It’s getting harder by the day to ensure your programs are safe. We used to count on the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) to analyze and enrich Common Vulnerabilities and Exposures (CVE) entries, but NIST has almost completely stopped adding that analysis. Plus, as Dan Lorenc, CEO and co-founder of software-supply-chain security company Chainguard, has pointed out, the CVE system itself is drowning under a flood of bad CVEs, created by AI bots seeking security credibility for their authors. What’s a DevOps pro to do?
The Open Source Security Foundation (OpenSSF) has an answer: Siren, a threat intelligence sharing list.
Security mailing lists, such as oss-security, are nothing new. The OpenSSF is well aware of these. Indeed, it supports them.
Individual lists for particular problems are well and good. However, these days, as most of you know to your pain and sorrow, security issues seldom concern one specific program. They can spring from combinations of operating systems and programs.
The open source community has proven methods of communicating vulnerabilities to others within the community. However, developers don’t have a way to efficiently pass information about active exploits on to the broader downstream audience. While consumers and enterprises may have intelligence-sharing structures in place, those structures do not always extend back upstream to the open source community. OpenSSF Siren seeks to bridge these gaps.
As the OpenSSF states, Siren is meant to provide “a secure and transparent environment for sharing Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with recent cyber attacks. Siren is intended to be a post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination.”
So, Siren is the wrong place to look if you want information about zero-day security holes before they are disclosed. It is for sharing information about security problems, and their answers, once they have been disclosed and, we hope, fixed.
Since open source powers up to 90% of modern software, the importance of this can’t be overstated. Recent attacks on projects such as XZ-Utils are stark reminders of the importance of proactive security measures.
Specifically, Siren brings you:
- Open source threat intelligence: Information is shared with the community about actively exploited public vulnerabilities and threats.
- Real-time updates: List members receive email notifications about emerging threats relevant to their projects. This gives you an opportunity to take action to mitigate risks swiftly.
- Adherence to CLEAR guidelines: To facilitate effective, unrestricted, transparent communication, the list follows the Traffic Light Protocol (TLP) CLEAR guidelines for the sharing and handling of intelligence. TLP is a simple color-coded system that designates how far a piece of information may be shared. Red, for example, means the information may not be shared beyond the people actively working on the security problem; amber limits sharing to the recipients’ own organizations; green means it may be shared within the community but not published; and clear means it may be disclosed without restriction. Because Siren exists to reach the broad downstream audience, everything posted to it is TLP:CLEAR, so members may freely repost it.
- Community-driven resources: Contributors from diverse backgrounds collaborate to enrich the intelligence database, fostering a culture of shared responsibility and collective defense.
By leveraging the collective knowledge and expertise of the open-source community and other security experts, the OpenSSF Siren hopes to empower projects of all sizes to bolster their cybersecurity defenses and increase their overall awareness of malicious activities.
Ready to act? You can register for an OpenSSF Siren membership to receive real-time threat intelligence updates and talk about these issues. I hope to see you there. Together, we can make the world a little bit more secure for you, me, and everyone else.
Photo credit: Jan Antonin Kolar on Unsplash