LFD121 is a free course offered by OpenSSF that takes about 14-18 hours to complete. Any student who passes the final exam gets a certificate that is valid for two years.  

The course is broken down into three parts. The first part covers the basics of secure software development, like how to implement secure design principles and how to secure the software supply chain. Part two covers implementation of those basics and then part three finishes up with security testing and also covers more specialized topics like threat modeling, fielding, and formal methods for verifying that software is secure. 

The new interactive labs are not required for completing the course, but do enhance the experience, OpenSSF explained. The labs launch directly in the web browser, meaning no additional software needs downloading. 

Each lab involves working through a specific task, such as validating input of a simple data type. “Learning how to do input validation is important,” said David Wheeler, director of open source supply chain security, at OpenSSF. “Attackers are *continuously* attacking programs, so developers need to learn to validate (check) inputs from potential attackers so that it’s much harder for attackers to malicious inputs into a program.”

Each lab includes a general goal, background on the issue, and information about the specific tasks. Students will work through a pre-written program that has some areas that will need to be filled in by the student. 

According to Wheeler, the goal of all of the labs isn’t to learn specific technologies, but to learn core concepts about writing secure software. For example, in the input validation lab, the student only needs to fix one line of code, but that line of code is the one that does the validation, and therefore, is critically important. 

“In fact, without the input validation line to be crafted by the user, the code has a vulnerability (specifically a ‘cross-site scripting vulnerability’),” said Wheeler.

Students can also get help throughout the lab by requesting context-specific hints that take into account where they are stuck. Wheeler explained that the hints help students progress through the labs even if they’re not familiar with the particular programming language used in the lab. 

The post OpenSSF updates its Developing Secure Software course with new interactive labs appeared first on SD Times.

Passkeys are a safer alternative to passwords where users can authenticate using biometrics, a PIN, or pattern, and have been adopted by a number of other technology companies, like Amazon, GitHub, Google, PayPal, and more. 

With the new API support for third-party passkey providers, users will be able to utilize their preferred external passkey app. To implement this, Microsoft has been partnering with providers like 1Password, Bitwarden, and others.

“At Microsoft, we truly believe that security is a team sport. By partnering with OEMs, app developers and other partners in the ecosystem, and by helping people be better at protecting themselves—we are continuing to make Windows more secure by design and more secure by default,” Katharine Holdsworth, partner group product manager for Windows Security at Microsoft, wrote in a blog post. 

The experience for creating and using passkeys has also been improved. When a user visits a website that supports passkeys, they will be prompted about how they want to save those passkeys, with one of the options being to save to their Microsoft account. Users saving to their Microsoft account will need to go through a one-time setup where they will create a recovery key that will later be used to verify their identity and protect their passkeys. Once this initial setup is complete, they will be able to sign in to the website and save their passkey through Windows Hello. 

Passkeys saved through Windows Hello can be synced to multiple Windows 11 devices, providing users a more seamless sign-on process across all of their computers. 

“Microsoft is committed to making passkeys more readily available wherever you need them, with the experience, flexibility and durability that you expect when using Windows,” Holdsworth wrote. 

According to Microsoft, these three new features will start rolling out to the Windows Insider channels over the next several months. The company will also be sharing more information during sessions at Authenticate 2024 from October 14 to 16. 

The post Microsoft makes improvements to the passkey experience on Windows 11 appeared first on SD Times.

“The health and security of our global software infrastructure depends on open source maintainers,” Donald Fischer, co-founder and CEO, Tidelift, said in an announcement of the report. “Paying maintainers improves their ability to ensure their projects meet the stringent security requirements that enterprise users require. These survey results show that organizations can positively impact their own security by funding the important work of the open source maintainers whose projects they rely on.”

Among the report’s key findings are that 16% of the 400 respondents to a Tidelift survey identified as unpaid hobbyists and would not want to get paid, while 44% of those unpaid said they would appreciate getting paid. The report noted concern that the percentage of maintainers getting paid for their work hasn’t changed, even with organizations placing a greater focus on software supply chain security.

Maintainers who are paid get their income through donation programs, employers and Tidelift, which did the survey.

About half of the maintainers surveyed said they are underappreciated, and 43% of them said it adds stress to their lives. Not surprisingly, 60% of maintainers have either quit or considered quitting the maintenance work.

One area that has seen growth is in the percentage of maintainers aware of such things as the OpenSSF Scorecard project, the NIST Secure Software Development Framework and the SLSA framework, with the percentage of those unaware of such standards and initiatives decreasing from 52% in 2023 to 40% this year, according to the report.

