BMW Group Joins the Linux Foundation’s Yocto Project – PR Newswire

The German carmaker formalizes its contributions with membership in the project that helps developers build custom Linux-based systems

SAN FRANCISCO, July 15, 2022 /PRNewswire/ -- The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced that BMW Group is joining the Yocto Project as a member.

BMW Group's membership restates their commitment to work with, and in, sustainable ecosystems and software and to support open source and key tools they use to build their products. The Yocto Project welcomes this support and looks forward to benefiting from their input and experience. They are joining other members including Intel, Comcast, Arm, Cisco, Facebook (Meta), Xilinx, Microsoft, Wind River, and AWS.

With the rise of devices and sensors being used across every industry, developers today require a common set of tools that help them manage software stacks, configurations, and best practices tailored for Linux images for embedded and IoT devices. Over the last decade Yocto Project has been tuned for this purpose and today is the de facto set of tools for building and supporting a new generation of devices. In short, it helps developers create custom Linux-based systems regardless of the hardware architecture.

The Yocto Project has grown significantly since it was created, rising to the constantly evolving challenge of building custom operating systems for products in a maintainable and scalable way. The project leads in build system technology with bitwise identical build output every time, advanced software manifests, license handling capabilities, and strong binary artifact reuse among many other developments. Yocto Project 4.0 (aka Kirkstone) was released in April. Based on Linux kernel 5.15, glibc 2.35, and roughly 300 other recipe upgrades, Yocto 4.0 supports SPDX SBOM generation and is the latest Long Term Support (LTS) release.

"Recognising sustainability in the context of open source is an extremely welcome development, and we look forward to working more closely with BMW Group to further enhance the project," said Richard Purdie, Linux Foundation Fellow. "We hope that others will follow their lead in sustainability and together we can strengthen and allow open source projects to reach their full potential."

For more information about the Yocto Project, please visit: https://www.yoctoproject.org/

About BMW Group

The BMW Group is the world's leading premium manufacturer of automobiles and motorcycles with its BMW, MINI, Rolls-Royce, and BMW Motorrad brands, and a provider of premium financial and mobility services. The BMW Group production network comprises 31 production and assembly plants in 15 countries; the company has a global sales network with representatives in over 140 countries.

Long-term thinking and responsible action are the basis of economic success. Ecological and social sustainability, comprehensive product responsibility and a clear commitment to conserving resources are therefore an integral part of our strategy.

About Yocto Project

The Yocto Project is an open source collaboration project that creates highly customisable, maintainable, and scalable Linux-based systems primarily for embedded and IoT projects, regardless of the hardware platform and product. For additional information, please visit yoctoproject.org or contact us.

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: http://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. Other names and brands may be claimed as the property of others.

Contact: Dan Whiting, 202-531-9091, [email protected]

SOURCE Yocto Project


Free and Open Source Software (FOSS) – UNESCO

Software plays a crucial role in access to information and knowledge;

Different software models, including proprietary, open-source and free software, have many possibilities to increase competition, access by users, diversity of choice and to enable all users to develop solutions which best meet their requirements;

The development and use of open, interoperable, non-discriminatory standards for information handling and access are important elements in the development of effective infostructures;

Community approaches to software development have great potential to contribute to operationalizing the concept of Knowledge Societies;

The Free and Open Source Software (FOSS) model provides interesting tools and processes with which people can create, exchange, share and exploit software and knowledge efficiently and effectively;

FOSS can play an important role as a practical instrument for development as its free and open aspirations make it a natural component of development efforts in the context of the Sustainable Development Goals (SDGs);

Consistent support plays an important role in the success and sustainability of FOSS solutions;

All software choices should be based upon the solution's ability to achieve the best overall return on technology investments.


Know Your Enemy and Yourself: A Deep Dive on CISA KEV – Security Boulevard

Why your real-world firmware risk is way bigger than you think

In November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) began publishing its Known Exploited Vulnerabilities Catalog (KEV). The catalog is designed to help government agencies and private sector organizations prioritize the vulnerabilities known to be actively exploited by malicious actors; as of June 22, 2022, it contains 778 actively exploited CVEs, encompassing 20 years of computing (2002-2022). In fact, CISA recommends these KEVs be addressed even prior to other High or Critical vulnerabilities that are not yet known to be exploited, citing the fact that less than 4% of vulnerabilities are ever exploited in the wild. With more than 20,000 CVEs discovered in 2021 alone, the KEV gives organizations a highly distilled list of vulnerabilities that are most likely to have a real-world impact based on observed actions in the wild.

So important are the KEVs that a new Binding Operational Directive 20-01, Develop And Publish A Vulnerability Disclosure Policy, requires Federal Civilian Executive Branch agencies (aka FCEBs) such as the DOJ, DOT, DHS, DOE, GSA, SEC etc. to implement entire vulnerability management programs built around it, along with auditable documentation that is publicly visible to all. An example of the changes enforced by this order is the DOJ's VDP page, which outlines the DOJ's Vulnerability Disclosure Program.

Note that while the BOD does not directly require private/commercial entities that sell into these FCEBs to create a VDP and prioritize KEVs, it is suggested that they might do so.

Although not bound by BOD 22-01, every organization, including those in state, local, tribal, and territorial (SLTT) governments and private industry can significantly strengthen their security and resilience posture by prioritizing the remediation of the vulnerabilities listed in the KEV catalog as well.

Security trust and parity across organizations and the vendors that sell their software and devices into them is paramount to national security. Private organizations would be wise to leverage the significant DFIR telemetry, FBI and Fusion Center telemetry, researcher and trust-community initiatives in place, and the overall publicly funded effort it takes to curate the KEVs; as a defensible, actionable, and structured approach to vulnerability risk management.

CISA itself does not yet categorize the vulnerabilities, so we augmented their list by assigning categories to each vulnerability to get a better understanding of the types of assets and code that threat actors are targeting the most.

By categorizing each vulnerability, we are able to identify exploitation trends over the last 20 years which gives some perspective into the evolution of attacker targets.

Trended over time, it is no surprise to see the number of actively exploited vulnerabilities increasing year over year, and it's important to note that CISA adds vulnerabilities as exploitation is detected. As a result, the number of exploited CVEs in a previous year could climb based on the data CISA has available.
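The categorization and trending described in the preceding paragraphs can be reproduced over the public KEV feed with a short script. The following is an added example, not code from the Security Boulevard post or from Eclypsium. It assumes the field names of the CISA KEV JSON feed (a "vulnerabilities" array whose rows carry cveID, vendorProject, product, vulnerabilityName and dateAdded); the sample rows are constructed for this example (their dateAdded values are illustrative placeholders, not copied from the catalog), and the keyword rules are a hypothetical starting point that a team would refine against the real feed. It also shows the point made above about counts for earlier years growing: the same rows are trended once by the year in the CVE identifier and once by the year CISA added them.

```python
"""Categorize CISA KEV entries and trend them by year.

Added example; not the article's or Eclypsium's code. Assumes the field
names of the CISA KEV JSON feed ("vulnerabilities" array with cveID,
vendorProject, product, vulnerabilityName, dateAdded). Sample rows below are
constructed; dateAdded values are placeholders, not real catalog dates.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample in the feed's shape. CVE identifiers are ones the article
# names (plus a Fortinet FortiOS entry as a firmware/network-device example);
# vulnerability names and dateAdded values are illustrative only.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
     "vulnerabilityName": "FortiOS SSL VPN Path Traversal", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-21224", "vendorProject": "Google", "product": "Chromium V8",
     "vulnerabilityName": "Chromium V8 Type Confusion", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-28550", "vendorProject": "Adobe", "product": "Acrobat and Reader",
     "vulnerabilityName": "Acrobat Reader Use-After-Free", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2022-22960", "vendorProject": "VMware", "product": "Multiple Products",
     "vulnerabilityName": "VMware Privilege Escalation", "dateAdded": "2022-04-15"},
    {"cveID": "CVE-2022-26134", "vendorProject": "Atlassian",
     "product": "Confluence Server and Data Center",
     "vulnerabilityName": "Confluence OGNL Injection", "dateAdded": "2022-06-02"},
]})

# Hypothetical, ordered keyword rules: the first matching category wins, so
# firmware/network-device terms are checked before generic ones like "server".
CATEGORY_RULES = [
    ("firmware", ("fortios", "firmware", "bios", "uefi", "router", "firewall", "vpn")),
    ("virtualization", ("vmware", "hypervisor", "esxi", "container")),
    ("web browser", ("chrome", "chromium", "firefox", "safari", "internet explorer")),
    ("server software", ("server", "exchange", "confluence", "data center")),
    ("operating system", ("windows", "ios", "android", "linux kernel", "macos")),
    ("end-user application", ("acrobat", "reader", "office", "whatsapp")),
]

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def load_kev(text):
    """Parse KEV-shaped JSON text (the downloaded feed or the sample above)."""
    return json.loads(text)["vulnerabilities"]


def categorize(entry):
    """Assign a category from vendor, product and vulnerability name.

    Whole-word matching avoids substring accidents such as "ios" inside "bios".
    Rows that match no rule are flagged for manual review.
    """
    haystack = " ".join(
        str(entry.get(k, "")) for k in ("vendorProject", "product", "vulnerabilityName")
    ).lower()
    for category, keywords in CATEGORY_RULES:
        if any(re.search(r"\b" + re.escape(kw) + r"\b", haystack) for kw in keywords):
            return category
    return "uncategorized"


def cve_year(cve_id):
    """Year from the CVE identifier, or None for non-CVE ids such as MS17-010."""
    m = CVE_RE.match(cve_id.strip())
    return int(m.group(1)) if m else None


def category_totals(entries):
    """Overall count per category across the whole catalog."""
    return Counter(categorize(e) for e in entries)


def trend(entries, by="cve"):
    """Per-year category counts.

    by="cve"   -> year in the CVE id (when the flaw was assigned an id)
    by="added" -> year CISA added it to KEV (when exploitation was recognised)
    The difference between the two views is why an earlier year's total can
    still climb as CISA adds newly observed exploitation of old CVEs.
    """
    per_year = defaultdict(Counter)
    for e in entries:
        year = cve_year(e["cveID"]) if by == "cve" else int(e["dateAdded"][:4])
        per_year["unknown" if year is None else year][categorize(e)] += 1
    return dict(per_year)


if __name__ == "__main__":
    rows = load_kev(SAMPLE_KEV_JSON)
    print("totals:", dict(category_totals(rows)))
    for view in ("cve", "added"):
        print(f"by {view} year:")
        for year in sorted(trend(rows, by=view), key=str):
            print(f"  {year}: {dict(trend(rows, by=view)[year])}")
```

To run it against the live catalog, replace SAMPLE_KEV_JSON with the text of the downloaded feed; anything that lands in "uncategorized" is the review queue for extending the keyword rules, which is the manual step the authors describe.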

In terms of categories, firmware led the way overall, followed by server software, operating systems, and web browsers. Let's analyze each category in more detail.

While the prevalence of firmware-based CVEs may be a surprise to some, it is a reflection of the large-scale shift of adversaries targeting firmware within enterprise and network infrastructure. It's also important to note that the numbers aren't skewed simply due to an anomalous spike in the data. Firmware has been one of the leading categories of vulnerabilities over the past 5 years and continues to be thus far for 2022. Firmware is the leading category over virtually any time horizon we choose.

This is a troubling trend for many organizations given that traditional vulnerability management programs often don't reach down to the firmware level. Firmware makes up the foundation of modern computing, running on every device before the operating system even loads. Every computer contains multiple components like CPU, memory, network adapter, video cards, and hard drives, and each of these components contains firmware that is difficult to monitor because it runs at a level below the operating system. The compromise of firmware can provide an attacker with persistent access, even if the operating system is fully reinstalled or even if the hard drives are replaced.

While it is one thing to acknowledge that these firmware vulnerabilities are known to be exploited, it is quite another to realize that the actors behind these active attacks are some of the most prolific and notorious there are, responsible for some of the longest-running campaigns against both government and critical infrastructure. While the table of KEVs does not specifically attribute a given exploited vulnerability to a given actor, it is easy enough to infer by reviewing the long list of recent CISA advisories, or even their high-level Shields Up! initiative. There, the reader can gain much deeper insight into the campaigns and TTPs (Tools, Tactics, Procedures) that leverage these vulnerabilities to meet their objectives: well-known Russian and Chinese nation-state sponsored attacks, cyber criminal and ransomware actor groups, and attacks against our software supply chain, managed service providers, telecom infrastructure, hospitals and more. The initial vector into the attacked organizations is more often than not the firmware of externally-facing devices such as routers, firewalls, VPN devices, and SOHO devices. Equally apparent is that these same actors are also leveraging vulnerable firmware on devices internal to the network in order to persist, gather credentials, tunnel C2 (command and control) and exfiltrate data.

Network devices also run firmware, and while they also run an operating system, unlike desktops and servers they lack the advanced security tooling deployed across many enterprises. Due to their mission criticality, they are extremely high-value targets as they can be leveraged to further breach a network, monitor or redirect traffic, or even shut down large parts of the Internet.

Servers are naturally high-value targets for attackers as they frequently store large amounts of sensitive data such as email, databases, code repositories, and customer data. In 2017, the MS17-010 vulnerability in SMB Server facilitated both the WannaCry and NotPetya cyber attacks, causing billions of dollars in damage, shutting down shipping ports, and impacting businesses worldwide. Likewise, threat actors have notably exploited vulnerabilities in Microsoft Exchange Server in order to steal confidential information and deploy ransomware. Most recently, the industry experienced widespread attacks against Atlassian Confluence Server by attackers using a previously unknown vulnerability (CVE-2022-26134) affecting all versions of Confluence Server.

Operating systems serve the end-user(s) and applications on a given device, and any compromises to the OS can give attackers access to data and privileges, and open additional vectors of attack. Threat actors can use this access to maintain persistence, move laterally to other hosts, steal data, and deploy ransomware.

Securing and monitoring operating systems for compromise has become a multi-billion dollar industry, evolving from basic antivirus software in the 1990s to current cloud-based solutions which monitor every action on the system in an attempt to catch patterns of events known to be malicious.

Operating system vendors have improved over the years in terms of providing automated updates to ensure that any vulnerabilities are mitigated quickly in order to reduce their exposure to threat actors. Yet in spite of these efforts, OS vulnerabilities continue to be popular with threat actors, including 42 vulnerabilities from 2021 alone. These vulnerabilities were mostly spread across versions of Windows operating systems and Apple's iOS.

As the majority of applications have shifted to the browser, so too has cybersecurity risk. Virtually all of a user's experiences are delivered through a browser, and users can easily use dozens or even hundreds of web-based sites and applications in a given day. This creates a target-rich environment for attackers, who can lure users into risky clicks or use automated exploit kits to deliver malware to vulnerable browsers.

Browser CVEs have proven to be popular in the wild with attackers. In particular, vulnerabilities in Google Chrome were found to be popular such as CVE-2021-21224, which was targeted by the Magnitude Exploit Kit.

End-user applications such as the Microsoft Office suite and Adobe Acrobat have long been targeted by attackers. Vulnerabilities in these applications can allow an adversary to gain code execution by luring users into opening a malicious file and have been a mainstay of phishing campaigns for many years. Notably, the KEV catalog includes the Microsoft vulnerability CVE-2022-30190, which can be exploited by an attacker even if the user does not open the malicious file.

In order to maximize their targets, attackers have naturally focused on applications that are virtually ubiquitous. This has made Adobe Acrobat and Acrobat Reader particularly popular targets. For example, the recent Adobe vulnerability, CVE-2021-28550, was first observed in the wild as a 0-day vulnerability, allowing attackers to gain arbitrary code execution on a victim device.

While much of modern computing runs in a web browser, users and organizations still rely on a variety of traditional desktop applications. Popular chat applications like WhatsApp have been targeted by companies like NSO Group, who famously used a zero-day exploit to compromise and subsequently spy on Amazon CEO, Jeff Bezos. The KEV catalog includes multiple WhatsApp vulnerabilities including CVE-2019-3568 and CVE-2019-18426, as well as vulnerabilities in common applications such as Team Viewer Desktop.

Open source software has become an essential part of modern application development, allowing developers to quickly integrate capabilities into their applications and projects. However, this widespread reuse of code means that vulnerabilities in open source projects can likewise be incorporated into countless applications. For example, the notorious Heartbleed vulnerability in the OpenSSL library affected hundreds of thousands of devices globally. More recently, in December 2021, a remote code execution vulnerability in the popular Log4j library came under widespread exploitation. A Neustar International Security Council (NISC) survey indicated an estimated 60% of organizations had been targeted through this vulnerability. CISA also released an alert on June 23rd 2022 warning organizations that malicious actors have been using the Log4j exploit to breach VMWare servers before moving laterally inside the network.

Additionally, attackers have begun employing a new tactic: inserting malicious code into popular libraries. While it is hard to quantify the number of successful attacks resulting from this tactic, GitHub has updated its advisory database to include malware found in open source projects.

Virtualization is a relatively new attack vector in computing, and due to the rapid rise of cloud computing and containerization is one that will likely increase. However, much like attackers have targeted the execution environment of operating systems, they can similarly target the virtual environments and containers that support modern workloads. Vulnerabilities in these areas are potentially significant as they can allow an attacker to escape the virtualized environment and gain control over the physical host. The recent exploitation of the VMware vulnerability, CVE-2022-22960, provides a case in point.

Ultimately, an organization's cybersecurity strategy must be informed by the risks and threats observed in the real world. CISA's KEV catalog is a powerful tool, arming security teams with insight into the vulnerabilities that matter most.

When it comes to firmware, there is an opportunity for organizations to see an area where they are likely under-appreciating their risk. The KEV data indicates that firmware has become a top target for real-world adversaries. This could be due to the powerful and strategic nature of firmware itself, or the fact that firmware often does not get updated and patched with the same rigor as other forms of code, or a combination of the two. However, regardless of the motivation, the data shows that firmware has consistently been an area of focus in real-world attacks, and it is up to security teams to build the processes to ensure the posture and integrity of their critical firmware.

For any questions regarding the data in this post, or to learn more about firmware security, please contact the Eclypsium team at [email protected].


CD Foundation Announces State of CD in 2022 Report, Opens Third Annual cdCon with New Project CDEvents, New… – DevOps.com

CD Foundation veteran Fatih Degirmenci joins as General Manager

San Francisco, June 7, 2022 -- The Continuous Delivery Foundation (CDF), the open source software foundation that seeks to improve the world's capacity to deliver software with security and speed, today announced its State of CD Report in 2022, a new project called CDEvents building a vendor-neutral specification for defining the format of event data, new members, and more. The announcement comes at the start of CDF's third annual cdCon (June 7-8, 2022). cdCon 2022 is being run as a hybrid event from Austin, TX.

State of CD Report in 2022

A key function of CDF is providing vendor-neutral data on key DevOps and development metrics showing where continuous delivery stands in 2022 and beyond. The Continuous Delivery Report Series started last year; this is the third report in the series.

Key findings include:

As of Q1 2022, less than a quarter (23%) of developers are not involved in any DevOps-related activities, indicating continued growth in the adoption of practices that increase an organization's ability to deliver software at high velocity.

47% of developers use either continuous integration or deployment but only one in five use both continuous integration and deployment approaches to automate all building, testing, and deployment of code to production.

There is an increase in DevOps adoption in every development sector. Mobile app development has now even leapfrogged desktop development, such is its shift in embracing DevOps approaches.

The full report is available for free: View the Report (PDF)

New Project CDEvents Hosted by CD Foundation

CDF recently announced it is hosting the CDEvents project, a vendor-neutral specification for defining the format of event data to provide interoperability across services, platforms and systems. Todays CI/CD systems do not talk to each other in a standardized way. Defining a standard set of specifications is critical in solving the interoperability issues across the continuous delivery (CD) ecosystem. Having a common format for events in the CD space will enable an ecosystem of tools to collect, store, visualize and analyze events across CD platforms. This will cover use cases like measuring DevOps metrics and performance and visualizing end-to-end workflows, from the initial development all the way to operations and remediation flows. The current release of the CDEvents specification is available here: https://github.com/cdevents

cdCon Kicks Off Today in Austin, TX

cdCon is a two-day virtual event running June 7-8, 2022, focusing on improving the world's capacity to deliver software with security and speed. This year's sessions are grouped into 3 channels: Technology Teams, Enterprise Leadership, and Open Source Communities. cdCon is sponsored by IBM, JFrog, Armory, CircleCI, OpsMx, Camunda, Capital One, CloudBees, Cloudsmith, Cloud Native Computing Foundation, Liquibase, Spacelift, and more.

The full cdCon schedule is available here: https://events.linuxfoundation.org/cdcon/program/schedule/

"We're excited to have our first physical event in two years. The pandemic has shown more than ever how important continuous delivery is to industries as they navigate industry and global changes. cdCon generates passionate participation and is a great platform for connecting with peers and understanding best practices," said Fatih Degirmenci, Continuous Delivery Foundation General Manager. "CDF is committed to providing a clear path for companies to participate in a vendor-neutral structure that can greatly improve organizations' abilities to deliver software securely and quickly. Come join us at cdCon, there's still time to register and participate virtually!"

Keynotes include industry experts and well-known specialists like Isaac Cory Doctorow, Science Fiction Author, Activist, and Journalist; Joe Sepi, Program Director of Open Tech, IBM; Melissa McKay, Developer Advocate, JFrog; Michael Stahnke, Vice President of Platform, CircleCI; Gopal Dommety, CEO, OpsMx; Brian Behlendorf, General Manager, Open Source Security Foundation; Grace Francisco, Vice President, Developer Relations Strategy & Experience, Cisco; Stephen Atwell, Principal Product Manager, Armory; Isaac Mosquera, Principal GTM Leader, Serverless, AWS; and Fatih Degirmenci, Continuous Delivery Foundation General Manager, The Linux Foundation.

CD Foundation Welcoming New Members

Cloudsmith, Spacelift, Stackhawk and Tenable are joining the CD Foundation as new members. They join premier members AWS, Armory, CloudBees, Fujitsu, Google Cloud, Huawei, JFrog, Netflix, and Red Hat, as well as the broader open source CI/CD community, in helping to strengthen the growth and evolution of continuous delivery models.

Cloudsmith: Cloudsmith is a cloud-native, global, universal artifact management platform for engineers looking to set up a secure artifact repository in 60 seconds. Cloudsmith is a Belfast-headquartered startup that has raised $15 million in Series A funding. This is the largest ever Series A funding round in Northern Ireland.

"We are delighted to join the CD Foundation. How companies deliver software securely and quickly is key to their success, and we believe joining will provide even more value to our customers by connecting us to the broader community of continuous delivery companies and developers around the world," said Lee Skillen, Co-Founder & CTO, Cloudsmith. "The future of cloud-native software delivery, artifact management and the whole supply chain is critical to industries everywhere, so we are excited to contribute our knowledge of continuous packaging to it."

Spacelift: Spacelift focuses on collaborative infrastructure for modern software teams to manage cloud, infrastructure, or services. Its platform uses Terraform, CloudFormation, Pulumi, and Kubernetes, offering features such as runtime configuration, version management, and state management. They are backed by Insight Partners, Blossom Capital, Hoxton Ventures and Inovo Venture Partners.

"We are excited to join the CD Foundation. Spacelift provides a collaboration and automation layer for infrastructure as code, and we focus on openness, flexibility, and customization. We believe this fits well with the CD Foundation, and by contributing to the direction of open-source CI/CD development through the CD Foundation, our customers will benefit," said Sean O'Dell, Head of Developer Relations at Spacelift. "By inviting infrastructure, security, compliance, and platform teams to collaborate on and approve workflows and policies, you can improve your infrastructure delivery platform."

StackHawk: StackHawk helps developers find and fix application security bugs as part of software delivery. StackHawk makes security part of the developer workflow by running automated security testing in CI/CD and notifying developers immediately about new security issues as they emerge. StackHawk recently announced it has raised $20.7 million as part of a series B funding round.

"With the rapid pace of software development, security teams are finding it more difficult to test for vulnerabilities on an ongoing basis. At StackHawk, we are placing the ability to resolve vulnerabilities in the hands of the developer, and we see the CD Foundation as a key partner to helping us expand our reach and more broadly address this issue of shifting security left in the development cycle," said Joni Klippert, co-founder and CEO at StackHawk. "We see the CD Foundation's ability to guide changes in software development as a strength that will help drive the reduction in security vulnerabilities that make it to deployment."

Tenable: Tenable is a cybersecurity company known as the creator of the vulnerability scanning software Nessus. Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies.

"As security is a critical component of open source software development and delivery, Tenable will provide expertise and guidance to the CD Foundation," said Glen Pendley, chief technology officer, Tenable. "The CD Foundation is uniquely positioned to help steer the course of security-focused development in the continuous delivery space. Tenable looks forward to collaborating with this community to enable end users to influence better solutions that drive value for our customers."

New General Manager Lead

CI/CD open source community leader Fatih Degirmenci has joined the CDF as its new General Manager. Fatih is not new to the CD Foundation. He participated in the very first public meeting during the Open Source Leadership Summit in California in March 2019 when the CD Foundation was announced. Since then, he's been heavily involved in the community, including special interest groups (SIGs) like the Interoperability SIG and Software Supply Chain SIG. He also served on the Technical Oversight Committee (TOC) as an end-user representative.

Fatih will work closely with the eight CDF-hosted projects (CDEvents, Jenkins, Jenkins X, Ortelius, Shipwright, Screwdriver, Spinnaker, and Tekton) and help members and the wider Continuous Delivery CI/CD community improve their software development security and speed when creating cloud-native, legacy infrastructure, mobile, IoT, and bare-metal applications.


About the Continuous Delivery Foundation

The Continuous Delivery Foundation (CDF) seeks to improve the world's capacity to deliver software with security and speed. The CDF is a vendor-neutral organization that is establishing best practices of software delivery automation, propelling education and adoption of CD tools, and facilitating cross-pollination across emerging technologies. The CDF is home to many of the fastest-growing projects for CD, including Jenkins, Jenkins X, Tekton, and Spinnaker. The CDF is part of the Linux Foundation, a nonprofit organization. For more information about the CDF, please visit https://cd.foundation

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage Linux is a registered trademark of Linus Torvalds.

Media Contact: Jesse Casman, Story Changes Culture, [email protected], 415-730-2793


Samsung teams up with Red Hat for memory software development – The Korea Herald

A rendered image of a server room (123rf)

Red Hat, an IBM subsidiary, is known for Red Hat Enterprise Linux, a commercial open-source Linux operating system distribution developed by the company.

Under the partnership, Samsung and Red Hat will jointly develop and validate software that runs on enterprise Linux or other open source operating systems for existing memory and storage products, as well as those under development.

This marks the first time that Samsung has joined forces with an open source software company for its semiconductor business. Samsung is the world's largest DRAM chip maker and runs the world's second-largest foundry business by capacity.

Along with the announcement, Samsung unveiled plans to launch the Samsung Memory Research Cloud, where Samsung and Red Hat develop and verify software solutions on server environments, and where customers and partners are able to match optimal software products with memory hardware products supplied by Samsung.

This comes amid disruptive changes to memory designs to keep pace with the growth of data to store for technological advances like artificial intelligence, augmented reality and the metaverse. Samsung said in a statement the industry is requiring more sophisticated software technologies in sync with the latest hardware advancements to achieve a memory chip technology breakthrough.

Marjet Andriesse, senior vice president and head of Red Hat Asia Pacific (left) and Bae Yong-cheol, executive vice president and head of the memory application engineering team at Samsung Electronics pose for a photo at a signing ceremony earlier in May. (Samsung Electronics)


OpenSSF Helping to Secure Open Source Software – ITPro Today

As organizations seek to gain an edge over their competitors, they are finding power in open source, which has led to, in the words of Brian Behlendorf, GM of the Open Source Security Foundation, a "Cambrian explosion" of open source. But with the rise in use of open source code has come a rise in vulnerabilities and so a need to better secure open source software.

During his "The Power of Open Source" presentation at this month's MIT Technology Review Future Compute conference held at MIT's Cambridge, Massachusetts, campus and in an interview with ITPro Today, Behlendorf highlighted the growth of open source and the security challenges that come with that growth.

Related: 2022 State of Open Source Report Details Challenges, Opportunities

According to Sonatype's 2021 State of the Software Supply Chain Report, he said:

The debate about open source code versus proprietary code has largely gone away, according to Behlendorf. "Very rarely are developers or enterprises making a binary choice between the two," he said. Studies have found that 90% of an average application stack is pre-existing open source code that has been pulled together and assembled, with about 10% of that as the custom code.

Related: Why You Should Trust Open Source Software Security

"Defining your edge is really about getting that 10% right and aggressively covering the rest of the 90% with the free stuff that you can find pre-existing," he said.

There is a problem, however, according to Behlendorf: There's a blind spot in the open source space and the software space as a whole to the rise of vulnerabilities in the underlying code.

"I wake up in the morning and fire up my laptop and get that notice, 'Hey, there are updated packages. Do you want to update this before you start your day?'" he said. "And I always get that dopamine hit from clicking 'yes,' partly because I know that that means that to reasonable concern I'm protected against the threats that somebody might want to throw at me today."

In the same vein, organizations need to be ready to update, Behlendorf said. "How do we get enterprises to get to the point where they go for that same dopamine rush that I do when I wake up in the morning and hit 'update' on my laptop?" he asked.

What's troubling is that, according to Sonatype, 29% of the popular open source projects contain known vulnerabilities in either the core code or in their underlying dependencies, Behlendorf said. Some of these vulnerabilities are easy to exploit, like the one recently discovered in the Log4j logging library. The Log4Shell exploit became a poster child, he said, to the point where the U.S. government asked those involved in the open source industry: "Are you OK over there? How did you not catch this?"

To help prevent such exploits, the Linux Foundation in 2020 formed the Open Source Security Foundation, which Behlendorf heads. OpenSSF, which raised $11 million in what is essentially yearly memberships, focuses on improving the state of cybersecurity in the open source space supply chain, he said.

OpenSSF is looking into the question: "The way code is built in the software industry, and not just open source code but the supply chain that we have in software, are there vulnerabilities that are starting to affect that? We need to get smarter about closing some of those opportunities for exploit," he said.

One of the tools to address this is something that the White House has elevated in importance. In May 2021, Executive Order 14028 was issued to improve cybersecurity. The order calls for, among other things, a Software Bill of Materials (SBOM) to be included with every software package delivered to executive branch agencies. Behlendorf compared an SBOM to the ingredients label on a bag of bread, as it enables organizations to see exactly what they are getting.

OpenSSF is looking at how to use SBOMs ubiquitously across software supply chains and get them integrated into core code as well as upstream. As developers write and release software, they will also provide SBOMs, including ingredients that came from previous software "so when an enterprise has to go out and address a remediation, they at least know where they're vulnerable, and that's the beginning of figuring out how to remediate for that work," he said.

OpenSSF is addressing a number of ways to secure open source software.

"This is not about writing the one tool that that automatically improves all of our cybersecurity," Behlendorf said. OpenSSF is about:

"Open source is everywhere, and you've got to figure out how to make use of it," Behlendorf concluded. "But it really is about figuring out, how do you define your edge to be that layer on top and get really good at taking advantage of what's come before us?"

Visit link:
OpenSSF Helping to Secure Open Source Software - ITPro Today

Protestware: what organisations should be aware of when using open source software – Lexology

The recent inclusion of 'protestware' in popular open source software (OSS) codebases highlights some emerging risks to organisations that rely on OSS.

Key takeouts

There have been recent incidents of 'protestware' or malicious code being incorporated within open source software (OSS) codebases.

Organisations who rely on business critical software which contains OSS may be subject to security and business risks.

Organisations should implement policies and procedures to mitigate against risks associated with the use of OSS.

Open source software (OSS) is ubiquitous in commercial software. Both in-house and external developers use community-sourced code from public repositories such as GitHub to more efficiently build, test, launch and maintain software. This shortens release times and helps organisations gain competitive advantage.

While the OSS community generally functions as a gatekeeper for quality control, the sheer volume and widespread use of OSS means that there are still risks associated with its use.

On 8 March 2022, the maintainer of node-ipc, an OSS JavaScript library that is downloaded approximately a million times a week, released an update containing protestware. The release included obfuscated code that determined the approximate location of machines running the software. If the IP address was geocoded as Russian or Belarusian, the software traversed the user's filesystem, overwriting any data encountered with heart symbols. The maintainer defended their additions to the module as a protest over Russia's invasion of Ukraine.

The Director of Developer Advocacy at Developer Security Platform 'Snyk', which investigated and disclosed the incident, observed that it highlighted a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security. Not surprisingly, the implementation of the node-ipc protestware affected more than just its intended targets: subsequent reports claimed that a US NGO running a production server in Belarus was adversely affected.

This is but one example of recent OSS protestware and other OSS-related incidents. In January, the maintainer of two open-source libraries (with more than 3.5 billion total downloads combined) issued an update that caused applications to, amongst other things, repeatedly print the word 'Liberty'. The maintainer stated that this was in protest of larger corporations using his work for free.

And in December 2021, malicious code (referred to as 'Log4Shell') was discovered in Log4j, a ubiquitous OSS JavaScript library employed across numerous cloud-based services, which allowed hackers to remotely access and take control of affected systems.

These incidents highlight how organisations that are dependent on OSS for business critical software, or that contract with outsourced service providers who use that OSS, or products or services that contain OSS, rely on the diligence and good faith of the open-source community. This has the potential to create a supply chain risk for the organisation.
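As an added example (not code from the Lexology article, the ITPro Today article, or any project they name): a small Python script that walks a constructed SPDX-style SBOM and reports the dependency path by which a top-level application is exposed to an advisory. It illustrates both the SBOM-driven remediation Behlendorf describes ("they at least know where they're vulnerable") and the transitive-dependency problem behind the node-ipc incident. The SBOM contents, the `ipc-client-lib` package and the affected version numbers are all constructed; real affected versions come from the vendor or OSV advisory.

```python
"""Find which top-level packages in an SPDX-style SBOM are exposed to an advisory,
including exposure through transitive dependencies (added example, constructed data)."""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample SBOM in a simplified SPDX 2.x JSON shape. Not a real artifact:
# the application, the intermediate library and the versions are all made up.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-ipc-client", "name": "ipc-client-lib", "versionInfo": "2.3.0"},
        {"SPDXID": "SPDXRef-node-ipc", "name": "node-ipc", "versionInfo": "4.2.1"},
        {"SPDXID": "SPDXRef-left-pad", "name": "left-pad", "versionInfo": "1.3.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-ipc-client"},
        # The risky package is only a transitive dependency of the application.
        {"spdxElementId": "SPDXRef-ipc-client", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-node-ipc"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-left-pad"},
    ],
})

# Constructed advisory list: package name -> set of affected version strings.
# These versions are placeholders, NOT the real node-ipc advisory.
ADVISORIES: Dict[str, Set[str]] = {"node-ipc": {"4.2.0", "4.2.1"}}


def parse_sbom(text: str) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, List[str]], List[str]]:
    """Return (packages by SPDXID, dependency edges, root package ids)."""
    doc = json.loads(text)
    packages = {p["SPDXID"]: (p["name"], p.get("versionInfo", "?"))
                for p in doc.get("packages", [])}
    deps: Dict[str, List[str]] = {}
    roots: List[str] = []
    for rel in doc.get("relationships", []):
        src, kind, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if kind == "DESCRIBES" and src == "SPDXRef-DOCUMENT":
            roots.append(dst)                      # what the document describes = a root
        elif kind == "DEPENDS_ON":
            deps.setdefault(src, []).append(dst)
        elif kind == "DEPENDENCY_OF":              # SPDX also allows the inverse direction
            deps.setdefault(dst, []).append(src)
    return packages, deps, roots


def label(packages: Dict[str, Tuple[str, str]], spdx_id: str) -> str:
    name, version = packages[spdx_id]
    return f"{name}@{version}"


def find_exposure(sbom_text: str, advisories: Dict[str, Set[str]]) -> Dict[str, List[List[str]]]:
    """Map each affected package label to every root-to-package dependency path."""
    packages, deps, roots = parse_sbom(sbom_text)
    hits: Dict[str, List[List[str]]] = {}

    def walk(node: str, path: List[str]) -> None:
        if node not in packages:                   # dangling relationship: nothing to check
            return
        name, version = packages[node]
        if version in advisories.get(name, set()):
            hits.setdefault(label(packages, node), []).append([label(packages, n) for n in path])
        for child in deps.get(node, []):
            if child in path:                      # guard against dependency cycles
                continue
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return hits


if __name__ == "__main__":
    for pkg, paths in find_exposure(SAMPLE_SBOM, ADVISORIES).items():
        for p in paths:
            print(f"{pkg} reached via: {' -> '.join(p)}")
```

The printed path tells a responder which direct dependency (here the constructed `ipc-client-lib`) must be bumped or pinned to remove the exposure, which is the remediation starting point the SBOM is meant to provide.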

How can organisations mitigate these risks?

To mitigate these risks, organisations should consider giving effect to the following:

Read the original post:
Protestware: what organisations should be aware of when using open source software - Lexology

Only Microsoft can give open-source the gift of NTFS. Only Microsoft needs to – The Register

Opinion: We concentrate on their technical aspects, but file systems can get pretty political. They're one of the last fronts still fighting in the Interoperability Wars. While you can plumb any number of open file systems to Linux if you need what they have, NTFS remains a problem.

Why? Because it's a very practical issue that can't be magicked away into the cloud. There are any number of cases* where the best answer is to marry Linux-based functionality to an NTFS store reliably, flexibly and fast. And until fall last year, it was a case of choose any two.

Then a good thing happened, but if 2022 has any lessons for us, it's that we can't have good things.

Before October 2021, when Paragon Software's full-fat NTFS3 driver was accepted into the Linux kernel, the easiest choice was the Linux kernel's long-standing and resolutely read-only NTFS support. If you needed to write, which isn't unknown in file system use cases, Tuxedo could give you read/write NTFS for Linux, only in userspace, not the kernel. Limited and slow. Not what you need to integrate Linux with the primary enterprise file system on the planet.

Then came late 2021's revolution. Paragon's NTFS3 driver was not sexy, not the stuff of analysts' PowerPoint decks, but if you needed it, you needed it like crazypants.

Not so fast, said 2022. Paragon Software is a 200+ employee company that has been doing low level hard disk magic since 1994, but the maintainer of the Linux kernel driver is the company founder and CEO, Konstantin Komarov.

He saw it pushed live in 2021; by 2022, he'd stopped responding to messages. No code has been touched, no emails answered, nobody's saying why.

The company was founded in Russia and he's Russian, neither of which helps after Vladimir Putin's invasion of Ukraine on February 24, so theories abound. In the end, though, people are free to vanish if they like, for whatever reason, and everybody hopes that Komarov is safe and well, of course.

It's just that if they're the sole maintainer of key open source software, we all have a problem. With nobody to fix bugs, patch vulnerabilities, or track Microsoft's changes, that path is tricky to take.

Open source's primary defence against alien abduction et cetera is that, well, it's open. Anyone can pull the project from the repo, take over the reins, and rescue orphaned code.

You could, if only you knew NTFS internals backwards, write high performance kernel driver code. Of course you'd also need the time and energy to single-handedly cope with the fiery vortex of open source politics at the highest level, and the financial resources to do it all for free in a 24/7 world that needs its data NOW. What's stopping you?

You can see why a person might vanish. The miracle of open source isn't that it has taken over so much of IT, it's that the darn stuff survives at all.

Here, it has taken decades to get it working properly, through the work of one key figure who's spent his working life in the file system sector. Seeking another seems doomed to fail.

There is one way to get the expertise, motivation, resources and commitment to take on NTFS for Linux and make it golden for the long term: Microsoft. That sounds a ridiculous proposition for something the company has treated as one of its crown jewels, a centerpiece of its Windows strategy for both consumer and enterprise. Yet that's fighting an antique war.

Why is NTFS proprietary in the first place? It came out of the OS/2 NT divorce with IBM, when the partners became enemies and wanted any advantage they could jealously guard.

Windows New Technology, with the New Technology File System, came out in 1993 as the first child of that battle.

For decades afterwards, Microsoft's policy was fiercely exclusionary towards all rivals, big or small. It could not and would not stand the idea of anyone producing a better NTFS and gaining any sort of toehold in a market the company considered its exclusive territory.

These were the years when Microsoft's hyper-aggressive approach to other people's technologies saw it fined hundreds of millions of dollars for trying to squelch disk compression company Stac Electronics. These were the years Steve Ballmer described Linux as a cancer. These were bad times. NT as Nineties Tyranny.

Twenty years on, Microsoft loves Linux.

Moreover, Microsoft is severely relaxed about interoperability. It is hard to see how an open NTFS standard would damage the company commercially. Quite the opposite. It would add confidence in the future, but take away nothing from the present.

It certainly doesn't conflict with Microsoft's cloud strategy, where the choice of file system seems as obsolete a concept as decisions about tape formats. It would be a welcome gift to those who have to keep on with the old work, which is to say a very great deal of IT today.

For Microsoft, it would bestow a halo of good citizenship. Microsoft may have embraced the penguin, but it still thinks using Windows 11 as an advertising platform is a great idea.

We still have our memories. We still have our doubts. An act that was unambiguously beneficial to the corporate IT community would help enormously in losing misgivings. It will have some cost, but nothing compared to the billions habitually spunked on stuff nobody asked for nor cared about, let alone the sums spent on killing the competition that we desperately wanted back in the day.

Microsoft. Here's your chance. Do a good thing. One that manifestly helps real world corporate IT, yet one of tremendous symbolic value. New Technology became Nineties Tyranny: let the final transformation be one of New Trust.

* Just a few examples include data security, migration, and platform integration.

Read the original:
Only Microsoft can give open-source the gift of NTFS. Only Microsoft needs to - The Register

This Week in Washington IP: Open Source Cybersecurity Solutions, Civil Capabilities for Space Situational Awareness and Using AI for Effective RegTech…

This week in Washington IP news, the Senate Science Committee convenes an executive session on Wednesday to deliberate over a pair of bills that would direct the Federal Communications Commission's activities on establishing universal telecommunications services. Over in the House, the Investigation and Oversight Subcommittee and the Research and Technology Subcommittee explore issues in the use of open source systems for enterprise-level cybersecurity, the Space and Aeronautics Subcommittee focuses on the federal government's efforts to develop civil capabilities for space situational awareness, and the Task Force on Artificial Intelligence discusses issues related to the use of AI technologies in the growing regtech sector, which automates complex regulatory processes in the financial industry.

U.S. Patent and Trademark Office

Patent Public Advisory Committee Public Meeting

At 1:00 PM on Tuesday, online video webinar.

On Tuesday afternoon, the Patent Public Advisory Committee (PPAC) of the USPTO will convene its latest public meeting to discuss several issues overseen by Patent Pendency, Quality, International, Patent Trial and Appeal Board (PQuIP). Topics covered by PQuIP during the upcoming public meeting will include a high-level brief on the external quality perception survey, the Patent Trial and Appeal Board (PTAB) Pro Bono Program, and the PTAB Legal Experience and Advancement Program (LEAP).

U.S. Patent and Trademark Office

Trademark Basics Boot Camp, Module 6: Responding to an Office Action

At 2:00 PM on Tuesday, online video webinar.

This workshop, the sixth module in the USPTO's Trademark Basics Boot Camp series, is designed to teach small business owners and entrepreneurs the basics of how to respond to official letters from USPTO examiners that have completed review of trademark registration applications. Topics covered during this workshop include response timeframes and deadlines, tips for filing a successful response and basics of office actions.

House Committee on Oversight and Reform

Legislative Markup Session

At 10:00 AM on Wednesday in 2154 Rayburn House Office Building.

On Wednesday morning, the House Oversight Committee will convene a legislative markup session to review several bills that would impact various responsibilities of federal government employees. A few of these bills are related to emerging areas of technology including the currently unnumbered Artificial Intelligence Training for the Acquisition Workforce, introduced by Representative Carolyn Maloney (D-NY) and James Comer (R-KY), which would direct the federal government to create an AI training program for acquisition activities; and H.R. 7535, the Quantum Computing Cybersecurity Preparedness Act, introduced by Representatives Ro Khanna (D-CA), Nancy Mace (R-SC) and Gerry Connolly (D-VA), which would direct the Office of Management and Budget to prioritize migration to post-quantum cryptography of agency IT systems within one year of the promulgation of post-quantum cryptographic standards by the National Institute for Standards and Technology (NIST).

House Subcommittee on Investigations and Oversight

House Subcommittee on Research and Technology

Securing the Digital Commons: Open-Source Software Cybersecurity

At 10:00 AM on Wednesday in 2318 Rayburn.

A recent State of Enterprise Open Source report issued by software firm Red Hat found that, in a survey of 1,296 information technology (IT) leaders, 89 percent of respondents believe that open source software solutions are at least as secure as proprietary software solutions. The view that open source solutions offer a high level of security persists despite vulnerabilities posed by application programming interfaces (API) like Log4j, which was widely used in open source programs distributed by the Apache Software Foundation. The witness panel for this hearing will include Brian Behlendorf, General Manager, Open Source Security Foundation; and Dr. Andrew Lohn, Senior Fellow, Center for Security and Emerging Technology, Georgetown University.

Senate Committee on Science, Commerce, & Transportation

Executive Session

At 10:00 AM on Wednesday in 253 Russell Senate Office Building.

On Wednesday morning, the Senate Science Committee will convene an executive session to review several pieces of proposed legislation, including a pair of bills that would direct the Federal Communications Commission (FCC) to take several actions related to the deployment of infrastructure for universal service. These bills include S. 2427, the Funding Affordable Internet with Reliable (FAIR) Contributions Act, which would direct the FCC to study the feasibility of funding the Universal Service Fund through contributions from edge providers like online search engines; and S. 3692, the Network Equipment Transparency (NET) Act, which would require the FCC to examine the current supply chain for telecommunications network equipment and determine whether there is any lacking availability significantly impacting the deployment of advanced telecommunications capabilities.

U.S. Patent and Trademark Office

Conducting an Effective Patent Examiner Interview

At 12:00 PM on Wednesday, online video webinar.

This USPTO workshop is designed to provide patent applicants with the skills necessary to complete successful examiner interviews, improving applicants' ability to complete patent prosecution at the USPTO with a patent grant. Topics covered during this workshop include tips on scheduling examiner interviews, interview preparation and tips for conducting effective interviews.

U.S. Patent and Trademark Office

USPTO Trade Secrets Symposium 2022: Trending Cross-Border Issues

At 1:00 PM on Wednesday, online video webinar.

On Tuesday afternoon, the USPTO will kick off the first day of a two-day symposium focused on exploring the challenges faced by U.S. companies doing business in foreign countries, especially those issues related to economic espionage and trade secret misappropriation. Topics covered during this event include balancing patents and trade secrets as different forms of IP protection, risks associated with overseas talent recruitment programs and coordinating civil investigations with criminal prosecution proceedings.

House Subcommittee on Commerce, Justice, Science, and Related Agencies

Fiscal Year 2023 Budget Request for the National Science Foundation

At 2:00 PM on Wednesday, online video webinar.

In late March, the Biden Administration issued its budgetary request for fiscal year 2023, including $10.5 billion in appropriations earmarked for the National Science Foundation (NSF), which represents an 18.7 percent increase over the NSF's budget for fiscal year 2022. If approved, this funding would support research related to climate science and clean energy, the establishment of the new Directorate for Technology, Innovation and Partnerships, and diversity initiatives to broaden the participation of underrepresented populations within the science and engineering fields. The sole witness for this hearing will be the Honorable Sethuraman Panchanathan, Director, National Science Foundation.

House Subcommittee on Innovation, Entrepreneurship, and Workforce Development

Moving Upwards and Onwards: The Workforce and Innovation Needs of the Aviation and Aerospace Industry

At 10:00 AM on Thursday in 2360 Rayburn.

The aviation industry is undergoing major changes thanks to several waves of innovation in areas like unmanned flight systems and alternative fuels. Incorporating these innovations requires a workforce with a solid education in science, technology, engineering and math (STEM) fields, but the aviation industry is still feeling the effects of the COVID-19 pandemic which has caused labor shortages across an industry that is mainly made up of small businesses. The witness panel for this hearing will include Eric Fanning, President and CEO, Aerospace Industries Association; ML Mackey, CEO, Beacon Interactive Systems, and testifying on behalf of the National Defense Industrial Association; Blake Scholl, Founder and CEO, Boom Technology, Inc.; and Judy Burns, President, Patriot Machine.

House Subcommittee on Space and Aeronautics

Space Situational Awareness: Guiding the Transition to a Civil Capability

At 10:00 AM on Thursday in 2318 Rayburn.

The U.S. federal government's long-term space exploration plans include returning a manned spacecraft to the lunar surface in preparation for the world's first manned mission to the planet Mars, which is currently planned to take place sometime during the 2030s. Recently, the U.S. Space Force created a 19th Space Defense Squadron responsible for tracking cislunar space and other regions of space outside the outer regions of Earth's orbit. In mid-April, state and defense ministers of both the United States and India signed a bilateral agreement on space situational awareness, including plans to collaborate on both space innovation and strategic defense operations. The witness panel for this hearing will include Dr. Matthew Hejduk, Senior Project Leader, The Aerospace Corporation; Dr. Moriba Jah, Associate Professor, Aerospace Engineering and Engineering Mechanics Department, Mrs. Pearlie Dashiell Henderson Centennial Fellowship in Engineering, Oden Institute for Computational Engineering and Sciences, The University of Texas at Austin; Andrew D'Uva, Senior Policy Advisor, Space Data Association; and Kevin M. O'Connell, Founder, Space Economy Rising, LLC.

Brookings Institution

Forensic Algorithms: The Future of Technology in the US Legal System

At 11:00 AM on Thursday, online video webinar.

New algorithm-based technologies are being implemented by law enforcement agencies across the nation in order to improve the identification of criminal suspects from biological matter collected from crime scenes and other matters important to criminal investigations. However, as a report issued last June by the U.S. Government Accountability Office found, many law enforcement agencies experience issues in properly interpreting and communicating the results of these algorithmic-based processes, as well as the potential for programmer bias or operator misuse in applying these processes. This event will feature a fireside chat with Rebecca Wexler, Nonresident Fellow, Governance Studies, Center for Technology Innovation; and Representative Mark Takano (D-CA), Chairman, House Veterans Affairs Committee. Following that chat will be a discussion with a panel including Rebecca Wexler; Rediet Abebe, Assistant Professor of Computer Science, University of California, Berkeley; Glenn Rodriguez, Co-Director of Youth Services, Center for Community Alternatives; Andrea Roth, Professor of Law, University of California, Berkeley School of Law; and moderated by Julia Angwin, Founder, The Markup.

U.S. Patent and Trademark Office

The Path to a Patent, Part V: Understanding the Role of Claims in a Patent Application

At 2:00 PM on Thursday, online video webinar.

This workshop, the fifth part of the USPTO's Path to a Patent series, is designed to teach prospective patent applicants about the role of patent claims during the prosecution of a patent application. Topics covered during this workshop include different parts of a patent claim, examples of claim illustrations from U.S. patents and the viewpoint of patent examiners when reviewing a patent claim.

U.S. Patent and Trademark Office

What You Need to Sell Your Arts and Crafts Online: Building Your Identity, for Native American Visual Artists and Craftspeople

At 3:00 PM on Thursday, online video webinar.

This workshop, the third in a series of monthly webinars focused on the sale of arts and crafts produced by Native American visual artists, is designed to provide these artists with resources for managing the migration of their products from local arts and crafts fairs, which have seen flagging attendance numbers since the onset of the COVID-19 pandemic, to online e-commerce channels.

House Task Force on Artificial Intelligence

Keeping Up With the Codes: Using AI for Effective RegTech

At 9:00 AM on Friday in 2128 Rayburn.

Artificial intelligence holds great promise for automating processes in many sectors, especially for regulatory processes in the financial industry that are extraordinarily complex. Global spending in the regtech industry is expected to increase from $68 billion in 2022 up to $204 billion in 2026, and the use of AI systems in digital onboarding processes for regtech is also expected to climb from 8 percent in 2022 up to 26 percent in 2026. The witness panel for this hearing has yet to be announced.

U.S. Patent and Trademark Office

PTAB LEAP: AIA Mock Oral Argument Practicum

At 1:30 PM on Friday, online video webinar.

This workshop, offered by the Patent Trial and Appeal Board's (PTAB) Legal Experience and Advancement Program (LEAP), gives PTAB practitioners a chance to hone their oral argument skills by presenting an America Invents Act (AIA) trial argument to a panel composed of administrative patent judges (APJs) currently working at the PTAB. Participants will receive feedback and a chance to participate in a question-and-answer panel following the practicum.

Read the original post:
This Week in Washington IP: Open Source Cybersecurity Solutions, Civil Capabilities for Space Situational Awareness and Using AI for Effective RegTech...

Red Hat Expands Capabilities to Provide Streamlined Application Development and Delivery in the Cloud – Business Wire

RALEIGH, N.C.--(BUSINESS WIRE)--Red Hat, Inc., the world's leading provider of open source solutions, today announced Red Hat Application Foundations, a connected set of application services that together with Red Hat OpenShift, help accelerate containerized application development and delivery across hybrid and multicloud environments. Red Hat Application Foundations serves as a toolkit for organizations looking to quickly build and integrate application and data services as part of their application and infrastructure modernization strategy.

Investing in the cloud for modern application infrastructure

The pace of application development is continuing to accelerate. According to industry analyst firm IDC, by 2025, 750 million new logical applications are expected to exist.1 With this growth, development to deployment time frames need to be condensed. In order for developers to quickly develop and update software applications to meet the needs of the business, they need self-service access to an application platform with a low barrier to entry that is simple to use and enables more consistent deployment across hybrid and multi clouds.

Red Hat OpenShift, the industry's leading enterprise Kubernetes platform, provides a unified, security-focused hybrid cloud application platform for innovation. Powered by containers and Kubernetes, it provides a foundation for modernizing existing applications, building cloud-native applications, streamlining development, adding intelligence to applications, and integrating third-party services. Through Red Hat OpenShift, developers with a range of technical knowledge can feel empowered to create sophisticated applications. In addition to modernizing existing applications and supporting new cloud-native development, it provides intelligence and data services for cloud-native apps.

Creating the foundation for scalable applications

Red Hat Application Foundations offers developers an integrated solution designed to connect applications both within and outside of the container environment. It is designed and optimized for OpenShift, bringing key application services and components to help developers employ cloud-native application patterns and swiftly bring their applications to customers. With this set of capabilities, developers can more easily create and integrate applications that range in complexity for efficient and scalable execution across hybrid cloud environments.

A toolbox of key application services, Red Hat Application Foundations provides developers with ready-to-implement components that include high-performance data streaming services, API management, service connectivity, lightweight runtimes and frameworks and more. This enables development teams to modernize their application with scalability, agility, and extensibility. These components balance flexibility and compliance, providing developers choice and efficiency through self-service tools and services. In addition to OpenShift, Red Hat Application Foundations can be used alongside software from technology ecosystem partners and in-house developed capabilities, helping organizations create the right applications to achieve their business goals.

In supporting this movement to the cloud, Red Hat Application Foundations unlocks multiple modernization patterns through microservices, APIs, event-driven architectures, and more. As application development and deployment continue to evolve, this foundation will help developers discover new and better ways to create and scale cloud native IT infrastructures. Red Hat Application Foundations supports a healthy continuous integration (CI) and continuous delivery (CD) pipeline, permitting software development and DevOps teams to innovate smoothly together.

Availability

Red Hat Application Foundations is available now. Red Hat customers can contact their account executive to set up this bundle.

Supporting Quotes

Ken Johnson, vice president and general manager, Application Services, Red Hat: "Application development is undergoing significant change and developers need tools to support this transformation. We designed Red Hat Application Foundations with a developer-centric mindset, created to work seamlessly with Red Hat OpenShift to easily employ and deliver cloud-native applications, resulting in a simplified process to deliver a greater business value."

Additional Resources

Connect with Red Hat

About Red Hat, Inc.

Red Hat is the world's leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies. Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.

Forward-Looking Statements

Except for the historical information and discussions contained herein, statements contained in this press release may constitute forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Forward-looking statements are based on the company's current assumptions regarding future business and financial performance. These statements involve a number of risks, uncertainties and other factors that could cause actual results to differ materially. Any forward-looking statement in this press release speaks only as of the date on which it is made. Except as required by law, the company assumes no obligation to update or revise any forward-looking statements.

Red Hat, the Red Hat logo and OpenShift are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the U.S. and other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

1 Source: IDC 750 Million New Logical Applications: More Background, Dec. 2021, Doc # US48441921

Read more here:
Red Hat Expands Capabilities to Provide Streamlined Application Development and Delivery in the Cloud - Business Wire