web analytics

Open Source Security Priorities Get a Reshuffle – Source: www.darkreading.com

open-source-security-priorities-get-a-reshuffle-–-source:-wwwdarkreading.com
Rate this post

Source: www.darkreading.com – Author: Robert Lemos, Contributing Writer

software components connected development

Source: Photon Photo via Shutterstock

Open source components aimed at connecting applications to cloud resources and those written in Python have jumped up the list of critical packages, according to the latest rankings of the open source software ecosystem — a reordering that underscores the projects that need to be well-funded to improve the security of the software ecosystem.

The data-collection effort — known as the “Census of Free and Open Source Software” — classifies the open source projects into eight top 500 lists, depending on their ecosystem, whether version information is included, and whether direct and indirect dependencies are taken into account. The latest survey of software, known as Census III, found that packages for Python software and those meant to connect developers with specific cloud services — such as a toolkit for Amazon’s Elastic Computing Cloud (EC2) or the API for connecting Go programs to Google Cloud — have become much more popular and, thus, critical to software development.

While cloud-native and hybrid development are by no means new, cloud providers have created an increasing number of software development kits (SDKs) for developers. Their widespread use has boosted those tools in the rankings of critical software, says David Wheeler, director of open source supply chain security for the Linux Foundation, which collaborates with Harvard Business School to produce the census.

“Cloud providers offer a lot of specialized services, but the early uses of cloud were a lot of lift-and-shift moves,” he says. “Increasingly, we’re seeing people write software specifically intended to be run on a cloud, [and there is a] rising level of these kinds of packages — it’s something that is dramatically increasing.”

The third “Census of Free and Open Source Software” report comes more than two years after the official publication of Census II in March 2022 — an initial version of that report was released in 2020 — and nine years after the original census report. The data-collection exercises aim to identify the most critical open source software so that the public and private sectors can effectively invest in the projects as a path to improve software security. Each software package is scored using data from software supply chain firms FOSSA, Snyk, Sonatype, and the Synopsys Cybersecurity Research Center (CyRC).

The resilience of the software supply chain has become a major concern of the software industry and national governments. The Biden administration, for example, released a National Cybersecurity Strategy that firmly emphasized finding ways to improve the security of software and the open source ecosystem on which most applications rely.

Critical Connections to the Cloud

The Amazon Web Services (AWS) software development kit for Python, known as Boto3, rose to fifth place on the list of critical software on the “Non-npm, Direct, Version Agnostic Packages” list. The library was not ranked in the previous Census II. A similar package — aws-sdk — rose to the seventh spot on the JavaScript-ecosystem “npm, Direct, Version Agnostic Packages” list, from 307th in the previous census.

Other cloud-focused packages saw similar jumps: The software development kit to connect Go programs to Google Cloud ranked eighth, while the AWS kit for .NET rose to number 30. Neither were ranked in the previous census.

Because the Node Package Manager (npm) ecosystem sees a significant volume of JavaScript downloads — 4.5 trillion in 2024, compared to 530 billion for Python, according to Sonatype — the data overwhelms measurements of popularity. As a result, the census breaks out npm downloads from those for other software ecosystems.

The data underscores the criticality of open source software to the infrastructure underpinning cloud services, says Brian Fox, CTO and co-founder of Sonatype, a software supply chain management firm.

“Open source across the board just continues to see ‘hockey stick’ growth year after year, which is shocking — we’re starting to see really, really big numbers,” he says. “That’s the reason why they’re doing the census, because it is so important to be shining a light on these things.”

Perils of Python 2 Boost Compatibility Library

Replacing or patching outdated software has become a central focus of efforts to eliminate vulnerabilities from software. Over the past decade, for example, Python developers have only slowly moved to use Python 3, which was originally introduced in 2006. Last year, 1% of Python developers used Python 2 as their primary programming language, down from 13% in 2019, according to data from JetBrains’ annual “Developer Ecosystem” report.

As a result, a project designed to allow compatibility between software written in Python 2 and code in Python 3 — the “Six” project — has become a critical software component, according to Census III. Typically, Python versions are supported for five years. Python 3.11 — currently used by 27% of developers as their primary programming language, making it the most popular version at present — will reach its end of life in October 2027. The final version of Python 2 — version 2.7 — passed its end of life in January 2020.

The data does not address how often developers encounter — and interact with — components written in Python 2. The overwhelming shift to Python 3 is driving the use of Six, as developers need to use older code with programs written in the latest version of Python. In addition, certain groups of developers — such as 29% of data scientists and 19% of Web developers — continue to use some Python 2 code, according to data from JetBrains, a maker of development tools.

“If you look at the raw numbers, Python 3 is far more common, but in various specific domains Python 2 is still widely, widely used, which is why Six is showing up more,” the Linux Foundation’s Wheeler says. “I would argue it’s why we’re finally able to get so many more Python 3 users is because the bridge to move from 2 to 3 is easier.”

While Census III is available to download from the Linux Foundation, companies should be automating their package management and regularly testing and updating their software, says Sonatype’s Fox. The real lesson from the census is not which packages should be given the most attention, but which projects need additional funds and paid maintainers.

“The sustainability of the [open source ecosystem] is something that should be top of mind,” he says. “We’re dependent more and more on largely an aging and unpaid workforce for maintaining critical software — those two things together don’t end well.”

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Original Post URL: https://www.darkreading.com/application-security/critical-open-source-rankings-shuffle-popularity-python-cloud-grows

Category & Tags: –

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
Harvard Business Review
Boards Are Having the Wrong Conversations About Cybersecurity – Board interactions with the CISO are lacking – by Lucia Millica and Keri Pearlson – Harvard Business Review
Boards Are Having the Wrong...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos