The idea of a lone programmer relying on their own genius and technical acumen to create the next great piece of software was always a stretch. Today it is more of a myth than ever. Competitive market forces mean that software developers must rely on code created by an unknown number of other programmers. As a result, most software is best thought of as bricolage diverse, usually open-source components, often called dependencies, stitched together with bits of custom code into a new application.

This software engineering paradigm programmers reusing open-source software components rather than repeatedly duplicating the efforts of others has led to massive economic gains. According to the best available analysis, open-source components now comprise 90 percent of most software applications. And the list of economically important and widely used open-source components Googles deep learning framework TensorFlow or its Facebook-sponsored competitor PyTorch, the ubiquitous encryption library OpenSSL, or the container management software Kubernetes is long and growing longer. The military and intelligence community, too, are dependent on open-source software: programs like Palantir have become crucial for counter-terrorism operations, while the F-35 contains millions of lines of code.

The problem is that the open-source software supply chain can introduce unknown, possibly intentional, security weaknesses. One previous analysis of all publicly reported software supply chain compromises revealed that the majority of malicious attacks targeted open-source software. In other words, headline-grabbing software supply-chain attacks on proprietary software, like SolarWinds, actually constitute the minority of cases. As a result, stopping attacks is now difficult because of the immense complexity of the modern software dependency tree: components that depend on other components that depend on other components ad infinitum. Knowing what vulnerabilities are in your software is a full-time and nearly impossible job for software developers.

Fortunately, there is hope. We recommend three steps that software producers and government regulators can take to make open-source software more secure. First, producers and consumers should embrace software transparency, creating an auditable ecosystem where software is not simply mysterious blobs passed over a network connection. Second, software builders and consumers ought to adopt software integrity and analysis tools to enable informed supply chain risk management. Third, government reforms can help reduce the number and impact of open-source software compromises.

The Road to Dependence

Conventional accounts of the rise of reusable software components often date it to the 1960s. Software experts such as Douglas McIlroy of Bell Laboratories had noted the tremendous expense of building new software. To make the task easier, McIlroy called for the creation of a software components sub-industry for mass-producing software components that would be widely applicable across machines, users, and applications or in other words, exactly what modern open-source software delivers.

When open source started, it initially coalesced around technical communities that provided oversight, some management, and quality control. For instance, Debian, the Linux-based operating system, is supported by a global network of open-source software developers who maintain and implement standards about what software packages will and will not become part of the Debian distribution. But this relatively close oversight has given way to a more free-wheeling, arguably more innovative system of package registries largely organized by programming language. Think of these registries as app stores for software developers, allowing the developer to download no-cost open-source components from which to construct new applications. One example is the Python Package Index, a registry of packages for the programming language Python that enables anyone from an idealistic volunteer to a corporate employee to a malicious programmer to publish code on it. The number of these registries is astounding, and now every programmer is virtually required to use them.

The effectiveness of this software model makes much of society dependent on open-source software. Open-source advocates are quick to defend the current system by invoking Linuss law: Given enough eyes, all bugs are shallow. That is, because the software source code is free to inspect, software developers working and sharing code online will find problems before they affect society, and consequently, society shouldnt worry too much about its dependence on open-source software because this invisible army will protect it. That may, if you squint, have been true in 1993. But a lot has changed since then. In 2022, when there will be hundreds of millions of new lines of open-source code written, there are too few eyes and bugs will be deep. Thats why in August 2018, it took two full months to discover that a cryptocurrency-stealing code had been slipped into a piece of software downloaded over 7 million times.

Event-Stream

The story began when developer Dominic Tarr transferred the publishing rights of an open-source JavaScript package called event-stream to another party known only by the handle right9ctrl. The transfer took place on GitHub, a popular code-hosting platform frequented by tens of millions of software developers. User right9ctrl had offered to maintain event-stream, which was, at that point, being downloaded nearly two million times per week. Tarrs decision was sensible and unremarkable. He had created this piece of open-source software for free under a permissive license the software was provided as-is but no longer used it himself. He also already maintained several hundred pieces of other open-source software without compensation. So when right9ctrl, whoever that was, requested control, Tarr granted the request.

Transferring control of a piece of open-source software to another party happens all the time without consequence. But this time there was a malicious twist. After Tarr transferred control, right9ctrl added a new component that tried to steal bitcoins from the victims computer. Millions upon millions of computers downloaded this malicious software package until developer Jayden Seric noticed an abnormality in October 2018.

Event-stream was simply the canary in the code mine. In recent years, computer-security researchers have found attackers using a range of new techniques. Some are mimicking domain-name squatting: tricking software developers who misspell a package name into downloading malicious software (dajngo vs. django). Other attacks take advantage of software tool misconfigurationswhich trick developers into downloading software packages from the wrong package registry. The frequency and severity of these attacks have been increasing over the last decade. And these tallies dont even include the arguably more numerous cases of unintentional security vulnerabilities in open-source software. Most recently, the unintentional vulnerability of the widely used log4j software package led to a White House summit on open-source software security. After this vulnerability was discovered, one journalist titled an article, with only slight exaggeration, The Internet Is on Fire.

The Three-Step Plan

Thankfully, there are several steps that software producers and consumers, including the U.S. government, can take that would enable society to achieve the benefits of open-source software while minimizing these risks. The first step, which has already received support from the U.S. Department of Commerce and from industry as well, involves making software transparent so it can be evaluated and understood. This has started with efforts to encourage the use of a software bill of materials. This bill is a complete list or inventory of the components for a piece of software. With this list, software becomes easier to search for components that may be compromised.

In the long term, this bill should grow beyond simply a list of components to include information about who wrote the software and how it was built. To borrow logic from everyday life, imagine a food product with clearly specified but unknown and unanalyzed ingredients. That list is a good start, but without further analysis of these ingredients, most people will pass. Individual programmers, tech giants, and federal organizations should all take a similar approach to software components. One way to do so would be embracing Supply-chain Levels for Software Artifacts, a set of guidelines for tamper-proofing organizations software supply chains.

The next step involves software-security companies and researchers building tools that, first, sign and verify software and, second, analyze the software supply chain and allow software teams to make informed choices about components. The Sigstore project, a collaboration between the Linux Foundation, Google, and a number of other organizations, is one such effort focused on using digital signatures to make the chain of custody for open-source software transparent and auditable. These technical approaches amount to the digital equivalent of a tamper-proof seal. The Department of Defenses Platform One software team has already adopted elements of Sigstore. Additionally, a software supply chain observatory that collects, curates, and analyzes the worlds software supply chain with an eye to countering attacks could also help. An observatory, potentially run by a university consortium, could simultaneously help measure the prevalence and severity of open-source software compromises, provide the underlying data that enable detection, and quantitatively compare the effectiveness of different solutions. The Software Heritage Dataset provides the seeds of such an observatory. Governments should help support this and other similar security-focused initiatives. Tech companies can also embrace various nutrition label projects, which provide an at-a-glance overview of the health of a software projects supply chain.

