Highlights from Armis State of Cyberwarfare and Trends Report: 2022-2023

Armis, the asset visibility and security company, has published findings from the Armis State of Cyberwarfare and Trends Report: 2022-2023, which measured global IT and security professionals’ perceptions of cyberwarfare. It found that while 84% of UK organisations claimed to have programmes and practices in place to respond to the threat of cyberwarfare, only one-third (32%) said their plans are validated against best-practice frameworks, below the global average of nearly 40%. In addition, 57% of UK organisations have stopped or stalled digital transformation projects because of the threat of cyberwarfare, slightly above the global average of 55%.


The cyberwarfare threat is growing

The Russian invasion of Ukraine has not only tragically upended the lives of countless people in a sovereign nation, but it is also causing geopolitical shockwaves of cyberwarfare that will reverberate for the foreseeable future. Today’s targets extend well beyond the higher levels of the opposition governments; any organisation is a potential victim, with critical infrastructure and high-value entities at the top of the list. The study shares responses from more than 6,000 respondents globally and across multiple industries, including healthcare, critical infrastructure, retail, supply chain and logistics, and more.

The study showed that cyberwarfare was one of the lowest-ranking priorities for UK organisations, despite a majority (59%) agreeing that the threat of cyberwarfare has increased since the start of the Ukrainian conflict, and 62% saying they are somewhat or very concerned about the threat of cyberwarfare to their organisations. In the UK, 42% of security professionals said they had had to report an incident of cyberwarfare to the authorities, significantly higher than the European average of one-third of companies but lower than the global average of 45%. A further 28% of UK organisations reported more threat activity on their networks in the past six months than in the six months before.

Other UK findings Armis noted include:

  Almost half (46%) of UK security professionals have said they’re reconsidering suppliers as a result of the Ukrainian conflict.

  Almost three-fifths (57%) of UK security professionals support a conscription to a cyber defence league if the UK was drawn into a cyberwar conflict.

  Almost one in ten (9%) UK companies spend less than 5% of their IT budget on cybersecurity, while the largest group (43%) spend between 5% and 10%.

  When it comes to paying for ransomware, almost a quarter (24%) of security professionals in the UK said they have an “always pay” policy, while a quarter (25%) have a “never pay” policy and 31% would only pay if customer data was at risk.

  The UK has a relatively high confidence in its government protecting from cyberwarfare threats (77%), compared with the European average of just 67% being confident in their governments.


What does this mean in light of Network & Information Systems (NIS) Regulations?

A majority of organisations in the UK somewhat (46%) or strongly (25%) support extending the NIS regulations to all businesses, while 27% are indifferent to the legislation. Historically, the NIS regulations applied to operators of essential services and relevant digital service providers; the NIS2 revision extends their scope to “important” entities as well.

The study also examined UK security professionals’ adoption of NIS and found that only one-third (33%) strongly agree that they have mapped their cybersecurity programmes to NIS. 

A further 78% of organisations somewhat (41%) or strongly (37%) agree that they review cybersecurity risks coming from immediate suppliers, with 34% strongly agreeing that they are able to address vulnerabilities in their supply chains. However, when broken down into industry sectors, OT sectors in the UK fell significantly below this baseline average of being able to confidently address supply chain vulnerabilities at 28%. Almost half (46%) of UK security professionals in all sectors have said they’re reconsidering suppliers as a direct result of the Ukrainian conflict.

“The first of the minimum set of requirements for NIS2 is to have adequate risk analysis. This alone is a major issue for many essential or important entities, because risk analysis is founded on an understanding of the critical assets that comprise the essential function, and for most organisations an up to date and accurate asset register is either non-existent, out of date or partial at best,” said Andy Norton, European Cyber Risk Officer at Armis. “To validate cyber security expenditure is not simply a house of cards, it will be vital for organisations to prove their risk analysis is adequate and appropriate and in line with NIS2 law. The study indicates that UK organisations are taking some action to comply with new regulations and validate cybersecurity programmes against best practice frameworks, but also that there is still significant room for improvement.”


For further information on the Armis State of Cyberwarfare and Trends Report: 2022-2023, including the availability of the full report, visit: https://www.armis.com/cyberwarfare/ 


Methodology

Armis surveyed 6,021 IT and security professionals in firms with more than one hundred employees across the UK (1003), USA, Spain, Portugal, France, Italy, Germany, Austria, Switzerland, Australia, Singapore, Japan, the Netherlands, and Denmark. Those findings were gathered between September 22, 2022 and October 5, 2022 and depict the state of cyberwarfare globally across various regions and industries. 


The post Highlights from Armis State of Cyberwarfare and Trends Report: 2022-2023 appeared first on IT Security Guru.

Stupid Easy Way to Transfer Small Files to or from Ubuntu 22.04

There are quite a few ways to transfer files between machines. For Ubuntu and most other Linux distributions, here is an easy option.

Usually I use a USB cable or a messenger app to transfer photos between my PC and my mobile devices.

However, the USB cable is never at hand when I need it, and I hate scanning a QR code on the PC every time to log in to a third-party app. In that case, a temporary HTTP file server started with Python is an easy and good choice.

Upside and downside

Python is pre-installed in most Linux distributions, so this is a universal method on Linux. It also works on Windows and macOS once Python is installed.

Because it is a plain HTTP server, any device with a web browser can download files from (or, with the upload module described below, send files to) the serving machine, either over the local network or over the internet.

However, Python’s http.server is a convenience tool, not a file-transfer service: its own documentation states that it is not recommended for production use and only implements basic security checks. It is fine for small files (photos and short videos of up to a few hundred MB) but is not designed for multi-gigabyte transfers. More importantly, it has no authentication and no encryption, and it serves every file below the directory you start it in, hidden dotfiles included. So start it only in a folder that contains nothing but the files you want to share (never your home directory), keep it on the local network, and stop it with Ctrl+C as soon as the transfer is done.

Single command to create a Python http server:

For those new to Linux: open the file manager, navigate to the folder that contains the files to share with the other device, right-click on a blank area and select “Open in Terminal”.

A terminal window opens with that folder already set as the working directory.

Alternatively, open a terminal from the start menu and use the cd command to change directory. For example, run the command below to go to your Pictures folder:

cd ~/Pictures

Then run this single command to start the HTTP file server (on some distributions, replace python3 with python):

python3 -m http.server

By default it listens on port 8000 on every network interface. If that port is already in use, run python3 -m http.server 9090 to choose another (change 9090 as you like). Python 3.4 and later also accept a --bind option, so that the server listens on one address only instead of all of them; for example python3 -m http.server --bind 192.168.1.10 (the address is an example; use the PC’s own LAN address).

After that, open http://ip-address:8000 (adjust the port if you changed it) in a web browser on any device on the same network. You can then open a file directly, or right-click and “Save as” to download it.
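The stock server above answers anyone who can reach the port and will hand over dotfiles if asked for them by name. The script below is an added example, not a command from the original post: it keeps the same SimpleHTTPRequestHandler that python3 -m http.server uses and adds the three checks a practitioner would want before sharing a folder on a LAN: a shared secret on every request, an explicit bind address, and refusal to serve hidden files. The helper names, the file name share.py and the constructed sample files in self_check() are the example’s own.

```python
# Added example: token-gated, dotfile-hiding download server on top of Python's http.server.
import hmac, html, io, os, secrets, sys, tempfile, threading, urllib.error, urllib.request
from functools import partial
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, quote, urlsplit

class TokenHandler(SimpleHTTPRequestHandler):
    """Read-only directory handler; every request must carry the shared token."""

    token = ""  # set per server by make_server()

    def _presented_token(self):
        # "Authorization: Bearer <token>" (curl) or ?token=<token> (browser address bar)
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            return auth[len("Bearer "):]
        return parse_qs(urlsplit(self.path).query).get("token", [""])[0]

    def _hidden(self):
        # translate_path() already drops ".." and the query; also refuse any ".name" component
        rel = os.path.relpath(self.translate_path(self.path), self.directory)
        return any(p.startswith(".") for p in rel.split(os.sep) if p not in ("", "."))

    def _allowed(self):
        if not hmac.compare_digest(self._presented_token().encode(), self.token.encode()):
            self.send_error(HTTPStatus.UNAUTHORIZED, "token required")
            return False
        if self._hidden():
            self.send_error(HTTPStatus.NOT_FOUND)  # do not even confirm that it exists
            return False
        return True

    def do_GET(self):
        if self._allowed():
            super().do_GET()

    def do_HEAD(self):  # HEAD must be gated too, or it leaks file existence and size
        if self._allowed():
            super().do_HEAD()

    def list_directory(self, path):
        # Own listing so dotfiles never appear and every link carries the token.
        try:
            names = sorted(n for n in os.listdir(path) if not n.startswith("."))
        except OSError:
            self.send_error(HTTPStatus.NOT_FOUND)
            return None
        items = "".join(
            f'<li><a href="{quote(n)}{"/" if os.path.isdir(os.path.join(path, n)) else ""}'
            f'?token={quote(self.token)}">{html.escape(n)}</a></li>' for n in names)
        body = f"<!DOCTYPE html><html><body><ul>{items}</ul></body></html>".encode()
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        return io.BytesIO(body)

def make_server(directory, token, bind="127.0.0.1", port=8000):
    """Create (not start) a threaded server for `directory`, bound to one address only."""
    handler = type("BoundTokenHandler", (TokenHandler,), {"token": token})
    return ThreadingHTTPServer((bind, port), partial(handler, directory=os.path.abspath(directory)))

def fetch(url, token=None):
    """GET `url`; return (status, body) instead of raising on 4xx."""
    headers = {"Authorization": "Bearer " + token} if token else {}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=5) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def self_check():
    """Serve a constructed temp folder on loopback and probe it; returns {label: (status, body)}."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(b"constructed sample bytes")  # the file we mean to share
    with open(os.path.join(root, ".bash_history"), "w") as f:
        f.write("ssh admin@10.0.0.5\n")  # constructed; the file we must never leak
    token = secrets.token_urlsafe(16)
    server = make_server(root, token, port=0)  # port 0: any free loopback port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return {"no_token": fetch(base + "/photo.jpg"),
                "wrong_token": fetch(base + "/photo.jpg", "guess"),
                "header_token": fetch(base + "/photo.jpg", token),
                "query_token": fetch(base + "/photo.jpg?token=" + token),
                "dotfile": fetch(base + "/.bash_history", token),
                "listing": fetch(base + "/", token)}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":  # e.g. python3 share.py ~/Pictures
    tok = secrets.token_urlsafe(16)
    srv = make_server(sys.argv[1] if len(sys.argv) > 1 else ".", tok, bind="0.0.0.0")
    print(f"open http://<LAN-IP-of-this-PC>:{srv.server_address[1]}/?token={tok}  (Ctrl+C stops)")
    srv.serve_forever()
```

Run it with the folder to share as its only argument and open the printed URL on the phone; the token is in the URL, so it will show up in browser history and in the server’s own log, which is acceptable for a throwaway secret on a trusted LAN but is not a substitute for TLS. self_check() spins the same server up on loopback against a constructed folder and shows the behaviour that matters: no token or a wrong token gets 401, a dotfile gets 404 even with a valid token, and the listing never mentions it.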

Create a Python HTTP server with upload support

1. If you want to send files from another device to your Ubuntu machine, open a terminal and run:

python3 -m pip install --user uploadserver

If that command fails, install pip first via sudo apt install python3-pip. The command installs the third-party Python module uploadserver.

2. Then navigate to the desired folder in the terminal and run this command to start a simple HTTP file server with both download and upload support:

python3 -m uploadserver

You can also specify a port number, for example python3 -m uploadserver 9990

3. Finally, open http://ip-address:8000 in a web browser on any device to browse and download files, or go to http://ip-address:8000/upload to upload files.

For some protection, you can require a token, so that a client must present it before it is allowed to upload. To do so, start the server like this instead:

python3 -m uploadserver -t password_here

Note that the token still travels in plain HTTP, so it only stops casual uploads from other devices on a network you already trust; it does nothing against anyone who can watch the traffic.

How to Compile & Install Pinta 2.1 from Source in Ubuntu 22.04 |22.10

For Pinta users who do not like the Snap and Flatpak packages, which run in a sandbox, here is how to build the 2.1 release from the source tarball in Ubuntu 22.04 and 22.10.

Pinta switched to the .NET 6.0 framework in version 2.0, which means the first build needs an internet connection so that dotnet can restore the NuGet package dependencies. Also, most Linux distributions still ship Pinta 1.x in their repositories.

Thankfully, building Pinta 2.1 from source is not hard, and here is a step-by-step guide.

1. First, press Ctrl+Alt+T to open a terminal. When it opens, run the command below to install .NET 6 and the development libraries needed to build the package:

sudo apt install dotnet-sdk-6.0 debhelper autotools-dev autoconf-archive gettext intltool libgtk-3-dev

NOTE: If you have already installed .NET 7.0 from the Microsoft repository, drop dotnet-sdk-6.0 from the command.

2. Next, download the source tarball from the GitHub releases page (under the ‘Assets’ section):

3. Then extract the tarball in the file manager, right-click on the extracted source folder and select “Open in Terminal”.

4. That opens a terminal window with the Pinta source folder as the working directory.

In the terminal window, run the command below to configure the source:

./configure

Finally, compile and install it (make install builds first if nothing has been built yet; if you would rather not compile as root, run make as your normal user beforehand):

sudo make install

NOTE: This step needs an internet connection the first time you build a .NET package on this machine, because dotnet downloads the NuGet dependencies. It may also fail if .NET 7.0 was installed and then only partially removed while .NET 6.0 is in use now.

If everything finishes without errors, you should now be able to search for and launch Pinta from the system start menu (‘Activities’ overview).

Uninstall:

As long as you keep the source folder, you can run sudo make uninstall from inside it at any time to remove Pinta.

If you have deleted the source folder, repeat the steps above and replace the last command with sudo make uninstall.

Add Media Control & Remove Buttons from Ubuntu 22.10 System Menu

For Ubuntu 22.10 and other Linux distributions with GNOME 43, it is now easy to add Media Controls, Notifications or a Volume Mixer to the system status menu in the top-right corner (aka Quick Settings), or to remove buttons you do not use.

The extension is ‘Quick Settings Tweaker’, written for the new GNOME desktop. With it, your system menu can be configured to look like this:

Each new item can be enabled or disabled separately and moved to the top or bottom. The extension also removes the corresponding items from the date & time menu, which then looks like this:

[Screenshot: no media controls or notifications in the date & time menu]

It also lets you remove any button you do not use from the system menu via ON/OFF toggles. Note the inverted logic: turning a toggle ON removes the corresponding button, while OFF leaves it unchanged.

[Screenshot: removing unused buttons from the top-right system menu]

Step 1: Install ‘Quick Settings Tweaker’

For Ubuntu 22.10, first search for and install the ‘Extension Manager’ tool from Ubuntu Software.

[Screenshot: installing Extension Manager in Ubuntu 22.04+]

Then search for and open the tool from the ‘Activities’ overview.

Finally, use the ‘Browse’ tab in Extension Manager to search for and install the extension.

On other Linux distributions with GNOME 43, go to the GNOME extensions website and install it via the on/off toggle there.

Step 2: Configure Your Gnome System Menu

After installation, open the configuration dialog either by switching back to the ‘Installed’ tab in Extension Manager, or by installing and using the ‘Gnome Extensions’ app.

And here are the screenshots of the ‘Quick Settings Tweaker’ configuration pages:

Transacting in Person with Strangers from the Internet

Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don’t deserve to end up in a landfill. But when dealing with strangers from the Internet, there is always a risk that the person you’ve agreed to meet has other intentions.

Nearly all U.S. states now have designated safe trading stations — mostly at local police departments — which ensure that all transactions are handled in plain view of both the authorities and security cameras.

These safe trading places exist because in-person transactions arranged on the Internet sometimes don’t end well for one or more of the parties involved. The website Craigslistkillers has catalogued news links for at least 132 murders linked to Craigslist transactions since 2015. Many of these killings involved high-priced items like automobiles and consumer electronics, where the prospective buyer apparently intended all along to kill the owner and steal the item offered for sale. Others were motivated simply by a desire to hurt people.

This is not to say that using Craigslist is uniquely risky or dangerous; I’m sure the vast majority of transactions generated by the site end amicably and without physical violence. And that probably holds true for all of Craigslist’s competitors.

Still, the risk of a deal going badly when one meets total strangers from the Internet is not zero, and so it’s only sensible to take a few simple precautions. For example, choosing to transact at a designated safe place such as a police station dramatically reduces the likelihood that anyone wishing you harm would even show up.

I recently stumbled upon one of these designated exchange places by accident, hence my interest in learning more about them. The one I encountered was at a Virginia county sheriff’s office, and it has two parking spots reserved with a sign that reads, “Internet Purchase & Exchange Location: This Area is Under 24 Hour Video Surveillance” [image above].

According to the list maintained at Safetradestations.com, there are four other such designated locations in Northern Virginia. And it appears most states now have them in at least some major cities. Safeexchangepoint.com also has a searchable index of safe trading locations in the United States and Canada.

Granted, not everyone is going to live close to one of these designated trading stations. Or maybe what you want to buy, sell or trade you’d rather not have recorded in front of police cameras. Either way, here are a few tips on staying safe while transacting in real life with strangers from the Internet (compliments of the aforementioned safe trading websites).

The safest exchange points are easily accessible and in a well-lit, public place where transactions are visible to others nearby. Try to arrange a meeting time that is during daylight hours, and consider bringing a friend along — especially when dealing with high-value items like laptops and smart phones.

Safeexchangepoint.com also advises that police or merchants that host their own exchange locations generally won’t get involved in the details of your transaction unless specified otherwise, and that many police departments (but not all) are willing to check the serial number of an item for sale to make sure it’s not known to be stolen property.

Of course, it’s not always practical or possible to haul that old sofa to the local police department, or a used car that isn’t working. In those situations, safetradestations.com has some decent suggestions:

  • Meet at a police station where you can exchange and photocopy each other’s identification papers, such as a driver’s license. Do NOT carry cash to this location.
  • Photocopy the license or identification paper, or use your phone to photograph it.
  • Email the ID information to a friend, or to someone trusted (not to yourself).
  • If you’re selling at home, or going to someone’s home, never be outnumbered. If you’re at home, make sure you have two or three people there — and tell the person who is coming that you will have others with you.
  • At home or an apartment, NEVER let someone go anywhere unaccompanied. Always make sure they are escorted.
  • Never let more than one group come to your home at one time to buy or sell.
  • Beware of common scams, like checks for an amount higher than the amount of the deal; “cashier’s checks” that are forged and presented when the bank is closed.
  • If you are given a cashier’s check, money order or other equivalent, call the bank — at the number listed online, not a number the buyer gives you — to verify the validity of the check.

Recovery From NHS Attack Could Take Weeks

Last week, Advanced, a key NHS IT partner, was hit by a ransomware attack. The IT company has said that it could take three to four weeks for systems to resume normal service.

Advanced runs several key systems within the health service. One of its most important clients is the NHS 111 service.

The UK Government tried to downplay the seriousness of the incident last week by claiming “minimal disruption.” However, reports suggested that it disrupted patient referrals, emergency prescriptions, ambulance dispatches and out-of-hours appointment bookings.

An update was published by Advanced on 10th August which said that they were working with Microsoft DART, Mandiant, and the National Cyber Security Centre (NCSC) to investigate and remediate, with no further incidents detected and the original breach contained.

The statement said: “With respect to the NHS, we are working with them and the NCSC to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online. For NHS 111 and other urgent care customers using Adastra and NHS Trusts using eFinancials, we anticipate this phased process to begin within the next few days.”

“For other NHS customers and care organisations our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks. We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared. We will continue to provide updates as we make progress.”

Advanced also disclosed that other services are also impacted by the attack, including its care home management software (Caresys) and patient record software (Carenotes).

No ransomware group has publicly claimed responsibility for the attack. It is also not yet known whether data was stolen.

Before bringing its systems back online, Advanced said it was implementing extra blocking rules, scanning all impacted systems and ensuring they are fully patched, conducting 24/7 monitoring, resetting credentials, and deploying additional endpoint detection and response agents.

The post Recovery From NHS Attack Could Take Weeks appeared first on IT Security Guru.

Campaign Launched to Stop People From Becoming Money Mules

Interpol has launched a new awareness campaign that aims to urge individuals not to become money mules, after 15 suspects were arrested in connection with a major romance scam conspiracy.

The international policing organisation’s Financial Crime and Anti-Corruption Centre (IFCACC) said the two-week global campaign aims to highlight the critical role mules play in modern crime.

The campaign will use the hashtag #YourAccountYourCrime on social media in an attempt to remind people that they are responsible for keeping their own bank accounts safe and that moving money on behalf of others could land them in trouble.

The campaign will cover how the industry works, the risks associated and how to avoid becoming a money mule.

Police have arrested over a dozen suspected money mules recently, linked to a Japanese man who they believe is responsible for a major romance fraud campaign.

Earlier this month Hikaru Morikawa, 58, who had been detained in Ghana, was arrested on arrival at Kansai airport, according to reports. Morikawa is suspected of masterminding a group of romance scammers who posed as women on dating sites to trick victims into handing over money.

According to Interpol, the group is thought to have made around 400 million yen ($3m) from their scams.

“Criminals will go to great lengths to recruit money mules, because they play an essential role in distancing themselves from authorities and escaping detection. Money mule schemes can be disguised as employment, romantic relationships or investments, or simply as helping out a friend,” said Stephen Kavanagh, Interpol executive director of police services.

“At the end of the day, however, moving money for someone else, especially across borders, is risky business. Money mules, whether complicit or not, help perpetuate the criminal cycle and could face prosecution.”

The awareness campaign is being launched as part of Project TORAID, an Interpol initiative targeting financial crime funded by the Japanese government.

The post Campaign Launched to Stop People From Becoming Money Mules appeared first on IT Security Guru.

Guest blog: The death throes of the password? Key takeaways from the One Identity Infosecurity Europe survey

By Dan Conrad, AD Security and Management Team Lead at One Identity

Authentication is one of the hottest topics in cybersecurity right now. As biometrics, MFA, and a range of other authentication methods continue to threaten the password’s supremacy, we thought it was worth finding out what industry professionals thought about it all.

So that’s what we did. At InfoSecurity Europe 2022, One Identity surveyed more than 100 security and IT professionals to get a picture of how businesses and their employees approach passwords and authentication.

When asked what they consider the biggest security threat to their business, 56 percent of respondents said users sharing passwords for admin tasks. If that isn’t an argument for passwordless authentication, we’re not sure what is. This was followed by 25 percent who said the biggest threat was users clicking on malicious links or opening rogue attachments. Taken together, just over 80 percent of respondents believe that human error poses the largest threat to an organization’s security.

Interestingly, while the majority (62 percent) viewed educating staff as the most important factor in preventing cyber-attacks, a rapidly growing segment (30 percent) stated that adopting a zero-trust model was more important.

Moving on to multifactor authentication, we are met with some heartening statistics. 99 percent of respondents told us that their company had adopted MFA for remote access and 97 percent said that it was mandated. This confirms what we already knew – that the password as a standalone authentication method is obsolete.

Looking at users’ relationships with their passwords, we see some interesting results. While just over a quarter of respondents (28 percent) had an emotional connection to a password, the majority (84 percent) said they had a favorite password. We can infer from this that while most people don’t reuse passwords for sentimental reasons, they likely do so for practical ones. It is concerning that IT and security professionals, who are more aware than anyone of the dangers of reusing passwords, persist in this bad habit.

This is yet another mark against the use of traditional passwords: if those in the know aren’t following best practices, how can we expect the layman to? The reality is that modern users have so many accounts that it is no longer practical to create and remember a new password for every one they set up. We’ll chalk this up as another point in support of modern authentication methods, which eliminate these problems.

While it’s clear that users are reusing passwords, it turns out that most respondents are at least adding complexity to their passwords depending on a system’s importance (96 percent). Perhaps unsurprisingly, 76 percent saw banking or financial services as requiring a top tier password, but only 7 percent thought that work emails were deserving of the same protection. This may be an understandable perspective but doesn’t bode well for organizations that routinely share sensitive information through email.

Finally, we make it to how IT and security professionals are storing their passwords. Here, at least, we get some more heartening statistics:

  • 65 percent of respondents said they use a password manager, which is generally regarded as the safest and most convenient way to keep passwords
  • 23 percent said they write their login details down somewhere, which, while not ideal, is safer than using one password across multiple accounts

We did, apparently, come across some cyber-savants claiming they could remember all their login details, but if anything, this suggests that they are reusing passwords for an alarming number of accounts.

The key takeaway here is that the password is on the way out. These results serve as further proof that traditional passwords by themselves are no longer fit for purpose – even leaders in the IT security space fail to follow best practices simply because it isn’t convenient. We’ve seen that businesses are implementing and mandating alternative authentication methods en masse, and it won’t be long before this trend trickles down to the rest of society.


The post Guest blog: The death throes of the password? Key takeaways from the One Identity Infosecurity Europe survey appeared first on IT Security Guru.

Ransomware Group Demand £500,000 From Bedfordshire School

Wootton Upper School in Bedfordshire suffered a ransomware attack this week, with hackers demanding £500,000 in ransom, according to reports.
The attack also affected Kimberley College for 16-19 year olds; both are members of the Wootton Academy Trust. The attack was said to be the work of the Hive ransomware group.
The cybercriminals messaged parents and students to inform them of the compromise. Bank details, medical records, home addresses and psychological reviews were stolen in the attack.
On Tuesday, the Trust updated students and parents by saying that the disruption to its operations was limited due to the upcoming summer school holidays. The attack has, however, affected the production of some grade sheets along with scheduling for next year. They hope that backups will allow them to retrieve some data. Normal operations are expected to return within 10 days.
The Hive group believes that Wootton has £500,000 in cyber insurance, according to the local newspaper Bedford Today. It has threatened the Trust with the release of all the data unless it pays up.
The trust said, “we understand there may be concerns about whether any pupil/student data has been impacted. While we don’t have firm answers to these questions at the moment, this is our number one priority of the ongoing investigations.”
Global cybersecurity advisor at ESET and former head of digital forensics at Dorset Police, Jake Moore, warned that the potential release of stolen data could pose a big problem for the Trust, even though the timing minimised disruption for the school.
Moore suggested that the damage could last for years. He added that local authorities often lack the funds to pay the desired ransoms, suggesting that this may not have been a targeted attack, rather it may have just been an attack caught up in a broader sweep of vulnerable systems.

The post Ransomware Group Demand £500,000 From Bedfordshire School appeared first on IT Security Guru.

OSS Security Highlights from the 2022 Open Source Summit North America

By Ashwin Ramaswami

Last month the Linux Foundation concluded its 2022 Open Source Summit North America (OSS NA), where developers, technologists and community leaders from industry, academia and government converged in Austin, Texas, from June 21-24 to talk about all things open source. Participants and speakers highlighted open source innovation and efforts to ensure a sustainable open source ecosystem.

What did the summit tell us about the state of OSS security? Several parts of the conference addressed different aspects of this issue – OpenSSF Day, Critical Software Summit, SupplyChainSecurityCon, and the Global Security Vulnerability Summit. Overall, the summit demonstrated an increased emphasis on open source security as a community effort with various stakeholders. More ambitious and innovative approaches to handling the open source security problem – including collaboration, tools, and training – were also introduced. Finally, the summit highlighted the importance for open source users to give back to the community and contribute upstream to the projects they depend on.

Let’s explore these ideas in more detail!


Open source security as a community effort

Open source security is not just an isolated effort by users or maintainers of open source software. As OSS NA showed, the stakes of open source security have turned it into a community effort, where a wide variety of diverse stakeholders have an interest and are beginning to get involved.

  • As Todd Moore (IBM) mentioned in his keynote, incidents such as log4shell have made open source security a bigger priority for governments, and it is important for existing open source stakeholders, both users and maintainers, to work as a community to take a cohesive message back to government that articulates the community’s needs and how it is responding to this challenge.
  • Speakers at a panel discussion with the Atlantic Council’s Cyber Statecraft Initiative and the Open Source Security Foundation (OpenSSF) discussed the summit held by OpenSSF in Washington, DC on May 12 and 13, where representatives from industry and government met to develop the Open Source Software Security Mobilization Plan, a $150 million plan for better securing the open source ecosystem.
  • A panel discussion explored how major businesses are working together to improve the security of the open source supply chain, particularly through the governance structure of the OpenSSF.

New approaches to address open source security

OSS NA featured several initiatives to address fundamental open source security issues, many of which were particularly ambitious and innovative.

  • The OpenSSF’s Alpha-Omega Project was announced to address software vulnerabilities in the OSS projects that are most critical (alpha) and in the long tail (omega).
  • Eric Brewer (Google) gave a keynote discussing the fundamental problem of ensuring accountability in the open source software supply chain. One way of solving this is through curation: creating a repository of vetted and secure packages.
  • Standards continue to be important, as always: Art Manion (CERT/CC) discussed the history and future of the CVE Program, while Jennings Aske (New York-Presbyterian Hospital) and Melba Lopez (IBM) discussed the importance of a Software Bill of Materials (SBOM).
  • The importance of security tooling was emphasized, with discussions on tools such as sigstore, automation of security checks through Infrastructure as Code tools, and CI/CD pipelines.
  • David Wheeler (Linux Foundation) discussed how education in secure software development is critical to ensuring open source software security. Courses like the OpenSSF’s Secure Software Development Fundamentals Courses are available to help developers learn this topic.

Giving back to the community

Participants at the summit recognized that open source security is ultimately a matter of community, governance, and sustainability. Projects that don’t have the right resources or governance structure may not be able to ensure their projects are secure or accept the right funding to do so.

  • Steve Hendrick (Linux Foundation) and Matt Jarvis (Snyk) discussed the release of the 2022 State of Open Source Security report from Snyk and the Linux Foundation. The report noted that open source software is often a one-way street, where users see significant benefits with minimal cost or investment. It recommends that organizations close the loop and give back to the OSS projects they use, so that those projects can meet user expectations.
  • Aeva Black (Microsoft) discussed approaches to community risk management through drafting and enforcing a code of conduct, and how ignoring community health can lead to sometimes catastrophic technical outcomes for OSS projects.
  • Sean Goggins (CHAOSS) discussed the relationship between community health and vulnerability mitigation in open source projects, using metrics models from the CHAOSS project.
  • Margaret Tucker and Justin Colannino (GitHub) discussed the role that package registries have in open source security, beginning to formulate principles that would balance the registries’ responsibility for safety and reliability with the freedom and creativity of package maintainers.
  • Naveen Srinivasan (Endor Labs) and Laurent Simon (Google) explored the OpenSSF Scorecard as a way to more easily analyze the security of open source projects and proactively improve it.
  • Amir Montazery (OSTIF) discussed the Open Source Technology Improvement Fund’s efforts to help OSS maintainers work with security experts to improve their projects’ security posture.

Conclusion

In sum, the talks and conversations at OSS Summit NA help paint a picture of how key stakeholders in the open source software ecosystem (OSS communities, industry, academia and government) are conceptualizing the big-picture issues and directing their efforts around OSS security.

But these initiatives and talks still have a lot of room for input! Whether individually or through your institution, consider adding your voice to this discussion as we continue to support the open source software community. Join an OpenSSF working group, another initiative, or contribute upstream to open source projects that you depend on.

The post OSS Security Highlights from the 2022 Open Source Summit North America appeared first on Linux Foundation.

The post OSS Security Highlights from the 2022 Open Source Summit North America appeared first on Linux.com.