The Linux Foundation is holding one of its most expansive physical and virtual showcases this week at its Open Source Summit North America 2022 in Austin, Texas.
The event is a staging ground for some of the most important announcements and cutting-edge topics touching open source today.
LF built the Summit as an umbrella for the open-source projects and technologies that are fundamental across software and other industries. It highlighted those that are poised for growth and widespread use.
“The event provided the collaborative environment and knowledge sharing needed to drive innovation across the fold,” said Angela Brown, senior vice president and general manager of events at The Linux Foundation.
The Summit covered 14 events, including LinuxCon, Embedded Linux Conference, SupplyChainSecurityCon, CloudOpen, OSPOCon, Emerging OS Forum, and ContainerCon. The schedule featured 300 talks ranging from keynote presentations, conference sessions, and tutorials.
It provided a major audience for several key LF announcements and critical releases, including launching the 10th Annual Open Source Jobs Report, 500 scholarships for Linux Foundation training and certifications, plus new training courses on “Securing Your Software Supply Chain with Sigstore” and “Introduction to DevSecOps for Managers.”
Newly added functionality to existing courses will enable secure software development, one of the cornerstones of the recent Open Source Software Security Mobilization Plan from the Open Source Security Foundation (OpenSSF) and its members.
Big News Highlights the Big Shows
LF issued several key announcements related to the open-source industry, Linux training, software security, and supply chains:
- Updates on the Alpha-Omega project to improve software supply chain security for 10,000 OSS projects. Part of this includes funding for critical security work by various software foundations.
- Secure Software Development Training is now available for organizations’ Learning Management Systems.
- The launch of a new podcast called The Untold Stories of Open Source, including an episode featuring Brian Behlendorf, general manager of OpenSSF.
- The release of the State of Open Source Security Report, a study by Snyk and the Linux Foundation that addresses cybersecurity challenges in open-source software.
LF on Wednesday also released the 10th Annual Open Source Jobs Report, which examined trends in open-source hiring, retention, and training. The report reinforced hiring shortfalls from recent years as technology careers are now more lucrative as open-source software becomes dominant and talent gaps persist.
OSS Security Reports Critical Concerns
Organizations lack high confidence in open-source software security, according to the Snyk and LF report. Modern application development teams are leveraging code from all sorts of places.
They reuse code from other applications they have built and search code repositories to find open-source components that provide the functionality they need. The use of open source requires a new way of thinking about developer security that many organizations have not yet adopted, cautioned the report.
Less than half (49 percent) of organizations have a security policy for OSS development or usage. This number is only 27 percent for medium-to-large companies. A scant three in ten organizations without an open-source security policy openly recognize that no one on their team is directly addressing open-source security.
Once they plug in an open-source component, developers become dependent on that component and are at risk if that component contains vulnerabilities. The report shows this risk is compounded by indirect, or transitive, dependencies, aka the dependencies of plugged-in dependencies. These account for 40 percent of all vulnerabilities within transitive dependencies.
Time to fix vulnerabilities more than doubled from 49 days in 2018 to 110 days last year. As application development has increased in complexity, the security challenges faced by development teams have also become increasingly complex. The report found that fixing vulnerabilities in open-source projects takes much longer than in proprietary projects.
Money Needed to Fill Linux Jobs
The need for open-source talent is strong as cloud adoption and digital transformation continue across all industries.
As the Covid pandemic wanes, both retention and recruitment have become more difficult than ever, with 73 percent of professionals reporting it would be easy to find a new role and 93 percent of employers struggle to find enough skilled talent.
Movement between jobs is picking up. The majority of open-source professionals (63 percent) reported their employment did not change in the past year. While one-in-three reported they either left or changed jobs, putting additional pressure on employers trying to hold onto staff with necessary skills.
The shift to permanent remote or flexible work arrangements carried out by many organizations is making recruiting talent more expensive, as financial incentives become a bigger differentiator. Some 47 percent of employers increased wages for open-source professionals more than other job roles.
“Every business has struggled with recruiting and retaining talent this past year, and the open-source industry has been no different,” noted Linux Foundation Executive Director Jim Zemlin in announcing the job report’s release.
He also offered tips to make recruiting more successful. For instance, organizations need to not only differentiate themselves to attract talent but also must look at ways to close the skills gap by developing net new and existing talent.
The skills gap will worsen before improving, the report warns. Nearly half (46 percent) of employers plan to increase their open-source hiring in the next six months.
Paychecks are now a greater differentiating factor for two-in-three open-source professionals saying a higher salary would deter them from leaving a job. Flex time and remote work are the new industry standard.
The 10th Annual Open Source Jobs Report is now available to download for free with no form fill required.
Big Changes Planned for Cloud Data, Infrastructure
LF on Tuesday announced the new Open Programmable Infrastructure (OPI) Project to foster a community-driven, standards-based open ecosystem for next-generation architectures and frameworks. The new technologies are based on data processing and infrastructure processing units (DPU and IPU).
OPI is designed to facilitate the simplification of network, storage, and security APIs within applications to enable more portable applications in the cloud and datacenter across DevOps, SecOps, and NetOps.
When new technologies emerge, they bring so much opportunity for both technical and business innovation. But barriers often include a lack of open standards and a thriving community to support them, observed Mike Dolan, senior vice president of projects at the Linux Foundation.
“DPU and IPU are great examples of some of the most promising technologies emerging today for cloud and datacenter, and OPI is poised to accelerate adoption and opportunity by supporting an ecosystem for DPU and IPU technologies,” Dolan said in the announcement. DPU and IPU comprise a growing trend supporting high-speed network capabilities and packet processing for 5G, AI/ML, Web3, crypto, and more. Their flexibility aids in managing resources across networking, compute, and storage domains instead of servers being the infrastructure unit for cloud, edge, or the data center.
Operators can now create pools of disaggregated networking, compute, and storage resources supported by DPUs, IPUs, and CPUs to meet their customers’ application workloads and scaling requirements.
Founding members of OPI include Dell Technologies, F5, Intel, Keysight Technologies, Marvell, Nvidia, and Red Hat, with a growing number of contributors representing a broad range of leading companies in their fields ranging from silicon and device manufacturers, ISVs, test and measurement partners, OEMs to end-users.
Costly OSS Security Mobilization Plan
Discussions involving the private sector, U.S. government experts, and OSS foundations at a January 2022 meeting at the White House brought consensus to three overarching goals:
- Securing OSS production by preventing security defects and code vulnerabilities;
- Improving vulnerability discovery and remediation processes for finding them;
- Shortening ecosystem patching time to distribute fixes.
LF officials released a white paper suggesting a comprehensive portfolio of 10 initiatives ready to start addressing three fundamental goals for hardening the software supply chain.
The plan tackles vulnerabilities and weaknesses in widely deployed software that present systemic threats to the security and stability of modern society, since government services, infrastructure providers, nonprofits and the vast majority of private businesses rely on software in order to function.
Roughly 70 to 90 percent of any software stack consists of open-source software. They pose shared risks of exposure to vulnerabilities, according to the report, and incur the same disruption and corruption that hits any physical supply chain. It will require financial investments to shift security from a largely reactive exercise to a proactive approach.
A small team of domain experts drawn from the OpenSSF community drafted the streams to the targeted 10 goals. The report projects cost estimates for the first two years of technical implementation.
Source: The Open Source Software Security Mobilization Plan
The price tags range from $2 million to $42 million for the first two years for attempting to fix the software supply chain via the 10 suggested streams.