These relatively technical efforts would benefit, however, from broader government reforms. This should start with fixing the incentive structure for identifying and disclosing open-source vulnerabilities. For example, DeWitt clauses commonly included in software licenses require vendor approval prior to publishing certain evaluations of the softwares security. This reduces societys knowledge about which security practices work and which ones do not. Lawmakers should find a way to ban this anti-competitive practice. The Department of Homeland Security should also consider launching a non-profit fund for open-source software bug bounties, which rewards researchers for finding and fixing such bugs. Finally, as proposed by the recent Cyberspace Solarium Commission, a bureau of cyber statistics could track and assess software supply chain compromise data. This would ensure that interested parties are not stuck building duplicative, idiosyncratic datasets.

Without these reforms, modern software will come to resemble Frankensteins monster, an ungainly compilation of suspect parts that ultimately turns upon its creator. With reform, however, the U.S. economy and national security infrastructure can continue to benefit from the dynamism and efficiency created by open-source collaboration.

John Speed Meyers is a security data scientist at Chainguard. Zack Newman is a senior software engineer at Chainguard. Tom Pike is the dean of the Oettinger School of Science and Technology at the National Intelligence University. Jacqueline Kazil is an applied research engineer at Rebellion Defense. Anyone interested in national security and open-source software security can also find out more at the GitHub page of a nascent open-source software neighborhood watch. The views expressed in this publication are those of the authors and do not imply endorsement by the Office of the Director of National Intelligence or any other institution, organization, or U.S. government agency.

Image: stock photo

See the rest here:
Dependency Issues: Solving the World's Open-Source Software Security Problem - War on the Rocks

Owocki was something of a rock star at the conference. He is credited with coining the term BUIDL in 2017. Admirers approached him nonstop to talk, express their support, or ask for a copy of his book, GreenPilled: How Crypto Can Regenerate the World, which was the talk of the conference and quickly sold out of the 400 copies he had ordered. Owocki is about as far from a casino person as youll find in the crypto world. In one of several presentations he gave, Owocki told the crowd that since research shows money stops increasing happiness after about $100,000 in annual income, Web3 founders should maximize their happiness by giving their excess money to public goods that everyone gets to enjoy. Theres cypherpunk, which is all about privacy, decentralization: hardcore libertarian shit, he told me. Im more of a leftist. Im more solarpunk, which is, how do we solve our contemporary problems around sustainability and equitable economic systems? Its a different set of values.

The internet, he explained, made it possible to move information between computers. This revolutionized communication. Blockchains have made it possible to move units of value between computers. Owocki believes this can be harnessed to revolutionize how human beings interact through something he calls regenerative cryptoeconomics. Cryptoeconomics, he writes in GreenPilled, is the use of blockchain-based incentives to design new kinds of systems, applications, or networks. Regenerative cryptoeconomics means doing this in a way that makes the world a better place for everyone. The goal is to break free from the zero-sum, rich-get-richer patterns of capitalism. Owocki believes that the right cryptoeconomic structure can help solve collective action problems like climate change, misinformation, and an underfunded digital infrastructure.

The key tool for achieving this is a decentralized autonomous organization. In theory, a DAO (yes, pronounced the same as the ancient Chinese word for the way of the universe) uses cryptocurrency to boost collective action. Typically, members join by buying some amount of a custom token issued by the DAO. That entitles them to an ownership stake in the DAO itself. Member-owners vote on what the DAO doeswhich is mostly to say, what it spends money on, since a blockchain-based entity can do little besides move funds from one address to another.

The young concept already has a checkered history. The first DAO, named simply The DAO, collapsed in 2016 after someone exploited a loophole in its code to siphon off what was then worth some $50 million in Ethereum currency. Similarly colorful failures have followed. DAOs were nonetheless all the rage at ETHDenver, where attendees waxed on about their world-changing potential. Kimbal Musk, Elons photogenic brother, spoke about his Big Green DAO, a food-related charity. Giving away money via a DAO, he insisted, got rid of all the painful bureaucracy of philanthropic nonprofits. Its way better, he said, though he also granted that there are many ways to fail, and this one could fail spectacularly.

What is it about a DAO thatunlike, say, a Kickstarter pagefrees humanity from the collective action problems that threaten to doom the species? According to Owocki, its the ability to write code in ways that tinker with incentive structures. (In this sense, the first DAO was arguably Bitcoin itself.) Our weapon of choice is novel mechanism designs, based upon sound game theory, deployed to decentralized blockchain networks as transparent open source code, he writes in GreenPilled. Indeed, the book has very little to say about technology, per se, and much more to say about various game theory concepts. These range from the sort of thing youd learn in an undergrad econ classpublic goods are non-excludable and non-rivalrousto things that wouldnt be out of place in a sci-fi novel: community inclusion currencies, fractal DAO protocols, retroactive public goods funding.

Its hard enough for me to grasp how a DAO works. So while Im in Denver,I create one.

One of the most powerful incentive design techniques, according to Owocki, is something called quadratic voting. Standing near the edge of the Shill Zone, Owocki turned around to show me the back of his purple baseball jacket, which said Quadratic Lands. The Quadratic Lands, Owocki explained, are a mythical place where the laws of economics have been redesigned to produce public goods. Its just a meme, he said. I dont want to tell you it already exists. (Everyone at ETHDenver was concerned, rightly, about my ability to separate metaphorical claims from literal ones.)

In a quadratic voting system, you get a budget to allocate among various options. Lets say its dollars, though it could be any unit. The more dollars you allocate to a particular choice, the more your vote for it counts. But theres an important caveat: Each marginal dollar you pledge to the same choice is worth less than the previous one. (Technically, the cost of your vote rises quadratically, rather than linearly.) This makes it harder for the richest people in a group to dominate the vote. GitCoin uses an adaptation, quadratic funding, to award money to Web3 projects. The number of people who contribute to a given project counts more than the amount they contribute. This rewards ideas supported by the most people rather than the wealthiest: regenerative cryptonomics in action.

Here is the original post:
The Web3 Movements Quest to Build a Cant Be Evil Internet - WIRED

Fintech startup Yapily is announcing that it plans to acquire finAPI the transaction is subject to regulatory approvals before it closes. Both companies offer open banking solutions in Europe.

With this move, Yapily is consolidating its position in Europe and growing its business in Germany, more specifically. The terms of the deal are undisclosed, but the company says it is a multimillion-euro transaction.

