Skip to main content

OpenSSF launches Open Source Consumption Manifesto

OpenSSF created the Open Source Consumption Manifesto (OSCM) with the main objective of enhancing the utilization of open-source software.

Similar to the Agile Manifesto, OSCM is based on core values and comprises 15 guiding principles for using open source. It is designed to be a continuously evolving document, according to the Open SSF. 

Open Source Software (OSS) is a valuable resource that has greatly enhanced efficiency and innovation. However, not all OSS projects are the same. Some are poorly maintained, lack security standards, or carry risks. Just like any software, OSS has its flaws. Despite this, most organizations lack a strategy for consuming OSS effectively, according to the OpenSSF.

Unlike the scrutiny applied to third-party software, OSS often isn’t subject to the same level of evaluation for security, code quality, and licensing. This oversight is concerning since the risks associated with OSS can be significant, according to the OpenSSF End Users Working Group in a blog post. While third-party software is unlikely to contain malicious content, for those unaware of the intricacies of OSS, the moment of download is where risks emerge.

“We have observed that 96% of the time when a vulnerable component is downloaded, there is already a fixed version available, and nearly two years [after] log4shell, 30% of the downloads are of the known vulnerable versions. This is supporting evidence that the large amounts of open source software is consumed without a defined process or awareness,” Brian Fox, co-founder and CTO at Sonatype, told SD Times. 

The OpenSSF End Users Working Group took on the task of manifesting the change they wished to observe. This initiative acted as a seed sown during meaningful discussions. Over time, this seed evolved into what is now the Open Source Consumption Manifesto.

“The intention of the OSCM isn’t dogma. In fact, we aim for it to be the opposite. It represents an effort from weeks of conversation with input from many disciplines. This resulted in a collaborative collection of best practices forged through experience. And by experience, we mean our own failures and successes,” OpenSSF stated in the blog post. “The OSCM carries an intention of inclusion. It has changed over the course of our discussions, and we invite your future changes as well. Most of all, we hope the values and principles contained in the OSCM prove helpful. And that it serves as a guide to better open source consumption in your organization.”

One of the key points in the manifesto includes improving open-source consumption via audit and quarantine functionality for components matching known vulnerabilities and malicious packages.

“The only way to counter the intentionally malicious component threat is to have systems in place to monitor what components are being consumed. Pairing that with data and behavioral feeds allows your systems to make real time decisions on if something should be allowed, or quarantined pending deeper analysis,” Fox added. “This can buy time for confirmation of actual malicious intent. I like to compare this to credit card fraud systems that evaluate your transactions in real time and make a judgment call to allow, deny or send you a text to confirm if a transaction is outside of your typical spending patterns.”

To begin their observability journey, organizations should first list their applications based on their importance. Following this, they should compile an inventory of the OSS used within those applications, often done through software bills of materials, and identify the different suppliers. Without these steps, addressing the 96% problem mentioned earlier is challenging. Many development teams currently lack these essential elements, according to Fox. 

Next, it’s advisable to pinpoint instances where you might be employing multiple suppliers for a single function, like using various logging frameworks. Following this assessment, organizations should determine the most suitable suppliers by evaluating their secure software development practices. This evaluation should consider factors such as known vulnerabilities, software age, popularity, average time for fixing issues, and more, he added. 

“Each organization will be different though, and will need to make its own choices based on the analysis above. However, there are some obvious points like finding known critical vulnerabilities in an application that manages PII data would be outside most risk tolerances,” Fox said. “With all of the above, you can build the foundation of an OSS consumption policy. But you’re only part of the way there. That needs to be integrated across the SDLC, from development to CI/CD, and often most importantly, release.”

The full list of points in the manifesto is available here.

The post OpenSSF launches Open Source Consumption Manifesto appeared first on SD Times.



from SD Times https://ift.tt/V7c6br1
Labels:

Comments

Post a Comment

Popular posts from this blog

Difference between Web Designer and Web Developer Neeraj Mishra The Crazy Programmer

Have you ever wondered about the distinctions between web developers’ and web designers’ duties and obligations? You’re not alone! Many people have trouble distinguishing between these two. Although they collaborate to publish new websites on the internet, web developers and web designers play very different roles. To put these job possibilities into perspective, consider the construction of a house. To create a vision for the house, including the visual components, the space planning and layout, the materials, and the overall appearance and sense of the space, you need an architect. That said, to translate an idea into a building, you need construction professionals to take those architectural drawings and put them into practice. Image Source In a similar vein, web development and design work together to create websites. Let’s examine the major responsibilities and distinctions between web developers and web designers. Let’s get going, shall we? What Does a Web Designer Do?
Post a Comment
Read more

A guide to data integration tools

CData Software is a leader in data access and connectivity solutions. It specializes in the development of data drivers and data access technologies for real-time access to online or on-premise applications, databases and web APIs. The company is focused on bringing data connectivity capabilities natively into tools organizations already use. It also features ETL/ELT solutions, enterprise connectors, and data visualization. Matillion ’s data transformation software empowers customers to extract data from a wide number of sources, load it into their chosen cloud data warehouse (CDW) and transform that data from its siloed source state, into analytics-ready insights – prepared for advanced analytics, machine learning, and artificial intelligence use cases. Only Matillion is purpose-built for Snowflake, Amazon Redshift, Google BigQuery, and Microsoft Azure, enabling businesses to achieve new levels of simplicity, speed, scale, and savings. Trusted by companies of all sizes to meet
Post a Comment
Read more

2022: The year of hybrid work

Remote work was once considered a luxury to many, but in 2020, it became a necessity for a large portion of the workforce, as the scary and unknown COVID-19 virus sickened and even took the lives of so many people around the world.  Some workers were able to thrive in a remote setting, while others felt isolated and struggled to keep up a balance between their work and home lives. Last year saw the availability of life-saving vaccines, so companies were able to start having the conversation about what to do next. Should they keep everyone remote? Should they go back to working in the office full time? Or should they do something in between? Enter hybrid work, which offers a mix of the two. A Fall 2021 study conducted by Google revealed that over 75% of survey respondents expect hybrid work to become a standard practice within their organization within the next three years.  Thus, two years after the world abruptly shifted to widespread adoption of remote work, we are declaring 20
Post a Comment
Read more