Written Offer for Source Code

For third party technology that you receive from Oracle in binary form which is licensed under an open source license that gives you the right to receive the source code for that binary, you can obtain a copy of the applicable source code from this page. If the source code for the technology was not provided to you with the binary, you can also receive a copy of the source code on physical media by submitting a written request to:

Or, you may send an email to Oracle using this form. Your request should include:

We may charge you a fee to cover the cost of physical media and processing. Your request must be sent (i) within three (3) years of the date you received the Oracle product that included the component or binary file(s) that are the subject of your request, or (ii) in the case of code licensed under the GPL v3, for as long as Oracle offers spare parts or customer support for that product model.

See original here:
Source Code for Open Source Software Components - Oracle

The Linux Foundation and edX are making a self-paced, open-source course on container technology available to students anywhere in the world.

edX is a provider of massively open online courses (MOOCs), most of which are free, with the option to pay to receive a certification. edX was originally started by Harvard and MIT and has now partnered with dozens of education and non-profit organizations to bring university-level online courses to people all over the world.

One of those organizations is the Linux Foundation, which offers more than 50 courses about Linux and other open-source softwares topics on the edX website.

The Linux Foundation is a non-profit technology consortium that promotes the use of the open-source operating system Linux. It originally began in 2000 as the Open Source Development Labs (OSDL) and later became the Linux Foundation when OSDL merged with the Free Standards Group (FSG).

The Linux Foundation works to promote the growth and commercial adoption of the Linux operating system. It also facilitates collaboration on open-source software projects and promotes diversity and inclusion in the Linux community. As part of its mission, the Linux Foundation offers various training courses and resources to help amateurs and experts alike learn more about Linux.

SEE: 40+ open source and Linux terms you need to know (TechRepublic Premium)

The Linux Foundation has partnered with edX to host its Linux courses on the edX website. Because edX is largely free, it fits well with the Linux Foundations mission to promote open-source software and make it as accessible to as many people as possible.

All told, the Linux Foundation offers more than 50 courses on the edX website, ranging from beginner to advanced. The topics arent just confined to Linux and cover multiple other subjects, including DevOps and FinOps and open-source software platforms such Kubernetes, Jenkins, GraphQl and more. The foundation also offers seven professional Linux certifications that bundle related Linux Foundation courses into a targeted education experience.

Its impossible to cover all of the 50+ Linux Foundation courses hosted on edX, but we wanted to highlight a few of them here to give you a sense of the depth and diversity of the course offerings currently available. For this list, we will specifically be focusing on the Linux classes, but there are many other excellent courses offered by the Linux Foundation that are also worth exploring.

If you are brand new to the world of Linux, then you cant go wrong with this Introduction to Linux course, which boasts more than 1 million in enrollment; there is also a Spanish language version available as well. The self-paced class is designed to be spaced across 14 weeks, with approximately five to seven hours of lessons and homework each week.

Topics covered include how to navigate through major Linux distributions, system configurations and graphical interface of Linux, basic command-line operations, and common applications of Linux. By the end, participants should have a good working knowledge of Linux and be ready to move onto more advanced lessons.

This self-paced course on Linux Tools for Software Development is designed to take place over 14 weeks for one to two hours a week. While this course is still classified as an introductory level, the instructions say that in order to make the most of it, you should ideally have experience as a developer on any operating system, though not necessarily Linux. Experience in working at the command line is not necessary but would be helpful.

In this course, participants will learn how to use essential command-line tools for everyday tasks as well as construct scripts and perform complicated tasks in an automated way. They will also discuss how Linux works with various types of file systems, compile programs in Linux, and use different types of shared and static libraries. Finally, they will build packages out of software in Linux in both RPM and Debian systems, so it can be distributed to other developers of Linux distributions.

