As presented at the Bay Area Cyber Security Meetup on January 25th, 2018.
Open source development paradigms have become the norm for most software development. This is regardless of whether you're making the next great IoT device, a new container microservice, or desktop application. While open source components are often viewed as free, and definately help solve problems in a scalable way, using them in a secure manner requires an understanding of how open source development really works.
In this sesssion, I covered how secure development practices with data center regulations can benefit from an understanding of open source development. Specifically, we looked at fork management, community engagement and patch management. We ended with an open source maturity model.
As presented via webinar.
The Open Source 360 survey is in its 11th year and surveyed over 800 IT professionals about their use of open source components and technologies. In prior years, this survey was known as the Future Of Open Source.
Key takeaways include:
- Open Source usage is growing within global organizations
- Organizations recognize risks of consumption exist
- Tooling to keep pace with risks is limited
- Contributions to project communities are key to success
All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.
Welcome & The State of Open Source SecurityJerika Phelps
Open Source software is the foundation for application development today. Open source use is growing rapidly worldwide because of the development cost reductions and innovation it enables. Black Duck discovers open source in nearly every application it analyzes and finds that 35% of the average commercial software application is open source. Home-grown applications typically contain 50% or more open source.
The dramatic growth in open source use has been accompanied by an array of security and management challenges related to a lack of visibility into and control of the open source in use. Leading organizations are aggressively pursuing ways to increase their use of open source and do so without compromising effective security or management.
The State of Open Source Vulnerabilities - A WhiteSource WebinarWhiteSource
Open source components have become a key building block for application development in today’s market where companies are under constant pressure to deploy products as fast as possible. The recent increase in open source usage, however, has introduced many new security challenges.
In this webinar Learn how open source security vulnerabilities are found, how to address any open source security concerns within your organization and understand the difference between securing your open source components and your proprietary code.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
As presented via webinar.
The Open Source 360 survey is in its 11th year and surveyed over 800 IT professionals about their use of open source components and technologies. In prior years, this survey was known as the Future Of Open Source.
Key takeaways include:
- Open Source usage is growing within global organizations
- Organizations recognize risks of consumption exist
- Tooling to keep pace with risks is limited
- Contributions to project communities are key to success
All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.
Welcome & The State of Open Source SecurityJerika Phelps
Open Source software is the foundation for application development today. Open source use is growing rapidly worldwide because of the development cost reductions and innovation it enables. Black Duck discovers open source in nearly every application it analyzes and finds that 35% of the average commercial software application is open source. Home-grown applications typically contain 50% or more open source.
The dramatic growth in open source use has been accompanied by an array of security and management challenges related to a lack of visibility into and control of the open source in use. Leading organizations are aggressively pursuing ways to increase their use of open source and do so without compromising effective security or management.
The State of Open Source Vulnerabilities - A WhiteSource WebinarWhiteSource
Open source components have become a key building block for application development in today’s market where companies are under constant pressure to deploy products as fast as possible. The recent increase in open source usage, however, has introduced many new security challenges.
In this webinar Learn how open source security vulnerabilities are found, how to address any open source security concerns within your organization and understand the difference between securing your open source components and your proprietary code.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Jerika Phelps
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC)
The first quarter of 2016 was a big one for new open source security vulnerabilities. The Glibc vulnerability was by far the biggest. It impacts nearly 900K of the 1 million different open source projects. In this webinar, we’ll dive into Glibc and the Q1 data to help you:
- Understand latest trends in open source security threats and what it means to your organization in 2016
- Simple steps to quickly find and protect yourself from newly reported threats
- Prepare your organization to respond to new vulnerabilities in open source projects
2015 saw continued growth for open source software across many dimensions, a trend expected to continue in this coming year and a range of interesting developments that we reviewed in the last webinar.
In this webinar, the panelists will discuss:
- Open source and application security
- Community-centered compliance as reflected in OpenChain and SPDX
- The explosion of company involvement in collaborative projects
- The direction of the VMware case and other topics we anticipate being hot this year
Register now to join Black Duck, Mark Radcliffe and Karen Copenhaver on to discuss the hot topics generating buzz in the year to come.