In light of the XZ Utils hack, two-third of respondents said they are less trusting of pull requests from non-maintainers, but only 37% reported they are less trusting of co-maintainer contributions. According to the report, one maintainer wrote in response to this question:  “I feel the need to add a layer of vetting, but adding any additional layer of friction to a possible open source contributor would just scare them away. I cannot afford to be pushing people away.”

When it comes to AI-based coding tools, maintainers expressed concern, with 45% saying these tools withh have a somewhat negative or negative impact on their work, and 64% saying they’d be less likely to accept contributions they knew were creating using AI. The report found that younger maintainers are more likely to use AI-based tools than their senior counterparts.

You can read the full report here.

The post The state of open source maintainers appeared first on SD Times.

JFrog Runtime is a new security solution that enables developers to discover vulnerabilities in runtime environments. It monitors Kubernetes clusters in real time to identify, prioritize, and remediate security incidents based on their risk.

It provides developers with a method to track and manage packages, organize repositories by environment types, and activate JFrog Xray policies. Other benefits include centralized incident awareness, comprehensive analytics for workloads and containers, and continuous monitoring of post-deployment threats like malware or privilege escalation.

“By empowering DevOps, Data Scientists, and Platform engineers with an integrated solution that spans from secure model scanning and curation on the left to JFrog Runtime on the right, organizations can significantly enhance the delivery of trusted software at scale,” said Asaf Karas, CTO of JFrog Security.

Next, the company announced an expansion to its partnership with GitHub. New integrations will provide developers with better visibility into project status and security posture, allowing them to address potential issues more rapidly. 

JFrog customers now get access to GitHub’s Copilot chat extension, which can help them select software packages that have already been updated, approved by the organization, and safe for use. 

It also provides a unified view of security scan results from GitHub Advanced Security and JFrog Advanced Security, a job summary page that shows the health and security status of GitHub Actions Workflows, and dynamic project mapping and authentication. 

Finally, the company announced a partnership with NVIDIA, integrating NVIDIA NIM microservices with the JFrog Platform and JFrog Artifactory model registry. 

According to JFrog, this integration will “combine GPU-optimized, pre-approved AI models with centralized DevSecOps processes in an end-to-end software supply chain workflow.” The end result will be that developers can bring LLMs to production quickly while also maintaining transparency, traceability, and trust. 

Benefits include unified management of NIM containers alongside other assets, continuous scanning, accelerated computing through NVIDIA’s infrastructure, and flexible deployment options with JFrog Artifactory. 

“As enterprises scale their generative AI deployments, a central repository can help them rapidly select and deploy models that are approved for development,” said Pat Lee, vice president of  enterprise strategic partnerships at NVIDIA. “The integration of NVIDIA NIM microservices into the JFrog Platform can help developers quickly get fully compliant, performance-optimized models quickly running in production.”

The post JFrog helps developers improve DevSecOps with new solutions and integrations appeared first on SD Times.

Copilot Autofix in GitHub Advanced Security (GHAS) analyzes vulnerabilities, explains their importance, and offers suggestions on how to remediate them. 

“For developers who aren’t necessarily security experts, Copilot Autofix is like having the expertise of your security team at your fingertips while you review code,” Mike Hanley, chief security officer and SVP of engineering at GitHub, wrote in a blog post.  

When GHAS finds a vulnerability, there is now a button that developers can click and have Copilot Autofix generate a fix. Then, developers can either dismiss the suggestion or have it create a new pull request with a code change that remediates the issue. 

It can generate fixes for dozens of classes of vulnerabilities, including SQL injection and cross-site scripting. 

Copilot Autofix was first introduced as a public beta in March, and according to the company, beta participants were able to fix vulnerabilities three times faster than developers fixing them manually. Fixing cross-site scripting vulnerabilities was seven times faster and fixing SQL injection vulnerabilities was 12 times faster. 

According to GitHub, Copilot Autofix will help cut down on technical debt when it comes to vulnerabilities. The company explained that the longer a vulnerability remains in a codebase, the more difficult it is to remove them.

“When a developer is asked to fix vulnerabilities in code that they haven’t seen in a while or aren’t familiar with, it can take hours to assess the surrounding code and experiment with manual fixes,” Hanley wrote.

The new functionality is available to any GitHub customer with an Advanced Security license, and, starting in September, Copilot Autofix will be made available for free to open source maintainers as well. 

