
2024-03-25 12:20




| Translation: 庄表伟

| Proofreading: 王永雷

| Editing: 周晶晶

| Design: 大政

It's nearly impossible these days to build software without using open source code. But all that free software carries additional security risks.


Organizations grapple with how best to secure their open source software supply chain. But there's another problem: Many companies don't even know how many open source applications they have — or what's in them.


The worst-case scenarios include debacles like 2021's Log4j security vulnerability, or what happened with SolarWinds' proprietary Orion network monitoring product, which was infected with malware in 2020.


For companies that build and ship software, the best practice is to "ship what you know and know what you ship," according to Suzanne Ambiel, director of open source marketing and strategy at VMware Tanzu. And that "shipping manifest" applies to open source and proprietary code equally.


"Your customer and user community is trusting that what you are providing to them is good and clean and secure," she said. "They trust you to have done the hard work, and that you know what's in your software."


In order to get a handle on the potential risks involved with using open source, companies need to have a clear understanding of what open source code is used in their environment, stay up to date on patching, and even conduct their own vulnerability scans and assessments if necessary.


An open source program office (OSPO) — a bureau of open source experts within your organization dedicated to overseeing how your company uses, creates and contributes to free software — can help coordinate all these efforts.


An OSPO can help a company get a handle on the open source code it uses and establish visibility into open source projects and tools, said Liz Miller, vice president and principal analyst at Constellation Research.


"Fundamentally, the purpose of an open source program office is to centralize the understanding of dependencies, implementation and utilization of open source code across an enterprise," Miller said. "There is a significant security benefit to an OSPO."



What's In Your Open Source Code?


Today's software is made up of components from a variety of sources. "It's never 100% one thing," said VMware's Ambiel.


"There's some code that you have written for the first time, so you obviously know what's in there. But you may have used some containerized software. And you are going to be reusing some code. And everyone uses open source code."


Recent studies differ on exactly how much open source code enterprises use, but it's a lot:


  • A survey by The Linux Foundation, the TODO Group and The New Stack, published in September, found that 81% of respondents use open source software in their non-commercial or internal products at least sometimes, and 67% use it in their commercial or external products.


  • Last April, application security testing company Synopsys reviewed the code of more than 1,500 enterprise software projects, both internal and commercial, and found that 98% of them contained some open source code. For an average application, 75% of the codebase was open source.


Here's the scary part: In Synopsys' analysis, 84% of the codebases had at least one vulnerability. And 91% of the codebases contained open source components that had seen no development activity in the past two years.


Even open source code that has been in circulation for years and has been seen and used by millions can include vulnerabilities lurking layers deep in the code, said Miller.


"The reality of open source is that for the security professional, hearing that a software supply chain is filled with unchecked, unknown and completely invisible open source code is the stuff nightmares are made of," she said.


That's why software needs to come with a "bill of materials," said Ambiel: a complete inventory of every component that goes into a software package, along with each component's version and license terms.

And there's a lot happening on that front. An OSPO can help companies stay on top of the latest recommendations, she said.


For example, last May President Biden issued an executive order (Executive Order 14028) requiring a software bill of materials (commonly known as an SBOM) from vendors that provide software to the federal government.


Two days later, the Cloud Native Computing Foundation (CNCF) released a best-practices white paper recommending that all vendors provide an SBOM where possible, with clear and direct links to dependencies.


The CNCF white paper also recommended that companies scan their software with software-composition analysis tools to detect vulnerable open source components, and use penetration testing to check for basic security errors or loopholes and resistance to standard attacks.



And more recently, the Linux Foundation published a report that provides additional insights and recommendations for best practice management of your software supply chain.


With an in-house OSPO in place, the professionals in that office can help educate developers on the best practices for creating SBOMs and also help establish the use of the Software Package Data Exchange (SPDX) standard, one of the standard formats in which SBOM information is communicated.
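An SBOM only earns its keep if someone actually reads it. The script below is an added example (not code from the article, VMware, the CNCF or the Linux Foundation): it takes a small SPDX 2.3 JSON document for a constructed application, lists every shipped package with its version and declared license, walks the DEPENDS_ON graph from the package the document DESCRIBES, and matches the inventory against a constructed advisory list. The application, package names, versions and the advisory identifier are all made up for illustration and do not describe any real software.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed SPDX 2.3 JSON SBOM. Names, versions and the namespace are made up.
SBOM_JSON = """
{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-service-1.4.0",
  "documentNamespace": "https://example.invalid/spdx/example-service-1.4.0",
  "packages": [
    {"SPDXID": "SPDXRef-app",  "name": "example-service", "versionInfo": "1.4.0",
     "licenseDeclared": "NOASSERTION", "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-liba", "name": "liba", "versionInfo": "2.1.0",
     "licenseDeclared": "Apache-2.0", "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-libb", "name": "libb", "versionInfo": "0.9.3",
     "licenseDeclared": "GPL-3.0-only", "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-libc", "name": "libc-utils",
     "licenseDeclared": "NOASSERTION", "downloadLocation": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",  "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app",  "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-liba"},
    {"spdxElementId": "SPDXRef-app",  "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-libb"},
    {"spdxElementId": "SPDXRef-libb", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-libc"}
  ]
}
"""

# Constructed advisory feed: (package name, first fixed version, advisory id).
ADVISORIES: List[Tuple[str, str, str]] = [("libb", "1.0.0", "EXAMPLE-2021-0001")]


@dataclass
class Component:
    spdx_id: str
    name: str
    version: Optional[str]
    license: str


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2); non-numeric segments compare as 0 (enough for this data)."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom: dict) -> Dict[str, Component]:
    """Index every package in the SBOM by its SPDXID; versionInfo is optional in SPDX."""
    return {
        p["SPDXID"]: Component(p["SPDXID"], p["name"], p.get("versionInfo"),
                               p.get("licenseDeclared", "NOASSERTION"))
        for p in sbom.get("packages", [])
    }


def described_root(sbom: dict) -> str:
    """The element the document DESCRIBES is the thing that actually ships."""
    for rel in sbom.get("relationships", []):
        if rel["spdxElementId"] == "SPDXRef-DOCUMENT" and rel["relationshipType"] == "DESCRIBES":
            return rel["relatedSpdxElement"]
    raise ValueError("SBOM has no DESCRIBES relationship")


def transitive_dependencies(sbom: dict, root: str) -> Set[str]:
    """Everything reachable from root through DEPENDS_ON edges (depth-first)."""
    edges: Dict[str, List[str]] = {}
    for rel in sbom.get("relationships", []):
        if rel["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    seen: Set[str] = set()
    stack = [root]
    while stack:
        for dep in edges.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def audit(sbom_text: str, advisories: List[Tuple[str, str, str]]) -> Dict[str, list]:
    """Report components with no version, no asserted license, a known advisory,
    or no link to what ships (listed but orphaned from the DESCRIBES root)."""
    sbom = json.loads(sbom_text)
    comps = load_components(sbom)
    root = described_root(sbom)
    shipped = transitive_dependencies(sbom, root)
    findings: Dict[str, list] = {"missing_version": [], "unknown_license": [], "vulnerable": [], "orphaned": []}
    for sid, c in comps.items():
        if sid == root:
            continue
        if sid not in shipped:
            findings["orphaned"].append(c.name)
        if not c.version:
            findings["missing_version"].append(c.name)
        if c.license == "NOASSERTION":
            findings["unknown_license"].append(c.name)
        for name, fixed_in, adv_id in advisories:
            if c.name == name and c.version and parse_version(c.version) < parse_version(fixed_in):
                findings["vulnerable"].append((c.name, c.version, adv_id, fixed_in))
    return findings


if __name__ == "__main__":
    for category, items in audit(SBOM_JSON, ADVISORIES).items():
        print(f"{category}: {items}")
```

The two findings that matter here are the ones a version-only check would miss: a transitive component with no version at all cannot be matched against any advisory, and a component with no asserted license cannot be cleared for shipping either. Both are exactly the "unknown and invisible" code Miller describes, and an SBOM that merely lists them has not solved the problem until someone resolves them.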


It can also help devs keep abreast of emerging concepts like the new framework for software supply chain integrity, called Supply-Chain Levels for Software Artifacts, or SLSA, introduced by Google in collaboration with OpenSSF in 2021.


Keeping up to date with these best practices is a challenge, said Ambiel. “Being a developer is hard enough, and asking them to take on that challenge pulls them away from the applications or products they’re trying to build.”


An OSPO “can bring in the best practices and apply them in the best way possible, given the company you are and the software development that you do,” Ambiel said.



Protecting Open Source Software from Attack


Attacks on the open source software supply chain increased 650% last year compared to 2020, according to Sonatype's state of the software supply chain report, released in September.


And that’s before the Log4j vulnerability came to light, called the most dangerous Java exploit in years by security researchers.


An OSPO can help developers stay abreast of new developments in open source security and build more secure applications, while also staying on top of required updates and patches.


Software is constantly changing, and it’s a constant challenge for companies to keep up with those changes. An OSPO can also help create and maintain connections to open source communities that keep track of the latest changes in software, and these connections can help companies stay on top.


“What’s current today is technical debt tomorrow,” said Ambiel. “It’s a big job. But when it comes to these big ecosystem challenges, that’s where the open source community really shines and can step up.”


Keeping on top of code changes is a problem that everyone has, she said: “No one is excluded. Everybody has to pay attention to this.”


When companies open themselves up to new ideas from beyond their corporate borders, that’s when the best solutions come to bear, she added.


For example, the open source community has been working on supply chain security and compliance for years. The Linux Foundation’s Tern project, which inspects container images, is part of its Automated Compliance Tooling initiative.



An OSPO can also tap outside expertise through the OpenSSF, which is working on systemic solutions and ways to combat increasing attacks such as typosquatting and malicious code.


All of this is important because attackers are getting proactive, said David Wheeler, director of open source supply chain security at the Linux Foundation.


They directly inject malware into software source code or installable packages: sometimes simply by submitting an update with malware in it and hoping nobody notices, sometimes by stealing a developer’s password and pushing it through that developer’s account.


“Malicious code injection is the kind of attack that most people think about, yet in practice, it’s less common in open source software,” said Wheeler. “Still, it can be devastating when it happens.”


The most common way to replace legitimate code with malicious code is by publishing a package under the same name on a different repository. A developer might think they’re loading a trusted package from their in-house repository but instead load a same-named package from a public repository, because the package manager prefers whichever copy carries the higher version number (the attack known as dependency confusion).


“Typosquatting is another common attack,” said Wheeler. This is when the malicious package has almost the same name as the real one. “The developer uses the malicious package instead — often because the developer makes a typo.”

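Both substitution attacks described above can be caught at resolution time, before anything is installed. The following is an added example and not code from the article, the Linux Foundation or the OpenSSF. It models a private index and a public index with constructed package lists, shows that a resolver which simply takes the highest version across both indexes picks the attacker’s public copy of an internal name, and then applies the two checks a practitioner would want: names marked internal are resolved only from the private index, and any requested name that is not on the approved list but sits within a small edit distance of an approved name is blocked as a possible typosquat. All package names, versions and index contents are made up.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed package indexes; nothing here refers to a real package or registry.
PRIVATE_INDEX: Dict[str, List[str]] = {
    "acme-auth": ["1.2.0", "1.3.1"],
    "acme-billing": ["0.8.0"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.25.1", "2.26.0"],
    "acme-auth": ["99.0.0"],   # attacker registered the internal name on the public index
    "reqeusts": ["2.26.0"],    # typosquat of "requests"
}
APPROVED: Set[str] = {"requests", "acme-auth", "acme-billing"}  # the organization's allowlist
INTERNAL: Set[str] = {"acme-auth", "acme-billing"}              # must come from PRIVATE_INDEX only


def version_key(v: str) -> Tuple[int, ...]:
    """Constructed versions are purely numeric dotted strings, so a tuple of ints orders them."""
    return tuple(int(x) for x in v.split("."))


def naive_resolve(name: str) -> Optional[Tuple[str, str]]:
    """Highest version from either index: the behaviour that enables dependency confusion."""
    candidates = [("private", v) for v in PRIVATE_INDEX.get(name, [])]
    candidates += [("public", v) for v in PUBLIC_INDEX.get(name, [])]
    if not candidates:
        return None
    return max(candidates, key=lambda c: version_key(c[1]))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (one row of the table kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_suspects(name: str, approved: Set[str], max_distance: int = 2) -> List[str]:
    """Approved names that `name` closely resembles, when `name` itself is not approved.
    A transposition of two letters costs 2 in plain Levenshtein, so max_distance=2 catches it."""
    if name in approved:
        return []
    return sorted(n for n in approved if edit_distance(name, n) <= max_distance)


def safe_resolve(name: str) -> Tuple[str, str, str]:
    """Returns (status, index, detail). Anything other than status 'ok' must not be installed."""
    suspects = typosquat_suspects(name, APPROVED)
    if suspects:
        return ("typosquat", "", ",".join(suspects))
    if name not in APPROVED:
        return ("unapproved", "", "")
    # Internal names never consult the public index, so a public 99.0.0 cannot win.
    index, label = (PRIVATE_INDEX, "private") if name in INTERNAL else (PUBLIC_INDEX, "public")
    versions = index.get(name, [])
    if not versions:
        return ("missing", label, "")
    return ("ok", label, max(versions, key=version_key))


if __name__ == "__main__":
    for pkg in ("acme-auth", "requests", "reqeusts", "left-pad"):
        print(f"{pkg:12} naive={naive_resolve(pkg)}  safe={safe_resolve(pkg)}")
```

The order of the checks is deliberate: the typosquat test runs before the allowlist test so that a near-miss of an approved name is reported as a suspected typosquat rather than as a generic "not approved", which tells the developer what probably happened. Real package managers expose the equivalent of the INTERNAL rule through their index and scope configuration; the point of the example is that the rule has to be explicit, because "highest version wins" is the default.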


OSPOs and Open Source Communities


To guard against these kinds of attacks, Wheeler recommends that companies engage more with open source communities.


Having an OSPO helps companies do just that. Fifty-six percent of participants in the Linux Foundation survey felt that engaging with the developer community was a chief responsibility of an OSPO, and almost 69% said promoting an open source culture in-house was a chief responsibility of an OSPO.


If an open source project is important to a company but the project doesn’t have multiple people reviewing code upgrades, then it might make sense to join the project.


“The costs of doing so are typically far less than trying to independently develop and maintain your own software,” Wheeler said.


He also suggested that companies get involved in the OpenSSF, a consortium of many organizations working on systemic solutions, such as distributing multifactor authentication tokens to software developers.


“Different organizations may choose to resolve these challenges differently,” Wheeler said. “But OSPOs are often well-placed to help.”






Kaiyuanshe (开源社) was founded in 2014. It is made up of individual members who volunteer their contributions to the open source cause, organized under the principles of "contribution, consensus, co-governance". It has always remained vendor-neutral, public-interest and non-profit, and was the earliest federation of open source communities to take "open source governance, international alignment, community development, open source projects" as its mission. Kaiyuanshe works closely with communities, companies and government bodies that support open source, with the vision of "rooted in China, contributing to the world", aiming to build a healthy and sustainable open source ecosystem together and to make China's open source communities active participants in and contributors to the global open source system.

In 2017, Kaiyuanshe became an organization composed entirely of individual members, operating on the governance model of top international open source foundations such as the ASF. Over nearly seven years it has connected tens of thousands of open source people, gathered more than a thousand community members and volunteers and hundreds of speakers from China and abroad, and worked with nearly a hundred sponsor, media and community partners.