This self-paced course on Open Source Software Development: Linux for Developers is designed to take place over 14 weeks for one to two hours a week. While this course is still classified as an introductory level, the instructions say that in order to make the most of it, you should ideally have experience as a developer on any operating system, not necessarily Linux. Experience in working at the command line is not necessary but would also be helpful. You will also need a computer installed with a current Linux distribution, either a physical computer or a Linux virtual machine.

Participants will leave the course with a good understanding of Linux systems and utilities. They should be able to work comfortably at the command line and discuss the key concepts involved in developing open-source software. The course will also review open-source software licensing issues and cover the known best practices for long term sustainability of projects.

Dont have an edX account and want another way to learn about Linux? Check out our Linux course roundups featuring classes on Udemy, LinkedIn Learning and Skillshare and start your Linux education todayfrom the comfort of your home.

Visit link:
Learn Linux online for free with Linux Foundation Courses from edX - TechRepublic

Teach devs security fundamentals to bolster supply chain resilience, argues Wheeler

Addressing a decades-old deficiency in coding curriculums could have a profound effect on the security of the software supply chain, a leading expert on the subject tells The Daily Swig.

In particular, David A Wheeler, director of open source supply chain security at the Linux Foundation, draws a link between a failure to incorporate security into entry-level developer courses and the vast majority of vulnerabilities belonging to a small number of common bug classes.

The IT PhD and Certified Information Systems Security Professional (CISSP) also moonlights as adjunct professor of computer science at Virginias George Mason University, and in 2020 concluded a 33-year spell at the US Institute for Defense Analyses.

Daily Swig: David, can you summarize your background and what your current roles involve?

David A Wheeler: Ive loved computers since junior high school and paid my way through school doing computer consulting. I also briefly maintained the worlds first commercial, entirely text-based multiplayer roleplaying game, Scepter of Goth.

Now I teach at George Mason University on how to develop secure software which Ive studied over many decades.

Most of my work is with the Open Source Security Foundation, OpenSSF [whose members include AWS, Google, and Microsoft]. I view my role as being a kind of catalyst or accelerant. I can run around as a subject matter expert to help organizations improve the security of their software.

David A Wheeler has studied the secure development of software for decades

DS: And what are the biggest barriers to improving application security?

DAW: The fundamental problem is that we do not teach software developers how to write secure software.

I don't care if its a separate course or embedded [in other coding courses] that's not the question. The question is: when software developers are learning the basics of their craft, do they learn the basics of developing secure software? And the answer is mostly no.

A 2019 Forrester study found that none of the top US coding schools and none of the top five non-US computer science schools were teaching this. Another study found that only one school did at UC, San Diego. So good for them, shame on the rest.

DS: Lets imagine all coding schools immediately revamped their courses to incorporate security fundamentals. Would we see a steady fall in vulnerabilities as a new wave of security-savvy developers emerge?

DAW: Its generally estimated that somewhere between 90% to 95% of all vulnerabilities are in a relatively small set of common ones [classes].

So, if you educate developers to prevent them systemically, and then use tools to find the stragglers, we can dramatically reduce by at least one order of magnitude and maybe two the number of vulnerabilities that actually slip out.

They can also find and fix the problems created in the past.

Right now, detection, response, and recovery is overwhelmed by the sheer number of vulnerabilities going into deployed systems, so it will be much easier to counter the attackers when vulnerabilities are much rarer. And that's really the argument of shift left in general: the sooner you can get rid of the problems, the better.

DS: Why is security neglected in the coding curriculum given the potentially severe consequences of software vulnerabilities?

DAW: Our educational system does not always respond to societal needs. There was an open letter written by Oracle and some other folks 10, 15 years ago or so, where they basically begged universities [to educate them properly].

But sometimes they [universities] want to teach what they want to teach, and it doesnt matter what societys needs are.

DS: Could this partially reflect the fact that many educators learned their craft when cyber threats were less numerous and severe?

