Supply Chain / Open Source Software Security

Open Source Security Foundation and Linux Foundation Call for $150 Million to Improve Open Source Security

$30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMWare. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million.


From Struts2, Heartbleed and SolarWinds to Log4j, it is clear how far-reaching vulnerabilities in the supply chain and in open source software can be. More and more technology giants are now joining the governance effort in the hope of improving this "golden triangle" of supply chain / open source software. For comparable governance recommendations in China, see CNCERT's 2021 Open Source Software Supply Chain Security Risk Research Report (《2021 年开源软件供应链安全风险研究报告》).

Further reading

White House joins OpenSSF and the Linux Foundation in securing open-source software | ZDNet

Google’s Open-Source Maintenance Crew

During this meeting, Google announced the creation of its new “Open Source Maintenance Crew” — a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects. In addition to this initiative, we contributed ideas and participated in discussions on improving the security and trustworthiness of open source software.


Google is one of the largest commercial users of open source; without open source software, most of Google's services would not exist. In fact, the entire internet industry is the biggest beneficiary of open source software, but it has grown used to freeloading……

Further reading

Shared success in building a safer open source community

Industry News

AliCloud Cloud Native Honeypot Released

Honeypot technology has a long history. Deploying decoy assets mixed in with a user's real assets, in order to improve visibility into the internal network and increase the complexity of an attack, is an important means of breaking the asymmetry between attack and defense.

However, traditional honeypot deception defense solutions often fail to achieve high coverage due to issues such as cost and authenticity, forming an "impossible triangle".

Cloud Honeypot uses four techniques to break this impossible triangle:

  1. VPC black-hole probes
  2. Coverage of mainstream application types
  3. A degree of camouflage that can be configured freely
  4. Correct operation of defense and trace-back countermeasures