SAN FRANCISCO, Aug. 17, 2022 The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world's most important software supply chain security initiatives, on Wednesday announced 13 new members from leading financial services, technology, employment, software development, cybersecurity, telecommunications, and academic sectors.

New premier member, Capital One, joins the OpenSSF Governing Board. New general member commitments come from Akamai, Indeed, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, and ZTE Corporation. New associate members include Eclipse Foundation, Purdue University, and TODO Group. "We are excited to welcome new members to the OpenSSF," says Brian Behlendorf, General Manager of OpenSSF. "As open source software security vulnerabilities continue to draw attention from governments and businesses around the world, interest in the work of the OpenSSF has been rapidly increasing."

"A growing community of organizations, developers, researchers, and security professionals are investing the time and resources needed to strengthen open source security," said Jamie Thomas, OpenSSF Board Chair and IBM Enterprise Security Executive. "New members of OpenSSF are joining at a time when cross-industry collaboration and innovation are needed more than ever to proactively respond to pervasive cybersecurity threats."

Resolving the systemic issues that led to major security vulnerabilities like the Log4shell incident emphasizes the urgency and importance of the work of OpenSSF. A recent Cyber Safety Review Board report declared that Log4j has become an "endemic vulnerability" that will be exploited for years to come and that the 10-point mobilization plan introduced earlier this year at the Open Source Software Security Summit II by the OpenSSF will improve the resiliency and security of open source software.

OpenSSF will host a full day of sessions on Tuesday, Sept. 13, at OpenSSF Day EU on the eve of Open Source Summit Europe (OSS EU) in Dublin. Working Group leaders and community members will host sessions, panels, and fireside chats about ongoing work to secure the software supply chain and the future of open source security. Registration and attendance are free for all those attending the OSS EU.

Premier Member Quote

Capital One

"Today some of the most groundbreaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world's technology leaders as we collaborate to strengthen the software security supply chain. As a highly regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenOSSF mission and give back to the open source community."

General Member Quotes

Akamai

"Improving the security of open source software so central to the internet ecosystem is one of the most critical security challenges we face today. Only by gaining visibility into the network and the software supply chain can we reliably address security flaws when they occur at the code level. The technology community must support the open source communities we depend on with financial and technological resources to limit our collective risk. As a leading security and cloud services provider, we look forward to contributing to the Open Source Security Foundation and helping to advance this important work."

Kasten by Veeam

"We are honored to be part of the Open Source Security Foundation (OpenSSF) and champion this initiative alongside our peers. Kasten by Veeam has an open source heritage, and with Kubernetes data protection as our core offering, security remains a critical underpinning for Kasten K10 design and implementation. As Kubernetes adoption continues to fuel Digital Transformation journeys for enterprises, more attention is rightfully being placed on security, especially with the inexorable rise of ransomware attacks. Kasten by Veeam is committed to ensuring the security and data protection of cloud native environments to better protect business applications."

Scantist

"On one hand, the software industry is benefiting substantially from the rapid growth of open source, which has become the basic building blocks of the digital world. On the other hand, open source security is becoming more critical and all these risks are multiplied by the interdependent nature of open source. Now as a member of OpenSSF, we would like to contribute to the OpenSSF missions based on our recent research on open source ecosystem analysis to provide a quantitative view to understand the complexity and security of open source. We want to become the active participant, evangelist and ambassador for OSS governance in southeast Asia to promote open source software supply chain security."

SHE BASH

"Since our inception, SHE BASH has witnessed a variety of predatory industry practices that get shielded from extensive scrutiny via the protective veil of closed source. At our core, open source software is a public institution that enables everyone to build their future.

"The combination of decades of apathy and the incentive mechanisms that sustain a culture of 'don't care' has allowed our company to stand out among tech's largest and most culpable companies. We have always considered 'best practice first' as one of the main value propositions we can provide as a company, albeit a small one. Open Source Software provided us the level playing field to make differences in key technological shifts within the public sector, and the evolution of these shifts are the development of best practices born from the open source that sustains all software life today. It's a true honor to be of assistance to the work OpenSSF is leading to remedy large structural mistakes that grew from decades of neglect."

Socket Security

"As maintainers of open source packages which are installed over 1 billion times per month, the Socket team is intimately familiar with the massive growth in open source dependency usage. Modern applications use thousands of dependencies written by hundreds of maintainers, and installing even one package leads to dozens of transitive dependencies coming along for the ride. Unfortunately, it is far too easy for a bad actor to infiltrate the software supply chain and wreak havoc. That's why Socket is proud to join OpenSSF and do our part to make open source safe for everyone with our industry-leading approach to software composition analysis which is used by thousands of companies to detect and prevent supply chain attacks. The Socket team is excited to work with other OpenSSF member companies to safeguard the open source ecosystem for everyone."