DAW: On the [early] internet people were mostly connected to folks they felt they could trust. But once you saw this growth of the internet and the worldwide web running on top of it in the 90s, then very quickly [they realized] no, you cant just trust arbitrary computers you connect to.

But educational conservatism isnt all bad. Its actually sensible to teach things that have stood the test of time, which security has. The fundamental [computing] design principles have been known [about] since the 1970s.

RECOMMENDED Security teams often fight against developers taking control of AppSec: Tanya Janca on the drive to DevSecOps adoption

DS: Might there be a commercial incentive at work that favours coding quickly over coding securely?

DAW: Maybe to some extent for the for-profits, but I think the bigger for-profit issue is that if you know how to do [secure development], you can probably earn double or triple in industry [compared to teaching]. Youre not gonna teach.

I teach, but thats my side hustle. I enjoy teaching. George Mason University is 20 minutes from me and more connected to industry than some other universities.

DS: How do we persuade or incentivize education providers to embed security into coding courses?

DAW: I think this is a solvable problem basically, society needs to scream more loudly.

The US spends a tremendous amount of money financing degrees, including computer science. If were gonna pay, maybe we could have some criteria?

DS: Could the impetus behind shifting left or DevSecOps help persuade education providers to change emphasis?

DAW: I would like to think so, but I think its much more societal and industry pressure continuing over a period of time [that will make the difference].

Right now DevSecOps [is practised properly by] a minority, and we need to make sure that [secure development is practised] not just the majority, but is [a baseline] expectation [of all developers].

Developers are not being taught general security principles let alone how to apply them, says Wheeler

Years ago, I pushed really hard to get security added to a course on software engineering and after a lot of pressure and debate [the provider] finally added the word security no content, just that security might be important!

The ACM software engineering curriculum guidance at least does talk about knowing how to develop secure software, but lacks key specifics.

But I'm willing to believe that with continued emphasis we can get academia and many other organizations on board with making sure that software developers know the fundamentals.

DS: What fundamentals should newbie developers be taught?

DAW: What are the common problems? How do we prevent them in general? How do you design software so its less likely to be attacked? And what kind of tools can help developers to deal with that?

These general principles and the ability to apply them are important [skills] but lacking today.

Read more secure software development news

The first thing I did when I joined the Linux Foundation in 2020 as an employee was develop a course on developing secure software fundamentals. Thousands of people have now signed up.

George Mason University initially agreed to do my course every other semester, and very quickly, it's in every semester its in demand.

But its an optional graduate course. We do need, in society, people who drill in deeper and [become experts], but we also need every developer to know the basics.

DS: How important is it that developers understand how to use security tools?

DAW: If youre doing DevOps, you pretty much need a CI pipeline, and this is an obvious place to insert security tools. But if the developer doesn't know what theyre doing, they wont know what the tool is telling them and what to do about it.

A fool with a tool is still a fool. Theyre not stupid it's just that no one has told them. Education and tooling go hand in hand.

The tools are going to miss things or report things that are not actually problems in context. Computer programs dont cant know the full context.

But as long as developers know which tools to use and how, then they can do [some] amazing things.

DS: Finally, anything to say on OpenSSFs various initiatives aimed at bolstering software supply chain security?

DAW:Whether its industry, academia or governments, were all using open source software, so my first pitch would be: get involved with the OpenSSF. We would love to see more people involved.

I was deeply involved in the concise guides for developing secure software and evaluating open source software. And earlier, the OpenSSF published guides for open source projects and security researchers on [handling] coordinated [vulnerability] disclosure.

The Alpha-Omega Project has funded the Python Software Foundation and is funding Eclipse, Node... Theyre announced a new partnership with Rust. They've released some tools for finding vulnerabilities again, trying to shift left.

Theres also some funding for SBOM work, a tool for a Python library for SPDX [Software Package Data Exchange], and an [enterprise] end users working group kicking off.