Based in the U.K., Yapily offers a single, unified open banking API to interact with bank accounts. Unlike Tink or TrueLayer, Yapily offers a low-level solution without any front-end interface. Developers have to code their own bank connection flow. The result is more control and no Yapily logo.

Due to European PSD2 regulation, banks have to offer programming interfaces (APIs) so that they can work better with third-party services. Yapily has focused specifically on official API integrations and covers thousands of banks. It doesnt rely on screen scraping and private APIs.

Companies can leverage open banking to check the balance on a bank account, fetch the most recent transactions, but also initiate payments directly from a bank account.

FinAPI is also an open banking provider. Originally from Munich, Germany, the company has been around since 2008 Schufa acquired a majority stake in finAPI in 2019. It offers an API with coverage in Germany, Austria, Czech Republic, Hungary and Slovakia. Like Yapily, finAPI clients can obtain account information and initiate payments using an API.

In addition to those pure open banking products, finAPI also offers the ability to verify the age and identity of a customer. This can be useful to comply with KYC (Know Your Customer) regulation.

Yapily currently covers 16 European markets and the company says it is the leader in the U.K. But the startup isnt currently active in Czech Republic, Slovakia and Hungary. With todays acquisition, the company is expanding to these three new markets and becoming the leader in Germany.

As you can see, theres some product feature overlap between Yapily and finAPI. And the acquisition makes sense as the two companies didnt start in the same market.

Yapily works with companies like American Express, Intuit QuickBooks, Moneyfarm, Volt, Vivid and BUX. FinAPIs clients include ING, Datev, Swiss Life, ImmobilienScout24 and Finanzguru.

This is a hugely exciting milestone for Yapily on our journey from disruptive startup to ambitious scale-up. Within three years from launch, we have commercialized our platform, grown our customer base, and now have the largest open banking payments volumes in Europe. Working with finAPI, we can gain more speed, agility, and depth to accelerate innovation and shape the future of open finance in Europe and beyond, Yapily founder and CEO Stefano Vaccino said in a statement.

When it comes to payments in particular, Yapily and finAPI have processed a combined total of $39.5 billion in payment volumes over the last 12 months. Essentially, Yapily will double its customer base with this acquisition.

Follow this link:
Yapily to acquire finAPI in open banking consolidation move - TechCrunch

On May 4, GitHubs CSO Mike Hanley announced that all users who upload code to the site must enable one or more forms of two-factor authentication (2FA) by the end of 2023 or leave. Its about time!

In case youve been asleep for the last few years, software supply chain attacks have become commonplace. One of the easiest ways to protect it is to use 2FA. 2FA is simple. Besides using a username/password pair to identify yourself you also use a second factor to prove your identity.

Under the surface, 2FA gets complicated. They rely on one of three standards: HMAC-based One Time Password (HOTP). Time-based One-Time Password (TOTP), or the FIDO Alliances FIDO2 Universal 2nd Factor (U2F) standard. But, you dont need to worry about that as a developer, unless security, authentication, and identity are your thing. You just need to, as Hanley puts it, enable one or more forms of 2FA.

Its not that freaking hard. Still, today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA. Why are developers so stubbornly stupid?

As Mark Loveless, a GitLab senior security researcher, put it recently, The main reason for low adoption of a secondary authentication factor is that turning on any multi-factor authentication (MFA) is an extra step, as it is rarely on by default for any software package. And we do so hate to take even one extra step.

Mind you, smarter developers on bigger projects do get it. Patrick Toomey, GitHubs director of product security engineering, recently observed that Open source maintainers for well-established projects (more than 100 contributors) are three to four times more likely to make use of 2FA than the average user. That comes as no surprise because larger and more popular projects appreciate their position and responsibility in the open source software supply chain. In addition, these projects often become GitHub organizations, with the ability to manage access to their repositories using teams and set security policies, including a requirement to enable 2FA.

Another factor in people refusing to get a 2FA clue is simple ignorance. For example, a discussion on the Reddit programming subreddit on the issue showed many people assume that 2FA is either hard (Spoiler: Its not) or its not that secure because if uses a phone. True, 2FA that uses texting is relatively easy to break. Just ask Jack Dorsey, Twitters founder. Dorseys own Twitter account was hijacked thanks to a SIM swap attack.

But the important point here is you dont need to use your texting, aka Short Message Service (SMS). For 2FA, GitHub explicitly tells you that can also use:

Its not that hard, people! It really isnt. And, as for those who whine, This will kill projects! any project thats killed because its developers cant do basic 2FA security is better off dead.

For too long in open source communities, weve been too inclined to think that hackers only attack proprietary programs. As James Arlen, Aiven CISO (chief information security officer), observed, The reality of open-source software development over the last 30+ years has been based on a web of trust among developers. This was maintained through personal relationships in the early days but has grown beyond the ability of humans to know all of the other humans. With GitHub taking the step of providing deeper authentication requirements on developers, it will dramatically reduce the likelihood of a developer suffering an account takeover and the possibility of a violation of that trust. In short, Angel Borroy, a Hyland developer evangelist, told me, bad guys can see open source code too.

GitHub is giving you until 2023. Thats much too kind of them. Your GitHub accounts being hijacked is a real and present danger. Adopt 2FA today. Adopt 2FA not only on GitHub but on all your code repositories and online services. Its the best way you can protect yourself and your code from attackers today.

Featured image Ed HardieonUnsplash.

Here is the original post:
Github's 2FA Move Was Long Overdue The New Stack - thenewstack.io

Participants include industry-leading firms that have backed several of the most successful Web3 companies, such as a16z, AppWorks, Cadenza Ventures, Coatue, Coinfund, Digital Currency Group (DCG), Dispersion Capital, Fabric Ventures, Greenfield One, HashKey, L1 Digital, Mirana Ventures, OP Crypto, SkyVision Capital, Spartan Group, Union Square Ventures, and Dapper Ventures.

"We are thrilled to see such a strong vote of confidence in the Flow ecosystem from some of the world's leading investors in Web3 through their commitment to this Fund," said Roham Gharegozlou, CEO of Dapper Labs. "With their active participation and support, the Ecosystem Fund has the opportunity to become a real game-changer for the 7500+ strong and fast-growing developer community in the Flow ecosystem."

With a focus on enabling more distributed and equitable Web3 opportunities to developers around the globe, participants will focus on providing support for gaming, infrastructure, decentralized finance, content and creators. The resources are expected to be used by developers for product development, product scaling, team expansion, user acquisition and general operating expenses.