Sysdig

Sysdig is proud to be part of OpenSSF and work together to help guide open source security standards and secure the software supply chain. As a cloud security company built on open source, we believe the industry must come together to strengthen software for the common good. Having created and contributed Falco to the CNCF to help secure the runtime, we look forward to continuing open collaboration in the OpenSSF. The future of security is open, and what we do now will shape software forever."

Timesys

"With software supply chain breaches up more than 650%, securing the software supply chain is a big focus. We've been working for more than 5 years developing technology to help secure, monitor, and maintain open source-based embedded Linux and Android devices from exposures and vulnerabilities. We are so excited to be joining up on this community effort with OpenSSF and to be a part of the Linux Foundation again. By sharing technology and collaborating to build ecosystems that accelerate open-source technology development, device manufacturers and consumers everywhere will be able to rest easier knowing they are secure."

ZTE Corporation

"We are very pleased to join the OpenSSF. As a world-leading communication equipment manufacturer, more and more open source software is used by us. While actively embracing open source software, it also brings unprecedented risks to software supply chain security. ZTE Corporation has made many efforts to control and manage risks, and regard them as our top priority. After joining the OpenSSF, ZTE Corporation works with a group of members with similar visions and goals to promote the development of open source software supply chain towards a more secure direction."

Additional Resources

About OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The rest is here:
OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain - DARKReading

A new company from the creators of the Godot game engine is setting out to grab a piece of the $200 billion global video game market and to do so, its taking a cue from commercial open source software giant Red Hat.

Godot, for the uninitiated, is a cross-platform game engine first released under an open source license back in 2014, though its initial development pre-dates that by several years. Today, Godot claims some 1,500 contributors, and is considered one of the worlds top open source projects by various metrics. Godot has been used in high-profile games such as the Sonic Colors: Ultimate remaster, published by Sega last year as the first major mainstream game powered by Godot. But Tesla, too, has apparently used Godot to power some of the more graphically intensive animations in its mobile app.

Among Godots founding creators is Juan Linietsky, who has served as head of development for the Godot project for the past 13 years, and who will now serve as CEO of W4 Games, a new venture thats setting out to take Godot to the next level.

W4 quietly exited stealth last week, but today the Ireland-headquartered company has divulged more details about its goals to grow Godot and make it accessible for a wider array of commercial use cases. On top of that, the company told TechCrunch that it has raised $8.5 million in seed funding to make its mission a reality, with backers including OSS Capital, Lux Capital, Sisu Game Ventures and somewhat notably Bob Young, the co-founder and former CEO of Red Hat, an enterprise-focused open source company that IBM went on to acquire for $34 billion in 2019.

But first what is a game engine, exactly?

Godot editor demo. Image Credits: Godot

In simple terms, a game engine serves up the basic building blocks required for developers to create games, and may include anything from renderers for 2D or 3D graphics to scripting and memory management. Its basically a software framework that developers can use and reuse without having to redesign the wheel with each new game they create.

This allows developers to utilize pre-made functionality that is common to most games when creating their own, and only create the parts that make the game unique, Linietsky explained to TechCrunch.

While many companies, particularly larger game studios, develop their own engines in-house, as games and the associated development processes have become more complex, third-party general purpose game engines have grown in popularity. This includes long-established incumbents such as Unity, developed by tech powerhouse Unity Software, which is currently in the process of merging with IronSource.

One reason why a studio might use a third-party game engine is to cut down on in-house development costs, but a trade-off here is that it then has to work with a gargantuan code-base, which it has limited control over. And that is why Godot has gained some fans through the years as an open source project, it gives developers an oven-baked game engine that they can tweak and fine-tune to their own needs, with improvements pushed back to the development community for everyone to benefit from.

The result is reduced development costs and more freedom to innovate, Linietsky said. Godot brings to the game industry the same benefits that enterprise software has been enjoying from it [open source software] for decades.

Red Hat Inc. signage is displayed outside the New York Stock Exchange (NYSE). Image Credits: Bloomberg / Getty Images

Anyone who has even remotely paid attention to the technology sphere over the past decade or sowill have noticed that open source is now big business. The likes of Elastic and Cockroach Labs have built billion-dollar businesses off the back of open source projects, while Aiven recently hit double-unicorn status for a business that helps enterprises make the most of open source technologies in cloud environments.