“As the global home of the open source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open source software is safer and more reliable for everyone,” Hanley wrote. 

You may also like…

Harness software intelligence to conquer complexity and drive innovation

Software engineering leaders must act to manage integration technical debt

The post GitHub’s Copilot Autofix generates remediation fixes for code vulnerabilities appeared first on SD Times.

Here is an edited and abridged version of that conversation:

One of the things that stuck out to me in this year’s list is this idea that there’s been this shift from generative AI to agentic AI. Can you explain what agentic AI is and what the shift means?

Absolutely, the trend you’re talking about is a shift from focusing purely on generation of text using artificial intelligence to building AI agents that actually are capable of accomplishing actions on people’s behalf. When we think about an AI agent, we think about a piece of software that’s going to actually be able to take a general set of instructions, and be able to generate a visualization or access a database or trigger actions within another application.  The most exciting thing we see right now is the shift towards actually using these next generation models in more of an action taking context. 

As you wrote in the report, the rise of these AI agents is sort of giving way to a number of other emerging technologies on the list, including TuringBots, edge intelligence, autonomous mobility and extended reality. Can you briefly explain those other technologies and why AI agents are so important for their growth?

I think it’s important, before I get to those other technologies, to also explain the idea of an AI creating an intelligent agent. Earlier AIs that could go do things were narrow and constrained to a particular environment, using things like reinforcement learning. What we’re seeing today is taking the capabilities of large language models to break those instructions into specific steps and then go execute those steps with different tools. 

When we think about that kind of design and how that might play out across a bunch of other emerging technologies in our list, a really interesting story starts to emerge. For example, one of the other emerging technologies we have is TuringBots, which we’ve been writing about since 2020. TuringBots are autonomous coding bots, and what we saw in 2020 was the ability, in theory, that given enough training data — like all the source code in a repository that you kept in a GitHub repository — you could train a machine learning algorithm to go write code based on that training data. 

What we saw with generative AI in 2022 was that capability was dramatically accelerated, because before it gets compiled, software code is just text. So we saw that accelerate. When we first identified TuringBots as an emerging technology, we put it in the five to 10 years before we thought there would be benefit for most average enterprises. This year we moved it into the one to two year near term benefit horizon because of the acceleration that state of the art generative AI models are improving their ability to generate useful code. 

We recognize that a TuringBot is itself an agent, and what we’re seeing is the use of agent methodologies to create, perhaps swarms of TuringBots that are operating in different developer capacities, from design to coding to testing to deployment. 

And when we think about this, if we can produce software code with much lower human effort, we can iterate much more quickly. And if we can iterate on innovation ideas more quickly, we can get through the ones that aren’t good and produce the ones that are much, much faster. And we know that leads to an uptick in the pace of business changes. 

You asked about the other emerging technologies, and I’ll be a little more brief. Edge intelligence is about using information that’s outside the data center or outside the cloud, outside of a centralized location, to process information and use that information to create action and intelligence. Prior to this year, it was mostly focused on things like computer vision. So you had a very narrow model trained to recognize certain kinds of objects, and it would go do that computer vision recognition well. But what you did with that recognition, frankly, then had to be programmed in some kind of heuristics or code. 

What we’re beginning to see is — for instance, in the Apple Intelligence announcement but there’s others as well — how we are able to take agents that can do things, train them, and make them small enough to run on various edge devices. And then those edge environments, beyond just being able to perhaps converse in natural language with humans on the edges, can converse among themselves. 

The example that we give is there is a vendor who is looking at creating augmented reality overlays in the next generation firefighting helmet, which is an effort being sponsored by Homeland Security. If we begin to think about putting agents in those helmets, then a lot of the communication those firefighters would have to do themselves could be handled by agents in each one of these helmets, looking at those augmented reality displays and making decisions about where different firefighting assets need to be placed to offload that from the need for human communication in a scenario like that. 

So that’s an example of how generative AI is kind of serving as the foundation for agents, and those are then creating new innovation possibilities in edge intelligence. Same is true for autonomous mobility. We’re going to see these agents deployed in IoT environments, so that drones and robots can be a lot smarter in their communication with the surrounding environment. So we just see this whole idea of acceleration from generative AI creating a revolution in the ability to use it to do things, and then that’s moving into a bunch of other emerging technologies in our list and accelerating them.

A lot of the items on the list were AI related, but there are also three security items on it, so I kind of want to shift over to that side of things. So what have you been seeing in the security space that’s influenced the technologies that were on the list?