"The Ecosystem Fund is an opportunity to power the next generation of developers across the global Flow community," said Dan Rose, Chairman of Coatue Ventures. "Coatue has already backed multiple companies building in the Flow ecosystem including Dapper Labs, Crypthulu and Faze Technologies, and we are excited to play an active role in enabling more Web3 opportunities."

In addition to financial support, the developers in the Flow ecosystem will be able to leverage expertise via informational events, office hours, accelerators & incubators, subsidized office space and similar initiatives. For example, investors will provide Flow teams office space in cities such as Berlin (Greenfield One) and Asia (for AppWorks Accelerator program), and Liberty City Ventures will be providing two scholarships for college students to work on Flow-related projects. As a Venture Partner for Bybit and BitDAO, Mirana Ventures will also help catalyze strategic collaboration opportunities for Flow projects.

"As web3 accelerates and sophisticated app developers search for the best platforms, Flow is perhaps the best decentralized blockchain built for the scale, security, and ease of use most modern startups need to succeed." said David Pakman, Managing Partner at CoinFund. "The Flow Ecosystem Fund will be a huge accelerator of innovation and growth on the platform and we at CoinFund are excited to work with this talented community to help drive innovation and growth."

Originally developed by Dapper Labs to create more efficient, secure and scalable proof-of-stake blockchain experiences, Flow is an open-source, developer-friendly and energy efficient blockchain built for consumer applications. With global partners including the NBA, NFL, UFC and Dr. Seuss; unicorn developers such as Animoca and PlayCo; and emerging projects such as Genies, Fancraze and Cryptoys, Flow has seen daily transactions triple since September 2021 as it has grown into the leading blockchain for nonfungible token (NFT) sales by number of NFT transactions.

To learn more about Flow and the Flow Ecosystem Fund, please visitwww.flow.com/ecosystemsupport.

About Flow

Flow is the blockchain designed to be the foundation of Web3 and the open metaverse, supporting consumer-scale decentralized applications, NFTs, DeFi, DAOs, and more. Powered by Cadence, an original programming language built specifically for digital assets, Flow empowers developers to innovate and push the limits that will bring the next billion to Web3. Created by a team that has consistently delivered industry-leading consumer-scale Web3 experiences including CryptoKitties, Dapper, and NBA Top Shot, Flow is an open, decentralized platform with a thriving ecosystem ofcreators from top brands, development studios, venture-backed startups, crypto leaders, and more. For more information, visitwww.flow.com.

SOURCE Flow

Read more here:
FLOW LAUNCHES $725 MILLION ECOSYSTEM FUND TO DRIVE INNOVATION ACROSS THE FLOW ECOSYSTEM - PR Newswire

Kubernetes has standardised on the Linux Foundations free software signing service, sigstore, to protect against supply chain attacks. sigstore, first released in March 2021, includes a number of signing, verification and provenance techniques that let developers securely sign software artifacts such as release files, container images and binaries with signatures stored in a tamper-proof public log. The service is free to use and designed to help prevent what are increasingly regular and sophisticated upstream software supply chain attacks.

sigstores founders include Red Hat, Google and Purdue University. Its adoption by Kubernetes one of the worlds most active open source communities, with close to six million developers (a huge number given that CNCF data from December 2021 suggests that there are 6.8 million cloud native developers in total) is a significant vote of trust in the standard for verifying software components. (nb The Linux Foundation hosts both sigstore and Kubernetes, as well as Linux, Node.js and a host of other ubiquitous critical software projects.)

Kubernetes 1.24 released May 3 and all future releases will now include cryptographically signed sigstore certificates, giving its developer community the ability to verify signatures and have greater confidence in the origin of each and every deployed Kubernetes binary, source code bundle and container image.

Few open source projects currently cryptographically sign software release artifacts, something largely due, the Linux Foundation suggested on sigstores launch back in March 2021, to the challenges software maintainers face on key management, key compromise / revocation and the distribution of public keys and artifact digests.

The move by Kubernetes maintainers comes as supply chain attacks escalated 650% in 2021. The Kubernetes team in early 2021 began exploring SLSA compliance to improve Kubernetes software supply chain security, explaining that sigstore was a key project in achieving SLSA level 2 status and getting a head start towards achieving SLSA level 3 compliance, which the Kubernetes community expects to reach this August [2022]

(SLSA is a set of standards and technical controls that provide a a step-by-step guide to preventing software artifacts being tampered with, tampered artifacts from being used, and at the higher levels, hardening up the platforms that make up a supply chain. It was introduced by Google as a standard in June 2021.)

Dan Lorenc, originalco-creator of sigstorewhile at Google (and presently CEO / co-founder ofChainguard) told The Stack that the sigstore General Availability (GA) production release is due out this Summer.

This means enterprises and open source communities will benefit from stable APIs and production grade stable services for artifact signing and verification. This is being made possible thanks to the dedicated sigstore open source community, which has fixed major bugs and added key features in both services over the past few months. Sponsors like Google, RedHat, HPE and Chainguard provided funding that allowed us to stabilize infrastructure and perform a third-party security audit he said, adding: Many programming language communities are working towards Sigstore adoption and the Sigstore community is working closely with them. We just announced a new Python client for PyPI and are hoping to extend this to other ecosystems like Maven Central and RubyGems.

In terms of broader enterprise adoption (likely to accelerate when it is GA) he said in an emailed Q&A that a number of enterprises have already adopted Sigstore and are using it for signing and verifying both open and closed software. Notably the Department of Defense Platform One team has implemented Sigstore signatures into the IronBank container hardening platform which means they can verify container images, SBOMS and attestations.

sigstores keyless signing has raised some concernst that it could make revocation harder but thats not the case, he added, telling The Stack: No, in fact the opposite is true! While it is true that the signatures on software are stored forever, software verification using Sigstore does support artifact revocation. Further, Sigstore allows after-the-fact auditing to help organizations understand the extent of a compromise, and Sigstore makes discovering compromises in the first place easier by posting signatures on a transparency log. The Sigstore community recently published Dont Panic: A Playbook for Handling Account Compromise with Sigstore with more details on this

In terms of policy automation or vendor services support for sigstore, Lorenc as a co-creator had understandably got in early. His companys Chainguard Enforce, announced last week, is the first tool with native support for modern keyless software signing using the Sigstore open source standard he said, adding that the product will give CISOs the ability to audit and enforce policies around software signing for the code they use.

sigstores release had met with genuine appreciation across the community in 2021, with Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, University of Purdue noting that the software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure. This will set a new tone in the software supply chain security conversation.

Its great to see adoption of sigstore, especially with a project such as Kubernetes which runs many critical workloads that need the utmost protection, said Luke Hinds, Security Engineering Lead at Red Hat, CTO & Member of the Kubernetes Security Response Team & Founder of the sigstore Project in a May 3 release.

