Security Scorecards: What is it, and what is new in its new version 2.0?

A few days ago a new version 2.0 of the open source project called "Security Scorecards" was released, a project launched in November 2020 by Google and the Open Source Security Foundation (OpenSSF).

For this reason, in this post we will take a closer look at this useful project and its new version 2.0, which now includes improved checks and capabilities and expanded data for further analysis.

OpenSSF

And since this project is run by OpenSSF, we will quickly leave the link to our previous post about it, so that, if needed, those interested in learning more about that Foundation can easily reach it:

"The Linux Foundation has announced the creation of a new project called "OpenSSF" (Open Source Security Foundation), whose main objective is to bring together the work of industry leaders in the field of improving software security. Thus, OpenSSF will continue to develop initiatives such as the Core Infrastructure Initiative and the Open Source Security Coalition, and will bring together other security-related work carried out by the companies that have joined the project." OpenSSF: a project focused on improving the security of open source software

Related article:
OpenSSF: a project focused on improving the security of open source software

Related article:
Sigstore: a project to improve the open source supply chain

Security Scorecards

What are Security Scorecards?

According to the official Google Open Source publication, the project is described as follows:

""Security Scorecards" is one of the first projects to be published within the OpenSSF framework since its founding in August 2020. The goal is to automatically generate a "security score" for open source projects to help users decide the trust, risk, and security posture of their use case.

Security Scorecards define an initial evaluation criteria that will be used to generate a scorecard for an open source project in a fully automated way. Every scorecard check is actionable. Some of the evaluation metrics used include a well-defined security policy, a code review process, and continuous test coverage with static code analysis and fuzzing tools. A boolean is returned, as well as a confidence score, for each security check.

Over time, Google will improve these metrics with community contributions through OpenSSF." Security scorecards for open source projects

How do Security Scorecards work?

According to OpenSSF, "Security Scorecards" works as follows:

It generates a scorecard for an open source project in a fully automated way. However, at the moment the code only works with GitHub software repositories; its extension to other source code repositories is in the pipeline. In addition, some of the evaluation metrics used include a well-defined security policy, a code review process, and continuous testing with fuzzing and static code analysis tools.

In addition, it periodically scans a list of critical open source projects and exposes the details (data) of the checks through a public BigQuery dataset that is updated weekly. This data can be used to add automated decision-making of any kind when introducing new open source dependencies into projects or organizations.

Thus, organizations could reasonably decide that any new dependency with a low score must go through a list of additional checks. This evaluation can therefore help reduce risky dependencies in production systems.
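As an added illustration of the gating idea described above (this is example code written for this post, not code from the Scorecards project), the following Python policy consumes a per-check result shaped like the boolean-plus-confidence output the project describes and decides whether a new dependency is accepted, sent for manual review, or rejected. The sample result, its field names and the thresholds are constructed assumptions for this example, not the tool's documented schema.

```python
import json

# Constructed sample in the style of a Scorecard run: each check returns a
# boolean result plus a 0-10 confidence. The field names are an assumption
# made for this example, not the project's documented output format.
SAMPLE_RESULT = json.dumps({
    "Repo": "github.com/example-org/example-lib",
    "Checks": [
        {"Name": "Security-Policy", "Pass": True, "Confidence": 10},
        {"Name": "Code-Review", "Pass": False, "Confidence": 8},
        {"Name": "CI-Tests", "Pass": True, "Confidence": 7},
        {"Name": "SAST", "Pass": False, "Confidence": 10},
        {"Name": "Fuzzing", "Pass": False, "Confidence": 10},
    ],
})

# Policy (constructed): checks a new dependency must pass, and the minimum
# confidence we accept before trusting any verdict at all. A low-confidence
# or missing check is treated as "unknown" and routed to a human reviewer.
REQUIRED_CHECKS = {"Security-Policy", "Code-Review", "CI-Tests"}
MIN_CONFIDENCE = 5


def evaluate(result_json, required=REQUIRED_CHECKS, min_conf=MIN_CONFIDENCE):
    """Return (decision, findings) for one scorecard result.

    decision is "accept", "review" or "reject"; findings lists the check
    names that caused a non-accept decision, in sorted order.
    """
    data = json.loads(result_json)
    by_name = {c["Name"]: c for c in data["Checks"]}
    failed, uncertain = [], []
    for name in sorted(required):
        check = by_name.get(name)
        if check is None or check["Confidence"] < min_conf:
            uncertain.append(name)   # no data or weak signal: human looks
        elif not check["Pass"]:
            failed.append(name)      # confident failure: block the dependency
    if failed:
        return "reject", failed
    if uncertain:
        return "review", uncertain
    return "accept", []


if __name__ == "__main__":
    decision, why = evaluate(SAMPLE_RESULT)
    print(f"{json.loads(SAMPLE_RESULT)['Repo']}: {decision} {why}")
```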

To expand on this information from the official source (OpenSSF), you can check the following link.

What is new in version 2.0

This new version 2.0, recently released by Google, presents a deeper framework called "Supply-chain Levels for Software Artifacts" (SLSA), which seeks to ensure the integrity of software artifacts and prevent unauthorized modification during their build and deployment.

In general terms, it briefly includes the following news:

  1. Improved identification of known potential vulnerabilities.
  2. Strengthened detection of malicious contributors by requiring third-party code review before commits.
  3. Improved detection of vulnerable code through static code testing and continuous fuzzing.
  4. Improved identification of weak dependencies, to reduce potential security risks and allow more appropriate decisions for mitigating them.

To dig into the details of its current developments or how it works, you can check the following link.

Summary

We hope this "useful little post" about «Security Scorecards», a project launched by Google and the Open Source Security Foundation that has just released a new version 2.0 improving its checks and capabilities and increasing the data generated for further analysis, is of great interest and use to the whole «Comunidad de Software Libre y Código Abierto» and a great contribution to the spread of the wonderful, huge and growing ecosystem of «GNU/Linux» applications.