You Can’t Live Without Open Source - Results from the Open Source 360 SurveyBlack Duck by Synopsys
Today, open source drives technology and development, and its worldwide adoption ranges from companies with a single employee to large corporations like Microsoft and Apple. All of these organizations rely on open source to innovate, reduce development costs, and speed time to market. Recent research reports point out that open source comprises 80% to 90% of the code in a typical application. Our Open Source 360° survey provides an update on the rapid evolution of open source development, use and management.
The 2017 Open Source 360° survey was conducted through Black Duck’s Center for Open Source Research & Innovation (COSRI), focusing on four important areas of open source – usage, risk, contributions and governance/policies. Our respondents include input from new players, established leaders, and influencers across vertical markets and communities. This range of respondents drives broad industry awareness and discussions of these key issues.
Open Source Insight: Open Source 360 Survey, DockerCon 2017, & More on the Cl...Black Duck by Synopsys
In open source security and cybersecurity news: Take the opportunity to join the Open Source 360 Survey and help give the world a snapshot of the state of open source in usage, risk, contributions and governance/policies. The top four sessions you don’t want to miss at Dockercon 2017. Does the Cloudera IPO really argue against open source business? TechCrunch creates a new index to track the explosive growth of open source. Why creating an open source ecosystem doesn't mean you're taking on security risks. And building containerized ecosystems with Ansible Container.
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersDevOps.com
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they?
In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about:
The current challenges of the security and development teams when it comes to AppSec
The contradicting views and gaps between the teams on DevSecOps maturity
How to break the silos and advance toward DevSecOps maturity
Supply Chain Solutions for Modern Software DevelopmentSonatype
The concepts of supply chain management, the industrial revolution and the transformation of software development with open source are all tied together in this talk by Brian Fox, VP of Product Management, during the January 2015 Long Island OWASP user group meetup.
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...WhiteSource
The best approaches and practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising on security.
In the movie, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". We built our own RoboCop in order to bring law and order to our CI/CD pipeline. DevOps practices are all about enabling fast and frequent delivery of new software. In order to keep pace in a DevOps culture, application security must be reliably integrated into the CI/CD pipeline.
Security & DevOps - What We Have Here Is a Failure to Communicate!DevOps.com
Past history, differing world views of their roles, shadow IT development, force-fitting security tools, and past frictions can all can make gelling as a cross-functional team difficult. Yet, it’s essential to achieve fast software creation and delivery, while also ensuring the applications created are secure and risk is always appropriately managed.
Where do we start? Start with this webinar featuring Mitch Ashley, security technologist and CEO of Accelerated Strategies Group, who will explore strategies for successful DevSecOps.
You will learn:
How to successfully implement purpose-built, developer friendly secrets management tools security professionals and dev teams are thrilled to embrace.
The State of Open Source Vulnerabilities ManagementWhiteSource
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
In this webinar, SANS's Serge Borso and WhiteSource's Rami Elron provide a product review of our solution. In this webinar, you will learn how WhiteSource's solution can be easily integrated into the software development lifecycle to, detect open source vulnerabilities in real time, prioritize and remediate vulnerabilities and automate policy enforcement throughout the SDLC.
Winning open source vulnerabilities without loosing your deveopers - Azure De...WhiteSource
Tsaela Pinto, Director of Knowledge R&D at WhiteSource, spoke at the Azure DevOps meetup in Tel Aviv about how develpers should part in maintaining open source security
Accelerating Innovation with Software Supply Chain ManagementSonatype
We are going to compare building cars with building software – what we are going to realize is the car industry is leaps ahead of the software industry in managing their supply chain – the question is what can we learn from them? We will explore the question, does closely managing our supply chain have benefit in the software industry?
Getting to Know Security and Devs: Keys to Successful DevSecOpsFranklin Mosley
In the past, security was seen as function of the ‘security’ organization. With DevOps, we aim to break down these silos, and make security a shared responsibility. What do Security and Development teams need know about each other to work together more effectively?
Security in the age of open source - Myths and misperceptionsTim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Jerika Phelps
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC)
The first quarter of 2016 was a big one for new open source security vulnerabilities. The Glibc vulnerability was by far the biggest. It impacts nearly 900K of the 1 million different open source projects. In this webinar, we’ll dive into Glibc and the Q1 data to help you:
- Understand latest trends in open source security threats and what it means to your organization in 2016
- Simple steps to quickly find and protect yourself from newly reported threats
- Prepare your organization to respond to new vulnerabilities in open source projects
2015 saw continued growth for open source software across many dimensions, a trend expected to continue in this coming year and a range of interesting developments that we reviewed in the last webinar.
