Mythos is real. I know a big chunk of the industry thinks it’s a marketing stunt, and I get why. I get it. But I’ve seen the findings, and they’re bad. These aren’t “whoops, this line right here is wrong, and that’s RCE.” They’re novel combinations of a few dozen issues out of thousands of things every SAST scanner already finds, chained together into something much worse. It’s real creativity, like Move 37. That’s not a better scanner. That’s a different category of threat.

In some ways, it doesn’t even matter. Even if this specific model were a hoax, the capability is coming regardless. Some days, I wish it were a hoax. We’d have more time. But you can believe me or not. The rest of this post is about what we do about it either way, and I’m getting started now.

Washington has been tracking this for a while, but you can’t regulate something most of the industry thinks is made up. Now that every boardroom is in preparation mode (and they are), DC finally gets to start thinking through what steps they can take. It’s clear they need to play a role, but it’s not clear how or what it should be. And they’re in a really tough spot.

Regulate too little, and you risk a US-based company accidentally creating a weapon that puts our critical infrastructure at risk. Regulate too much, and the same thing happens in China instead. The whole thing feels like gain-of-function research on viruses. Everyone knows you should wash your hands before leaving the lab, but just because we make it mandatory doesn’t mean the rest of the world will. We’ve already seen how that story goes in Wuhan.

Here’s the structural problem that limits what any government can do: despite Europe’s best attempts with the Cyber Resilience Act (CRA), open source isn’t governable. Laws and executive orders don’t apply to people around the world putting things on the internet for free. The US realizes this, so they’re focusing where they can and where they should: on consumption. That’s the right instinct, and it’s exactly where the rest of this post is going.

The open source ecosystem and consumption model is not ready for this

I’ve been working on this problem every day of my life for the last decade. I helped found the OpenSSF and Alpha-Omega while at Google. I created Sigstore, Scorecards, and the first open source malware scanners. I funded the grants that put Rust in the Linux kernel and MFA on PyPI. Then I started Chainguard to do all of this commercially, at scale. I’m telling you all of this not to brag, but because I need you to believe me when I say: the way the world consumes open source software is fundamentally broken, and no amount of incremental improvement is going to fix it in time.

Not in its current form. Maybe not ever. It’s going to have to change.

Most companies have been consuming open source freely for years without really thinking about it. Modern apps are layers of dependencies, and when something goes wrong in one of them, fixing it can cascade through an entire stack. For…

Last Update: June 8, 2026