What’s the State of Open Source Security? Don’t Ask.

Forty-one percent of the more than 500 organizations surveyed by The Linux Foundation and Snyk don’t have high confidence in the security of the open source software they use.
Jul 5th, 2022 1:13pm by

AUSTIN, TEX. — How safe is the open source software that virtually every organization uses? You might not want to know, according to the results of a survey released by The Linux Foundation and Snyk, a cloud native cybersecurity company, at the foundation’s annual Open Source Summit North America, held here in June.

Forty-one percent of the more than 500 organizations surveyed don’t have high confidence in the security of the open source software they use, according to the research. Only half of participating companies said they have a security policy that addresses open source.

Furthermore, it takes more than double the number of days — 98 — to fix a vulnerability compared to what was reported in the 2018 version of the survey.

The research was conducted at the request of the Open Source Security Foundation (OpenSSF), a project of The Linux Foundation. For this On the Road episode of The New Stack Makers, Steve Hendrick, vice president of research at The Linux Foundation, and Matt Jarvis, director of developer relations at Snyk, were interviewed by Heather Joslyn, features editor at TNS.

Despite the alarming statistics, our guests cautioned against treating every vulnerability as a four-alarm fire.
“Having a kind of zero-vulnerability target is probably unrealistic because not all vulnerabilities are treated equal,” Jarvis said. Some “vulnerabilities” may not necessarily be a risk in your particular environment. It’s best to focus on the most critical threats to your network, applications and data.

One bright spot in the new report: Nearly one in four respondents said they’re looking for resources to help them keep their open source software — and all that depends on it — safe. Perhaps even more relevant to vendors: 62% of survey participants said they are looking to use more intelligent security-focused tools.

“There’s a lot from a process standpoint that they are responsible for,” said Hendrick. “But they were very quick to jump on the bandwagon and say, we want the vendor community to do a better job at providing us tools, that makes our life a lot easier. Because I think everybody recognizes that solving the security problem is going to require a lot more effort than we’re putting into it today.”

Jumping on the ‘SBOM Bandwagon’

Many organizations still seem confused about which dependencies of the open source software they use are direct and which are transitive (dependencies of those dependencies), said Hendrick. One of the best ways to clarify things, he said, “is to get on the SBOM bandwagon.”

Understanding an open source tool’s software bill of materials, or SBOM, is “going to give you great understanding of the components, it’s going to give you usability, it’s going to give you trust, you’re gonna be able to know that the components are nonfalsified,” Hendrick said.

“And so that’s all absolutely key from the standpoint of being able to deal with the whole componentization issue that is going on everywhere today.”
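To make the two points Hendrick raises concrete, here is an added example (not code from the article, The Linux Foundation, Snyk or OpenSSF) that reads a small CycloneDX-style SBOM, separates the root application’s direct dependencies from its transitive ones by walking the dependency graph, and checks each component’s recorded SHA-256 against the artifact actually fetched, which is the “nonfalsified” check an SBOM makes possible. The SBOM, the package names (acme-app, webfw, jsonlib, httpcore, tlslib) and the artifact bytes are all constructed for the example; real SBOMs carry hashes of the real distribution files.

```python
import hashlib
import json
from collections import deque

# Constructed artifact payloads for hypothetical packages. In practice these
# would be the bytes of the downloaded wheels/tarballs; here they exist only so
# the hash check can run offline.
ARTIFACTS = {
    "pkg:pypi/webfw@2.1.0": b"webfw-2.1.0 wheel contents (constructed)",
    "pkg:pypi/jsonlib@1.4.2": b"jsonlib-1.4.2 wheel contents (constructed)",
    "pkg:pypi/httpcore@0.9.3": b"httpcore-0.9.3 wheel contents (constructed)",
    "pkg:pypi/tlslib@3.0.1": b"tlslib-3.0.1 wheel contents (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed CycloneDX-style SBOM: acme-app depends directly on webfw and
# jsonlib; webfw pulls in httpcore, which pulls in tlslib.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:pypi/acme-app@1.0.0", "name": "acme-app"}},
    "components": [
        {
            "bom-ref": ref,
            "name": ref.split("/")[1].split("@")[0],
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(payload)}],
        }
        for ref, payload in ARTIFACTS.items()
    ],
    "dependencies": [
        {"ref": "pkg:pypi/acme-app@1.0.0",
         "dependsOn": ["pkg:pypi/webfw@2.1.0", "pkg:pypi/jsonlib@1.4.2"]},
        {"ref": "pkg:pypi/webfw@2.1.0", "dependsOn": ["pkg:pypi/httpcore@0.9.3"]},
        {"ref": "pkg:pypi/httpcore@0.9.3", "dependsOn": ["pkg:pypi/tlslib@3.0.1"]},
        {"ref": "pkg:pypi/jsonlib@1.4.2", "dependsOn": []},
        {"ref": "pkg:pypi/tlslib@3.0.1", "dependsOn": []},
    ],
})


def classify_dependencies(sbom_text: str):
    """Return (direct, transitive) sets of bom-refs for the SBOM's root component."""
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    # Breadth-first walk from the direct dependencies; `seen` also guards
    # against cycles, which real dependency graphs occasionally contain.
    seen, queue = set(direct), deque(direct)
    while queue:
        for child in graph.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return direct, seen - direct


def verify_component_hashes(sbom_text: str, fetched: dict) -> dict:
    """Compare each component's recorded SHA-256 with the hash of the artifact actually obtained.

    Returns a mapping of bom-ref -> "ok", "MISMATCH" or "unverifiable" (no hash
    recorded or artifact not present), so a tampered or swapped component is
    surfaced rather than silently accepted.
    """
    sbom = json.loads(sbom_text)
    results = {}
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        recorded = next((h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"), None)
        if ref not in fetched or recorded is None:
            results[ref] = "unverifiable"
        else:
            results[ref] = "ok" if sha256_hex(fetched[ref]) == recorded else "MISMATCH"
    return results


if __name__ == "__main__":
    direct, transitive = classify_dependencies(SBOM_JSON)
    print("direct:    ", sorted(direct))
    print("transitive:", sorted(transitive))
    # Simulate a swapped tlslib artifact to show the mismatch path.
    tampered = {**ARTIFACTS, "pkg:pypi/tlslib@3.0.1": b"not the recorded artifact"}
    for ref, status in verify_component_hashes(SBOM_JSON, tampered).items():
        print(f"{status:12} {ref}")
```

Two transitive components here (httpcore and tlslib) never appear in the application’s own manifest, which is exactly the blind spot the survey describes; the hash check is only as good as the SBOM’s provenance, so it complements, rather than replaces, verifying where the SBOM itself came from.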

Additional results from the research, in which core project maintainers discussed their best practices, will be released in the third quarter of 2022. Listen to the podcast to learn more about the report’s results and what The Linux Foundation is doing to help upskill the IT workforce in cybersecurity.
