Open Atomic Developer Workshop | Experts discuss the security of open source projects

The "Open Atomic Developer Workshop" is an offline open source exchange event for developers initiated by the Open Atom Open Source Foundation. It aims to let developers share their experience of participating in community building, exchange development insights with like-minded developers, and learn about cutting-edge technology trends.

With the rapid development of technology and the acceleration of digitalization, open source software has become a major trend in software development, and open source security issues are becoming increasingly prominent. How to consolidate the cornerstone of open source security and build a secure open source "moat" has become an important question for enterprises pursuing high-quality development.

On September 15, the third session of the "Open Atomic Developer Workshop" hosted by the Open Atom Open Source Foundation was successfully held. Under the theme "Source Security - On the Security of Open Source Projects", the event invited four big names: Wang Zhenxing, CTO of Sangfor Qianlimu Security Technology Center; Yang Xuan, Asia Pacific Director of the Linux Foundation; Li Xiang, a major member of ZTE OSPO; and Cui Jinguo, Director of OpenSSF and Huawei Open Source Development Director & Open Source Security Leader. They gathered together for a lively collision of ideas. Zeng Hui, senior community manager of Beluga Open Source, hosted the event.

Identify vulnerabilities and identify risks

Daily tips for open source security

Moderator: How does the development team effectively manage open source dependencies and timely update them daily to reduce the security risk of component vulnerabilities? What tools or programs are needed to improve the current situation?

Linux Foundation Asia Pacific Director

Yang Xuan

Yang Xuan: Using open source software requires comprehensive consideration from many aspects. The first is personnel capabilities. Developers need to have a complete understanding of the open source system and understand the characteristics of each open source software license to avoid unnecessary trouble. The second is that developers need to establish a software usage list for their own projects, understand how to control versions, and know whether there are vulnerabilities, patches and other issues. Third, it is also very important to establish an open source security framework for enterprises and teams. There are many tools on the market that can automatically scan and generate usage lists to improve work efficiency. At the same time, team participants need to fully understand the open source community attributes of the software they use so that they can respond quickly when problems arise.

CTO of Sangfor Qianlimu Security Technology Center

Wang Zhenxing

Wang Zhenxing: The improvement plan covers both the "management" and "technical" levels. Taking the technical perspective as an example, the first is the bill of materials. With the help of good tools, the data that the open source software relies on can be sorted out directly. Second, in terms of risk identification, the domestic CNVD and NVDB, as well as foreign CVE vulnerabilities, can ensure full coverage of vulnerabilities and can be updated in a timely manner. Third, in the face of the risk that vulnerabilities may be exploited, taint tracking can be carried out and the code's function calling relationships sorted out. Fourth, in terms of repair, you can consider integrating a secure SDK and using RASP technology for code incubation. There are multiple working groups in the OpenSSF Foundation that focus on different fields and solve practical problems through technologies suitable for different scenarios.

OpenSSF Director, Huawei Open Source Development Director & Open Source Security Leader

Cui Jinguo

Cui Jinguo: In terms of management, first of all, many open source communities have dedicated security working groups, while commercial companies need to establish modules, organizations and technical tools related to open source software and security to shoulder more legal responsibilities and customer delivery and contractual responsibilities, so establishing a set of management practices related to open source security is critical. Secondly, on the basis of security regulations, it is necessary to establish a corresponding management mechanism for the open source software supply chain, including the management of the open source software life cycle, so that more high-quality software can be developed under the management framework. Finally, relevant execution teams and corresponding tools are needed to provide support. Only with tools, personnel and management specifications, and under constant regulatory constraints, can developers form muscle memory and ensure that the community develops safe and high-quality software.

ZTE OSPO main member

Li Xiang

Li Xiang: First of all, there are certain risks in using open source software. Generally speaking, companies need to formulate relevant rules and regulations to govern the use of open source software to ensure that the risks caused by introducing open source software into products are minimized. Secondly, regarding dependency and update issues, we tend to maintain the stability of the product and try to keep the version within a relatively reasonable range. Usually this cycle is within 4 years. Finally, in order to ensure product security, SCA scanning needs to be performed before product release to form an SBOM to manage all high-risk vulnerabilities and low-risk vulnerabilities that may affect the product.
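As an added example (not code from the workshop or from any of the speakers), the following Python carries out the "bill of materials, then risk identification" step that Wang Zhenxing and Li Xiang describe: it reads a minimal CycloneDX-style SBOM, matches each component against a vulnerability feed, and ranks the hits by severity so high-risk and low-risk findings are both tracked. All component names, advisory ids and version ranges are constructed sample data, and the range semantics (introduced <= version < fixed, with a missing `fixed` meaning no patched release yet) are an assumption modelled on OSV-style feeds.

```python
import json

# Constructed ranking; a real feed would carry CVSS scores instead.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """Assumed OSV-style range: affected if introduced <= version < fixed.
    fixed=None means the advisory has no patched release yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def match_sbom(sbom_json, feed):
    """Return every (component, advisory) hit, most severe first."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for adv in feed:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv.get("fixed")):
                findings.append({
                    "package": comp["name"], "version": comp["version"],
                    "advisory": adv["id"], "severity": adv["severity"],
                    "fixed_in": adv.get("fixed"),  # None => no patch to upgrade to
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["package"]))
    return findings

# Constructed sample SBOM (CycloneDX-like shape) and advisory feed; not real packages.
SAMPLE_SBOM = json.dumps({"components": [
    {"name": "json-parse-lib", "version": "2.4.1"},
    {"name": "net-utils", "version": "0.9.3"},
    {"name": "log-format", "version": "3.1.0"},
]})
SAMPLE_FEED = [
    {"id": "EXAMPLE-2023-0001", "package": "json-parse-lib", "introduced": "2.0.0", "fixed": "2.4.2", "severity": "high"},
    {"id": "EXAMPLE-2023-0002", "package": "json-parse-lib", "introduced": "1.0.0", "fixed": "2.0.0", "severity": "critical"},
    {"id": "EXAMPLE-2023-0003", "package": "net-utils", "introduced": "0.9.0", "fixed": None, "severity": "low"},
    {"id": "EXAMPLE-2023-0004", "package": "log-format", "introduced": "3.0.0", "fixed": "3.0.5", "severity": "critical"},
]

if __name__ == "__main__":
    for finding in match_sbom(SAMPLE_SBOM, SAMPLE_FEED):
        print(finding)
```

On the sample data only the high-severity json-parse-lib advisory and the unpatched low-severity net-utils advisory match; the two critical advisories are excluded because the shipped versions fall outside their ranges, which is exactly the false positive a string comparison of versions would get wrong.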

Beluga Open Source Senior Community Manager

Zeng Hui

Anchor positioning and quick repair

Leave no opportunity to exploit security vulnerabilities

Moderator: When encountering high-risk vulnerabilities, how to quickly locate and repair them? What information sharing and vulnerability warning platforms can the industry establish?

Wang Zhenxing: To discover high-risk vulnerabilities, a combination of tools and manual work can be used. After the product is launched, high-risk vulnerabilities can be managed using vulnerability hunting, traffic monitoring can be carried out using a variety of tools, and known and unknown risk points can be identified through a semantic and syntactic artificial intelligence engine. At the same time, by combining the attack packets with the response packets, we can identify the vulnerabilities that have been successfully executed, and thereby discover the real vulnerabilities.

At present, there are NVDB vulnerability database of the Ministry of Industry and Information Technology, CNNVD of the national test and CNVD of CNCERT. However, there is no platform specifically targeting open source vulnerabilities on the market. The Open Atom Open Source Foundation is preparing a project targeting open source vulnerabilities. This will be a platform that includes open source software vulnerabilities. It is expected that the launch of this platform can fill the current gap in the industry.

Cui Jinguo: Vulnerabilities are not terrible, but we need to pay enough attention to them. On the one hand, we need to strengthen the implementation of secure coding standards in the community and reduce vulnerabilities caused by non-standard coding; on the other hand, we hope that everyone can report vulnerabilities as much as possible when they find them. The community usually establishes vulnerability reporting mechanisms and norms, and there are also relevant legal requirements and guidance to provide solutions in a legal and compliant manner. For the collection of vulnerabilities, corresponding vulnerability platforms have been established at home and abroad. At the same time, the Open Atom Open Source Foundation Security Committee is also building an open source vulnerability information sharing platform. Everyone is welcome to try it.

Li Xiang: Regarding vulnerabilities, SCA software can only find known vulnerabilities, while unknown vulnerabilities need to be discovered through other security tools and need to have the ability to quickly solve the problem within 48 hours. For projects, important open source software should be identified and have certain code maintenance capabilities so that vulnerabilities can be repaired in an emergency and patches can be submitted to the community in a timely manner.

Build the community and keep it secure

Developers working together

Moderator: How to establish a long-term mechanism for security maintenance in the open source community to prevent legacy vulnerabilities in old components from not being repaired for a long time? Are approaches like code audits and bug bounty programs feasible?

Yang Xuan: If we regard the whole of China as a large community, the Linux Foundation and the Open Atom Open Source Foundation can work together to learn from the Consumer Council model, so that developers of open source software can also have a mechanism to discover vulnerabilities and report them. In addition, I think the number of developers participating in the open source security field in China is far from enough. Most developers passively wait for others to find bugs and solve problems, lacking the awareness and ability to actively participate in security research and software repair. In order to improve this situation, I call on all developers to actively participate in the construction of open source security. The Linux Foundation has provided some free courses to help everyone improve open source security. Everyone is welcome to participate.

Cui Jinguo: Participating in open source activities is a good way to expand channels. Everyone can exchange practical experience with each other and jointly improve the security management level of the community and software. From a practical perspective, we should follow systematic rules when introducing open source software, download or quote from the official community of open source software, and avoid introducing poisoned or contaminated software. In enterprises that have established open source software compliance management standards, developers generally need to apply for and undergo evaluation before using open source software. In addition, the life cycle management of the introduced open source software also needs to be carried out, and it should be evaluated and governed regularly. At the same time, an exit mechanism should be considered for old open source software that lacks maintenance and should be updated in a timely manner to ensure the stability and security of the product. Finally, we should not think of security as a cost, but as an integral part of quality, which can lead to better user experience and business opportunities.

Li Xiang: The mechanism of the open source community is very important. We hope that organizations such as enterprises and open source foundations can formulate specifications and update requirements for the introduction of open source software and feed them back to the open source community. In the open source community, it is difficult to constrain developers into forming a consensus. Therefore, developers need to be encouraged to actively participate in and contribute to the community, fix security vulnerabilities, and share them with the community to help other developers avoid similar problems, improve the overall security level of the community, and promote community progress and development.

Wang Zhenxing: Vulnerabilities that have not been repaired for a long time need to be paid attention to. We can refer to the hierarchical protection system to divide security into different levels, and at the same time identify and prioritize open source components used in key industries and infrastructure. In addition to the scanning methods mentioned above, you can also consider adopting a public testing mode for key projects and software, calling on people with strong offensive and defensive capabilities in society to participate in testing key software and discover key vulnerabilities.

At present, simply using a bounty model to motivate developers has little effect, and there are relatively few interested developers. Therefore, on the one hand, we can consider whether to give non-monetary recognition, and on the other hand, we can unite security vendors and communities to bring more security forces into the open source community by issuing certificates and other methods.

Cultivate talents and maintain skills

Build a harmonious and secure open source ecosystem together

Moderator: Facing the ever-escalating open source security challenges, professional talent is indispensable. What suggestions do the guests have for cultivating open source security talent in enterprises?

Yang Xuan: There is a balancing game in the security of open source software. We need to balance the relationship between development tasks and security requirements. On the one hand, many open source team leaders are under pressure to complete tasks and often focus primarily on software development progress, while security issues are treated as a secondary task. On the other hand, enterprises need to establish a complete system and an open source security team to ensure that the development team can meet security needs. At the same time, developers also need to fully understand security practices, develop good habits, and form muscle memory, which can significantly reduce security risks in the future and better promote the safe development of open source software.

Wang Zhenxing: The cultivation of open source security talent is a problem we must face. Enterprises can cultivate well-rounded talent with comprehensive skills and qualities on their own. Such talent needs to possess the following key qualities and abilities: first, they need to understand and master a certain amount of vulnerability knowledge; second, they need to have a certain amount of legal knowledge and understand compliance and other requirements; third, they need to understand the market so that security risks can be controlled when purchasing third-party software and hardware. I believe that the best way to cultivate talent is to gain experience in different positions. Through job rotation, developers can be exposed to more business and practical opportunities, thereby better improving their comprehensive skills and quality.

Cui Jinguo: There are no fixed standards for talent training. For open source communities, igniting developers' interest and guiding developers to invest is an important part of developing open source communities. When developers are interested in a certain community or field, they are willing to actively invest time and energy to learn and explore. In the open source community, you can share your experiences and lessons by participating in technical exchange meetings, writing articles, etc., which can not only improve your own abilities and levels, but also contribute to the development of the open source community. At the same time, this is also a good opportunity to make friends and expand interpersonal relationships.

Li Xiang: From the perspective of using open source within the enterprise, we need to pay attention to security training, mid-level security talent, and open source governance. First of all, rules, regulations and processes should be formulated for security training to ensure that developers can meet security requirements in accordance with relevant regulations; secondly, each project should have a director responsible for security, who will lead security governance work within the project according to the company's overall security rules and regulations; finally, open source governance is an integral part of product security work. Each project requires a full-time deputy director to be responsible for the open source governance activities of the entire project to ensure that relevant rules and regulations are implemented.

Yang Xuan: The cloud native security certification provided by the Linux Foundation is a very valuable certificate. Passing administrator certification is a prerequisite for obtaining security certifications, and security certifications generally pay more than other certifications. As European and American countries continue to introduce software security regulations, the demand for security talents is also increasing. Although major domestic manufacturers monopolize most security talents, such certificates still provide opportunities for developers who want to join the security field.

At the event, the participants spoke actively and discussed security issues in their respective fields with the four guests. The experts answered one by one, and the atmosphere of the discussion was very lively.

Subsequent sessions of the "Open Atomic Developer Workshop" offline exchange series will be held regularly. Each session will cover technical topics in a different field, communicate and learn with everyone face-to-face, and listen to the voice of the community up close. Developers are welcome to continue to follow and participate.


Origin: blog.csdn.net/OpenAtomFund/article/details/133268373