
Open Source Software Security Mobilization Plan: A New Hope for Developer-led Security

Those who know me understand that I try to find something positive in every moment. However, it must be said that the escalation of cybersecurity incidents over the past few years has made it extremely difficult to find a silver lining.

A glance at some of the data-driven insights into the growing plight paints a grim picture: 33 billion records stolen by cybercriminals in 2023 alone, a 175% increase from 2018. The cost of cybercrime is projected to reach $10.5 trillion by 2025, and the average cost of a data breach has skyrocketed to US$4.24 million (though just by looking at incidents such as Equifax and SolarWinds, you can see it can be much worse).

We have been waiting a long time for heroes to come and save us from cybersecurity bad guys who seem to have far more power than we imagined even 10 years ago. We are waiting for more cybersecurity experts to join the fight, but that is a gap we cannot fill. We are waiting for a silver-bullet tool that promises to automate away the increasing risk, but it does not exist and is very unlikely to ever exist. I am waiting for Luke Skywalker to help me fight the dark side.

After all, help (and hope) is underway in the form of the Open Source Software Security Mobilization Plan.

This 10-point plan was led by the Open Source Security Foundation (OpenSSF) and the Linux Foundation in collaboration with White House officials, top CISOs, and other senior leaders from 37 private technology companies. With this combined support in both action and funding, open source software security standards are set to become much stronger.

Of particular interest is the focus on developer-level baseline education and certification, as well as measures designed to streamline internal software bill of materials (SBOM) activities. Both of these are notoriously difficult to implement in a way that has a lasting impact, so let us take a look inside.

Security Certification for Developers: Are We There Yet?

One thing we certainly know is that security-savvy developers are still a rare commodity. This is the reality for many reasons. Until recently, developers were not part of the equation when it came to software security strategies within an organization. Combine that with the fact that developers have little reason to prioritize security (their training is inadequate or nonexistent, it is time-consuming, it is not part of their KPIs, and their main concern is what they do best: developing software), and the result is developers who are not really ready to deal with security at the code level and who are not yet part of the team in a modern DevSecOps-centric software development life cycle (SDLC).

Looking at the Open Source Software Security Mobilization Plan, the first step in the 10-point plan is to address developer security skills and “provide baseline secure software development education and certification for everyone.” This highlights the issues we have discussed so far, including the fact that secure coding is MIA from most software engineering courses at the higher education level. It is very encouraging to see this supported by individuals and organizations that can change the status quo of the industry. With at least some open source code in 99% of the world’s software, this development area is a great place to start focusing developer training on security.

The plan draws on extensive, long-standing resources from the OpenSSF Secure Software Development Fundamentals course and the OWASP Foundation. These information hubs are invaluable. The proposal is to publish these materials as an open source secure development curriculum, in partnership with educational institutions, to produce skilled developers.

The plan is also to maintain an open source library on how to win the hearts of software engineers around the world, many of whom still see security as neither their job nor their priority. It will need to detail reward and recognition strategies targeted at both developers and working engineers, and to confirm the value of security certification.

Experience has shown that developers respond well to incentives, and that a tiered badge system demonstrating progress and skill works just as well in learning environments as it does on Steam and Xbox.

However, my concern is that the plan does not address one of the major issues: the delivery of the learning modules. I have worked closely with developers for much of my career, so I know how skeptical they are when it comes to tools and training, not least anything that seems to get in the way of their top priority. For developers to engage continuously with course materials, and for the program to succeed, the material must make sense in the context of their everyday work.

A baseline is only a baseline, and once that layer has been mastered, what is the next step? Learning paths for building security skills are plentiful even at the developer level, but for security responsibility to be shared in a meaningful way, courses need to give developers a practical, concrete understanding of the impact of poor coding patterns, both in the code they write and in the potential pitfalls within the OSS projects they use. Education and accreditation may not be taken as seriously as we would like until developers realize they have the power to close the windows of opportunity that lead to disastrous breaches.

Software BOM: Will this plan break down the barriers to adoption?

Another area the plan tries to address is the common struggle with creating and maintaining software bills of materials (SBOMs), in the stream “SBOM Everywhere — Improve SBOM Tooling and Training to Drive Adoption.” It investigates how to make it easy for developers and their organizations to create, update, and use SBOMs to improve security outcomes.

Currently, SBOMs are not widely adopted in most industries, which makes it difficult to realize their potential for mitigating security risk. The plan includes sound strategies for defining key standards for SBOM creation, and for tooling that makes creation fit the way developers already work. These alone will go a long way toward easing the burden of yet another SDLC task on developers who are already spinning many plates to ship software at the rate demanded.

But what I fear is that in the average organization, security responsibility can be a genuine gray area for developers. Who is responsible for security? Ultimately it is the security team, but if we need developers’ help, they need to be taken on a journey. Tasks and expectations must be clearly defined, and it takes time to make these additional steps a success.

From OSS to the wider world of software

The Open Source Software Security Mobilization Plan is ambitious, bold, and exactly what is needed to drive developer responsibility for security. We needed a “Rebel Alliance” to bring the powerful players together, and it serves as evidence that we are heading in the right direction, leaving behind the idea that the cybersecurity skills gap will somehow magically close.

It is our new hope, and we all need to take this framework beyond OSS. I am ready.

https://sdtimes.com/security/the-open-source-software-security-mobilization-plan-a-new-hope-for-developer-driven-security/
