UPDATED 13:53 EDT / AUGUST 19 2015


The Linux Foundation launches a new initiative to foster security in the open-source community

In theory, the more people are involved in a software project, the lower the chance of a vulnerability slipping through. In practice, the open-source community suffers its fair share of security issues that periodically rise to the surface, such as the Heartbleed vulnerability discovered last year. The Linux Foundation hopes to address this with a new initiative meant to foster safer development.

The program is launching under the wing of the Core Infrastructure Initiative (CII), one of the many groups in the foundation's ecosystem, which will start handing out badges to projects that meet the requirements outlined in a standard published this week. The lengthy document covers everything from basic eligibility criteria concerning licensing and documentation to more nuanced details such as the method by which code is delivered.

The program mandates that downloads must be served over a secure connection that can't be intercepted, and that project organizers should provide a likewise private channel for their users to report security vulnerabilities. The remaining criteria pertain mainly to the code base itself and how it's managed, and compliance with them can be checked using an automated diagnostic tool available to participants.

Projects that are found to meet the requirements of the CII standard are given a specific combination of badges reflecting their level of compliance. It's not a foolproof defense against security issues, especially given that participation is entirely voluntary, but it does hold the potential to establish a much-needed baseline for safer code.

Creating a tangible distinction between projects that employ security best practices and those that don't, in the form of a badge clearly visible to any prospective user, could create the competitive pressure needed to motivate projects that fall short of the standard to catch up. But to do that, the CII first needs to establish its standard as a reliable benchmark, which is why it's actively soliciting input on the document from members of the open-source community.

The group's efforts already seem to be bearing fruit. The Linux Foundation announced that two key influencers, Black Hat Review Board member Adam Shostack and NCC Group Plc. cryptography services head Tom Ritter, have joined the CII leadership in conjunction with the launch of the certification program to help its efforts along.

Photo via Geralt
