The Linux Foundation

Decentralized innovation, built on trust.

Academy Software Foundation: Digital Transformation of the Entertainment Industry is Driven by Open Technology and a Visionary, Inclusive Community

Tue, 03/15/2022 - 21:00

In a new case study released by Linux Foundation Research, in collaboration with the Academy Software Foundation, entitled Open Source in Entertainment: How the Academy Software Foundation Creates Shared Value, we learn a compelling story of how open technology and the people who create visual effects (VFX) for motion pictures transformed a highly competitive industry.

The Academy Software Foundation (ASWF) was formed as an entertainment industry collaboration with the Academy of Motion Picture Arts & Sciences, the organization behind the Academy Awards (aka the Oscars). ASWF has been steadily releasing contributed software projects since its inception in 2018. Four projects are fully adopted, and six are in incubation.

Adopted Projects
  • OpenVDB is an industry-standard library for manipulating sparse dynamic volumes used by visual effects studios to create realistic volumetric images such as water/liquid simulations and environmental effects like clouds and ice. 
  • OpenColorIO is an industry standard for consistent color management across VFX and animation pipelines used on hundreds of feature film productions. It touches nearly every pixel of every visual effects frame in most major motion pictures. 
  • OpenEXR is a standard HDR image file format for high-quality image processing and storage, one of the foundational technologies in computer imaging. 
  • OpenCue is an open source render management system used to break down complex jobs into individual tasks. 
Incubating Projects
  • OpenTimelineIO is an Open Source application programming interface and interchange format for editorial timeline information.
  • MaterialX is an open standard for exchanging rich material and look-development content across applications and renderers. 
  • Rez is an open source, cross-platform package manager that creates standalone configured environments for third-party and proprietary digital content creation software. 
  • DPEL is the Digital Production Example Library, a library of digital sample assets that content creators can use for instructional purposes.
  • RawtoACES is a software package that converts digital camera RAW files to ACES container files containing image data encoded according to the Academy Color Encoding Specification (ACES).

The entertainment industry now has a home, process, and governance structure to manage open source projects essential to movie, television, and gaming production. Any new project can be proposed, and projects are managed according to a project lifecycle policy that provides various requirements and project benefits. Many ASWF projects have been foundational to creating visual effects and major motion pictures in their entirety. These elements continue to thrill audiences around the world.

In addition to hosting technologies for the entertainment industry, the ASWF provides a neutral forum to coordinate open source project efforts, a common build and test infrastructure, open governance, more consistent open source licensing, and a clear path to participation for individuals and organizations wanting to advance the open source ecosystem for the motion picture industry. 

In doing so, the ASWF has brought together leading studios such as DreamWorks Animation, Sony Pictures Imageworks, Walt Disney Studios (including Pixar, LucasFilm, Industrial Light & Magic, Blue Sky Studios), Warner Bros., DNEG, Netflix, and technology vendors that support the film and gaming industries. 

Open Source collaboration in the entertainment industry was not always such a pretty picture

Circa 2014, the motion picture industry faced fragmented software infrastructure issues, with proprietary solutions not based on open source software or running on open source operating systems. These platforms were also not providing the innovation needed to create the landmark films and television programs we enjoy today. As a result, each VFX and film studio had to build its own tools.

The studios had a core desire to move from their closed systems to more open ones like Linux. However, the motion picture industry’s challenges were not about accepting open source software but about getting the industry ecosystem to participate and collaborate in open environments. 

As we learn in the case study, at visual effects studios such as SONY Pictures and ILM, there were no common build systems outside any company’s networks, so it became increasingly difficult to figure out the proper instructions to build the open source software that any industry contributor had released. 

It was challenging to align dependencies and versions, leading to “versionitis” as projects required different versions of dependencies. Additionally, when maintainers left a company that “owned the project,” the codebase languished – such was the case with SONY DreamWorks’ OpenColorIO and ILM’s OpenEXR software, as detailed in the report.

As a result, studios were reluctant to take dependence on other companies’ projects and even more unwilling to contribute their intellectual property back to another company’s project. Add in a layer of one-sided contribution agreements, modifications to standard open source licenses, and other legal impediments. It was clear the status quo could not scale to meet the industry’s growing needs. 

The entertainment industry’s open source ecosystem depends on its people

As detailed in the report, the Academy and Linux Foundation spent nearly two years working with industry stakeholders to build a better, collaborative solution, resulting in the ASWF and its associated projects. None of the success that ASWF now enjoys would have been possible without the engineers, the software developers, and the filmmakers that support the underlying ecosystem. And participating in this ecosystem has tangible benefits for the contributors.

ASWF has also become a focal point for driving new interest in software development in the motion picture industry and recognizing the contributions of its community members thanks to the “Behind the Screens” interview series featuring over two dozen software developers in the industry, along with the launch of a Diversity and Inclusion working group to raise the profile of underrepresented people in these roles.

While the ASWF has made great strides since its inception in 2018, it is still a young organization, but it has found its place in the industry. Diversity and Inclusion initiatives are leading the way in educating the entertainment industry so that it can attract more diversity within its ranks. New efforts underway, such as DPEL (formerly Open Asset Repository), will provide sample content to help new and aspiring content creators learn the trade.

Why is this research so valuable? We’ve seen related examples in telecommunications, energy, automotive, and public health, where many of these projects started as individual efforts looking for a neutral home at the Linux Foundation. Over time, these communities of competitive contributors found it beneficial to collaborate. 

Although the entertainment industry has unique requirements for its vertical applications, the story behind the creation of the ASWF can serve as a “roadmap” for leaders in other industries to get a win-win by shared investment and collaboration in open technologies. Open source in entertainment is another example of open source value creation. Read the full report HERE.

The post Academy Software Foundation: Digital Transformation of the Entertainment Industry is Driven by Open Technology and a Visionary, Inclusive Community appeared first on Linux Foundation.

Block Joins the Linux Foundation

Fri, 03/11/2022 - 05:41

You know Block – but you may not know that you know the company. After changing their name in December from Square, Inc. to Block, the company is made up of Square, Cash App, TIDAL, Spiral, and TBD54566975. We are excited to announce that Block joined the Linux Foundation as a Silver Member.    

At their core, Block is a global technology company with a focus on financial services. They work to help diverse audiences—sellers, individuals, artists, fans, developers, and all the people in between—overcome barriers to access the economy. From enabling sellers to adapt to a new, contactless and omnichannel economy, to finding new ways for musicians to get paid and pursuing many crypto initiatives aimed at improving the Bitcoin ecosystem, they are innovating every day to help shape a more inclusive economy of the future. 

Collaboration is a priority for them—they understand the value it brings to innovation as they pursue their purpose of economic empowerment. Consequently, they want to build and collaborate in the open, making their partnership with the Linux Foundation a natural fit. The Linux Foundation helps communities and corporate participants collaborate at scale on open source projects that are critical to organizations like Block.

Max Sills, a leader in open source partnerships and legal issues, and Counsel at Block, explains, “At Block, we believe everyone deserves to participate in the economy, and a critical portion of that work is pursuing a decentralized and permissionless future for financial services. The open source model is directly aligned with this mission. As we continue building our blockchain initiatives, we’re proud to join the Linux Foundation to drive access and empower people around the world.”

It may seem counterintuitive for a financial services company to want to develop in the open, but Block recognizes open and secure go together. They know that community is strength, and they understand strength comes from working together. 

Jim Higgins, Block’s Chief Information Security Officer, said, “The open source model is a critical part of Block’s infrastructure, and building and operating in the open is a priority for us. The open source community is at a turning point, and we need to band together to iron out some of the snags to make software safe and accessible for everyone.”

The Linux Foundation empowers open source innovators. Jim Zemlin, Executive Director at the Linux Foundation said, “We know that innovation comes from everywhere and that the Open Source Community is addressing the challenges of industry and technology for the benefit of society. We are excited to have Block as a partner on this path.” 

FINOS and The Linux Foundation Partner with Fintech Week London, Strengthening European Presence

Wed, 03/09/2022 - 03:08

Registration opens for FINOS’ Open Source in Finance Forum (OSFF) London, taking place alongside partner event Fintech Week London 

London, UK – March 8, 2022 – FINOS, the Fintech Open Source Foundation and financial sector arm of the Linux Foundation, and The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced their partnership with Fintech Week London. Their annual event, Open Source in Finance Forum (OSFF), will take place in London on 13 July, during Fintech Week London, which will run from 11 – 14 July.

This partnership highlights the elevated presence of open source software and open collaboration in the financial services industry, and will allow attendees of both conferences an opportunity to learn more about integrating open source software into their technology strategies. Through partnering with Fintech Week London, FINOS bolsters its European footprint – one it is focused on expanding over the course of 2022.

“Partnering with Fintech Week London signifies the growing recognition and appetite for financial services and fintechs to adopt and contribute to open source,” said Gabriele Columbro, Executive Director of FINOS. “Each year, our goal with OSFF is to not only inspire attendees to foster the open source community within financial services, but also bring industry leaders from financial institutions, fintechs and the regulatory space together to discuss how open source can drive innovation across the industry. This partnership is a natural way to bridge the efforts of Fintech Week London and FINOS in fostering technological innovation in the financial services industry.”

The Open Source in Finance Forum is dedicated to driving collaboration and innovation in financial services through open source software and standards. The first iteration of this conference, previously known as the Open Source Strategy Forum, took place in 2017, and it has since then grown to become the flagship event for the fast growing open source movement in financial services and its unique challenges. OSFF will also be held in New York City, USA on 8 December. The call for proposals is open for both events – view suggested topics and submit talks for each event at the links provided here: 

“The momentum of financial institutions looking to and relying on open source technology to scale and grow their businesses is growing at a rapid rate.” said Jim Zemlin, Executive Director, The Linux Foundation. “Holding Open Source in Finance Forum London as part of Fintech Week London will allow us to make even more financial institutions – especially in the UK – open source ready.”

Fintech Week London shines a light on the most interesting topics in financial technology. Traditional financial institutions come together with fintechs and other financial services companies, in one of the world’s oldest leading financial districts. The event brings together high-street banks, challengers, technology giants, and disruptors, to discuss and showcase fintech’s global presence and the forces driving innovation in the industry.

“I’m very excited that we have the Open Source in Finance Forum as part of the official programme this year,” said Raf De Kimpe, CEO of Fintech Week London. “The overall theme for #FTWLondon 2022 is ‘The Coming of Age of the Fintech Industry’; the industry is moving past its infancy to be a full-blown player in finance services. With so many mergers, acquisitions and partnerships taking place, collaboration and innovation are cornerstones of our programme. A day dedicated to open source software and standards is essential to have a well rounded view on evolutions in the Fintech Industry for all our attendees. On the third day of Fintech Week London, etc.venues 133 Houndsditch will be transformed into the place to be for our attendees to learn how to best and safely leverage open source software to solve industry challenges.”

FINOS’ commitment to fostering the adoption of open source reaches beyond US institutions, with an even distribution of contributors in both the United States and Europe. In recognition of its strong European grassroots, FINOS actively invests in nurturing its relationships across seas. Partnerships such as this bring an increased awareness to the collaborative work of developers, contributors and financial institutions driving adoption around the world.    

“Collaborative efforts through open source adoption go far beyond US financial institutions,” said James McLeod, Director of Community for FINOS. “FINOS recognizes the potential power that world-wide collaboration possesses to drive innovation on a grand scale, and that’s why we continue to nurture relationships with our established European developers, financial organizations and fintechs. To continue this progression, we invest in forming new connections to support and expand the work being done by our community.”

Click here to learn more about and register for Open Source in Finance Forum London. To learn more about and register for Fintech Week London, please click here.

About FINOS

FINOS (The Fintech Open Source Foundation) is a nonprofit whose mission is to foster adoption of open source, open standards and collaborative software development practices in financial services. It is the center for open source developers and the financial services industry to build new technology projects that have a lasting impact on business operations. As a regulatory compliant platform, the foundation enables developers from these competing organizations to collaborate on projects with a strong propensity for mutualization. It has enabled codebase contributions from both the buy- and sell-side firms and counts over 50 major financial institutions, fintechs and technology consultancies as part of its membership. FINOS is also part of the Linux Foundation, the largest shared technology organization in the world. Get involved and join FINOS as a Member.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

Visit our website and follow us on Twitter, Linkedin, and Facebook for all the latest event updates and announcements.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

About Fintech Week London

The Coming of Age of The Fintech Industry

Fintech Week London shines a light on the most interesting topics in financial technology, with a 2-day conference at its core. Traditional financial institutions come together with fintechs and other financial services companies, in one of the world’s oldest leading financial districts: London. From high-street banks to challengers, technology giants to disruptors, this five-day event showcases some of the best that London and global fintech has to offer.

Mark your calendars for the second edition on July 11-15, 2022. 

To learn more about Fintech Week London, please visit our website: www.fintechweek.london


FINOS Media Contact:
Ross Stevens
Caliber Corporate Advisers for FINOS
ross@calibercorporate.com

Fintech Week London Media Contact:
Raf De Kimpe
Fintech Week London 
raf@fintechweek.london

DENT 2.0, Secure and Scalable Open Source Network Operating System Aimed at Small and Mid-Size Enterprises, Released

Wed, 03/09/2022 - 01:55

The DENT project is an open source network operating system utilizing the Linux Kernel, Switchdev, and other Linux based projects, hosted under the Linux Foundation. The project has announced that DENT 2.0 is available for immediate download.

The “Beeblebrox” release adds key features utilized by distributed enterprises in retail and remote facilities, providing a secure and scalable Linux-based Network Operating System (NOS) for disaggregated switches adaptable to edge deployment. This means DENT provides a smaller, more lightweight NOS for use at the small, remote edges of enterprise networks.

DENT 2.0 adds secure scaling with Internet Protocol version 6 (IPv6) and Network Address Translation (NAT) to support a broader community of enterprise customers. It also adds Power over Ethernet (PoE) control to allow remote switching, monitoring, and shutting down. Connectivity of IoT, Point of Sale (POS), and other devices is highly valuable to retail storefronts, early adopters of DENT. DENT 2.0 also adds traffic policing, helping mitigate attack situations that overload the CPU. 

“DENT has made great strides this past year and with its edge and native Linux approach, with a rich feature set for distributed enterprises like retail or remote facilities. DENT continues to expand into new use cases and welcomes community input with an open technical community, under the Linux Foundation,” said Arpit Joshipura, GM of Networking & Edge at The Linux Foundation.

DENT 2.0 Main Features to enable secure and scalable development

  • Secure scaling with IPv6 and NAT to appeal to a broader community of SME customers
  • PoE control to allow remote switching, monitoring, and shutting down
  • Rate limiting to protect against broadcast storms, creating a stronger OS under erroneous BUM (Broadcast, Unicast, Multicast) traffic

DENT enables enterprises to transition to disaggregated network switches and use cases available with the distributed enterprise and edge networking. The open source NOS provides key technology leverage in retail, a sector that is leading innovation in digital transformation. The Amazon public showcase of DENT hardware at re:Invent in November 2021 reached 20,000+ attendees.

“This new release of DENT 2.0 adds critical updates focused on smaller enterprise needs. This was the goal of DENT all along, and I would like to thank our members and the wider community for this broad, concerted effort to move DENT significantly forward,” said Steven Noble, DENT Technical Steering Committee Chair. “It’s not easy building a flexible, accessible network OS, and this is why I’m proud of all the effort and coordination by so many talented individuals. If you are looking for an open source disaggregated network OS, now is great timing for looking at DENT.”

Retail stores, warehousing, remote locations, enterprise, and Small and Mid-Size Enterprises are all ideal environments for DENT deployment. Wiring closets in many facilities are small. Staff expertise may be limited, and branch-office switches from leading suppliers can require costly contracts. DENT is easily deployed on white-box hardware in small spaces. It can be set up to support dozens of wireless access points and IoT sensors, creating a manageable network to track inventory, monitor shelf real estate, scan customer activity, and perform automated checkouts.

DENT premier members include Amazon, Delta Electronics Inc, Edgecore Networks, and Marvell. Important contributions to the DENT project have come from NVIDIA, Keysight Technologies, and Sartura.

“Delta has built complete white box networking platforms based on DENT technology, helping drive a disaggregation model in edge that offers cost and flexibility benefits to customers looking for OEM solutions,” said Charlie Wu, Vice President, Solution Center at Delta Networks. “The deployment of our 1G and 10G Ethernet switch boxes with Marvell’s Prestera® devices and the DENT OS in real world applications demonstrates the power of open source to accelerate technology innovation in networking.” 

“Edgecore Networks, as the premier member of DENT, is pleased to see the groundbreaking second release of DENT 2.0, enabling DENT community members to use the DENT’s simplified abstracts, APIs, drivers, to lessen development and deployment overhead,” said Taskin Ucpinar, Senior Director of SW Development. “This innovative product development approach enables the community to build robust solutions with minimal effort and immediately help System Integrators deploy a networking solution to remote campuses and retail stores.”

“As the chairing company for DENT Test Working Group, Keysight has partnered with the open-source community to host the system integration test bed in Keysight labs,” said Dean Lee, Senior Director Cloud Solution Team. “Being a neutral test vendor, we have worked with the community to harden the DENT NOS in multi-vendor interoperability, performance, and resiliency. We are delighted to contribute to the success and wide adoption of DENT.”

“Marvell is accelerating the build-out of Ethernet switching infrastructure in emerging edge and borderless enterprise applications, and DENT is a key component to our offerings,” said Guy Azrad, Senior Vice President and General Manager, Switch Business Unit at Marvell. “With DENT incorporated on our Prestera® switch platforms, we are currently enabling retailers to transform physical stores to smart retail connected environments that benefit consumers through easy and efficient in-store experiences.”

Download and test DENT 2.0: https://github.com/dentproject/dentOS

Additional DENT Resources

A Summary of Census II: Open Source Software Application Libraries the World Depends On

Mon, 03/07/2022 - 22:00

Introduction

It has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of any given modern software solution. FOSS is an increasingly vital resource in nearly all industries, in the public and private sectors, among tech and non-tech companies alike. Therefore, ensuring the health and security of FOSS is critical to the future of nearly all industries in the modern economy.

In March of 2022, The Linux Foundation, in partnership with the Laboratory for Innovation Science at Harvard (LISH), released the final results of an ongoing study, “Census II of Free and Open Source Software – Application Libraries.” This follows the preliminary release, “‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software,” in February 2020, and now identifies more than one thousand of the most widely deployed open source application libraries found from scans of commercial and enterprise applications. This study identifies which open source projects commonly used in applications warrant proactive analysis of operations and security support.

The completed report from the Census II study identifies the most commonly used free and open source software (FOSS) components in production applications. It begins to examine the components’ open source communities, which can inform actions to sustain FOSS’s long-term security and health. The stated objectives were:

  • Identify the most commonly used free and open source software components in production applications.
  • Examine for potential vulnerabilities in these projects due to:
      • Widespread use of outdated versions;
      • Understaffed projects.
  • Use this information to prioritize investments and other resources needed to support the security and health of FOSS.

What did the Linux Foundation and Harvard learn from the Census II study?

The study was the first to analyze the security risks of open source software used in production applications. It is in contrast to the earlier Census I study that primarily relied on Debian’s public repository package data and factors that would identify the profile of each package as a potential security risk.

To better understand the commonality, distribution, and usage of open source software within organizations, the study used software composition analysis (SCA) data supplied by Snyk, Synopsys, and FOSSA. SCA is the process of automating visibility into any software, and these tools are often used for risk management, security, and license compliance. SCA solution providers routinely scan codebases used by private and public sector organizations. The scans and audits provide a deep insight into what open source is being used in production applications.

With this data, the study created a baseline and unique identifiers for common packages and software components used by large organizations, which were then tied to a specific project. This baselining effort allowed the study to identify which packages and components were the most widely deployed. 

Census II includes eight rankings of the 500 most used FOSS packages among those reported in the private usage data contributed by SCA partners. The analysis performed is based on 500,000 observations of FOSS usage in 2020.

These include different slices of the data based on versions, structure, and packaging system. For example, this research enables identification of the top 10 version-agnostic packages available on the npm package manager that were called directly in applications:

Other slices of the data examined in the study include versioned versus version agnostic, npm versus non-npm, direct versus indirect (and direct) packages. All eight top 500 lists are included in an open data repository on Data.World. 

Observations and analysis of these specific metrics led the study to come to certain conclusions. These were:

  • Software components need to be named in a standardized schema for security strategies to be effective. The study determined that a lack of naming conventions used by packages and components across repositories was highly inconsistent. Thus, any ongoing effort to create software security and transparency strategies without industry participation would have limited effect and slow such efforts.
  • The complexities associated with package versioning. In addition to the need for standardized naming schema mentioned above, Software Bill of Materials (SBOM) guidance will need to reflect versioning information consistent with the public “main” repository for that package, rather than private repositories. Many of the versions that our data partners reported did not exist in the public repositories for those packages because developers maintained internal forks of the code.
  • Developer accounts must be secured. The analysis of the software packages with the highest levels of usage found that many were hosted on individual (personal) developer accounts. Lax developer security practices have considerable implications for large organizations that use these software packages because they have fewer protections and less granularity of associated permissions. The OpenSSF encourages MFA tokens or organizational accounts to achieve greater account security.
  • Legacy open source is pervasive in commercial solutions. Many production applications are being deployed that incorporate legacy open source packages. This prevalence of legacy packages is an issue as they are often no longer supported or maintained by the developers or have known security vulnerabilities. They often lack updates for known security issues both in their codebase or in the codebase of dependencies they require to operate.
      • Apache log4j, version 1.x, for example, was ten times more prevalent than log4j 2.x (the version requiring recent remediation), and 1.x still has known unpatched disclosed vulnerabilities because the software was declared end-of-life (EOL) in 2015.
      • Legacy packages present a vulnerability to the companies deploying them in their environments — it means they will need to know what open source packages they have deployed and where to maintain and update these codebases over time.
  • The prevalence of “supercoders” in the FOSS community. Much of the most widely used FOSS is developed by only a handful of contributors – results in one dataset show that 136 developers were responsible for more than 80% of the lines of code added to the top 50 packages. Additionally, as stated in the Census II preliminary results in 2020, project atrophy and contributor abandonment is a known issue with legacy open source software. The number of developer contributors who work on projects to ensure updates for feature improvements, security, and stability decreases over time as they prioritize other software development work in their professional lives or decide to leave the project for any number of reasons. Therefore, it is much more likely that these communities may face challenges without sufficient developers to act as maintainers as time goes by.

What resources exist to better understand and mitigate potential problem areas in Open Source Software development?

The Linux Foundation’s community and other open source project initiatives offer important standards, tooling, and guidance that will help organizations and the overall open source community gain better insight into, and directly address, potential issues in their software supply chain.

Software Bill of Materials: Adopt the ISO/IEC 5962:2021 SPDX SBOM Standard

An actionable recommendation from Census II is to adopt Software Bill of Materials (SBOM) within your organization. SBOMs serve as a record that delineates the composition of software systems. Software Package Data Exchange (SPDX) is an open international standard for communicating SBOM information that supports accurate identification of software components, explicit mapping of relationships between components, and the association of security and licensing information with each component. 

Many enterprises concerned about software security are making SBOMs a cornerstone of their cybersecurity strategy. The Linux Foundation recently published a separate study on SBOM readiness within organizations, The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness. The report offers fresh insight into the state of SBOM readiness by enterprises across the globe, identifying patterns from innovators, early adopters, and procrastinators. 

Differentiated by region and revenue, these organizations identified current SBOM production and consumption levels and the motivations and challenges regarding their present and future adoption. This report is for organizations looking to better understand SBOMs as an important tool in securing software supply chains and why it is now time to adopt them.
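As an added example (not code from the Census II report or from the SPDX project), the following Python script audits a constructed SPDX 2.3 JSON SBOM for two of the findings above: packages that carry no version information, and packages on an end-of-life line such as log4j 1.x, reporting which component depends on each. The SBOM contents and the EOL policy table are assumptions built for this illustration; the only EOL fact in the table is the one the post states.

```python
"""Audit an SPDX JSON SBOM for two Census II risk signals: packages with no
usable version information, and packages on a known end-of-life line, plus
where in the dependency graph each such package sits.

Added example; not code from the Census II report or the SPDX project.
"""
import json
from collections import defaultdict

# Constructed SPDX 2.3 JSON document: one application depending on three
# packages, one a legacy log4j 1.x and one with no versionInfo at all.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-App", "name": "example-app",
         "versionInfo": "1.4.0", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-log4j", "name": "log4j",
         "versionInfo": "1.2.17", "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/log4j/log4j@1.2.17"}]},
        {"SPDXID": "SPDXRef-lodash", "name": "lodash",
         "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash"}]},
        {"SPDXID": "SPDXRef-express", "name": "express",
         "versionInfo": "4.17.3", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-App"},
        {"spdxElementId": "SPDXRef-App", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-log4j"},
        {"spdxElementId": "SPDXRef-App", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-express"},
        {"spdxElementId": "SPDXRef-express", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-lodash"},
    ],
})

# Assumed policy table: (package name, major version) -> note. Only the
# fact stated in the post is included; extend it from your own EOL sources.
EOL_LINES = {("log4j", 1): "log4j 1.x declared end-of-life in 2015"}


def load_packages(doc):
    """Return {SPDXID: package dict} for every package in the document."""
    return {pkg["SPDXID"]: pkg for pkg in doc.get("packages", [])}


def dependents(doc):
    """Invert DEPENDS_ON relationships: {dependency id: [dependent ids]}."""
    rev = defaultdict(list)
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            rev[rel["relatedSpdxElement"]].append(rel["spdxElementId"])
    return rev


def major_version(pkg):
    """Leading integer of versionInfo, or None if absent or unparseable."""
    version = pkg.get("versionInfo")
    if not version:
        return None
    head = version.split(".")[0]
    return int(head) if head.isdigit() else None


def audit_sbom(sbom_json):
    """Return a list of findings, each a (severity, SPDXID, message) tuple."""
    doc = json.loads(sbom_json)
    packages = load_packages(doc)
    used_by = dependents(doc)
    findings = []
    for spdx_id, pkg in packages.items():
        name = pkg.get("name", "<unnamed>")
        where = ", ".join(packages.get(d, {}).get("name", d)
                          for d in used_by.get(spdx_id, [])) or "top level"
        major = major_version(pkg)
        if major is None:
            # Without a version the package cannot be matched to advisories
            # or to the public "main" repository for that package.
            findings.append(("warn", spdx_id,
                             f"{name}: no usable versionInfo (used by: {where})"))
            continue
        note = EOL_LINES.get((name, major))
        if note:
            findings.append(("high", spdx_id,
                             f"{name} {pkg['versionInfo']}: {note} (used by: {where})"))
    return findings


if __name__ == "__main__":
    for severity, spdx_id, message in audit_sbom(SAMPLE_SBOM):
        print(f"[{severity}] {spdx_id}: {message}")
```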

Take the free training on secure software development 

The Open Source Security Foundation (OpenSSF) has developed a trio of free courses on how to develop secure software. These courses are part of the Secure Software Development Fundamentals Professional Certificate program.  There’s a fee if you want to try to earn a certificate (to prove that you learned the material). However, if you just want to learn the material without earning a certificate, that’s free; simply audit the course. You can also start for free and upgrade later if you pay within the upgrade deadline. All three courses are available on the edX platform.

The courses included in the program are:

Focus on building security best practices into your open source projects

The OpenSSF develops and hosts its Best Practices badging program for open source software developers. This initiative was one of the first outputs of Census I, completed in 2015. Since then, over 4,000 open source software projects have engaged with, started, or completed obtaining a Best Practices Badge.

Projects that conform to OpenSSF best practices can display a badge on their GitHub page, their own web pages, and other material. In turn, consumers of the badge can quickly assess which FLOSS projects are following best practices and, as a result, are more likely to produce higher-quality and more secure software. Additionally, a Badge API exists that allows developers and organizations to query the badge level a specific project has achieved (Passing, Silver, or Gold). This means any organization can add an API check to its workflow that looks up the open source packages it uses and sees whether each project’s community has obtained a badge.

More information on the OpenSSF Best Practices Badging program, including background and criteria, is available on GitHub. The projects page shows participating projects and supports queries (such as a list of projects that have a passing badge). Project statistics and criteria statistics are available. 

Understand the vulnerability vectors of your software supply chain

In addition to reviewing the Census II findings, we encourage you to read the Linux Foundation’s Open Source Supply Chain Security Whitepaper. This publication explores vulnerabilities in the open source software ecosystem through historical examples of weaknesses in known infrastructure components (such as lax developer security practices and end-user behavior, poorly secured dependency package repositories, package managers, and incomplete vulnerability databases). It provides a set of recommendations for organizations to navigate potential problem areas. 

Conclusion

The Census II study shows that even the most widely deployed open source software packages can have issues with security practices, developer engagement, contributor exodus, and code abandonment. Therefore, open source projects require supporting toolsets, infrastructure, staffing, and proper governance to act as a stable and healthy upstream project for your organization. 


The post A Summary of Census II: Open Source Software Application Libraries the World Depends On appeared first on Linux Foundation.

Three Ways to Engage with Open Source Program Offices

Fri, 03/04/2022 - 06:19
Share and learn by speaking at OSPOCon, joining Work Day activities, and more opportunities from TODO

Do you engage in open source-related tasks within your organization? You know that collaboration is key. Here are three ways to engage and network with your open source peers and leverage your organization’s open source program! 

1) Speak at OSPOCon, the premier event for OSPOs

Aiming to provide continuous education and ease OSPO adoption across organizations, the TODO Group, in collaboration with the Linux Foundation, has launched the OSPOCon 2022 Call for Proposals. OSPOCon is the premier event for Open Source Program Offices to share information, solve problems, and learn how to build effective open source initiatives within organizations.

Why consider submitting a proposal to speak at OSPOCon?

OSPOCon is a go-to place where those working in open source program offices (or similar initiatives) in organizations can:

  • Share best practices, tooling, and lessons learned
  • Learn the newest OSPO trends
  • Connect and learn from the wide diversity of open source professionals’ visions
  • Take part in real-time discussions and give and get feedback from the community

Overall, people can come together to learn and share best practices, experiences, and tools to overcome OSPO challenges and similar open source initiatives.

OSPOCon NA and Europe are in-person and virtual events that are part of the Open Source Summit conference umbrella. Proposals are submitted via the OSSummit CFP (participants also get access to all the other events in the Open Source Summit collection).

Please remember the CFP submission deadlines for each of the events. We hope to see you in the upcoming OSPOCon series!

2) Contribute to OSPO resources with the broader community in the new TODO Work Day Activities

TODO comprises individual community contributors and 70+ organizations with years of experience running open source programs. They all want to collaborate on practices, tools, and other ways to run successful and effective open source projects and programs. We have a wide range of ongoing OSPO initiatives where everyone (from the most seasoned OSPOers to students) can participate and become a contributor.

Why consider attending the next Work Day meeting?

A good practice to keep learning from OSPOs is to share knowledge and be inspired by other community participants that run open source initiatives when working on common tooling and resources. 

TODO organizes Work Day activity monthly meetings to ease community participation and work together with other OSPOers and open source experts on the various issues and PRs in the TODO Group GitHub organization.

Work Days also have a handful of tasks, sorted by TODO project contribution level, that we expect people to work on during these meetings.

Learn more in the dedicated repo and review the upcoming meeting dates:

  • Wednesday, March 9, 2022, at 16:30 UTC
  • Monday, March 14, 2022, at 10:00 UTC

3) Study and discuss the status of OSPOs with OSPOlogy and TODO Sync calls

The OSPOlogy repo provides continuous OSPO learning and discussions with other OSPOers thanks to the OSPOlogy monthly community meetings, TODO Sync calls, and OSPO Forum.

Bonus: Resources for practical OSPO implementation

We went through three popular OSPO networking spaces where people can engage with the different professionals involved in open source program offices or similar open source initiatives within organizations. 

The good news is that TODO Group goes far beyond a place to connect with other OSPOers. This group also drives open source education and adoption powered by course materials, research studies, and resources created by experienced professionals to keep learning about OSPOs, anytime.

Here is a list of the most popular resources that can help people find inspiration and guidance in the vision of open source professionals.

  • [NEW] The Evolution of the Open Source Program Office Study: provides a set of patterns and directions, as well as a checklist, to help implement an OSPO or an open source initiative within corporate environments. This includes an OSPO maturity model, practical implementation lessons from noted OSPO programs across regions and sectors, and a handful of broad OSPO archetypes (or personas), which drive differentiation in OSPO behavior.
  • TODO Guides: A collection of best practices from the leading companies engaged in open source development that aims to help organizations successfully implement and run an open source program office.
  • OSPO Survey: The TODO Group is committed to running an annual survey of the status of Open Source Program Offices and sharing the results and data with the wider community. People can find the open data and previous results at Linux Foundation Research.
  • OSPONews: Never miss the newest OSPO trends! This is the monthly newsletter to stay up to date on Open Source Program Office (OSPO) trends.

TODO Group is a great place to begin and advance in the OSPO journey. The open source community is always welcome to be part of TODO. Welcome to the OSPOverse!

The post Three Ways to Engage with Open Source Program Offices appeared first on Linux Foundation.

The Linux Foundation and Harvard’s Lab for Innovation Science Release Census of Most Widely Used Open Source Application Libraries

Wed, 03/02/2022 - 22:00
Census II identifies more than one thousand of the most widely deployed applications libraries that are most critical to operations and security 

SAN FRANCISCO – March 2, 2022 — The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the final release of “Census II of Free and Open Source Software – Application Libraries.” This follows the preliminary release of Census II, “Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software,” and identifies more than one thousand of the most widely deployed open source application libraries found in scans of commercial and enterprise applications. This study informs which open source packages, components, and projects warrant proactive operations and security support.

The original Census Project (“Census I”) was conducted in 2015 to identify which software packages in the Debian Linux distribution were the most critical to a Linux server’s operation and security. The goal of the current study (Census II) is to pick up where Census I left off and to identify and measure which open source software is most widely deployed within applications developed by private and public organizations. This Census II allows for a more complete picture of free and open source software (FOSS) adoption by analyzing anonymized usage data provided by partner Software Composition Analysis (SCA) companies Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA and is based on their scans of codebases at thousands of companies.

“Understanding what FOSS packages are the most widely used in society allows us to proactively engage the critical projects that warrant operations and security support,” said Brian Behlendorf, executive director at Linux Foundation’s Open Source Security Foundation (OpenSSF). “Open source software is the foundation upon which our day-to-day lives run, from our banking institutions to our schools and workplaces. Census II provides the foundational detail we need to support the world’s most critical and valuable infrastructure.” 

Census II includes eight rankings of the 500 most used FOSS packages among those reported in the private usage data contributed by SCA partners. These include different slices of the data based on versions, structure, and packaging system.  For example, this research enables identification of the top 10 version-agnostic packages available on the npm package manager that were called directly in applications:

  • lodash
  • react
  • axios
  • debug
  • @babel/core
  • express
  • semver
  • uuid
  • react-dom
  • jquery

To review all of the Top 500 lists in their entirety, please visit Data.World.

The study also surfaces these five overall findings that are detailed in the report: 

1) The need for a standardized naming schema for software components so that application libraries can be uniquely identified

2) The complexities associated with package versioning – SBOM guidance will need to reflect versioning information that is consistent with the public “main” repository for that package, rather than private repositories

3) Much of the most widely used FOSS is developed by only a handful of contributors – results in one dataset show that 136 developers were responsible for more than 80% of the lines of code added to the top 50 packages

4) The increasing importance of individual developer account security – the OpenSSF encourages the use of MFA tokens or organizational accounts to achieve greater account security

5) The persistence of legacy software in the open source space

Census II is authored by Frank Nagle, Harvard Business School; James Dana, Harvard Business School; Jennifer Hoffman, Laboratory for Innovation Science at Harvard; Steven Randazzo, Laboratory for Innovation Science at Harvard; and Yanuo Zhou, Harvard Business School. 

“Our goal is to not only identify the most widely used FOSS but also provide an example of how the distributed nature of FOSS requires a multi-party effort to fully understand the value and security of the FOSS ecosystem. Only through data-sharing, coordination, and investment will the value of this critical component of the digital economy be preserved for generations to come,” said Frank Nagle, Assistant Professor, Harvard Business School. 

Supporting Quotes

FOSSA

“Open source software plays a foundational role in enabling global economic growth. Of course, the ubiquitous nature of OSS means that severe vulnerabilities — such as Log4Shell — can have a devastating and widespread impact. Mounting a comprehensive defense against supply chain threats starts with establishing strong visibility into software — and we at FOSSA are thrilled to be able to contribute our market-leading SBOM capabilities and experience helping thousands of organizations successfully manage their open source dependencies to improve transparency and trust in the software supply chain.” – Kevin Wang, Founder & CEO, FOSSA

Snyk

“The Linux Foundation’s latest multi-party Census effort is further evidence that OSS is at the very heart of not only today’s modern application development process, but also plays an increasingly vital behind the scenes role throughout all of society,” said Guy Podjarny, Founder, Snyk. “We’re honored to have made significant contributions to this latest comprehensive assessment and welcome all future efforts that help to empower the developers building our future with the right information to also effectively secure it.”

Synopsys

“With businesses increasingly dependent upon open source technologies, if those same businesses aren’t contributing back to the open source projects they depend upon, then they are increasing their business risk. That risk ranges from projects becoming orphaned and containing potentially vulnerable code, through to implementation changes that break existing applications. The only meaningful way to mitigate that risk comes from assigning resources to contribute back to the open source powering the business. After all, while there are millions of developers contributing to open source, there might just be only one developer working on something critical to your success.” – Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center


Additional Resources

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

The post The Linux Foundation and Harvard’s Lab for Innovation Science Release Census of Most Widely Used Open Source Application Libraries appeared first on Linux Foundation.

Open Source Security Foundation Attracts New Commitments, Advances Key Initiatives in Weeks Since White House Security Summit

Tue, 03/01/2022 - 22:00

SAN FRANCISCO, March 1, 2022 – The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important open source security initiatives, today announced that 20 new organizations have joined OpenSSF to help identify and fix security vulnerabilities in open source software and to develop improved tooling, training, research, best practices, and vulnerability disclosure practices. It is also announcing the latest milestones achieved across a variety of its technical initiatives, all of which underscore the cross-industry momentum taking place as a result of increased awareness in the wake of recent security incidents, the White House Open Source Security Summit, and recent Congressional hearings.

“The time is now for this community to make real progress on software security. Since open source is the foundation on which all software is built, the work we do at OpenSSF with contributions from companies and individuals from around the world is fundamental to that progress,” said Brian Behlendorf, executive director at OpenSSF. “We’ve never had more support or focus on building, sustaining, and securing the software that underpins all of our lives, and we’re happy to be the neutral forum where this can happen.”

New Premier Member commitments come from 1Password, Citi, Coinbase, Huawei Technologies, JFrog, and Wipro. New General Member commitments come from Accuknox, Alibaba Cloud, Block, Inc, Blockchain Technology Partners, Catena Cyber, Chainguard, Cloudsmith, DeployHub, MongoDB, NCC Group, ReversingLabs, Spotify, Teleport, and Wingtecher Technology. New Associate Members include MITRE and OpenUK. For a complete review of the OpenSSF member roster, please visit: https://openssf.org/about/members/

These commitments come on the heels of the recent White House Open Source Security Summit, where the Linux Foundation and OpenSSF represented hundreds of its project communities and discussed how best to support software security and open source security posture going forward. This summit was a major milestone in the Linux Foundation’s engagement with the public sector and underscored its position supporting not only the projects it hosts but all of the world’s most critical open source infrastructure.

Since the OpenSSF announced initial commitments in October, the community has continued to advance the OpenSSF mission. Some selected highlights include:

New Alpha-Omega Project Launches with $5m Investment to Improve OSS Security Posture

OpenSSF also recently announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. It is initially supported by Microsoft and Google with a combined investment of $5 million. The Project improves global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

Automated Security Tool, Scorecards, Increases Scans from 50,000 to 1 Million Projects

Scorecards is an OpenSSF project that helps open source users understand the risks of the dependencies they consume. OpenSSF members GitHub and Google recently announced Scorecards v4, which includes Scorecards GitHub Workflow Action to automate the identification of how changes to a project affected its security. It also includes License Check to detect the presence of a project license and Dangerous-Workflow check to detect dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows. The Scorecards project has also increased the scale of scans from 50,000 projects to one million projects. These software projects are identified as most critical based on their number of direct dependencies, giving a more detailed view of the ecosystem and strengthening supply chain security as users see improved coverage of their dependencies.

Project Sigstore Sees Massive Contribution, Adoption to Sign, Verify and Protect OSS 

Sigstore recently released a project update that reported nearly 500 contributors, 3,000 commits, and over one million entries in Rekor. For more information on what is driving this adoption, please visit the Sigstore blog.

The “Great MFA Distribution” Distributes Codes to Claim Free Hardware Security Tokens to Almost 1000 Top OSS Developers

To encourage wider adoption of multi-factor authentication (MFA) by developers of critical open source projects, the Securing Critical Projects Working Group coordinated the distribution of nearly 1000 codes for free MFA tokens (graciously donated by Google and GitHub) to developers of the 100 most critical open source projects. This distribution is a small but critical step in avoiding supply chain attacks based on stolen credentials of key developers.

To join OpenSSF and/or contribute to these important initiatives, please visit: https://openssf.org/

Premier Member Quotes

1Password

“We’re proud to be among like-minded organizations and individuals that share a collective commitment to improving the security posture of open source software,” said Pedro Canahuati, Chief Technology Officer at 1Password. “Much of the technology we use today is built on open source software. Given 1Password’s human-centric approach to building user-friendly applications, it’s important to us that its integrity and security is protected.”

Citi

“The security of open source software and its supply chain is an essential aspect to Citi. We have worked with the open source community on bolstering security in these areas, and we look forward to strengthening this mission by joining the Open Source Security Foundation,” said Jonathan Meadows, Head of Cloud & Application Security Engineering, Citibank.

Coinbase

“Coinbase is the world’s most trusted cryptocurrency exchange, and the security of our open source dependencies — as well as the broader crypto ecosystem — is paramount. The OpenSSF’s goals align with our own, and Coinbase is proud to be contributing to increasing the security of open source software for the benefit of all,” said Jordan Harband, Staff Developer Relations Engineer, Coinbase.

Huawei Technologies

“The importance of open source software security is well recognized by the customer, industry, and government. It is time for the community to take strategic, continuous, effective, and efficient actions to advance the open source software security posture.  We are very glad to see OpenSSF launching initiatives (Scorecard, Alpha-Omega, SigStore, etc.) to improve the open source software security directly,” said Dr. Kai Chen, Chief Security Strategist, Huawei. “Huawei commits to strengthen investment on cybersecurity and to maintain a global, secure and resilient  open source software supply chain.”

JFrog

“Open source software is the foundation of today’s modern systems that run enterprises and government organizations alike – making software part of a nation’s critical infrastructure,” said Stephen Chin, VP of Developer Relations, JFrog. “JFrog is honored to be part of OpenSSF to accelerate innovation and advancement in supply chain security. Projects coming out of OpenSSF help make JFrog’s liquid software vision a secure reality.”

Wipro

“With the increasing adoption of open source software and its growing importance in enabling innovation and transformation come commensurate cybersecurity risks. The community needs a concerted effort to address them. We are excited to join the governing board of OpenSSF to collaborate with other members on defining and building a set of solutions, frameworks, and best practices to help ensure the integrity of the open source software supply chain, and to contribute our domain expertise, breadth of resources, and global reach to this important effort,” said Subha Tatavarti, CTO, Wipro Limited.

General Member Quotes

Accuknox

“In the shift-left, DevSecOps, developer-led adoption of security tools and platforms, an open source-led approach is imperative. We are thrilled to see OpenSSF launching path-breaking initiatives to help end users and technology providers harness the power of open source and contribute to the collective knowledge capital,” said Nat Natraj, co-founder and CEO, AccuKnox.

Alibaba Cloud

“Open Source software has become a key software supply chain of IT, and Open Source software security has a huge impact on infrastructure security. Alibaba Cloud, as the world’s leading cloud vendor that always puts security and data privacy first, keeps investing in security research. For a long time, the public has felt that open source software is very safe because of its transparency: all software developers can review the code, and find and fix vulnerabilities. But in fact, there is much widely used open-source software that may still have security bugs that have gone unnoticed for a long time. It is great to have an organization like OpenSSF, which can connect so many great companies and open source communities to advance open source security for all. As a member of the Open Source Security Foundation, we’re looking forward to collaborating with OpenSSF to strengthen Open Source security,” said Xin Ouyang, Head of Alibaba Cloud Security, Alibaba Cloud.

Block, Inc.

“Block is very excited to join with other industry leaders to help step up the quality of open source security.  I strongly believe that as an industry, it is our priority to address security concerns in a supply chain that we all use.  We may compete on products, but we should never compete on security, and OSSF is a fantastic example of this idea,” said Jim Higgins, CISO of Block.

Blockchain Technology Partners

“Open source software is mainstream and underpins much of the world’s critical infrastructure as well as powering enterprises across the globe. Against this backdrop, OpenSSF’s mission to secure the open source supply chain is fundamental to our future,” said Duncan Johnston-Watt, CEO and Co-founder of Blockchain Technology Partners. “Collaboration is key to OpenSSF’s success, and so we are delighted to contribute to this initiative which complements our existing involvement in the Hyperledger Foundation, CNCF, and LF Energy.”

Catena Cyber

“Open source leads to a massive sharing of knowledge. Beyond the quantity of information, the quality of it becomes important to bring value to society,” said Philippe Antoine, CEO of Catenacyber. “We are glad to join OpenSSF to contribute to improving the cybersecurity of open source projects through fuzzing and other means. Let’s fix all the bugs!”

Chainguard

“Making the software lifecycle secure by default is increasingly critical as open source has become the digital backbone of the world. A vibrant, open software security ecosystem is essential to that mission. We are excited to be members of the Open Source Security Foundation and to continue working with the community to make the software lifecycle secure by default,” said Tracy Miranda, head of open source at Chainguard.

Cloudsmith

“Having a single source of truth for software artifacts has never been more vital to supply chains, especially for the open-source community. OSS engineers need trust and provenance, and a trusted source for secure end-to-end software delivery, from build through to production. At Cloudsmith, our mission is to evolve the cloud-native supply chain, making it simple for the OSS community to secure their software delivery at scale through Continuous Packaging. We are thrilled to join OpenSSF, and we look forward to being part of the continued mission to improve the security posture of open source software universally,” said Alan Carson, CEO at Cloudsmith.

DeployHub

“At DeployHub, we have been laser-focused on tracking the consumption of microservices, including their versions. These relationships make up our new application-level Software Bill of Materials (SBOMS). There is no better place to have this supply chain conversation than the OpenSSF,” explains Tracy Ragan, CEO DeployHub.

MongoDB

“As all industries increasingly rely upon open source software to deliver digital experiences, it is our collective responsibility to help maintain a vibrant and secure ecosystem,” said Lena Smart, Chief Information Security Officer, MongoDB. “You can have all the tools in the world, but at the end of the day, it is people across multiple organizations around the world working together that will ensure an expansive cybersecurity program. One of MongoDB’s values is “Build Together,” and we’re excited to join and further cross-industry collaboration to move the security of open source software forward.”

NCC Group

“Even if your code is perfectly secure, chances are it has vulnerable dependencies. And the number of unpatched vulnerabilities “in the wild” outpaces the speed at which the security community can patch or even identify them. Security, as it is practiced now, doesn’t scale at the rate needed to keep things at least as secure as they were yesterday, and we have compelling reasons to expect this to get even worse for defenders. However, through harnessing dedicated investment and coordinating industry-wide efforts to improve the security of the most critical open source components and find scalable interventions for the entire ecosystem, we have an opportunity to improve software security at a massive scale. But we can only do this together, and it is for this reason that NCC Group is excited to contribute to the work of OpenSSF,” said Jennifer Fernick, SVP & Global Head of Research at cybersecurity consulting firm NCC Group.

ReversingLabs

“The software supply chain has become a major risk vector for new threats, including those from the open source ecosystem. The inherent dependencies and complexities of the modern software supply chain mean that companies often lack visibility and the ability to track each component through the entire software development process. Recognizing these challenges, ReversingLabs is pleased to join the OpenSSF and offer its contributions to the community that help drive the automation of more comprehensive software bills of material and mitigate software supply chain and package release risks,” said Mario Vuksan, CEO and Co-founder, ReversingLabs.

Spotify 

“As a technical community we all have a responsibility to improve the security and trust of an open source ecosystem that so many of us rely upon. Spotify has always relied on open source software, and contributes to the community through projects like Backstage. We believe open source software forms the backbone of our industry and we look forward to supporting the foundation’s goal of ensuring everyone can depend on a healthy and secure software ecosystem,” said Tyson Singer, VP, Head of Technology and Platforms at Spotify.

Teleport

“The complexity of modern infrastructure has broadened attack surface areas to the point where data breaches are just about an everyday occurrence,” said Ev Kontsevoy, CEO of Teleport. “These risks have been exacerbated by the rise of remote and hybrid workplaces. With an eye on global attacks, the open source community’s commitment to improving open source security is critical to ushering in a new era of computing. Offering a solution to increase security, ease usability, and help scale enterprise development access, Teleport is pleased to be a part of the OpenSSF.”

Wingtecher Technology

“As a fast-growing startup, Wingtecher focuses on exploring the technologies that secure various kinds of open source software. We are excited to join OpenSSF and ready to collaborate with the community to overcome the emerging open source security challenges worldwide,” said Vincent Li, COO Wingtecher Technology.

About OpenSSF

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: https://openssf.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members, and it is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

The post Open Source Security Foundation Attracts New Commitments, Advances Key Initiatives in Weeks Since White House Security Summit appeared first on Linux Foundation.

Red Hat Joins Magma Core Foundation at Premier Level, Community Set to Further Open Source Mobile Packet Core

Mon, 02/28/2022 - 22:00

SAN FRANCISCO, February 28, 2022 – Today, the Magma project, an open-source software platform that gives network operators an open, flexible and extendable mobile core network solution, announced continued community growth as Red Hat joins Arm, Meta, and Qualcomm as Magma’s newest premier member, while sixteen other organizations join as General or Associate members: AMD, AQSACOM, Althea, Canonical, ecrio, free5GC, GenXcomm Inc., Lekha Wireless Solutions, Platform 9 Systems, Radtonics, Ramanujan College, Sempre.ai, Telaverge, WaveLabs, Whitestack, and ZEDEDA. Additionally, Emily Yousling, Product Manager, joins the Magma Governing Board as the Meta representative.

“I am excited to join the Magma community as part of the Governing Board,” said Emily Yousling, Product Manager, Meta. “The collaborative nature of the project and the diversity of membership is a powerful tool in creating innovative core networking solutions in the open.” 

“We are pleased to see the Magma community continue to evolve at the Linux Foundation as a leader in network innovation,” said Arpit Joshipura, general manager, Networking, Edge, and IoT, the Linux Foundation. “The addition of Red Hat and other leading industry organizations is a welcome addition to our growing community. We are creating a venue for enabling change in the packet core space and integration across the stack.”

Since moving to the Linux Foundation in early 2021, Magma has grown considerably as a community, with a robust set of new members; the adoption of a master architecture roadmap (one that is 3GPP generation and access network agnostic); the formation of a neutral governance structure; the hosting of its first Linux Foundation-managed event, Magma Day (co-located with KubeCon + CloudNativeCon Europe 202); the availability of the Magma 1.6 release; and the demonstration of “Zero Touch Magma Automation with LFN EMCO” at the Linux Foundation Demo Pavilion at the 2021 Open Networking and Edge (ONE) Summit.

About Red Hat

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies. Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.

“Open source is at the core of everything we do at Red Hat,” said Azhar Sayeed, Senior Director, Global Telco Technical Development, Red Hat. “The Magma Core Foundation has grown as an open source community and a leader in network innovation by providing operators with the flexibility and adaptability they need in a mobile core network solution. Joining the Magma Core Foundation as a premier member is a natural fit for Red Hat because we feel that together, we can continue to support and advance the adoption of open source technologies and the communities of developers that drive them.”

Additional new member support

free5GC

“The ultimate goal of free5GC is to implement a full commercially operational core network including Operation, Administration and Management (OAM), orchestrator, and network slicing,” said Jyh-Cheng Chen, leader of the free5GC project. “We are pleased to join the Magma community to co-develop a complete ecosystem and facilitate innovations in 5G and beyond.” 

Wavelabs

“5G and Magma Core are the center of our strategy, and we believe Magma Core will enable a plethora of innovative 5G use cases at the Network Edge,” said Mansoor Khan, CEO of Wavelabs. “At ‘Wavelabs.ai,’ we are committed to contributing to the Magma Core open source from architecture to development and testing. As a trusted partner to our customers, we advance Magma Core adoption and its use cases leveraging our deep expertise by offering Magma distro, support, and integration services. We serve equipment vendors, service providers, hyperscalers, and enterprises and help them in accelerating their Journey to Future Connectivity.”

Whitestack 

“We joined Magma as part of our strategy to help accelerate the adoption of key open source technologies that will play a key architectural role in the networks of the future. Over the past three years, we have seen Magma evolve into a production grade component, which we are happy to have helped to deploy in Telcos,” said José Miguel Guzmán, Co-founder and Senior Solutions Architect at Whitestack.

For a full list of Magma Core membership, visit: https://www.magmacore.org/members

About the Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

# # #

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

The post Red Hat Joins Magma Core Foundation at Premier Level, Community Set to Further Open Source Mobile Packet Core appeared first on Linux Foundation.

American Tower Joins LF Edge as Premiere Member,  Community Adds EdgeGallery to Project Roster

Mon, 02/28/2022 - 22:00

LF Edge furthers innovation at the open source edge across a unified ecosystem, with the induction of Edge Gallery — an open-source MEC edge computing project — and adds leading innovator American Tower as a Premier member and Ritsumeikan University as a new Associate member

SAN FRANCISCO, February 28, 2022 – LF Edge, an umbrella organization within the Linux Foundation that aims to establish an open, interoperable framework for edge computing independent of hardware, silicon, cloud, or operating system, today announced American Tower has joined the project as a Premier member. Additionally, the project announced Edge Gallery has joined the umbrella as a Stage 1 project, Ritsumeikan University has joined as an Associate member, and the community issued its 2021 Annual Report.

American Tower, a leading global infrastructure provider of wireless, data center, and interconnect solutions to enable a connected world, joins other existing LF Edge Premier members: Altran, Arm, AT&T, AVEVA, Baidu, Charter Communications, Dell Technologies, Dianomic, Equinix, Ericsson, F5, Fujitsu, Futurewei, HP, Huawei, Intel, IBM, NTT, Radisys, Red Hat, Samsung, Tencent, VMware, Western Digital, ZEDEDA.

“We are pleased to see even more leading technology innovators joining as LF Edge members,” said Arpit Joshipura, general manager, Networking, Edge and IoT, the Linux Foundation. “The proliferation of new technologies joining collaborative innovation at the open source edge means scalability, interoperability, and market innovation is happening across the ecosystem.”

About American Tower

American Tower, one of the largest global REITs, is a leading independent owner, operator and developer of multitenant communications real estate with a portfolio of approximately 219,000 communications sites. For more information about American Tower, please visit americantower.com.

“We are excited to join LF Edge and their members to accelerate innovation, enabled by edge network architecture. A distributed model, positioning critical data closer to the user, provides the low-latency infrastructure to deliver the automation, performance, and cognitive insight required by manufacturing, healthcare, transportation, and more.” – Eric Watko, Vice President, Product Line Management, American Tower.

American Tower is joined by new Associate member Ritsumeikan University, a private university in Kyoto, Japan, that traces its origin to 1869. In addition to the Kinugasa Campus in Kyoto and Kyoto Prefecture, the university has satellite campuses, the Biwako-Kusatsu Campus and the Osaka-Ibaraki Campus. Ritsumeikan University is known as one of western Japan’s four leading private universities.

EdgeGallery Joins LF Edge Umbrella

Celebrating its two-year mark as an umbrella project, LF Edge welcomes its tenth project, Edge Gallery. Edge Gallery is an open-source MEC edge computing project initiated by Huawei, carriers, and vertical industry partners that joined the Linux Foundation in late 2021. Its purpose is to build a common edge computing platform that meets the “connection + computing” characteristics of the telecom industry, standardize the openness of network capabilities (especially 5G network capabilities), and simplify lifecycle processes such as MEC application development, test, migration, and running.

EdgeGallery joins the nine existing projects – Akraino, Baetyl, Fledge, EdgeX Foundry, Home Edge, Open Horizon, Project EVE, Secure Device Onboard (SDO) and State of the Edge – that support emerging edge applications across areas such as non-traditional video and connected things that require lower latency, and faster processing and mobility. LF Edge helps unify a fragmented edge market around a common, open vision for the future of the industry.

LF Edge 2021 Annual Report

The LF Edge community also issued a report of its progress and results from the past year. The report summarizes key highlights (including blueprints, deployments and momentum) from the Governing Board, Technical Advisory Board, Outreach Committee and General Manager. To download the report, visit: https://www.lfedge.org/resources/publications/

More details on LF Edge, including how to join as a member, details on specific projects and other resources, are available here: www.lfedge.org.

About The Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

# # #

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

The post American Tower Joins LF Edge as Premiere Member,  Community Adds EdgeGallery to Project Roster appeared first on Linux Foundation.

Linux Foundation Announces New Project “CAMARA – The Telco Global API Alliance” with Global Industry Ecosystem

Mon, 02/28/2022 - 15:00

Open source project to address industry API interoperability leveraging GSMA OPG requirements and Linux Foundation’s Developer Ecosystem

SAN FRANCISCO and BARCELONA, Spain (Mobile World Congress 2022), February 28, 2022 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, and the GSMA, a global organization unifying the mobile ecosystem to discover, develop and deliver innovation foundational to positive business environments and societal change, today announced a new, open source project: “CAMARA – The Telco Global API Alliance”. The global partnership will address challenges in porting and reproducing API services across heterogeneous operator and cloud architectures.

CAMARA will help customer and developer ecosystems by developing an open, global, and accessible API solution with access to operator capabilities, in whatever networks customers are in, allowing applications to run consistently between telco networks and different countries. In addition, CAMARA offers new opportunities for collaboration between network and cloud companies (including telcos, ISVs, device manufacturers, etc.) to address challenges of porting and reproducing API services across heterogeneous operator architectures. This prevents fragmentation of telco and cloud developers and enables faster, more versatile advancement of global portability and broad industry adoption of new features and capabilities.   

A close collaboration has been set up between the CAMARA project and the GSMA’s Operator Platform initiative that is defining a federated platform solution for exposing operator network capabilities to external applications. This collaboration will ensure that developers relying on the CAMARA project’s API solution and abstraction will facilitate users across operator networks.

“We are thrilled to enter into this next chapter of collaboration with the GSMA,” said Arpit Joshipura, general manager, Networking, Edge and IoT, the Linux Foundation. “By harnessing existing open source communities within CNCF, LF Networking, LF Edge and aligning to GSMA’s OPG industry requirements, we are poised to address current challenges in API accessibility.”

“The Operator Platform initiative welcomes new members to join more than 40 leading operators, and 35 ecosystem partners, already working together on requirements and APIs. This type of collaboration with CAMARA is essential in accelerating scale to meet today’s integration demands,” said Henry Calvert, head of Networks, GSMA. “We are very pleased to be working with Linux Foundation, and our membership, on developing reliability and resilience in APIs, and simplifying challenges for our developer communities.”

Learn more about CAMARA during MWC Barcelona in the keynote session: https://www.mwcbarcelona.com/agenda/session/cloud-edge-a-new-approach-to-innovation

More details about “CAMARA – The Telco Global API Alliance”, are also available via GitHub: https://github.com/camaraproject

CAMARA is supported by leading industry organizations, including: AT&T, Capgemini, Deutsche Telekom, Ericsson, GSMA, Google Cloud, IBM, Intel, Kandy, KDDI, Microsoft, MobiledgeX, Nokia, Orange, NGMN, Scenera, T-Mobile US, TIM, Telefonica, TELUS, the Linux Foundation and Vodafone. 

More details about the GSMA’s Operator Platform initiative (and its closely related Telco Edge Cloud activity), are also at https://www.gsma.com/operatorplatform.

About GSMA

The GSMA is a global organization unifying the mobile ecosystem to discover, develop and deliver innovation foundational to positive business environments and societal change. Our vision is to unlock the full power of connectivity so that people, industry, and society thrive. Representing mobile operators and organizations across the mobile ecosystem and adjacent industries, the GSMA delivers for its members across three broad pillars: Connectivity for Good, Industry Services and Solutions, and Outreach. This activity includes advancing policy, tackling today’s biggest societal challenges, underpinning the technology and interoperability that make mobile work, and providing the world’s largest platform to convene the mobile ecosystem at the MWC and M360 series of events. We invite you to find out more at gsma.com.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

###

The post Linux Foundation Announces New Project “CAMARA – The Telco Global API Alliance” with Global Industry Ecosystem appeared first on Linux Foundation.

Leveraging the Open Source Program Office: New Research Unpacks the Evolution of the OSPO (and a Whole Lot More)

Sat, 02/26/2022 - 04:02

OSS is a growing phenomenon, and every journey to open source best practices is unique. At the same time, there’s a whole lot of room to grow some more. Many organizations use Open Source Program Offices to align their open source efforts under a management system and policies designed to create a positive experience for internal developers and for external participants in the communities they join and contribute to.

While the Linux Foundation, under the auspices of The TODO Group, has previously published whitepapers about the benefits of open source and OSPOs, it became apparent that it needed an established model for evolving an OSPO within an organization. Beyond the modeling, it was important to supplement pathways to open source best practices with good old-fashioned storytelling in OSPO leadership and formation to help other leaders and practitioners see themselves in the process. It’s hard not to be inspired by the vision of some of the community’s innovators, so why not share their stories?

The TODO Group, in collaboration with Linux Foundation Research, is pleased to release a new whitepaper, The Evolution of the Open Source Program Office, as a roadmap for others to follow.

Ana Jiménez Santamaría, TODO Group’s OSPO Program Manager, further explains the motivations behind the development of the roadmap and case study: 

“I have seen an increasing need for OSPO guidance in many organizations. I hope this study provides a way to better frame and visualize the OSPO ecosystem complexity and provide a roadmap to ease OSPO planning and adoption. We welcome the open source community to contribute and collaborate to these resources, expanding the initial archetype scope or improving the documentation for each of the stages.”

This whitepaper provides a set of patterns and directions – and even a checklist! – to help implement an OSPO or an open source initiative within corporate environments. This includes an OSPO maturity model, practical implementation from noted OSPO programs across regions and sectors, and a handful of broad OSPO archetypes (or personas), which drive differentiation in OSPO behavior.

Intending to drive differentiation in OSPO behavior, this whitepaper features a set of OSPO Archetypes from a company perspective, including:

  • Industry Collaboratives
  • Cross-Industry Collaboratives
  • Project Facilitators
  • Open Source First Organizations
  • Technology Strategy Experts
  • Software Companies

The OSPO maturity model has been developed based on a series of interviews from leaders of noted OSPO programs, including some of the most influential technology firms such as Red Hat, Microsoft, SAP, and VMware, as well as some of the most iconic brands. And yes, the research dug into recent OSPO survey data, too.

As the culmination of the research process, the whitepaper features three case studies of the evolution of OSPOs in end-user organizations in different industry verticals: Bloomberg (financial services), Comcast (media), and Porsche (transportation/automotive). Each case is structured as a journey through the stages of the OSPO model to put it into practice.

  • Bloomberg runs a highly mature OSPO with nine years of experience. With over 6,500 developers engaged and as many as 20 dedicated specifically to OSS, it is a major incubator of projects such as Kserve, bqplot, and PowerfulSeal.

Kevin P. Fleming, who served as the former head of technology engagement at Bloomberg, recalls the need for the organization to have trusted advisors when it comes to open source:

“As more and more people from management down to individual contributors understood that we wanted to build better relationships and broaden engagement and usage of open source, we became advisors in strategic decision-making. Should we use this particular project from this community? Does it look like a real community, or is it being run by a single company or individual? We helped answer those questions.”

  • Comcast is a five-year veteran of open source adoption, has four full-time engineers in its OSPO, and has been highly active incubating projects such as Apache Traffic Control, Trickster, and Kuberhealthy within the larger OSS community. 

Nithya Ruff, who is a Comcast fellow and also serves on the Linux Foundation Board of Directors as chair, emphasized the need to make working on open source projects easy and to facilitate the process for Comcast employees when they participate:

“A lot of our engineers love being able to contribute to OSS and being able to speak at conferences, publish papers and blogs. Our job is to make it easy to make it work in OSS. We believe OSS is a critical component of innovation as a company and a key advantage in attracting great developers to work with us.” 

Porsche’s OSPO is relatively new, having been in operation for two years, but it already has a number of developers and engineers dedicated to open source, incubating projects such as the Porsche Design System, the OSS Review Toolkit, and the Cookie Consent Banner.

Nik Peters, who runs Porsche’s OSPO, feels that the company’s role in open source is well suited to driving standards adoption in the automotive industry as an OSS end user.

“As an organization, we are in-between being a contributor and being a participant. One of our big goals is to see if we can drive and set open standards—for example, an automotive open source standard … our big goal is to move from 10 to 20 percent in-house embedded software to at least 60 percent over five years. This for us is a game-changer.”

Not all experiences are equal, but each is unique and valuable in its own right. 

Who should read this report? Anyone who wants to learn about the value of the Open Source Program Office and its significance to organizational compliance, competitiveness, and stewardship of shared technologies in hardware, software, and standards. 

Download the Report

The post Leveraging the Open Source Program Office: New Research Unpacks the Evolution of the OSPO (and a Whole Lot More) appeared first on Linux Foundation.

Open Networking & Edge Executive Forum (ONEEF) Returns Virtually, April 12-14, 2022

Wed, 02/23/2022 - 00:51

Global industry executives across telco, cloud and enterprise to share thought-leading visions with global open source networking and edge communities – across alternating time zones

SAN FRANCISCO, February 22, 2022 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, in partnership with LF Networking and LF Edge, today announced the Open Networking & Edge Executive Forum (ONEEF) will take place virtually April 12-14, 2022. The Open Networking & Edge Executive Forum (spring) and Summit (fall) are the industry’s premier open networking and edge computing events focused on end-to-end solutions powered by open source.

Building on the successful inaugural ONEEF event last spring, the Linux Foundation, LF Networking, and LF Edge are pleased to announce the 2022 Executive Forum, where leading industry executives will again share their visions from the Telco, Cloud, and Enterprise verticals. Attendees will learn how to leverage open source ecosystems and gain new insights for digital transformation. Presented in a virtual format across three days, this is a one-track event starting in a different time zone each day to better reach our global audience. 

“We are pleased to welcome thought leaders from across the globe to the virtual stage for ONEEF 2022,” said Arpit Joshipura, general manager, Networking, Edge & IoT, at the Linux Foundation. “This curated experience is designed to complement the Open Networking & Edge Summit with thought leaders and collaborators from around the globe coming together to share insights, best practices, and new ideas that enhance the vertical space across open source networking, edge, cloud and enterprise stacks.”

Details on executive speakers and the session agenda will be available soon, but attendees can expect to hear industry insights from Analysys Mason analyst Caroline Chappell, as well as updates on the direction of major initiatives like the 5G Super Blueprint. Stay tuned for more details.

Speakers and content from ONEEF 2021, including session videos, are available online.

Registration & Sponsorships

Presented in a virtual format across three days, this is a one-track event that will be held in a different time zone each day to reach our global audience in the Americas, EMEA, and APAC. There is no cost to attend, but participants must be registered in order to access the sessions: https://events.linuxfoundation.org/open-networking-and-edge-exec-forum/

Sponsorship opportunities are available for this special executive edition of Open Networking & Edge Summit. For more information on sponsoring this event, contact us at events@lfnetworking.org.

The LF Networking developer community will also host the LFN Developer & Testing Forum this summer, taking place June 13-16, in Porto, Portugal. Registration for that event is also open, with more details to come.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

The Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

###

The post Open Networking & Edge Executive Forum (ONEEF) Returns Virtually, April 12-14, 2022 appeared first on Linux Foundation.

Software Bill of Materials (SBOM) and Cybersecurity: Is Your Organization Ready?

Tue, 02/15/2022 - 22:00

The Linux Foundation recently published findings on The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness, conducted in late 2021. Jason Perlow, LF editorial director, spoke with Stephen Hendrick, vice president of Research, who led the empirical study and quantitative analysis to understand the extent to which the world was implementing cybersecurity standards and what actions need to be taken now.

JP: For those new to SBOMs, what are they? Can you unpack the concept for the absolute beginner?  

SH: A good analogy for this would be when you go to the supermarket and shop for food products. Because we have a Food and Drug Administration in the United States, food manufacturers must follow food packaging and labeling regulations. In our most recent webinar that we held on Feb 1, one of our panelists, Allan Friedman, illustrated this example with a Twinkie snack cake sitting on his shelf.

Original Image: “Hostess Twinkies” by Evan-Amos, CC0, via Wikimedia Commons

A Twinkie has a list of ingredients printed on it, over 35 in all if you look at the food label on Hostess’ website. Now, imagine if you were allergic to one of those ingredients, such as the eggs, or one of the flours. Or, if you were vegetarian, the Twinkie contains beef fat (tallow). 

You’d want to know those things, wouldn’t you? 

The same goes for software that may be running in your enterprise – based on their “ingredients”, components, or packages that are used to make up the software composition of those environments; an SBOM can tell you which of those components you are running may have vulnerabilities your organization may need to address.

JP: So, what many people want to know is, why do we care about SBOMs? What is the context for SBOMs as they relate to software supply chains, why is the Linux Foundation researching it, and why is it all happening now?

SH: Cybersecurity has been top of mind across government, enterprise, and the open source community. For this reason, research into this topic was a top priority for the Linux Foundation. Much of the interest in SBOMs specifically was driven by 2020’s SolarWinds software supply chain attack and even before the US Executive Order on Cybersecurity. The EO specifically named SBOM as a recommendation for improving cybersecurity. The Apache Log4j vulnerability was disclosed late last year, further accelerating interest in SBOMs. 

For the last several months, the Linux Foundation surveyed enterprises and quantitatively determined their sentiment about SBOMs and their level of adoption, maturity, and progress. Now we have those results.

JP: I get that an SBOM tells you what components are in a software package – whether it’s open source or closed source. How did SBOMs start as an open source initiative, and why has the open source community been at the forefront of this push for supply chain transparency?

SH: Early on in the enterprise adoption of open source, companies were concerned about licensing and ensuring appropriate license compliance. It was an open source effort at the time, primarily because they were exposed to these open source licenses that didn’t come through traditional procurement processes. So the open source community embraced the SBOM concept to provide transparency about which components are used in a package and what licenses were attached to them. 

Over time, however, the openness that an SBOM provides became helpful in other contexts. An organization that requires SBOMs is likely ahead of the game when a new security vulnerability comes out. Log4j has been in the news, but imagine you’re an organization with tens or hundreds of thousands of servers: how do you find and patch all the log4j instances? SBOMs enable you to do that much more easily.

JP: There was a global response to this survey, with 98 percent of organizations expressing concerns about their software security. Virtually all of those organizations are considering implementing changes to their environments, including adopting SBOMs. Were you expecting that sort of drastic response before reviewing the data?

SH: This was a global, multilingual survey, and as such, we received completed surveys from 412 senior IT respondents worldwide. A total of 44% of the respondents came from the Americas, 39% from EMEA (Europe, Middle East, and Africa), and 17% from Asia Pacific (India, China, Russia, Japan, and Australia).

Because this survey focused on cybersecurity and SBOMs, one of the first questions we asked was how concerned the respondent’s organization was about the security of the software it uses.

We observed from the data that the Americas and EMEA show a distribution of concerns that peaks at 49% for the Americas and 55% for EMEA being “very concerned.” Worldwide, 98% of organizations have a level of concern about cybersecurity.

The European Union (EU) has been increasing its cybersecurity footprint considerably in the last decade with the introduction of the General Data Protection Regulation (GDPR) in April of 2016 – this begat efforts with the NIS Directive on Security of Network and Information Systems and the EU Cybersecurity Act in 2019, so this has been brewing outside our country for some time. 

In Asia, the distribution for overall cybersecurity concerns is significantly different from that of the Americas or EMEA. Security concerns in the Asia Pacific gradually ramp up, with 15% “slightly concerned,” 18% “concerned,” 31% “very concerned,” and 35% “extremely concerned.” Nearly twice as many organizations in the Asia Pacific region are “extremely concerned” than EMEA, and 67% more than in the Americas. The reason why software security angst is higher in the Asia Pacific region is explained throughout the report. In summary, it appears that the organizations in the Asia Pacific region have invested less to date in security-related roles, functions, and activities, so now they are trying to catch up.

JP: In the report, you spend a fair amount of time talking about organizational activities and plans for SBOM adoption. Could you summarize what you found?

SH: I spent thirty years as an industry analyst focused on application development and deployment. During these years, I never once heard the term SBOM. When designing this survey, I worried it might be difficult to find much production use of SBOM tools. To address this, the survey contained questions about SBOM familiarity, readiness, and use of tools for SBOM production and consumption.

I was surprised to find that 47% of organizations produced or consumed SBOMs in 2021. In many cases, this meant using SBOMs in a few or some segments of their business. But a surprising number of organizations were using SBOMs across nearly all of their business segments or had implemented SBOMs as an organizational standard. It was also exciting to see that 41% of organizations plan to use SBOMs beginning in 2022 or 2023. This allowed us to forecast the organizational growth of SBOMs.

By 2022, SBOM organizational growth will be 66%, increasing SBOM penetration across organizations from 47% to 78%. Growth will taper off to 13% during 2023 but still drive an increase in penetration to 88%. This means that 2022 will be the year of the SBOM. This also means that 2022 will be a great year for vendors selling SBOM production and consumption tools.

JP: Given the amazing growth that could take place in 2022, what benefits do organizations expect to see from their increasing use of SBOMs?

SH: There are many benefits from the use of SBOMs. Let’s focus on the consumption of SBOMs because that’s what most end-user organizations will be doing. Overall, 53% of organizations said that the primary benefit would come from the ability of SBOMs to provide information about components to support their compliance and reporting needs.

At the same time, 53% of organizations also said that SBOMs provide information to make better decisions about risk. Another feature of SBOMs is their ability to link to registries that identify known component vulnerabilities. This is also why the third benefit listed here at 49% is the ability to understand new component vulnerabilities and whether the organization is at risk.

The chart above is also segmented by the maturity of organizations in their use of SBOMs. This is where SBOM innovators help identify best practices because they have a much deeper experience in using SBOMs and are better positioned to provide an experienced perspective.

JP: While it seems that organizations are clear on the benefits of SBOM adoption, it also looks as if a large number are concerned about the industry’s commitment to them as a whole. Why do you suppose that is? Do you think that has to do with a perceived lack of an established standard or a lack of guidance and best practices for what they need to contain, overall? How do we get past this industry confidence problem in SBOMs, given that there seems to be heavy operational involvement by organizations as a whole?

SH: The first thing to recognize is that SBOMs are expected to be exchanged between participants in the supply chain, and the software supply chains are global. We need to see the industries adopt standards that the international community has formally reviewed for confidence to emerge. This is why SPDX, after 8 years of being a de facto standard, undertook the step to go through the review process to become an ISO-approved standard. It went to the ISO after incorporating the guidance that had emerged from the NTIA multistakeholder process as to what minimum elements for an SBOM should be.

Since most software today is built on open source, it is easy for open source ecosystems to generate SBOMs for their parts, which removes some of the lift for organizations, which then add on the parts they modify. A whole software development ecosystem needs to adjust, not just the companies that ship products, which will take time.

JP: Thank you, Steve, that was very informative.
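The Log4j hunt Hendrick describes above (find every log4j instance from the SBOM, then check it against a registry of known vulnerable versions), as an added example that is not from the report or the interview: it reads a constructed SPDX 2.2 JSON SBOM, selects packages by their Package URL, and compares each version against a constructed advisory record. The SBOM contents, the advisory (placeholder identifier and version range, not a real advisory), and the helper names are all assumptions for illustration.

```python
"""Check an SPDX 2.2 JSON SBOM against an advisory's affected version range.

Added example with constructed data; the SBOM and advisory below are not real.
"""
import json
import re

# Constructed SPDX 2.2 JSON document for a hypothetical service (sample data).
SAMPLE_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-billing-service",
    "packages": [
        {"name": "log4j-core", "SPDXID": "SPDXRef-Package-1", "versionInfo": "2.14.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
        {"name": "log4j-core", "SPDXID": "SPDXRef-Package-2", "versionInfo": "2.17.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
        # A bundled copy whose SBOM producer recorded no version: it must not pass silently.
        {"name": "log4j-core", "SPDXID": "SPDXRef-Package-3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core"}]},
        {"name": "spring-core", "SPDXID": "SPDXRef-Package-4", "versionInfo": "5.3.15",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.springframework/spring-core@5.3.15"}]},
    ],
})

# Constructed advisory record: placeholder identifier and range, for illustration only.
SAMPLE_ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER",
    "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "introduced": "2.0.0",   # first affected version (inclusive)
    "fixed": "2.17.1",       # first fixed version (exclusive)
}


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple: '2.14.1' -> (2, 14, 1).

    Pre-release suffixes such as '-rc1' are dropped, so a release candidate compares
    equal to its final release; a production matcher should follow the ecosystem's rules.
    """
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def in_affected_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def split_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into (base, version or None)."""
    base, _, rest = purl.partition("@")
    if not rest:
        return base, None
    return base, re.split(r"[?#]", rest, maxsplit=1)[0]


def find_affected_packages(sbom_json, advisory):
    """Return one finding per package whose purl matches the advisory.

    Each finding is {'spdxid', 'version', 'status'}; status is 'affected',
    'not_affected', or 'unknown_version' (version missing, needs manual review).
    """
    sbom = json.loads(sbom_json)
    findings = []
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            base, version = split_purl(ref["referenceLocator"])
            if base != advisory["purl_prefix"]:
                continue
            # Fall back to the SPDX versionInfo field when the purl carries no version.
            version = version or pkg.get("versionInfo")
            if version is None:
                status = "unknown_version"
            elif in_affected_range(version, advisory["introduced"], advisory["fixed"]):
                status = "affected"
            else:
                status = "not_affected"
            findings.append({"spdxid": pkg["SPDXID"], "version": version, "status": status})
    return findings


if __name__ == "__main__":
    for finding in find_affected_packages(SAMPLE_SBOM_JSON, SAMPLE_ADVISORY):
        print(f"{finding['spdxid']:20} {str(finding['version']):8} {finding['status']}")
```

Note that a package with no recorded version is reported as unknown rather than treated as safe; an SBOM that omits versions cannot answer the question the interview poses.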

The post Software Bill of Materials (SBOM) and Cybersecurity: Is Your Organization Ready? appeared first on Linux Foundation.

FINOS, the Fintech Open Source Foundation and Financial Sector Project of The Linux Foundation, Announces Name Change and 2022 Dates for Open Source in Finance Forum

Fri, 02/04/2022 - 05:01

Open Source Strategy Forum is now the Open Source in Finance Forum, with the name changed to better reflect its evolution as the premier event dedicated to driving collaboration and innovation in financial services through open source software and standards. 

SAN FRANCISCO, February 3, 2022 — FINOS, the Fintech Open Source Foundation and financial sector project of The Linux Foundation, and The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the name change of its event dedicated to driving collaboration and innovation in financial services through open source software and standards from Open Source Strategy Forum to the Open Source in Finance Forum. The event started in 2017 under the auspices of FINOS prior to it joining the Linux Foundation in 2020, and has since grown to become the flagship event for the fast-growing open source movement in financial services and its unique challenges. The name is being changed to better reflect the focus of the event within the larger landscape of open source events produced by The Linux Foundation and its projects.

This year, Open Source in Finance Forum will take place in London, England on Wednesday, July 13, and in New York City, USA on Thursday, December 8. Both events will gather experts from financial services, technology and open source who will come together for thought-provoking insights and conversations, providing unique opportunities to hear from and engage with those who are leveraging open source software to solve industry challenges.

The Call for Proposals for Open Source in Finance Forum London and Open Source in Finance Forum New York are now open. View suggested topics and submit talks for all events at the links provided above.

The Linux Foundation strongly values the need to increase diversity, equity and inclusion in open source, and a great place for that to begin is on the conference stage. We encourage those from all marginalized communities to submit to speak. We also welcome and encourage first-time speakers to submit. If you aren’t sure about your abstract or have any questions, please reach out to us.

Sponsor
Please contact The Linux Foundation for information on becoming an event sponsor at sponsorships@linuxfoundation.org.

Press
Members of the press who would like to request a press pass to attend should contact Kristin O’Connell.

About FINOS
FINOS (The Fintech Open Source Foundation) is a nonprofit whose mission is to foster adoption of open source, open standards and collaborative software development practices in financial services. It is the center for open source developers and the financial services industry to build new technology projects that have a lasting impact on business operations. As a regulatory-compliant platform, the foundation enables developers from these competing organizations to collaborate on projects with a strong propensity for mutualization. It has enabled codebase contributions from both the buy- and sell-side firms and counts over 40 major financial institutions, fintechs and technology consultancies as part of its membership. FINOS is also part of the Linux Foundation, the largest shared technology organization in the world.


###

Media Contact
Kristin O’Connell
The Linux Foundation
koconnell@linuxfoundation.org

The post FINOS, the Fintech Open Source Foundation and Financial Sector Project of The Linux Foundation, Announces Name Change and 2022 Dates for Open Source in Finance Forum appeared first on Linux Foundation.

The Linux Foundation Releases The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness Research

Tue, 02/01/2022 - 19:00

New data from Linux Foundation measures SBOM progress and adoption to address cybersecurity concerns 

SAN FRANCISCO, Calif., February 1, 2022 — The Linux Foundation, the nonprofit organization enabling mass innovation through open source, in partnership with OpenSSF, SPDX, and OpenChain, today announced the availability of the first in a series of research projects to understand the challenges and opportunities for securing software supply chains. “The State of Software Bill of Materials and Cybersecurity Readiness” reports on the extent of organizational SBOM readiness and adoption tied to cybersecurity efforts. The study comes on the heels of both the U.S. Administration’s Executive Order on Improving the Nation’s Cybersecurity and the recent White House Open Source Security Summit. Its timing coincides with increasing recognition across the globe of the importance of identifying software components and helping accelerate response to newly discovered software vulnerabilities.

“SBOMs are no longer optional. Our Linux Foundation Research team revealed 78% of organizations expect to produce or consume SBOMs in 2022,” said Jim Zemlin, executive director at the Linux Foundation. “Businesses accelerating SBOM adoption following the publication of the new ISO standard (5962) or the White House Executive Order, are not only improving the quality of their software, they are better preparing themselves to thwart adversarial attacks following new open source vulnerability disclosures like those tied to log4j.”

An SBOM is formal and machine-readable metadata that uniquely identifies a software component and its contents; it may also include copyright and license data. SBOMs are designed to be shared across organizations and are particularly helpful at providing transparency of components delivered by participants in a software supply chain. Many organizations concerned about application security are making SBOMs a cornerstone of their cybersecurity strategy.

Key findings from survey participants analyzed for the report include:

  • 82% are familiar with the term Software Bill of Materials (SBOM)
  • 76% are actively engaged in addressing SBOM needs
  • 47% are producing or consuming SBOMs
  • 78% of organizations expect to produce or consume SBOMs in 2022, up 66% from the prior year

Survey participants also revealed their top three benefits for producing SBOMs:

  • 51% say it’s easier for developers to understand dependencies across components in an application
  • 49% state it’s easier to monitor components for vulnerabilities
  • 44% noted it’s easier to manage license compliance.

Linux Foundation researchers also revealed that additional industry consensus and government policy will help drive SBOM adoption and implementation. The researchers noted:

  • 62% are looking for better industry consensus on how to integrate the production/consumption of SBOMs into their DevOps practices
  • 58% want consensus on integration of SBOMs into their risk and compliance processes
  • 53% desire better industry consensus on how SBOMs will evolve and improve
  • 80% of organizations worldwide are aware of the White House Executive Order on improving cybersecurity
  • 76% are considering changes as a direct consequence of the Executive Order

Finally, research participants revealed their top attributes used to prioritize which open source software components would be used by developers: security ranked highest, followed by license compliance.

Linux Foundation Research conducted this worldwide empirical research into organizational SBOM readiness and adoption in the third quarter of 2021. A total of 412 organizations from around the world participated in the 65-question survey. The report is authored by Stephen Hendrick, vice president of Research at the Linux Foundation. The Linux Foundation has also prioritized research to aid collective understanding of the scope of cybersecurity challenges with the first in a series of core research projects to explore important issues related to implementing cybersecurity best practices and standards adoption, beginning with this study of SBOM readiness.

The Linux Foundation supports numerous open source SBOM and security-related programs, including Open Source Security Foundation (OpenSSF), SPDX (ISO/IEC 5962), sigstore, Let’s Encrypt, in-toto, The Update Framework (TUF), Uptane, and OpenChain (ISO 5230).

Additional Resources
  • Download The State of Software Bill of Materials and Cybersecurity Readiness report
  • Attend our webinar Understanding The Role Of Software Bill Of Materials In Cybersecurity Readiness on Tuesday, February 1st
  • Join one of six OpenSSF working groups to help improve open source security
  • Read about SPDX as the ISO standard for SBOMs
  • Access free training on generating a free software bill of materials
  • Get certified as a secure software development professional

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

The post The Linux Foundation Releases The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness Research appeared first on Linux Foundation.

On DEI Research: Why the Linux Foundation? Why now?

Fri, 01/21/2022 - 00:00

The open source community is working on many simultaneous challenges, not the least of which is addressing vulnerabilities in the core of our projects, securing the software supply chain, and protecting it from threat actors. At the same time, community health is equally as important as the security and vitality of software code. 

We need to retain talented people to work on complex problems. While we work urgently on implementing security best practices such as increasing SBOM adoption to avoid another Log4J scenario, we can’t put the health of our communities on the open source back burner, either. 

Our communities are ultimately made up of people who contribute, have wants and needs, and have feelings and aspirations. So while having actionable data and metrics on the technical aspects of open source projects is key to understanding how they evolve and mature, the human experience within project communities also requires close examination. 

How participants in open source projects interact with each other and whether they feel included make up a large component of a community’s overall long-term health. It can determine whether or not they can continue productively and positively, attract new participants, create representative technologies, and spawn new projects and communities.

Motivations for a DEI study at the Linux Foundation 

DEI was always something that we wanted to include in the early days of the Linux Foundation Research agenda. The topic fell into the category of “ecosystem” research, where uncovering insights about the community at large was as critical as digging into the state of open source in a given technology horizontal or industry vertical.

As community health and DEI are core values of the Linux Foundation, conducting new research in this area was a complementary and necessary activity to support related inclusion and belonging initiatives already underway.

Research, in general, is essential to dispel myths and misperceptions about open source, regardless of the subject matter. DEI insight, generated through new research, is a vital tool to evaluate success criteria beyond looking solely at the growth of open source in terms of the supply and demand of code. With data, we can determine gaps, trends, and opportunities broadly.

This is why in the spring of 2021, we were thrilled to work with GitHub, the CHAOSS project, and Jessica Groopman from Kaleido Insights on a dedicated study on DEI in open source expanding on GitHub’s Open Source Survey in 2017. Together, we formed a dedicated working group to design and deliver the study, manifesting the notion that research really is a team sport. 

The importance of understanding DEI in open source

We have so many team members working on DEI initiatives, so this topic was a natural area of interest across the organization and within our project communities. Fortunately, we also had a dozen organizations provide sponsorship for this research, which enabled the translation of the survey into ten different languages. The goal of translation was to make the survey as accessible as possible for non-native English speakers.

The research was structured to determine how well we were doing as a community in terms of diversity, but importantly, how underrepresented groups feel within open source – do they feel welcome or unwelcome? Over time, we’ll want to see how this dynamic will change for the better.  

People of varying backgrounds and nationalities participate in open source, so how we measure their sentiment when they show up to work is important. There was no shortage of questions needing answers. For example, how do people view the efficacy of codes of conduct, or do people believe that they are given fair and equal opportunities? And for underrepresented groups, in particular, do they face barriers that others do not? How do we treat each other? 

We designed this research to uncover gaps in belonging within open source so that we can begin not just to think about how we can “do better,” but to inspire the implementation of inclusion strategies. Why? Because study after study shows that diverse teams are smarter and financially outperform their less diverse peers.

Barriers and challenges to achieving DEI in open source

From the data, we know that barriers in open source communities exist depending on the demographics or different segmentations of participants. Whether specific to race, gender, sexual orientation, language, geographic region, or religion – which we didn’t specifically study in this report – there are clear obstacles we need to remove. For example, communities can be more conscious about not scheduling conferences or meetings during religious holidays, such as Rosh Hashanah or Yom Kippur.

Download this infographic for key takeaways from the Linux Foundation DEI study.

We also need to be mindful that off-color jokes, sexual imagery, hostility, unwelcome sexual advances, rudeness, and name-calling don’t go over very well in open source, nor in any community for that matter. We need greater awareness that these types of behaviors exist and methods to improve how we deal with them when they occur.

And although English is the lingua franca of open source projects, native language and English fluency are barriers for some open source participants, as are geopolitical factors.

The uncomfortable truth revealed in the survey data is that people from the LGBTQ+ community are more likely to experience threats, inappropriate language, sexual advances, and other forms of toxic behavior. 

So what do we do about it? We need a full-fledged commitment to abiding by and enforcing codes of conduct within our communities. It is incumbent upon us to not tolerate inappropriate and toxic behavior and appropriately support community members when abuse arises.

Above all, it’s perhaps too easy to forget the human being at the other end of a transaction or professional exchange, especially as COVID-19 exacerbated the remote nature of our interactions.

The remedy is a combination of many facets of our society – not just within open source – to dedicate resources, inspire leadership, demonstrate moral courage, pursue greater educational initiatives, and spread awareness of the opportunities that come from diverse communities. 

Let’s remember that diverse teams, where inclusion practices are upheld, are stronger, better teams that make more robust, more thoughtful, and higher performing technologies.

You can help the Linux Foundation spread awareness of DEI in your Open Source community by using these graphics and suggested verbiage for including in your social posts.

Linux Foundation DEI Report: By the numbers

The report was sponsored by AWS, CHAOSS, Red Hat, VMware, GitHub, GitLab, Intel, Comcast, Renesas, Panasonic, Fujitsu, Hitachi, Huawei, and NEC. It was written by Hilary Carter, Vice President of Linux Foundation Research, and Jessica Groopman of Kaleido Insights. Researcher/Analyst Lawrence Hecht performed a quantitative analysis of the data with the support of Stephen Hendrick, VP of Linux Foundation Research, who conducted a peer review of the survey instrument.

  • 2 Authors
  • 2 Analysts
  • 2 Designers
  • 3 Editors
  • 4 Deliverables
  • 10 Survey Languages
  • 14 Sponsors
  • 24 Infographics
  • 30 Research Contributors
  • 2350 Survey Completes
  • 7000 Survey Respondents

The post On DEI Research: Why the Linux Foundation? Why now? appeared first on Linux Foundation.

The Linux Foundation Announces SupplyChainSecurityCon will be Featured Under the Open Source Summit North America 2022 Conference Umbrella

Thu, 01/20/2022 - 03:34

Open Source Summit continues to focus on covering the most critical topics, innovative technologies and pivotal open source projects as the premier event for the open source community.

SAN FRANCISCO, January 19, 2022 —  The Linux Foundation, the nonprofit organization enabling mass innovation through open source, has announced that SupplyChainSecurityCon, an event launched last fall at KubeCon + CloudNativeCon North America, will be hosted in 2022 as part of Open Source Summit North America, June 21-24, in Austin, TX and virtual.

Open Source Summit is the premier event for open source developers, technologists, and community leaders to collaborate, share information, solve problems, and gain knowledge, furthering open source innovation and ensuring a sustainable open source ecosystem.

Co-hosted by CNCF and OpenSSF, along with The Linux Foundation, SupplyChainSecurityCon will gather security practitioners, open source developers, and others interested in software supply chain security to explore the security threats affecting the software supply chain, share best practices and mitigation tactics, and increase knowledge about how to best secure open source software.  

SupplyChainSecurityCon will be one of thirteen events held under the Open Source Summit North America 2022 umbrella. As the open source ecosystem continues to evolve, Open Source Summit will do so as well, as a conference umbrella composed of a collection of events that will always cover the most important projects, technologies and topics in open source today – in one place.

Open Source Summit North America 2022 comprises the following events:

  • LinuxCon – the precursor to OS Summit and the event for Linux developers
  • SupplyChainSecurityCon – addressing supply chain security
  • CloudOpen – covering cloud infrastructure and cloud native for developers
  • OSPOCon – for those working in open source program offices
  • Embedded Linux Conference – the premier vendor-neutral technical conference for developers working on embedded Linux since 2005
  • Critical Software Summit – for developers working to increase dependability of OS projects in safety, mission and business critical applications
  • ContainerCon – for those adopting containerization to further automation, portability and efficiency
  • Emerging OS Forum – where to find out about the latest trends and technologies touching open source
  • Open AI + Data Forum – a forum to drive open source innovation in the AI, ML, DL, and Data domains

Save the Date.
Open Source Summit will be held on the following dates and locations:

Additional locations to be announced shortly. Registration will open in February 2022.

Submit to Speak.
The Call for Proposals for Open Source Summit North America events and Open Source Summit Europe events are now open. View suggested topics and submit talks for all events at the links provided.

The Linux Foundation strongly values the need to increase diversity, equity and inclusion in open source, and a great place for that to begin is on a conference stage. We encourage those from all marginalized communities to submit to speak. We also welcome and encourage first-time speakers to submit.

Sponsor.
Open Source Summit North America 2022 is made possible thanks to our sponsors, including Diamond Sponsor: Google, and Gold Sponsors: InfluxData and Styra. Open Source Summit Europe 2022 is made possible thanks to our sponsors, including Diamond Sponsor: Google, and Gold Sponsor: Styra. For information on becoming an event sponsor, click here or email us.

Press
Members of the press who would like to request a press pass to attend should contact Kristin O’Connell.

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

The Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

Visit our website and follow us on Twitter, LinkedIn, and Facebook for all the latest event updates and announcements.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

###

Media Contact
Kristin O’Connell
The Linux Foundation
koconnell@linuxfoundation.org

The post The Linux Foundation Announces SupplyChainSecurityCon will be Featured Under the Open Source Summit North America 2022 Conference Umbrella appeared first on Linux Foundation.

The OpenSSF and the Linux Foundation Address Software Supply Chain Security Challenges at White House Summit

Fri, 01/14/2022 - 05:34

WASHINGTON (January 13, 2022) – Today marks an important moment in the Linux Foundation’s history of engagement with public sector organizations. The White House convened an important cross-section of the Open Source developer and commercial ecosystem along with leaders and experts of many U.S. federal agencies to identify the challenges present in the open source software supply chain and share ideas on ways to mitigate risk and enhance resilience.

At the meeting, the Linux Foundation and the Open Source Security Foundation (OpenSSF) represented their hundreds of communities and projects by highlighting collective cybersecurity efforts and sharing their intent to work with the administration across public and private sectors.

Linux Foundation Executive Director Jim Zemlin said, “Safeguarding critical infrastructure includes securing the software that runs its banking, energy, defense, healthcare, and technology systems. When the security of a widely-used open source component or application is compromised, every company, every country, and every community is impacted. This isn’t a problem unique to the US government; it’s a global concern. We applaud the US government’s leadership in facilitating a stronger focus on open source software security and look forward to collaborating with the global ecosystem to make progress. In particular, the OpenSSF is our key initiative to address the broad set of open source software supply chain challenges, and it was very heartening to hear our work identified and endorsed by other participants in the meeting as a basis for further collaboration.” 

Executive Director of the Open Source Security Foundation, Brian Behlendorf commented, “During today’s meeting, we shared a set of key opportunities where, with sufficient commitments from everyone, we could make a substantial impact on the critical endeavors needed to protect and improve the security of our software supply chains. The open source ecosystem will need to work together to further cybersecurity research, training, analysis, and remediation of defects found in critical open source software projects. These plans were met with positive feedback and a growing, collective commitment to take meaningful action. Following the recent log4j crisis, the time has never been more pressing for public and private collaboration to ensure that open source software components and the software supply chains they flow through demonstrate the highest cybersecurity integrity.”

Brian continued, “Through efforts such as our working groups on Best Practices, Identifying Critical Projects, Metrics and Scorecards, Project Sigstore, and more to be announced soon, the OpenSSF has already had an impact on many of the key areas discussed during today’s meeting. We are ready to further these efforts and welcome all new participants and resources that this conversation and further such conversations may bring.”

About the Linux Foundation 

Founded in 2000, the Linux Foundation is supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at https://www.linuxfoundation.org/.

About the OpenSSF

The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community, targeted initiatives, and best practices. The OpenSSF brings together open source security initiatives under one foundation.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com


Baumer, Infineon, Qualcomm Innovation Center, Percepio and Silicon Labs Select Zephyr RTOS for their Next Generation of Products and Solutions

Fri, 01/14/2022 - 01:58

SAN FRANCISCO, January 13, 2022 – The Zephyr Project announces a major milestone today with Baumer joining as a Platinum member and Infineon Technologies, Qualcomm Innovation Center, Inc., Percepio and Silicon Labs joining as Silver members. These new members have selected Zephyr RTOS as one of the key technologies to build their next generation of connected products and solutions.

Zephyr, an open source project at the Linux Foundation that builds a safe, secure and flexible real-time operating system (RTOS) for resource-constrained devices, is easy to deploy, secure, connect and manage. It has a growing set of software libraries that can be used across various applications and industry sectors such as Industrial IoT, wearables, machine learning and more. Zephyr is built with an emphasis on broad chipset support, security, dependability, long-term support releases and a growing open source ecosystem.

“Zephyr fits where Linux can’t,” said Kate Stewart, Vice President of Dependable Embedded Systems at the Linux Foundation. “It will help these new members with development, delivery, and maintenance across a wide variety of products and models. We look forward to working with our new members to improve the technology their products and solutions are based on.”

Zephyr Long-Term Support (LTS) Release

In October 2021, the Zephyr community of almost 500 contributors made the LTS v2 release available that offers vendors a customizable operating system that supports product longevity, security and interoperability. Product developers aren’t locked into a particular architecture, back-end platform or cloud provider and will have the freedom to choose from an ecosystem of hardware. Additionally, products based on the LTS release will benefit from a maintained code base throughout their development and deployment lifecycle. The LTS will serve as the baseline for the auditable version of Zephyr, which will benefit both the maintained LTS and development branches. Learn more about the LTS v2 here.

Commitment to Zephyr

Baumer, one of the leading international companies for smart sensors, encoders and digital cameras for industrial automation, joins other Platinum members Antmicro, Google, Intel, Meta, Nordic Semiconductor, NXP and Oticon. Roman Kellner, Embedded Software Team Lead at Baumer, will join the Governing Board, which is committed to ensuring balanced collaboration and feedback that meets the needs of the Zephyr community.

“The mission of the Governing Board is to cultivate an innovative relationship among stakeholders to advance the Zephyr Project’s support of new hardware, developer tools, sensors, and drivers, while maximizing the functionality of devices that run applications developed using the Zephyr RTOS,” said Barna Ibrahim, Zephyr Governing Board member and Marketing Committee Chair. “We are ecstatic to welcome Roman to the board and look forward to working more closely with Baumer.”

“Baumer as a sensor manufacturer relies on the capabilities of microcontrollers in a wide performance range for our product portfolio,” said Roman Kellner. “Zephyr was chosen as our next sensor platform for its MCU vendor openness, reliability, high configurability, its added value compared to a pure RTOS scheduler and the future ability to cover non-safe and safe products with the same code base. We are happy to contribute our expertise to attribute Zephyr RTOS as a high performance sensor platform.” 

The Zephyr Project also welcomes Silver members:

  • Infineon, a world leader in semiconductor solutions that make life easier, safer and greener;
  • Qualcomm Innovation Center, a subsidiary of Qualcomm Technologies, that focuses on enabling and optimizing open source software that works with Qualcomm Technologies’ solutions;
  • Percepio, a leader in visual trace diagnostics for embedded systems and IoT; and
  • Silicon Labs, a leader in secure, intelligent wireless technology for a more connected world.

These members join AVSystem, BayLibre, Eclipse Foundation, Fiware, Foundries.io, Golioth, Laird Connectivity, Linaro, Memfault, Parasoft, Pat-Eta Electronics, RISC-V, SiFive, Synopsys, teenage engineering, and Wind River.

“The Zephyr Project is driving stability to developers which allows them to focus on product innovation and at Infineon, we are happy to be a part of helping customers drive differential value,” said Danny Watson, Principal Product Marketing Engineer at Infineon. “Infineon aims to be a key contributor to the underlying scalable goals of the Zephyr Project and to shape it into providing more performance and intelligent based Open Source Software for Infineon’s PSoC 6 Microcontrollers.”

“The Qualcomm Innovation Center (QuIC) is proud to become a new member of the Zephyr Project community,” said Anthony Scarpino, Senior Director of Engineering at Qualcomm Canada ULC. “QuIC looks forward to contributing to the Zephyr Project to collaborate in building the best-in-class RTOS for secure, connected, resource-constrained devices. QuIC supports the building of micro-controller-based devices as part of the hardware and software ecosystems in upcoming products and sees participation in Zephyr as a path to world-leading innovative solutions.”

“At Percepio, we’ve long recognized the potential of Zephyr RTOS as the leading independent platform for small IoT devices where Linux isn’t an option, yet capable enough for complex embedded IoT/Edge applications,” said Mike Skrtic, Vice President of Sales and Marketing at Percepio. “The latest Zephyr release brings expanded support for software tracing, which facilitates debugging and allows for improved reliability, security, and performance of embedded systems. We’re pleased to have made significant contributions to the new tracing subsystem, to provide full kernel tracing support, enabling the high-end visual trace diagnostics Tracealyzer is known for.”

“We’ve had our eye on Zephyr for some time and are excited to officially be a member of this RTOS project,” said Benny Chang, Vice President, Platform and Chief of Staff at Silicon Labs. “We appreciate the measures the Zephyr community is taking to build a reliable, well-tested RTOS for the IoT and look forward to connecting Zephyr users with our industry-leading hardware and connectivity solutions.”

To learn more about Zephyr RTOS, visit the Zephyr website and blog.

About the Zephyr Project

The Zephyr Project is an open source, scalable real-time operating system (RTOS) supporting multiple hardware architectures. To learn more, please visit www.zephyrproject.org.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