In this webinar, the panelists will discuss:
- Open source and application security
- Community-centered compliance as reflected in OpenChain and SPDX
- The explosion of company involvement in collaborative projects
- The direction of the VMware case and other topics we anticipate being hot this year
Register now to join Black Duck, Mark Radcliffe and Karen Copenhaver on to discuss the hot topics generating buzz in the year to come.
You Can’t Live Without Open Source - Results from the Open Source 360 SurveyBlack Duck by Synopsys
Today, open source drives technology and development, and its worldwide adoption ranges from companies with a single employee to large corporations like Microsoft and Apple. All of these organizations rely on open source to innovate, reduce development costs, and speed time to market. Recent research reports point out that open source comprises 80% to 90% of the code in a typical application. Our Open Source 360° survey provides an update on the rapid evolution of open source development, use and management.
The 2017 Open Source 360° survey was conducted through Black Duck’s Center for Open Source Research & Innovation (COSRI), focusing on four important areas of open source – usage, risk, contributions and governance/policies. Our respondents include input from new players, established leaders, and influencers across vertical markets and communities. This range of respondents drives broad industry awareness and discussions of these key issues.
Open Source Insight: Open Source 360 Survey, DockerCon 2017, & More on the Cl...Black Duck by Synopsys
In open source security and cybersecurity news: Take the opportunity to join the Open Source 360 Survey and help give the world a snapshot of the state of open source in usage, risk, contributions and governance/policies. The top four sessions you don’t want to miss at Dockercon 2017. Does the Cloudera IPO really argue against open source business? TechCrunch creates a new index to track the explosive growth of open source. Why creating an open source ecosystem doesn't mean you're taking on security risks. And building containerized ecosystems with Ansible Container.
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersDevOps.com
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they?
In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about:
The current challenges of the security and development teams when it comes to AppSec
The contradicting views and gaps between the teams on DevSecOps maturity
How to break the silos and advance toward DevSecOps maturity
Supply Chain Solutions for Modern Software DevelopmentSonatype
The concepts of supply chain management, the industrial revolution and the transformation of software development with open source are all tied together in this talk by Brian Fox, VP of Product Management, during the January 2015 Long Island OWASP user group meetup.
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...WhiteSource
The best approaches and practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising on security.
In the movie, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". We built our own RoboCop in order to bring law and order to our CI/CD pipeline. DevOps practices are all about enabling fast and frequent delivery of new software. In order to keep pace in a DevOps culture, application security must be reliably integrated into the CI/CD pipeline.
Security & DevOps - What We Have Here Is a Failure to Communicate!DevOps.com
Past history, differing world views of their roles, shadow IT development, force-fitting security tools, and past frictions can all can make gelling as a cross-functional team difficult. Yet, it’s essential to achieve fast software creation and delivery, while also ensuring the applications created are secure and risk is always appropriately managed.
Where do we start? Start with this webinar featuring Mitch Ashley, security technologist and CEO of Accelerated Strategies Group, who will explore strategies for successful DevSecOps.
You will learn:
How to successfully implement purpose-built, developer friendly secrets management tools security professionals and dev teams are thrilled to embrace.
The State of Open Source Vulnerabilities ManagementWhiteSource
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
In this webinar, SANS's Serge Borso and WhiteSource's Rami Elron provide a product review of our solution. In this webinar, you will learn how WhiteSource's solution can be easily integrated into the software development lifecycle to, detect open source vulnerabilities in real time, prioritize and remediate vulnerabilities and automate policy enforcement throughout the SDLC.
Winning open source vulnerabilities without loosing your deveopers - Azure De...WhiteSource
Tsaela Pinto, Director of Knowledge R&D at WhiteSource, spoke at the Azure DevOps meetup in Tel Aviv about how develpers should part in maintaining open source security
Accelerating Innovation with Software Supply Chain ManagementSonatype
We are going to compare building cars with building software – what we are going to realize is the car industry is leaps ahead of the software industry in managing their supply chain – the question is what can we learn from them? We will explore the question, does closely managing our supply chain have benefit in the software industry?
