Upstream

Information Technology & Services

Join us June 5 for a one-day celebration of open source, the developers who use it, and the maintainers who create it.

About us

About Upstream 2024's theme: Unusual ideas to solve the usual problems

Improving the health and security of open source is an old problem. Yet here we are in 2024 and it is still not a solved problem. Upstream 2024 will be a curated set of presentations and conversations featuring those who are pursuing exciting new approaches to improving open source health and security, those who are attacking a very old problem in very new ways. We’ll bring together open source maintainers and those who use their creations alongside government leaders and thought leaders, while also gaining inspiration from visionaries tackling parallel challenges in other fields. Our hope is that those who attend come away refreshed, rejuvenated, and with new energy to tackle ensuring the security and resilience of the open source software we all depend on in new, unusual, and exciting ways. Check out the full theme announcement blog post from Tidelift co-founder Luis Villa. We look forward to seeing you there!

Website
https://upstream.live/
Industry
Information Technology & Services
Company size
51-200 employees
Founded
2021

Updates

  • Upstream reposted this

    Tidelift (3,381 followers)

    Upstream LIVE 🚨 and in person in Boston! For the first time ever, we’re taking Upstream live and we’re inviting people in the Boston area to come join the conversation! For this first event, Tidelift CEO and co-founder Donald Fischer is hosting a roundtable discussion centered around “rethinking vulnerability management.” Why do we need to rethink vulnerability management? The reality is that development teams are overwhelmed triaging long lists of #vulnerabilities, with little context on which are the most important to patch to actually reduce risk. And open source maintainers are swamped with vulnerability reports to investigate, many of which end up being false positives. 😖 We’ve managed to create an endless game of security whack-a-mole and, worst of all, it may not be delivering the real outcome we desire: actual risk reduction. 🔨 🔁

    This session is for you if your organization is:
    - Developing applications using open source languages like Python, Java, JavaScript, Ruby, Rust, and Go
    - Concerned about security risks or software supply chain attacks impacting #opensource
    - Exploring more impactful ways to reduce risk beyond the traditional #vulnerability detection and remediation approach many organizations use today

    Other amazing guests joining the roundtable discussion:
    - John Mark Walker, Director of the OSPO at Fannie Mae
    - Jordan Harband, mega-maintainer of 500+ JavaScript projects
    - And you? 🫵

    Let’s work together to come up with a better solution. 👊 Join us on Wednesday, Sept. 18 from 4 p.m. to 6 p.m. ET at CIC at 245 Main St, Cambridge, MA 02142, United States. RSVP now, spots are limited! ▶️ https://lnkd.in/gjrZSw4y See you there! 👋

    • Upstream Live in Boston! Join Tidelift CEO and co-founder Donald Fischer for this one day, in-person event on September 18th
  • Upstream reposted this

    🔒 Upstream 2024 recap: Escaping the CVE dungeon 🔒 What happens when CVEs are submitted to GitHub Issues? 🧐 During Upstream 2024, James Berthoty tackled this frustrating process in his talk, "How can we get CVEs out of GitHub Issues?" James shed light on the challenge that both security professionals and maintainers face when vulnerability scanners flag #CVEs. These are often reported to maintainers without proper validation, overwhelming them with unverified #vulnerabilities. As James pointed out, "The goal here is to find our way out of the CVE dungeon in which we have unfortunately locked ourselves in." He highlighted the importance of clearer maintainer security policies and called for vulnerability scanners to focus on upstream direct dependencies rather than the endless transitive ones that cause unnecessary noise. 🎯 This talk is a must watch for anyone navigating the complexities of #opensource security. Watch the full talk here 👉 https://lnkd.in/ghqxEzqc

  • Upstream reposted this

    Open source is under a microscope at the moment. 🔬 Ever since the xz utils backdoor hack, the open source community has been on edge. Trust has been broken and fingers are being pointed in every direction. However, open source isn’t going anywhere, and it’s time for all of us to be the standard-bearer for open source. At Upstream this year, a panel of industry experts such as Josh Bressers of Anchore; Jordan Harband, prolific JavaScript maintainer; Rachel Stephens from RedMonk; Roshunda Martin, CISA, CISM, IT and security management consulting principal from BlackIce Solutions; and Terrence F. from Boeing, joined Tidelift VP of product Lauren Hanford to discuss how the xz hack has changed the landscape of open source software supply chain security. From Rachel during the talk: “Overall, I would love to see people supporting the OSI more. I would love to see people coming together to actually rally around the importance of truly open software. So if you want to have proprietary software, great, but if you want to have your software be open source, then that means something and it needs to mean something to the people who are making it into the people who are using it.” (Mic drop.) Watch the full talk here: https://lnkd.in/egYKaNwK

  • Upstream reposted this

    When we think about the fundamental purpose of patching a #security vulnerability, it's ultimately about avoiding being compromised. Unfortunately, many people jump to the mistaken conclusion that, in order to avoid being compromised, you must be completely vulnerability free. As it turns out, evidence shows that most vulnerabilities do not and will not ever see exploitation. And with tens of thousands of #vulnerabilities pinging on scanners, the conversation needs to be more about "what" needs to be patched rather than "how many." At this year's Upstream, Donald Fischer, CEO and co-founder at Tidelift, sat with Vincent Danen, VP of Product Security at Red Hat, to challenge our thinking around the “patching everything” mentality. 🛠 Vincent says the best way to achieve this goal is to narrow our focus to the vulnerabilities with the biggest impact and start from there. From the talk: "...we're looking at those vulnerabilities that, if exploited, are going to lead to those unintended breaches and compromises or those that are most likely to be exploited. This number was around 25,000 CVEs in a year. If I go to Verizon’s DBIR report it says about 5% of breaches are based on software vulnerabilities, that means there's about 1000 vulnerabilities in there that would potentially lead to a breach." "So if we reduce this 25,000, down to 1000, that are actually meaningful—if we focus our attention on those 1000 versus the 25,000 as a whole, that saves everybody an immense amount of time, effort, and energy." Watch the full talk and other Upstream talks here! https://lnkd.in/e8Tk65gr

  • Upstream reposted this

    Simply put: organizations should strive to work with and support #opensource maintainers to secure and maintain the open source software supply chain. It's been a month since Upstream and we're looking back at some of the highlights from our talks featuring esteemed guests and panelists discussing #opensource, the open source software supply chain, and open source software #security. In this featured clip, Aeva Black, Section Chief, Open Source Security at Cybersecurity and Infrastructure Security Agency (CISA), talks about how organizations can get started with improving their open source usage, including signing the Secure by Design Pledge. From Aeva: "...there are a lot of these new tools being developed to help surface up the trustworthiness of a project at a given point in time, based on, a lot of, again, volunteers working together to track and measure these relationships. And it's not foolproof, it's not perfect; there are bugs in all software. Open source is still just software. So like with any software, mistakes might happen, but through working together and maintaining those relationships, it's pretty darn good." We agree, it's pretty darn good. 👏 Watch the full talk here 👉 https://lnkd.in/gJztHSsz

  • Upstream reposted this

    Our much anticipated #Upstream2024 maintainer state of the union is starting now! 📣 Hear from Tatu Saloranta of jackson-databind; Wesley Beary, who maintains popular Ruby projects fog and excon; Irina Nazarova of Evil Martians and Valeri Karpov, from Mongoose, who will discuss the state of life as an #opensourcemaintainer in 2024. Join the conversation: https://bit.ly/3Vq0Uc8
