$30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMWare. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million.
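From Struts2, Heartbleed and SolarWinds to Log4j, it is clear how far-reaching vulnerabilities in the supply chain and in open-source software can be. More and more tech giants are now joining the governance effort, hoping to improve the supply chain / open-source software "golden triangle". For comparable governance recommendations in China, see CNCERT's "2021 Open Source Software Supply Chain Security Risk Research Report".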
White House joins OpenSSF and the Linux Foundation in securing open-source software | ZDNet
During this meeting, Google announced the creation of its new “Open Source Maintenance Crew” — a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects. In addition to this initiative, we contributed ideas and participated in discussions on improving the security and trustworthiness of open source software.
(The meeting referred to here is the OpenSSF meeting mentioned above.)
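Google is one of the largest commercial users of open source; without open-source software, most of Google's services would not exist. In fact, the entire internet industry is the biggest beneficiary of open-source software, but it has gotten used to freeloading...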
Shared success in building a safer open source community
Honeypot technology has a long history. Deploying decoy assets alongside users' real assets, to enhance intranet awareness and increase the complexity of attacks, is an important means of breaking the asymmetry between attack and defense.
However, traditional honeypot deception defense solutions often fail to achieve high coverage due to issues such as cost and authenticity, forming an "impossible triangle".
Cloud Honeypot uses four techniques to break the impossible: