Anyone want to catch me up on the state of open source security? I remember after Heartbleed there was a big effort to get critical open source projects better funding. Problem solved?? Still an issue?
Replying to @robknake
- Improvements: @github tools, SBOM, @linuxfoundation efforts, DevOps tools, etc.
- New attack surface: package managers.
- Existing issues still remain: few contribs from corps, poor commit rigor, etc.
cc @jlwilker @USSJoin @joshcorman @allanfriedman
Replying to @beauwoods @robknake and
A decent summary of how much things aren't solved: https://arstechnica.com/information-technology/2019/08/the-year-long-rash-of-supply-chain-attacks-against-open-source-is-getting-worse/ and a pessimistic take https://opensourcesecurity.io/2019/08/28/backdoors-in-open-source-are-here-to-stay/ (which SBOM can help with)
Replying to @allanfriedman @beauwoods and
thanks Allan -- just when I was having one of those "England can make it" moments, you come in all doom and gloom. I might as well invite @adamshostack into the conversation to pile on to the "everything is horrible" party
We'll just have to look at those other countless solutions in your book to make the world better.
oh, and #SBOM :)