webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.
Open source isn't a strategy, it's a philosophy of collaboration. It's the fabric of millions of commercial projects in industries like FinTech, IT and AI. But there's something curious about open source — it makes up the majority of codebases, so surely the packages have hundreds of eyes keeping watch on their security posture? Unfortunately not. But there's good news on the horizon, as the 2023 OSSRA report found the number of applications with high-risk vulnerabilities is at its lowest level in four years (the SBOM Executive Order and SCA uptake get kudos for this). Is there light at the end of the tunnel?
Start with SCA: The New Savior of Open Source Software - Part 1
Good Offense is Good Defense
In mid 2022, the Open Source Software Security Foundation (OpenSSF) launched a 10-point plan to promote and improve the security of open source software. Here are their observations in combination with our own.
Define a Policy
The best and worst part of open source software is its lack of centralized guidance, but this fluctuation shouldn't apply to your organization. You can combine the standardization of proprietary code with the functionality of open source by defining an internal usage policy. Start with the basics and identify the stakeholders who will decide if a package is suitable and procure it. On a deeper level, consider how open source packages fit into your short- and long-term business goals.
Create an Approval Process
Pre-approve a list of open source packages you can trust, and simultaneously define how you give them the stamp of approval. Ideally, you can consider factors like project maturity, the level of support, and vulnerability patterns. This strategy helps your organization avoid vulnerable, unpatched, or out-of-date packages that could compromise operations.
Promote Security Education
Technical and non-technical employees should understand the ins and outs of open source security. Investing in security education improves workflows and development in the long run and reduces the risks of improper open source software usage. Security education can still take a developer-first approach, as the right SCA tool should be easy to integrate with the development tools you already employ.
Build a SBOM For Everything
SCA tools have the ability to generate and export SBOMs, allowing your organization to provide concrete assurance to your customers. With SCA, you can automatically generate a SBOM in seconds to map out all third-party and OSS code dependencies throughout your codebases, therefore eliminating manual analysis and helping maintain high velocity.
Leverage Continuous Monitoring
Patching quickly isn't enough — you'll need to continuously monitor all open source packages. While this sounds like a nightmare for busy developers and security teams, leveraging AI and ML-powered SCA tools does the heavy lifting for you. This type of automation helps you classify the exploitability of OSS dependencies in your code and manage risk without needing to manually manage anything — simply view your SCA product's recommendations.
How to Choose a SCA Vendor
Choosing the right threat intelligence solution is a business-critical decision, and here are a few essential features to help you select yours.
Code Security From Day Zero
Early detection is never early enough when it comes to open source vulnerabilities. A SCA tool should check your dependencies for threats as soon as you declare them (as early as pre-commit), helping you uncover threats and information like the presence of cryptominers, exploitability, and package maintenance history. The vendor should provide alerts regarding out-of-date libraries and block known and unknown OSS packages from reaching your SDLC.
An Advanced Portfolio and a Developer First Approach
Vendors with a strong reputation will always come out on top. By choosing a trusted brand with a range of security tools in its portfolio, you will benefit from the reliability, coverage, and ease of integration with a tool from the same vendor. Simply integrate SCA with your existing systems and development tools thanks to native build plugins. The emergence of SCA has shed a light on its synergy with SAST(link is external), as both assist in prioritization and auto-remediation. The right SCA tool will enable development and security teams to control, recognize, and minimize risk without altering your tech stack, so you can keep the developer-first approach.
Automated and Actionable Threat Intelligence
With a suitable SCA tool, eliminating the risk of malicious or compromised OSS packages shouldn't negatively impact your workflows. Manual intervention can lead to errors and false positives, meaning you could waste time resolving vulnerabilities that are not definite threats. Industry-leading OSS risk management solutions leverage AI and ML to classify the exploitability of OSS dependencies in your code and provide actionable threat intelligence.
Continuously Monitor Your Codebase for Open Source Security Threats
SCA(link is external) is integral for applying consistent open source policies, monitoring operational risk, and gaining visibility over your codebase. Preventing open source exploitation is significantly more efficient in the long run than scrambling to fix the consequences. Take action today by selecting a SCA tool, and let it do the work for you.
Industry News
Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.
Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.
Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.
CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.
BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.
Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.
Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.
Platform9 formally launched the Platform9 Partner Program.
Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.
Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).
Perforce Software announced its acquisition of Snowtrack.
Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.
Amplitude announced the rollout of Session Replay Everywhere.
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...