Getting to Know Security and Devs: Keys to Successful DevSecOpsFranklin Mosley
In the past, security was seen as function of the ‘security’ organization. With DevOps, we aim to break down these silos, and make security a shared responsibility. What do Security and Development teams need know about each other to work together more effectively?
Security in the age of open source - Myths and misperceptionsTim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Secure application deployment in the age of continuous deliveryTim Mackey
As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Application security meetup k8_s security with zero trust_29072021lior mazor
The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
This session will cover the foundations DevSecOps and the application of Chaos Engineering for Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allows for teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines, allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, Security focused Chaos Engineering allows teams to proactively, safely discover system weakness before they disrupt business outcomes.
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.
The security practitioner's role is changing significantly. Trends like mobile, cloud, DevOps, and Zero Trust are creating new roles and erasing others. This presentation navigates these changes and makes some recommendations for folks wanting to keep up with the curve.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
Jump Start Your Application Security KnowledgeDenim Group
How to Jump-Start Your Application Security Knowledge
For the Network Security Guy Who Knows Nothing about Web Applications
Most security officers are not software developers, and rarely do they have control over the security associated with internally developed software systems. However, CSO's are still frequently held accountable when externally-facing software is compromised and a breach occurs. Unless security professionals radically upgrade their knowledge of software and software development techniques, they will continue to inadequately manage the risk that custom software systems represents to the enterprise.
Presented by John Dickson of Denim Group and Jeremiah Grossman of WhiteHat Security, this webinar will help non-development security managers understand the salient aspects of the software development process and to upgrade their IQ on software. It will help them to identify risks with different assessment approaches, how to inject themselves into the development process at key "waypoints," and to understand ways to influence development peers to write more secure code.
Open Source evaluation: A comprehensive guide on what you are usingAll Things Open
Presented at All Things Open 2023
Presented by Viral Chhasatia & Karan Marjara - Amazon
Title: Open Source evaluation: A comprehensive guide on what you are using
Abstract: What happens if an open source package your service relies on changes direction or shuts down? This talk provides a step-by-step approach that enables users to thoroughly assess open source software risks and rewards before making a final decision to use it in your product or service.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
2023 conference: https://2023.allthingsopen.org/
While vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization's attack surface: known vulnerabilities in applications that are built in-house.
At the Synopsys Security Event - Israel, Tim Mackey, Senior Technical Evangelist at Black Duck by Synopsys presents on open source and containers. For more information, please visit our website at www.synopsys.com/software.
Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.
Keynote on why you should make Infosec a board level strategic item, how you should raise it to this level and how to approach Information Security strategically
Similar to A question of trust - understanding Open Source risks (20)
Secure Application Development in the Age of Continuous DeliveryTim Mackey
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
As presented at LinuxCon/ContainerCon 2016:
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications.
Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment.
Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.
Secure application deployment in Apache CloudStackTim Mackey
At the Apache CloudStack Collaboration Conference in Montreal, I presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.
The XenServer virtualization platform is used by well over 100,000 organizations to fulfill their IT objectives. Common scenarios include traditional server virtualization such as that found with VMware vSphere, delivery of large scale cloud services via Apache CloudStack or OpenStack, and as a platform for high performance desktop virtualization through XenDesktop. These use cases all have requirements of scale and manageability which imply solid deployments.
The content in this deck was presented in workshop form at FOSSETCON in 2015. Much of the information contained will work for any XenServer version, but XenServer 6.5 was covered. The audience was assumed to have some familiarity with virtualization concepts, but no assumptions about XenServer was made. Core concepts covered included; storage design, network design and operations, scalability and failure domains, as well as core features such as virtualized graphics.
XenServer Virtualization In Cloud EnvironmentsTim Mackey
= As presented at the CloudStack Silicon Valley Meetup in September 2015. =
XenServer is a virtualization platform which has been deployed in a variety of industries and to support a multitude of workloads. In this session we discuss some of the components which make it valuable not just for traditional server and desktop virtualization, but also within "the cloud". This includes discussion of VM density, network scalability, containers (such as Docker) and GPU virtualization. We end with coverage of how XenServer templates are represented within Apache CloudStack.
Selecting the correct hypervisor for CloudStack 4.5Tim Mackey
Apache CloudStack supports multiple hypervisors out of the box, and the obvious question is which hypervisor is best for CloudStack. In this session we cover core CloudStack components such as networking, storage and virtualization functions to present which hypervisor is able to meet a given requirement. The core take-away is that with an understanding of the services to be delivered the correct hypervisor, or hypervisors, can be selected with relative ease. This deck is as delivered at CloudStack Days 2015 in Seattle.
