PRWEB) September 12, 2022

A new metaverse track hosted by the Linux Foundation is being offered at next month's O3DCon event, taking place October 17-19 in Austin, Texas. The track will be presented by thought leaders from a range of open source projects. Sessions will explore where we are today in metaverse technology and applications, what's lacking, and how open source software and standards communities can take a leadership role in bridging the gaps. The event will also host open floor discussions each day for event attendees to share thoughts and ideas about the presentations delivered in the metaverse track.

The metaverse track schedule can be found at: https://bit.ly/3L3IrLG

Session topics in the metaverse track include:

This year's event will convene a vibrant, diverse community focused on building an unencumbered, first-class, 3D engine poised to revolutionize real-time 3D development across a variety of applications, from game development, metaverse, digital twin and AI, to automotive, healthcare, robotics and more.

Early bird pricing for O3DCon expires September 16.

The event is produced by the Open 3D Foundation (O3DF), home of the open-source Open 3D Engine (O3DE) project. O3DE is a modular, cross-platform 3D engine built to power anything from AAA games to cinema-quality 3D worlds to high-fidelity simulations. The code is hosted on GitHub under the Apache 2.0 license. Connect with the community on Discord.com/invite/o3de and GitHub.com/o3de.

About the Open 3D Foundation

Established in July 2021, the mission of the Open 3D Foundation (O3DF) is to make an open-source, fully-featured, high-fidelity, real-time 3D engine for building games and simulations, available to every industry. The Open 3D Foundation is home to the O3D Engine project. Since its launch in 2021, more than 25 member companies have joined the O3DF. Newest members include OPPO and Heroic Labs, as well as Microsoft, LightSpeed Studios and Epic Games. Other Premier members include Adobe, Amazon Web Services (AWS), Huawei, Intel and Niantic. In May, O3DE announced its latest release, focused on performance, stability and usability enhancements. The O3D Engine community is very active, averaging up to 2 million line changes and 350-450 commits monthly from 60-100 authors across 41 repos.

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Inquiries: pr@o3d.foundation

Go here to read the rest:
New Metaverse Track at O3DCon to Tackle Big Questions and Practical Applications of Emerging Graphical Technology - PR Web

TechOps is a mess: Open source is the solution – BetaNews

Building software is hard. Building cloud software is even harder because things move much faster -- and require mission-critical reliability and availability. To effectively build software in the cloud, engineering teams need observability, CI/CD, reporting, and lots of tooling. But all of the tools available to engineering teams never quite fit together in a way that provides visibility and consistency. When things go wrong, developers scramble to troubleshoot systems with disparate data and systems.

TechOps teams are in charge of keeping everything running. But poorly integrated toolsets create an environment where teams have several interfaces and data sets to wrangle when operating critical services. Teams often try to solve this problem by creating one-off integrations of out-of-the-box tools with internally developed tooling and process. These integrations are generally very shallow, and create a significant maintenance burden and reliability gaps.

Custom integrations provide more places to store data and a wider pool to search, resulting in a decentralized view of the data sources and no easy way for developer collaboration. What's needed is an open source-based control center for collaboration and proper integration with current systems -- no more copying and pasting. But it's important to make the centralized command center work for everyone at the organization, not just front line developers and SREs.

Challenges at every level

Challenges for operating, monitoring, and incident response exist at all levels of our organizations. TechOps teams are focused on hosting, deployment, and reliability of services. These teams have specific concerns to address before, during and after a potential incident. How can developers get early warning of a service outage? How do we sort through large volumes of monitoring data to troubleshoot failures? How do we track the status and progress during an incident? How do we document the work that was done to restore the service? How do we gather all of the relevant incident information for the retrospective and RCA documents?

Let's say there's a service-interrupting issue. At the developer level, the teams need detailed monitoring and log data. Having a centralized control center provides easier access to this data, improving efficiency and offering perspectives on how to solve future problems.

Engineering leads have roughly the same goals as developers on the frontlines of the issue, but they are more focused on high-level, business-oriented trends. This broader perspective means that they primarily want a less granular view of outage data. These users will spend more of their time focused on analyzing trends in outages over time, understanding the current status and next steps for an ongoing incident, and ensuring proper communication with internal and external stakeholders.

At the Senior Management level, executives need high-level answers to explain problems to their customers. During major service disruptions, CEOs are often in constant communication with their major stakeholders providing status about why services went down. Rather than granular outage data, these discussions rely on high-level but informed and actionable business insights.

Addressing the disconnect with open source

Clear data and collaborative workflows are critical at every level of an organization. But the real power lies in integration -- not standalone solutions. By leveraging the flexibility of open source software, teams can create collaboration systems that reduce downtime, avoid confusion, enable speed, and increase efficiency.

When compared to internally developed one-off systems, open source solutions typically scale better, provide higher quality and reliability, and lower the overall maintenance burden for TechOps teams. Creating a streamlined Ops process with proper visibility and integrations improves developer productivity. It also boosts workplace satisfaction and helps reduce developer burnout.

