Security News
The Linux Foundation announced Linux Foundation Research, a new division that will broaden the understanding of open source projects, ecosystem dynamics, and impact, with never before seen insights on the efficacy of open source collaboration as a means to solve many of the world's pressing problems. Through a series of research projects and related content, Linux Foundation Research will leverage the Linux Foundation's vast repository of data, tools, and communities across industry verticals and technology horizontals.
The report highlights trends in open source usage within commercial applications and provides insights to help commercial and open source developers better understand the interconnected software ecosystem they are part of. It also details the pervasive risks posed by unmanaged open source, including security vulnerabilities, outdated or abandoned components, and license compliance issues.
Logz.io announced its support for the OpenSearch project, the new fork of the Elasticsearch and Kibana codebases recently unveiled by AWS. Logz.io has been working closely with AWS and several other partners to help define the future path and roadmap for the project. Logz.io is confident that the community-based nature of the project will ensure users continue to have a secure, high-quality, fully open source based search and analytics suite with a rich roadmap of new and innovative functionality.
How do such products fare on security? Though the community-based approach toward open source means that security flaws should be identified quickly, patching those flaws and applying the patches is another matter. In a report released Tuesday, design automation company Synopsys looked at commercial applications that use open source code to see how they dealt with security flaws.
Designed to help advance artificial intelligence and machine learning, the experimental research project was designed to aid in the analysis of how "Autonomous agents operate in a simulated enterprise environment using high-level abstraction of computer networks and cybersecurity concepts." Reinforcement learning, Microsoft explains, is a type of machine learning that teaches autonomous agents to make decisions based on the interaction with the environment: agents improve strategies through repeated experience, similarly to playing a video game over and over to become better at it.
Microsoft has open-sourced software that pits machine-learning-powered network intruders against automated defenders inside virtual networks. The tech, dubbed CyberBattleSim by its creators at the Microsoft 365 Defender research team, is a Python-based OpenAI Gym affair, and sets up pretend networks loaded with vulnerabilities and other weaknesses.
Microsoft has open-sourced software that pits machine-learning-powered network intruders against automated defenders inside virtual networks. The tech, dubbed CyberBattleSim by its creators at the Microsoft 365 Defender research team, is a Python-based OpenAI Gym affair, and sets up pretend networks loaded with vulnerabilities and other weaknesses.
DOWNSTREAM ISSUES. The result is that under-resourced teams need to manage vulnerabilities that may or may not be relevant within hundreds of libraries, possibly within many different apps, and always with the possibility that library updates may cause further downstream issues. "Failure to keep libraries updated over time not only increases risk to an organization but also makes library updates much more difficult and time-consuming when they are finally done. When a library stays dormant in an application for multiple years, any new vulnerability is difficult to fix because so much code has been built over it."
Open source security management company WhiteSource on Wednesday announced that it has raised $75 million in a Series D funding round. The latest round, which brings the total raised by WhiteSource to more than $120 million, was led by Pitango Growth, with participation from M12, Susquehanna Growth Equity, and 83North.
Sigstore could eliminate the headaches associated with current software signing technology through public ledgers. The Linux Foundation, in partnership with Red Hat, Google and Purdue University, has announced a new digital signing project, potentially eliminating many of the headaches that come with securing open source software, files, images and binaries.