The “Subscribe” link goes to a MailChimp sign-up page. I have stopped using MailChimp due to its obnoxious marketing tactics. WordPress stopped its service of sending a notice of updated posts. I am now using the Web page and email service of Hey, developed by Basecamp. Please visit world.hey.com/garymintchell to register for the newsletter. There is no tracking or other privacy-invading tech.
Meanwhile, I spoke at the IoT Workshop of the Precision Metalforming Association and MetalForming magazine's virtual IoT Experience, with some ideas on the why and how of IoT projects.
Following is news from my IoT and Networking Security folder that has been accumulating since late summer.
Siemens and Zscaler partner on integrated zero trust security solutions for OT/IT
- Enables secure, on-demand remote access to OT applications and systems
- Delivers Zero Trust OT/IT security approach for office and production networks
- Improves plant uptime and efficiency with secure remote access
Siemens and Zscaler are partnering to enable customers to securely access Operational Technology (OT) systems and applications in the production network from the workplace – whether in the office or working remotely. These new capabilities enable users to remotely manage and control quality assurance or diagnose issues.
To ensure that the OT network is not exposed to any increased threat potential, Siemens and Zscaler have expanded the “Defense-in-Depth” OT concept secured by a Zero Trust Architecture. Based on the principle of “least-privilege access”, Zero Trust only authorizes application-specific access based on verified user identity and context. In combination with the existing OT security mechanisms, such as cell protection firewalls, this allows implementation of a granular access concept.
In addition, production requirements for availability and real-time capabilities continue to be met. This is operationalized by installing the app connector for the cloud-based remote access service Zscaler Private Access™ (ZPA™) in a Docker container on the Siemens Scalance LPE local processing platform, thus creating an access solution for industrial environments. Centralized management in the Zscaler Zero Trust Exchange™ cloud platform and the use of outbound-only connections from the plant allow existing firewall rules to be configured more restrictively and reduce the operating costs of administration and monitoring. Existing legacy systems can also be retrofitted with the Zero Trust Exchange solution. This offering is now available to customers through Zscaler and Siemens.
Industrial networks mainly use a protection concept in which the system is subdivided into separate production cells. Each of these cells is individually protected by appropriate measures, such as a cell protection firewall. In office networks, the Zero Trust concept is steadily gaining traction, with all participants, users and devices first having to prove their identity and integrity before communication with a target resource can take place.
Open Source Security Foundation Raises $10 Million in New Commitments to Secure Software Supply Chains
The Linux Foundation https://www.linuxfoundation.org/, the nonprofit organization enabling mass innovation through open source, announced it has raised $9 million in new investments to expand and support the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together multiple open source software initiatives under one umbrella to identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. Open source luminary Brian Behlendorf will serve the OpenSSF community as General Manager.
Financial commitments from Premier members include Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk and VMware. Additional commitments come from General members Anchore, Apiiro, AuriStar, Deepfence, Devgistics, GitLab, Nutanix, TideLift and Wind River.
According to industry reports (“2021 State of the Software Supply Chain,” by Sonatype), software supply chain attacks have increased 650 percent and are having a severe impact on business operations. In the wake of increasing security breaches, ransomware attacks and other cybercrimes tied to open source software, government leaders around the world are calling for private and public collaboration. Because open source software makes up at least 70 percent of all software (“2020 Open Source Security and Risk Analysis Report” by Synopsys), the OpenSSF offers the natural, neutral and pan-industry forum to accelerate the security of the software supply chain.
The OpenSSF is home for a variety of open source software, open standards and other open content work for improving security. Examples include:
● Security Scorecard https://github.com/ossf/scorecard – a fully automated tool that assesses a number of important heuristics (“checks”) associated with software security
● Best Practices Badge https://bestpractices.coreinfrastructure.org/ – a set of Core Infrastructure Initiative best practices for producing higher-quality secure software providing a way for OSS projects to demonstrate through badges that they are following them
● Security Policies – Allstar https://github.com/ossf/allstar provides a way to set and enforce security policies on repositories or organizations
● Framework – supply-chain levels for software artifacts (SLSA) https://slsa.dev/ delivers a security framework for increasing levels of software supply chain integrity
● Training – free secure software development fundamentals courses https://openssf.org/training/courses/ educating community members on how to develop secure software
● Vulnerability Disclosures – a guide to coordinated vulnerability disclosure for OSS projects https://github.com/ossf/oss-vulnerability-guide
● Package Analysis https://github.com/ossf/package-analysis – look for malicious software in OSS packages
● Security Reviews https://github.com/ossf/security-reviews – public collection of security reviews of OSS
● Research – studies on open source software and critical security vulnerabilities conducted in association with the Laboratory for Innovation Science at Harvard (LISH) (e.g., a preliminary census and FOSS Contributor Survey).
For more information about OpenSSF, see https://openssf.org/.
“The Linux Foundation’s focus on security is fundamental to addressing the increasing risks associated with software,” said John Roese, Dell Technologies’ Global Chief Technology Officer. “The Open Source Security Foundation’s work will help us collectively make sure critical software programs and the end-to-end software delivery pipeline are secure and trustworthy.”
“Open Source Software plays a critical role in Fidelity’s technology strategy. We are proud to be part of the Open Source Security Foundation and to work with others to ensure that Open Source solutions and their supply chains are safe, secure, and reliable, enabling Fidelity to better serve our customers and clients,” said John Andrukonis, SVP, Fidelity Application Architecture.
“As a long-standing member of the open source software community, Intel contributes daily in the upstream projects we collaborate with,” said Greg Lavender, senior vice president, CTO and general manager of Software and Advanced Technology at Intel Corporation. “Along with the Linux Foundation, we believe the Open Security Foundation (OpenSSF) is a unique opportunity to engage in projects and efforts focused on improving the quality and security for today and our future. Intel remains committed to providing contributions that benefit open source software supply chains and improving the security posture of critical projects on which our ecosystem depends.”
“JPMorgan Chase is deeply committed to working with the open source community to solve our most pressing security challenges. As a founding member of the Open Source Security Foundation, we have worked together to improve the security of open source and the integrity of all software. We commend the US Government’s recent initiative to raise awareness on this pressing topic and call to action the technology community to solve one of the most complex security challenges of our time. We welcome the new members to OpenSSF and look forward to continuing the journey of innovation and bringing meaningful change to how we build, secure, and validate software,” said Pat Opet, Chief Information Security Officer, JPMorgan Chase & Co.
“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own. All of us at Microsoft are excited to participate with others in contributing new investments to the Open Source Security Foundation and we look forward to building more secure software through community-driven efforts to create solutions that will help us all,” said Mark Russinovich, Azure CTO and Technical Fellow, Microsoft.
“Open source is built by millions of empowered developers, who also need to secure this critical foundation of the digital world,” said Guy Podjarny, Founder & President, Snyk. “The vital work of the Linux Foundation and the OpenSSF ensures we collectively live up to this responsibility. The Snyk community is fully committed to this important, collaborative effort and we look forward to working closely with the other OpenSSF members to better secure OSS so it can continue to safely fuel innovation.”
“Every company that uses software should be concerned about their software supply chain,” said Kit Colbert, chief technology officer, VMware. “For two-plus years, VMware has engaged in contributions to open source projects in the broader software supply chain security space and invested in initiatives to help customers further strengthen their security policies and processes. As a member of the Open Source Security Foundation, we’re committed to collaborating across the industry to drive an increased level of software supply chain security.”
BlackBerry and Deloitte Join Forces to Secure IoT Software Supply Chains
BlackBerry Limited https://www.blackberry.com/us/en and Deloitte https://www2.deloitte.com/ca/en.html announced the two organizations are teaming up to help OEMs and those building mission-critical applications secure their software supply chains.
As part of the agreement, Deloitte will leverage BlackBerry’s flagship software composition analysis tool, BlackBerry Jarvis https://blackberry.qnx.com/en/software-solutions/blackberry-jarvis to provide Open-source Software (OSS), Common Vulnerabilities and Exposures (CVE) and Software Bill of Materials (SBOM) analysis on behalf of their clients across the medical, automotive and aerospace industries, empowering them to keep software safe and secure based on the actionable intelligence the platform provides.
A G7 Transportation Ministry has selected the companies’ joint software and services offering to ensure the security of its traffic management and broader transportation infrastructure.
Designed to address the increasing complexity and growing cybersecurity threats in multi-tiered software supply chains, BlackBerry Jarvis lets OEMs inspect the provenance of their code and of every software asset that enters their supply chain, so they can verify that their products are both secure and updated with the most recent security patches.
BlackBerry Jarvis identifies vulnerabilities and delivers actionable insight on them in minutes, work that would otherwise require manual scanning by large numbers of experts over an impractical amount of time.
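The core of the SBOM and CVE analysis described above is mechanical: read the component inventory, look up each package in a vulnerability feed, and test whether the installed version falls inside an advisory's affected range. The following is an added illustration of that matching step, not BlackBerry Jarvis code or any product's real logic; the CycloneDX-style SBOM, the package names and the advisory identifiers (EXAMPLE-xxxx, deliberately not real CVE numbers) are all constructed inline so the script runs offline.

```python
"""Added example (not BlackBerry Jarvis code): match a CycloneDX-style SBOM
against a vulnerability feed with affected-version ranges.
All packages, versions and advisory IDs below are constructed placeholders."""
import json
import re

# Constructed SBOM in CycloneDX JSON shape (a real one would come from a build).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo",   "version": "2.3.1",  "purl": "pkg:generic/libfoo@2.3.1"},
    {"type": "library", "name": "barparse", "version": "1.0.0",  "purl": "pkg:generic/barparse@1.0.0"},
    {"type": "library", "name": "bazcrypt", "version": "0.9.7",  "purl": "pkg:generic/bazcrypt@0.9.7"}
  ]
}"""

# Constructed advisory feed: "introduced" is the first affected version,
# "fixed" the first patched version (None = no fix published yet).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "libfoo",   "introduced": "2.0.0", "fixed": "2.3.2", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "libfoo",   "introduced": "1.0.0", "fixed": "1.4.0", "severity": "medium"},
    {"id": "EXAMPLE-0003", "package": "bazcrypt", "introduced": "0.0.0", "fixed": None,    "severity": "critical"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> tuple:
    """Turn the leading dotted-numeric part of a version into a comparable tuple.
    '2.3.1-rc1' -> (2, 3, 1); pre-release suffixes are ignored (a simplification)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        return (0,)
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def load_components(sbom_json: str) -> list:
    """Extract (name, version) pairs from a CycloneDX-style document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def match_advisories(sbom_json: str, advisories: list) -> list:
    """Return findings sorted by severity: one entry per (component, advisory) hit."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed": adv["fixed"],   # None tells the reader no upgrade target exists yet
                })
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 99))
    return findings


if __name__ == "__main__":
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        target = f["fixed"] or "no fix published"
        print(f'{f["severity"]:8} {f["component"]}@{f["version"]}  {f["advisory"]}  fixed in: {target}')
```

Two details matter in practice and are the usual source of false results in home-grown tooling: the version comparison (a lexical string compare would rank 1.10.0 below 1.9.0) and the half-open range, where the "fixed" version itself is not affected. A component with a hit but no fixed version is the case that needs a compensating control rather than an upgrade.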
For more information on BlackBerry Jarvis please visit BlackBerry.com/Jarvis.