Kubernetes is a well known and widely adopted open source project and can inspire other open source projects to improve their software supply chain security by following SLSA levels and signing with sigstore, added Bob Callaway, Staff Software Engineer at Google, sigstore TSC member and project founder.

He noted: We built sigstore to be easy, free and seamless so that it would be massively adopted and protect us all from supply chain attacks. Kubernetes choice to use sigstore is a testament to that work.

Security firm BlueVoyant earlier in 2021 noted after a survey of 1,500 CISOs, CIOs, and CPOs from the US, UK, Singapore, Switzerland and Mexico) that 77% had limited visibility around their third-party vendors (let alone the components they were using) and 80% having suffered a third-party related breach.

Users can find out how sigstore works in more detail here.

Original post:
Kubernetes has standardised on sigstore in a landmark move - The Stack

Terry Angelos, Visa's global head of fintech and crypto.

DriveWealth

One of Visa's top executives is leaving the payments giant for a brokerage technology start-up, CNBC has learned.

Terry Angelos, Visa's global head of fintech and crypto, will take over as chief executive officer of start-up DriveWealth next week. Angelos joined Visa seven years ago as part of its acquisition of TrialPay, which he founded and led as CEO.

DriveWealth lets consumer finance apps like Block's Cash App and Revolut offer stock trading by providing necessary behind-the-scenes infrastructure. The Jersey City-based broker-dealer was one of the first to allow fractional investing, or buying stocks in smaller dollar amounts vs. whole shares.

While retail trading boomed during the pandemic, Angelos said the long-term opportunity is in taking U.S. equities international. He estimated roughly a billion people across the world, outside of China, access financial services from a digital wallet or a fintech app and are looking for exposure to blue-chip stocks.

"If you were to think about the single, most reliable long-term asset that people around the world want to own, it's equity in U.S. companies," Angelos said. "Traditionally, people outside the U.S. don't have the ability to open up a brokerage account. That's something that we think we can help solve."

U.S. companies have been less of a safe haven this week with the Dow hitting its lowest level of the year on Monday. Still, over the past six decades, U.S. stocks have seen a roughly 10% annual return.

DriveWealth was last valued at $2.8 billion and is backed by Softbank, Fidelity's venture capital arm and Citi Ventures among others. The company operates as a licensed broker-dealer, providing clearing and settlement on behalf of its fintech customers, which handle the consumer experience and apps.

DriveWealth also provides custody for individual accounts and stocks. To connect to these apps, it uses software known as an API, or Application Programming Interface. The company said it doubled its customer base year over year, with 140% growth in international partners. While it's starting with stocks, DriveWealth also offers crypto investing infrastructure.

Individual investor activity has slowed significantly from its 2021 peak at the time of the GameStop frenzy. The retail participation rate, measured by retail volume as a percentage of total trading volume, recently fell to its lowest level since the pandemic began, according to Rich Repetto, managing director and senior research analyst at Piper Sandler.

That pullback has hurt shares of Robinhood, which recently said it was cutting 9% of its workforce after ramping up hiring to keep up with demand, and other publicly traded brokerage firms.

Still, Angelos said DriveWealth has seen increased participation and account growth during the recent downturn, and pointed to the long-term value of U.S. stocks.

"We're still in the growth cycle of making equities available to people who otherwise wouldn't have had access and will continue to see growth, even though there may be volatility or pullbacks among more active traders," he said.

As for an initial public offering, Angelos said it's "potentially on the road map." But for now, he said he's focused on increasing its footprint and returning to the chief executive role after almost a decade at Visa.

See the original post here:
Visa's top crypto executive Terry Angelos leaves for Softbank-backed brokerage start-up DriveWealth - CNBC

Times Square Arts Presents ZERO NUKES, a Large-Scale Sculpture by Artist Pedro Reyes and Call to Action to Eliminate Nuclear Weapons

New York, NY May 10, 2022 This May, Times Square Arts presents Amnesia Atmica NYC, a public exposition centered around artist Pedro Reyess ZERO NUKES, a 30-foot-tall inflatable sculpture that will function as a beacon to bring experts, political leaders, and engaged citizens together to address nuclear threat. On view in Times Square from May 17 May 24, 2022, the sculpture will serve as a central platform for a series of public programs and events designed to spotlight the voices of activists, artists, scientists, and community organizations in the anti-nuclear field, and drive conversations around non-proliferation and disarmament. Amnesia Atmica is curated by Pedro Alonzo, who specializes in ambitious artworks in public spaces.

ZERO NUKES is the centerpiece of Amnesia Atmica, commissioned by the Bulletin of the Atomic Scientists, which focuses on three main areasnuclear risk, climate change, and disruptive technologiesand equips the public, policymakers, and scientists with the information needed to reduce man-made threats to our existence. ZERO NUKES focuses on the zero as a graphic, visual, and conceptual element common to all languages. The structure stands as a symbol of global unity for a single non-controversial cause: to avoid the destruction of life on earth.

We commissioned Pedro Reyes to create an artwork that engages with the growing threat of nuclear conflict. Amnesia Atmica is his response, says Rachel Bronson, President and CEO of the Bulletin of the Atomic Scientists. Events in Ukraine are a stark reminder that nuclear weapons continue to threaten humanity on a daily basis. ZERO NUKES is Pedros latest contribution to this collection.

Amnesia Atmica holds a topical urgency and warning as nuclear weapons states around the world are investing in ways that are making these weapons more rather than less usable. The project will feature a two-day expo on May 19 and 20 showcasing artists, organizers, and organizations offering hands-on activities, a VR experience, information booths, and merchandise to engage the hundreds of thousands of visitors who pass through Times Square weekly. Public programs will be led by the Bulletin of the Atomic Scientists, and will include experts from organizations in the field, such as the International Campaign to Abolish Nuclear Weapons, a global coalition focused on mobilizing civil society around the world to support the specific objective of prohibiting and eliminating nuclear weapons; The Tank, a Manhattan-based non-profit arts presenter and producer serving emerging artists; Games of Change, an organization that supports using games for social change; Global Zero an international movement dedicated to stopping the spread of nuclear weapons; and Union of Concerned Scientists, a science advocacy group dedicated to solving the worlds most pressing problems.

There is no better public platform than Times Square to host a diversity of viewpoints and in turn, open minds and encourage a better understanding of the complexities around the most pressing issues of our day, says Tom Harris, Times Square Alliance President.

Times Square has a rich cultural history as an epicenter of protest and a platform that elevates a chorus of voices of our era, says Times Square Arts Director Jean Cooney. We are thrilled to turn this platform over to a range of artists confronting the most important topics of our times, such as Pedro Reyes and the issue of nuclear disarmament.

