This document provides an introduction to DevOps including:
- A brief history of DevOps from 2007-2011 when the term was coined and practices began emerging.
- Definitions of DevOps focusing on bridging development and operations teams and delivering software faster.
- Why DevOps is used, particularly for large distributed applications, to increase delivery speed and reduce failures.
- Key DevOps principles of automation, continuous delivery, and measuring outcomes.
- Common DevOps practices like infrastructure as code, containerization, microservices, and cloud infrastructure.
The document discusses how to derive dependency structures for legacy J2EE applications. It proposes analyzing all application tiers together using a language-independent model and parsing various artifacts. Configuration files and limited data flow analysis are used to understand dependencies. Container dependencies are explicitly codified by studying technology specifications and codifying dependency rules to apply when certain code patterns are detected in applications. This allows completing an application's dependency graph.
Security Implications for a DevOps Transformation (Deborah Schalm)
DevOps aims to break down silos between development and operations teams through collaboration, automation, and continuous delivery. While this provides benefits, it can also introduce security risks if security is not properly included. The presentation discusses five key aspects of a DevOps transformation and their security implications. It argues that DevOps and security are not mutually exclusive if security is incorporated through collaboration, automated testing of security requirements, and accelerating remediation of vulnerabilities.
Continuous Delivery for people who do not write code - Matthew Skelton - Conflux (Matthew Skelton)
Continuous Delivery is a proven set of practices for reliable software releases through build, test, and deployment automation. Organisations around the world have adopted Continuous Delivery (CD) to increase speed and safety of software changes whilst reducing errors and problems in Production.
This talk is an overview of Continuous Delivery for people who do not write code. If you are a delivery manager, project manager, release manager, operations person, business analyst, or anyone else involved in the building, testing, releasing, and running of software systems, this talk will give you an understanding of what Continuous Delivery is about and how it feels to be part of a CD organisation.
(From a talk given in Leeds, UK on 24 Sept 2018)
Building DevOps in the enterprise: Transforming challenges into organizationa... (Jonah Kowall)
In the second webinar of this multi-part series, Building DevOps in the Enterprise, Jonah Kowall, VP of Market Development and Insights at AppDynamics, will present his thoughts and opinions on the current and future state of DevOps.
Join Jonah as he explores best practices, concepts, and ideas to enable your enterprise DevOps. You’ll also learn about team management areas that are key for success, like developing ownership, trust, accountability, and how that culture is managed at scale while preserving team autonomy.
Key takeaways:
Organizational patterns: How to manage teams and foster culture to scale
Legacy problems enterprises face: How to work faster despite legacy applications
Microservices — Peak Hype: Examine the cycle on this hot trend, balanced with a reality check and raised expectations
The Struggle of Bimodal IT: Which apps work best in a lower, yet more predictable and stable mode versus those which need fast iteration and experimentation
API-Driven Architectures and Microservices: Learn to solve common DevOps challenges
Organizations of all sizes are using automation and agile methodologies to improve the speed and reliability of their software development initiatives. In this session we will provide an overview and demonstrations of the various ways you can integrate Black Duck Hub with your CI/CD tools to manage open source risks throughout development.
Srikanth Burra has over 3.5 years of experience in storage and software testing. He has worked on projects involving validating SAN, NAS, and virtualization technologies. Some of the projects he has worked on include testing Vormetric's proxy server, Skyera's all-flash array storage platform, and integrating VAAI functionality with LIO Target. His responsibilities have included developing and executing test cases, performance and concurrency testing, defect reporting and verification, and documentation.
Everything you need to know about your open source support contract (Rogue Wave Software)
For us, open source support is much more than fixing systems broken in production; it’s about partnering with your team to provide world-class expertise, training, and support solutions before, during, and after your software goes live. For you, we offer complete solutions across the lifecycle, from architecture to decommissioning, that are faster than the community and more reliable than a Google search. This presentation walks through the support services included in your current support contract. We’ll review how the support process works, the types of incidents we see, the packages we support, and cover all the reviews, audits, production optimization, training, and troubleshooting services available to your team and other teams within the company.
GitLab is a popular DevOps platform that provides an ecosystem for code management, release management, and continuous integration and delivery (CI/CD) pipelines. This document discusses implementing DevOps using the GitLab ecosystem, including its tools, branching strategies, and designing a GitLab-based DevOps implementation. It provides an overview of the key GitLab tools and interfaces for users, and describes best practices for areas like source code management, continuous integration, monitoring, and security.
DevOps is a software development approach that emphasizes collaboration between development and operations teams throughout the development lifecycle. Central to DevOps is continuous delivery, which involves frequent software releases through an automated testing pipeline. This pipeline incorporates various types of testing at different stages to catch issues early. Automated deployment is key to continuous delivery, allowing for more testing opportunities like automated functional and security testing. Implementing practices like continuous integration, unit testing, code coverage, mutation testing, static analysis, and automated deployment verification can improve software quality by enabling more testing and fearless refactoring.
Vincent Partington, CTO at XebiaLabs, and Amy Johnston, Product Manager, give a combined presentation on the deployment challenges of containers and cloud technology at the DevOps Leadership Summit in Boston MA.
Strategies for agile software test automation (Eliane Collins)
The document discusses strategies for agile software test automation based on an industrial experience. It describes three strategies used: 1) testers automating unit and system tests, 2) developers automating unit tests and testers automating system tests, and 3) a collaborative strategy where automation tasks are shared. The collaborative strategy was found to have the most benefits, including improved test automation, early security and load testing, intense team collaboration, and knowledge sharing. Lessons learned are that collaboration supports agile test automation success and automation should be layered, simple, reusable and maintainable.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The How and Why of Container Vulnerability Management (Tim Mackey)
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to the application issues attackers choose to exploit, it’s critical to have visibility both into what is in your container library and into what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
This document outlines a research plan to collect and identify microservices patterns and anti-patterns. The plan involves extracting patterns from literature and existing software, categorizing the patterns, and creating an automated tool to identify patterns by analyzing deployment scripts and source code. The contributions will be an exhaustive catalog of microservices patterns and anti-patterns, and a fully automated tool to identify them. Challenges include the newness of microservices and lack of open source projects. The goal is to support microservices development and maintenance.
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper (Gene Gotimer)
The continuous delivery pipeline is the process of taking new or changed features from developers, and getting features deployed into production and delivered quickly to the customer. Gene Gotimer says testing within continuous delivery pipelines should be designed so the earliest tests are the quickest and easiest to run, giving developers the fastest feedback. Successive rounds of testing lead to increased confidence that the code is a viable candidate for production and that more expensive tests—time, effort, cost—are justified. Manual testing is performed toward the end of the pipeline, leaving computers to do as much work as possible before people get involved. Although it is tempting to arrange the delivery pipeline in phases (e.g., functional tests, then acceptance tests, then load and performance tests, then security tests), this can lead to serious problems progressing far down the pipeline before they are caught. Gene shows how to arrange your tests so each round provides just enough testing to give you confidence that the next set of tests is worth the investment. He explores how to get the right types of testing into your pipeline at the right points.
As presented by Mike Pittenger, VP of Security Strategy, at a lunch and learn on September 13, 2016.
Learn how your organization can:
* Know what's inside your code by identifying the open source you're using
* Map against known vulnerabilities and accelerate remediation efforts
* Take action to effectively secure and manage open source without impacting your agile SDLC
This document provides information on top DevOps solution providers. It discusses the services offered by CloudBees, CloudHesive, Plutora, XenonStack, OpenMake Software, Cloudmunch, and Shippable. The services include continuous integration, continuous delivery, infrastructure automation, release management, and DevOps consulting. Pricing models vary between free trials, pay-per-use, and monthly subscriptions. The document aims to help users choose a DevOps solution that best fits their needs and budget.
The Hub builds on all the great technology developed in the Black Duck Suite over the past 10 years combined with a revamped UI and an integrated set of features. It's much easier than you would think to make the move from the Suite to the Hub. Learn how in this revealing session.
Scott M. Johnson, Lead PM - Technical Compliance presented, "How Docusign uses Black Duck for DevOps, AppSec and Compliance." For more information, visit our website at www.blackducksoftware.com.
Integrating security into Continuous Delivery (Tom Stiehm)
This document discusses integrating security practices into continuous delivery processes. It describes Coveros' SecureAgile development process which includes threat modeling, risk analysis, penetration testing, security stories, secure code reviews, defensive coding and design, and secure testing. The goal is to assure timely delivery of software while achieving security objectives. Integrating security helps make applications more secure, reduces security costs, improves quality, and protects applications from attackers.
This document summarizes the key activities and learnings from an industrial internship exploring life cycle management tools in a telecom software environment. The internship involved:
1) Exposure to industry standard tools like Git, Maven, and Wireshark used in telecom software projects for development and testing.
2) Two assignments - the first involved studying networking protocols using Wireshark, the second focused on understanding software lifecycle tools like Git and Maven.
3) Working on an OpenDaylight SDN Controller project to extend its capabilities. The intern gained experience setting up development environments and compiling code using Maven.
DevOps and Safety Critical Systems discusses applying DevOps practices like continuous deployment to safety critical systems. It proposes "partial continuous deployment" which involves:
1. Identifying and isolating safety critical portions of a system's architecture.
2. Applying continuous deployment practices to non-safety critical portions.
3. Continuing traditional testing methods for safety critical portions.
It discusses past efforts in smart grid security controls and hardening deployment pipelines that provide foundations for this approach. Key steps include explicitly defining safety requirements, analyzing architectures to identify minimum required safe components, and refactoring to separate safe and non-safe concerns. Regulatory approval is viewed as a major gate to implementing partial continuous deployment for real safety
Arthur Hicken, Chief Evangelist of Parasoft, @ PSQT 2016 discusses:
• What the shift from automated to continuous means
• How disruption requires changes to how we test software
• Addressing gaps between Dev and Ops
• Technologies that enable Continuous
Fasten Industry Meeting with GitHub about Dependency Management (Fasten Project)
Georgios Gousios, Professor in the TUDelft Software Engineering Research Group and Scientific Coordinator of the FASTEN Project, offered this Dependency Management synthesis to 30 GitHub professionals, including remote attendees, on April 17, 2019 before discussing potential collaborations. More: https://www.fasten-project.eu/view/Events/
Learn how this Black Duck customer tracks the potential impact of open source security vulnerabilities in all its products while ensuring the SDLC remains fast and agile.
Leverage DevOps & Agile Development to Transform Your Application Testing Pro... (Deborah Schalm)
Discover how Sona Srinivasan, Senior Architect of Cisco IT’s Global Architecture and Technology Services group, helps transform an IT DevOps strategy to a Security DevOps strategy, with IBM Security's assistance. Cisco is presently implementing continuous security and agile methods throughout the software development lifecycle (SDLC), and specific examples of current initiatives will be reviewed in this session.
Overcoming software development challenges by using an integrated software fr... (Design World)
With ever-increasing connectivity options, security protocols and sophisticated human interfaces, software and AP developers find themselves caught more deeply in the dichotomy of dealing with the increasing complexity of designs and shrinking timelines. Resource constraints and a constantly evolving software landscape pose challenges to software integration that have to be overcome to enable designers to focus on the actual application.
Developers need a Modular Software Framework that accelerates software integration, provides flexible programming options and enables application re-use across multiple platforms. “That framework is MPLAB® Harmony.”
Join us for the webinar series where we provide a technical overview of MPLAB® Harmony, Live tool demos, Microchip and third party Middleware support and finally demonstrate how Harmony accelerates software integration and moves development focus and resources to Application Development and testing.
In this first installment of a three part webinar series attendees will learn:
-Current Software Development Challenges and how MPLAB® Harmony, Microchip’s software framework, overcomes them.
-Technical Overview of MPLAB® Harmony Framework.
-Integrating RTOS in an embedded development ecosystem.
-Graphics Application demo illustrating how MPLAB® Harmony facilitates changing system requirements.
GitLab is a popular DevOps platform that provides an ecosystem for code management, release management, and continuous integration and delivery (CI/CD) pipelines. This document discusses implementing DevOps using the GitLab ecosystem, including its tools, branching strategies, and designing a GitLab-based DevOps implementation. It provides an overview of the key GitLab tools and interfaces for users, and describes best practices for areas like source code management, continuous integration, monitoring, and security.
DevOps is a software development approach that emphasizes collaboration between development and operations teams throughout the development lifecycle. Central to DevOps is continuous delivery, which involves frequent software releases through an automated testing pipeline. This pipeline incorporates various types of testing at different stages to catch issues early. Automated deployment is key to continuous delivery, allowing for more testing opportunities like automated functional and security testing. Implementing practices like continuous integration, unit testing, code coverage, mutation testing, static analysis, and automated deployment verification can improve software quality by enabling more testing and fearless refactoring.
Vincent Partington, CTO at XebiaLabs, and Amy Johnston, Product Manager, give a combined presentation on the deployment challenges of containers and cloud technology at the DevOps Leadership Summit in Boston MA.
Strategies for agile software test automationEliane Collins
The document discusses strategies for agile software test automation based on an industrial experience. It describes three strategies used: 1) testers automating unit and system tests, 2) developers automating unit tests and testers automating system tests, and 3) a collaborative strategy where automation tasks are shared. The collaborative strategy was found to have the most benefits, including improved test automation, early security and load testing, intense team collaboration, and knowledge sharing. Lessons learned are that collaboration supports agile test automation success and automation should be layered, simple, reusable and maintainable.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
This document outlines a research plan to collect and identify microservices patterns and anti-patterns. The plan involves extracting patterns from literature and existing software, categorizing the patterns, and creating an automated tool to identify patterns by analyzing deployment scripts and source code. The contributions will be an exhaustive catalog of microservices patterns and anti-patterns, and a fully automated tool to identify them. Challenges include the newness of microservices and lack of open source projects. The goal is to support microservices development and maintenance.
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperGene Gotimer
The continuous delivery pipeline is the process of taking new or changed features from developers, and getting features deployed into production and delivered quickly to the customer. Gene Gotimer says testing within continuous delivery pipelines should be designed so the earliest tests are the quickest and easiest to run, giving developers the fastest feedback. Successive rounds of testing lead to increased confidence that the code is a viable candidate for production and that more expensive tests—time, effort, cost—are justified. Manual testing is performed toward the end of the pipeline, leaving computers to do as much work as possible before people get involved. Although it is tempting to arrange the delivery pipeline in phases (e.g., functional tests, then acceptance tests, then load and performance tests, then security tests), this can lead to serious problems progressing far down the pipeline before they are caught. Gene shows how to arrange your tests so each round provides just enough testing to give you confidence that the next set of tests is worth the investment. He explores how to get the right types of testing into your pipeline at the right points.
As presented by Mike Pittenger, VP of Security Strategy, at a lunch and learn on September 13, 2016.
Learn how your organization can:
* Know what's inside your code by identifying the open source you're using
* Map against known vulnerabilities and accelerate remediation efforts
* Take action to effectively secure and manage open source without impacting your agile SDLC
This document provides information on top DevOps solution providers. It discusses the services offered by CloudBees, CloudHesive, Plutora, XenonStack, OpenMake Software, Cloudmunch, and Shippable. The services include continuous integration, continuous delivery, infrastructure automation, release management, and DevOps consulting. Pricing models vary between free trials, pay-per-use, and monthly subscriptions. The document aims to help users choose a DevOps solution that best fits their needs and budget.
The Hub builds on all the great technology developed in the Black Duck Suite over the past 10 years combined with a revamped UI and an integrated set of features. It's much easier than you would think to make the move from the Suite to the Hub. Learn how in this revealing session.
Scott M. Johnson, Lead PM - Technical Compliance presented, "How Docusign uses Black Duck for DevOps, AppSec and Compliance." For more information, visit our website at www.blackducksoftware.com.
Integrating security into Continuous DeliveryTom Stiehm
This document discusses integrating security practices into continuous delivery processes. It describes Coveros' SecureAgile development process which includes threat modeling, risk analysis, penetration testing, security stories, secure code reviews, defensive coding and design, and secure testing. The goal is to assure timely delivery of software while achieving security objectives. Integrating security helps make applications more secure, reduces security costs, improves quality, and protects applications from attackers.
This document summarizes the key activities and learnings from an industrial internship exploring life cycle management tools in a telecom software environment. The internship involved:
1) Exposure to industry standard tools like Git, Maven, and Wireshark used in telecom software projects for development and testing.
2) Two assignments - the first involved studying networking protocols using Wireshark, the second focused on understanding software lifecycle tools like Git and Maven.
3) Working on an OpenDaylight SDN Controller project to extend its capabilities. The intern gained experience setting up development environments and compiling code using Maven.
DevOps and Safety Critical Systems discusses applying DevOps practices like continuous deployment to safety critical systems. It proposes "partial continuous deployment" which involves:
1. Identifying and isolating safety critical portions of a system's architecture.
2. Applying continuous deployment practices to non-safety critical portions.
3. Continuing traditional testing methods for safety critical portions.
It discusses past efforts in smart grid security controls and hardening deployment pipelines that provide foundations for this approach. Key steps include explicitly defining safety requirements, analyzing architectures to identify minimum required safe components, and refactoring to separate safe and non-safe concerns. Regulatory approval is viewed as a major gate to implementing partial continuous deployment for real safety
Arthur Hicken Chief Evangelist of Parasoft @ PSQT 2016 discusses:
• What the shift from automated to
continuous means
• How disruption requires changes to how
we test software
• Addressing gaps between Dev and Ops
• Technologies that enable Continuous
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Project
Georgios Gousios, Professor at TUDelft Software Engineering Research Group and FASTEN Project and Scientific Coordinator, offered this Dependancy Management synthesis to 30 GitHub professionals incl. remote attendees on April 17, 2019 before discussing potential collaborations. More: https://www.fasten-project.eu/view/Events/
Learn how this Black Duck customer tracks the potential impact of open source security vulnerabilities in all its products while ensuring the SDLC remains fast and agile.
Leverage DevOps & Agile Development to Transform Your Application Testing Pro... (Deborah Schalm)
Discover how Sona Srinivasan, Senior Architect of Cisco IT’s Global Architecture and Technology Services group, helps transform an IT DevOps strategy to a Security DevOps strategy, with IBM Security's assistance. Cisco is presently implementing continuous security and agile methods throughout the software development lifecycle (SDLC), and specific examples of current initiatives will be reviewed in this session.
Overcoming software development challenges by using an integrated software fr... (Design World)
With ever increasing Connectivity options, Security Protocols and Sophisticated Human Interfaces, Software and AP developers find themselves caught more deeply in the dichotomy of dealing with increasing complexity of designs and shrinking timelines. Resource constraints and constantly evolving software landscape provide challenges to software Integration that have to be overcome to enable designers to focus on the actual application.
Developers need a Modular Software Framework that accelerates software integration, provides flexible programming options and enables application re-use across multiple platforms. “That framework is MPLAB® Harmony.”
Join us for the webinar series where we provide a technical overview of MPLAB® Harmony, Live tool demos, Microchip and third party Middleware support and finally demonstrate how Harmony accelerates software integration and moves development focus and resources to Application Development and testing.
In this first installment of a three part webinar series attendees will learn:
-Current Software Development Challenges and how MPLAB® Harmony, Microchip’s software framework, overcomes them.
-Technical Overview of MPLAB® Harmony Framework.
-Integrating RTOS in an embedded development ecosystem.
-Graphics Application demo illustrating how MPLAB® Harmony facilitates changing system requirements.
This document describes OWASP Dependency-Track, a tool for continuous component analysis to reduce open source risk. It integrates with vulnerability databases and monitors applications to identify vulnerabilities. Dependency-Track is designed for automated DevOps environments to accelerate development while monitoring component usage and risk. It supports ingesting software bills of materials during CI/CD to analyze components continuously and provide notifications.
Bridging the Gap: from Data Science to Production (Florian Wilhelm)
A recent but quite common observation in industry is that although there is an overall high adoption of data science, many companies struggle to get it into production. Huge teams of well-paid data scientists often present one fancy model after the other to their managers but their proof of concepts never manifest into something business relevant. The frustration grows on both sides, managers and data scientists.
In my talk I elaborate on the many reasons why data science to production is such a hard nut to crack. I start with a taxonomy of data use cases in order to easier assess technical requirements. Based thereon, my focus lies on overcoming the two-language-problem which is Python/R loved by data scientists vs. the enterprise-established Java/Scala. From my project experiences I present three different solutions, namely 1) migrating to a single language, 2) reimplementation and 3) usage of a framework. The advantages and disadvantages of each approach are presented and general advice based on the introduced taxonomy is given.
Additionally, my talk also addresses organisational problems as well as problems in quality assurance and deployment. Best practices and further references are presented on a high-level in order to cover all facets of data science to production.
With my talk I hope to convey the message that breakdowns on the road from data science to production are rather the rule than the exception, so you are not alone. At the end of my talk, you will have a better understanding of why your team and you are struggling and what to do about it.
1) The document discusses DevOps practices presented at India Agile Week 2013. It describes challenges of manual development and operations processes, including delays, failures, and finger pointing between teams.
2) DevOps aims to streamline the software development lifecycle by involving operations throughout the process. This is achieved by establishing a collaborative culture, adding operations stories to the product backlog, and having operations participate in sprints.
3) Automating tools and workflows provides visibility across the entire release and deployment pipeline. This allows for traceability, continuous integration and deployment, and standardized environments and processes.
How Azure DevOps can boost your organization's productivity (Ivan Porta)
Azure DevOps can boost productivity through collaboration and automation. DevOps aims to continuously deliver value to users through practices like continuous integration, delivery, and deployment. Microsoft tools like Azure Boards, Pipelines, and Repos support the DevOps process. Azure Pipelines automates building, testing, and deploying code. Branching workflows and pull requests enable collaboration. Automation reduces errors and speeds up the release process. DevOps has helped organizations like Fidelity and Amica reduce costs and deployment times.
GreenSocs virtual platforms allow designing, developing, and testing embedded applications as a whole system by modeling both hardware and software together. This enables sizing hardware to match software needs, integrating development, and efficiently debugging and verifying designs. GreenSocs provides integrated virtual platform solutions using open standards like SystemC TLM 2.0. They have expertise in CPU modeling through contributions to QEMU and Gem5, and provide infrastructure libraries, models, and services to help customers develop virtual prototypes.
Intro to GitOps with Weave GitOps, Flagger and Linkerd (Weaveworks)
This document provides an overview of GitOps, service meshes, Linkerd, Flux, Weave GitOps and progressive delivery. It introduces the speakers and outlines the agenda which includes explanations of GitOps, service meshes, Linkerd and Weave GitOps. It then demonstrates how Weave GitOps and Linkerd can be used together for progressive delivery and provides a Q&A section at the end.
How to go from waterfall app dev to secure agile development in 2 weeks (Ulf Mattsson)
The document discusses various topics related to data security and privacy including:
1. International standards for data de-identification techniques and privacy models such as ISO 20889.
2. A comparison of different data de-identification techniques in terms of their ability to reduce risks like singling out, linking, and inference.
3. Examples of mapping de-identification techniques like tokenization and encryption to different data deployment models including centralized/distributed data warehouses and public/private/on-premises clouds.
This document discusses DevSecOps principles for banks and financial institutions. It introduces DevSecOps as an evolution from DevOps that incorporates security practices like risk assessments, security testing, and compliance monitoring directly into the development lifecycle. The presentation outlines key DevSecOps principles like establishing security requirements upfront, implementing controls like access management and logging, and conducting continuous security testing. It provides an example of a Swiss bank that uses Kubernetes, Docker, and security tools from VSHN to operationalize DevSecOps and improve governance.
Programming languages and techniques for today’s embedded and IoT world (Rogue Wave Software)
This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.
OGh Oracle Fusion Middleware Experience 2016 at FIGI Zeist
By Maarten Smeets and Robbrecht van Amerongen, 16-02-2016
OGh FMW Experience, 16 February 2016
Find Out What's New With WhiteSource May 2018 - A WhiteSource Webinar (WhiteSource)
In our latest webinar, we learned about our latest product updates here at WhiteSource. We unveiled our new, revolutionary technology as well as highlighting other cool releases and enhancements.
Open Source evaluation: A comprehensive guide on what you are using (All Things Open)
Presented at All Things Open 2023
Presented by Viral Chhasatia & Karan Marjara - Amazon
Title: Open Source evaluation: A comprehensive guide on what you are using
Abstract: What happens if an open source package your service relies on changes direction or shuts down? This talk provides a step-by-step approach that enables users to thoroughly assess open source software risks and rewards before making a final decision to use it in your product or service.
This candidate has over 10 years of experience in manual and automation testing. They have expertise in test management, test automation using Selenium and TestNG, and agile methodologies. Some of their roles and responsibilities included defining the software testing life cycle, conducting testing for various browsers and platforms, implementing test automation frameworks, and providing guidance to testing teams.
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff (DevSecCon)
This document discusses securing the software development lifecycle (SDLC) when using containers. It begins with an introduction to SDLC models like waterfall and agile. It then covers challenges in applying application security with containers, including unclear boundaries and responsibilities. The main body details how to apply security practices at each phase of the SDLC for containers: requirements, design, implementation, testing, and operations. Key practices include threat modeling, secure coding, image validation, and monitoring. It concludes with emphasizing the importance of involving security champions throughout the process.
Learn how Github analytics can help you gauge the health of your DevOps release cycle, gain visibility into team productivity, and secure your intellectual property.
Similar to Evaluating Open Source Security Software (20)
Information security and digital payments; thoughts about current trends (John ILIADIS)
1) Digital payments and information security have undergone significant changes due to COVID-19, including increased adoption of contactless and digital payments out of health concerns, and new vulnerabilities from remote work.
2) Emerging threats from cloud computing, social engineering during the pandemic, and the use of biometrics in government payments programs have also impacted security.
3) Competition in the payments industry is increasing as large technology companies move into financial services seeking customer data and retention, challenging regulations.
This document discusses security and privacy challenges in the emerging field of RegTech. It begins by providing background on information security certification bodies like (ISC)2. It then notes that security, privacy, compliance and audit pose both tensions and opportunities for collaboration in RegTech. The document outlines recent privacy laws and regulations globally. It argues that privacy and security are not a zero-sum game and that regulation can lead them to mutually reinforce one another. The document then discusses how COVID-19 is accelerating digital transformation and the related security challenges. It provides an overview of the goals and applications of RegTech in financial compliance and risk management. Finally, it acknowledges some risks and obstacles that may hinder RegTech's potential.
Accompanying slides for Chapter 8 "Malicious Software" of the book "Information Systems Security" (http://www.papasotiriou.gr/product/asfaleia-pliroforiakon-sistimaton-237775), March 2004
PKI : The role of TTPs for the Development of secure Transaction Systems (John ILIADIS)
This document discusses the role of trusted third parties (TTPs) in securing electronic transactions through public key infrastructure (PKI). It identifies common security threats to electronic transactions like monitoring, modification, spoofing, and unauthorized access. PKI addresses these threats through encryption, digital signatures, and certificate exchange verified by a TTP. The document presents TTPs as the cornerstone of PKI, providing impartial validation of transactions over insecure networks. A TTP offers services like registration, key generation, certificate management, and auditing to enable secure electronic transactions.
Fifth European Intensive Programme on Information and Communication Technologies Security (IPICS 2002), organised by the University of the Aegean, Greece and IFIP. July 2002, Samos island, Greece
Certificate Revocation: What Is It And What Should It Be (John ILIADIS)
This document presents an alternative mechanism for disseminating certificate status information called ADoCSI (Alternative Dissemination of Certificate Status Information). ADoCSI uses software agents to retrieve and validate certificate status information on behalf of dependent entities in a transparent manner. The document outlines some of the problems that need to be addressed when using agents for certificate status information, such as how to protect agents and the information they carry from unauthorized modification. It also provides an overview of the components involved in ADoCSI, including agent meeting places, certificate authority agents, and an interface agent.
ADoCSI: Towards a Transparent Mechanism for Disseminating Certificate Status ... (John ILIADIS)
The document discusses mechanisms for disseminating certificate status information (CSI) and proposes an alternative called ADoCSI that uses software agents. ADoCSI aims to provide transparency in locating, retrieving, and validating CSI by using agents that can locate CSI from various sources and validate it for dependent entities. The document also identifies problems with existing CSI mechanisms and areas that need solutions for ADoCSI to work effectively, such as protecting agents and the information they carry.
This document provides an overview of e-commerce security through a 70 slide presentation. The presentation covers: an introduction to e-commerce and how it enables new forms of business and communication; how security is needed to enable e-commerce through enabling trust; a primer on information security concepts like confidentiality, integrity and availability; common e-commerce threats and how cryptography can address them; and types of malicious software. The goal is to provide a high-level introduction to considerations around securing e-commerce transactions and systems.
PKI: Overpromising and Underdelivering (John ILIADIS)
John Iliadis provides an overview of public key infrastructure (PKI) in three parts:
1. The document begins by introducing PKI as a promising security solution but notes it is still underdelivering.
2. It then provides a quick overview of information security, cryptography, digital signatures, and PKI outside of an ideal scenario and in the real world.
3. The document concludes by summing up some of the challenges with PKI implementation.
Invited lecture, 2nd Annual Scientific Symposium of the Students of Information and Communication Systems Department, University of the Aegean, Samos, Greece, November 2007
Addressing security issues in programming languages for mobile code - Confere... (John ILIADIS)
The services offered to the Internet community have been constantly increasing over the last few years. This is mainly due to the fact that mobile code has matured enough to provide Internet users with high quality applications that can be executed remotely. When a user downloads and executes code from various Internet sources, security issues arise. In this paper, we address the latter and present a comparative evaluation of the methods used by Java, Safe-Tcl and ActiveX to confront these issues, based on current security functions and implementations as well as on future adjustments and extensions.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Full-RAG: A modern architecture for hyper-personalization (Zilliz)
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Communications Mining Series - Zero to Hero - Session 1 (DianaGray10)
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... (SOFTTECHHUB)
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed in the talk. ICT and testing must carry their part of global responsibility to help with the climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
TrustArc Webinar - 2024 Global Privacy Survey (TrustArc)
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
20 Comprehensive Checklist of Designing and Developing a Website (Pixlogix Infotech)
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Evaluating Open Source Security Software
1. Evaluating Open Source Security Software
SECRETS Project
(IST-2000-29289)
John Iliadis
R&D Unit
Intrasoft International
Slide 1 of 37
2. Summary
The SECRETS project aims at evaluating the use of open source security protocols, with respect to the efficiency and performance of the services they offer, by means of conducting specific experiments.
Protocols:
• OpenSSL (SSL)
• FreeS/WAN (IPsec)
Experiments drawn from:
• E-Commerce
• Mobile Communications
• Network Monitoring
• Intelligent Networks
3. General Approach
• Adapt selected applications to operate with open source security software
• Experiment with the use of open source security software in the selected applications, according to an evaluation methodology
• Produce an evaluation report on the use of OpenSSL and FreeS/WAN
4. SECRETS Evaluation Framework
Evaluation of the developing organisations
• Capability and Stability of the organisations
• Support services for the products
• Ability to feed requirements into the developing process
Product evaluation
• Product Capability
  • Conformity verification
  • Interoperability
• Product Stability
• Product Maintainability
Application experiments
• E-Tender experiment (Intrasoft International)
• GPRS experiment (Motorola)
• Network monitoring experiment (Solinet)
• Intelligent network experiment (Alcatel)
5. Evaluation of the developing organisations (1)
Capability and Stability of the organisations
• The prehistory of the organisation, which will provide an insight into its quality,
• The official start of the Open Source project, and the work performed since then, in order to examine how active the organisation is,
• Licensing scheme under which the software package is distributed,
• The number of members and identity of the development team that contributes to the organisation,
• The commercial or non-commercial applications that use the product – in conjunction with the companies/organisations that interact with the specific organisation.
6. Evaluation of the developing organisations (2)
Support services for the products
• Maintenance and continuous update of a central Web site which is the reference for all the users of the product
• Documentation of the source code
• Installation support
• Releasing of support packages - Patches
Ability to feed requirements into the developing process
7. Product Evaluation (1)
Product Capability
• Conformity verification: the conformity of OpenSSL and FreeS/WAN to Netscape’s SSL and IETF IPsec, respectively
• Interoperability: the ability of OpenSSL and FreeS/WAN to successfully interoperate with other software implementations of the SSL and IPsec protocols
8. Product Evaluation (2)
Product Stability
• a measure of how often the software changes and to what degree
Product Maintainability
• the ability of a user of OpenSSL or FreeS/WAN to understand, maintain, use, and upgrade the software. Evaluation criteria:
  • Available documentation,
  • quality of the code,
  • adherence of the code development to standards adopted by the developing organisation (if any).
9. Test Cases (1)
Intrasoft International: E-Tender – OpenSSL
• Installation and Configuration
• Identification, Authentication, Authorisation
• Integrity
• Confidentiality
Motorola: GPRS – FreeS/WAN
• Installation and Configuration
• Functional verification
• CPU utilisation (10 Mbps: up to 240% in peer, up to 900% in gateway)
• End-to-end delay (10 Mbps: up to 140%)
• Interoperability (Cisco IPsec)
10. Test Cases – Evaluation Metrics (2)
Alcatel: Intelligent Networks – OpenSSL
• Installation and Configuration
• Functionality
• Security
• Performance (3.5% overhead)
• Time critical parts
Solinet: Network Monitoring – OpenSSL
• Installation and Configuration
• Conformity verification
• Performance (40% overhead)
11. OpenSSL – FreeS/WAN Evaluation
OpenSSL Evaluation
• Evaluation of the OpenSSL organisation
• OpenSSL Product Evaluation
• Conclusions
FreeS/WAN Evaluation
• Evaluation of the FreeS/WAN organisation
• FreeS/WAN Product Evaluation
• Conclusions
13. Evaluation of the OpenSSL organisation (1)
Capability and stability of the organisation = good
• Number of members and software releases indicate the organisation is actively promoting the use of OpenSSL
• Licensing scheme allows unrestricted and free use in commercial products.
• A high number of open source and commercial products already use OpenSSL
Slide 13 of 37
14. Evaluation of the OpenSSL organisation (2)
Support services for the products = fair
• User-friendly navigation in the OpenSSL web site
• Straightforward and documented OpenSSL installation procedure
• Structured documentation, but
  • incomplete
  • overlapping (documentation for old and new versions of the same functionality coexist)
• Poor patch installation guidelines; expertise required.
Slide 14 of 37
15. Evaluation of the OpenSSL organisation (3)
Ability to feed requirements into the developing process = good
• User support channels: Internet mailing lists
  • Rapid response to posted questions, within the open source community practices.
  • Rapid inclusion of reported bugs in the developing process, within the open source community practices.
• Replies posted in mailing lists provide accurate information
Slide 15 of 37
17. OpenSSL software module evaluation (2)
Software module capability: Conformity verification (2)
The A8619 has been configured with:
• IEEE 802.3 MAC protocol disassembly profile
• IP protocol disassembly profile
• TCP protocol disassembly profile
• SSL/TLS protocol disassembly profile
• X.509 certificate decoding profile
Slide 17 of 37
18. OpenSSL software module evaluation (3)
Software module capability: Conformity verification (3)
The OpenSSL protocol negotiation has been decoded properly using the relevant A8619 protocol disassembly profiles, verifying the conformity of the OpenSSL protocol to the relevant standards.
Slide 18 of 37
19. OpenSSL software module evaluation (4)
Software module capability: Interoperability
• Interoperability with Microsoft Internet Explorer and Netscape Navigator
• Experimenting with Apache Web Server
  • Apache uses OpenSSL for SSL support, through the modSSL interface module
  • Apache used extensively (60% of Web Servers worldwide, Netcraft survey, November 2002)
  • modSSL backwards compatible with other OpenSSL interface modules
Slide 19 of 37
20. OpenSSL software module evaluation (5)
Software module capability: Interoperability (2)
• Interoperability problems located:
  • OpenSSL supports a Password Based Encryption method for private keys (PBE-MD5-DES) that is not supported by all Web browsers
    solution: use other OpenSSL PBE methods for encrypting private keys to be used by Web browsers
  • Minor ASN.1 encoding errors, resulting in malformed certificates being parsed incorrectly
    solution: update OpenSSL when the ASN.1 encoding errors are fixed
Slide 20 of 37
21. OpenSSL software module evaluation (6)
Software module stability
OpenSSL product stability factor: 0.51
According to established software engineering practices, a product stability factor of 0.5 is considered to be adequate for commercial software. Therefore, the open source OpenSSL software package is considered stable.
Slide 21 of 37
22. OpenSSL software module evaluation (7)
Software module maintainability (1)
• Few patches: patch factor 0.022; the influence of patches on maintainability is minor.
• ‘Makefiles’ available for automatic compilation and installation of the OpenSSL software package on a variety of operating systems.
• Distributions contain a text file where all changes since the previous version are described
• Online documentation available, comprising:
  • contributions by code authors,
  • contributions by third parties,
  • lately (Aug 2002), a book.
Slide 22 of 37
23. OpenSSL software module evaluation (8)
Software module maintainability (2)
Available documentation
• lack of consistency
• lack of an integrated Table of Contents or Master Document
• semantic overlaps
  • two or more authors covering the same subject
  • documentation is available covering older and newer versions of the source code
• No documentation on the code structure
Slide 23 of 37
24. Conclusions on OpenSSL
OpenSSL Organisation
• Capability and stability of the organisation = good
• Support services for the product = fair
• Feeding requirements to the developing process = good
OpenSSL Product
• Conformity verification = good
• Interoperability = good
• Stability = good
• Maintainability = fair (for open source community practices)
Slide 24 of 37
25. Evaluation of the FreeS/WAN organisation (1)
Capability and stability of the organisation = fair
• The FreeS/WAN development team consists of experienced software developers and engineers.
• The FreeS/WAN software package is already widely used.
Slide 25 of 37
26. Evaluation of the FreeS/WAN organisation (2)
Support services for the products = poor
• Navigation in the FreeS/WAN web site is not user friendly
• Documentation provided is not structured and requires advanced experience in several areas (e.g. Linux, configuration files etc.)
• Documentation provided does not contain
  • configuration examples
  • detailed installation guidelines
  • patch installation guidelines
Slide 26 of 37
27. Evaluation of the FreeS/WAN organisation (3)
Ability to feed requirements into the developing process = poor
• Communication channel with users and developers: Internet mailing lists
  • response time is not adequate for a commercial organisation
  • difficult to track related postings
Slide 27 of 37
28. FreeS/WAN software module evaluation (1)
[Test bed diagram: Traffic Generator; GGSN HW platform (Redhat Linux v7.2, FreeS/WAN ported); Linux Test Station (Redhat Linux v7.2, FreeS/WAN ported, tcpdump enabled); the nodes are connected by Ethernet links carrying the IPsec protocol.]
Software module capability: Functional Verification
• Use of the tcpdump and ethereal tools
• Verification of the ISAKMP negotiation
• Verification of the FreeS/WAN encryption
Slide 28 of 37
29. FreeS/WAN software module evaluation (2)
Software module capability: Interoperability (1)
• FreeS/WAN does not implement single DES and Diffie-Hellman group 1 (768-bit) because they are insecure.
  • Solution: Avoid configuration related to single DES and Diffie-Hellman group 1
• RFCs define two modes for IKE negotiations: main mode and aggressive mode. FreeS/WAN does not implement aggressive mode.
  • Solution: If the default option of the other peers is aggressive mode, the user should configure them for main mode
Slide 29 of 37
30. FreeS/WAN software module evaluation (3)
Software module capability: Interoperability (2)
• FreeS/WAN provides perfect forward secrecy (PFS) by default, which is more secure and cost effective. However, some other implementations turn PFS off by default.
  • Solution: Users should either disable PFS in FreeS/WAN, or enable PFS in the other peers
• The IKE protocol allows several types of optional messages. FreeS/WAN ignores optional messages. Problems may arise if the other end relies on the use of optional messages.
  • Solution: Modifications to the source code of FreeS/WAN
Slide 30 of 37
31. FreeS/WAN software module evaluation (4)
Software module capability: Interoperability (3)
• Concerning FreeS/WAN interoperability with Windows 2000 IPSec, a problem with respect to IKE was reported.
  • Solution: FreeS/WAN has changed the handling of this (from version 1.92 onward).
• General rules for interoperating with FreeS/WAN:
  • main mode for IKE negotiation
  • triple DES encryption
  • Diffie-Hellman Group 2 (1024-bit) or Group 5 (1536-bit)
  • Perfect Forward Secrecy enabled
Slide 31 of 37
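The interoperability findings of slides 29 to 31 can be reduced to a compatibility check on the IKE settings a peer proposes. The following is an added example written for this page; it is not code from the original presentation or from the FreeS/WAN project. The proposal field names (ike_mode, cipher, dh_group, pfs) and the two sample proposals are constructed for illustration and are not FreeS/WAN configuration syntax.

```python
"""Check a peer's proposed IKE settings against the FreeS/WAN interoperability
rules from slides 29-31: main mode, triple DES, Diffie-Hellman group 2 or 5,
perfect forward secrecy enabled.

Added example (not FreeS/WAN code). Field names and sample proposals are
constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Settings FreeS/WAN accepts, as stated on the slides.
SUPPORTED_IKE_MODES = {"main"}   # aggressive mode is not implemented
SUPPORTED_CIPHERS = {"3des"}     # single DES deliberately not implemented (insecure)
SUPPORTED_DH_GROUPS = {2, 5}     # group 1 (768-bit) deliberately not implemented


@dataclass(frozen=True)
class IkeProposal:
    """One peer's proposed IKE settings (constructed field names)."""
    peer: str
    ike_mode: str   # "main" or "aggressive"
    cipher: str     # e.g. "des", "3des"
    dh_group: int   # Diffie-Hellman group number
    pfs: bool       # whether the peer enables perfect forward secrecy


@dataclass(frozen=True)
class Finding:
    """An incompatibility plus the remedy the evaluation recommends."""
    peer: str
    problem: str
    remedy: str


def check_proposal(p: IkeProposal) -> list[Finding]:
    """Return every mismatch between the proposal and FreeS/WAN's rules."""
    findings: list[Finding] = []
    if p.ike_mode not in SUPPORTED_IKE_MODES:
        findings.append(Finding(
            p.peer, f"IKE mode '{p.ike_mode}' is not implemented by FreeS/WAN",
            "configure the peer for main mode"))
    if p.cipher not in SUPPORTED_CIPHERS:
        reason = ("single DES is insecure and not implemented" if p.cipher == "des"
                  else f"cipher '{p.cipher}' is not an interoperable choice")
        findings.append(Finding(p.peer, reason, "use triple DES encryption"))
    if p.dh_group not in SUPPORTED_DH_GROUPS:
        reason = ("Diffie-Hellman group 1 (768-bit) is insecure and not implemented"
                  if p.dh_group == 1 else f"Diffie-Hellman group {p.dh_group} is not an interoperable choice")
        findings.append(Finding(p.peer, reason,
                                "use Diffie-Hellman group 2 (1024-bit) or group 5 (1536-bit)"))
    if not p.pfs:
        findings.append(Finding(
            p.peer, "peer has PFS disabled while FreeS/WAN enables it by default",
            "enable PFS on the peer (or disable PFS in FreeS/WAN)"))
    return findings


def is_compatible(p: IkeProposal) -> bool:
    """True when the proposal satisfies all four general rules."""
    return not check_proposal(p)


def report(proposals: list[IkeProposal]) -> str:
    """Human-readable summary for a batch of proposals."""
    lines = []
    for p in proposals:
        findings = check_proposal(p)
        lines.append(f"{p.peer}: {'compatible' if not findings else f'{len(findings)} issue(s)'}")
        for f in findings:
            lines.append(f"  - {f.problem}; remedy: {f.remedy}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample proposals, not captured from real peers.
    samples = [
        IkeProposal("gateway-A", "main", "3des", 2, True),
        IkeProposal("client-B", "aggressive", "des", 1, False),
    ]
    print(report(samples))
```

The checker encodes only what the slides state; the remedies are the slides' own solutions, so the output doubles as a configuration checklist for a peer that must talk to FreeS/WAN.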
32. FreeS/WAN software module evaluation (5)
Software module capability: Interoperability (4)
• Discrepancies in IPSec terminology used in IPSec implementations
  • Solution: Developers should be aware of the discrepancies in terminology, and interpret the terms they meet depending on the IPSec implementation they are using.
• IPSec is a peer-to-peer protocol. IPSec clients cannot provide IPSec services for subnets residing behind them; only IPSec gateways can.
  • Solution: If there is a need to support a subnet behind an IPSec implementation, use an IPSec gateway instead of an IPSec client
Slide 32 of 37
33. FreeS/WAN software module evaluation (6)
Software module stability
• Unexpected communication problems may emerge with VPN clients that use DHCP and NAT.
• FreeS/WAN has restricted functionality concerning shared secret authentication. The FreeS/WAN organisation proposes RSA for authentication purposes instead. However, no IPSec standard has yet been implemented for user authentication.
• No support for X.509 or other certificates
• No support for single DES encryption
• No support for AES encryption
Slide 33 of 37
34. FreeS/WAN software module evaluation (7)
Software module maintainability
• FreeS/WAN does not provide any documentation regarding the architecture of the software module.
• A source code walk-through is required to understand the functionality of the FreeS/WAN software subsystems.
• An initial source code walk-through we performed indicated that the source code is not well structured, and that comments are not used throughout the code, thus reducing its maintainability.
• Although the size of the FreeS/WAN patches is not too big, their number is quite big (more than 15) during the FreeS/WAN project period, having a detrimental effect on software maintainability.
Slide 34 of 37
35. Conclusions on FreeS/WAN
FreeS/WAN Organisation
• Capability and stability of the organisation = fair
• Support services for the product = poor
• Feeding requirements to the developing process = poor
FreeS/WAN Product
• Functional verification = good
• Interoperability = fair
• Stability = fair
• Maintainability = fair
Slide 35 of 37
36. …for more info
For more info, visit
http://laplace.intrasoft-intl.com/secrets/
Slide 36 of 37