One of the major problems with custom in-house tooling for TechOps is maintenance. This tooling may work great when it's first built. But over time, requirements shift, and maintenance work for internal tooling often falls to the bottom of the priority list. Meanwhile, new tools are inserted into the tech stack, and common dependencies aren't always updated and managed appropriately. The result? The tooling we all rely on breaks in an ugly way as soon as we have an incident or outage. This leaves teams scrambling to restore critical services without proper visibility and control into their systems.

Implementing an open source solution also improves a team's ability to maintain the software needed to solve future problems. When organizations adopt open source, they're gaining access to the underlying source, backed by a community of independent contributors, with flexible, layered extensibility. This allows the team to speed up maintenance and deployment of the software so they can focus on solving issues quickly and improving systems for better operations in the future.

Flexibility is one of the top traits organizations look for in developers. But to achieve complete flexibility, organizational software needs to match these human expectations. Without open source enabling this flexibility, TechOps is a mess. On the other hand, integrating tools into a centralized view makes cross-organizational collaboration easier and addresses diverse challenges at every level of a modern organization.

Photo Credit: Rawpixel.com/Shutterstock

Chris Overton is Vice President of Engineering at Mattermost, Inc. Previously, Chris led engineering at Elastic, where he was also responsible for the Cloud product division. Chris is an expert in building and operating public and hybrid SaaS services, distributed systems, analytics/processing of large data sets, and search.

Read more:
TechOps is a mess: Open source is the solution - BetaNews

Rezilion Recognized as SBOM Tool Provider in Gartner Emerging Technologies Trend Report on Software Bills of Materials (SBOM) USA – English – USA -…

BE'ER SHEVA, Israel, Sept. 9, 2022 /PRNewswire/ -- Rezilion, an automated software vulnerability management platform, announced today that it has been named a vendor providing innovative tools for SBOM management in Gartner's new report, titled Emerging Tech: A Software Bill of Materials Is Critical to Software Supply Chain Management.

The report highlights the growing importance of SBOMs in managing software supply chain risk at a time when the software industry increases its reliance on third-party and/or open-source code. Unlike internally-developed components, which adhere to rigorous security and quality guidelines, open-source software (OSS) can come from many sources and is far more prone to risk. These security and compliance risks are exacerbated by a lack of visibility and understanding of open-source dependencies within the software supply chain. SBOMs answer that challenge by providing a much-needed view into an organization's inventory of software, as well as the dependencies, licenses, compliance posture and provenance information.

The software supply chain has become a target and is under constant attack, with high-profile breaches, such as the ones impacting SolarWinds and Kaseya. An SBOM is critical because it offers visibility, and also allows users to monitor vulnerabilities in parallel with whatever vulnerability management is conducted by the supplier. But having visibility isn't enough - organizations also need to be able to identify new software vulnerabilities. To meet this need, the report recommends that static SBOMs evolve to include dynamic and real time capabilities. Furthermore, the report highlights the need to go beyond identification of software vulnerabilities and leverage SBOMs to drive efficient remediation.

Using the Rezilion platform, customers can identify, prioritize, and remediate software vulnerabilities using a first-of-its-kind Dynamic SBOM. Unlike static SBOMs, which traditionally provide visibility into a single software environment at a specific point in time, Rezilion's Dynamic SBOM seamlessly plugs into all software environments, from development to production, and provides real-time visibility to all software components. Rezilion's Dynamic SBOM then does more than just uncover what software components are there: it reveals if and how they're being executed in runtime, providing organizations with an unparalleled solution to understand where bugs exist but also whether or not they could be exploited by attackers.

Through Rezilion's Dynamic SBOM, customers benefit from:

"Gartner's analysis and outlook on SBOMs arrives at a critical time," said Liran Tancman, Co-Founder and CEO of Rezilion. "As more organizations embrace SBOMs as a vital component of their software security tooling, we're thrilled to be among the named providers. Our Dynamic SBOM gives organizations the ability to know how their dependencies are being exploited, which solidifies how well-aligned our current capabilities are with the evolution of SBOMs in the future."

Rezilion was named a vendor in the Software Bill of Materials (SBOM) category in the Gartner Hype Cycle for Open Source Software, 2022, and the SBOM and ASOC categories in the Gartner Hype Cycle for Application Security, 2022, in July of this year.

Rezilion's Dynamic SBOM is available now across CI and on-prem and cloud environments. A basic, free-of-charge version is available for use in CI through Rezilion's website. Get started today at http://www.rezilion.com/get-started.

Rezilion's platform automatically secures the software you deliver to customers. Rezilion's continuous runtime analysis detects vulnerable software components on any layer of the software stack and determines their exploitability, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable vulnerabilities across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours, while giving DevOps teams time back to build.

Learn more about Rezilion's software attack surface management platform at http://www.rezilion.com and get a 30-day free trial.

Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Media Contact: Danielle Ostrovsky, Hi-Touch PR, 410-302-9459, [email protected]

SOURCE Rezilion

View original post here:
Rezilion Recognized as SBOM Tool Provider in Gartner Emerging Technologies Trend Report on Software Bills of Materials (SBOM) USA - English - USA -...