User Transparent Service Migration to the CloudTim Mackey
While creating a cloud such as OpenStack is fairly easy, template management is more challenging. In this session we discuss how systems engineering and tooling can be combined to allow legacy infrastructure and virtual machines to be converted to templates without downtime. These templates can then be deployed within the cloud and users migrated with minimal interruption. This deck is as delivered at CloudOpen 2015 in Seattle.
CloudOpen Japan - Controlling the cost of your first cloudTim Mackey
As presented at CloudOpen Japan in Tokyo in 2015.
Today everyone is talking about clouds, and some are building them, but far fewer are operating successful clouds. In this session we'll examine a variety of paradigm shifts must IT make when moving from a traditional virtualization and management mindset to operating a successful cloud. For most organizations, without careful planning the hype of a cloud solution can quickly overcome its capabilities and existing best practices can combine to create the worst possible cloud scenario -- a cloud which isn't economical to operate, and which is more cumbersome to manage than a traditional virtualization farm. Key topics covered will include; transitioning the operational paradigm, the impact of VM density on operations and network management, and preventing storage cost from outpacing requirements.
Taming the cost of your first cloud - CCCEU 2014Tim Mackey
Today everyone is talking about clouds, and a few are building them, but far fewer are operating successful clouds. In this session we'll examine a variety of paradigm shifts IT makes when moving from a traditional virtualization and management mindset to operating a successful cloud. For most organizations, without careful planning the hype of a cloud solution can quickly overcome its capabilities and pre-existing best practices can combine to create the worst possible cloud scenario -- a cloud which isn't economical to operate, and which is more cumbersome to manage than a traditional virtualization farm.
Key topics covered include:
- Successful transition of operational and management paradigm
- How the VM density of clouds change Ops
- What it means to monitor the network in a cloud environment, at hyper-dense virtualization levels
- Preventing storage costs from outpacing delivery costs
Using Packer to Migrate XenServer Infrastructure to CloudStackTim Mackey
When adopting IaaS cloud solutions, one of the biggest challenges will be template management. Creating that first template can easily be more challenging that deploying the cloud software itself. In this presentation two options are presented for template creation, using a kickstart file or cloning a running VM with Packer from packer.io as the core framework.
This presentation was delivered at CloudStack Days 2015 in Austin Texas. Two demos were given. The first demo used an existing XenServer environment to create a golden master from ISO and kickstart file, then automatically upload it to a CloudStack management server for deployment. The second demo cloned a running VM and created a template which was then uploaded to CloudStack. In the case of the running VM, migration occurred without any user interruption. The VM in question was a CentOS 7 image, and the hypervisor for both source infrastructure and CloudStack compute was XenServer based
Hypervisor Selection in Apache CloudStack 4.4Tim Mackey
Building an infrastructure as a service cloud involves a number of technology decisions, many of which could have unforeseen impact. Hypervisors form the core of an IaaS cloud, and whether you are a fan of Microsoft Hyper-V, VMware vSphere, KVM in any Linux variant or XenServer from Citrix, each of these hypervisors provide unique capabilities within an Apache CloudStack 4.4 based cloud.
OSCON2014: Understanding Hypervisor Selection in Apache CloudStackTim Mackey
A presented at OSCON 2014, this deck covers the matrix of capabilities each supported hypervisor brings to the Apache CloudStack table when building a cloud.
Make your first CloudStack Cloud successfulTim Mackey
As presented at the 2014 CloudStack Collaboration Conference in Denver (CCCNA14), this deck covers some of the decision points impacting a successful deployment of CloudStack within your organization. Critical elements such as storage and networking are discussed to create a blueprint which seeks to remove some of the learning curve associated with the transition from data center management to cloud management.
Decisions behind hypervisor selection in CloudStack 4.3Tim Mackey
As presented at the 2014 CloudStack Collaboration Conference in Denver (CCCNA14), this deck covers the matrix of functions and features within each supported hypervisor in CloudStack 4.3. This deck forms an excellent reference document for those seeking to provide multi-hypervisor support within their Apache CloudStack based cloud, and for those seeking to determine which feature elements are supported by a given hypervisor.
