Source: www.darkreading.com – Author: Dark Reading Staff
2 Min Read
Source: MaximP via Shutterstock
The Open Source Security Foundation (OpenSSF) has launched Siren, an email mailing list to share threat intelligence about vulnerabilities in open source software.
Siren aims to “aggregate and disseminate threat intelligence” to provide real-time security warning bulletins and deliver a community-driven knowledge base, according to OpenSSF. Members can use the mailing list to provide and receive information, such as tactics, techniques, and procedures used in attacks on open source software, as well as indicators of compromise from real incidents.
The initiative is driven, in part, by the recent discovery of a backdoor in the XZ Utils library, when it became clear that there was no centralized method for open source projects to distribute and receive threat intelligence. As different researchers dug into the backdoor in XZ Utils, their findings were shared in various forums and independent blogs, but there was no central location for people to find relevant information.
Various industry sectors rely on information sharing and analysis centers (ISACs) to facilitate the distribution of threat information regarding attacks against that sector. The existing oss-security mailing list is useful for communicating vulnerabilities within the community, but there is a “lack of efficient channels for sharing information about exploits with a broader audience, including open source projects, distributors, security researchers, and developers,” OpenSSF said.
OpenSSF’s hope is that the mailing list could fill this gap for open source projects and give the community a centralized location to find information about threats as they occur. Siren will not be a place to disclose new flaws but rather a “post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination.”
Siren will be publicly available. Registration will be required to post on the list. OpenSSF encourages people across the community, “a developer, maintainer, or security enthusiast,” to sign up.
Original Post URL: https://www.darkreading.com/application-security/openssf-siren-to-share-threat-intelligence-for-open-source-software
Category & Tags: –
Views: 0
