/PRNewswire/ Spectral, the developer-first cybersecurity company, announced that it has become a contributor to the Open Source Security Foundation (OpenSSF).
Citi: "Working with the open source community is a key component in our security strategy, and we look forward to supporting the OpenSSF in its commitment to collaboration," said Jonathan Meadows, Citi's Managing Director for Cloud Security Engineering.
Comcast: "Open source software is a valuable resource in our ongoing work to create and continuously evolve great products and experiences for our customers, and we know how important it is to build security at every stage of development. We're honored to be part of this effort and look forward to collaborating," said Nithya Ruff, head of Comcast's Open Source Program Office.
David A. Wheeler, the Linux Foundation's Director of Open Source Supply Chain Security, explained that in the Orion attack the malicious code was inserted into Orion by subverting the program's build environment. The build environment is the process in which a program is compiled from source code into the binary executable that end users deploy. In this case, the security company CrowdStrike worked out that the Sunspot malware watched the build server for build commands and silently replaced some of Orion's source code files with malware.
By entering the program before it's even properly a program, this hack makes most conventional security advice useless. For example,
As part of its involvement in the recently announced Open Source Security Foundation (OpenSSF), Google has penned a blog post outlining one of the first steps it will take as part of this group: an attempt at finding critical open source projects.
“Open source software (OSS) has long suffered from a ‘tragedy of the commons’ problem,” they write. “Most organizations, large and small, make use of open source software every day to build modern products, but many OSS projects are struggling for the time, resources and attention they need.”
So, as a way to address this problem and help fund the projects that need funding, Google is releasing the Criticality Score project. The tool assigns each project a criticality score (a number between 0 and 1) that is “derived from various project usage metrics” such as “a project’s age, number of individual contributors and organizations involved, user involvement (in terms of new issue requests and updates), and a rough e
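To make the "number between 0 and 1 derived from usage metrics" concrete, here is an added example that is not code from the page or from Google's Criticality Score project: each signal is log-scaled and saturates once it reaches a threshold, and the signals are then combined as a weighted average so the result stays in [0, 1]. The shape of the formula follows the one the criticality_score project published, but the metric names, weights, thresholds and sample project data below are assumed values for illustration, not the project's defaults.

```python
import math

# Assumed illustrative weights (alpha_i) and thresholds (T_i) for the kinds of
# metrics the page names (age, contributors, organizations, issue activity,
# dependents). These are NOT the criticality_score project's real defaults.
METRICS = {
    # metric name: (weight, threshold at which the signal saturates)
    "created_since_months": (1.0, 120),
    "contributor_count": (2.0, 5000),
    "org_count": (1.0, 10),
    "updated_issues_count": (0.5, 5000),
    "comment_frequency": (1.0, 15),
    "dependents_count": (2.0, 500000),
}


def criticality_score(signals, metrics=METRICS):
    """Return a score in [0, 1] for one project.

    Each raw signal S_i is mapped to log(1+S_i) / log(1+max(S_i, T_i)), which is
    0 for a zero signal and exactly 1 once S_i reaches its threshold T_i. The
    mapped signals are combined with weights alpha_i and divided by the sum of
    the weights, so a project at or above every threshold scores 1.0.
    Missing signals count as 0; thresholds must be >= 1 so log1p never yields 0.
    """
    total_weight = sum(weight for weight, _ in metrics.values())
    score = 0.0
    for name, (weight, threshold) in metrics.items():
        value = max(0.0, float(signals.get(name, 0)))
        score += weight * math.log1p(value) / math.log1p(max(value, threshold))
    return score / total_weight


def rank_projects(projects, metrics=METRICS):
    """Return (name, score) pairs, most critical first, for funding triage."""
    scored = [(name, criticality_score(sig, metrics)) for name, sig in projects.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample signals for two hypothetical projects (not real data).
SAMPLE_PROJECTS = {
    "widely-used-lib": {"created_since_months": 130, "contributor_count": 800,
                        "org_count": 12, "updated_issues_count": 1500,
                        "comment_frequency": 9, "dependents_count": 90000},
    "weekend-tool": {"created_since_months": 6, "contributor_count": 1,
                     "org_count": 1, "updated_issues_count": 3,
                     "comment_frequency": 0, "dependents_count": 0},
}

if __name__ == "__main__":
    for name, score in rank_projects(SAMPLE_PROJECTS):
        print(f"{name:18s} {score:.3f}")
```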