Hypervisor Selection in CloudStack and OpenStackTim Mackey
Deploying a successful cloud is a function of the capabilities of both the virtualization layer and the cloud orchestration platform. In this deck, presented at the annual Deep Dive Day hosted by the Boston Virtualization User Group (virtg.com), I covered CloudStack 4.3 and OpenStack Havana. The deck doesn't seek to define a "best" option, but to provide the information data center architects and system administrators require regardless of preference for KVM, XenServer, vSphere or Hyper-V.
Hypervisor Capabilities in Apache CloudStack 4.3Tim Mackey
Apache CloudStack 4.3 adds support for clouds built using Microsoft Hyper-V, in addition to supporting VMware vSphere, Citrix XenServer, KVM, Oracle VM, Linux Containers and bare metal options. This deck covers the decision points impacting the design of CloudStack 4.3 clouds, and their relationship with hypervisor choices.
Presented at Build a Cloud Day co-located with SCaLE 12x in February 2014.
CloudStack is one of many cloud orchestration platforms which can deliver IaaS clouds. One of the key capabilities of CloudStack is its ability to support multiple hypervisors in a CloudStack cloud. So whether your virtualization preference is VMware vSphere, KVM, Citrix XenServer or Linux Containers (LXC), you can build highly scalable clouds. While basic functionality is common across all hypervisors, many features are implemented differently on each. This paper presents the capabilities of CloudStack which can be enabled based on your hypervisor selection
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Leading Change strategies and insights for effective change management pdf 1.pdf
A question of trust - understanding Open Source risks
1. A Question of Trust –
Understanding Open Source
Security Risks –
A Container Story
By Tim Mackey – Black Duck Software
Bay Area Cyber Security Meetup – January 2018
2. #whoami – Tim Mackey
Current roles: Senior Technical Evangelist; Occasional coder
• Former XenServer Community Manager in Citrix Open Source Business Office
Cool things I’ve done
• Designed laser communication systems
• Early designer of retail self-checkout machines
• Embedded special relativity algorithms into industrial control system
Find me
• Twitter: @TimInTech ( https://twitter.com/TimInTech )
• SlideShare: slideshare.net/TimMackey
• LinkedIn: www.linkedin.com/in/mackeytim
3. Security Driven Development and Deployment
Developers are empowered with security information
Clear security driven release policies exist
Trusted components are used as dependencies
CI processes incorporate security testing
Binary artifacts are only created when release policies are met
Releasable binaries are digitally signed
Container images are built from trusted base images
Produced images are stored in trusted container registries
Containers are only deployed from trusted registries
4. Data Breaches are Serious Business
• Average cost of data breach: $7.35 Million
• Lost business: $4.03 Million
• Average time to identify and contain a breach: 206 days
Source: 2017 Cost of Data Breach Study – Ponemon Insitute
5. Question Everything and Continually Evaluate Trust
Where does your base image actually come from?
What is the health of that base image?
You’re updating it at build time, but from what cache?
You trust your build servers, but who controls them?
Is there any way a foreign container can start in your environment?
Who has rights to modify container images?
What happens if base image registry goes away?
What happens if base image tag goes away?
What happens if an update mirror goes down?
When a security disclosure happens what’s the process to determine impact?
How are images being updated and deployed in the face of new security disclosures?
6. CLOSED SOURCE COMMERCIAL CODE
• TRADITIONAL PROCUREMENT PROCESS
• ALERTING AND NOTIFICATION INFRASTRUCTURE
• SUPPORT AVAILABLE THROUGH EOL
• STAFFED WITH SECURITY RESEARCHERS
• REGULAR PATCH UPDATES
• DEDICATED SUPPORT TEAM WITH SLA
OPEN SOURCE CODE
• AD-HOC ADOPTION MODEL
• MONITOR NEWSFEEDS YOURSELF
• EOL MAY CREATE DEADEND
• “COMMUNITY”-BASED CODE ANALYSIS
• NO STANDARD PATCHING MECHANISM
• ULTIMATELY, YOU ARE RESPONSIBLE
Commercial Software Rules Don’t Apply
8. Patches Available
Media
Coverage
Embargo
Expires
Oct 21 2016
Git://id
Upstream
Patch
Vuln: CVE-2016-5195 –
AKA “Dirty Cow”