RELATED Developers still struggling with security issues during code reviews, study finds

Read the original here:
We dont teach developers how to write secure software Linux Foundations David A Wheeler on reversing the CVE surge - The Daily Swig

At a glance.

Jeremy Fleming, director of the UK Government Communications Headquarters, gave a rare speech in London on Tuesday warning the public that Beijing has deliberately and patiently set out to gain strategic advantage by shaping the worlds technology ecosystems. The spy chief said that Chinese Communist Party leadership has plans to use digital currency and satellites, among other existing and emerging technologies, to further its control over global markets and extend its surveillance capabilities around the world.

Fleming also claimed that Chinese efforts to build a central-bank digital currency could allow officials to monitor transactions and potentially evade future international sanctions. Describing the rising threat as the national security issue that will define our future, he also indicated that the Chinese government plans to leverage its tech exports to create client economies and governments and aims to spread its authoritarian practices to other nations. Fleming warned that unless lawmakers invest in emerging security technologies like quantum computing, the divergent values of the Chinese state will be exported through technology.

Mao Ning, a spokeswoman for Chinas Foreign Ministry, denied Flemings claims at a Tuesday daily briefing, stating, The remarks of the British official have no factual basis at all. Chinas technological development is aimed at making lives better for the Chinese people. It does not target anyone, still less pose any threat. Western officials have been sending warning signals about the potential use of equipment exported from Chinese tech leader Huawei Technologies Co. for digital espionage, but both Huawei and Beijing have denied these accusations.

In a bipartisan decision, the US Senate Homeland Security Committee has approved the Securing Open Source Software Act 2022, legislation that calls on the Cybersecurity and Infrastructure Security Agency (CISA) to create a risk framework regarding the use of open source code within the government and critical infrastructure agency. Prompted by the infamous Log4j vulnerability, the draft act requires CISA to hire experts who are able to identify and remediate vulnerabilities in open source code, and any open source software being used will be continuously monitored and checked by CISA. The act also directs some agencies to create in-house open source programs.

"This software needs curation to be secure and the responsibility for that curation lies firmly with the user, in this case our public sectors across the globe," Amanda Brock, CEO of not-for-profit group OpenUK, told Computing. However, as Brock noted, the bill is unclear about how CISA will coordinate this framework, especially when third-party services are involved. "Where there is payment associated with open source software, that is not for the software itself, and understanding that is key. Liability for these - as with any paid for services - rests with the provider, but these are part of the act of curation that all end users need to ensure," Brock added. The draft act will need to be passed by the full Senate before becoming law, but some experts say regardless, clouding companies might take it upon themselves to implement heightened security measures. "I strongly suspect the cloud provider industry will actually solve this meaningfully sooner than the government will, said Michel Isbitski, director of cybersecurity strategy at cloud security firm Sysdig. They have to because of the amount of open source software they use in their offerings. They also have the benefit of scale on their side."

US policymakers gathered yesterday in Washington, DC for Fintech Week, where the Financial Stability Board, which coordinates international financial regulation, is expected to share its plan for regulating the cryptocurrency market. The Washington Post explains that although the board has no power to set legislation, its recommendations have motivated lawmakers in the past. Its fair to say the US wants to lead on this globally and largely has been leading on it, said Patrick Dougherty, a former Securities and Exchange Commission lawyer who is now on the board of the Global Digital Asset and Cryptocurrency Association. The White House is also calling for a crackdown on the illicit use of digital assets, and last week, the Financial Stability Oversight Council issued a warning urging lawmakers to restrict cryptocurrency use before it threatens global finance systems. The board will also examine issuing rules for the use of stablecoins after the fall of the Terra stablecoin in May led to a massive downturn in the crypto market. The cryptocurrency industry continues to push back at the possibility of regulation, with industry group the Crypto Council for Innovation warning that a heavy-handed approach could cut this technology off at its knees.

