Open Security: The next step in the evolution of cybersecurity – SC Media

When it comes to openness in technology, people first think of open source software. But IT professionals can (and should) explore another avenue of openness: open security.

Open security may sound like an oxymoron for many in the cybersecurity field. After all, many security vendors today employ secrecy to guard their threat detection and response methods. But the consequence of this secrecy has created a dangerous monoculture in security, characterized by a general lack of transparency, black-box products, and poor integrations. The prioritization of vendor competition over collaboration to safeguard users further supports the asymmetric advantage held by attackers and ensures one breach can take down an entire ecosystem.

Closed security, while good in the short-term for vendors, has not been good for users, customers, or organizations seeking better security.

As a CISO with more than two decades of experience leading tech and financial service organizations, I believe that open security (offering open detection rules, open artifacts, and open code) holds significant promise in making for transparent, interoperable, and accessible cybersecurity for all companies.

Open Security Open Source

Think of open security as a philosophy, methodology, and way of doing business that shifts the dynamic of a security company's relationship with its users toward transparency. Open security encourages community engagement to further strengthen the security posture of vendors, their customers, and users.

By developing security in the open, vendors let security practitioners see the underlying code of a product and run tests before implementing it in their environment.

Open security also offers practitioners a better understanding of how threat detections work and how security technology operates within a given environment, allowing organizations to simplify their cybersecurity processes.

Most important, it helps information security professionals identify potential blind spots or known gaps in a product's code, and that's especially crucial given that no single security solution can protect against every known and unknown cyber threat.

Instead of spending time and resources verifying a chosen security vendor's protection claims, open security lets companies focus on addressing gaps in their security technology stack and developing risk profiles for new and emerging threats. Similar to open source collaboration, security teams can leverage the cybersecurity community to identify security gaps faster than any security operations center can on its own.

In reality, security professionals have been playing defense with limited information thus far. When companies employ open security to look at their defense-in-depth, it offers a deeper understanding of how their organizations are protected.

Expand the talent pool with open security

The same information silos that lead to thousands of data breaches every year also contribute to the ever-widening cyber skills gap. By making security closed and proprietary, security vendors increase the barrier to entry for new security professionals.

As any security practitioner will admit, it's hard to break into the industry absent the ability to tinker with the tools to understand how they work. Security has wrapped itself in a dark-arts culture that reduces the diversity of its talent pool, deters new entrants, and encourages tolerance for complex and hard-to-use tools.

While many security practitioners get their start in the public sector, there are not enough of these hyper-skilled defenders to fill the ranks of organizations facing increasingly frequent and sophisticated attacks.

Developing security in the open lowers the barrier to entry for new cybersecurity professionals by making security accessible to a wider range of people. It encourages them to seize the opportunity to learn by letting them study the technology on a deeper level than what's available in the current market.

Cyber maturity requires transparency

While open security may sound radical, relying on security through obscurity as the primary form of protection against cyber threats does not work as an effective strategy for long-term success. The cybersecurity industry has transformed significantly in the past decade; now, it's time for the next phase of growth, and an open security model unlocks new opportunities to educate and empower users.

Ultimately, customer demand will determine whether vendors adopt open security. Today, security providers may not want to open the black box of security because they know too many bypasses and questionable coding choices exist, the result of trading security against performance or of developing in a closed environment with minimal accountability. Open security can help right that wrong. And if customers demand that transparency, security providers will oblige.

By adopting an open approach to security, providers can invest the time to improve their products and practices while encouraging a new and diverse talent pool to join their ranks. Doing so can strengthen the security industry and better equip organizations to tackle tomorrow's threats.

Mandy Andress, chief information security officer, Elastic


11 Interesting Firefox Add-ons to Improve Your Browsing Experience – It’s FOSS

I think we can all agree that Firefox is one of the best browsers for Linux.

And, as a cherry on top, you can enhance your browsing experience with some extensions! Maybe even isolate Facebook?

Before I suggest some awesome Firefox add-ons, let me give you some pointers.

One thing that we all know is that blindly installing browser extensions can be extremely harmful. So how do you determine if a browser extension is safe to use?

Since this article is about Firefox add-ons, we focus on Firefox's marketplace (the official place to get the add-ons).

While nothing is 100% bug-free/secure, there are a few things one can check:

With that said, let us take a look at a few of the extensions that improve your web browsing experience.



Everyone hates Facebook, but rarely is anyone willing to remove Facebook's tracking elements from their own website. So Mozilla pulled a Thanos moment ("Fine. I'll do it myself") and created this add-on for Firefox users.

As the name suggests, an isolated container (not related to Docker) is created for Facebook. All the Facebook-related stuff happens inside this isolated container. This ends up making it harder for the social media giant to track you.


uBlock Origin is one of the most well-known and trusted ad blocking add-ons for Firefox. Yes, it is primarily used for blocking ads, but because its basic task is to block elements in your web browser, it can block a lot of items. Advertisements, yes, but also web trackers, cryptocurrency miners, pop-ups, etc.

Though its permissions may seem a bit excessive, there is a reason behind them. The add-on needs permissions like "Access browser activity during navigation" and "Access your data for all websites" so that it can inspect every request and block the ones that seem harmful or useless.


Bitwarden should be the go-to password manager for everyone. It has free sync support for mobile, web (browser), and desktop, can also store notes securely, helps generate usernames and passwords, auto-fills user info, and much more. On top of that, it is made available under the GPL-3.0 License. Who doesn't love free and open source software?

Bitwarden has everything that I would look for in a password manager. It costs just $10 if you want to upgrade to its premium plan and not self-host it. I highly recommend its Firefox add-on!


Are you someone who wants an open-source alternative to Grammarly? While I don't have any issues using Grammarly, what I really like and prefer is free and open-source software. LanguageTool is an excellent tool for checking grammar inconsistencies such as spelling errors, mixed spelling variants (color vs colour) and commonly confused words (then vs than), and you also get a thesaurus with it.

In my experience of using this add-on, it has worked reliably on almost all text fields. No issues there. The two biggest features of this add-on are as follows:

Picture this: you are reading an article on the Internet. There are two banner ads, at the top and bottom of the webpage. There are ads down the whole right side. Above the bottom ad banner is a video playing automatically. You turn on the ad blocker, but the video continues to play. The banners don't have ads in them anymore, but they still use up valuable screen real estate. Bothered much?

Don't be too bothered. Behold, the Tranquility Reader add-on for Firefox. This extension removes extra elements like photos, videos, ads, social media share buttons, etc. It gives you a clean UI with nothing but text, so you can focus on reading.

The Tranquility Reader add-on has the following stats:


The Enhancer for YouTube add-on for Firefox is one of a kind. It adds a few buttons to the YouTube player, allowing for greater customization. You get things like changing the resolution, controlling playback speed, controlling the audio volume with the mouse scroll wheel, and much, much more.

You can find more information about the extension on its official webpage.

Keeping track of your time, productivity and sanity is crucial when you are browsing the internet, especially when you are researching a topic and go down a rabbit hole. You deserve a break, but you will be so entrenched that you may lose track of time.

The Tomato Clock add-on is exactly what its name suggests: it is a clock timer. A tomato is 25 minutes long, which feels either long or short depending on your mental engagement with the content on screen. Upon completion of 25 minutes, you get a browser notification reminding you of the ever-passing of time.



When you search for the term "Red Lamborghini", you get images of a red-colored Lamborghini. But what if you didn't know what car it was? This add-on allows you to search for images using the image itself instead of textual terms, and shows similar results or the source of origin for that image.

You have the following ways of choosing an image for a search:


Having an accessible dictionary is never a bad thing! I've certainly been spoilt by the force-touch-to-look-up feature of macOS. The Dictionary Anywhere add-on for Firefox really makes up for it when I am on my desktop, using Linux. All I need to do to get a word's definition is double-click on the word, and the definition pops up!

For the moment, the only supported languages are English, Spanish, German and French. Please note that this extension will NOT work with Firefox's reader mode, because scripts are not allowed to execute in that mode.

A slight downside is that this makes it slightly annoying to double-click and select a whole word in an editable text field. A small price to pay for salvation.

Also, if you want an actively maintained extension, this will disappoint you.


If you are a Vim user, do I really need to explain this to you? Go try it for yourself! You'll thank me later.

For those who don't know what this add-on does, it allows you to navigate Firefox solely using Vim-style keys: pressing J scrolls down, K scrolls up, X closes the current tab, T opens a new tab, and there are a variety of other keyboard shortcuts.

While this add-on has the Experimental badge, I have had no problems with it in my experience of using it over the last year or two.

FireShot is a very simple Firefox add-on. It allows you to capture full web pages into a single, long image or as a PDF file. On top of that, you can annotate too (hahaha)! Annotation only works on Windows, though, and that's a bummer!

It does not have a Recommended badge from Firefox, so you may want to read more about it on its add-on page before you decide to use it.

This article covers a wide range of add-ons for Firefox that I think should help improve your web browsing experience.

What is your favorite Firefox extension? Let me know your thoughts in the comments below.


why the giants fight over open source – Gearrice

Open source is the origin of much of the progress that we now enjoy and, in a way, a bastion of some early internet culture that many think is being lost.

Android, Linux and the Firefox browser are the best-known examples, and behind them sits a huge list of software whose code can be freely shared and improved. What is perhaps less well known is that for quite some time the big technology companies themselves, the ones that do the most business with proprietary software, have been its main promoters.

And that has good and bad things.

Recently there has been a change at the top of this ranking of open source benefactors.

Google has increased its commitments to open source software and has overtaken Microsoft in terms of active contributions, according to a new analysis from Aiven using data from OSCI.

Microsoft had been the company contributing the most resources until this year. The ranking has a catch, though: it counts subsidiaries separately, for example Microsoft's GitHub or IBM's Red Hat. Counting them together, Microsoft would still be first.

It is perhaps hard to believe that Microsoft, which especially in the 90s had many legal battles with open source promoters, has led this ranking for so long. However, since the arrival of Satya Nadella its perspective has changed, and a lot.

Google, for its part, has always supported open source. Again, for better or for worse: it has turned Android into a standard, but it has also been criticized for closing APIs, for example in Chromium, according to its interests.

According to data from the Open Source Contributor Index (OSCI), Google had 5,421 active contributors in August, compared to 5,268 for Microsoft.

Red Hat, Intel and IBM have consistently followed Google and Microsoft in the number of contributors this year and over the last five years.

Meanwhile, Amazon is one rung behind, with 1,963 contributors. However, Amazon is showing higher monthly growth than some of the other companies on the list.

There are also differences by language. Looking at the type of projects they work on, Aiven's team found that while Google and Amazon mostly work in C++, Java, and Python, Microsoft prefers its own languages: PowerShell and C#.

The data is obtained by counting the commits on GitHub. Altogether, the monthly contributors to open source projects from Google, Microsoft and Amazon grew 300% in six years, from 2,654 in May 2016 to 10,549 in May 2022.

Heikki Nousiainen, field technology director and co-founder of Aiven, said in the report that the big tech trio is putting more resources and development time into open source, something the community needs to ensure that important projects are sustained.

Their input also helps promote clean, transparent, and secure code, says Nousiainen, which will help ensure that security vulnerabilities like Log4Shell, the flaw in the Java logging library Log4j that caused chaos in IT departments around the world last year, don't reoccur.

This is especially relevant because large companies commonly hide behind security problems to privatize some elements of the code.

That Google has overtaken Microsoft is especially surprising, says Nousiainen. A contributing factor has been the decline in Microsoft's year-over-year commitments to open source projects. However, Microsoft's commitment to developer freedom and innovation is constant, as the company is a major player in open source, and even bought GitHub in 2018, he commented.

But why is this so interesting? Open source is a neutral no man's land, says Aiven's founder. People have always engaged with each other, but now it's more, because people expect companies to engage more and connect. The ecosystem is a much more powerful thing now and it's easier to build.

However, as we mentioned, not always everything is so idyllic. In March 2021, Google limited access to many Chrome APIs within the open source Chromium web browser, which Chrome and many other browsers are based on.

Google justified its decision by saying that third-party Chromium-based browsers were integrating features based on Google's cloud that were intended only for Google Chrome users.

In other words, this meant that a small fraction of users could access their Google account and store their personal Chrome sync data, such as bookmarks, not only with Google Chrome but also with some Chromium-based third-party browsers.

Google's move left many Chromium developers and maintainers of other versions with their work disrupted.

It should be noted that almost 90% of the browsers used by all Internet users are based on Chromium. In this way, Google may not be using, as Microsoft did in the 90s, its predominance to sell its products, but it has made it clear that it continues to have the upper hand in some decisions that may be critical.


Compare Files in Linux With These Tools – It’s FOSS

Whether you're a programmer, a creative professional, or someone who just wants to browse the web, there are times when you need to find the differences between files.

There are two main tools that you can use for comparing files in Linux:

But there are several other tools with different features for comparing files. Here, let me mention some useful GUI and CLI tools for checking the differences between files and folders.

Note: The tools aren't ranked in any particular order. Choose what you find the best for you.

Diff stands for difference (obviously!) and is used to find the difference between two files by scanning them line by line. It's a core UNIX utility, developed in the 70s.

Diff will show you the lines that need to change in the compared files to make them identical.


And, the best part is, diff comes pre-installed in every Linux distro.

As you can see in the screenshot above, it's not easy to understand the diff command's output on the first attempt. Worry not. We have a detailed guide on using the diff command for you to explore.
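The article describes diff as the tool that tells you which lines must change to make two files identical. The script below is an added example, not part of the It's FOSS article, showing the side of diff that matters in scripts: its exit status (0 identical, 1 different, 2 trouble), which makes it usable as a configuration drift check rather than only a viewer. The two sample files are constructed for the example and the option names in them are illustrative; the helper functions are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not from the It's FOSS article): drive diff from a script to detect
# configuration drift. diff exits 0 when the files are identical, 1 when they differ
# and 2 on trouble (e.g. a missing file), so the exit status is itself the check.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input: a known-good baseline and a "live" copy that has drifted.
cat > "$WORK/baseline.conf" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF

cat > "$WORK/live.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication no
AllowTcpForwarding yes
EOF

# files_match FILE1 FILE2: prints identical / different / error based on diff's exit
# status. The "|| status=$?" form keeps the function safe under "set -e".
files_match() {
    status=0
    diff -q "$1" "$2" >/dev/null 2>&1 || status=$?
    case $status in
        0) echo identical ;;
        1) echo different ;;
        *) echo error ;;
    esac
}

# changed_lines FILE1 FILE2: number of lines diff would add or remove to turn FILE1
# into FILE2, counted from unified output. The "---"/"+++" file headers are excluded
# by requiring the second character to be neither - nor +. grep -c prints 0 and
# exits 1 when nothing matches, hence the "|| true".
changed_lines() {
    diff -u "$1" "$2" | grep -c '^[-+][^-+]' || true
}

# Stand-alone run: report drift, then show the exact lines the article talks about.
echo "baseline vs live: $(files_match "$WORK/baseline.conf" "$WORK/live.conf")"
echo "lines to change:  $(changed_lines "$WORK/baseline.conf" "$WORK/live.conf")"
diff -u "$WORK/baseline.conf" "$WORK/live.conf" || true
```

Because the exit status distinguishes "differs" from "could not compare", a cron job or CI step can alert on 1 (drift) and fail loudly on 2 (file missing or unreadable) instead of silently treating both as "no news".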

If, for some reason, you find the diff utility a bit bland in terms of colors, you can use Colordiff, a modified version of the diff command with enhanced color and highlighting.


Installation:

Colordiff is available in the default repository of almost every popular Linux distribution, and if you're using any Debian derivative, you can type in the following:

Wdiff is a front end to the diff utility with a different approach to comparing files: it compares on a word-by-word basis.

It starts by creating two temporary files and runs diff over them. Finally, it collects the output, and you're presented with the word differences between the two files.


Installation:

Wdiff is available in the default repository of Debian derivatives and other distros. For Ubuntu-based distros, use the following command to get it installed:


It's one of the most powerful features that you get with the Vim editor. Whether you are using Vim in your terminal or the GUI version, you can use the vimdiff command.

Vimdiff works in a more advanced manner than the usual diff utility. For starters, when you enter the vimdiff command, it starts the Vim editor with your usual diff. However, if you know your way around Vim and its commands, you can perform a variety of tasks along with it.

So, I'd highly recommend getting familiar with the basic commands of Vim if you intend to use this. Furthermore, having an idea of how to use buffers in Vim will be beneficial.

Installation:

To use Vimdiff, you would need to have Vim installed on your system. We also have a tutorial on how to install the latest Vim on Ubuntu.

You can use the command below to get it installed (if you're not worried about the version you install):

As its name suggests, this utility works over a Git repository.

This command uses the diff mechanism we discussed earlier and runs it over Git data sources. That can be anything from commits and branches to files and a lot more.


Installation:

Gitdiff does not require any separate installation unless you don't have Git installed on your system. And if you're looking for the most recent version, we have a tutorial on how to install the latest Git version on Ubuntu.

Or, you can just follow the given command to install Git on your Ubuntu-based distro:

Looking for a GUI tool that not just differentiates files, but also allows you to create and apply patches to them?

Then Kompare by KDE will be an interesting choice!

Primarily, it is used to view source files to compare and merge. But, you can get creative with it!

Kompare can be used over multiple files and directories, and supports multiple diff formats.


Installation:

Being part of the KDE family, Kompare can be found easily in the default repository of popular Linux distros and the software center. But, if you prefer the command line, here's the command:

Tools like Kompare may overwhelm new users as they offer a plethora of features, but if you're looking for something simple, Meld is a good pick.

Meld provides up to three-way comparison for files and directories and has built-in support for version control systems. You can also refer to a detailed guide on how to compare files using Meld to know more about it.


Installation:

Meld is popular software and can be found easily in the default repository of almost any Linux distro. For installation on Ubuntu, you can use this command:

Coming from the developers of the famed Sublime Text editor, Sublime Merge is targeted at programmers who are constantly dealing with version control systems, especially Git, as having the best workflow with Git is its primary focus.

From command line integration, powerful search, and flexibility to Git flow integration, anything that powers your workflow comes with it.

Like Sublime Text, Sublime Merge is also not open source. Similarly, it is also free but encourages you to buy a license for continuous use. However, you can continue using it without purchasing the license forever.

There are a few more tools like Sublime Merge. P4Merge and Beyond Compare come to my mind. These are not open source software but they are available for the Linux platform.

In my opinion, the diff command and Meld tools are enough for most of your file comparison needs. Specific scenarios like dealing with Git could benefit from specialized tools like GitDiff.

What do you find the best for your use case? Share your thoughts in the comments down below.


Microsoft and ByteDance are collaborating on a big AI project, even as US-China rivalry heats up – CNBC

Flags of China and the United States are seen near a ByteDance logo in this illustration picture taken Sept. 18, 2020.

Florence Lo | Reuters

The high-stakes battle between the U.S. and China for supremacy in artificial intelligence has domestic lawmakers growing increasingly concerned over what losing out could mean for national security, the economy and American prosperity.

But as the world's two largest economies pour resources into the race for dominance in the field, there's also collaboration afoot. Indeed, some AI experts even say that cross-border cooperation is key to getting the most out of advancements in computing.

Engineers from Microsoft and China's ByteDance, the parent of TikTok, are doing their part to advance that notion. Through a project called KubeRay, they're working together on software intended to help companies more efficiently run AI apps.

At the Ray Summit this week in San Francisco, ByteDance software engineer Jiaxin Shan and Microsoft principal software engineer Ali Kanso discussed their progress with data scientists, machine learning experts and other developers interested in building large applications using open source software called Ray.

Shan and Kanso explained the technical details behind KubeRay and pitched the software as helpful in powering AI apps that run on multiple computers, or distributed computing.

"Jiaxin and I have been working for like a year on an open source project and this is the beauty of a community gathering like this," said Kanso, who has a Ph.D. in computer science. "We're not in the same company, but we meet every week, we collaborate every week."

Shan, who previously worked as a software engineer at Amazon Web Services, is based in the Seattle area, near Microsoft's headquarters, according to his LinkedIn profile.

Companies often partner and share engineering resources to contribute to open source projects, which have gained popularity in recent years and have seeded numerous startups. The Microsoft-ByteDance collaboration is notable because of the brewing rivalry between the U.S. and China with respect to AI and intellectual property, and concerns over how technological advancements could be used for surveillance and privacy intrusion.

Microsoft has been investing heavily in AI along with competitors like Amazon, Google parent Alphabet, Facebook parent Meta and Apple. Like Google once did, Microsoft maintains an AI research lab in China, helping it tap into the country's academic talent.

Meanwhile, as TikTok's usage has exploded in recent years, ByteDance has been diving into various AI open source projects. In 2020, for instance, ByteDance debuted its NeurST software tool kit for AI-powered speech translation. And last year the company debuted its CloudWeGo open source enterprise software.

The Ray Summit was organized by software startup Anyscale, whose technology is built on Ray. Anyscale, which also contributed to KubeRay, was co-founded in 2019 by a group of engineers that included Ion Stoica, a computer science professor at the University of California at Berkeley. Stoica has a long history in open source software and co-founded Databricks, a data analytics company that was valued at $38 billion in a financing round last year.

Databricks was built on top of Apache Spark, which was developed at Berkeley under Stoica's direction. Anyscale is trying to follow a similar path, and said this week that it's just raised a fresh $99 million.

Tech giants like Microsoft and Meta often use open source projects as a way to propagate their own internal technological ideas to the wider community. Doing so helps lure potential recruits and serves as way to market the companies as technology leaders to developers.

The Microsoft-ByteDance relationship has some history to it. In 2020, Microsoft sought to acquire TikTok from ByteDance at a time when then-President Donald Trump threatened to ban the social media app over unspecified security reasons. A year later, Microsoft CEO Satya Nadella called the botched deal "the strangest thing" he's ever worked on.



OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain – DARKReading

SAN FRANCISCO, Aug. 17, 2022: The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world's most important software supply chain security initiatives, on Wednesday announced 13 new members from leading financial services, technology, employment, software development, cybersecurity, telecommunications, and academic sectors.

New premier member, Capital One, joins the OpenSSF Governing Board. New general member commitments come from Akamai, Indeed, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, and ZTE Corporation. New associate members include Eclipse Foundation, Purdue University, and TODO Group. "We are excited to welcome new members to the OpenSSF," says Brian Behlendorf, General Manager of OpenSSF. "As open source software security vulnerabilities continue to draw attention from governments and businesses around the world, interest in the work of the OpenSSF has been rapidly increasing."

"A growing community of organizations, developers, researchers, and security professionals are investing the time and resources needed to strengthen open source security," said Jamie Thomas, OpenSSF Board Chair and IBM Enterprise Security Executive. "New members of OpenSSF are joining at a time when cross-industry collaboration and innovation are needed more than ever to proactively respond to pervasive cybersecurity threats."

Resolving the systemic issues that led to major security vulnerabilities like the Log4Shell incident emphasizes the urgency and importance of the work of OpenSSF. A recent Cyber Safety Review Board report declared that Log4j has become an "endemic vulnerability" that will be exploited for years to come and that the 10-point mobilization plan introduced earlier this year at the Open Source Software Security Summit II by the OpenSSF will improve the resiliency and security of open source software.

OpenSSF will host a full day of sessions on Tuesday, Sept. 13, at OpenSSF Day EU on the eve of Open Source Summit Europe (OSS EU) in Dublin. Working Group leaders and community members will host sessions, panels, and fireside chats about ongoing work to secure the software supply chain and the future of open source security. Registration and attendance are free for all those attending the OSS EU.

Premier Member Quote

Capital One

"Today some of the most groundbreaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world's technology leaders as we collaborate to strengthen the software security supply chain. As a highly regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenSSF mission and give back to the open source community."

General Member Quotes

Akamai

"Improving the security of open source software so central to the internet ecosystem is one of the most critical security challenges we face today. Only by gaining visibility into the network and the software supply chain can we reliably address security flaws when they occur at the code level. The technology community must support the open source communities we depend on with financial and technological resources to limit our collective risk. As a leading security and cloud services provider, we look forward to contributing to the Open Source Security Foundation and helping to advance this important work."

Kasten by Veeam

"We are honored to be part of the Open Source Security Foundation (OpenSSF) and champion this initiative alongside our peers. Kasten by Veeam has an open source heritage, and with Kubernetes data protection as our core offering, security remains a critical underpinning for Kasten K10 design and implementation. As Kubernetes adoption continues to fuel Digital Transformation journeys for enterprises, more attention is rightfully being placed on security, especially with the inexorable rise of ransomware attacks. Kasten by Veeam is committed to ensuring the security and data protection of cloud native environments to better protect business applications."

Scantist

"On one hand, the software industry is benefiting substantially from the rapid growth of open source, which has become the basic building blocks of the digital world. On the other hand, open source security is becoming more critical and all these risks are multiplied by the interdependent nature of open source. Now as a member of OpenSSF, we would like to contribute to the OpenSSF missions based on our recent research on open source ecosystem analysis to provide a quantitative view to understand the complexity and security of open source. We want to become the active participant, evangelist and ambassador for OSS governance in southeast Asia to promote open source software supply chain security."

SHE BASH

"Since our inception, SHE BASH has witnessed a variety of predatory industry practices that get shielded from extensive scrutiny via the protective veil of closed source. At our core, open source software is a public institution that enables everyone to build their future.

"The combination of decades of apathy and the incentive mechanisms that sustain a culture of 'don't care' has allowed our company to stand out among tech's largest and most culpable companies. We have always considered 'best practice first' as one of the main value propositions we can provide as a company, albeit a small one. Open Source Software provided us the level playing field to make differences in key technological shifts within the public sector, and the evolution of these shifts are the development of best practices born from the open source that sustains all software life today. It's a true honor to be of assistance to the work OpenSSF is leading to remedy large structural mistakes that grew from decades of neglect."

Socket Security

"As maintainers of open source packages which are installed over 1 billion times per month, the Socket team is intimately familiar with the massive growth in open source dependency usage. Modern applications use thousands of dependencies written by hundreds of maintainers, and installing even one package leads to dozens of transitive dependencies coming along for the ride. Unfortunately, it is far too easy for a bad actor to infiltrate the software supply chain and wreak havoc. That's why Socket is proud to join OpenSSF and do our part to make open source safe for everyone with our industry-leading approach to software composition analysis which is used by thousands of companies to detect and prevent supply chain attacks. The Socket team is excited to work with other OpenSSF member companies to safeguard the open source ecosystem for everyone."

Sysdig

"Sysdig is proud to be part of OpenSSF and work together to help guide open source security standards and secure the software supply chain. As a cloud security company built on open source, we believe the industry must come together to strengthen software for the common good. Having created and contributed Falco to the CNCF to help secure the runtime, we look forward to continuing open collaboration in the OpenSSF. The future of security is open, and what we do now will shape software forever."

Timesys

"With software supply chain breaches up more than 650%, securing the software supply chain is a big focus. We've been working for more than 5 years developing technology to help secure, monitor, and maintain open source-based embedded Linux and Android devices from exposures and vulnerabilities. We are so excited to be joining up on this community effort with OpenSSF and to be a part of the Linux Foundation again. By sharing technology and collaborating to build ecosystems that accelerate open-source technology development, device manufacturers and consumers everywhere will be able to rest easier knowing they are secure."

ZTE Corporation

"We are very pleased to join the OpenSSF. As a world-leading communication equipment manufacturer, more and more open source software is used by us. While actively embracing open source software, it also brings unprecedented risks to software supply chain security. ZTE Corporation has made many efforts to control and manage risks, and regard them as our top priority. After joining the OpenSSF, ZTE Corporation works with a group of members with similar visions and goals to promote the development of open source software supply chain towards a more secure direction."

Additional Resources

About OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain - DARKReading

How W4 plans to monetize the Godot game engine using Red Hat's open source playbook – TechCrunch

A new company from the creators of the Godot game engine is setting out to grab a piece of the $200 billion global video game market, and to do so it's taking a cue from commercial open source software giant Red Hat.

Godot, for the uninitiated, is a cross-platform game engine first released under an open source license back in 2014, though its initial development pre-dates that by several years. Today, Godot claims some 1,500 contributors, and is considered one of the world's top open source projects by various metrics. Godot has been used in high-profile games such as the Sonic Colors: Ultimate remaster, published by Sega last year as the first major mainstream game powered by Godot. Tesla, too, has apparently used Godot to power some of the more graphically intensive animations in its mobile app.

Among Godot's founding creators is Juan Linietsky, who has served as head of development for the Godot project for the past 13 years, and who will now serve as CEO of W4 Games, a new venture that's setting out to take Godot to the next level.

W4 quietly exited stealth last week, but today the Ireland-headquartered company has divulged more details about its goals to grow Godot and make it accessible for a wider array of commercial use cases. On top of that, the company told TechCrunch that it has raised $8.5 million in seed funding to make its mission a reality, with backers including OSS Capital, Lux Capital, Sisu Game Ventures and, somewhat notably, Bob Young, the co-founder and former CEO of Red Hat, an enterprise-focused open source company that IBM went on to acquire for $34 billion in 2019.

But first, what is a game engine, exactly?

Godot editor demo. Image Credits: Godot

In simple terms, a game engine serves up the basic building blocks required for developers to create games, and may include anything from renderers for 2D or 3D graphics to scripting and memory management. It's basically a software framework that developers can use and reuse without having to reinvent the wheel with each new game they create.

"This allows developers to utilize pre-made functionality that is common to most games when creating their own, and only create the parts that make the game unique," Linietsky explained to TechCrunch.

While many companies, particularly larger game studios, develop their own engines in-house, as games and the associated development processes have become more complex, third-party general purpose game engines have grown in popularity. This includes long-established incumbents such as Unity, developed by tech powerhouse Unity Software, which is currently in the process of merging with IronSource.

One reason why a studio might use a third-party game engine is to cut down on in-house development costs, but a trade-off here is that it then has to work with a gargantuan code-base over which it has limited control. And that is why Godot has gained some fans through the years: as an open source project, it gives developers an oven-baked game engine that they can tweak and fine-tune to their own needs, with improvements pushed back to the development community for everyone to benefit from.

"The result is reduced development costs and more freedom to innovate," Linietsky said. "Godot brings to the game industry the same benefits that enterprise software has been enjoying from it [open source software] for decades."

Red Hat Inc. signage is displayed outside the New York Stock Exchange (NYSE). Image Credits: Bloomberg / Getty Images

Anyone who has even remotely paid attention to the technology sphere over the past decade or so will have noticed that open source is now big business. The likes of Elastic and Cockroach Labs have built billion-dollar businesses off the back of open source projects, while Aiven recently hit double-unicorn status for a business that helps enterprises make the most of open source technologies in cloud environments.

But Red Hat, arguably, remains one of the biggest success stories from the open source world, selling enterprises premium support and services for some of the world's biggest community-driven projects, from Linux to Kubernetes.

"Companies like Red Hat have proven that with the right commercial offerings on top, the appeal of using open source in enterprise environments is enormous," Linietsky said. "W4 intends to do this very same thing for the game industry."

It's an interesting parallel, for sure, and one that seems pretty obvious when presented with such a comparison. Linux's open source credentials were what led it to become the leading operating system for web servers, while Android's mobile market share dominance can substantively be attributed to its Linux kernel base. Elsewhere, other open source projects such as Kubernetes are powering enterprise adoption of microservices and container technologies.

In truth, Godot is nowhere near having the kind of impact in gaming that Linux has had in the enterprise, but it's still early days, and this is exactly where W4 could make a difference.

"We expect Godot to take the same route in the game industry as other open source software has taken in the enterprise, which is to slowly become the de facto standard," Linietsky continued. "It is very difficult for companies that create proprietary software to compete with the massive talent pool that popular open source projects have, and unappealing for software users to concede the freedom to use software as they please to a third-party entity."

On top of that, having one of Red Hat's original founders on board as an investor can only be construed as a major coup for a startup that is just eight months old.

"Bob is an incredible human being who helped create a whole new type of business where nobody expected it was possible," Linietsky continued. "He identified the opportunity for Godot and W4 as very similar to Linux and Red Hat two decades ago, and has been very kind to share his wisdom with us, as well as becoming an investor in our company."

Concept illustration depicting technical support. Image Credits: Macrostore / Getty Images

W4's core target market will be broad: it's gunning for independent developers and small studios, as well as medium and large gaming companies. The problem that it's looking to solve, ultimately, is that while Godot is popular with hobbyists and indie developers, companies are hesitant to use the engine on commercial projects due to its inherent limitations. Currently, there is no easy way to get technical support, discuss the product's development roadmap, or access any other kind of value-added service.

But perhaps more importantly, while Godot is touted as a cross-platform game engine spanning the web, mobile and desktop, it has hitherto lacked direct support for games consoles. The reason for this is that, as an open source project released under a permissive MIT license, Godot can't provide support for consoles because it wouldn't be allowed to publish the code required to interact with the proprietary hardware: game studios that develop for consoles have to sign strict non-disclosure agreements. Plus, console makers will only work with registered legal entities, which Godot is not.

Put simply, Godot can't be a community-driven open source project and support consoles at the same time. But there are ways around this, which is why W4 hopes to make money by offering a porting service to help developers convert their existing games into a console-compatible format.

"W4 will offer console ports to developers under very accessible terms," Linietsky said. "Independent developers won't need to pay upfront to publish, while for larger companies there will be commercial packages that include support."

Elsewhere, W4 is developing a range of products and services which it's currently keeping under wraps, with Linietsky noting that they will most likely be announced at the Game Developers Conference (GDC) in San Francisco next March.

"The aim of W4 is to help developers overcome any problem developers may stumble upon while trying to use Godot commercially," Linietsky added.

It's worth noting that there are a handful of commercial companies out there already, such as Lone Wolf Technology and Pineapple Works, that help developers get the most out of Godot, including console porting. But Linietsky was keen to highlight one core difference between W4 and these incumbents: its expertise.

"The main distinctive feature of W4 is that it has been created by the Godot project leadership, which are the individuals with the most understanding and insight about Godot and its community," he said.

Of Godot's 1,500 or so contributors, 10 are more-or-less permanent hires, paid via community donations. Similarly, W4's current team of 12 largely consists of long-standing Godot contributors, spread across eight different countries in the Americas and Europe. This is much like how other companies built on an open source foundation started out, including Red Hat and WordPress.com's parent Automattic, which was one of the most well-known distributed companies out there long before the remote-work revolution came along in 2020.

Indeed, distributed work is one of the core defining characteristics of open source software development. By way of example, Linietsky is based in Spain, while co-founder and COO Rémi Verschelde works from Denmark. The other two founders, CTO Fabio Alessandrelli and CMO Nicola Farronato, operate from different locations in Italy.

But every legal entity needs to choose somewhere as its corporate home. Similar to many tech companies, W4 chose Dublin, Ireland as its official HQ, though this presence is really just on paper.

"We are based in Ireland because two of the co-founders have previously established there, have relatives and are very familiar with the Irish ecosystem," Linietsky said.

How W4 plans to monetize the Godot game engine using Red Hat's open source playbook - TechCrunch

'Secure Open Source Rewards' to help in preventing assaults on the software supply chain. Check out how! – Economic Times

The SOS.dev 'Secure Open Source Rewards' initiative aims to help prevent attacks on the software supply chain by incentivising researchers to contribute security improvements to essential open source projects.

The new initiative rewards developers and security experts who harden the open source software on which crucial infrastructure depends. According to its backers, Secure Open Source Rewards covers more ground than today's bug bounty schemes.

By encouraging academics and developers to make security changes, the programme would "harden vital open source projects" and aid in protecting against application and software supply chain threats.

Save Our Software

Projects are selected for Secure Open Source Rewards according to the NIST definition of critical software, the scope of the security enhancements and the number of users who stand to benefit.

Rewards range from $505 for simple changes to $10,000 or more for "complex, high-impact and enduring enhancements that virtually surely avert severe vulnerabilities". SOS.dev says it will add further categories of improvement as the programme develops.

Million Dollar Funding

In contrast to traditional bug bounty programmes, Secure Open Source Rewards pays developers for security enhancements rather than only for reported vulnerabilities. Additionally, it will provide a small amount of up-front funding for projects seeking to enhance security over the long term.

The initiative comes as businesses plan to improve the security of their most important apps and infrastructure. Software supply chains are receiving more attention, particularly the significance of key open source components throughout the ecosystem.

"We will continue to see significant breaches resulting from software supply chain attacks if we don't take action right away to address these Achilles' heels. Supply chain security starts with the original contributor and the security of their coding standards, computing environment and build systems," said Andrew Martin, CEO at ControlPlane and CISO at OpenUK.

Disclaimer: This content is authored by an external agency. The views expressed here are that of the respective authors/ entities and do not represent the views of Economic Times (ET). ET does not guarantee, vouch for or endorse any of its contents nor is responsible for them in any manner whatsoever. Please take all steps necessary to ascertain that any information and content provided is correct, updated and verified. ET hereby disclaims any and all warranties, express or implied, relating to the report and any content therein.

Secure Open Source Rewards' to help in preventing assaults on the software supply chain. Check out how! - Economic Times

Free Dev Tools! But What's the Catch? – DevOps.com

Software companies, especially young startups, are always in a development race: by definition, they are trying to maximize achievements and minimize their burn rate. That means development teams naturally face an internal tug-of-war. On one hand, they seek to use the newest dev tools that the market can offer, to make their applications better (more secure, more efficient and compliant with the latest standards). On the other hand, they cannot spend money on such tools since they need to save every penny. With the current economic climate, many new investments are being delayed or, at minimum, double-checked.

To appeal to developers, many vendors and software development tool companies offer freemium programs. Some are driven by the spirit and the goodwill of open source and community; others are business-to-developer (B2D) companies relying on the product-led growth (PLG) mode. If developers see value in the free tools, they are more likely to become paying customers later on to get access to more features.

Here, we'll review the common parameters of popular free developer tools and distinguish their services between the free tier (aka the community tier), the entry-level paid tier and other paid program offerings. We'll look at tools for observability, logging, vulnerability scanning, compliance, authentication and VPNs.

Logs are considered to be one of the three pillars of observability and are the bread and butter of troubleshooting and debugging. The more lines of code you have in your product, the more log lines you collect, store and aggregate. Log accumulation can quickly get out of hand and become very heavy on the budget. One log aggregation vendor, Sumo Logic, provides a freemium offer that allows log collection of up to one gigabyte per day. If you need more volume, you can move to their paid tier that allows for higher volumes, or pay more for no limits at all.

Transactions and tests are probably the most important features of a freemium offer. The offer involves the core product with a quantity limitation, giving you a chance to try it through practical use, but you'll probably have to move up quickly into the first paid tier. Snyk.io, for example, will help you scan your open source dependencies for flaws, alongside container vulnerabilities, as early as code creation, with up to 200 open source tests and 100 container tests per month.

It's one thing to play with, say, a free AutoCAD seat that doesn't involve sensitive data and another thing entirely to draft the next-generation design that must not leak to your competitors. Security and compliance certification is often included in the freemium tiers; more detailed reports and analysis of security and compliance are for the paying tiers only.

Having a free tool is great, but if this tool is bound to a proprietary service, then you should probably demand that it meet the same standards and SLAs that you are offering your customers. Observability platform Rookout offers 24/7 support and dedicated account managers and tools for enterprise customers in all tiers.

One key aspect of free tiers is the legal side of using the tool. The dev tool may interact with sensitive data, not only in your own dev environment but also in your customers' environments. Your customers may require your dev operations to meet specific criteria, making the free tier a potential legal issue. For example, if you use the free tier of JFrog to manage your supply chain, you won't be able to use Artifactory to publish data to third parties; should you want to do that, you will have to move to one of the paid commercial programs.

Some free tools operate on a usage model: you are entitled to a free tier until a certain number of users or actions is reached. Auth0, for example, a user authentication solution (now part of Okta), provides its service free of charge for up to 7,000 users (generous!), but should you grow beyond that, you'll need to graduate to a paid tier and be charged according to your monthly usage.

Some free and freemium offerings are limited by connectivity speed, bandwidth and even VPN access. Today, you can even get a secure VPN for free, but only up to a specific threshold. For example, ProtonVPN will provide you with a free VPN at medium speed; if you want the highest-speed VPN servers, you'll need to move to a paid tier.

In most cases, the freemium tier will limit a dev tool's usage according to one or a few main characteristics but will allow you to perform the basic actions and enjoy the essence of the tool. Some parameters may be trivial, like the volume of tests, while others require developers and DevOps teams to carefully monitor usage. There's a lot of value in free and freemium dev tools, but make sure you read the fine print.

Free Dev Tools! But What's the Catch? - DevOps.com

This Company is Aiming to Do to the Guest what VMWare and AWS Did to the Host – GeekWire

AWS currently has over a $70B run rate, so it may come as a surprise to some people that most workloads running on it use an operating system that is 30 years old and is essentially the same as an even older operating system that is 50 years old. This operating system was built for real physical computers, not the virtual ones that developers spin up on Amazon and Google Cloud. Of course, we are talking about Linux.

You'd think that after 30 years there might be different views on running those workloads, and NanoVMs thinks so, with its various commercial offerings and its flagship open source Nanos unikernel.

NanoVMs claims to be able to run workloads such as Go and Rust web servers up to 200% faster on GCP and up to 300% faster on AWS, all with no users, no passwords, no shells and no remote access of any kind. In fact, the unikernel acts as its own operating system that runs one and only one application, rather than any other program an attacker might want to run.

NanoVMs has revenue from over ten different countries with customers in production for over two years now. They built their advanced R&D with backing from early investors such as Initialized Capital, Bloomberg Beta and famed cybersecurity investors such as Ron Gula from Gula Tech Ventures. They have multiple grants from the National Science Foundation, the Department of Energy and the US Air Force.

How big a market do they operate in, though? The devops market is approaching $15B, exploding to $30B in the next five years, while cybersecurity is reaching over $100B in the next few years. Unikernels represent a unique category creation, as their end-users are clearly devops professionals, yet they bring security benefits you won't find in the conference halls of BlackHat or RSA. The ecosystem has very deep moats as well, as at the end of the day, even though it's Linux binary compatible, it is a new operating system.

GitHub alone boasts 83M software developers, and in order to get the word out about the technology NanoVMs has launched an equity crowdfunding campaign that allows ordinary investors to invest in the company.

However, it would be wrong to speak of just the number of software engineers. Many tech companies are now built on open source software, each with their own massive valuations. Whether it's MongoDB, Elasticsearch, Redis Labs, Confluent or Databricks (the list is seemingly endless), it all runs on open source software, and guess what operating system that code runs on? That's right, Linux. Even without modifying any of the code, many of these companies' projects run faster and safer as a unikernel than on Linux. If you do a quick Google search you'll see there are easily north of ten different vendors for something like Elasticsearch. The fact that even one vendor for one software application can potentially cause a lot of ruckus hints at the amount of turbulence this technology is going to generate. The TAM for this market, existing software being provisioned as unikernels, is explosive and volatile, as now all these vendors have a new path to build better software and provide deep value differentiation.

Google published a series of papers that eventually turned into a book called The Datacenter as a Computer: An Introduction to the Design of Warehouse-Scale Machines. In it Google details how they operate entire warehouses filled with row upon row of racks on top of racks of servers and treat it as a single entity. Unikernels deal with the reality that the cloud, for many companies, is the new operating system even though developers still micromanage hundreds to thousands of fake virtual machines pretending they are real even if the intention is to only run a single application.

There is a new age of virtualization finally breaking the shackles of decades of stagnation in the operating system space. Unikernels aren't just providing better security and higher performance at a lower cost; they are breaking long-standing barriers that applications have been constrained by because of their dependence on systems built and architectures designed, in some cases, before the software developers using them were even born.

To learn more about NanoVMs or about how you might invest, check out https://invest.nanovms.com.

This Company is Aiming to Do to the Guest what VMWare and AWS Did to the Host - GeekWire