Actually, I’d like to answer that question the other way around. Why are things happening with the other emerging technologies that make security so important? This year when we did the research the idea dawned on us that those who achieve these future benefits are going to be the ones with the presence of mind to invest in security today. 

I’m seeing this play out over and over as I talk to clients who are telling me stories that they’ve been meaning to invest in better IoT security for years, and they just don’t see the value in it, because it costs money and it’s complicated and it doesn’t have an immediate top line impact. IoT security is on our list and IoT security has been around as long as there have been devices to secure, you know, 30 years. Why is it there this year? We see an enormous amount happening in the space, and the reason for that is, very simply, all these AI tools that the enterprises are getting and figuring out how to use to their advantage are also tools available to the bad actors. 

What’s happening is organizations invest in more devices, more smart connected things, and we’re essentially increasing the attack surface by which smart hackers with an army of very smart bots can launch attacks to get in an operational technology environment, your faxes, your printers, that thing that you haven’t updated the firmware for in 15 years is sitting in the corner in your office, connected to your network. 

So IoT securities have really become really important, and there’s an awful lot going on in that space right now in terms of vendors and how they’re providing new capabilities for inventory and remediating all your IoT devices.

The other two are zero trust edge and quantum security. Zero trust edge is essentially a packaged set of technologies that give you a whole bunch of capabilities that combine networking and security into a cloud-based, as-a-service delivery model. So you get all the features of managed cloud services, and you get the ability to manage your security down at the network level, which means, according to principles of zero trust, you don’t have a firewall anymore. You inspect everything and trust nothing, and therefore you’re looking at all the packets going across your network. 

The problem is that it requires firms to be pretty modern in their approach to cloud native software deployment and management, and a lot of firms are still pretty behind on that. There’s a lot of legacy devices out there, that fax machine sitting in the corner that doesn’t use modern protocols, modern security, doesn’t easily connect to this kind of agent-based zero trust edge architecture. It’s complicated, and the vendors are busy consolidating. So that’s why we think it’s going to take five more years before this really pays off. That doesn’t mean that today you can’t start working on it by making sure that you’re ready for a modern cloud-native way to manage both networking and security together. There’s a lot that needs to be done. 

There’s also been a lot of hype around quantum computers for the last 10 years, and we think quantum computers are 10 to 15 years out from actually being able to threaten today’s best PKI encryption. So it’s easy to say, well, it’s 10 to 15 years out, I don’t need to do anything now. But nobody knows how fast quantum computers are going to advance. It could be a lot faster, could be five years. What you have to worry about is the attack of save now, decrypt later. You’ve got to start now implementing quantum safe algorithms to make sure your data is protected.

But the real reason we put it on the on the top 10 list this year is because implementing quantum safe algorithms and being able to rapidly change algorithms as quantum computers advance and new quantum safe algorithms are put forward, is part of a broader effort around cryptographic agility, and cryptographic agility has many benefits beyond protecting you from quantum attacks. New hacks are coming out all the time, so by looking at cryptographic agility solutions today in preparation for being ready for quantum attacks, you’re actually improving your whole security posture. There’s many benefits to starting now, which is why we put it in the top 10. 

We covered a lot here today, so is there a takeaway that developers and leaders should come away with as they think about what to focus on in the next year? 

You have to spread your investments out. Short term is easy, it gives me benefits that I can measure, my finance people like it. But you have to take some of those mid and long-term shots as well. And a lot of the long term things that we have will require big foundational investments to be ready. 

I think corollary to that is with the speed of acceleration that we’re seeing happening primarily because of the advancements in AI today, we’re much less certain what the future is going to hold, and we’ll have much less time to deal with it. What that means is instead of saying here’s what the future is going to be, here’s our bet, you’re going to have to spread your bets out across a range of possible options. So you’re going to have to hedge your bets a little bit and use more of an options-based strategy to figure out where you spend your money, so that no matter which things break and go, we have a better chance of being ready for whatever happens.

The post Q&A: 10 emerging technologies to watch in 2024 appeared first on SD Times.

The AAKB includes a database of common code issues, complete with examples on how to remediate them and explanations on how to implement specific code patterns. 

Google already does scan Android apps for vulnerabilities, and informs developers so they can remediate the issue or it removes the app if the issue isn’t fixed. 

“We know that it isn’t always enough to just tell you about a vulnerability in your app; you need to know how to fix the issue and how to prevent similar issues from cropping up in the future,” the Android team wrote in a blog post. 

