Open source software security vulnerabilities exist for over four years before detection

It can take an average of over four years for vulnerabilities in open source software to be spotted, an area in the security community that needs to be addressed, researchers say. 

According to GitHub’s annual State of the Octoverse report, published on Wednesday, reliance on open source projects, components, and libraries is more common than ever. 

Over the course of 2020, GitHub tallied over 56 million developers on the platform, with over 60 million new repositories being created — and over 1.9 billion contributions added — over the course of the year. 

“You would be hard-pressed to find a scenario where your data does not pass through at least one open source component,” GitHub says. “Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global


Open source data startup Hazelcast fills five leadership roles

  • The data processing and computing platform Hazelcast announced Wednesday that it has hired a new chief financial officer and chief marketing officer, and it promoted a new chief product officer, chief technology officer, and chief revenue officer. 
  • Hazelcast CEO Kelly Herrell says the next phase for the company is to continue scaling, as it plans to double its growth rate and forge partnerships with companies like IBM.
  • Hazelcast’s cofounders have all left the company, but cofounder Talip Ozturk still serves on the advisory board.

The data processing and computing platform Hazelcast has completely revamped its leadership team as it races towards aggressive growth targets. In a mix of promotions and new hires, the 12-year-old firm has made five new appointments: 

Hazelcast promoted former consultant David Brimley to chief product officer, former VP of solution architecture John DesJardins to chief technology officer, and former


Open Source Web Engine Servo to be Hosted at Linux Foundation

SAN FRANCISCO, Nov. 17, 2020 /PRNewswire/ — KubeCon — The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it will host the Servo web engine. Servo is an open source, high-performance browser engine designed for both application and embedded use and is written in the Rust programming language, bringing lightning-fast performance and memory safety to browser internals. Industry support for this move is coming from Futurewei, Let’s Encrypt, Mozilla, Samsung, and Three.js, among others. 

“The Linux Foundation’s track record for hosting and supporting the world’s most ubiquitous open source technologies makes it the natural home for growing the Servo community and increasing its platform support,” said Alan Jeffrey, Technical Chair of the Servo project. “There’s a lot of development work and opportunities for our Servo Technical Steering Committee to consider, and we know this cross-industry open source collaboration model will enable us


Open Source Software Terrascan Extends Policy as Code Support to Helm, Kustomize

OPA-Based architecture eases governance across multiple cloud native technologies

From KubeCon + CloudNativeCon North America – Accurics, the cloud cyber resilience specialist, today announced that Terrascan, the open source static code analyzer that enables developers to build secure infrastructure as code (IaC), has been extended to support Helm and Kustomize, both projects from the Cloud Native Computing Foundation (CNCF) that have gained immense popularity. This enables organizations to ensure applications on Kubernetes clusters are secure and compliant before they are deployed.

“Given the increasing scale and velocity of cloud breaches, organizations need policy guardrails to ensure that cloud native infrastructure is securely defined and managed,” said Cesar Rodriguez, creator of Terrascan and head of Developer Advocacy at Accurics. “Now, with the additional support for Helm and Kustomize, teams using Terrascan to programmatically establish Policy as Code guardrails in their high-velocity, component-based Kubernetes projects have a way to reduce security


Zilliz raises $43 million as investors rush to China’s open source software

For years, founders and investors in China had little interest in open source software because it did not seem like the most viable business model. Zilliz’s latest financing round shows that attitude is changing. The three-year-old Chinese startup, which builds open source software for processing unstructured data, recently closed a Series B round of $43 million.

The investment, which catapults Zilliz’s to-date raise to over $53 million, is a sizable amount for any open source business around the world. Storied private equity firm Hillhouse Capital led the round joined by Trustbridge Partners, Pavilion Capital, and existing investors 5Y Capital (formerly Morningside) and Yunqi Partners.

Investors are going after Zilliz as they increasingly recognize open source as an effective software development strategy, Charles Xie, founder and CEO of Zilliz, told TechCrunch at an open source meetup in Shenzhen where he spoke as the first Chinese board chairperson for Linux Foundation’s AI


How to build a successful business model around open source software

Open source software is an increasingly important part of many organizations. Yet establishing sustainable business models to support open source development is a non-trivial problem because the underlying technologies are given away for free. 

But it’s still possible to build a successful business around open source software — I know, because my team already did it. KNIME has managed to establish a new business model for providing production-ready open source enterprise software; let me explain how.

Unlike business models based on selling a proprietary version of an open source software application, we went for offering two separate but complementary pieces of software.

I’ve found this allows for a clear division between the open source application and the commercial offering so that individuals have the typical open source innovation climate, while the commercial software helps the organization productionize their results in a scalable and risk-mitigated way.



Uber in talks to sell its ATG self-driving unit to Aurora – source

FILE PHOTO: An Uber sticker is seen on driver Margaret Bordelon’s car in Lafayette, Louisiana, U.S. February 16, 2020. REUTERS/Callaghan O’Hare

(Reuters) – Uber Technologies Inc UBER.N is in talks to sell its autonomous driving unit, Uber Advanced Technologies Group (ATG), to self-driving car startup Aurora, a source familiar with the matter told Reuters.

The talks are still ongoing and there is no certainty a deal could be reached, the source said, adding that Uber is also considering taking a stake in the new company if Aurora takes over ATG.

Uber’s ATG, which works to develop autonomous driving technology, counts Toyota Motor Corp 7203.T and SoftBank Group Corp 9984.T among its investors. Earlier last year, the unit had raised $1 billion (758 million pounds) from a consortium of investors including SoftBank, that valued it at $7.25 billion.

Uber has been seeking options for its autonomous vehicle divisions, a heavy cash burn


Alleged source code of penetration testing software Cobalt Strike published on GitHub

Source code allegedly belonging to commercial penetration testing software Cobalt Strike has been published on GitHub, potentially providing a new path for hackers to attack companies.

Penetration testing, usually abbreviated as pen testing, has legitimate uses as a tool for assessing security but can also be used by bad actors to attack a company. Ethical pen testing involves simulated attacks on a computer system to evaluate the security of that system. In the hands of hackers, the same pen testing software can be used to identify security issues that can be exploited.

Cobalt Strike, which pitches itself as a legitimate pen testing solution, has been controversial for years thanks to its use by hacking groups, though they had to pay $3,500 per year for a license to use the software or use a pirated copy. Malpedia has a page dedicated to Cobalt Strike, noting that it allows an
