Linux Foundation and LISH publish latest open-source census with suggestions to boost security

Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter (@Gadget_Ry) or Mastodon (@gadgetry@techhub.social)


The latest open-source census has been published by the Linux Foundation and Laboratory for Innovation Science at Harvard University (LISH) with some interesting observations.

Now in its second edition, the census examines the current state of open-source software. The latest report, catchily titled “Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software,” focuses on common Free and Open Source Software (FOSS) used in production applications.

Jim Zemlin, executive director at the Linux Foundation, said:

“The Census II report addresses some of the most important questions facing us as we try to understand the complexity and interdependence among open-source software packages and components in the global supply chain.

The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that result in trust and transparency in software.”

The report identifies the top 10 most popular JavaScript libraries:

  • Async: Provides straightforward, powerful functions for working with asynchronous JavaScript.

  • Inherits: Browser-friendly inheritance fully compatible with standard node.js inherits.

  • Isarray: Array#isArray for older browsers and deprecated Node.js versions.

  • Kind-of: Grabs the native JavaScript type of a value.

  • Lodash: A modern JavaScript utility library delivering modularity, performance & extras.

  • Minimist: Parses argument options.

  • Natives: Enables interactions with Node.js’s native JavaScript modules.

  • Qs: A querystring parsing and stringifying library with some added security.

  • Readable-stream: Node.js core streams for userland.

  • String_decoder: Node-core string_decoder for userland. 

And the top 10 non-JavaScript libraries:

  • Com.fasterxml.jackson.core:jackson-core: Core part of Jackson that defines Streaming API as well as basic shared abstractions.

  • Com.fasterxml.jackson.core:jackson-databind: General data-binding package for Jackson (2.x).

  • Com.google.guava:guava: Google core libraries for Java.

  • Commons-codec: Apache Commons-Codec encoding software.

  • Commons-io: A library of utilities for IO operations.

  • Httpcomponents-client: Responsible for creating and maintaining a toolset of low-level Java components focused on HTTP and associated protocols.  

  • Httpcomponents-core: Responsible for creating and maintaining a toolset of low-level Java components focused on HTTP and associated protocols. 

  • Logback-core: A Java logging framework.

  • Org.apache.commons:commons-lang3: A package of Java utility classes for the classes that are in java.lang’s hierarchy.

  • Slf4j: Simple Logging Facade for Java.

FOSS makes up over 80 percent of modern apps, which highlights the importance of ensuring good code and security practices are being used.

The census reports are part of the multi-million Linux Foundation Core Infrastructure Initiative (CII), which helps to fund open source projects. If there was any doubt about how important the industry considers the CII, the project is backed by companies like Microsoft, Amazon Web Services, Google, Huawei, IBM, Qualcomm, Intel, Facebook, and more.

CII was born in the aftermath of the Heartbleed security bug discovered in the OpenSSL cryptography library in 2014. Some estimates put the number of web servers impacted by Heartbleed at half a million, or almost 20 percent.

“Open source is an undeniable and critical part of today’s economy, providing the underpinnings for most of our global commerce. Hundreds of thousands of open-source software packages are in production applications throughout the supply chain, so understanding what we need to be assessing for vulnerabilities is the first step for ensuring long-term security and sustainability of open-source software,” said Zemlin.

A companion report provides advice on how to counter the issues raised in the census publication. The eight best practices covered in the report are:

  • Roles and responsibilities.

  • Security policy.

  • Know your contributors.

  • The software supply chain.

  • Technical security guidance.

  • Security playbooks.

  • Security testing.

  • Secure releases and updates.

The full companion report, titled “Improving Trust and Security in Open Source Projects,” is available as a PDF.


Author

  • Ryan Daws