But Red Hat, arguably, remains one of the biggest success stories from the open source world, selling enterprises premium support and services for some of the worlds biggest community-driven projects, from Linux to Kubernetes.

Companies like Red Hat have proven that with the right commercial offerings on top, the appeal of using open source in enterprise environments is enormous, Linietsky said. W4 intends to do this very same thing for the game industry.

Its an interesting parallel, for sure, and one that seems pretty obvious when presented with such a comparison. Linuxs open source credentials were what led it to become the leading operating system for web servers, while Androids mobile market share dominance can substantively be attributed to its Linux kernel base. Elsewhere, other open source projects such as Kubernetes are powering enterprise adoption of microservices and container technologies.

In truth, Godot is nowhere near having the kind of impact in gaming that Linux has had in the enterprise, but its still early days and this is exactly where W4 could make a difference.

We expect Godot to take the same route in the game industry as other open source software has taken in the enterprise, which is to slowly become the de facto standard, Linietsky continued. It is very difficult for companies that create proprietary software to compete with the massive talent pool that popular open source projects have, and unappealing for software users to concede the freedom to use software as they please to a third-party entity.

On top of that, having one of Red Hats original founders on board as an investor can only be construed as a major coup for a startup that is just eight months old.

Bob is an incredible human being who helped create a whole new type of business where nobody expected it was possible, Linietsky continued. He identified the opportunity for Godot and W4 as very similar to Linux and Red Hat two decades ago, and has been very kind to share his wisdom with us, as well as becoming an investor in our company.

Concept illustration depicting technical support. Image Credits: Macrostore / Getty Images

W4s core target market will be broad its gunning for independent developers and small studios, as well as medium and large gaming companies. The problem that its looking to solve, ultimately, is that while Godot is popular with hobbyists and indie developers, companies are hesitant to use the engine on commercial projects due to its inherent limitations currently, there is no easy way to garner technical support, discuss the products development roadmap, or access any other kind of value-added service.

But perhaps more importantly, while Godot is touted as a cross-platform game engine spanning the web, mobile and desktop, it has hitherto lacked direct support for games consoles. The reason for this is that as an open source project served under a permissive MIT license, Godot cant provide support for consoles because it wouldnt be allowed to publish the code required to interact with the proprietary hardware game studios that develop for consoles have to sign strict non-disclosure agreements. Plus, console makers will only work with registered legal entities, which Godot is not.

Put simply, Godot cant be a community-driven open source project and support consoles at the same time. But there are ways around this, which is why W4 hopes to make money by offering a porting service to help developers convert their existing games into a console-compatible format.

W4 will offer console ports to developers under very accessible terms, Linietsky said. Independent developers wont need to pay upfront to publish, while for larger companies there will be commercial packages that include support.

Elsewhere, W4 is developing a range of products and services which its currently keeping under wraps, with Linietsky noting that they will most likely be announced at Game Developers Conference (GDC) in San Francisco next March.

The aim of W4 is to help developers overcome any problem developers may stumble upon while trying to use Godot commercially, Linietsky added.

Its worth noting that there are a handful of commercial companies out there already, such as Lone Wolf Technology and Pineapple Works, that help developers get the most out of Godot including console porting. But Linietsky was keen to highlight one core difference between W4 and these incumbents: its expertise.

The main distinctive feature of W4 is that it has been created by the Godot project leadership, which are the individuals with the most understanding and insight about Godot and its community, he said.

Of Godots 1,500 or so contributors, 10 are more-or-less permanent hires, paid via community donations. Similarly, W4s current team of 12 largely consists of long-standing Godot contributors, spread across eight different countries in the Americas and Europe. This is much like how other companies built on an open source foundation started out, including Red Hat and WordPress.coms parent Automattic, which was one of the most well-known distributed companies out there, long before the remote-work revolution came along in 2020.

Indeed, distributed work is one of the core defining characteristics of open source software development. By way of example, Linietsky is based in Spain, while co-founder and COO Rmi Verschelde works from Denmark. The other two founders, CTO Fabio Alessandrelliand CMO Nicola Farronato, operate from different locations in Italy.

But every legal entity needs to choose somewhere as its corporate home. And similar to many tech companies, W4 elected Dublin, Ireland as its official HQ though this presence is really just on paper, only.

We are based in Ireland because two of the co-founders have previously established there, have relatives and are very familiar with the Irish ecosystem, Linietsky said.

