OpenSSF Archives - SD Times
https://sdtimes.com/tag/openssf/

Open Source Summit: AWS open sources Cedar, SPDX Release Candidate 3.0, and OpenSSF updates
https://sdtimes.com/open-source/open-source-summit-aws-open-sources-cedar-spdx-release-candidate-3-0-and-openssf-updates/
Wed, 10 May 2023 19:11:10 +0000

The post Open Source Summit: AWS open sources Cedar, SPDX Release Candidate 3.0, and OpenSSF updates appeared first on SD Times.

Open Source Summit North America is taking place this week in Vancouver. The event, hosted by the Linux Foundation, is a celebration of the open source community. It has the support of many major players in the industry, with news announced during the event coming from AWS, Meta, and more. 

Here are highlights of the event so far: 

AWS open sources Cedar policy language and SDK  

Cedar is a language for expressing an application’s permissions as readable policies that are evaluated by a separate authorization engine rather than being hard-coded. By using Cedar, application teams can decouple access control from application logic.

It supports both role-based and attribute-based access control, and was developed using verification-guided development, which AWS describes as combining automated reasoning with differential random testing to give a high level of assurance of the language’s correctness and security.

SDKs for the language are also being released, including libraries for authoring and evaluating policies.

AWS hopes that by open sourcing the language, they can foster more innovation in the industry around fine-grained access management and make access control more accessible to all. 

AWS also announces new open-source fuzzing framework

According to AWS, existing fuzzing approaches often require large codebases to be refactored before they can be fuzzed effectively. The new framework, Snapchange, lets targets be fuzzed with minimal modification.

Built in Rust, Snapchange lets developers build fuzzers that replay physical-memory snapshots of a target inside a KVM virtual machine.

SPDX Release Candidate 3.0 now available

Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials (SBOM) information, including the components in a package, their licenses, and related security data. It is hosted by the Linux Foundation and is also published as an ISO/IEC international standard (ISO/IEC 5962:2021).

RC 3.0 introduces six profiles, each aimed at a common use case, so that SPDX better meets the needs of the industry. The profiles were shaped by community input and include specifications for security, licensing, AI, datasets, and software build processes.

According to the Linux Foundation, the United States’ executive order on cybersecurity and Europe’s Cyber Resilience Act underscored the need for an international standard for supply chain security, a role SPDX hopes to fill.

OpenSSF gets major funding from Google and Microsoft, new members

OpenSSF’s Alpha-Omega Project has received an additional $2.5 million each from Google and Microsoft.

OpenSSF also announced that Hitachi, Lockheed Martin, Salesforce, and SAP have become general members.

The foundation also announced that Omkhar Arasaratnam will be its new general manager and Brian Behlendorf will be chief technology officer. 

Meta joins the OpenJS Foundation

The OpenJS Foundation supports the open source JavaScript community. Meta has joined as a Gold Member, a position from which it can contribute to and advocate for the community further.

Meta had already been highly involved with the open source JavaScript community, through its projects React, Jest, and Flow. Jest is an open source testing framework, which Meta contributed to the OpenJS Foundation last year. 

“The broader JavaScript ecosystem benefits from Meta becoming an OpenJS Foundation member. In fact, we’ve already been working together in multiple different ways, and this makes official what has already been a great relationship,” said Shayne Boyer, OpenJS Foundation Board Director.

Version 1.0 of SLSA provides specifications for software supply chain security
https://sdtimes.com/security/version-1-0-of-slsa-provides-specifications-for-software-supply-chain-security/
Wed, 19 Apr 2023 17:08:16 +0000

The Open Source Security Foundation (OpenSSF) has announced the release of version 1.0 of its supply chain security framework, Supply-chain Levels for Software Artifacts (SLSA). The project provides specifications for software supply chain security that have been established by community consensus.

SLSA’s framework is split into levels that describe increasing degrees of assurance, so that consumers can gain confidence that software has not been tampered with and can be traced back to its source.

“The OpenSSF is working hard to put more rigor into the software development process,” said Brian Behlendorf, general manager of the OpenSSF. “The stable release of SLSA v1.0 is an important milestone in improving software supply chain security and providing organizations with the tools they need to protect their software.”

According to OpenSSF, SLSA’s specifications are useful to software consumers and producers alike. Producers can follow the guidelines to harden their own supply chain, and consumers can use an artifact’s SLSA level and provenance to decide whether to trust a software package.

With SLSA, users gain a common vocabulary for talking about software supply chain security, a way to assess upstream dependencies by establishing how trustworthy the artifacts they consume are, and a checklist for improving the security of the software they build.

The release also provides a way to measure developers’ progress toward the practices in the Secure Software Development Framework (SSDF), which the Executive Order on cybersecurity references.
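The consumer-side decision just described, whether to trust an artifact on the strength of its SLSA provenance, is easiest to see in code. The following Python is an added example, not OpenSSF or SLSA project code: it constructs a SLSA v1.0 provenance attestation (an in-toto Statement) for a sample artifact and then applies the checks a consumer would run before trusting it. The builder ID, source repository, buildType and artifact bytes are constructed for the example, and verification of the signed envelope the attestation arrives in is assumed to have happened already.

```python
"""Consumer-side checks on a SLSA v1.0 provenance attestation.

Added example, not OpenSSF or SLSA project code. Field names follow the SLSA
v1.0 provenance schema (an in-toto Statement whose predicate carries
buildDefinition and runDetails); the builder ID, source URI, buildType and
artifact bytes below are constructed for the example. A real attestation
arrives in a signed DSSE envelope, and the signature must be verified first;
that step is assumed to have already happened here.
"""
import hashlib

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

# Assumed consumer policy: the only build platform this consumer accepts, and
# the source repository the artifact is expected to have been built from.
TRUSTED_BUILDER_ID = "https://ci.example.com/builders/release@v2"  # hypothetical
EXPECTED_SOURCE = "git+https://github.com/example-org/widget"       # hypothetical
TRUSTED_BUILDERS = {TRUSTED_BUILDER_ID}

# Constructed bytes standing in for the downloaded release artifact.
ARTIFACT = b"widget-1.4.2 release tarball contents (constructed sample)\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_provenance(artifact: bytes, builder_id: str = TRUSTED_BUILDER_ID) -> dict:
    """Construct an in-toto Statement carrying SLSA v1 provenance for `artifact`."""
    return {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [
            {"name": "widget-1.4.2.tar.gz", "digest": {"sha256": sha256_hex(artifact)}},
        ],
        "predicateType": SLSA_V1_PREDICATE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.com/buildtypes/release/v1",  # hypothetical
                "externalParameters": {"ref": "refs/tags/v1.4.2"},
                "resolvedDependencies": [
                    {
                        "uri": EXPECTED_SOURCE + "@refs/tags/v1.4.2",
                        "digest": {"gitCommit": "0" * 40},  # placeholder commit id
                    }
                ],
            },
            "runDetails": {
                "builder": {"id": builder_id},
                "metadata": {"invocationId": "https://ci.example.com/runs/1"},
            },
        },
    }


def check_provenance(statement: dict, artifact: bytes,
                     trusted_builders: set, expected_source: str) -> list:
    """Return the list of reasons the artifact should NOT be trusted.

    An empty list means every check passed. Checks, in order: the statement
    and predicate types, that the artifact's digest is one of the attested
    subjects, that the builder is one the consumer trusts, and that the
    expected source repository appears among the resolved dependencies.
    """
    failures = []

    if statement.get("_type") != INTOTO_STATEMENT_V1:
        failures.append("not an in-toto v1 Statement")
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        failures.append(f"unexpected predicateType {statement.get('predicateType')!r}")

    # Binding between attestation and bytes: the artifact hash must match a subject.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256", "").lower() == digest for s in subjects):
        failures.append("artifact sha256 does not match any attested subject")

    predicate = statement.get("predicate", {})

    # The builder identity is the root of trust for everything else in the predicate.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        failures.append(f"untrusted builder {builder_id!r}")

    # Where the source appears is defined per buildType; this example assumes
    # it is listed among resolvedDependencies as a git+ URI.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(expected_source) for d in deps):
        failures.append(f"expected source {expected_source!r} not in resolvedDependencies")

    return failures


if __name__ == "__main__":
    statement = make_sample_provenance(ARTIFACT)
    print("genuine artifact:", check_provenance(statement, ARTIFACT, TRUSTED_BUILDERS, EXPECTED_SOURCE))
    print("tampered artifact:", check_provenance(statement, ARTIFACT + b"\x00", TRUSTED_BUILDERS, EXPECTED_SOURCE))
```

Running the module prints an empty failure list for the genuine artifact and a digest-mismatch failure for the tampered copy. In practice these are the checks that tools such as slsa-verifier automate, on top of verifying the envelope signature and the builder’s identity; hand-rolling them here makes visible what a SLSA provenance actually asserts: who built the artifact, from what source, and that the bytes in hand are the bytes attested.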

To get started using SLSA, visit the website.

NSA’s and CISA’s recent security guidance: The good and the bad
https://sdtimes.com/security/nsas-and-cisas-recent-security-guidance-the-good-and-the-bad/
Tue, 11 Oct 2022 14:00:10 +0000

The NSA and CISA released the guide “Securing the Software Supply Chain: Recommended Practices Guide for Developers” last month, and while David Wheeler, the director of open-source supply chain security at the Linux Foundation and OpenSSF, welcomes it, he said it contains some questionable requirements.

The guide covers topics such as how to develop secure code, how to verify third-party components, and how to harden the build environment. It is also part of the government’s effort to bolster supply chain security following last year’s Executive Order 14028; Sonatype’s 2021 State of the Software Supply Chain report recorded a 650% year-over-year increase in supply chain attacks.

The guide encourages developers to take regular, relevant security training and to be evaluated periodically, at least annually. Ideally, the training is run by a centralized, expert security team that helps product teams grow their own secure development expertise.

One issue Wheeler finds is that the guide assumes all software is developed by large teams, which is not the reality across industries.

“They’re making all these assumptions about multiple reviews on large teams. And that’s assuming that there’s some sort of internal computer network,” Wheeler said. “For a lot of organizations, that doesn’t exist. And in fact, it’s moved towards zero trust to move away from trust in an internal network. And so they’re kind of making old school assumptions or whatever they get old, you’ll see that again, and again, they are making some really unreasonable development environment requirements.” 

Wheeler said there also seems to be a lack of understanding about open-source software (OSS).

“The term commercial item by definition includes open-source software, and yet they talk about commercial as though it’s not the same as open source software,” Wheeler said. 

Lastly, there does not seem to have been adequate industry interaction or public review of a draft while the guidance was being written, according to Wheeler.

“Most software expertise is outside the U.S. government, not in it, as that’s where most software development is today. The document has many other problems, which in part stem from inadequate public review,” Wheeler said. 

Wheeler is adamant that the education system and the software industry need to do better at teaching developers the fundamentals of designing software with security in mind, and he welcomes the fact that the guide offers guidance aimed at developers.

“Historically, the U.S. government is kind of famous for spending a lot of effort on trying to configure insecure software and somehow magically transform it into secure software. That hasn’t worked,” Wheeler said. “With this, I’m really glad that they’re putting in guidance for developers.” 

Wheeler appreciates that the guide encourages developers to use design principles from the Saltzer and Schroeder list, which have withstood the test of time. The list is a set of eight design principles for secure computer systems, named after Jerome H. Saltzer and Michael D. Schroeder, who published them in 1975.

He added that developers should at least know the most common kinds of vulnerabilities, including the CWE Top 25 and the OWASP Top 10, and know the major kinds of security tools and how to apply them. Developers should understand that they need to do “negative testing” (confirming that the software rejects the inputs and actions it is supposed to reject, not only that it accepts valid ones) and appreciate the importance of high-coverage automated testing.

They should also know how to evaluate open source software and how to use tools such as package managers to automate dependency management. Lastly, they should focus on protecting their development environments and start using MFA tokens, which stop many common attacks.

AWS increases its commitment to OpenSSF by $10 million
https://sdtimes.com/security/aws-increases-its-commitment-to-openssf-by-10-million/
Fri, 13 May 2022 19:02:46 +0000

To address the ongoing concerns in the industry regarding supply chain security, AWS has announced it is increasing its investment in the Open Source Security Foundation (OpenSSF) by $10 million over the next three years.  

“Security is our top priority at AWS,” said Mark Ryland, director of the Office of the CISO at AWS. “As a result, we are committed to contributing to the quality and safety of open source software. We see great value in contributing both engineering efforts and also projects, tools, training, and guidelines to help improve the security of open source software. These efforts benefit us, our customers, and the broader community.”

OpenSSF is a cross-industry initiative, hosted by the Linux Foundation, that works to identify and fix security vulnerabilities in open source software and to improve the tooling and practices around it.

Its goals include developing better tooling, training, research, best practices, and vulnerability disclosure practices.

In October 2021, the Linux Foundation had announced that it raised $10 million for OpenSSF from a number of companies, including Amazon. 

“This pan-industry commitment is answering the call from the White House to raise the baseline for our collective cybersecurity wellbeing, as well as ‘paying it forward’ to open source communities to help them create secure software from which we all benefit,” said Jim Zemlin, executive director at the Linux Foundation, back in October 2021 at the time of the initial announcement. 

In addition to increasing its investment by $10 million, AWS is also promising to commit additional engineering personnel to contribute to open source projects. 

OpenSSF announces new project for improving supply chain security
https://sdtimes.com/softwaredev/openssf-announces-new-project-for-improving-supply-chain-security/
Wed, 02 Feb 2022 19:54:43 +0000

OpenSSF announced the Alpha-Omega Project to improve the security posture of open-source software by working together with software security experts. 

Microsoft and Google are backing the project with a $5 million investment. It aims to improve global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code.

The project is split into two sides, Alpha and Omega. Alpha will work directly with the most critical open source projects to improve their security posture; candidates include standalone projects and core ecosystem services, selected using the work of the OpenSSF Securing Critical Projects working group.

Omega will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

“Open source software is a vital component of critical infrastructure for modern society. Therefore we must take every measure necessary to keep it and our software supply chains secure,” said Brian Behlendorf, the general manager of OpenSSF. “Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities. This is the start of what we at OpenSSF hope will be a major channel for improving OSS security.”
