March 10-12, 2020
Lake Tahoe, California

Certifying Open Source Projects & Compliance
Tuesday, March 10
 

11:40am PDT

Code Reuse Attacks and How to Find Them - Edward Schwartz, Carnegie Mellon University
Finding code reuse attacks is a mandatory step for exploiting software vulnerabilities in the real world. In this talk, Ed will explain the history of defenses that led to the creation of code reuse attacks, and give a gentle introduction to one of the most well-known examples, Return-Oriented Programming (ROP). He will briefly introduce some of his own research, which measures how much code an attacker needs access to in order to perform such attacks. (Short answer: very little.) Finally, he will explain some of the concrete actions that developers can take to harden their software against code reuse attacks on a variety of platforms.
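The abstract does not list which hardening actions the talk covers. The three a practitioner checks first on Linux are a non-executable stack (NX), a position-independent executable (so ASLR moves the gadgets) and full RELRO (so the GOT cannot be rewritten to hijack an indirect call). The following is an added example, not code from the talk or from any named tool: it reads those three settings directly from an ELF64 program-header table and dynamic section, the way checksec-style tools do. The make_elf() helper fabricates a minimal ELF image so the check runs offline; it is constructed input, not a real binary, and the checker covers little-endian ELF64 only. Stack canaries are deliberately left out, since detecting them needs the symbol table.

```python
"""ELF64 hardening check for the mitigations that blunt code-reuse attacks.

Added example: not code from the talk or from any named tool. Reads NX,
PIE and RELRO state from the program headers and the dynamic section.
Stack-canary detection (look for __stack_chk_fail) needs the symbol
table and is not attempted here. make_elf() builds a synthetic image.
"""
import struct
import sys

# Constants from the ELF gABI and the GNU extensions.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn: d_tag, d_val


def check_hardening(data: bytes) -> dict:
    """Return {"nx": bool, "pie": bool, "relro": "none"|"partial"|"full"}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    # Without PT_GNU_STACK the loader falls back to an executable stack on
    # most architectures, so a missing header counts as NX off.
    nx, relro_segment, dynamic = False, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_segment = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # RELRO is only "full" when relocations are resolved before main() runs
    # (BIND_NOW); with lazy binding the GOT stays writable.
    bind_now = False
    if dynamic:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + DYN.size <= end:
            d_tag, d_val = DYN.unpack_from(data, off)
            off += DYN.size
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True

    relro = "none"
    if relro_segment:
        relro = "full" if bind_now else "partial"
    # Shared libraries are ET_DYN too; newer linkers add DF_1_PIE to tell a
    # PIE apart, but ET_DYN is what makes the loader randomise the base.
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def make_elf(e_type=ET_DYN, stack_exec=False, relro=True, bind_now=True) -> bytes:
    """Constructed minimal ELF64 image: header, program headers, dynamic section."""
    dyn = b""
    if bind_now:
        dyn += DYN.pack(DT_FLAGS, DF_BIND_NOW)
        dyn += DYN.pack(DT_FLAGS_1, DF_1_NOW | (DF_1_PIE if e_type == ET_DYN else 0))
    dyn += DYN.pack(DT_NULL, 0)
    phnum = 3 if relro else 2
    dyn_off = EHDR.size + phnum * PHDR.size
    stack_flags = PF_R | PF_W | (PF_X if stack_exec else 0)
    phdrs = [
        PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16),
        PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8),
    ]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7  # ELFCLASS64, LE, v1, SysV ABI
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    # Usage: python3 elf_hardening.py /path/to/binary (defaults to the synthetic image)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_elf()
    print(check_hardening(image))
```

Run it against a binary built with and without `-fstack-protector-strong -fPIE -pie -Wl,-z,relro,-z,now -Wl,-z,noexecstack` to see the three fields flip; a result of `{"nx": False, ...}` or `"relro": "partial"` is the kind of gap a ROP chain relies on.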

Tuesday March 10, 2020 11:40am - 12:10pm PDT
Grand Sierra A/B

12:20pm PDT

10 Million Packages Later: Open Source Licensing Clarity Solved at Scale - Philippe Ombredanne, Scancode Toolkit and nexB Inc.
Because open source licensing clarity should not be an issue, ClearlyDefined is solving license clarity and compliance issues at scale and for everyone by scanning and reviewing the licenses of every FOSS project. 10 million package scans later, learn the licensing practices and issues of key FOSS package ecosystems and discover in depth the state of open source licensing clarity with ClearlyDefined open data.

What if the licensing of every open source package were clearly defined? The mission of the ClearlyDefined project is exactly that: help free and open source software projects be more successful through clarity in licensing.

How? By scanning all the packages for license and origin at massive scale, and then reviewing these scans one by one for accuracy, in the open, with a community of license curators (and with a bit of machine assistance too).

Join me to survey the licensing approach of FOSS package ecosystems (both for system/Linux distro and application packages) and review in depth the state of open source licensing clarity and quality using the ClearlyDefined open data set.

Speakers
avatar for Philippe Ombredanne

Philippe Ombredanne

ScanCode maintainer, AboutCode.org and nexB Inc.
Philippe Ombredanne is a passionate FOSS hacker, lead maintainer of the ScanCode toolkit and on a mission to make FOSS code easier and safer to reuse with best-in-class open source Software Composition Analysis tools for open source discovery, license & security compliance at https://aboutcode.org...


Tuesday March 10, 2020 12:20pm - 12:50pm PDT
Grand Sierra A/B

2:25pm PDT

The Common Configuration Scoring System for Kubernetes Security - Julien Sobrier, Octarine Labs Inc.
The Common Vulnerability Scoring System (CVSS) is widely used to score vulnerabilities found in Docker images. But how do you score the risk level of an entire workload, with its runtime configurations, network configurations, Pod Security Policy, privileges and capabilities added, etc.?

Julien will explore the Kubernetes Common Configuration Scoring System (KCCSS), an open-source framework to calculate risk scores for Kubernetes workloads, and kube-scan, an open-source scanner that implements the KCCSS. Based on CVSS, it categorizes risks associated with each runtime setting while considering how settings affect one another, and offers a global risk score for each workload, not just for individual settings. Attendees will learn how the KCCSS works, how it is being used by end users for DevSecOps, and best practices for bulletproofing their own K8s applications.
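To make the three ideas in the description concrete (a CVSS-like score per runtime setting, settings that change each other's severity, and one score per workload), here is an added toy scorer. It is not kube-scan and does not use the KCCSS weights or rules; every base score and interaction below is an illustrative assumption, and the pod spec is constructed input. The pod spec fields it reads (hostPID, hostNetwork, hostPath volumes, securityContext.privileged, allowPrivilegeEscalation, runAsNonRoot, runAsUser, readOnlyRootFilesystem, capabilities.add) are real Kubernetes fields.

```python
"""Toy per-workload risk score in the spirit of the KCCSS description.

Added example: not kube-scan, and the weights and interaction rules are
assumptions, not the KCCSS definitions. Keeps three properties from the
description: a 0-10 score per risky setting, rules for settings that
modify each other, and a single score per workload. SAMPLE_POD is constructed.
"""
from typing import Dict, Set

# Assumed base severity per setting, on a CVSS-like 0-10 scale.
BASE = {
    "privileged": 9.0,               # all host devices and capabilities
    "hostPID": 6.0,                  # sees (and can signal) host processes
    "hostNetwork": 5.0,              # host network namespace, node-local services
    "hostPathVolume": 5.0,           # host filesystem mounted into the pod
    "allowPrivilegeEscalation": 4.0,
    "runAsRoot": 4.0,
    "writableRootFs": 2.0,
    "cap:SYS_ADMIN": 8.0,            # near-equivalent to privileged
    "cap:SYS_PTRACE": 5.0,
    "cap:NET_RAW": 3.0,              # ARP/packet spoofing inside the cluster
}


def pod_level_settings(pod: dict) -> Set[str]:
    found = set()
    if pod.get("hostPID"):
        found.add("hostPID")
    if pod.get("hostNetwork"):
        found.add("hostNetwork")
    if any("hostPath" in v for v in pod.get("volumes", [])):
        found.add("hostPathVolume")
    return found


def container_settings(container: dict, pod_sc: dict) -> Set[str]:
    sc = container.get("securityContext", {})
    found = set()
    if sc.get("privileged"):
        found.add("privileged")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        found.add("allowPrivilegeEscalation")
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if not non_root and uid in (None, 0):
        found.add("runAsRoot")
    if not sc.get("readOnlyRootFilesystem", False):
        found.add("writableRootFs")
    for cap in sc.get("capabilities", {}).get("add", []):
        cap = cap.upper()
        cap = cap[4:] if cap.startswith("CAP_") else cap
        if "cap:" + cap in BASE:
            found.add("cap:" + cap)
    return found


def apply_interactions(settings: Set[str]) -> Dict[str, float]:
    """Per-setting scores after adjusting for combinations (assumed rules)."""
    scores = {s: BASE[s] for s in settings}
    if "privileged" in scores:
        # privileged already grants every capability and implies escalation:
        # drop the subsumed findings rather than counting them twice.
        for k in [k for k in scores if k.startswith("cap:") or k == "allowPrivilegeEscalation"]:
            del scores[k]
    if "hostPID" in scores and ("privileged" in scores or "cap:SYS_PTRACE" in scores):
        scores["hostPID"] = 9.0        # host PID namespace + ptrace = host process takeover
    if "hostPathVolume" in scores and "runAsRoot" in scores:
        scores["hostPathVolume"] = 8.0  # root in the container can write the host path
    return scores


def combine(scores) -> float:
    """Noisy-OR of per-setting scores: findings compound but never exceed 10."""
    survive = 1.0
    for s in scores:
        survive *= 1.0 - s / 10.0
    return round(10.0 * (1.0 - survive), 1)


def score_workload(pod: dict) -> dict:
    """Score each container with pod-level settings folded in; the worst wins."""
    pod_settings = pod_level_settings(pod)
    pod_sc = pod.get("securityContext", {})
    containers = {}
    for c in pod.get("containers", []):
        effective = pod_settings | container_settings(c, pod_sc)
        containers[c["name"]] = combine(apply_interactions(effective).values())
    return {"workload": max(containers.values(), default=0.0), "containers": containers}


# Constructed sample: a privileged agent sidecar beside a locked-down web container.
SAMPLE_POD = {
    "hostPID": True,
    "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [
        {"name": "agent",
         "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}},
        {"name": "web",
         "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                             "allowPrivilegeEscalation": False,
                             "readOnlyRootFilesystem": True}},
    ],
}

if __name__ == "__main__":
    print(score_workload(SAMPLE_POD))
```

The interesting output is the web container: on its own it is clean, yet it scores 8.0 because the pod-level hostPID and hostPath settings apply to every container in the pod. That is the difference between scoring settings one at a time and scoring the workload.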

Speakers
avatar for Julien Sobrier

Julien Sobrier

Product Line Manager, VMware
Julien Sobrier has spent 15+ years in the Security industry, as a Security Researcher at Netscreen/Juniper and Zscaler, then Product Manager at Zscaler, Salesforce and now Octarine (Kubernetes Security). He has co-authored Power Security Tools (O'Reilly) and released many browser...



Tuesday March 10, 2020 2:25pm - 2:55pm PDT
Grand Sierra A/B

3:05pm PDT

Leveraging Data Science to Quantify Open Source Project Health & Security - Alyssa Miller & Geva Solomonovich, Snyk
Understanding the health and security posture of open source projects can be a challenge for software development organizations. These challenges can make utilizing open source resources a high-risk proposition for enterprise environments. However, researchers are leveraging new metrics and machine learning models to develop unique ways to quantify the health and relative security posture of open source projects.

In this session, we'll discuss work that is being done in both academia and private business to establish tangible measures of open source project health. We'll share some of the initial results of this ongoing research as well as lessons learned and a vision of where this research is headed.

The session will discuss how these new measures of project health can be put to practical use. Attendees will leave with a better understanding of how quantifying the trustworthiness of projects can enable developers. We'll demonstrate how this enablement can improve both development efficiency and overall security posture of applications.

Speakers
avatar for Geva Solomonovich

Geva Solomonovich

CTO, Global Alliances, Snyk
A business-focused technology executive with vast experience in fintech, payments, fraud and risk management. My experience spans from Fortune 500 companies, to building startups from scratch, to being acquired by PayPal and featured as the headline story in the book "Start-Up Nation...
avatar for Alyssa Miller

Alyssa Miller

Application Security Advocate, Snyk
Alyssa Miller is a hacker, security evangelist, cybersecurity professional and public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments, but also helping develop...


Tuesday March 10, 2020 3:05pm - 3:35pm PDT
Grand Sierra A/B

4:05pm PDT

More than Just Licenses: Compliance and Conformance for Linux Foundation Projects - Steve Winslow, The Linux Foundation
In open source projects, the topic of “compliance” is often seen as primarily referring to open source license compliance. It’s understandable why this is the case, as license compliance is an extremely important issue and is relevant to all projects. But “compliance” encompasses a broader set of considerations where FOSS projects can help themselves, and their communities, by taking steps to comply with legal and regulatory obligations and to support community members’ related expectations.

In this talk, we will walk through different aspects of the compliance support activities that the LF provides to its projects. We will discuss license compliance and scanning, but will also go beyond it to discuss other compliance topics such as export controls and data privacy. We will also briefly discuss project trademarks and the related role that conformance programs can play in enabling a diverse yet interoperable ecosystem of downstream solutions.

Speakers
avatar for Steve Winslow

Steve Winslow

VP of Compliance & Legal, The Linux Foundation
Steve Winslow is Vice President of Compliance and Legal at The Linux Foundation. He runs The Linux Foundation's license scanning and analysis support program, advising projects about licenses identified in their source code and dependencies. Steve is also involved with projects...


Tuesday March 10, 2020 4:05pm - 4:35pm PDT
Grand Sierra A/B

4:45pm PDT

SPDX and Software Bill of Materials: Past, Present, and Future - Kate Stewart, The Linux Foundation
This is the 9th year of the Software Package Data Exchange (SPDX) project and in this session Kate Stewart and William Bartholomew will provide a brief overview of the history of the SPDX project, dive into the upcoming 2.2 release of the specification, and walk through the proposed changes for the 3.0 major release.

The 3.0 release of SPDX is being built in conjunction with the Object Management Group (OMG) Software Bill of Materials working group and aims to enable SPDX to be used for more software bill of materials scenarios beyond licensing.

Speakers
avatar for Kate Stewart

Kate Stewart

Senior Director of Strategic Programs, Linux Foundation
Kate Stewart is a Senior Director of Strategic Programs, responsible for Embedded and Open Compliance programs. Since joining The Linux Foundation, she has launched Real-Time Linux, Zephyr Project, CHAOSS, and ELISA.


Tuesday March 10, 2020 4:45pm - 5:15pm PDT
Grand Sierra A/B
 
Thursday, March 12
 

9:00am PDT

OpenChain as an ISO Standard - Codifying Compliance Globally - Mark Gisi, Wind River
The OpenChain Specification is an increasingly adopted standard that outlines the key requirements of a quality open source compliance program. Available as a de facto standard since late 2016, it is now positioned to be the first ISO standard produced via the Joint Development Foundation fast-track submission process. This talk will outline how the Linux Foundation has created a fast-track process in collaboration with the Joint Development Foundation, how the OpenChain Project has engaged, and what lessons we have learned. It will also give a brief picture of what is coming next for both the OpenChain Project and broader standardization efforts in the Linux Foundation.

Speakers
avatar for Mark Gisi

Mark Gisi

Director, Open Source, Wind River
Mark Gisi, Director of Open Source Programs at Wind River Systems, is manager of the open source program office responsible for open source adoption; risk mitigation; community engagement and innovation acceleration. Mark is also a lead contributor to the Hyperledger Software Parts...


Thursday March 12, 2020 9:00am - 9:30am PDT
Grand Sierra D

9:40am PDT

Source Code to Cloud-deployment: Metadata Framework for Transparency, Compliance and Trust - Santiago Torres-Arias, New York University & Kate Stewart, The Linux Foundation
Software supply chains today are vulnerable to a wide set of compromises, largely because their parts are opaque. We're missing effective ways to express the elements transparently and accurately. By pulling open source software efforts together we would like to create a framework of tools and formats that can provide insight, and enable verification of the elements used to create products, from the version control systems, through to deployment on embedded devices, and into cloud images. Building on the starting points from the in-toto and SPDX ecosystems we can extend them to solve this challenge and provide a fully transparent pipeline that covers from development into deployment. This approach will be demoed in the talk.
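The verification the abstract refers to rests on one mechanism from in-toto: every pipeline step emits signed "link" metadata recording the hashes of what it consumed (materials) and what it produced (products), and a layout states who may sign each step and which materials must be exactly what the previous step produced. The following is an added example, not code from the talk, from in-toto or from SPDX, showing that chain-of-custody check in stripped-down form: a checkout, build and package step, an honest run that verifies, and two compromises (a source tree modified on the build runner; a link signed with the wrong key) that the verifier rejects. Assumptions: HMAC-SHA256 with shared secrets stands in for in-toto's public-key signatures, the layout and link structures are simplified rather than the real in-toto formats, and all keys, artifacts and file names are constructed.

```python
"""Chain-of-custody verification across a pipeline, in-toto style.

Added example: not code from the talk, in-toto or SPDX. Each step signs a
link {step, materials, products}; the layout says which key signs each
step and which materials must equal the previous step's products.
HMAC-SHA256 stands in for real signatures; keys and artifacts are constructed.
"""
import fnmatch
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

KEYS = {"dev-key": b"developer-secret-1", "ci-key": b"ci-runner-secret-1"}  # constructed

LAYOUT = {  # constructed: ordered steps, the signing key for each, and which
    "steps": [  # materials must match what the previous step produced
        {"name": "checkout", "key": "dev-key", "match_from_previous": []},
        {"name": "build", "key": "ci-key", "match_from_previous": ["src/*"]},
        {"name": "package", "key": "ci-key", "match_from_previous": ["app.bin"]},
    ]
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, payload: dict) -> str:
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_link(step: str, key: bytes, materials: Dict[str, bytes],
              products: Dict[str, bytes]) -> dict:
    """Record what a step consumed and produced, then sign the record."""
    signed = {
        "step": step,
        "materials": {p: sha256(b) for p, b in materials.items()},
        "products": {p: sha256(b) for p, b in products.items()},
    }
    return {"signed": signed, "signature": sign(key, signed)}


def verify(layout: dict, links: Dict[str, dict],
           keys: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Walk the layout in order; every link must be signed by the right key and
    its matched materials must be byte-identical to the previous products."""
    errors: List[str] = []
    prev_products: Dict[str, str] = {}
    for step in layout["steps"]:
        name = step["name"]
        link = links.get(name)
        if link is None:
            errors.append(f"{name}: no link metadata")
            prev_products = {}
            continue
        signed = link["signed"]
        expected = sign(keys[step["key"]], signed)
        if not hmac.compare_digest(expected, link["signature"]):
            errors.append(f"{name}: signature not valid under {step['key']}")
        if signed.get("step") != name:
            errors.append(f"{name}: link claims to be step {signed.get('step')!r}")
        for path, digest in signed["materials"].items():
            if any(fnmatch.fnmatch(path, pat) for pat in step["match_from_previous"]):
                if prev_products.get(path) != digest:
                    errors.append(f"{name}: material {path} is not what the previous step produced")
        prev_products = signed["products"]
    return (not errors, errors)


def run_pipeline(tamper: str = "none") -> Tuple[bool, List[str]]:
    """Produce the three links for a constructed pipeline and verify them.

    tamper="source": the build consumes a modified tree (e.g. a backdoor
    injected on the CI runner) instead of what checkout produced.
    tamper="key": the build link is signed with the developer's key, not CI's.
    """
    src = b"int main(void) { return 0; }\n"
    binary = b"\x7fELF-stand-in-binary"
    tarball = b"tar-stand-in"
    build_src = src + b"/* injected */\n" if tamper == "source" else src
    build_key = KEYS["dev-key"] if tamper == "key" else KEYS["ci-key"]
    links = {
        "checkout": make_link("checkout", KEYS["dev-key"], {}, {"src/main.c": src}),
        "build": make_link("build", build_key, {"src/main.c": build_src}, {"app.bin": binary}),
        "package": make_link("package", KEYS["ci-key"], {"app.bin": binary}, {"app.tar": tarball}),
    }
    return verify(LAYOUT, links, KEYS)


if __name__ == "__main__":
    for mode in ("none", "source", "key"):
        print(mode, run_pipeline(mode))
```

The point of the match rule is that a compromised build runner cannot quietly compile something other than the reviewed checkout: its own link records the hash of what it actually consumed, and that hash no longer agrees with the checkout step's products. An SBOM (the SPDX side of the abstract) would describe the final app.tar; the link chain is what ties that description back to the commit it came from.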

Speakers
avatar for Kate Stewart

Kate Stewart

Senior Director of Strategic Programs, Linux Foundation
Kate Stewart is a Senior Director of Strategic Programs, responsible for Embedded and Open Compliance programs. Since joining The Linux Foundation, she has launched Real-Time Linux, Zephyr Project, CHAOSS, and ELISA.
avatar for Santiago Torres

Santiago Torres

PhD Student, New York University


Thursday March 12, 2020 9:40am - 10:10am PDT
Grand Sierra D
 