Here is the original post:
How W4 plans to monetize the Godot game engine using Red Hats open source playbook - TechCrunch

The SOS.dev initiative 'Secure Open Source Rewards' will help in preventing assaults on the software supply chain by incentivising researchers to offer security upgrades to essential projects.

This new initiative aims to reward developers and security experts that enhance crucial infrastructure using open source software. According to those who support it, the rewards initiative, which is 'Secure Open Source,' will cover more ground than bug bounty schemes at the current time.

By encouraging academics and developers to make security changes, the programme would "harden vital open source projects" and aid in protecting against application and software supply chain threats.

Save Our Software

The NIST definition of "vital software," the scope of the security enhancements and the number of users, who stand to gain, will be considered when selecting qualified projects for the 'Save Our Software Secure Open Source Rewards'.

For "complex, high-impact and enduring enhancements that virtually surely avert severe vulnerabilities," rewards range from $505 for simple changes to $10,000 or more. As SOS.dev develops, we will add additional enhancements to the goals.

Million Dollar Funding

In contrast to traditional bug bounty programmes, the programe named 'Secure Open Source Rewards' takes help of developers in security enhancements rather than merely vulnerabilities. Additionally, it will provide a small amount of up-front financing for initiatives seeking to enhance security over the long term.

The initiative comes as businesses plan to improve the security of their most important apps and infrastructure. Software supply chains are receiving more attention, particularly the significance of key open source components throughout the ecosystem.

We will continue to see significant breaches resulting from software supply chain attacks if we don't take action right away to address these Achilles' heels. "Supply chain security starts with the original contributor and the security of their coding standards, computing environment and build systems," said Andrew Martin, CEO at ControlPlane and CISO at OpenUK.

Disclaimer: This content is authored by an external agency. The views expressed here are that of the respective authors/ entities and do not represent the views of Economic Times (ET). ET does not guarantee, vouch for or endorse any of its contents nor is responsible for them in any manner whatsoever. Please take all steps necessary to ascertain that any information and content provided is correct, updated and verified. ET hereby disclaims any and all warranties, express or implied, relating to the report and any content therein.

More:
Secure Open Source Rewards' to help in preventing assaults on the software supply chain. Check out how! - Economic Times

Software companies, especially young startups, are always in a development race by definition, they are trying to maximize achievements and minimize their burn rate. That means development teams naturally face an internal tug-of-war. On one hand, they seek to use the newest dev tools that the market can offer, targeting their applications to become better (more secure, more efficient and compliant with the latest standards). On the other hand, they cannot spend money on such tools since they need to save every penny. With the current economic climate, many new investments are being delayed or, at minimum, double-checked.

To appeal to developers, many vendors and software development tool companies offer freemium programs. Some are driven by the spirit and the goodwill of open source and community; others are business-to-developer (B2D) companies relying on the product-led growth (PLG) mode. If developers see value in the free tools, they are more likely to become paying customers later on to get access to more features.

Here, well review the common parameters of popular free developer tools and distinguish their services between the free tier (aka the community tier), the entry-level paid tier and other paid program offerings. Well look at tools for observability, logging, vulnerability scanning, compliance, authentication and VPNs.

Logs are considered to be one of the three pillars of observability and are the bread and butter of troubleshooting and debugging. The more code lines you have in your product, the more loglines you collect, store and aggregate. Logs accumulation can quickly get out of hand and become very heavy on the budget. One logs aggregation vendor, Sumologic, provides a freemium offer that allows log collection up to one gigabyte per day. If you need more volume, you can move to their paid tier that allows for higher volumes or pay more for no limits at all.

Transactions and tests are probably the most imperative features of a freemium offer. It involves the core offering with a quantity limitation, giving you a chance to try the product through practical use, but youll probably have to move up quickly into the first paid tier. Snyk.io, for example, will help you scan your open source software for flaws alongside container vulnerabilities as early as code creation, with up to 200 open source tests and 100 container tests per month.

Its one thing to play with, say, a free AutoCAD seat that doesnt involve sensitive data and another thing entirely to draft the next-generation design that must not leak to your competitors. Security and compliance certification is often included in the freemium tiers; more detailed reports and analysis of security and compliance are for the paying tiers only.

Having a free tool is greatbut if this tool is bound to a proprietary service, then you should probably demand these tools meet the same standards and SLAs that you are offering your customers. Observability platform Rookout offers 24/7 support and dedicated account managers and tools for enterprise customers in all tiers.

