As the open-source model continues to prove its sustainability in the enterprise, the software community is ramping up its security mindedness. That concern was evident in recent weeks as leading Linux groups led the way for better code security.
Google announced a new initiative to zero in on software vulnerabilities. Already a generous provider of patching incentives, the company upped the ante to encourage more researchers to submit vulnerable code for cash.
Edgeless Systems made a striking open-source contribution, JFrog offered advancements in support of a more polished Rust Foundation, and Facebook, too, pushed the limits for Meta AI.
Google Offers Bug Bounty for Infected Open-Source Code
Google launched its Open Source Software Vulnerability Rewards Program (OSS VRP) at summer’s end to reward discoveries of vulnerabilities in Google’s open-source projects such as Golang, Angular, and Fuchsia. The program joins the bounty campaign Google started some 12 years ago.
Over time, the campaign expanded to include programs focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13,000 submissions, totaling over $38 million paid.
The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises. Last year saw a 650% year-over-year increase in attacks targeting the open-source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open-source vulnerability.
Google’s OSS VRP is part of a $10 billion commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open-source consumers worldwide.
“Securing open-source software and the broader software supply chain remains a top concern for security organizations globally. By leveraging the human intelligence of the researcher community, Google is showing that it is committed to ensuring its open-source projects are secure.
“This represents a great step being taken by a leader in OSS to ensure they are providing secure OSS components,” said Dave Gerry, chief operating officer at crowdsourced cybersecurity firm Bugcrowd.
How It Works
The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol Buffers, and Fuchsia. After the initial rollout, Google plans to expand this list.
Researchers must focus on discoveries that have the greatest impact on the supply chain. Qualifying submissions include vulnerabilities leading to supply chain compromise, design issues causing product vulnerabilities, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.
Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.
See the program rules for more information. If a submission better suits another Google bug-hunting campaign, Google will forward it on your behalf to that VRP.
Also check the Patch Rewards program, which rewards security improvements to Google’s open-source projects, for example up to $20,000 for fuzzing integrations in OSS-Fuzz.
“OSS projects already have the advantage of having more eyes on the code, which leads to vulnerabilities often being found and fixed quickly. A bug bounty program like this will incentivize people to take a deeper look.
“Ideally, a program like this could expand outside of ‘sponsored’ projects with ties to large tech companies to help other vital, but not so well funded, OSS projects too,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation.
Industry Gets First Runtime-Encrypted Kubernetes as Open Source
Edgeless Systems on Sept. 13 released the first Confidential Kubernetes based on Confidential Computing. It is available for all users on GitHub.
The Constellation open-source project keeps Kubernetes clusters verifiably shielded from the underlying cloud infrastructure and encrypted end-to-end. Confidential Computing is a hardware-based technology that shields computer workloads from their environments and keeps data encrypted even during processing.
This development helps to meet a massive security requirement as computing spans increasingly diverse environments. It helps enterprises and developers manage growing security and compliance concerns. With Constellation open-sourced, more Kubernetes users can secure all their data at rest, in transit, and now in use.
JFrog Adds to Rust’s Efforts To Root Out OSS Vulnerabilities
The open-source community is gaining traction in raising the security of code that runs in the vast majority of the world’s software, including proprietary programs.
JFrog, the Liquid Software company and creators of the JFrog DevOps Platform, on Sept. 13 announced a new initiative with the Rust Foundation, an independent non-profit organization that stewards the Rust programming language. The partnership focuses on identifying and eliminating threats to the Rust platform and ecosystem.
Starting immediately, the JFrog Security Research team will provide access to all information on known software vulnerabilities, ongoing threat research, and developer resources to proactively amend discovered platform issues and prevent emerging security vulnerabilities from having future impacts.
“Securing the software supply chain cannot be achieved with a one-time effort. It requires ongoing commitment, plus a multi-layered approach. We believe memory-safe languages play a big role in that plan,” said Stephen Chin, vice president of developer relations at JFrog.
“By working hand-in-hand with the Rust Foundation, we can ensure this cornerstone programming language remains a recommended best practice in the development of modern, secure software,” he added.
A study by Google indicated that memory safety issues have accounted for roughly the same proportion of critical security vulnerabilities (those tracked as CVEs) for more than a decade. The Rust programming language, reportedly used by 2.2 million developers over the past two years, was designed from the ground up to be both memory-safe and high-performance.
This means the language does not allow programs to access memory they are not permitted to access. That, in turn, greatly reduces the chance that a developer unknowingly introduces a memory-corruption bug that an attacker could exploit to inject malicious code.
Thus, Rust has been identified as a “critical open-source software project” by the Open Source Security Foundation (OpenSSF) and granted support under the OpenSSF’s Alpha-Omega Project to help identify new and as-yet-undiscovered vulnerabilities to improve Rust’s security posture.
The inherent stability and performance of Rust, coupled with JFrog’s advanced security tools, research, and expertise, will help ensure the safety of the Rust language over time.
“I believe this investment will keep Rust safe, secure, and sustainable, enabling new use cases and wider industry adoption,” said Bec Rumbul, executive director of the Rust Foundation.
PyTorch and Deep Learning Initiatives
Meta on Sept. 12 announced the PyTorch Foundation: a new era for the cutting-edge AI framework.
The pre-existing PyTorch organization is now the independent PyTorch Foundation under The Linux Foundation (LF) umbrella. The project joins LF with a diverse governing board composed of representatives from AMD, Amazon Web Services, Google Cloud, Meta, Microsoft Azure, and Nvidia, with the intention to expand over time.
PyTorch Foundation will act as a steward for the technology and support PyTorch through conferences, training courses, and other initiatives. The goal is to drive the adoption of AI tooling by fostering and sustaining an ecosystem of open source, vendor-neutral projects with PyTorch. It will democratize state-of-the-art tools, libraries, and other components to make these innovations accessible to everyone.
In conjunction with this arrangement, LF the same day announced its Training & Certification community is introducing a new course, PyTorch and Deep Learning for Decision Makers (LFS116x). The content targets technical and non-technical individuals interested in understanding how deep learning and PyTorch can be used to create business value through the development and deployment of AI applications.
Visit The Linux Foundation for enrollment details.