Open Source Sabotage Incident Hits Software Supply Chain | eSecurityPlanet – eSecurity Planet

An astonishing incident in recent days highlights the risks of widespread dependence on open source software while also highlighting the free labor corporations benefit from by using open source software.

Marak Squires, an open source coder and maintainer, sabotaged his repository to protest against unpaid work and his failed attempts to monetize faker.js and color.js, two major NPM packages used by a huge range of other packages and projects.

The software industry relies on various interdependent ecosystems and resources. This incident shows a well-known and unsolved issue for the software supply chain: dependency hell. It's especially true in the world of Node.js and JavaScript, but it's also a common concern with open source software in general.

Hackers try to infect legitimate apps during a supply chain attack to distribute malware. In the case of faker.js and colors.js, we have a pretty rare variant: the sabotage came from the maintainer himself, the most privileged position in the package's supply chain.

See also: Open Source Security: A Big Problem

NPM is the package manager for Node.js. It's the world's largest software registry, with hundreds of thousands of packages.

It's free to use, and you don't even need to register or log in to download tons of third-party scripts and libraries.

Colors is a pretty popular package, with millions of downloads, and is used by JavaScript and Node.js developers to get custom colors and styles in their console. According to GitHub, 4.3 million projects were using it, which includes many other popular packages.

As a result, new releases are downloaded by myriad installations as soon as they are available, making the package quite essential in the supply chain.

Just days earlier, Squires ended another well-known repository (used by 168,000 projects) called faker.js with an explicit commit message: "endgame".

The main files have disappeared; only some configurations remain.

Squires posted the following on his GitHub repository:

It's come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors.

The name of the branch merged into the core was odd, and the associated commit, named "fix bug", contained malicious instructions to trigger an infinite loop:

The above code is located in the index.js file, which runs automatically when the library is used. Zalgo text refers to special non-ASCII characters that don't render as expected and trigger UI glitches.

When executed, the code never stops: it's a logic issue known as an infinite loop. Everything from the integer used to initialize the loop (666) to the limit fixed by the author (Infinity) suggests it was intentional.

At first sight, it looks like a joke to anyone who has ever played with JavaScript, but there were consequences for projects that rely on this famous library, breaking many CI/CD pipelines and terminal prompts:

faker.js sabotage

Squires is not the only maintainer of the repository, but he revoked the other maintainers' access to make sure nobody could revert his action. A message he subsequently posted on Twitter sparked significant debate about the open source model, with some sympathizing and others saying the open source agreement was always clear.

Users could potentially revert to previous versions of the software, which seems easier in the case of colors. The faker.js page appears to have been thoroughly wiped, but there's always archive.org as a possible solution. Such a fix should only be temporary, though, as these repositories cannot be trusted anymore. There are alternative packages, and in the case of faker, an alternative has already emerged.

GitHub has issued an advisory in the case of colors.

See also: Top Code Debugging and Code Security Tools

On his blog, the developer said no company has supported faker.js and colors.js financially. He received only a few donations via GitHub Sponsorships, and the donors were fellow developers.

He tried to monetize his code by starting a cloud service with monthly subscription plans, but did not reach enough users. He claimed one of his GitHub sponsors (who also appeared to be a registered subscriber) co-opted his idea to launch the same offer.

An open-source dead end is not completely uncommon and can lead to extreme reactions in worst-case scenarios, such as what Squires did with his repositories.

It could potentially inspire more open-source maintainers and even become a trend if no one finds sustainable economic models, especially when many private and for-profit organizations use or fork public resources.

Even if GitHub and NPM have reacted quickly, removing the packages and temporarily suspending the author's account, the damage has been done.

Developers should prepare for such incidents with better dependency management.

While you cannot anticipate such radical actions, you may be able to improve your preparation. There are open-source security best practices you can apply to mitigate incidents, such as:
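As an added example of one such practice (this is not code from the article, from the colors or faker projects, or from any published best-practice list), the Node.js script below audits a project's package.json and package-lock.json for two of the risks the incident exposed: dependency ranges that let a plain `npm install` pull in a fresh, unreviewed release, and lockfile entries that already resolve to a version on a known-bad list. The manifests in the script are constructed sample data; the only known-bad entry is the colors release named above.

```javascript
// Added example, not code from the eSecurity Planet article or from the
// colors/faker projects. Audits a package.json and a package-lock.json for
// floating dependency ranges and for resolved versions on a known-bad list.
// All manifests below are constructed sample data.

// Versions that must never be installed, keyed by package name. The only
// entry is the colors release named in the article.
const KNOWN_BAD = new Map([
  ['colors', new Set(['1.4.44-liberty-2'])],
]);

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// A range is "floating" when it can resolve to more than one version, so an
// install on a fresh checkout may pick up a release nobody reviewed. Anything
// that is not an exact version (^, ~, *, x-ranges, comparators, tags such as
// "latest", git or tarball URLs) is treated as floating; "=1.2.3" is a pin.
function isFloatingRange(range) {
  const r = String(range).trim().replace(/^=/, '');
  return !EXACT_VERSION.test(r);
}

// Walk the dependency fields of a package.json object and report floating ranges.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (isFloatingRange(range)) {
        findings.push({ name, field, range, issue: 'floating-range' });
      }
    }
  }
  return findings;
}

// Collect every resolved version per package from a package-lock.json.
// lockfileVersion 2/3 lists entries under "packages" keyed by install path
// ("node_modules/colors", "node_modules/a/node_modules/b"); lockfileVersion 1
// nests them under "dependencies". Both shapes are handled.
function resolvedVersions(lock) {
  const out = new Map();
  const add = (name, version) => {
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(version);
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1 || !meta || !meta.version) continue; // root entry or workspace link
      add(path.slice(idx + 'node_modules/'.length), meta.version);
    }
  } else if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        if (meta.version) add(name, meta.version);
        if (meta.dependencies) walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// Flag lockfile entries whose resolved version is on the known-bad list.
function auditLock(lock, knownBad = KNOWN_BAD) {
  const findings = [];
  for (const [name, versions] of resolvedVersions(lock)) {
    const bad = knownBad.get(name);
    if (!bad) continue;
    for (const version of versions) {
      if (bad.has(version)) findings.push({ name, version, issue: 'known-bad-version' });
    }
  }
  return findings;
}

// Constructed sample input: floating ranges on colors and express, and a
// lockfile that has already resolved colors to the sabotaged release.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { colors: '^1.4.0', faker: '5.5.3', express: '~4.17.1' },
  devDependencies: { mocha: '9.1.3' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/colors': { version: '1.4.44-liberty-2' },
    'node_modules/faker': { version: '5.5.3' },
    'node_modules/express': { version: '4.17.1' },
    'node_modules/mocha': { version: '9.1.3' },
  },
};

// Render findings one per line, suitable for a CI log.
function formatReport(findings) {
  return findings
    .map((f) => `${f.issue}: ${f.name} ${f.range || f.version}${f.field ? ` (${f.field})` : ''}`)
    .join('\n');
}

console.log(formatReport([...auditManifest(SAMPLE_PACKAGE_JSON), ...auditLock(SAMPLE_LOCK)]));
```

In a real pipeline the two objects would be read from disk with `JSON.parse(fs.readFileSync(...))`, and a non-empty report would fail the build; the known-bad list is the place to record advisories such as the one GitHub issued for colors. Pinning exact versions only helps if the lockfile is committed and installs use `npm ci`, so that what was reviewed is what gets installed.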

Further reading: Top Vulnerability Management Tools for 2022

Here is the original post:
Open Source Sabotage Incident Hits Software Supply Chain | eSecurityPlanet - eSecurity Planet

Open-source software and threats to critical infrastructure. – The CyberWire

The direct warning of a Russian threat to US infrastructure that CISA, NSA, and the FBI jointly issued earlier this week came after some weeks of work to find and remediate vulnerabilities in the Apache Foundation's vulnerable Log4j open source library. Yesterday US Cyber Command formally attributed the activities of the threat group familiarly known as MuddyWater to Iran's intelligence agencies, specifically to the Ministry of Intelligence and Security (MOIS). Among the tools the group uses are variants of the open-source PowGoop DLL Side-Loader. MuddyWater seems to have been more involved in espionage than sabotage, but its dependence on open-source tools is noteworthy.

Senior representatives of tech companies and US Government agencies are meeting today to discuss ways of addressing the open-source security issues that have gained prominence during the prolonged search for and remediation of Log4j vulnerabilities. CyberScoop reports the list of attendees:

"The full tech participant list includes Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, Linux Open Source Foundation, Microsoft, Oracle, RedHat and VMware.

"Feds attending include representatives from the departments of Commerce, Defense, Energy and Homeland Security, as well as agencies like the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the National Science Foundation, the Office of the National Cyber Director and the Office of Science and Technology Policy."

Log4j is a single case of a more widespread challenge. We saw Tuesday that the Apache Software Foundation intended to argue that downstream users of open source software should play a larger role in securing the supply chain on which so many of their products depend. Kent Walker, President of Global Affairs and Chief Legal Officer of Google and Alphabet, this morning commended the Administration's decision to convene the meeting:

"Given the importance of digital infrastructure in our lives, it's time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world; it deserves the same focus and funding we give to our roads and bridges. Today's meeting at the White House was both a recognition of the challenge and an important first step towards addressing it."

Claroty's blog yesterday outlined hopes for the summit:

"Many open source projects are under-resourced and poorly funded; these challenges often don't come to light unless a critical vulnerability surfaces. Heartbleed, the crypto vulnerability found in 2014 in OpenSSL, shone a harsh light on the lack of resources keeping OpenSSL afloat, despite the fact the software lived everywhere from commercial software, to smartphones, to industrial devices. There was a skeleton crew maintaining OpenSSL at the time, woefully behind on updates, yet faithful to keeping the project on track. Heartbleed put a lot of businesses at risk and, reactively, the industry was forced to create groups to audit the code base and funnel money and development resources to the project.

"Tomorrow's White House meeting is a concrete step the Biden administration is taking toward proactively assessing the risks posed by open source software."

Several industry sources began by pointing out that "critical infrastructure" isn't merely a homage to a fashionable buzzword or a set of agency equities, but that the designation of some system as "critical" represents the end result of serious reflection on risk. Tim Erlin, VP of Strategy at Tripwire, put it this way:

"It's important to remind ourselves that critical infrastructure is more than just a phrase. It describes a vast cross-section of infrastructure on which our nation relies. Critical infrastructure really is critical.

"This alert not only contains information about the threat, but real, actionable information that organizations can use to defend themselves. The use of the MITRE ATT&CK framework to identify the malicious activity, and to map to valid mitigation actions is highly valuable.

"This alert is focused on a specific set of threats and actions to identify and respond to those threats. Organizations should also review their preventive controls against the tools and techniques described in this alert. Identifying the attack in progress is important, but preventing the attack from being successful at all is better."

Erich Kron, security awareness advocate at KnowBe4, thinks it important to understand that the risk of attacks on critical infrastructure rises with international tensions:

"Targeting critical infrastructure is nothing new; however, the increased attacks are certainly something to be concerned with, especially given the tensions between the U.S. and Russia over the Ukraine border crisis. Russia has very advanced cyber warfare skills which keep them hidden once a network is compromised, although ironically, the initial attack vectors are typically those of low-tech email phishing campaigns, taking advantage of people reusing already compromised passwords or using easily guessed passwords.

"To strengthen organizations against these attacks, it is critical that they have a comprehensive security awareness program in place to help users spot and report suspected phishing attacks and to educate them on good password hygiene. In addition, technical controls such as multi-factor authentication and monitoring against potential brute force attacks can play a critical role in avoiding the initial network intrusion."

Mark Carrigan, Cyber Vice President, Process Safety and OT Cybersecurity at Hexagon PPM, is betting on form and is happy to name names. He thinks the GRU outfit that's been active against power grids (Western cognomen "Energetic Bear") is likely to be heard from again:

"The political leverage that can be gained from infiltrating critical infrastructure is enormous. The fingerprints of Energetic Bear, the Russian organization behind past attacks on critical infrastructure, are visible in these recent activities. The highly sophisticated threats from state-sponsored actors aren't going away, and companies large and small are in the cross-hairs. For OT/ICS security managers, 2022 should be the year of resilience. We know it's not if but when you will be attacked, as history has proven. The most important foundational element of resilience is ensuring you have a trusted restore point that includes configuration settings for common devices and critical OT equipment."

Eric Byres, CTO at aDolus Technology Inc., wants to remind infrastructure operators not to overlook validating and authenticating patches before applying them.

"This CISA alert certainly has general advice on best practices to reduce cybersecurity risk, but it missed a critical point in the Vulnerability and Configuration Management section. CISA says to update software and use a centralized patch management system, but they fail to mention the critical importance of validation or authentication before installing those patches. There is no point updating a vulnerability with a malware-infested, counterfeit patch. Operators of critical infrastructure need to verify that the patch they've got in hand is safe to install and did indeed come from their vendor (and not a Russian agency)."

Ron Brash, VP of Technical Research at aDolus Technology Inc., added a recommendation of resources for organizations trying to cope with patches and updates:

"To assist with the triaging and prioritization of patches, asset owners should be using resources like SBOMs and VEX documents; these types of documents help vendors share with their customers what vulnerabilities are present and actually exploitable (because most of them aren't). aDolus worked with several major ICS vendors to produce the first real-world VEX documents in response to the Log4j vulnerability. This kind of effort highlights the advantage of intelligent vulnerability response vs. blanket knee-jerk 'patch everything' statements."

POLITICO reports that talks between Russian and NATO officials yesterday ended in a "standoff." NATO Secretary-General Jens Stoltenberg offered a glum assessment: "There is a real risk of a new armed conflict in Europe. We are clear-eyed. So we also conveyed a message to Russia that if they use military force there will be severe consequences; economic sanctions; political sanctions."

Senior Russian officials, according to Newsweek, blame the US for deteriorating relations. Vyacheslav Volodin, Speaker of the Duma's lower house, complained that Washington was acting like "an elephant in a china shop," carelessly destroying the structures that had been carefully built up in Europe after World War Two to preclude another such conflict. (As if NATO had been a construct negotiated with the Soviet Union, and not an alliance designed to keep the Soviets from engulfing more of Europe than they already had.)

See the original post:
Open-source software and threats to critical infrastructure. - The CyberWire

Google wants secure open-source software to be the future – TechRadar

After attending the recent White House Open Source Software Security Summit, Google is now calling for a public-private partnership to not only fund but also staff essential open-source projects.

In a new blog post, Kent Walker, president of global affairs and chief legal officer at both Google and Alphabet, laid out the search giant's plans to better secure the open-source software ecosystem.

For too long, businesses and governments have taken comfort in the assumption that open source software is generally secure due to its transparent nature. While many believe that more eyes watching can help detect and resolve problems in the open source community, some projects actually don't have many eyes on them while others have few or none at all.

To its credit, Google has been working to raise awareness of the state of open source security and the company has invested millions in developing frameworks and new protective tools. However, the Log4j vulnerability and others before it have shown that more work is needed across the ecosystem to develop new models to maintain and secure open source software.

In his blog post, Kent proposes creating a new public-private partnership to identify a list of critical open source projects to help prioritize and allocate resources to ensure their security.

In the long term though, new ways of identifying open source software and components that may pose a system risk need to be implemented so that the level of security required can be anticipated and the appropriate resources can be provided.

At the same time, security, maintenance and testing baselines need to be established across both the public and private sector. This will help ensure that national infrastructure and other important systems can continue to rely on open source projects. These standards also should be developed through a collaborative process, according to Kent, with an emphasis on frequent updates, continuous testing and verified integrity. Fortunately, the software community has already started this work, with organizations like OpenSSF working across industry to create these standards.

Now that Google has weighed in on the issue of open source security, expect other tech giants like Microsoft and Apple to propose their own ideas regarding the matter.


Link:
Google wants secure open-source software to be the future - TechRadar

Baumer, Infineon, Qualcomm Innovation Center, Percepio and Silicon Labs Select Zephyr RTOS for their Next Generation of Products and Solutions – Yahoo…

SAN FRANCISCO, Jan. 13, 2022 /PRNewswire/ -- The Zephyr Project announces a major milestone today with Baumer joining as a Platinum member and Infineon Technologies, Qualcomm Innovation Center, Inc., Percepio and Silicon Labs joining as Silver members. These new members have selected Zephyr RTOS as one of the key technologies to build their next generation of connected products and solutions.


Zephyr, an open source project at the Linux Foundation that builds a safe, secure and flexible real-time operating system (RTOS) for resource-constrained devices, is easy to deploy, secure, connect and manage. It has a growing set of software libraries that can be used across various applications and industry sectors such as Industrial IoT, wearables, machine learning and more. Zephyr is built with an emphasis on broad chipset support, security, dependability, longterm support releases and a growing open source ecosystem.

"Zephyr fits where Linux can't," said Kate Stewart, Vice President of Dependable Embedded Systems at the Linux Foundation. "It will help these new members with development, delivery, and maintenance across a wide variety of products and models. We look forward to working with our new members to improve the technology their products and solutions are based on."

Zephyr Long-Term Support (LTS) Release

In October 2021, the Zephyr community of almost 500 contributors made the LTS v2 release available, which offers vendors a customizable operating system that supports product longevity, security and interoperability. Product developers aren't locked into a particular architecture, back-end platform or cloud provider and will have the freedom to choose from an ecosystem of hardware. Additionally, products based on the LTS release will benefit from a maintained code base throughout their development and deployment lifecycle. The LTS will serve as the baseline for the auditable version of Zephyr, which will benefit both the maintained LTS and development branches. Learn more about the LTS v2 here.


Commitment to Zephyr

Baumer, one of the leading international companies for smart sensors, encoders and digital cameras for industrial automation, joins other Platinum members Antmicro, Google, Intel, Meta, Nordic Semiconductor, NXP and Oticon. Roman Kellner, Embedded Software Team Lead at Baumer, will join the Governing Board and its commitment to ensure balanced collaboration and feedback that meets the needs of its community.

"The mission of the Governing Board is to cultivate an innovative relationship among stakeholders to advance the Zephyr Project's support of new hardware, developer tools, sensors, and drivers, while maximizing the functionality of devices that run applications developed using the Zephyr RTOS," said Barna Ibrahim, Zephyr Governing Board member and Marketing Committee Chair. "We are ecstatic to welcome Roman to the board and look forward to working more closely with Baumer."

"Baumer as a sensor manufacturer relies on the capabilities of microcontrollers in a wide performance range for our product portfolio," said Roman Kellner. "Zephyr was chosen as our next sensor platform for its MCU vendor openness, reliability, high configurability, its added value compared to a pure RTOS scheduler and the future ability to cover non-safe and safe products with the same code base. We are happy to contribute our expertise to attribute Zephyr RTOS as a high performance sensor platform."

The Zephyr Project also welcomes Silver members:

Infineon, a world leader in semiconductor solutions that make life easier, safer and greener;

Qualcomm Innovation Center, a subsidiary of Qualcomm Technologies, that focuses on enabling and optimizing open source software that works with Qualcomm Technologies' solutions;

Percepio, a leader in visual trace diagnostics for embedded systems and IoT; and

Silicon Labs, a leader in secure, intelligent wireless technology for a more connected world.

These members join AVSystem, BayLibre, Eclipse Foundation, Fiware, Foundries.io, Golioth, Laird Connectivity, Linaro, Memfault, Parasoft, Pat-Eta Electronics, RISC-V, SiFive, Synopsys, teenage engineering, and Wind River.

"The Zephyr Project is driving stability to developers which allows them to focus on product innovation and at Infineon, we are happy to be a part of helping customers drive differential value," said Danny Watson, Principal Product Marketing Engineer at Infineon. "Infineon aims to be a key contributor to the underlying scalable goals of the Zephyr Project and to shape it into providing more performance and intelligent based Open Source Software for Infineon's PSoC 6 Microcontrollers."

"The Qualcomm Innovation Center (QuIC) is proud to become a new member of the Zephyr Project community," said Anthony Scarpino, Senior Director of Engineering at Qualcomm Canada ULC. "QuIC looks forward to contributing to the Zephyr Project to collaborate in building the best-in-class RTOS for secure, connected, resource-constrained devices. QuIC supports the building of micro-controller-based devices as part of the hardware and software ecosystems in upcoming products and sees participation in Zephyr as a path to world-leading innovative solutions."

"At Percepio, we've long recognized the potential of Zephyr RTOS as the leading independent platform for small IoT devices where Linux isn't an option, yet capable enough for complex embedded IoT/Edge applications," said Mike Skrtic, Vice President of Sales and Marketing at Percepio. "The latest Zephyr release brings expanded support for software tracing, which facilitates debugging and allows for improved reliability, security, and performance of embedded systems. We're pleased to have made significant contributions to the new tracing subsystem, to provide full kernel tracing support, enabling the high-end visual trace diagnostics Tracealyzer is known for."

"We've had our eye on Zephyr for some time and are excited to officially be a member of this RTOS project," said Benny Chang, Vice President, Platform and Chief of Staff at Silicon Labs. "We appreciate the measures the Zephyr community is taking to build a reliable, well-tested RTOS for the IoT and look forward to connecting Zephyr users with our industry-leading hardware and connectivity solutions."

To learn more about Zephyr RTOS, visit the Zephyr website and blog.

About the Zephyr Project

The Zephyr Project is an open source, scalable real-time operating system (RTOS) supporting multiple hardware architectures. To learn more, please visit http://www.zephyrproject.org.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world's leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation's projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Media Contact: Maemalynn Meanor, maemalynn@linuxfoundation.org


View original content to download multimedia:https://www.prnewswire.com/news-releases/baumer-infineon-qualcomm-innovation-center-percepio-and-silicon-labs-select-zephyr-rtos-for-their-next-generation-of-products-and-solutions-301460263.html

SOURCE The Zephyr Project

See original here:
Baumer, Infineon, Qualcomm Innovation Center, Percepio and Silicon Labs Select Zephyr RTOS for their Next Generation of Products and Solutions - Yahoo...

How Open Source Is Shaping The World Around Us – Outlook India

Recently, the billionaire space race sparked everything from debates to frenzied excitement, depending on who you ask. But there's one thing we can all agree on: humans are making real, significant strides in space exploration. We only have to look at the Ingenuity Mars Helicopter, which departed Earth for its 293 million mile trip to Mars aboard the Perseverance Rover last July. Marking a huge milestone for humanity, the 1.8 kilogram helicopter hovered 10 feet above the surface of Mars, in an atmosphere that's less than 1% of Earth's density, proving for the first time that it's possible for a helicopter to achieve lift-off on Mars.

To make this launch possible, Ingenuity's software required intense preparation, no margin for error and real-time collaboration. But behind Ingenuity's expansive software there was another crucial element: thousands of open source developers from all over the world, many of whom were unaware of the significance of their contributions. With nearly 12,000 people on GitHub contributing code, documentation, graphic design, and more, it's fair to say that the explosion of open source made this historic space mission possible.

And it's not just space exploration. The world is powered by software. It touches every aspect of our lives, from our cars, to how we communicate, connect, live and work. Today, 99% of software projects are developed using open source. The mobile phones we use every day are underpinned by open source technology, with Android OS and Apple's iOS both relying on many open source components. These operating systems have revolutionised the way we use smartphones and created a flourishing mobile economy. WordPress uses open source so people and businesses can easily create websites, forming the backend of many websites you regularly visit. Even US air traffic control (ATC) relies on Linux, one of the most popular open source operating systems, to monitor aeroplanes in the sky. The list goes on, with industries such as automotive, finance, telecommunications, and many more all using open source.

It's easy to see why open source software is attractive to so many organisations and why it's experiencing increased adoption across verticals. Open source democratises technology and enables fast innovation by giving organisations access to a global pool of talent and the tools needed to develop secure, reliable and scalable software. Plus, it almost always offers a cost advantage and high functionality. There's also a passionate and ever-growing worldwide community to tap into when it comes to support and bug fixes. Businesses are paying attention to these benefits and are realising that increasing the use of open source software and adopting more collaborative development methodologies is now a competitive economic advantage.

The power of open source has captured the attention of governments as well. The Indian government, for example, is a strong advocate and promoter of open source, having recognised how it can help bridge the digital divide in India. Driving open source innovation and open APIs has been a central pillar of the government's Digital India vision. Many of the government's citizen connect initiatives, like Aarogya Setu, the AADHAR initiative, and the Cowin app for managing the Covid-19 vaccine drive, have all made use of open source. This has helped accelerate the development of these programs and also allows others to integrate and build on top of them.

India has a unique advantage, given its large and diverse STEM talent pool, and is already playing a leading role in the global open source community. We have some of the largest systems integrators as well as global innovation centres that are creating compelling projects, plus a diverse ecosystem of start-ups and enterprises that are driving digital transformation. I'm proud, and truly inspired, by the Indian developers who are building and enabling the software of the future, thanks to their participation and contribution to open source projects.

In the next five years, open source development will be driven by an increased demand for applications and software. We're already seeing this trend within the open source community in India. The number of contributions to public open source repositories from India surged by 80 percent on GitHub in 2020, and it is the world's fastest growing country in terms of new open source developers. Over one million developers in India created their first repository on GitHub this past year, more than any other country in the world! The GitHub developer community in India totals 5.8M developers as of March 2021, and by February 2023 we believe more than 10 million developers in India will be calling GitHub home. India is well and truly an innovation powerhouse, with open source software development at the core, and uniquely positioned to continue driving innovation that accelerates human progress.

Read the original:
How Open Source Is Shaping The World Around Us - Outlook India

The Projects and People That Shaped Security in 2021 The New Stack – thenewstack.io

With the peak of the holiday season here, when most are running on lean teams and may not have the resources to respond to a serious cyberattack, the latest exploitation of the log4j logging library has sent developers into a scramble. This breach caps what has been another whirlwind of a year in cybersecurity, fraught with porous technology that has been steadily increasing the workloads for developers.

The ever-expanding cloud native landscape and broader adoption of open source software were met with increased pressure to accelerate release cycles, placing many businesses at greater risk this year. For many, the ransomware attacks, and the battlespace of the modern supply chain, gave adversaries a number of vulnerabilities to explore, while the U.S. presidential administration issued an executive order requiring vendors who manufacture and distribute software to detail what is actually in their products, particularly open source software, in a software bill of materials (SBOM).

From building in security processes earlier in the application life cycle to revisiting existing security technology with evolving new practices, these are the top security stories of the year that influenced developers to keep hackers out of the cloud native ecosystem.

Top Security Stories of 2021:

#1: The Web App Firewall Is Dead and We Know Who Killed It Web Application Firewalls (WAFs) entered the market in the late 1990s and have traditionally served to protect data and assets from being exploited and attacked. But now, with many organizations operating under faster application release cycles, can the traditional WAF keep up? Check out this story by our sponsor Check Point, for the latest insights to maintain WAFs that will keep up with the speed of DevOps.

#2: Shell-less Kubernetes: Talos Systems Introduces the Common Operating System Interface. Conventionally, Kubernetes is run on top of a standard Linux distribution, but Talos Systems takes a different approach with its container-specific operating system (CSOS), Talos OS, which is driven by application programming interfaces (APIs). Talos Systems believes it is better to run Kubernetes on a CSOS than on a general-purpose Linux, because a general-purpose host carries unnecessary overhead and lacks any built-in coordination with Kubernetes. Further, the attack surface is smaller than it would be with a general-purpose host OS, presenting fewer opportunities to compromise a container-specific host OS.

#3: Defend the Core: Kubernetes Security at Every Layer Kubernetes has exploded to 88% adoption, yet more than half of respondents in Red Hat's latest survey said they've delayed deploying Kubernetes applications into production due to security concerns. In this story, Jimmy Mesta, Head of Security Research at Fastly, looks at the implications of containers and offers his best-practice advice to help keep the hackers out.

#4: Why Open Source Project Maintainers Are Reluctant to Use Digital Signatures, Two-Factor Authentication Open source continues to be abused by unscrupulous developers. In fact, a recent survey revealed that when asked if the open source projects they worked on required the use of 2FA, such as the GitHub organizational setting "Require two-factor authentication", almost half of the developers said they didn't use it. How, then, should open source projects verify that contributors are who they say they are?

#5: How Parler's Data Was Harvested When the right-wing social network Parler was turned off by Amazon Web Services (AWS), Parler's data, including death threats and geotagged deleted messages, was scraped and published on numerous public websites. Deleted messages were also captured because Parler's proprietary software didn't actually delete them; instead, it merely marked them invisible to users, which revealed poor security engineering. Here's the story by The New Stack's Steven J. Vaughan-Nichols of how Parler's former members became victims of the community.

#6: Managing Kubernetes Secrets with AWS Secrets Manager GoDaddy, one of the leading web-hosting companies, open sourced an internal project called Kubernetes External Secrets. In this last story of a series by Janakiram MSV, Principal Analyst at Janakiram & Associates, he walks through how the project can be used to configure secrets backed by Amazon Web Services Secrets Manager. Launched this year as part of Amazon's CodeGuru service for developers, Amazon's Secrets Detector machine learning feature automatically finds confidential system credentials that might be hidden in source code, helping to find bugs and security vulnerabilities and then suggesting remedies.

Continued here:
The Projects and People That Shaped Security in 2021 The New Stack - thenewstack.io

Log4j: Where’s Fancy Bear been? Right there, choppin’ lumber… – The CyberWire

One of the mysteries about Log4shell so far has been the relative absence of Russian exploitation, whether by privateers or intelligence services. Given the extensive activity observed on the part of China, North Korea, Iran, and Turkey, where have the Russian threat actors been? BGR noted that the usual Russian operators seemed to have been quiet, so far. Mandiant, in its own rundown of cyberespionage taking advantage of Log4j vulnerabilities, sensibly said, "We expect threat actors from additional countries will exploit it shortly, if they haven't already. In some cases, state sponsored threat actors will work from a list of prioritized targets that existed long before this vulnerability was known. In other cases, they may conduct broad exploitation and then conduct further post-exploitation activities of targets as they are tasked to do so."

SecurityScorecard has solved that mystery. It reported this morning that it has observed Drovorub activity, and Drovorub points to its masters at Fancy Bear, APT28, Russia's GRU military intelligence service. Drovorub, which means "woodcutter," is a toolkit developed by the GRU's 85th Main Special Services Center for use against Linux-based systems. And that activity has been extensive. SecurityScorecard regards Russian reconnaissance, probing, and probable exploitation as comparable in scale to what's been observed from China. More developments can be expected, the researchers write: "It's important to remember that we are still in the very early days of trying to understand this security issue and how it's being used by threat actors."

There's reason to think that self-propagating worms are under development to take advantage of Log4j bugs. Researcher Greg Linares believes at least three groups are working on a Log4j worm. SecurityWeek, which cites Linares, also quotes other researchers who consider the news of a coming worm unproven, or unlikely, or who expect any worm that does appear to be less serious than some of the high-profile cases observed earlier this century.

The US Cybersecurity and Infrastructure Security Agency (CISA) this morning issued Emergency Directive 22-02, directing the US Federal agencies that fall within its remit to identify and update all vulnerable systems no later than 5:00 PM Eastern Standard Time on December 23rd. CISA gives the agencies until December 28th to report completion. In full, the required actions are as follows:

"By 5 pm EST on December 23, 2021:

"By 5 pm EST on December 28, 2021:

Log4j is an Apache open source library, and some have asked whether the vulnerability exposed as Log4shell should call into question the very idea of using open-source software. The short answer would be, according to some, not at all. IT World Canada has a useful discussion of the issue, in which they point out that the Open Source Security Foundation is well-funded, backed by deep-pocketed tech firms, and that securing open source software is not a hobbyist's labor of love. The piece quotes the CTO of NCC Group, Ollie Whitehouse, who frames it this way:

All software, open-source, closed-source, has latent cybersecurity vulnerabilities. We are only now getting to a point where we understand how to industrialize the detection and remediation of that. And the Open Source Security Foundation, with very large technology vendor backing now, is making concerted efforts to give it support, understanding that some of these projects are maintained by small teams.

MIT Technology Review takes the contrary view, arguing that the security of open-source software is indeed overlooked and underfunded. Their article quotes Veracode's CTO, Chris Wysopal, who says, "The open-source ecosystem is up there in importance to critical infrastructure with Linux, Windows, and the fundamental internet protocols. These are the top systemic risks to the internet."

In truth there are probably significant local variations in resourcing and attention, which is the case with software produced by a variety of teams in any organization.

Vendors are working to patch their products against Log4shell, and it's proving to involve the "struggle" most observers have foreseen, Reuters reports. As the patches are issued, they should of course be applied as soon as practicable.

Ric Longenecker, CISO at Open Systems, wrote to offer an assessment of Log4shell (and yes, he thinks the exploits are indeed wormable):

Some are calling Log4J the vulnerability of the decade. Forty percent of organizations are reportedly being targeted, and it is wormable. We've already gotten a taste of the potential impact of this vulnerability with Kronos Global being hit, and we should be wary of other potential organizations at risk and how it may impact the ability to distribute paychecks before the holidays. Companies must continue taking this very seriously and must ensure round-the-clock monitoring. We strongly encourage all companies to seek out a trusted security partner to help protect themselves against a potential attack. Log4J might be a doorway into an organization that's used as a foothold, but not executed on for several months. When that time comes, enterprises may be able to avert a severe compromise or ransomware attack if proper steps are taken beforehand.

He recommends that all organizations take these steps to protect themselves:

Rezilion also sent us some recommendations, and theirs are directed toward small businesses:

"Scan now with what you have, but make sure your scan also accounts for various types of nested JAR files and for cases in which Log4j isn't explicitly mentioned as part of the JAR name.

"Build a remediation plan that prioritizes patching Log4j instances that are loaded into memory first. This will ensure you patch what's actually exploitable first versus applying remediation efforts where it's not critically needed.

"Devote some resources into validating whether active exploitation of your organization is taking place. For organizations without appropriate commercial solutions, there are some recent open source projects available that are aimed at discovering exploitation attempts."
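The first two Rezilion points above are where most hastily written scanners fail: they grep for "log4j" in file names, so a log4j-core that has been renamed, shaded into a fat JAR, or buried inside a WAR under WEB-INF/lib is missed. The following is an added example written for this page, not Rezilion's or the CyberWire's tooling. It opens every archive it finds regardless of name, recurses into nested JAR/WAR/EAR/ZIP entries, identifies log4j-core 2.x by the fixed Maven paths of JndiLookup.class and pom.properties inside the archive, and reports whether the version falls in the Log4Shell range (CVE-2021-44228 and CVE-2021-45046, fixed in 2.16.0 and the 2.12.2/2.3.1 backports). The function names, the depth limit and the sample archives (built from dummy class bytes, not real Log4j) are all constructed for the example.

```python
"""Recursive Log4j archive scanner: an added example, not Rezilion's or CyberWire's code."""
from __future__ import annotations
import io, os, re, sys, tempfile, zipfile
from dataclasses import dataclass

# log4j-core 2.x markers: fixed by the Maven layout inside the archive, not by the JAR's file name.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 6  # bound recursion: zip bombs, archives that contain themselves

@dataclass
class Finding:
    path: str          # outer file, then nested entries joined with "!"
    version: str       # from pom.properties, or "unknown" for shaded/repackaged builds
    jndi_lookup: bool  # JndiLookup.class present (deleting it was a documented mitigation)

def scan_archive(data: bytes, label: str, findings: list, depth: int = 0) -> None:
    """Inspect one in-memory archive, then recurse into every nested archive it holds."""
    if depth > MAX_DEPTH:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # suffix says archive, content says otherwise
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names or POM_PROPS in names:
            version = "unknown"
            lines = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines() if POM_PROPS in names else []
            for line in lines:
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            findings.append(Finding(label, version, JNDI_LOOKUP in names))
        for name in names:  # recurse by suffix only: WEB-INF/lib, BOOT-INF/lib, renamed jars all count
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)

def scan_tree(root: str) -> list[Finding]:
    """Walk root and scan every archive beneath it; labels are relative to root."""
    findings: list[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), findings)
    return findings

def is_log4shell_affected(f: Finding) -> bool:
    """Log4Shell range (CVE-2021-44228/-45046): fixed in 2.16.0 and the 2.12.2 / 2.3.1 backports."""
    if not f.jndi_lookup:
        return False
    nums = tuple(int(x) for x in re.findall(r"\d+", f.version)[:3])
    if len(nums) < 2:
        return True  # JndiLookup present but version unreadable: assume the worst
    fixed = nums >= (2, 16, 0) or (nums[:2] == (2, 12) and nums >= (2, 12, 2)) or (nums[:2] == (2, 3) and nums >= (2, 3, 1))
    return not fixed

def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root: str) -> None:
    """Constructed fixtures with dummy class bytes, not real Log4j: a renamed log4j-core nested in a
    WAR, a shaded jar with no pom.properties, a patched jar, and an unrelated jar."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic standing in for JndiLookup.class
    inner = _zip_bytes({JNDI_LOOKUP: stub, POM_PROPS: b"version=2.14.1\n"})
    samples = {
        "app.war": _zip_bytes({"WEB-INF/lib/logging-bundle.jar": inner}),
        "service-all.jar": _zip_bytes({JNDI_LOOKUP: stub, "com/example/Main.class": stub}),
        "log4j-core-2.17.1.jar": _zip_bytes({JNDI_LOOKUP: stub, POM_PROPS: b"version=2.17.1\n"}),
        "util.jar": _zip_bytes({"com/example/Util.class": stub}),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo() -> list[tuple[str, str, bool]]:
    """Build the fixtures in a temp dir, scan them, return sorted (path, version, affected)."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return sorted((f.path, f.version, is_log4shell_affected(f)) for f in scan_tree(root))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python log4j_scan.py /opt/tomcat
        rows = [(f.path, f.version, is_log4shell_affected(f)) for f in scan_tree(sys.argv[1])]
    else:
        rows = demo()
    for path, version, affected in rows:
        print(f"{'AFFECTED' if affected else 'ok':8} {version:8} {path}")
```

Run without arguments to see the fixtures: the renamed jar inside app.war and the shaded service-all.jar are flagged, the 2.17.1 jar and util.jar are not. For Rezilion's second point, prioritising instances that are actually loaded, cross-reference the outer paths this reports with the JARs held open by running JVMs (on Linux, `lsof -p <pid>` or the links under /proc/<pid>/fd), since a vulnerable copy sitting in a build cache matters less than one a live process has on its classpath.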

And the holiday season may be a busy one for IT and security teams. Randal Pinto, CTO of Red Sift, commented:

The log4j vulnerability will still be around for some time and security teams will have a busy holiday season patching up systems. But our advice for organizations is to be thorough in your assessment. Don't only look internally but also at your supply chain, given the number of ways this vulnerability can be exploited. Ultimately this is another stark reminder that hackers will try all channels as a way to infiltrate a system, not only the obvious ones.

Link:
Log4j: Where's Fancy Bear been? Right there, choppin' lumber... - The CyberWire

Aqua Security acquires Argon to protect the software supply chain – VentureBeat


Cloud-native application protection firm Aqua Security announced today it has acquired Argon, a startup with capabilities for securing the software supply chain, amid a growing push to ensure application security from the get-go as part of the development process.

Cofounder and CEO Dror Davidoff said in an email to VentureBeat that combining Aqua Security with Argon creates "the industry's first and only solution to secure all stages of software build and release."

Ramat Gan, Israel-based Aqua Security did not disclose the terms of the acquisition, though Davidoff said the acquisition price is in the tens of millions of dollars. Founded in 2020, Tel Aviv, Israel-based Argon had raised $4 million in funding and will bring 30 employees and several dozen customers, in addition to its technology for app development security.

According to a recent study by Sonatype, software supply chain attacks have soared by 650% since mid-2020, due in large part to infiltration of open source software.

Meanwhile, high-profile attacks such as the SolarWinds breach have made the software supply chain issue impossible to ignore. Discovered roughly a year ago, the attack involved malicious code that was inserted into the widely used SolarWinds Orion network monitoring software, then unknowingly distributed to customers including numerous federal agencies.

Other recent software supply chain incidents have included a breach that affected developer tool Codecov, discovered in April.

Increasing pressures on developers appear to be worsening the problem. A recent survey by Invicti Security found that 70% of development teams always or frequently skip security steps due to time pressures when completing projects.

Argon enables users to evaluate existing code repositories and infrastructure, scanning both code and artifacts, to ensure immutability of code from creation through to runtime, Davidoff said.

Argon's technology can discover and map continuous integration (CI) and continuous delivery (CD) pipelines, use a zero-trust approach to securing the DevOps toolchain itself, and validate the integrity of code and artifacts at every stage, ultimately preventing the next SolarWinds or Codecov attacks, he said.

To date, Aqua has enabled customers to protect their cloud-native application builds starting from the container image or function build stage, and does so for the application artifacts, but not for the CI/CD toolchain itself, Davidoff said.

Argon now allows our customers to both further shift left and start ensuring code integrity earlier in the supply chain, as well as ensuring that the DevOps tools themselves are properly configured and not susceptible to unwanted integrations, webhooks, and triggers, he said.

The injection of malicious code into the pipeline, à la SolarWinds, is precisely the type of attack that Argon protects against, Davidoff said. Argon would have identified weak configuration, permissions issues, and non-approved plugins, and detected the malicious code before it was distributed.

Software supply chain protection is an early-stage market, but Aqua expects this segment of the market to grow massively over the next few years, Davidoff said.

With the addition of Argons technology, Aqua sees an opportunity both to expand its customer base and to grow with existing customers, he said.

Initial integrations of the technology will be available in the first quarter of 2022, and Aqua expects a full integration before the end of 2022, according to Davidoff.

In terms of headcount, Aqua Security now employs 500 with the addition of the Argon team, he said.

Argons executives will join Aquas R&D and product teams, with their exact titles still to be determined, Davidoff said. The startups founders are Eilon Elhadad and Eylam Milner, who formerly led security and engineering teams within the Israeli military.

Aqua Security describes its offering, the Aqua Platform, as a complete cloud-native application protection platform, or CNAPP. The vendor has seen high double-digit revenue and customer growth for its CNAPP so far this year, said Rani Osnat, senior vice president of strategy at the company, in a recent interview with VentureBeat. Aqua reports having a customer base of 500 enterprises.

The company has offered capabilities for scanning applications during development, including infrastructure as code (IaC) security scanning, since its launch in 2015.

In terms of workload protection, Aqua focused on containers at the beginning and added serverless and virtual machines in 2017 to give it full cloud workload protection capabilities.

Previous acquisitions by Aqua Security included CloudSploit in 2019, which added capabilities to its platform for spotting misconfigurations in cloud infrastructure, also known as cloud security posture management. In July, Aqua Security acquired open source IaC security scanner TFsec.

Recent enhancements to Aquas CNAPP offering have included the addition of cloud-native detection and response, which provides monitoring and detection to identify zero-day attacks in cloud-native environments.

In March, Aqua Security raised $135 million in series E funding, led by ION Crossover Partners, at a $1 billion valuation.

The rest is here:
Aqua Security acquires Argon to protect the software supply chain - VentureBeat

When the open source ecosystem thrives in the cloud: IT leader insights – The Enterprisers Project

Software is eating the world and open source has become the default way to build software. Public cloud has accelerated the proliferation of open source technologies, and has led to an adjustment in both the enterprise procurement and monetization of software. "After a few years of seismic realignment (the aftershocks are still reverberating through the ecosystem), we have reached a point where there are paths for software vendors to partner with or live in the marketplaces of the hyperscalers," says Jerry Chen, a venture capitalist at Greylock. Chen has a long history with open source: he was on the VMware team that made Cloud Foundry an open source project, and later funded Docker as a VC, and has written a series of articles called Castles in the Cloud. I recently spoke with him as part of Red Hat's livestreaming show, In The Clouds.

Chen notes that one of the strengths of leveraging open source is that, as a leader in a community, a company can connect directly to developers, data scientists, or other practitioners. In the past, companies would have to find ways to avoid or take on the cloud providers; today the competitive environment looks quite different.

We are also close to seeing more billion dollar open source companies, Chen says, noting the recent IPOs of HashiCorp and GitLab, which both have over $200M in revenue and strong growth. The interview reaffirms that it is an exciting time for the technology industry in general, and for the future of open source software.

For additional insights from Chen, including career advice, commentary on the massive valuations of private companies, and much more, watch this episode of In the Clouds:

Jerry Chen and Stu Miniman will also be at AWS re:Invent the week of November 29th in Las Vegas.

Read the original post:
When the open source ecosystem thrives in the cloud: IT leader insights - The Enterprisers Project

What is open source software? – Red Hat

Open source software matters to everyone, not just programmers, because it unlocks the potential of many more people to become innovators than a closed-source model. Open source communities, for instance, are organized around open source projects where anyone with skills can join and contribute code. These groups still maintain standards around contributing to open source projects just like proprietary software teams do, but they open up this process to anyone in the world who wants to contribute.

This open source development model has resulted in some of the most important applications and cloud platforms in use today. The most popular of these comprise LAMP, a model of service stacks that undergirds much of the web. The LAMP acronym stands for Linux (the operating system), Apache (the web server), MySQL (the database), and PHP (or Perl or Python, the application language).

Other examples of popular open source technologies include the Android mobile OS, the Mozilla Firefox web browser, the widely used version control system Git, and the two related office suites OpenOffice and LibreOffice. On a broader scale, most innovation in the areas of cloud computing, big data, and artificial intelligence has been derived from open source software projects.

In addition to its instrumental role in the early web and some of the most popular applications used today, open source software has other advantages for businesses and individual programmers. When source code is open, it makes it easier for anyone to study it to develop new programming skills. Open source licensing also allows students to get practice by editing the code and sharing it with friends and the broader open source community, or even contributing fixes to existing open source projects.

Open source software also offers businesses the ability to customize it to meet their specific needs, or innovate new customer experiences not included in the original source code. Some also prefer open source software because there are many more developers looking for security vulnerabilities when the source code is openly available and has an active community supporting it.

Open source software is the result of an open source development model. The open source development model is decentralized and encourages open collaboration and peer production. It has influenced a broader movement in software development, and people often refer to its core principles as "the open source way."

The open source way is so effective because it can attract tremendous technical talent. Much of the innovation in technology is taking place in the open source community, and people all over the world end up using open source software. Behind many popular websites and applications you can find projects like Linux, Kubernetes, and Git, and people access the internet with open source browsers like Firefox and Chromium.

See the original post:
What is open source software? - Red Hat