Oct 18 2016
National
Vulnerability
Database
Vuln
Published
Nov 10 2016
Highest Security Risk
Timing is Opportunity
9. Security Analysis Isn't Only SAST/IAST/DAST
All possible security vulnerabilities
Vulnerability Analysis
- Identifies vulnerable dependencies
- 3000+ disclosures in 2015
- 4000+ disclosures in 2016
- 13,000+ disclosures through Nov 2017
- Most vulnerabilities found by researchers
Static, Interactive and Dynamic Analysis
- Discover common security patterns
- Challenged by nuanced bugs
- Focuses on your code; not upstream
10. Heartbleed: Why in 2017?
Don’t Give Attackers Opportunities
OpenSSH (CVE-2004-1653): AllowTCPForwarding creates open IoT
proxy
Apache Struts (CVE-2017-5638): Vulnerability response time
matters
11. 1649 Days 144 Days7 Days
The Tale of CVE-2017-5638 and Equifax
Code Bug
Introduced
August
2012
Struts 2.3
Released
November
2012
Struts 2.5
Released
May
2016
Patches
Available
March 6
2017
March 7
2017
Disclosure
Published
NVD
Details
March 14
2017
Hacks
Successful
May 13
2017
Hacks
Discovered
July 29
2017
12. Focus on Factors Impacting Risk
Use of vulnerable open source components
• What are my dependencies and where are they coming from?
• Is component a fork or dependency?
• How is component linked?
Impact of Point in Time Decisions
• Can you differentiate between “stable” and “dead”?
• Is there a significant change set in your future?
• API versioning
• Security response process for project
• Commit velocity and contributors
14. We’re all Researchers – Report What You Find
Distributed Weakness Filing
• Open Source specific CNA
• Designed for Open Source
projects without an existing CNA
Increasing vulnerability awareness
• Reinforce security collaboration
• Reduce islands of knowledge https://iwantacve.org
https://github.com/distributedweaknessfiling/
16. LEVEL 1 – BLISSFUL IGNORANCE
No policies in place to manage open
source security and licensing risks.
Unknown versions and dependencies.
No documentation of intent.
17. LEVEL 2 – AWAKENING
Inconsistent manual processes to
identify and report on open source
usage. Conceptual awareness of
license requirements. Unaware of
security implications of open
source usage.
18. LEVEL 3 – UNDERSTANDING
Manual review processes, and basic
tooling. Primary focus on license
compliance. Accuracy is difficult to
maintain. Provides limited insight into
security vulnerabilities.
Tools: Spreadsheets, low cost tools,
sporadic security scans
19. LEVEL 4 – ENLIGHTENMENT
Automatic identification of open
source components and
versions. Direct mapping to
licenses and disclosed
vulnerabilities. Integration with
developer, issue management,
CI/CD and deployment tools.
20. Open Source Security Requires End-End Visibility
INVENTORY
Open Source
Components
MAP
To Known
Vulnerabilities
IDENTIFY
Open Source
Risks
MANAGE
Open Source
Governance
Policies
ALERT
For New
Vulnerabilities
Automation and workflow
Integration with DevOps tools and processes
https://www.cesg.gov.uk/guidance/open-source-software-%E2%80%93-exploring-risk-good-practice-guide-38
If you’re using commercial software, the vendor is responsible for best practice deployment guidance, the notification of any security vulnerabilities and ultimately patches and workarounds for disclosed vulnerabilities. This is part of the deliverable they provide in return for their license fee.
If you’re using open source software, that process becomes partly your responsibility. To illustrate the level of information you have to work with, let’s look at a media-wiki maintenance release from December 2015.
“various special pages resulted in fata errors” – this clearly is something which needs resolution, but which pages? How do you test?
“1.24.6 marks the end of support for 1.24.x” – this is good to know, but I hope it was published elsewhere.
“However, 1.24.5 had issues (along with other versions) so it was thought fair to fix them” – This is a good thing, but can we expect this treatment in the future? From the title, we also have a fix for 1.23.x, but what other versions?
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT)
http://cve.mitre.org/cve/cna.html
https://openclipart.org/detail/200681/primary-patch
https://www.youtube.com/watch?v=hkryI6eapOA
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT)
http://cve.mitre.org/cve/cna.html
https://openclipart.org/detail/200681/primary-patch
https://www.youtube.com/watch?v=hkryI6eapOA