Open Source is here to stay in security critical environments and every place software is used
Creating Applications these days is like making a sandwich
Using the SDACK Architecture on Security Event Inspection - Yu-Lun Chen
The SDACK architecture stands for Spark, Docker, Akka, Cassandra, and Kafka. At TrendMicro, we adopted the SDACK architecture to implement a security event inspection platform for APT attack analysis. In this talk, we will introduce the SDACK stack with the Spark lambda architecture, Akka and Kafka for the streaming data pipeline, Cassandra for time series data, and Docker for microservices. Specifically, we will show you how we Dockerize each SDACK component to facilitate the R&D team's algorithm development, help the QA team test the product easily, and use the Docker as a Service strategy to ship our products to customers. Next, we will show you how we monitor each Docker container and adjust resource usage based on monitoring metrics. Then we will share our Docker security policy, which ensures our products are safe before shipping to customers. After that, we'll show you how we develop an all-in-one Docker-based data product and scale it out to a multi-host Docker cluster to solve the big data problem. Finally, we will share some challenges we faced during product development and some lessons learned.
Open Source Licensing: Types, Strategies and Compliance - All Things Open
Presented by: Jeff Luszcz, ZebraCatZebra
Presented at All Things Open 2020
Abstract: Open Source powers the world, but you need to do more than use it.
In this talk we will provide background on the most common types of open source licenses, business models, security issues and the processes required to help you remain secure and in compliance. We will discuss best practices, scanning tools, remediation, customer and partner expectations around OSS compliance and how to manage OSS during events such as a product release or M&A.
Gradle is an open-source build automation tool focused on flexibility, build reproducibility and performance. Over the years, this tool has evolved and introduced new concepts and features around dependency management, publication and other aspects of building and releasing artifacts for the Java platform.
Keeping up to date with all these features across several projects can be challenging. How do you make sure that all your projects can be upgraded to the latest version of Gradle? What if you have thousands of projects and hundreds of engineers? How can you abstract common tasks for them and make sure that new releases work as expected?
At Netflix, we built Nebula, a collection of Gradle plugins that help engineers remove boilerplate from Gradle build files and make building software the Netflix way easy. This reduces the cognitive load on developers, allowing them to focus on writing code.
In this talk, I’ll share with you our philosophy on how to build JVM artifacts and the pieces that help us boost the productivity of engineers at Netflix. I’ll talk about:
- What is Nebula
- What are the common problems we face and try to solve
- How we distribute it to every JVM engineer
- How we ensure that Nebula/Gradle changes do not break builds so we can ship new features with confidence at Netflix.
---
About Roberto: Roberto Perez Alcolea is a Senior Software Engineer at Netflix. He is a member of the Java Platform team, which provides the core language and framework components that enable the Java community at Netflix. He's an active maintainer of Netflix Nebula Plugins (https://nebula-plugins.github.io/) and passionate about Gradle. Prior to that, he spent several years building high-performance APIs with Ratpack and web applications using Grails.
Today's technology race is at high speed. Private companies plan trips to Mars and consumers print in 3D on their kitchen tables. Joris tells his story about open hardware and what it can bring to you.
Using Puppet to Leverage DevOps in Large Enterprise Oracle Environments - Bert Hajee
DevOps in large companies is difficult. When you add Oracle and WebLogic to the equation, it becomes even more difficult. This presentation tells the story of IT Manager John and how he used Puppet and the Puppet modules from Enterprise Modules to get started with DevOps in his organization. The change was staggering. Where a new release previously took more than a year, they were now able to implement changes within days or even hours.
How to Open Source an Internal Project
Presented at: All Things Open RTP Meetup
Presented by: VM Brasseur
Abstract: Your company is going to release an internal project as open source. Are you ready for your new responsibilities? You could just throw the code up on a forge (like GitHub, GitLab), but it's unlikely to receive attention or provide much benefit to the company. Open sourcing an internal project requires a lot of thought & work.
Releasing a project as open source requires changes to the development/build/release workflow. This is not about the code per se; it’s about the processes & infrastructure that surround the code & that make the project successful.
This talk will introduce what you need to know & to expect before you release your internal project, including:
- Identifying company goals for the project
- Pre-release due diligence: licenses & code hygiene
- Community expectations & maintenance
- Processes which need to happen in the open
- Communication: internal & external
For more info on our Meetups: https://www.meetup.com/All-Things-Open-RTP-Meetup/
Hardening Your CI/CD Pipelines with GitOps and Continuous Security - Weaveworks
Join us for a webinar on how to secure your CI/CD pipeline for Kubernetes with GitOps best practices and continuous runtime protection. As modern developers and DevOps teams embark on a quest for speed and reliability through automated CI/CD pipelines for Kubernetes, enterprises still need to ensure security and regulatory compliance.
Together with Deepfence, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines, combined with continuous security observability, improve the overall security of your development workflow - from Git to production.
In this webinar we will demonstrate:
- Deepfence container scanning
- Git-to-Kubernetes using FluxCD
- Deepfence continuous runtime security
How Security Can Be the Next Force Multiplier in DevOps - Andrew Storms
RSA 2015 Conference Presentation
DevOps is the hottest moving target when it comes to software development methodologies. Many people fear that this fast-paced, barrier-breaking movement will leave information security best practices in the dust. Turn the equation upside down and make security a force multiplier for DevOps. See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1540/how-security-can-be-the-next-force-multiplier-in
The Lie of a Benevolent Dictator; the Truth of a Working Democratic Meritocracy - Randy Bias
Keynote at OpenStackSV's inaugural event. Essentially a call to arms to fix the missing "product leadership gap" that is clearly causing drag on the project(s).
The annual review session by the AMIS team on their findings, interpretations and opinions regarding news, trends, announcements and roadmaps around Oracle's product portfolio.
Red Hat OpenShift - a Foundation for Successful Digital Transformation - Eric D. Schabell
The usage of containers is exploding and, according to a recent report, Red Hat is the vendor best placed to capitalize on this. To us it is pretty simple: containers are Linux and Red Hat is the leader on Linux. But we move beyond that, addressing the wider use case - building a complete innovation platform, harnessing the power of the hottest open source projects on the planet, integrated into a complete end-to-end experience from development to production across any footprint, on-prem to cloud.
Red Hat Forum Norway, Eric D. Schabell, Global Technology Evangelist, Red Hat
(https://docs.google.com/a/redhat.com/presentation/d/1WnasL7oMoC_-TfUZd4DYY9l7_4u0TivVsnWc1mXcBiI/edit?usp=sharing)
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper - Gene Gotimer
The continuous delivery pipeline is the process of taking new or changed features from developers, and getting features deployed into production and delivered quickly to the customer. Gene Gotimer says testing within continuous delivery pipelines should be designed so the earliest tests are the quickest and easiest to run, giving developers the fastest feedback. Successive rounds of testing lead to increased confidence that the code is a viable candidate for production and that more expensive tests—time, effort, cost—are justified. Manual testing is performed toward the end of the pipeline, leaving computers to do as much work as possible before people get involved. Although it is tempting to arrange the delivery pipeline in phases (e.g., functional tests, then acceptance tests, then load and performance tests, then security tests), this can lead to serious problems progressing far down the pipeline before they are caught. Gene shows how to arrange your tests so each round provides just enough testing to give you confidence that the next set of tests is worth the investment. He explores how to get the right types of testing into your pipeline at the right points.
Web Application Security Testing: Kali Linux Is the Way to Go - Gene Gotimer
Many free security testing tools are available, but finding ones that meet your needs and work in your environment can involve substantial time and effort. Especially when you are just starting out with security testing, finding reputable tools that do what you need is not easy. And installing them correctly just to evaluate them can be prohibitively time consuming. Kali Linux is a free Linux distribution with hundreds of security testing and auditing tools installed. Gene Gotimer gives an overview of Kali Linux, ways to effectively use it, and a survey of the tools available. Although Kali Linux is primarily intended for professional penetration testers, it provides great convenience and value to developers and software testers who may be getting started in security testing. Gene demonstrates some of the simplest tools to help jumpstart your web application security testing practices.
Network Automation Journey: A Systems Engineer's NetOps Perspective - Walid Shaari
Network devices play a crucial role, and they are not just in the data center: it's the Wi-Fi, VoIP, WAN and, more recently, underlays and overlays. Network teams are essential for operations. It's about time we highlight to the configuration management community the importance of network teams and include them in our discussions. This talk describes the personal experience of a systems engineer in kickstarting a network team into automation. Most importantly, it covers how and where to start, the challenges faced, and the progress made. The network team in question uses multi-vendor network devices in a large traditional enterprise.
NetDevOps: we do not hear that term as frequently as we should. Every time we hear about automation or configuration management, it is usually about the application or, if not, the systems that host the applications. What about the network systems and devices that interconnect and protect our services? This talk describes the journey a systems engineer had as part of an automation assignment with the network management team. Building on lessons learned and challenges faced with system automation, it shows how one can kickstart an automation project and gain small wins quickly. Where and how to start the journey? What to avoid? What to prioritise? How to overcome the automation engineer's lack of network skills, and the network engineers' lack of automation and Linux/Unix skills? What challenges were faced and how were they overcome? What fights to give up? Where do I see network automation and configuration management as a systems engineer? What are the status quo and future expectations?
As the world of system and application deployment continues to change, the sysadmin and security community needs to change with it. With agile development and continuous deployment, the pace of change in IT has only increased. Add in DevOps and the traditional sysadmin and security processes just don't work. How can you rapidly deliver servers and applications while making sure they are built reliably and securely? Rackspace has been developing a tool called Checkmate to help them design, deploy and security-assess complex configurations for customers. This talk will cover the concepts behind and the architecture of Checkmate, and how it helps minimize the time to deploy systems and verify they have been created to spec and in a secure state. It closes with a discussion of how Checkmate has inspired the concept of Test Driven Security, based on the Test Driven Development model familiar to the development world.
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx - Lior Mazor
Our technology, work processes, and activities all depend on whether we can trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security into the development process, advanced DevSecOps methods, how to implement secure coding analysis, and how to manage software security risks.
Breaking the 2 Pizza Paradox with your Platform as an Application - Mark Rendell
In my experience many large enterprises would love the adoption of DevOps to be as simple as bringing Development closer to Operations. In practice they need to consider many development teams, multiple suppliers, multiple service providers, not to mention multiple business divisions. I describe my experiences of implementing Continuous Delivery in large enterprises with heterogeneous technology stacks and share my belief that Platform Applications will be the saviour of enterprise DevOps.
Corpsec: “What Happened to Corpses A and B?” - Priyanka Aash
Living BeyondCorp comes with its own challenges. This talk will dive into how Duo gets our hands around difficult problems regarding the security and management of cloud services and endpoints internally. This session will cover technical details of our security orchestration and automation approach, cloud service monitoring, and chatops-driven endpoint application whitelisting strategies.
(Source: RSA Conference USA 2018)
Containers, Serverless, Polyglot Development World, And Others…10 trends resh... - PROIDEA
During this presentation, you will learn about the 10 changes that might reshape the developer tools market in the next 10 years. Jarek will discuss containers, serverless functions, and how it all supports an agile and CI/CD experience. The move to a polyglot development world means most applications will be written in a mix of languages, with developers favoring tools that help them navigate easily between languages. Jarek will also walk us through the evolution away from stand-alone developer workstations toward cloud-and-container based development environments offered as a service.
What's New in the Latest source{d} Releases! - source{d}
We recently announced source{d} 0.11, 0.12 and 0.13, two releases with lots of new features and performance improvements. From Windows support to port management, C# language support and new SQL querying, there is a lot for you to get excited about. We also discussed why you should care about Engineering Observability and some of the top use cases for source{d} in enterprises.
Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show how easy it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples a DevOps team can implement for free.
DevOps For Everyone: Bringing DevOps Success to Every App and Every Role in y... - Siva Rama Krishna Chunduru
Understand DevOps and its fit with various types of applications.
Understand various Organization Roles after Org-restructure.
Understand the way to measure the success.
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol... - CA Technologies
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Solutions (Formerly Automic) and CA Privileged Access Manager
For more information on DevSecOps, please visit: http://ow.ly/u2pN50g63tN
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De... - Rackspace
At Rackspace::Solve NYC, Jon Hyman, CIO of Appboy and Prashanth Chandrasekar, GM of DevOps at Rackspace, discuss the role of DevOps in helping to solve the technical challenges that come with rapid growth.
Rackspace (NYSE: RAX) is the #1 managed cloud company. Our technical expertise and Fanatical Support® allow companies to tap the power of the cloud without the pain of hiring experts in dozens of complex technologies. Rackspace is also the leader in hybrid cloud, giving each customer the best fit for its unique needs — whether on single- or multi-tenant servers, or a combination of those platforms. Rackspace is the founder of OpenStack®, the open-source operating system for the cloud. Headquartered in San Antonio, we serve more than 200,000 business customers from data centers on four continents. We rank 29th on Fortune’s list of 100 Best Companies to Work For. For more information, visit www.rackspace.com.
Help students get familiar with the basic concepts of DevOps processes and technologies and the challenges facing companies who are looking to embrace scalable software deployment.
[This workshop was given to TAU CS students over the years 2015-2016]
Collaborative Security: Securing Open Source Software - Priyanka Aash
There’s no guarantee that software will ever be free from vulnerabilities, whether it is open source or proprietary, but there is still plenty we can do. The Linux Foundation CTO Nicko van Someren will discuss new tools and techniques that help improve the security and quality of open source projects, presenting data from various open source projects including pre- and post-Heartbleed OpenSSL.
(Source : RSA Conference USA 2017)
Organizations are intrigued and excited by the ability to reduce costs, gain new insights and expand their data playground with Hadoop. However, when it comes time to design and execute their strategy, they face two fundamental challenges: “Where do I start?” followed by, “Now that I’ve started, how do I keep up?”
The ecosystem of Hadoop tools is constantly expanding to keep up as demands (real-time, self-service, etc.) and data growth (more sources, larger volumes) increase. Innovation is good, but added complexity, uncertainty and risk is not.
If you’re committed to realizing the benefits of Hadoop, but are taken aback by the complexities and pace of change in the Big Data landscape, watch this webcast to learn about:
Finding the right use case – Successful companies realize the fastest time to value and create a foundation for big data analytics by starting with familiar use cases such as offloading enterprise data warehouses and mainframes to Hadoop.
Exploring the landscape of Big Data tools -- Learn about common tools used in Hadoop implementations as illustrated by real-world use cases.
Shielding your organization from the complexities of Hadoop while staying current as Big Data technologies evolve – Solutions like Syncsort DMX-h allow users to visually design data transformations once and deploy them anywhere—across Hadoop MapReduce, Apache Spark, or whatever framework becomes popular next.
Developers use Question and Answer (Q&A) websites to exchange knowledge and expertise. Stack Overflow is a popular Q&A website where developers discuss coding problems and share code examples. Although all Stack Overflow posts are free to access, code examples on Stack Overflow are governed by the Creative Commons Attribution-ShareAlike 3.0 Unported license, which developers should obey when reusing code from Stack Overflow or posting code to Stack Overflow. In this talk, I will present the results of our recent study that investigated whether developers respect license terms when reusing code from Stack Overflow posts (and the other way around). We found 232 code snippets in 62 Android apps from a dataset of 399 Android apps, that were potentially reused from Stack Overflow, and 1,226 Stack Overflow posts containing code examples that are clones of code released in 68 Android apps, suggesting that developers may have copied the code of these apps to answer Stack Overflow questions. We investigated the licenses of these pieces of code and observed 1,279 cases of potential license violations (related to code posting to Stack Overflow or code reuse from Stack Overflow). These findings suggest that developers do not pay enough attention to copyright terms when reusing code from Stack Overflow or sharing code on Stack Overflow.
The AI Index is an independent initiative at the Stanford Institute for Human-Centered Artificial Intelligence (HAI), led by the AI Index Steering Committee, an interdisciplinary group of experts from across academia and industry. The annual report tracks, collates, distills, and visualizes data relating to artificial intelligence, enabling decision-makers to take meaningful action to advance AI responsibly and ethically with humans in mind.
Intel Blockscale ASICs are built for the demanding environment of cryptocurrency mining. Each ASIC has built-in temperature and voltage sensor capabilities. The accelerator can be operated across a range of frequencies, enabling system designers to balance performance and efficiency.
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsDESMOND YUEN
Cryptographic operations are amongst the most compute intensive and critical operations applied to data as it is stored, moved, and processed. Comprehending Intel's cryptography processing acceleration is essential to optimizing overall platform workload, and service performance.
At Intel, security comes first both in the way we work and in what we work on. Our culture and practices guide everything we build, with the goal of delivering the highest performance and optimal protections. As with previous reports, the 2021 Intel Product Security Report demonstrates our Security First Pledge and our endless efforts to proactively seek out and mitigate security issues.
How can regulation keep up as transformation races ahead? 2022 Global regulat...DESMOND YUEN
As the pandemic drags into its third year, financial services firms face a range of challenges, from increased operational complexity and an evolving regulatory directive to address environmental and social issues to new forms of competition and evolving technologies, such as digital assets and cryptocurrencies. Banks, insurers, asset managers and other financial services firms (collectively referred to as “firms” in the rest of this document) must innovate more effectively — and rapidly — to keep up with the pace of change while still identifying emerging risks and building appropriate governance and controls.
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, MoreDESMOND YUEN
NASA's mission of exploration requires new technologies, software, and research – which show up in daily life. The agency’s Spinoff 2022 publication tells the stories of companies, start-ups, and entrepreneurs transforming these innovations into cutting-edge products and services that boost the economy, protect the planet, and save lives.
“The value of NASA is not confined to the cosmos but realized throughout our country – from hundreds of thousands of well-paying jobs to world-leading climate science, understanding the universe and our place within it, to technology transfers that make life easier for folks around the world,” NASA Administrator Bill Nelson said. “As we combat the coronavirus pandemic and promote environmental justice and sustainability, NASA technology is essential to address humanity’s greatest challenges.”
Spinoff 2022 features more than 45 companies using NASA technology to advance manufacturing techniques, detoxify polluted soil, improve weather forecasting, and even clean the air to slow the spread of viruses, including coronavirus.
"NASA's technology portfolio contains many innovations that not only enable exploration but also address challenges and improve life here at home," said Jim Reuter, associate administrator of the agency’s Space Technology Mission Directorate (STMD) in Washington. "We’ve captured these examples of successful commercialization of NASA technology and research, not only to share the benefits of the space program with the public, but to inspire the next generation of entrepreneurs."
This year in Spinoff, readers will learn more about:
How companies use information from NASA’s vertical farm to sustainably grow fresh produce
New ways that technology developed for insulation in space keeps people warm in the great outdoors
How a system created for growing plants in space now helps improve indoor air quality and reduces the spread of airborne viruses like coronavirus
How phase-change materials – originally developed to help astronauts wearing spacesuits – absorb, hold, and release heat to help keep race car drivers cool
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...DESMOND YUEN
Internet of Things (IoT) is an innovative paradigm envisioned to provide massive applications that are now part of our daily lives. Millions of smart devices are deployed within complex networks to provide vibrant functionalities including communications, monitoring, and controlling of critical infrastructures. However, this massive growth of IoT devices and the corresponding huge data traffic generated at the edge of the network created additional burdens on the state-of-the-art centralized cloud computing paradigm due to the bandwidth and resources scarcity. Hence, edge computing (EC) is emerging as an innovative strategy that brings data processing and storage near to the end users, leading to what is called EC-assisted IoT. Although this paradigm provides unique features and enhanced quality of service (QoS), it also introduces huge risks in data security and privacy aspects. This paper conducts a comprehensive survey on security and privacy issues in the context of EC-assisted IoT. In particular, we first present an overview of EC-assisted IoT including definitions, applications, architecture, advantages, and challenges. Second, we define security and privacy in the context of EC-assisted IoT. Then, we extensively discuss the major classifications of attacks in EC-assisted IoT and provide possible solutions and countermeasures along with the related research efforts. After that, we further classify some security and privacy issues as discussed in the literature based on security services and based on security objectives and functions. Finally, several open challenges and future research directions for secure EC-assisted IoT paradigm are also extensively provided.
PUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIESDESMOND YUEN
The report covers the benefits, goals, challenges, and success factors associated with smart cities and communities and gives a glimpse of a path forward.
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPEDESMOND YUEN
Five companies—Deutsche Telekom, Orange, Telecom Italia, Telefónica, and Vodafone—published a report outlining why they feel Europe as a whole is lagging behind other regions such as the U.S. and Japan in developing Open RAN. The companies point to both a lack of companies developing key components, notably silicon chips, for Open RAN technologies, as well as the need to get incumbent equipment vendors Ericsson and Nokia on board with Open RAN development.
An Introduction to Semiconductors and IntelDESMOND YUEN
Did you know that...
The average American adult spends over 12 hours a day engaged with electronics — computers, mobile devices, TVs, cars, to name just a few — powered by semiconductors.
A common chip the size of your smallest fingernail is only about 1-millimeter thick but contains roughly 30 different layers of components and wires (called interconnects) that make up its complex circuitry.
Intel owns nearly 70,000 active patents worldwide. Its first — “Resistor for Integrated Circuit,” #3,631,313 — was granted to Gordon Moore on Dec. 28, 1971.
Those are a few fun facts in a high-level presentation that provides an easy-to-understand look at the world of semiconductors, why they matter and the role Intel plays in their creation.
Changing demographics and economic growth bloomDESMOND YUEN
“Demography is destiny” is an oft-cited phrase that suggests the size, growth, and structure of a nation’s population determines its long-term social, economic, and political fabric. The phrase highlights the role of demographics in shaping many complex challenges and opportunities societies face, including several pertinent to economic growth and development. Nevertheless, it is an overstatement to say that demography determines all, as it downplays the fact that both demographic trajectories and their development implications are responsive to economic incentives; to policy and institutional reforms; and to changes in technology, cultural norms, and behavior. The world is undergoing a major demographic upheaval with three key components: population growth, changes in fertility and mortality, and associated changes in population age structure.
Intel Corporation (“Intel”) designs and manufactures advanced integrated digital technology platforms that power an increasingly connected world. A platform consists of a microprocessor and chipset, and may be enhanced by additional hardware, software, and services. The platforms are used in a wide range of applications, such as PCs, laptops, servers, tablets, smartphones, automobiles, automated factory systems, and medical devices. Intel is also in the midst of a corporate transformation that has seen its data-centric businesses capture an increasing share of its revenue.
This report provides economic impact estimates for Intel in terms of employment, labor income, and gross domestic product (“GDP”) for the most recent historical year, 2019.
Discover how private 5G networks can give enterprises options to enhance services and deliver new use cases with the level of control and investment they want.
Tackle more data science challenges than ever before without the need for discrete acceleration with the 3rd Gen Intel® Xeon® Scalable processors. Learn about the built-in AI acceleration and performance optimizations for popular AI libraries, tools and models.
The document describes how the Intel® Advanced Vector Extensions 512 (Intel® AVX-512) and Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) available in the 3rd Generation Intel® Xeon® Scalable Processor are used to reach 1 Tb/s of IPsec throughput.
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."DESMOND YUEN
The former secretary of state George Shultz passed away last weekend. He is one of the most influential secretaries of state in US history. Around the time of his hundredth birthday this past December, he published a short book on Trust and Effective Relationships
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...DESMOND YUEN
This whitepaper is a blueprint for developing an Open RAN solution. It provides an overview of the main technology elements that Telefónica is developing in collaboration with selected partners in the Open RAN ecosystem.
It describes the architectural elements, design criteria, technology choices, and key chipsets employed to build a complete portfolio of radio units and baseband equipment capable of a full 4G/5G RAN rollout in any market of interest.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll know how to organize and improve your code review process.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
2. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Open Source is here to stay in security critical environments and every place software is used
3. Linux has grown into the most important open source project in the world
• 100% of the supercomputer market
• 62% of the embedded systems market
• 90% of mainframe customers
• 90% of public cloud workloads
• 82% smartphone market share
• 2nd to Windows in the enterprise
• #1 Internet client
Every market Linux has entered it eventually dominates
4. Linux Evolves Faster Than Ever
• 4,300 contributors from 450 organizations
• 10,000 lines of code added daily
• 2,000 lines of code modified daily
• 2,500 lines of code removed daily
• 8.5 changes per hour
5. Open Source Development is Accelerating
• 23M+ open source developers
• 78M+ repositories on GitHub
• 41B+ lines of code
• 1,100 new projects a day
• 10,000+ new versions per day
Sources: SourceClear, Sonatype, GitHub
6. “It’s actually open source software that’s eating the world.” - VentureBeat, 2015
7. Creating Applications these days is like making a sandwich
9-12. Code Club (Sandwich), built up one layer per slide:
• Choose a Framework: Open Source Code (~20%)
• Write Custom Code: Custom Code (~10%)
• Use Open Source Libraries to Solve Problems: Open Source Code (~70%)
Open Source Code = ~90%
13. So much code – so little time
(The same figures as slide 5: 23M+ open source developers, 78M+ repositories on GitHub, 41B+ lines of code, 1,100 new projects a day, 10,000+ new versions per day. Sources: SourceClear, Sonatype, GitHub)
14. Open source isn’t slowing down any time soon
15. All this abundance has created anxiety
16. The real question is which projects matter?
[Chart: criticality of software (vertical axis) against number of open source projects (horizontal axis)]
17. How do we make important projects sustainable?
Successful Projects depend on members, developers, standards and infrastructure to develop products that the market will adopt.
[Diagram with four linked nodes: Projects, Products, Profits, Developer Community]
19. [Chart: value of individual project against number of open source projects (millions on GitHub)]
Major Problem
• How to accelerate cloud native computing: devops, containers, microservices
• How to create a portability layer for cloud
Collective Action
• 2015 Google created CNCF with The Linux Foundation
• Project seeded with Kubernetes
• CNCF founded with 28 members
Results - 2018
• Kubernetes de facto standard for container management
• 179 members, including all major public clouds and enterprise software vendors
• Home to 14 additional projects beyond Kubernetes
• 49 Kubernetes certified vendors
• Kubernetes surpasses OpenStack on Google Trends
22. Questions to ask
What is the most important and security critical shared software in the world?
Who is creating and maintaining that software?
Why are they creating and maintaining that software?
Is it secure, reliable, and healthy?
23. Core Infrastructure Initiative Census Project
[Flow diagram] Lists of Projects to Analyze, together with Project Popularity, Project Data from Debian, Project data from openhub.net and Project Recent CVE Vulnerability Counts, feed the Analysis Program. The program produces Analysis Results Ranked by Risk Index; Expert Selection from the Highest-Risk Projects then yields the Most Concerning Projects.
25. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Current Algorithm
▪ Project has website: 1 point if no
▪ Written in C or C++: 2 points if yes
▪ CVE vulnerability reports: 3 points if 4+, 2 points for 2-3, 1 point for 1
▪ 12 month contributor count: 5 points for 0 contributors, 4 points for 1-3 contributors, 2 points if the number is unknown
▪ Top 10% most popular Debian package: 1 point if yes
▪ Exposure values: 2 points if directly exposed to the network (as server or client), 1 point if it is often used to process data provided by a network, and 1 point if it could be used for local privilege escalation
▪ Application data only: subtract 3 points if the Debian database reports that it is “Application Data” or “Standalone Data” (not an application)
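The scoring rule above, written out as a function and run over a handful of sample packages, as an added example (this is not the Census Project's own code). Two points the slide leaves open are treated as assumptions here: the three exposure values are summed, and four or more active contributors add no risk points. The sample packages and their attributes are constructed for illustration, not census data.

```python
"""Added example, not the CII Census Project's own code: the slide's risk index
as a scoring function, applied to constructed sample packages."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Project:
    name: str
    has_website: bool
    c_or_cpp: bool
    recent_cves: int                     # CVE reports in the census window
    contributors_12m: Optional[int]      # None means the count is unknown
    top10_debian_popularity: bool
    network_exposed: bool                # directly exposed as server or client
    processes_network_data: bool         # often handles data that came off the network
    local_privesc_possible: bool
    data_only: bool                      # Debian "Application Data" / "Standalone Data"


def cve_points(count: int) -> int:
    if count >= 4:
        return 3
    if count >= 2:
        return 2
    return 1 if count == 1 else 0


def contributor_points(count: Optional[int]) -> int:
    if count is None:
        return 2          # unknown
    if count == 0:
        return 5
    if count <= 3:
        return 4
    return 0              # assumption: four or more active contributors add no risk


def exposure_points(p: Project) -> int:
    # Assumption: the slide lists three exposure values; this example sums them.
    return ((2 if p.network_exposed else 0)
            + (1 if p.processes_network_data else 0)
            + (1 if p.local_privesc_possible else 0))


def risk_score(p: Project) -> int:
    score = 0 if p.has_website else 1
    score += 2 if p.c_or_cpp else 0
    score += cve_points(p.recent_cves)
    score += contributor_points(p.contributors_12m)
    score += 1 if p.top10_debian_popularity else 0
    score += exposure_points(p)
    if p.data_only:
        score -= 3        # data-only packages carry no executable attack surface
    return score


def rank_by_risk(projects: List[Project]) -> List[Project]:
    """Highest risk first; ties keep input order (sorted() is stable)."""
    return sorted(projects, key=risk_score, reverse=True)


# Constructed sample packages; names and attributes are invented for illustration.
SAMPLES = [
    Project("legacy-netcli", False, True, 0, 0, True, True, False, False, False),
    Project("busy-webserver", True, True, 6, 40, True, True, True, False, False),
    Project("parser-lib", True, True, 2, None, False, False, True, False, False),
    Project("setuid-helper", True, True, 1, 2, False, False, False, True, False),
    Project("fonts-data", False, False, 0, 0, True, False, False, False, True),
]

if __name__ == "__main__":
    for p in rank_by_risk(SAMPLES):
        print(f"{risk_score(p):2d}  {p.name}")
```

The unmaintained, network-facing C tool with no website comes out on top at 11, the same score band as the top rows of the census table on the next slide, while a busy project with many recent CVEs but dozens of active contributors scores lower: the index is weighting neglect and exposure, not just known bugs.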
26. Tremendous Systemic Risks to the Internet Still Unaddressed
Binary Package Name   Source Package Name (if different)   CII 2016 Census Risk Score
ftp                   netkit-ftp                           11
netcat-traditional    netcat                               11
tcpd                  tcp-wrappers                         11
whois                                                      11
at                                                         10
libwrap0              tcp-wrappers                         10
traceroute                                                 10
xauth                                                      10
bzip2                                                       9
hostname                                                    9
libacl1               acl                                   9
libaudit0             audit                                 9
libbz2-1.0            bzip2                                 9
libept1.4.12          libept                                9
libreadline6          readline6                             9
libtasn1-3                                                  9
linux-base                                                  9
telnet                netkit-telnet                         9
The Big Risk: commonly used open source code and libraries are among the most at risk to cyber attacks or other potential threats that could bring down the global Internet.
Source: CII 2016 Census
27. A little love goes a long way
2014 - OpenSSL was maintained by two people and moribund
2016 – Recorded more activity than in the entire previous history of the project, including:
• Three new releases
• 3889 commits
• 481 GitHub users
• Thousands of forks
• 1052 pull requests closed
• 47 CVEs reported and handled
29. We must secure the most critical open source software projects that power the world’s infrastructure, and promote a culture of secure coding.
30. 100 Projects Granted CII Best Practice Badge
Initiative launched in May 2016 to raise awareness of development processes and governance steps for better security outcomes
The badge makes it easier for users of open source projects to see which projects take security seriously; it isn’t a “rubber stamp” process
1,000 projects registered for the badge
31. Education
One of the largest causes of security vulnerabilities is developers being unaware of security best practices
We need courses for open source developers on security and auditing
Organizations like SAFECode provide curriculum and training but we need more
32. We need to be able to pass information about software bill of materials across the tech value chain in a simple and reliable way. You can’t fix bugs for code you don’t even know you have.
33. Software Tracking: The Challenge
[Diagram: “Your code” combined with 3rd party SW, outsourced SW and OSS packages feeds a Software Bill of Materials (BOM) marked “?”]
Companies combine Open Source Software with other software
Creating an accurate bill of materials and notices requires effort & research
34. Software BOM: The Challenge
[Diagram: Supplier 1 → Supplier 2 → Customers]
The effort is repeated at each step in the supply chain
35. “Open Source”-scape
[Diagram, layered: Upstream Projects → Useful “Collections” of Open Source → Added-value Software Products]
36. Software Package Data eXchange
Open Standard:
• A standard format for communicating the licenses and copyrights and
identity associated with software packages
Vision:
• To help reduce redundant work in determining software BOM
information and facilitate compliance
Guiding principles:
• Human and machine readable
• Focus on capturing facts; avoid interpretations
37. What makes up an SPDX Document?
SPDX v2.1 Document contains:
• Document Creation Information
• Package Information
• File Information
• Snippet Information
• Other Licensing Information
• Relationships
• Annotations
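To make the two SPDX slides concrete, here is an added example (mine, not SPDX project tooling) that parses a small SPDX 2.1 tag-value document into the sections listed above, derives a bill of materials from its Relationship entries, and checks for relationships that point at elements the document never defines, which is the first thing to validate on a BOM received from a supplier. The document itself is constructed; the package names, versions and namespace URL are invented.

```python
"""Added example, not SPDX project tooling: parse a small SPDX 2.1 tag-value
document into the sections the slide lists and derive a bill of materials
from its Relationship entries."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample document; package names, versions and the namespace URL are invented.
SPDX_DOC = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-1.0
DocumentNamespace: http://example.invalid/spdx/example-app-1.0
Creator: Organization: Example Corp
Creator: Tool: hand-written-example
Created: 2018-04-01T00:00:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: <text>Copyright 2018 Example Corp.
All rights reserved.</text>

PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageVersion: 2.3.4
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-app
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-libexample
"""

# Tags that open a new element of the kinds listed on the slide.
SECTION_STARTERS = {
    "PackageName": "packages",
    "FileName": "files",
    "SnippetSPDXID": "snippets",
    "LicenseID": "other_licensing",
    "Annotator": "annotations",
}


def parse_tag_value(text: str) -> List[Tuple[str, str]]:
    """Split 'Tag: value' lines; <text>...</text> values may span several lines
    (assumes a well-formed document where every <text> is closed)."""
    pairs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip() or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("<text>"):
            buf = [value[len("<text>"):]]
            while not buf[-1].endswith("</text>") and i < len(lines):
                buf.append(lines[i])
                i += 1
            value = "\n".join(buf)[:-len("</text>")]
        pairs.append((tag.strip(), value))
    return pairs


def parse_spdx(text: str) -> Dict[str, object]:
    doc = {"creation_info": {}, "packages": [], "files": [], "snippets": [],
           "other_licensing": [], "relationships": [], "annotations": []}
    current = doc["creation_info"]
    for tag, value in parse_tag_value(text):
        if tag == "Relationship":
            src, rel, dst = value.split()
            doc["relationships"].append((src, rel, dst))
            continue
        if tag in SECTION_STARTERS:
            current = {}
            doc[SECTION_STARTERS[tag]].append(current)
        if tag in current:                       # repeated tags (e.g. Creator) become lists
            prev = current[tag]
            current[tag] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            current[tag] = value
    return doc


def defined_ids(doc) -> set:
    ids = {doc["creation_info"].get("SPDXID")}
    for section in ("packages", "files", "snippets"):
        ids.update(item.get("SPDXID") or item.get("SnippetSPDXID") for item in doc[section])
    return ids - {None}


def dangling_references(doc) -> List[str]:
    """Relationship endpoints that no element in the document defines."""
    known = defined_ids(doc)
    return sorted({x for src, _, dst in doc["relationships"] for x in (src, dst) if x not in known})


def bill_of_materials(doc) -> List[Tuple[str, str, str, List[str]]]:
    """(name, version, concluded license, direct dependencies) per package."""
    by_id = {p["SPDXID"]: p for p in doc["packages"]}
    deps = defaultdict(list)
    for src, rel, dst in doc["relationships"]:
        if rel == "DEPENDS_ON" and dst in by_id:
            deps[src].append(by_id[dst]["PackageName"])
    return [(p["PackageName"], p.get("PackageVersion", "NOASSERTION"),
             p.get("PackageLicenseConcluded", "NOASSERTION"), deps[p["SPDXID"]])
            for p in doc["packages"]]


if __name__ == "__main__":
    doc = parse_spdx(SPDX_DOC)
    for row in bill_of_materials(doc):
        print(row)
    print("dangling references:", dangling_references(doc))
```

The parser only records facts the document states (the "capture facts, avoid interpretations" principle above): licences are reported as concluded, versions fall back to NOASSERTION rather than being guessed, and a DEPENDS_ON edge to an undefined SPDXID is flagged rather than silently dropped.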
38. Emerging “Between Organization” Trust Models
Software Parts Ledger - utilizes Blockchain to manage open source across the supply chain. Utilizes Hyperledger Sawtooth Platform & SPDX based BOM to conform to OpenChain best practices.
See: https://github.com/Wind-River/sparts
Accepted 2018/3 into Hyperledger Labs - https://github.com/hyperledger-labs/hyperledger-labs.github.io/blob/master/labs/SParts.md
ClearlyDefined - Announced 2018/3 - calls for participation in curating the metadata to summarize projects. See ClearlyDefined.io for more information.
39. Sharing software bill of materials is a critical part of the security process
OpenChain builds trust in open source by making sharing of software BOM simpler and more consistent
OpenChain participants include: Adobe, Arm, Cisco, Harman, Hitachi, HPE, GitHub, Qualcomm, Siemens, Toyota, Wind River and Western Digital
42. We need to invest in tools that test upstream code
43. Frama-C False-Positive-Free Checking
Frama-C is a highly respected static checker
When used with test cases and modified Unix standard functions, it is able to detect bugs without false positives
Proposal is to modify several standard Unix functions to support false-positive-free operation on OpenSSL
In addition, the proposal is to use the American Fuzzy Lop fuzzer to automatically generate test cases from which Frama-C can detect bugs
44. Fuzzing
https://fuzzing-project.org/ is Hanno Böck’s project
Uses zzuf, Address Sanitizer and american fuzzy lop to find bugs in open source projects
Discovered numerous GnuPG bugs in Feb 2015
He and others have found numerous bugs in many projects: http://lcamtuf.coredump.cx/afl/#bugs
His main activity is to convert the fuzzer output into reproducible test cases and file bugs for them
He is also doing great work training new developers to become expert fuzzers
CII is also reaching out to fuzzing toolkit authors
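Slides 43 and 44 both lean on the same loop: a fuzzer produces a crashing input, and someone turns it into a small, reproducible test case that a developer (or a static checker fed with test cases) can act on. The following is an added example of that loop in miniature; it is not Hanno Böck’s tooling, Frama-C or AFL, and the target is a constructed Python parser with a planted bug rather than a real project. A fixed-seed mutation fuzzer finds a crash, Zeller’s ddmin shrinks it, and the result is rendered as a regression test.

```python
"""Added example, not from the page or from fuzzing-project.org: a minimal
mutation fuzzer finds a crashing input for a constructed toy parser, and a
delta-debugging (ddmin) pass shrinks it to a reproducible test case."""
import random


def parse_record(data: bytes):
    """Constructed target: 'R' + 1-byte declared length + payload.
    Planted bug: trusts the declared length instead of the bytes actually present."""
    if len(data) < 2 or data[0] != 0x52:   # 0x52 == b"R"
        return None
    declared = data[1]
    payload = data[2:2 + declared]
    if declared == 0:
        return b""
    return payload[declared - 1]           # IndexError when declared > len(payload)


def crashes(target, data: bytes) -> bool:
    """Crash oracle: any uncaught exception counts, the analogue of a
    sanitizer abort in a C target."""
    try:
        target(data)
    except Exception:
        return True
    return False


def mutate(rng: random.Random, data: bytes) -> bytes:
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    rng = random.Random(rng_seed)          # fixed seed so the run is reproducible
    for _ in range(iterations):
        candidate = mutate(rng, seed)
        if crashes(target, candidate):
            return candidate
    return None


def ddmin(data: bytes, still_fails) -> bytes:
    """Zeller's ddmin: drop chunks of the input while the failure persists."""
    n = 2
    while len(data) >= 2:
        chunk = -(-len(data) // n)          # ceil(len / n)
        subsets = [data[i:i + chunk] for i in range(0, len(data), chunk)]
        reduced = False
        for i in range(len(subsets)):
            complement = b"".join(subsets[:i] + subsets[i + 1:])
            if still_fails(complement):
                data, n, reduced = complement, max(n - 1, 2), True
                break
        if not reduced:
            if n >= len(data):
                break
            n = min(n * 2, len(data))
    return data


def reproducer(minimized: bytes) -> str:
    """Render the minimized input as a self-contained regression test."""
    return ("def test_declared_length_exceeds_payload():\n"
            "    import pytest\n"
            "    with pytest.raises(IndexError):\n"
            f"        parse_record({minimized!r})\n")


if __name__ == "__main__":
    crash = fuzz(parse_record, b"R\x03abc")
    minimal = ddmin(crash, lambda d: crashes(parse_record, d))
    print("crashing input:", crash, "minimized:", minimal)
    print(reproducer(minimal))
```

The fuzzer finds five-byte crashes; ddmin cuts them to the two bytes that actually matter (the record marker and an oversized length), which is the form a bug report should take. A real pipeline swaps the toy target for a C program built with Address Sanitizer and the oracle for "the sanitizer aborted", but the shape of the loop is the same.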
45. Reproducible Builds
Debian and Fedora rely on package maintainers to compile source code from the upstream authors
Because the resulting binaries depend on machine configuration (like timestamps and file ordering), these binaries are not reproducible
That makes it impossible to independently verify that the binaries have not been tampered with
Binary reproducibility should become an expected attribute of free software distros
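The two causes named above, timestamps and file ordering, are enough to make the same sources produce different bytes on every build. The following added example (mine, not from the page or from any distribution’s build tooling) builds a tar archive of a constructed source tree twice: once letting directory listing order, the wall clock and the packager’s account leak into the headers, and once with sorted names, a fixed SOURCE_DATE_EPOCH and normalised ownership. It also shows the field-by-field header diff a verifier produces when two independent builds disagree. The SOURCE_DATE_EPOCH value is an assumed constant; real builds read it from the environment.

```python
"""Added example, not from the page or from any distribution's build tooling:
two builds of the same constructed source tree, one that lets listing order,
the wall clock and the build account leak into the archive and one pinned to
be byte-for-byte reproducible."""
import hashlib
import io
import tarfile
import time
from typing import Dict, Iterable, List, Tuple

# Constructed source tree: path -> contents.
SOURCE_TREE: Dict[str, bytes] = {
    "pkg/README": b"example package\n",
    "pkg/src/main.c": b"int main(void) { return 0; }\n",
    "pkg/Makefile": b"all:\n\tcc -o main src/main.c\n",
}

# Assumed fixed value for the example; real builds read SOURCE_DATE_EPOCH from the environment.
SOURCE_DATE_EPOCH = 1520000000


def build_tar(files: Dict[str, bytes], order: Iterable[str], mtime: int,
              uid: int, gid: int, uname: str, gname: str) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in order:
            info = tarfile.TarInfo(name=path)
            info.size = len(files[path])
            info.mode = 0o644
            info.mtime = mtime
            info.uid, info.gid = uid, gid
            info.uname, info.gname = uname, gname
            tar.addfile(info, io.BytesIO(files[path]))
    return buf.getvalue()


def naive_build(files: Dict[str, bytes], listing_order: List[str]) -> bytes:
    """Whatever order the filesystem returned, the current time and the
    packager's account all end up in the archive headers."""
    return build_tar(files, listing_order, mtime=int(time.time()),
                     uid=1000, gid=1000, uname="packager", gname="packager")


def reproducible_build(files: Dict[str, bytes]) -> bytes:
    """Sorted names, a fixed timestamp and normalised ownership: the output
    depends only on the inputs."""
    return build_tar(files, sorted(files), mtime=SOURCE_DATE_EPOCH,
                     uid=0, gid=0, uname="", gname="")


def digest(archive: bytes) -> str:
    return hashlib.sha256(archive).hexdigest()


def header_differences(a: bytes, b: bytes) -> List[Tuple[int, str, object, object]]:
    """Which header fields differ, entry by entry: what a verifier reports
    when two independently built artifacts do not match."""
    fields = ("name", "mtime", "uid", "gid", "uname", "gname", "mode")

    def headers(blob: bytes):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            return [tuple(getattr(m, f) for f in fields) for m in tar.getmembers()]

    diffs = []
    for idx, (ha, hb) in enumerate(zip(headers(a), headers(b))):
        for field, va, vb in zip(fields, ha, hb):
            if va != vb:
                diffs.append((idx, field, va, vb))
    return diffs


if __name__ == "__main__":
    one = naive_build(SOURCE_TREE, list(SOURCE_TREE))
    two = naive_build(SOURCE_TREE, list(SOURCE_TREE)[::-1])
    print("naive builds match:", digest(one) == digest(two))
    print("differences:", header_differences(one, two))
    r1 = reproducible_build(SOURCE_TREE)
    r2 = reproducible_build(dict(list(SOURCE_TREE.items())[::-1]))
    print("reproducible builds match:", digest(r1) == digest(r2))
```

Once the archive is reproducible, "was this binary tampered with?" becomes a question anyone can answer by rebuilding and comparing one hash, which is the property the slide asks distributions to make standard.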
46. We need to invest in audit of upstream open source code for critical shared infrastructure
47. Auditing
Many critical open source projects do not have resources to audit
Auditing finds critical bugs that won’t be found any other way
Auditing is expensive, time consuming and only finds a subset of the bugs, so it can’t be the only tool
OpenSSL audit underway
49. Follow up material
• See the Linux Foundation-sponsored Institute for Defense Analyses (IDA) report, "Open Source Software Projects Needing Security Investments”
• Some of the projects we're most concerned about (because they are ubiquitously deployed and could result in Heartbleed-style vulnerabilities) include compression libraries (bzip2, gzip, unzip, zlib) and format libraries (libjpeg, libpng, and expat)
• Unlike before Heartbleed, there is actually a group focused on these issues. Two major programs we’re undertaking with IDA:
• CII is not only reactively looking for broken projects (i.e., fighting fires) through our Census Project
• We are also developing the building codes (in terms of security best practices) to avoid fires in the future