Times Square Arts will unveil Pedro Reyes ZERO NUKES, on Tuesday, May 17th at 1:30pm. If you are interested in covering or attending the unveiling, please email Ali Rigo ([emailprotected]).

Download a copy of this press release here.

PUBLIC PROGRAMMING

Public Unveiling, Tuesday May 17th at 1:30pm (Duffy Square)

1:30pm Remarks from Times Square Alliance

1:45pm Remarks from Mitchie Takeuchi, Producer The Vow From Hiroshima, Not Just A Survivor Film LLC. Mitchie will share her experiences as a second-generation Hiroshima survivor, her father having served the Red Cross in Hiroshima before and after the bombing.

1:50pm Beatrice Finn, who received the Nobel Peace Prize on behalf of ICAN, will speak about the immediacy of nuclear threats. ICAN NYC will be part of the Mobilization Expo, hosted by the Bulletin of the Atomic Scientists on Thursday and Friday to share what New Yorkers can do.

1:55pm Remarks from Pedro Reyes, artist of Zero Nukes

2:00pm Adjourn; Performance produced by The Tank

Mobilization ExpoPartner organizations dedicated to reducing nuclear weapons will host information sessions, public displays, and hands-on activities to encourage public engagement and mobilization. Participating organizations include: B(L)OOM; Bulletin of the Atomic Scientists; Das Bombe; Games for Change; Global Zeros Bomb Squad; Horizon 2045; ICAN; NYCAN; PATH Collective; Reverse the Trend; #StopInvestingInDestruction; Union of Concerned Scientists; among others.

Expo Schedule:Thursday, May 19, 12pm-8pmFriday, May 20, 12pm-8pm

ZERO NUKES: Performance SeriesZERO NUKES is a series of anti-nuclear performances curated and produced by Meghan Finn, Artistic Director of The Tank, a Manhattan-based non-profit arts presenter and producer serving emerging artists. The series is part of The Tanks outdoor series, Open Air Tank. Emerging artists will perform storytelling, hip hop and spoken word in Times Square beneath the mushroom cloud. Musical performers include Miriam Pultro, Questa Music, Elyse Durand, Baba Israel and Grace Galu of Soul Inscribed, Sarah Cagianese of Frances Rose, and Doll Parts. Performance and spoken word artists include Gabriel G Torres, Paige Cowen, David Trevor Lawson, Kev Berry, Carol Maz, Ben Firke, Emma Gomez, and Hunter Gause.

Performance Schedule:Tuesday, May 17, 2-4 pm- following the unveilingWednesday, May 18, 2-4pmThursday, May 19, 2-4pmFriday, May 20, 2-4pmMonday, May 23, 2-4pm

Artists Against the BombA collection of urgent messages calling for universal nuclear disarmament. The campaign is an international effort by artists, writers and activists who, through words and pictures, call for a reduction of the worlds nuclear weapons down to zero. The effort is designed to support disarmament organizations across the globe.

StockpileA new participatory work by Pedro Reyes where 12,075 rocket shaped balloonsequivalent to the total estimated number of global nuclear weaponswill be handed out to the public throughout the event. The balloons are a limited edition artwork that will be given to participants upon posting an image of ZERO NUKES on social media with the hashtags #ZERONUKES and #AmnesiaAtmica or upon following a participating organization such as the Bulletin.

Stockpile Schedule: Daily Handout, 4pm

Virtual Reality: On the Morning You Wake (to the end of the world)Games for Change will showcase On the Morning You Wake (to the End of the World), a virtual reality experience that uses innovative documentary storytelling and virtual production techniques to viscerally recreate the lived experiences of people of Hawaii, who, for 38 minutes, had to react during a false alert in January 2018. Learn more about the project here.

On the Morning You Wake (to the End of the World) Schedule:

Time: 12pm-8pm, May 19 and 20

Address:1560 Broadway, Suite 901New York, NY 10036Due to construction, entrance at 165 W. 46th Street

Take ActionThe project will consist of a QR code leading to information that guides the public in how to get involved, including clear ideas on how to take action, reach your representative, and find organizations to follow. Join local and international efforts to reduce nuclear dangers, discuss current events with experts, connect with various education and advocacy organizations, and post your concerns to social media. You can even cast your vote to share what time you think it should be on the Bulletins iconic Doomsday Clock. Also, feel free to tag and follow Times Square Arts Instagram account (@tsqarts) to get involved.

Merchandise KioskThe kiosk operated by public art ambassadors will feature an assortment of information as well as merchandise available for the public to buy such as shirts, hats, and buttons. The graphics on the kiosk designed by Pedro Reyes will prominently display the ZERO NUKES imagery. Any net proceeds will go towards traveling the cloud in support of other disarmament-based events.

Frieze New York Art FairAmnesia Atmica will be presented in collaboration with Frieze New York from May 18-22. Frieze will feature two booths dedicated to Amnesia Atmica, one designated for a historical archive featuring contributions to the disarmament movement by artists and activists in the 20th century; and the other an installation of imagery and merchandise from the ZERO NUKES campaign. One of the two booths will also feature Pedro Reyes limited edition interactive artwork Stockpile.

ABOUT AMNESIA ATMICAAmnesia Atmica opened in Mexico City in 2020 to raise public awareness, revitalize the once vibrant anti-nuclear community, and most importantly, put pressure on political leaders, policymakers, and global citizens by informing them of the consequences of inaction. It included an early version of ZERO NUKES, a locally curated dance performance, and presentations by leading dignitaries. The artist aims to draw attention to the issues of nuclear threat and the failure of experts and leaders to contain it. The title, Amnesia Atmica, urges visitors to not forget or ignore the global issues at hand and engage first-hand with solutions-oriented thinking and strategies. Inspiration for Amnesia Atmica was sparked at an incubator created by N Square, a network of innovators committed to ending the nuclear threat.

It is exactly because of what we are confronting around the world today that I created this piece. Im hoping to provide an invitation for people who want to get engaged, learn from others, connect and create a safer future. Im trying to provide a megaphone for the disparate voices committed to abolishing nuclear weapons. Im trying to provide answers for those asking what can I do?, says Pedro Reyes.

Artists like Pedro Reyes can play an important role in revitalizing the disarmament community. While ZERO NUKES sends a clear multilingual message in support of the disarmament movement, Amnesia Atmica is a symbol of the consequences of inaction, says curator Pedro Alonzo.

Reyes has garnered international acclaim for large-scale projects that explore current social and political issues, through the use of mediums like sculpture, performance, video, and activism. His work tends to investigate the power of individual and collective organization to incite change through communication, creativity, happiness, and humor, making Times Square an ideal locale for his project, as an epicenter of both protest and kitsch. New York City was also the center of the 1982 Rally for Nuclear Disarmament, making a return to the city generations later a fitting representation of the timelessness of nuclear instability.