One key aspect of free tiers is the legal aspect of using the tool. The dev tool may interact with sensitive data, not only in your own dev environment but also with your customers environments. Your customers may require your dev operations to meet specific criteria, making the free tier a potential legal issue. For example, if you use the free tier of JFrog to manage your supply chain, you wont be able to use Artifactory to publish data to third parties; should you want to do that, you will have to move to one of the paid commercial programs.

Some free tools operate based on a usage modelyou are entitled to a free tier until a certain amount of users or actions is reached. Auth0, for example, a user authentication solution (now part of Okta), provides their service free of charge for up to 7,000 users (generous!) but should you grow beyond that, youll need to graduate to a paid tier and be charged according to your monthly usage.

Some free and freemium offerings are tempered based on connectivity speed, bandwidth and even VPN. Today, you can even get a secure VPN for free, but only to a specific threshold. For example, ProtonVPN will provide you with a free VPN at a medium speed, if you move to the highest speed VPN, youll need to move to a paid tier.

In most cases, the freemium tier will limit a dev tools usage according to one or a few main characteristics but will allow you to perform the basic actions and enjoy the essence of the tool. Some parameters may be trivial, like volume of tests, while others require developers and DevOps teams to carefully monitor usage. Theres a lot of value in free and freemium dev toolsbut make sure you read the fine print.

Read this article:
Free Dev Tools! But Whats the Catch? - DevOps.com

AWS currently has over a $70B run rate so it may come as a surprise to some people that most workloads running on it are using an operating system that is 30 years old and is essentially the same as an even older operating system that is 50 years old. This operating system was built for real physical computers not the virtual ones that developers spin up on Amazon and Google Cloud. Of course we are talking about Linux.

Youd think after 30 years there might be different views on running those workloads and NanoVMs thinks so with its various commercial offerings and its flagship open source Nanos unikernel.

NanoVMs claims to be able to run workloads such as Go and Rust web servers up to 200% faster on GCP and up to 300% faster on AWS all with no users, no passwords, no shells, no remote access of any kind. In fact the unikernel acts like its own operating system running one and only one application versus another that a hacker might want to run.

NanoVMs has revenue from over ten different countries with customers in production for over two years now. They built their advanced R&D with backing from early investors such as Initialized Capital, Bloomberg Beta and famed cybersecurity investors such as Ron Gula from Gula Tech Ventures. They have multiple grants from the National Science Foundation, the Department of Energy and the US Air Force.

How big of a market do they operate in though? The devops market is approaching $15B, exploding to $30B in the next five years, while cybersecurity is reaching over $100B in the next few years. Unikernels represent an unique category creation as their end-users are clearly devops professionals, yet they bring security benefits you wont find in the conference halls of BlackHat or RSA. The ecosystem has very deep moats as well, as at the end of the day even though its Linux binary compatible it is a new operating system.

Github, alone boasts having 83M software developers and in order to get the word out about the technology NanoVMs has launched an equity crowdfunding campaign that allows ordinary investors to invest in the company.

However, it would be wrong to speak of just the number of software engineers. Many tech companies are now built on open source software, each with their own massive valuations. Whether its MongoDB, ElasticSearch, Redis Labs, Confluent, Databricks the list is seemingly endless it all runs on open source software and guess what operating system that code runs on? Thats right, Linux. Even without modifying any of the code many of these companies projects run faster and safer as a unikernel than on Linux. If you do a quick google search youll see there are easily north of ten different vendors for something like ElasticSearch. The fact that even one vendor for one software application can potentially cause a lot of ruckus starts to detail the amount of turbulence this technology is going to generate. The TAM for this market, existing software being provisioned as unikernels, is explosive and volatile as now all these vendors have a new path to build better software and provide deep value differentiation.

Google published a series of papers that eventually turned into a book called The Datacenter as a Computer: An Introduction to the Design of Warehouse-Scale Machines. In it Google details how they operate entire warehouses filled with row upon row of racks on top of racks of servers and treat it as a single entity. Unikernels deal with the reality that the cloud, for many companies, is the new operating system even though developers still micromanage hundreds to thousands of fake virtual machines pretending they are real even if the intention is to only run a single application.

There is a new age of virtualization finally breaking the shackles of decades of stagnation in the operating system space. Unikernels arent just providing better security and higher performance at a lower cost, they are breaking long standing barriers that applications have been constrained to because of their dependence on systems built and architectures designed, in some cases, before the software developers using them were even born.

To learn more about NanoVMs or about how you might invest, check out https://invest.nanovms.com.

Read this article:
This Company is Aiming to Do to the Guest what VMWare and AWS Did to the Host - GeekWire