Security and FUD Leftovers
#OSSummit: Don’t Ignore GitHub Security Alerts
In a session at the Open Source Summit in San Diego, California on August 22, Gil Yehuda, senior director, open source and technology strategy at Verizon Media, outlined the security challenges and opportunities facing organizations that build open source projects on GitHub.
GitHub has become the de facto primary place to share code for many organizations engaged in open source, including Verizon Media. Yehuda explained that Verizon Media is a conglomerate, effectively made up of what had been Yahoo and AOL, and includes many different online media properties. Across all those properties, Verizon Media has started over 330 open source projects, ranging from Screwdriver, which is a continuous delivery technology, to Denali Design, which is a user interface design language for open source projects.
[...]
However, a challenge that Yehuda pointed out is not for individual projects, but rather for managing many projects at scale. He noted that it's great that a project maintainer gets an alert and is diligent about fixing the issue, but what happens if the individual maintainer just ignores the alert and doesn't fix the issue?
Binance Funds 40 Developers to Build Open-Source Crypto Software
Malta-based crypto exchange Binance wants to spur greater research in open-source blockchain development.
Money 2.0 Stuff: Open Binance
How to Make Your CSO Happy with Your Open Source Components [Ed: Mild FOSS bashing by implying that it's FOSS that has defects whereas proprietary software has none]
The secret to a CSO’s heart is through a healthy codebase. If you’re interested in introducing OSS into your company’s network, be prepared for a major security challenge. You’ll need to keep track of your OSS, keep an eye out for vulnerabilities, and keep the company codebase as secure as possible.
Close Agile open source tools vulnerabilities [Ed: Sonatype still ignoring the elephant in the room: defects and intentional 'defects' (back doors) in proprietary software]
Do the benefits of open source software outweigh the risks? [Ed: Let's pretend again that programming the proprietary software away is 100% perfect, has no defects and no secret back doors. Only FOSS is a risk. Every piece of software has some "risk" associated with it. It's not a FOSS thing. Proprietary software comes with a huge risk of EULA enforcement and massive fines, lawsuits. It also has secret back doors, with no liability. No audits. Complicity with spy agencies.]
Corelight’s Brian Dye: Data-Driven Approach, Open Source Tools Key to Building Defensive Cyber Program
Brian Dye, chief product officer at cybersecurity firm Corelight, has said agencies should implement a data-driven security approach and open source-based tools to protect their networks from cyber attacks. Dye wrote that some federal agencies have shifted toward that approach with the use of an open-source network analysis framework called Zeek and the Risk Management Framework of the National Institute of Standards and Technology.
“For a high-level, strategic view, agencies need to have all three of those bases covered. If they don’t, it will take significantly longer to find threats, and some won’t be discovered. That puts organizations in the difficult position of not knowing what they don’t know,” Dye said.
[...]
“Open source-based tools are crucial for ensuring that agencies have good data to work with when building a defensive program,” he said. “Such tools provide data that is adaptable, extensible and often irreplaceable. If the right information isn’t in the raw data, no amount of post-processing or analytics will ever compensate for that.”
OPNsense® Partners With Sunny Valley Networks to Provide Next Generation Firewall Features on Its Platform
Today, Deciso®, the founder of OPNsense®, and Sunny Valley Networks announced the public availability of Sensei, an easy-to-install plug-in which empowers open source firewalls with next-generation firewall features. Sensei Free Edition is made available at no cost to OPNsense users, while the Premium Subscription, which offers more advanced features, is available for purchase through the OPNsense webshop.
The technology behind Sensei is a very powerful packet analysis engine which can also provide protection against encrypted cyber-attacks that are gaining momentum. Sensei technology enables cyber security tools with utmost visibility, packet classification and fine-grained policy enforcement for any type of traffic. More packet intelligence means better decision making. Better decision making means better success rates in detecting & preventing cyber-attacks. Sensei provides rich packet intelligence so that the industry can enjoy great cyber security tools.