Reyes is working with experts in the nuclear realm on the project, including the Bulletin of the Atomic Scientists and the International Campaign to Abolish Nuclear Weapons, among others.

Supporters of the project include the Bancel Foundation, the Carnegie Corporation of New York, N Square, Abakanowicz Arts and Culture Charitable Foundation, David Rockefeller Fund, The Prospect Hill Foundation, Lisa Tung and Spencer Glendon, Miner / Nagy Family.

ABOUT PEDRO REYESReyes (b. 1972, Mexico City) lives and works in Mexico City. He has won international attention for large-scale projects that address current social and political issues. Through a varied practice utilizing sculpture, performance, video, and activism, Reyes explores the power of individual and collective organization to incite change through communication, creativity, happiness, and humor.He studied architecture at the Ibero-American University in Mexico City. Solo exhibitions have been held with Museum Tinguely, Basel, Switzerland (2020); SCAD, Georgia, USA (2019); Creative Time, New York, USA (2016); Dallas Contemporary, TX, USA (2016); La Tallera, Cuernavaca, Mexico (2016); Hammer Museum, Los Angeles, CA, USA (2015); ICA, Miami, FL, USA (2014); The Power Plant, Toronto, Canada (2014); Walker Art Center, Minneapolis, MN, USA (2011); Guggenheim Museum, New York, NY, USA (2011); CCA Kitakyushu, Japan (2009); Bass Museum, Miami, FL, USA (2008;) and San Francisco Art Institute, CA, USA (2008). Reyes has participated in group exhibitions at the 21st Century Museum of Contemporary Art, Kanazawa, Japan (2015); The National Museum of XXI Century Arts (MAXXI), Rome (2015); Beijing Biennale, China (2014); Whitechapel Gallery, London, UK (2013); dOCUMENTA (13), Kassel, Germany (2012); Liverpool Biennial, UK (2012); Gwangju Biennial, South Korea (2012); Lyon Biennale, France (2009); and the 50th Venice Biennale, Italy (2003). In Fall 2016, Reyes served as the inaugural Dasha Zhukova Distinguished Visiting Artist at MIT Center for Art, Science & Technology (CAST) at Massachusetts Institute of Technology in Cambridge, Massachusetts.

ABOUT PEDRO ALONZOPedro Alonzo is a Boston-based independent curator. He is currently an Adjunct Curator at Dallas Contemporary. Since 2006 he has specialized in producing exhibitions that transcend the boundaries of museum walls and spill out into the urban landscape, addressing audiences beyond the traditional museum public. In 2017 he formalized his practice by establishing A&C. At the ICA Boston, he curated Shepard Faireys 20-year survey, Supply, and Demand. For the MCA San Diego, he organized the group exhibition Viva la Revolucin: A Dialogue with the Urban Landscape, which featured site-specific works inside the museum and throughout downtown San Diego. In 2015 Alonzo began to develop exhibitions designed to engage the public, starting with a citywide exhibition in Philadelphia, Open Source: Engaging Audiences in Public Space, followed by working with JR to place a gigantic image of a Mexican child named Kikito, overlooking the US/Mxico border wall in Tecate. Since 2016 Alonzo has worked with The Trustees, Massachusettss largest conservation and preservation non-profit, to launch and curate the organizations first Art and the Landscape initiative, resulting in site-specific commissions created by the artists: Sam Durant (2016), Jeppe Hein (2016), Alicja Kwade (2018), and Doug Aitken (2019). In 2019, Pedro Alonzo worked with Now + There as guest curator for Oscar Tuazons Growth Rings and in 2020 for Jose Dvilas To Each Era Its Art. To Art, Its Freedom. for Central Wharf Park in Boston. The most recent project he developed at Dallas Contemporary was a major exhibition that brought together rarely seen works by Japanese artist Yoshitomo Nara.

ABOUT THE BULLETIN OF THE ATOMIC SCIENTISTSThe Bulletin equips the public, policy makers and scientists with the information needed to reduce man-made threats to our existence. At its core, it is a media organization, publishing a free-access website and a bimonthly magazine. But it is much more. The Bulletins website, iconic Doomsday Clock, and regular events draw attention to three main areas: nuclear risk, climate change, and disruptive technologies. What connects these is a driving belief that because humans created them, we can control them. The Bulletin is an independent, nonprofit 501 c (3) organization founded by Manhattan Project scientists nearly 75 years ago. It gathers the most informed and influential thought leaders tracking man-made threats and brings innovative thinking to a global audience. The Bulletin applies intellectual rigor to the conversation and does not shrink from alarming truths.

The Bulletins iconic Doomsday Clock uses the imagery of apocalypse (midnight) and the idiom of nuclear explosion (countdown to zero) to convey threats to humanity and the planet. It is currently set at 100 seconds to midnight, the closest its ever been to midnight. The Clock is set every year by the Bulletins Science and Security Board in consultation with its Board of Sponsors, which includes 11 Nobel laureates. The Clock has become a universally recognized indicator of the worlds vulnerability to catastrophe from nuclear weapons, climate change, and disruptive technologies.

ABOUT TIMES SQUARE ARTSTimes Square Arts, the public art program of the Times Square Alliance, collaborates with contemporary artists and cultural institutions to experiment and engage with one of the worlds most iconic urban places. Through the Squares electronic billboards, public plazas, vacant areas and popular venues, and the Alliances own online landscape, Times Square Arts invites leading contemporary creators, such as Mel Chin, Tracey Emin, Jeffrey Gibson, Ryan McGinley, Yoko Ono, and Kehinde Wiley, to help the public see Times Square in new ways. Times Square has always been a place of risk, innovation and creativity, and the Arts Program ensures these qualities remain central to the districts unique identity.

CONNECT WITH AMNESIA ATOMICA@tsqarts@zeronukes@_pedro_reyes_ @bulletinoftheatomicscientists@trucatriche #ZeroNukes

PRESS CONTACTSAli RigoSenior Account Executive, Cultural Counsel[emailprotected]

Lauren GagnonAccount Coordinator, Cultural Counsel[emailprotected]

Download a copy of this press release here.

Read more:
PRESS RELEASEAmnesia Atmica NYC Opens in Times Square this May - Bulletin of the Atomic Scientists

Low-Code/No-Code solutions are not new they have existed in some way, shape, or form for more than thirty years. Microsoft Excel was probably the earliest LCNC solution of its kind it enabled workflows in various ways for billions of people, most of which are still using it. As a developer, I remember my world changing when Microsoft released Visual Basic. Its graphical user interface (GUI) allowed developers to modify code by simply dragging and droppingobjectsand defining their behavior and appearance through the creation of an abstraction layer that hid complexities and automated routine tasks.

