
Addressing Cybersecurity Challenges in Open Source Software: What you need to know

by Ashwin Ramaswami

June 2022 saw the publication of Addressing Cybersecurity Challenges in Open Source Software, a joint research initiative launched by the Open Source Security Foundation in collaboration with Linux Foundation Research and Snyk. The research dives into security concerns in the open source ecosystem. If you haven’t read it, this article will give you the report’s who, what, and why, summarizing its key takeaways so that it can be relevant to you or your organization.

Who is the report for?

This report is for everyone whose work touches open source software. Whether you’re a user of open source, an OSS developer, or part of an OSS-related institution or foundation, you can benefit from a better understanding of the state of security in the ecosystem.

Open source consumers and users: If you develop software, it is very likely that you rely on open source software as dependencies, and if you do, the security of your software supply chain is an important consideration. Incidents such as Log4Shell have shown how open source supply chain security touches nearly every industry. Even industries and organizations that have traditionally not focused on open source software now realize the importance of ensuring their OSS dependencies are secure. Understanding the state of OSS security can help you manage your dependencies intelligently, choose them wisely, and keep them up to date.

Open source developers and maintainers: People and organizations that develop or maintain open source software need to ensure they use best practices and policies for security. For example, it can be valuable for large organizations to have open source security policies. Moreover, many OSS developers also use other open source software as dependencies, making understanding the OSS security landscape even more valuable. Developers have a unique role to play in leading the creation of high-quality code and the respective governance frameworks and best practices around it.

Institutions: Institutions such as open source foundations, funders, and policymaking groups can benefit from this report by understanding and implementing the key findings of the research and their respective roles in improving the current state of the OSS ecosystem. Funding and support can only go to the right areas if priorities are informed by the problems the community is facing now, which the research assists in identifying.

What are the major takeaways?

The data from this report was collected by conducting a worldwide survey of:

  • Individuals who contribute to, use, or administer OSS;
  • Maintainers, core contributors, and occasional contributors to OSS;
  • Developers of proprietary software who use OSS; and
  • Individuals with a strong focus on software supply chain security

The report also draws on data collected from several major package ecosystems using Snyk Open Source, a software composition analysis (SCA) tool that is free to use for individuals and open source maintainers.

Here are the major takeaways and recommendations from the report:

  • Too many organizations are not prepared to address OSS security needs: At least 34% of organizations did not have an OSS security policy in place, suggesting these organizations may not be prepared to address OSS security needs.
  • Small organizations must prioritize developing an OSS security policy: Small organizations are significantly less likely to have an OSS security policy. Such organizations should prioritize developing this policy and having a CISO and OSPO (Open Source Program Office).
  • Using additional security tools is a leading way to improve OSS security: Security tooling is available for open source security across the software development lifecycle. Moreover, organizations with an OSS security policy have a higher frequency of security tool use than those without an OSS security policy.
  • Collaborate with vendors to create more intelligent security tools: Organizations consider that one of the most important ways to improve OSS security across the supply chain is adding greater intelligence to existing software security tools, making it easier to integrate OSS security into existing workflows and build systems.
  • Implementing best practices for secure software development is the other leading way to improve OSS security: Understanding best practices for secure software development, through courses such as the OpenSSF’s Secure Software Development Fundamentals Courses, has been identified repeatedly as a leading way to improve OSS supply chain security.
  • Use automation to reduce your attack surface: Infrastructure as Code (IaC) tools and scanners allow CI/CD activities to be automated and checked, reducing the risk introduced by manual deployments.
  • Consumers of open source software should give back to the communities that support them: The use of open source software has often been a one-way street where users see significant benefits with minimal cost or investment. For larger open source projects to meet user expectations, organizations must give back and close the loop by financially supporting OSS projects they use.
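The "security tooling across the software development lifecycle" and "keep your dependencies up to date" points above are, in practice, what a software composition analysis (SCA) check does: it reads the dependency manifest, resolves which versions will actually be installed, and matches them against an advisory feed. The block below is an added illustration for this summary and is not code from the report, OpenSSF, or Snyk. It audits a pip requirements file against a small advisory table; every package name, version range, and advisory identifier in it is constructed for the example, and the version parser is a deliberately simple stand-in for a real PEP 440 implementation.

```python
"""Minimal software-composition-analysis (SCA) style check over a pip requirements file.

Added illustration for this summary; not code from the report, OpenSSF, or Snyk.
The advisory table and the requirements text are constructed: every package name,
version range and advisory identifier below is fictional.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed advisory feed: package -> list of (first_affected, first_fixed, advisory_id).
# A version v is affected when first_affected <= v < first_fixed. Fictional data.
ADVISORIES = {
    "examplelib": [((1, 0, 0), (1, 4, 2), "EXAMPLE-2022-0001")],
    "logfmt-demo": [((2, 0, 0), (2, 17, 1), "EXAMPLE-2022-0002")],
}

# Constructed sample requirements file (fictional package names).
SAMPLE_REQUIREMENTS = """\
examplelib==1.3.0        # inside the affected range
logfmt-demo==2.17.1      # exactly the first fixed release
httpclient-demo>=2.0     # a range, not a pin
yamlparse-demo           # no version at all
"""

# name, optional comparison operator, optional version (comments are stripped first)
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|~=|<=|>|<)?\s*([0-9][0-9A-Za-z.]*)?$")


@dataclass
class Requirement:
    name: str
    op: Optional[str]       # None when the line carries no version constraint
    version: Optional[str]


@dataclass
class Finding:
    name: str
    status: str             # "vulnerable", "unpinned" or "ok"
    advisory: Optional[str] = None
    fixed_in: Optional[str] = None


def parse_version(text: str) -> tuple:
    """'1.4.2' -> (1, 4, 2). Trailing non-numeric parts such as 'rc1' are dropped
    and short versions are padded with zeros so tuples compare component-wise."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> list:
    """Parse requirement lines; rejects syntax this simplified parser does not handle."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m or (m.group(2) is None) != (m.group(3) is None):
            raise ValueError(f"unsupported requirement line: {raw!r}")
        name, op, version = m.groups()
        reqs.append(Requirement(name.lower(), op, version))
    return reqs


def audit(reqs, advisories=ADVISORIES) -> list:
    """Classify each requirement. Only an exact '==' pin identifies the artifact that
    will actually be installed, so ranges and bare names are reported as 'unpinned'
    rather than silently passed."""
    findings = []
    for r in reqs:
        if r.op != "==":
            findings.append(Finding(r.name, "unpinned"))
            continue
        v = parse_version(r.version)
        for lo, hi, adv in advisories.get(r.name, []):
            if lo <= v < hi:
                findings.append(Finding(r.name, "vulnerable", adv, ".".join(map(str, hi))))
                break
        else:
            findings.append(Finding(r.name, "ok"))
    return findings


def run_example() -> dict:
    """Audit the constructed sample file; returns findings keyed by package name."""
    return {f.name: f for f in audit(parse_requirements(SAMPLE_REQUIREMENTS))}


if __name__ == "__main__":
    for f in run_example().values():
        detail = f" ({f.advisory}, fixed in {f.fixed_in})" if f.advisory else ""
        print(f"{f.name:16} {f.status}{detail}")
```

The design point worth taking from this toy is the third status: a range such as `>=2.0` or a bare package name cannot be assessed, because what gets installed depends on the index at install time. A real check should treat those as findings in their own right (and ideally require a lockfile with hashes), not as passes.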

Why is this important now?

Open source software is a boon: its collaborative and open nature has allowed society to benefit from various innovative, reliable, and free software tools. However, these benefits only last when users contribute back to open source software and when users and developers exercise due diligence around security. While the most successful open source projects have gotten such support, other projects have not – even as open source use has continued to be more ubiquitous.

Thus, it is more important than ever to be aware of the problems and issues everyone faces in the OSS ecosystem. Some organizations and open source maintainers have strong policies and procedures for handling these issues. But, as this report shows, other organizations are just facing these issues now.

Finally, we’ve seen the risks of not maintaining proper security practices around OSS dependencies. Failure to update open source dependencies has led to costs as high as $425 million. Given these risks, a little investment in strong security practices and awareness around open source – as outlined in the report’s recommendations – can go a long way.

We suggest you read the report – then see how you or your organization can take the next step to keep yourself secure!

The post Addressing Cybersecurity Challenges in Open Source Software: What you need to know appeared first on Linux Foundation.


Open 3D Foundation (O3DF) Announces Keynote Lineup for O3DCon—Online and In-Person in Austin, October 17-19

Keynotes, workshops and sessions will explore innovations in open source 3D development and use of Open 3D Engine (O3DE) for gaming, entertainment, metaverse, AI/ML, healthcare applications and more

SAN FRANCISCO—August 30, 2022—The Open 3D Foundation (O3DF) today announced a slate of keynote speakers for O3DCon, its flagship conference, which will be held October 17-19 in Austin, Texas and online. O3DCon will bring together technology leaders, indie developers and academia to share ideas and best practices, discuss hot topics and foster the future of 3D development across a variety of industries and disciplines. The schedule is available at https://events.linuxfoundation.org/o3dcon/program/schedule/

Industry luminaries will headline the keynote sessions, including:

  • Bill Vass, vice president of engineering, Amazon Web Services
  • Bryce Adelstein Lelbach, principal architect, NVIDIA and standard C++ Library Evolution chair, “C++ Horizons”
  • Deb Nicholson, executive director, Python Software Foundation and founding board member, SeaGL (the Seattle GNU/Linux Conference), “Open Source is a Multiplier”
  • Denis Dyack, founder, Apocalypse Studios, “The Successes, Challenges and Future of O3DE”
  • Mathew Kemp, game director, Hadean, “Supercharging Gameworld Performance Using the Cloud”
  • Nithya Ruff, head, Open Source Program Office, Amazon and chair, Linux Foundation Board of Directors, “Game On! How to Be a Good Open Source Citizen” 
  • Omar Zohdi, technical ecosystem manager, Imagination Technologies, “O3DE and the Future of Mobile Graphics Development”
  • Royal O’Brien, executive director, Open 3D Foundation and general manager of Digital Media & Games, Linux Foundation, “State of the Open 3D Foundation”
  • Sheri Graner Ray, CEO and founder, Zombie Cat Studios, “How Big Is Your Dream? Rethinking the Role of Passion in Development”
  • Stephen Jacobs, director of Open@RIT and professor at the School of Interactive Games and Media, Rochester Institute of Technology, “Open in Academia, Science and Why O3DE Should Be Part of It All”

Early Bird Registration Ends September 16
Register today at https://events.linuxfoundation.org/o3dcon/register/. Organizations interested in sponsorships can contact sponsorships@linuxfoundation.org.

“After celebrating our first year in July and recognizing the immense growth of our community, we’re excited to connect with them at this year’s O3DCon,” said Royal O’Brien, executive director of O3DF. “Since O3DF’s inception, we’ve grown to 25 member companies, including Epic Games, LightSpeed Studios and Microsoft, and we’ve announced a new O3DE release. This year’s O3DCon will feature a diversity of use cases that go way beyond gaming, including metaverse, cloud, open source licensing, digital twin in healthcare and lots more. If your organization is building 3D stacks for a new generation of applications, O3DCon is an event designed to help you get there.”

The three-day O3DCon conference schedule will also include sessions, lightning talks, panel discussions and exhibits exploring innovations and best practices in open 3D development, open source licensing, interoperability across 3D engines and the benefits of using O3DE to revolutionize real-time 3D development. Sessions of note include:

Attendees can also participate in a slate of hands-on workshops and training sessions on the first day of the conference, October 17.

About the Open 3D Engine (O3DE) Project
O3DE is the flagship project managed by the O3DF. The open source project is a modular, cross-platform 3D engine built to power anything from AAA games to cinema-quality 3D worlds to high-fidelity simulations. The code is hosted on GitHub under the Apache 2.0 license. The O3D Engine community is very active, averaging up to 2 million line changes and 350-450 commits monthly from 60-100 authors across 41 repos. To learn more, please visit o3de.org and get involved and connect with the community on Discord.com/invite/o3de and GitHub.com/o3de.

About the Open 3D Foundation (O3DF)
Established in July 2021, the mission of the O3DF is to make an open source, fully-featured, high-fidelity, real-time 3D engine for building games and simulations, available to every industry. The O3DF is home to the O3DE project. To learn more, please visit o3d.foundation.

About the Linux Foundation
Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. 

For more information, please visit us at linuxfoundation.org

Media Inquiries:

pr@o3d.foundation

# # #

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

The post Open 3D Foundation (O3DF) Announces Keynote Lineup for O3DCon—Online and In-Person in Austin, October 17-19 appeared first on Linux Foundation.