Read more here:
GCHQ chief warns of Chinese . US open source software bill advances. Financial Stability Board on crypto regulation. - The CyberWire

Blockchain is one of those technologies that has garnered support from many institutions, and it is being touted as a potential solution to some of these problems. The blockchain sector has been growing with the help of open-source technology, as people have become more aware of problems within our current systems and how much better they could be if we made some changes. If you are interested in trading Bitcoin, use a reputable trading platform like the Bitcoin 360 Ai platform.

There is still work to be done before we can say blockchain is revolutionary, but it seems like a helpful technology worth exploring. Innovation may be the biggest issue with supply chains, and blockchain could solve this problem.

There is not a lot of innovation in supply chains because they are international and global in scope. Because so many parties are involved, it is difficult to innovate in addition to geographical constraints. Blockchain technology would address this issue by allowing all participants to communicate seamlessly without going through third parties or intermediaries.

The technology operates on a peer-to-peer basis where transactions do not require intermediaries with a plan. Transparency also contributes to the innovation problem as everyone can access all the information about what is happening in their ecosystem anytime. Lets explore how blockchain has expanded its root in different industries.

What are the advantages of open-source technology?

A significant advantage of open-source technology is that it is collaborative. Many people working together on a common goal would result in a competitive ecosystem and superior results. The quality of an open-source technology would be better than the best effort of any single source. Open-source technology is also readily available to everyone; anyone can use it without paying for licenses, royalties or other expenses.

Open-source technology was initially developed in the 1970s as an alternative to company restrictions regarding how many were using their products and for how long. Open source software was first released in 1983 by a programmer called Richard Stallman, whose idea was to make software free of licensing fees and restrictions.

Security in blockchain due to open source technology:

Another advantage of open-source technology is that the source code is always visible to developers and programmers that use the technology. Any bugs or loopholes in the source code can be easily identified or discovered through users peer reviews of blockchain networks. Security comes with familiarity, and open-source in blockchain makes it easy for enterprise customers to understand how their data is protected, how compliant they are with regulations, and who has access to their data at any time.

Open-source blockchain databases are very secure, and users can access the same source code used by hyper ledger, Ethereum and distributed ledger technology companies. As a result, blockchain is safe, secure, scalable and reliable. Furthermore, using open-source technology, enterprises can collaborate in developing their blockchain solutions without paying licensing fees or being concerned about intellectual property theft.

Blockchain has come a long way:

Blockchain has become an industry standard, with many organizations adopting it worldwide for their business needs. Blockchain networks have matured and scaled up due to the efforts of numerous developers and enthusiasts. The technology has become more reliable as innovative solutions are developed for issues often associated with inefficiencies, such as decentralization, security and transparency.

Blockchain technology has provided enterprises with a platform to understand how organizations can use open-source software to solve business issues presented by the vast amounts of data generated within their enterprise. In addition, because blockchain is a distributed ledger system, it is highly safe and secure. As a result, there is little need for double spending or fraud by eliminating third-party intermediaries such as banks or credit card processors when processing transactions.

Industries that are readily adopting blockchain:

Many industries are already adopting blockchain technology to handle tasks that require a distributed ledger database with multi-signature transactions. For example, ICOs and cryptocurrency transactions have been recorded for years and are now used for fundraising.

Real estate has also started using blockchain technology to track land registries and reduce costs incurred from paper records that result in mismanagement or fraud. As the world becomes more digitized, a secure database is becoming more apparent, especially in banking and finance. Both parties require a transparent database of transactions when dealing with each other.

Healthcare is another industry looking to blockchain technology to build secure, efficient and transformational solutions. Medical records are one area of the healthcare industry where blockchain can potentially transform the system. Hospitals and clinics are using blockchain technology to digitize medical records and make them more secure than paper ledger books used in the past.

Open-source technology has also been introduced for disaster management. A single store of information is kept for each community instead of a central repository vulnerable to malicious attacks or data loss.

Read the original here:
The Blockchain Sector is growing with the help of Open-Source Technology - Wales 247