The idea ofcreating high-quality solutions at speed and scale without deep coding capabilities or an expensive development team is what most businesses want. Momentum around these Low-Code/No-Code solutions started ramping up in the early 2000s with companies like Smartsheet, which focuses on breaking down silos and creating a dynamic work environment. But that momentum has begun to increase significantly over thelast decade and even more so in the last five years. We saw the launch of AirTable for workflows, Coda for in-doc collaboration, Microsoft Power Apps and Appsheet, which was acquired by Google, for creating apps, Unqork with its visual development platform, and Plus Docs for real-timedata capture and sharing. All of this has the singular focus of democratizing technology to empower creators and builders in the modern world.

Low-Code/No-Code is a visual and hassle-free approach to software development. Low-Code/No-Code democratizes software application development. Users without deep programming knowledge are able to build enterprise-level applications that are deployable to teams and across enterprises.

In its simplest construct, you can think of Low-Code/No-Code as a visual and hassle-free approach to software development. Low-Code/No-Code platforms abstract, automate and optimize every step of a process and enable rapid delivery of any software solution. Low-Code/No-Code democratizes software application development users without deep programming knowledge are able to build enterprise-level applications that are deployable to teams and across enterprises.

Developers utilize Low-Code for rapid software delivery and workflow automation. Other professionals or knowledge workers are able to develop simple apps or expand app functions with minimal visual programming, automatic code generation, and model-driven design.

On the other hand, No-Code takes a more visual approach to creating apps or solutions without the need to know any programming languages. Users can drag and drop components to create a complete solution. Its critical to know that in reality, No-Code is never truly without code there is code involved, but it is abstracted behind an easy-to-use visual user interface.

Many factors are contributing to the acceleration of the creation and use of Low-Code/No-Code solutions.

Weve seen communities of makers grow faster over these last two years: sharing bread baking recipes on TikTok, DIY home improvement projects on YouTube. Just as were seeing people outside technology getting really excited about building stuff again, were seeing it in no code as well: people are posting challenges, like One Hundred Days of No Code on Twitter and creating maker communities supporting their building journeys. The no-code building blocks have been around for a decade, but these open maker communities are quickly on the rise. Coda Head of Solution Services John Scrugham

As the barrier to entry to participate in what was previously a highly technical field keeps getting lower, were seeing the number of people who want to change how things have always been done spike. People are more comfortable with technology, and as John Scrugham, Codas Head of Solution Services, said during Madronas annual meeting, all anyone needs is a $200 device with basic capabilities, and they can pull up everything they need to start building a solution to a productivity issue theyre having. That mindset is not limited to the workplace. John said he thinks that the recent growth in the creator/maker mindset spurred by the pandemic is inspiring people to try it in all aspects of life.

Weve seen communities of makers grow faster over these last two years: sharing bread baking recipes on TikTok, DIY home improvement projects on YouTube. Just as were seeing people outside technology getting really excited about building stuff again, were seeing it in no code as well: people are posting challenges, like One Hundred Days of No Code on Twitter and creating maker communities supporting their building journeys, said Coda Head of Solution Services John Scrugham. The no-code building blocks have been around for a decade, but these open maker communities are quickly on the rise.

It is really important for product growth and viral adoption of these types of products that people arent just using them at work. If that were the case, you wouldnt be able to share them with other people, which is pretty important. Plus Docs CEO Daniel Li

Another important observation thatPlus Docs CEO Daniel Li made was that people are now using Low-Code/No-Code tools not just in their work lives but also outside of work because there is so much low-hanging fruit to improve cumbersome workflows and processes anywhere.

As an example, we at Madrona use Plus Docs to track the performance of some of our portfolio companies and have also built a set of dashboards to track the ski conditions at Whistler for the avid skiers we have on the team.

It is really important for product growth and viral adoption of these types of products that people arent just using them at work, said Plus Docs CEO Daniel Li. If that were the case, you wouldnt be able to share them with other people, which is pretty important.

Low-Code/No-Code platforms put the power of application development into everyones hands. Users can range from knowledge workers all the way to field specialists, including those that run x-ops functions. The primary goal is to do things faster and cheaper in a more repeatable and systematic way using software and automation versus manual tooling.

If once a week you have to provide a status report, and youre comfortable going through your emails, pulling out information, going to spreadsheets, cutting out information, and building that deck for that status meeting, and you think that is the best you can do. Youre probably not the target user of this technology. But if you think theres got to be a better way to get information right from the source and present it through a live dashboard, so you never have to rebuild this deck that is the mindset. You have to be somebody who wants to change the status quo. Smartsheet Chief Product Officer & EVP of Engineering Praerit Garg

Having spent years building Smartsheet, Chief Product Officer & EVP of Engineering Praerit Garg explained the typical Low-Code/No-Code user well during Madronas annual meeting: Someone who looks at problems differently and thinks there are better ways to solve them.

He further added: If once a week you have to provide a status report, and youre comfortable going through your emails, pulling out information, going to spreadsheets, cutting out information, and building that deck for that status meeting, and you think that is the best you can do. Youre probably not the target user of this technology. But if you think theres got to be a better way to get information right from the source and present it through a live dashboard, so you never have to rebuild this deck that is the mindset. You have to be somebody who wants to change the status quo.

The consumerization of technology is back! The user is and wants to be more in control of their ability to build, deploy and manage at scale. With the advent of the creator economy, builders want solutions deployed in seconds without having to go through a cumbersome development process. The underlying framework that makes this possible is truly intelligent software with not just analytical but decision-making capabilities. There will always be work that requires the skills of what you can call professional programmers but there are only so many of them coming out of college.

We are excited to see what sort of new ideas the millions of other people that are no longer constrained by the requirements of deep coding knowledge and now have the capacity to innovate around technology in a way they never have before. At Madrona, we want to meet the next great founders who are innovating in the Low-Code/No-Code space. My contact info is linked in the byline!

July 14, 2020

This is the third in our series describing our investment themes for 2020 and beyond. Software is eating the world, but today, most organizations have a limit on how quickly they can build software. While

December 17, 2020

Today we are excited to announce our investment in Rec Room, an online universe where people can play and create games with their friends. We first met Nick Fajt and the founding Rec Room team

October 25, 2017

Today we are pleased to announce that Ted Kummert is rejoining Madrona as Venture Partner. Ted spent the last four years at Apptio as EVP of Engineering and Cloud Operations. While at Apptio (NASDAQ:APTI), Ted

Original post:
The Progress of Low-Code/No-Code and an Update to our Thesis - Madrona Venture Group