According to Google, the AAKB is aligned with the OWASP Mobile Application Security Verification Standard (MASVS). It is also vetted by technical experts from different organizations, including Microsoft. 

“This helps ensure the content is not biased to one party and represents state-of-the-art standards. This also provides an educational place for you to proactively remediate security risks in your applications using industry-wide standards, with direct access to knowledge from subject-matter experts,” the Android team wrote. 

The repository can be accessed through the AAKB homepage or in Android Studio, where remediation guidance now shows up in lint checks, with a link to the relevant AAKB article. 

You may also like…

Android’s new Collections feature brings together relevant content from installed apps into one spot

The evolution and future of AI-driven testing: Ensuring quality and addressing bias

The post Google launches new knowledge base for remediating vulnerabilities in Android apps appeared first on SD Times.

This new free tool automates the process of creating SBOMs. Developers give the SBOM Manager access to their code repositories and it will create an SBOM that includes inventories of components, vulnerabilities, and licenses. Alternatively, they can import an existing SBOM file to speed up the process. 

Once created, owners can edit the details, add custom metadata, and catalog components so that they can be used across different SBOM. 

They can also define custom licenses and manage open source license risks, obsolescence, and copyrights. 

The created SBOMs can be exported into various formats including Excel, Word, PPT, and CycloneDX. 

The platform also includes an interactive dashboard that provides at-a-glance insights of component categories, vulnerabilities, and licenses. 

“The product leverages advanced software intelligence to provide an automated, customizable, and user-friendly approach to SBOM management,” said Greg Rivera, vice president of CAST. “This product is intended for organizations that need to generate and maintain accurate SBOMs without the complexity and high costs associated with traditional solutions.”

You may also like…

Companies still need to work on security fundamentals to win in the supply chain security fight

The post CAST simplifies SBOM creation with new free tool appeared first on SD Times.

CoSAI was founded by Amazon, Anthropic, Chainguard, Cisco, Cohere, GenLab, Google, IBM, Intel, Microsoft, NVIDIA, OpenAI, Paypal and Wiz. It will be hosted at the standards body OASIS Open. 

The group will focus on helping companies mitigate AI-related risks, such as model theft, data poisoning, prompt injection, scaled abuse, and inference attacks. 

CoSAI will initially create three workstreams: software supply chain security for AI systems, preparing defenders for a changing cybersecurity landscape, and AI security governance. 

The organization will also coordinate with other initiatives, such as the Frontier Model Forum, Partnership on AI, Open Source Security Foundation, and ML Commons. 

“We’ve been using AI for many years and see the ongoing potential for defenders, but also recognize its opportunities for adversaries. CoSAI will help organizations, big and small, securely and responsibly integrate AI – helping them leverage its benefits while mitigating risks,” said Heather Adkins, vice president and cybersecurity resilience officer at Google. 

You may also like…

Anthropic, Google, Microsoft, and OpenAI form group dedicated to safe development of frontier AI models

OpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs

The post Coalition for Secure AI forms to address security risks of AI appeared first on SD Times.

According to research from IDC, there has been a 241% increase year-over-year in supply chain attacks, but a new survey from JFrog had only 30% of respondents citing supply chain security as a top security concern.

The report also revealed disconnects between how leaders perceive the security of their organization versus the frontline software teams managing it. Ninety-two percent of executives believe their companies have tools to detect malicious open-source packages, compared to only 70% of developers. Similarly, 67% of executives think that code-level security scans are being regularly conducted, compared to only 41% of developers confirming they do this. 

There is a similar disconnect when it comes to AI/ML. Over 90% of executives said that their development teams were using ML models in their applications, but only 63% of developers say that’s true. 

And 88% of executives think that AI tools are being used for security scanning, but only 60% of DevSecOps teams say they are actually using AI-powered security tools. 

“The complexity of today’s software supply chain poses unprecedented risks. Despite leadership efforts to enable frontline teams with the right equipment, developers are struggling to improve efficiency and accelerate productivity due to tool sprawl, lengthy open source and ML model approvals, plus audit and compliance checks,” said Moran Ashkenazi, SVP & CISO, JFrog. “This discrepancy highlights the urgency for organizations to rethink their security strategies, focus more on AI/ML components, and align executives and doers on a mission to fortify their software supply chains.”

You may also like…

Companies still need to work on security fundamentals to win in the supply chain security fight

Developers, leaders disconnect on productivity, satisfaction

The post Report: Execs and devs have different perceptions around supply chain security, AI use appeared first on SD Times.