update-2022-12.md

File metadata and controls

25 lines (14 loc) · 2.32 KB

Eclipse Foundation for December 2022

Security Audits

We have successfully initiated the 3 security audits that we committed to starting by the end of the year. The statements of work have been fully executed, and we are currently in the process of coordinating with the projects and the security audit company to determine a suitable timeline for the work to be completed.

The projects that will be covered in these audits are:

  • Eclipse Jetty: an open-source Java-based web server that provides an HTTP server and servlet container.
  • Eclipse JKube: a toolkit for building container images and deploying them to Kubernetes.
  • Eclipse Mosquitto: an open-source IoT platform that enables the development and management of connected devices.

The audit is expected to begin in the first quarter of 2023, and we will promptly share the reports once the audit has been completed.

MFA promotion

We have some positive news regarding security measures on our 1000+ GitHub repositories. Over the last 3 months, the number of committers with 2FA (two-factor authentication) enabled has increased by 8.8%. This means that 63.8% of all Eclipse committers are now using 2FA, which helps to protect our codebase and prevent unauthorized access. Also, approximately 31% of the organizations managed by the Eclipse Foundation have 90% or more of their committers using 2FA, which is an 18% increase from the previous quarter.

We continue to encourage all committers to enable 2FA on their GitHub accounts to further enhance the security of our repositories.

Hiring

We have hired a talented Technical Program Manager who will be starting on January 9th. They bring a wealth of experience and knowledge to the team. They will create security and vulnerability policies, procedures, and guidelines that adhere to industry best practices and take into account the current practices of Eclipse open source projects.

In addition, we have a solid lead on a Software Engineer who will be focused on custom development projects designed to improve the security posture of our projects. As part of his role, he will be responsible for creating SLSA attestation generators for Jenkins-based pipelines and developing tools to efficiently manage GitHub organizations at scale.