JDA Software: Extending their SDLC to remediate open source issues – Security Boulevard

Smart organizations in the business of building software need to use a mix of application testing tools to ensure their code is high-quality and secure.

With over $1 billion in annual revenue, JDA Software has been the world's leading supply chain provider for the past 30 years. JDA enables companies to improve their ability to plan, execute, and deliver by better predicting and shaping demand, fulfilling more intelligently and quickly, and improving customer experiences and loyalty. More than 4,000 global customers use JDA's unmatched end-to-end solutions portfolio to shorten their supply chains, increase speed of execution, and profitably deliver to their customers.

As with many organizations in the business of building software, JDA's portfolio of 100+ applications contains a mix of custom-built codebases, commercial, and open source components.

"Our open source management prior to Black Duck was done primarily through spreadsheets, developer honesty, and our providing basic guidance on using permissive rather than viral licenses," says John Vrankovich, principal architect at JDA.

"We have over a hundred products, with each of those having hundreds to thousands of different open source components. We recognized that we needed a solution to ensure we were tracking and managing open source and commercial components as part of our overall software security initiative."

All software development teams need a complete and balanced software development program to ensure their applications stay healthy. Every application testing tool has advantages and disadvantages, and no single solution should be expected to find and fix all code issues. Smart organizations in the business of building software like JDA Software know they need to use a mix of application testing tools to help them ensure the code they produce is high-quality and secure.

Static analysis security testing (SAST) tools such as Coverity are critical for uncovering and eliminating issues in proprietary software early in the SDLC by scanning an application's code for flaws while that code is still in a nonrunning (i.e., static) state. However, SAST tools aren't effective in finding open source software vulnerabilities (CVEs) in code, or in identifying open source license types or versions.

Given that open source is an essential component of application development today, adding an effective software composition analysis (SCA) tool to application testing should be as imperative to every software development team as SAST is.

JDA first implemented Black Duck Code Center in 2015. Code Center provides JDA with software component selection, approval, and tracking of open source and other third-party software components.

"All of our core products are using Code Center," says Meghan Caudill, project manager for third-party product compliance at JDA. "About three years ago, we began to use Black Duck SCA when building the CI/CD process for our JDA Luminate product line, newly developed, SaaS-native products. Our goal is full migration to Black Duck SCA by the beginning of 2020."

Synopsys Black Duck SCA is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers, enabling organizations to control open source usage across the software supply chain and throughout the application life cycle. Black Duck enables JDA to set and enforce open source use and security policies, automate policy enforcement with DevOps integrations, and prioritize and track remediation activities.

"With the Black Duck tools, we were able to write an open source compliance strategy that addressed our requirements and priorities," says John Vrankovich. "We're now able to ensure that none of our products are released with open source license risks, quality or security issues. Any issues we discover are tracked and remediated, all license obligations are being met, and only approved open source components are used in our products. We know what we're using, the licenses we're using, the versions we're using, and any security issues and component patch statuses."


Cisco: there’s a bad bug in open source software that a Netflix engineer abandoned in 2016 – CSO Australia

Cisco has disclosed a bug in Exhibitor, a popular open source package for the Apache Zookeeper server for distributed applications in the cloud.

Exhibitor is an open source program developed by Netflix to help deal with ephemeral cloud instances within Zookeeper, which wasn't built to handle cases where hosts don't know the hostnames of other hosts within an ensemble of container engines.

As Google Cloud explains, Exhibitor is a supervisor process that coordinates the configuration and execution of Zookeeper processes across many hosts, which gives Zookeeper users backup and restore capabilities and provides a GUI for Zookeeper nodes among other things.

About three months ago Cisco researchers discovered a fairly serious security issue in Exhibitor's web UI component, which lacks any form of authentication, leaving it exposed to an exploitable command injection vulnerability.

Cisco disclosed details about the flaw because its report about the flaw was not addressed within its 90-day disclosure policy.

The bug appears not to have been addressed because the former Netflix platform engineer who created Exhibitor, Jordan Zimmerman, abandoned the software in September 2016. Zimmerman had been explaining to distributed system developers what Exhibitor was as far back as 2012.

Exactly how widely the software is still used isn't known, but Zimmerman guessed that Exhibitor "will just die" if there was no interest among developers to maintain it after he stopped working on it.

Google posted the blog post "Taming the herd: using Zookeeper and Exhibitor on Google Container Engine" a few months before Zimmerman announced he would no longer maintain the software.

The other major issue is that prior to version 1.7.0, the Exhibitor supervisor did not have any way to specify which interfaces to listen on, according to Cisco.


"Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper. This could eventually allow an attacker to manipulate Exhibitor when launching ZooKeeper," explains Cisco Talos Intelligence researcher Jon Munshaw.

The command injection flaw is present in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1, according to Munshaw.

Given the slim chances of a fix being created, anyone still using Exhibitor should probably remove the software as soon as possible.
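As an added triage aid (not from the article, Cisco Talos, or the Exhibitor project), the script below applies the version facts stated above to an inventory of Exhibitor instances and ranks which hosts to remove first. The inventory records, the `bind_address` field and the `reachable_from_untrusted` flag are assumptions about what an operator would have on hand.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Facts stated in the article (Cisco Talos, Jon Munshaw):
#   - command injection in the Config editor of the unauthenticated web UI,
#     Exhibitor versions 1.0.9 through 1.7.1
#   - before 1.7.0 the supervisor could not be told which interfaces to listen on
INJECTION_LOW = (1, 0, 9)
INJECTION_HIGH = (1, 7, 1)
BIND_CONTROL_MIN = (1, 7, 0)

# Assumption: these inventory values mean "listen on every interface".
ANY_ADDRESS = {"0.0.0.0", "::", ""}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.5.6' or '1.7.1-SNAPSHOT' into a comparable tuple of ints."""
    core = text.strip().split("-", 1)[0]
    try:
        return tuple(int(p) for p in core.split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable Exhibitor version: {text!r}") from exc


@dataclass
class ExhibitorInstance:
    host: str
    version: str
    bind_address: str                  # assumption: address the web UI listens on
    reachable_from_untrusted: bool = False  # assumption: result of a firewall/ACL review


def triage(inst: ExhibitorInstance) -> dict:
    """Classify one instance using only the facts the report gives us."""
    ver = parse_version(inst.version)
    findings: List[str] = []

    if INJECTION_LOW <= ver <= INJECTION_HIGH:
        findings.append("command injection in Config editor of unauthenticated web UI (1.0.9-1.7.1)")
    if ver < BIND_CONTROL_MIN:
        findings.append("pre-1.7.0: listening interfaces cannot be restricted")
    exposed = inst.bind_address in ANY_ADDRESS or inst.reachable_from_untrusted
    if exposed:
        findings.append("web UI reachable beyond localhost")

    vulnerable = any("command injection" in f for f in findings)
    if vulnerable and exposed:
        severity = "critical"
    elif vulnerable:
        severity = "high"
    elif exposed:
        severity = "medium"
    else:
        severity = "info"

    # The article expects no upstream fix, so removal is the remediation it suggests.
    if vulnerable:
        action = "remove Exhibitor from this host"
    elif exposed:
        action = "restrict the web UI to trusted interfaces"
    else:
        action = "no action from this report"

    return {"host": inst.host, "version": inst.version, "severity": severity,
            "findings": findings, "action": action}


def triage_inventory(instances: List[ExhibitorInstance]) -> List[dict]:
    """Triage every instance and order the worst cases first."""
    results = [triage(i) for i in instances]
    return sorted(results, key=lambda r: (SEVERITY_ORDER[r["severity"]], r["host"]))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ExhibitorInstance("zk-prod-1", "1.5.6", "0.0.0.0"),
        ExhibitorInstance("zk-prod-2", "1.7.1", "10.0.0.5", reachable_from_untrusted=True),
        ExhibitorInstance("zk-lab-1", "1.7.1", "127.0.0.1"),
        ExhibitorInstance("zk-legacy", "1.0.8", "127.0.0.1"),
    ]
    for r in triage_inventory(sample):
        print(f"{r['severity']:<8} {r['host']:<10} {r['version']:<7} {r['action']}")
        for f in r["findings"]:
            print(f"         - {f}")
```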


Want to make the world a better place? Fund open source developers. – iTWire

Open-source software is used in some way by organisations worldwide - and not only commercial enterprise but healthcare, charities, roads, utilities, science and more. "Incentivising those developers who give their time and work away directly leads to making the whole world better," says Devon Zuegel.

In particular, global open-source lifecycle platform, GitHub, announced today its GitHub Sponsors program - in beta since May - has been extended to support teams. This announcement is good news for project teams, but for this writer, the real story is the one behind the news.

How GitHub got to this point of facilitating Patreon-like sponsorship centres around a young lady, Devon Zuegel, who fiercely embodies the open-source spirit. Zuegel reflects a movement of intelligent and articulate professionals determined to bring about global good and who see the free and open asynchronous exchange of ideas a key component. For these people, GitHub is the platform to enable this, almost incidentally a platform about software and software development.

It is Zuegel, Senior Product Manager at GitHub, and her team who put GitHub Sponsors together. Though, you may ask why fund open-source software when people give it away for free, and other causes exist?

The answer, Zuegel says, is because "the whole world would be better if open-source could be funded."

Fast forward to today where open source software is in use among all organisations of any size, whether directly or indirectly as a component of commercial software or hardware.

Some open-source developers are funded because they are employed in an organisation actively contributing to projects. Obvious examples include Red Hat and Microsoft - itself a vast transformation from demonising open source to being a major player.

Yet, many are not funded. They perform their duties, giving to society, out of their own passion and belief system. Everyone needs to eat so, understandably, these pursuits can take second place to real-world employment.

However, when it is said that open source software is in use among all organisations, this does not mean merely commercially-motivated technology enterprises. Charities, hospitals, power grids, research and scientific pursuits all depend on open source software too.

Zuegel has a background in Computer Science and economics, and a career in software engineering. However, she is also an activist with a deep passion for creating social good. Her work here brewed within her a strong belief that incentive design is the challenge behind the challenge.

To explain what this means, Zuegel provides an example from her work in San Francisco housing policy, striving towards affordable housing to alleviate homelessness as well as attract new people to the city. On one level everyone she spoke with agreed this is necessary. However, often the sentiment was accompanied with "but not in my neighbourhood" - the perennial NIMBY, or "not in my back yard", situation.

Or, she says, regarding climate change, "everyone agrees we don't want our planet to turn into a crisp but everyone is tempted to take a longer shower or use the air conditioner for longer. These actions are only a small drop in the bucket in isolation, but if we all put drops in, it fills and overflows."

The conflict, Zuegel sees, is one of misaligned incentives between individuals, or between global and local concerns. Thus incentive design is the most important problem to work on. Humans are good at overcoming obstacles when they have reason to do so. "The world's problems tend to be ones of cooperation, not technological or scientific understanding," she says.

Through Zuegel's work with San Francisco housing policy, she came to know Nat Friedman who was himself engaged in this area, and when Friedman was appointed GitHub CEO she reached out to express her opinions on what GitHub could do to incentivise developers.

"I sent Nat an email with a lot of opinions: 'you should do this and that.' He said, 'OK, how about you come and do it with us?'" she said, leading to Zuegel herself making the move to GitHub as Senior Product Manager.

Zuegel put forth her incentive design philosophies. "Incentives unlock opportunity. Funding open source is a major incentive problem - the whole world would be better if we fund open source. It's behind the infrastructure we all depend on such as roads and bridges and the power grid," she said.

Thus GitHub Sponsors came to the platform in May, originally in beta across 30 countries, and now extending to more regions while also adding sponsorship support for teams.

In practice this means a person can decide they want to sponsor a project because they recognise the value it brings them - for example, Zuegel herself sponsors curl, the command-line tool to retrieve online data across various protocols, maintained for 22 years by Swedish developer Daniel Stenberg. curl has saved Zuegel plenty of time over the years, as well as countless developers with curl used across many projects.

Conversely, developers can add a 'support' button to their GitHub projects to encourage its users to consider converting their appreciation of the code into tangible financial support.

Like popular crowdfunding sites, GitHub Sponsors allows developers to list sponsorship tiers though unlike crowdfunding the end goal is not for the sponsor to receive a specific item, but purely to express their support and appreciation for the project, and to aid the developer in committing time to continue the project.

GitHub Sponsors pays sponsored developers directly into their local bank account and at this time GitHub is covering all transaction fees that apply. It is also matching sponsorships right now, meaning if you sponsor a developer for (say) $5 per month, the developer gets all of that $5, and in fact receives $10 because of the matching.

GitHub Sponsors is extending to other countries. "Expanding the opportunity, and access to opportunity, is crucial. We want people all around the world to access the tools," Zuegel said.

This sponsorship can be life-changing. "There is a Romanian developer who is being sponsored and is receiving what would be considered a good amount of money in the USA, but which is a really good amount of money for Romania. He can now do his open-source work full-time," Zuegel said.

For companies, this is highly practical. "There are a lot of great developers in Eastern Europe, China and other countries where money goes further. The sponsor gets more bang for their buck," she said.

The writer is attending GitHub Universe 2019 as a guest of the company.


NTT Electronics Contributes Goldstone – Open Source Network OS for Disaggregated Coherent Transponders to the Telecom Infra Project – Business Wire

YOKOHAMA, Japan--(BUSINESS WIRE)--NTT Electronics, a leading provider of advanced components for optical communications systems including coherent optics and digital signal processors (DSPs), contributes the Goldstone Network Operating Software (NOS *1) for disaggregated coherent transponders to the Telecom Infra Project's NOS Software Project hosted by the Open Optical and Packet Transport project group. Launched in February 2016, TIP was started with the goal of accelerating the pace of innovation in the telecom industry.

Goldstone utilizes many existing open source components which have been developed in the Open Compute Project (OCP *2) and Telecom Infra Project (TIP *3), including Open Network Linux (ONL *4), SONiC *5, Switch Abstraction Interface (SAI *6) and Transponder Abstraction Interface (TAI *7), to provide a full-fledged open source solution. ONL is used as the base operating system and provides a wide range of open network device support. On top of ONL, Kubernetes *8 is employed to enable containerized application management, which realizes flexible and modular software composition. SONiC/SAI is deployed as a fleet of containers when the target hardware comprises an Ethernet switch ASIC, whereas TAI is used when the target hardware has coherent transponder components. Because of its modular architecture, Goldstone can be extended in the future to support networking devices which don't have an Ethernet ASIC but may include conventional transponders, ROADMs or amplifiers.

Goldstone was originally started as a prototype NOS for Edgecore's Cassini Platform at the proposal of NTT Electronics. This has led to a production deployment by mixi in Japan. More than five industry partners are using Goldstone for evaluation on the Cassini platform. It is also being incorporated in Wistron's Galileo platform.

The NOS is planned to be contributed to TIP Open Optical Packet Transport (OOPT *9) group as an open source project. Goldstone is planned to be part of a live running demonstration at the TIP Summit 2019.

Quote from mixi, Inc.

"As the first operator who deployed Goldstone in production, mixi welcomes the contribution of Goldstone by NTT Electronics to foster more collaboration among the open networking industry. Goldstone brought us huge flexibility and control over our DCI connectivity, which is critical for our services." Tatsuma Murase, CTO, mixi, Inc.

Quote from Edgecore

"Edgecore is pleased to be working with NTT Electronics and the broader industry community to enable disaggregated solutions with open packet transponders that will provide broader optical technology choices for network operators." George Tchaparian, President and CEO, Edgecore Networks

Quote from Wistron

"Wistron is excited to have Goldstone in the open networking industry. Goldstone will accelerate the adoption of the open disaggregated networking model and we believe it will become a viable solution together with our latest Galileo platform." Arthur Chang, Sr. Technical Director, Wistron

*1 Network Operating System (NOS) : Operating system for a network device such as a router, switch or firewall.

*2 Open Compute Project (OCP) : The Open Compute Project (OCP) is a collaborative community focused on redesigning hardware technology to efficiently support the growing demands on compute infrastructure. In 2011, Facebook shared its designs with the public and launched the Open Compute Project and incorporated the Open Compute Project Foundation along with Intel, Rackspace, Goldman Sachs and Andy Bechtolsheim. (Reference: OCP web site: https://www.opencompute.org/)

*3 Telecom Infra Project (TIP) : The Telecom Infra Project (TIP) is a collaborative telecom community founded by Facebook and partners. Launched in February 2016, TIP was started with the goal of accelerating the pace of innovation in the telecom industry. TIP members include operators, suppliers, developers, integrators, startups, and other entities that have joined TIP to build new technologies and develop innovative approaches for deploying telecom network infrastructure. (Reference: TIP web site: https://telecominfraproject.com/)

*4 Open Network Linux (ONL) : Open Network Linux(ONL) is an open-source, foundational platform software layer for next-generation, modular NOS architecture on open networking hardware. ONL is a part of the Open Compute Project and is a component in a growing number of commercial NOS stacks and open source projects like CoRD & Stratum. (Reference: ONL web site : http://opennetlinux.org/)

*5 Software for Open Networking in the Cloud (SONiC) : Open source software developed by Microsoft and others. It dramatically enhances operations and management of network switches. (Reference: SONiC repository: http://azure.github.io/SONiC/)

*6 Switch Abstraction Interface (SAI) : The Switch Abstraction Interface (SAI) defines the API to provide a vendor-independent way of controlling forwarding elements, such as a switching ASIC, an NPU or a software switch in a uniform manner. (Reference: SAI repository: https://github.com/opencomputeproject/SAI)

*7 Transponder Abstraction Interface (TAI) : The Transponder Abstraction Interface (TAI) is the open API to provide a vendor-independent way of controlling coherent optical components. TAI has been developed under TIP OOPT group and NTT is leading the development. https://www.ntt.co.jp/news2018/1810e/181016c.html

*8 Kubernetes : Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services. Google open-sourced the Kubernetes in 2014. (Reference: Kubernetes web site : https://kubernetes.io/)

*9 Open Optical Packet Transport (OOPT) : The Open Optical & Packet Transport project group will define Dense Wavelength Division Multiplexing (DWDM) open packet transport architecture that triggers new innovation and avoids implementation lock-ins. Open DWDM systems include open line system & control, transponder & network management and packet-switch and router technologies. (Reference: TIP web site: https://telecominfraproject.com/oopt/)

About NTT Electronics

NTT Electronics (NEL) has been developing and commercializing optical communications devices since 1995. It has a complete portfolio of optical and electronics products to cover the industry needs for 100G-and-beyond link systems, ROADM components and FTTH networks. For more information about NEL, visit https://www.ntt-electronics.com/en/.


Look east as the IT center of gravity shifts – Diginomica

Now that a little time has passed since the Huawei Connect conference was held in Shanghai, it seemed like a good time to look back on a couple of the underlying trends from the event. The jumping off point for this is a round table Q&A with Guo Ping, one of the company's rotating chairmen.

Three main themes emerged that are crucial to a number of wider issues related to what CIOs need to be thinking about, particularly just how much of the three main prongs of Huawei's game plan they need to be considering. The chances are growing that they will soon need to address all three.

These are the need for a new computing platform, seen by the company as a prerequisite for addressing the other two, which are the coming of 5G communications and the combined issues and capabilities surrounding open source software. There is a fourth topic, of course, and that is the on-going geo-political economic one. Until this year, it would be an obvious 'given' that the USA would still be the dominant player in the direction and development of technology, both hardware and software. Others, China particularly, might lead in the building of systems, but the technology they used would be, predominantly, of US design.

Suddenly that is no longer the case, and 5G plus the devices that will exploit it is the key driver. As Guo Ping pointed out, the number of countries developing local applications for 5G is growing, and countries like Japan, South Korea, France, Russia and of course China itself not only provide a substantial and already energetic 5G market, but that market is happening in both consumer and business/industrial sectors. Recent evidence now suggests that the UK will also be amongst those players.

The key thing here, of course, is that 5G is about much more than even smarter smart phones for trendy millennials and GenX-ers. Indeed, that market is likely to be pretty secondary. It is the many different business sectors that are going to drive the growth and development, and this is where CIOs need to be paying particular attention. With 5G communications providing the possibility of flexible, movable, and above all very fat pipes, working with data where it is most needed becomes not just possible but essential to business.

Data centers will dissolve and become virtualized across corporate networks, including public cloud operations, and the volume and quality of data will be such that existing systems and processor architectures are likely to be stretched to, and possibly beyond, breaking point. This is particularly the case when the rapid growth in new AI applications is thrown into the pot. Apart from anything else, these are best run on processors with a fundamentally different architecture from the venerable and rightly venerated general purpose x86 processor family. That, as Guo Ping made clear, is one of the key targets that Huawei has in its sights.

With a global marketplace he reckons as worth $2 trillion, he is understandably keen that as many customers as possible can get to build their computing capabilities on top of that primary connectivity business. To help that happen, Huawei is therefore being quite specific and controlled in choosing which elements it needs to provide and which to leave to the customers. For example, it intends to focus on the processor cards and associated components based on its Kunpeng and Ascend processors and help system providers develop services and solutions for its customers.

Guo Ping was particularly keen to point out that Huawei now sees an opportunity for these processors as alternatives to the established device families, not least because of the perceived weakness of the latter at running AI applications, particularly as they become more complex:

We aspire to provide a processor cards computing platform as an alternative for the world. I think this is an important solution that the businesses from the UK and other countries can look to as they seek business continuity and a plan B for heterogeneous computing. And before we officially put the computing platform on the market, we had already been using it on more than 100,000 of our servers within our company. So, it's already a mature technology.

One of the interesting undercurrents here is the company's commitment to open source software, both as a user and a contributor. Even when it does set out to develop significantly new lines of software, as it did earlier this year with the introduction of HarmonyOS, open source contributions from many others play an important part.

For example, though Huawei's primary contribution to 5G development is in the communications infrastructure, it is well aware that much of the reason for anyone using it will come from the applications that are developed as a consequence of its existence. Those applications will come from around the world, and some will certainly have global impact over time. Being as open as possible with the software infrastructure, therefore, gives those developers the best possible chance to flourish.

Guo turned to software history to make this point for him:

Essentially, open source is just one of the business models that leads to business success. A case in point is the competition between Apple II and IBM's PC. IBM chose the open-source model, which resulted in the wide-spread success of today's PCs. In its competition with iOS, Android also opted for an open-source model, which has allowed more vendors to come on-board. As a result, Android has captured nearly 85% of the market share.

The reason why we adopted an open-source approach for our computing platform is that we hope we can attract more vendors and users, and this way, they can benefit more and achieve business success as they deploy AI and computing platforms. Huawei is willing to make more contributions for this reason.

And of course the goal here is not just to create more opportunities to sell 5G switches, antenna and other infrastructure components. With its new ARM-based processor families and server systems that run on them, the company is now moving up the 5G applications food chain, particularly where Artificial Intelligence and Machine Learning applications are concerned. These are most certainly going to be based on open source contributions from around the world, and it is reasonable to guess that many of the developments and breakthroughs in these fields will come from non-western sources, including nations where China in general and Huawei in particular already have a strong foothold:

We have made our systems open source, because we believe open-source systems are the most competitive. I'm very pleased to see that many open-source organisations have moved their headquarters to permanently neutral states like Switzerland. I believe this is a trend that will spread to more open-source organisations, as they want their systems to be widely used by the world's seven billion people.

One of the inevitabilities with 'the natural order of things' is that the order always ends up getting disrupted. One of the key natural orders in the computer industry and wider IT domains has been that the key developments come out of Europe and the USA (with the latter being largely European by proxy). But over the last 10 years or so (much longer if one wants to include the development of semiconductor technologies used to make the essential computer chips) the lead has changed hands. Many of the leading companies, though still based in the dominant IT marketplace of the USA, are the product of Indian, Korean and Chinese minds.

With Huawei being one of the dominant developers and providers of the infrastructure underpinning the next developments (5G, AI, ML and computing out to the edge) and Korean SK Telecom becoming a leader in 5G systems implementations, there are signs that the centre of gravity for computing and IT is moving eastwards.


Big believer in government open source? Help with an open task on code.gov – FedScoop

Written by Tajha Chappellet-Lanier Nov 12, 2019 | FEDSCOOP

Want to collaborate on government open source code projects? Don't forget about code.gov.

Technologists who want to support the various missions of the federal government need not take on a full-time role to contribute. The General Services Administration's lead for code.gov, Karen Trebon, gave a shoutout to the site's open tasks tab during a panel at the Red Hat Government Summit on Tuesday.

"You can even, in your spare time, help an agency with a code problem that they're having and maybe pick up some new skills," she said.

Code.gov currently lists 48 open tasks at agencies as divergent as the Consumer Financial Protection Bureau, Department of Defense, GSA and more. They range from updating code to tweaking a webpage layout to designing a new logo and beyond. Tasks generally list the skill level required (beginner, intermediate or advanced) and the amount of time required (small, medium or large).

The code.gov site first launched in November 2016 as a repository for open source government code. Federal agencies, and their industry partners, use the site to share and exchange open source software, a key goal of the Federal Source Code Policy, which set the goal of agencies sharing at least 20% of custom-developed code. But it's not just about whole companies and agencies; as Trebon pointed out, individual developers can get in on the activity too.

Code.gov is just one way that the federal government is working to involve a broader base of stakeholders in its science and technology developments. Citizen science projects posted to challenge.gov and bug bounty programs, which have been especially popular at DOD, are two others.


Sandboxie goes freeware (on its way to open source) – Liliputing

Windows 10 includes a Windows Sandbox tool that allows you to run untrusted applications in a protected environment so that they cannot harm your operating system. But it requires Windows 10 Pro or Enterprise and relies on virtualization in a way that could cause some apps to run slowly.

Sandboxie, meanwhile, is a tool that doesn't require virtualization, works on just about any computer running Windows 7 or later, and which is now freeware.

While Sandboxie was shareware until recently, in September the company that owns the software announced that the latest version is freeware and that eventually the goal is to make Sandboxie open source software.

Sandboxie has been around since 2004, and it's an application I used pretty regularly when testing software for my job at the now-defunct Download Squad.

The software allows you to run applications in an isolated environment so that they cannot affect system files or other applications running on your computer. That was invaluable at a time when I was regularly testing new software on a daily basis and didn't want to end up unintentionally installing unwanted browser toolbars, spyware, or other malware on my computer.

I haven't used or even thought about Sandboxie much in recent years. But a recent post to Hacker News reminded me that it still exists and that the license has changed.

Originally developed by Ronen Tzur, Sandboxie was acquired by Invincea in 2013, which was then acquired by security company Sophos in 2017. This year, Sophos announced that while Sandboxie never made much money for the company, rather than shut it down entirely the company would transition the software to open source.

Once that transition is complete, Sandboxie will become a community-supported project, which means it could live on indefinitely but also means that Sophos will not be offering official support.

The good news is that the price is right: ahead of the open sourcing of Sandboxie, Sophos has begun offering the current version of the software (Sandboxie 5.31.6) free of charge. You can download it from the Sandboxie website.

The bad news is that if you're still rocking Windows XP, you're out of luck. The latest version of Sandboxie to support that operating system is version 5.22, and Sophos has no plans to offer a free version for Windows XP.


DevSecOps and the shift left in security: how Semmle is supporting software developers [Podcast] – Packt Hub

Software security has been shifting left in recent years. Thanks to movements like Agile and Dev(Sec)Ops, software developers are finding that they have to take more responsibility for the security of their code. By moving performance and security testing earlier in the development lifecycle, it's much easier to identify and capture defects and issues.

The reasons for this are largely rooted in the utter dominance of open source software and the increasingly distributed nature of the systems we're building. To put it bluntly, if our software is open and loosely connected, the opportunity for systems to be exploited by malicious actors grows vastly.

To tackle this, we're starting to see a wealth of platforms and tools emerge that are trying to help developers embrace security as a fundamental part of the development process. One such platform is Semmle, a code analysis platform designed to help developers and engineers identify issues quickly.

To find out more about Semmle and the wider DevSecOps movement, we spoke to Chief Security Officer Fermin Serna in an edition of the Packt Podcast. He explained how Semmle works, what it's trying to achieve, and placed it in the broader context of this shift left that's quickly becoming a new reality for many engineers.

To learn more about Semmle, visit its website here. You can also follow Fermin Serna on Twitter: @fjserna.


Department of Defense Enlists Red Hat to Help Improve Squadron Operations and Flight Training – Business Wire

RALEIGH, N.C.--(BUSINESS WIRE)--Red Hat, Inc., the world's leading provider of open source solutions, today announced that the Department of Defense (DoD) worked with Red Hat to help improve aircraft and pilot scheduling for United States Marine Corps (USMC), United States Navy (USN) and United States Air Force (USAF) aircrews. Using modern development practices and processes from Red Hat Open Innovation Labs that prioritized end user needs, the project team identified unaddressed roadblocks and gained new skills to build the right solution, a digital Puckboard application, for their unique scheduling challenge.

Taking on the puckboard

The problem facing squadrons was seemingly straightforward: how to improve and digitize the management of flight training operations. The existing process was entirely manual, with each puck representing pertinent information like a pilot's name, associated with their training syllabus, and the location and time of flights. Simple at a glance, the number of cognitive variables contained within this undertaking made it stressful for the operator and difficult to scale across squadrons and bases.

For more than a decade, various project teams within the DoD had tried to improve the system via custom built applications, aircraft scheduling software and hybrid solutions. None of these deployments withstood the test of time or could be replicated if the operator took a new role elsewhere. The Defense Innovation Unit (DIU), an organization tasked with accelerating commercial technologies into the military, took on this challenge.

Process and power from open innovation

To help understand the holistic problem and not just discrete elements, a cross-functional team from DIU, USMC, USN and USAF engaged with Red Hat Open Innovation Labs, a DevOps and open source residency program guided by Red Hat's Global Services experts. During the immersive, human-centered design engagement, Red Hat experts worked alongside the project team to evaluate and validate the problem space and develop a strategic approach for creating a new flight scheduling system. What became clear was that with the variety of planes and pilots facing each operator, each with their own requirements, any ultimate solution would need to address all of these variables, not just a handful.

Beyond helping the team identify the core underlying problem for end users, Red Hat Open Innovation Labs helped provide guidance and strategies for more effective application development within the associated USAF, USN and USMC groups. This led to the replacement of the traditional waterfall approach with an agile methodology, lean product development and DevOps practices that are more adaptive.

Building an internal, open pipeline

The skills and tools gained from the Red Hat Open Innovation Labs engagement have enabled the project team to lay the groundwork for a flight scheduling solution that isn't tied to a single person or unscalable technology. But perhaps most importantly, the team is now able to share their knowledge and processes across their organizations with the intent to build an internal open source pipeline of not just technology, but also open practices that can help shorten development cycles and bring usable applications to end users faster.

With the digital Puckboard application in development, the project team now hopes to be able to more effectively capture data that was previously disparate or not captured at all (like on a puck or whiteboard). By enabling a digital transformation of the manual flight scheduling process, the USMC, USN and USAF hope to add artificial intelligence (AI) and machine learning (ML) predictive capabilities to the solution, providing even more efficiency to the process.

Supporting Quotes

Michael Walker, global senior director, Red Hat Open Innovation Labs, Red Hat: "Application development for mission-critical processes, like United States Armed Forces flight scheduling, needs to start at a fundamental level by understanding and addressing the real problem. The USMC, USN and USAF, along with the DIU, knew the reality of the challenge facing them and, with the help of Red Hat Open Innovation Labs, now have not only the technological skills but also the development and organizational processes in place to build a solution that can scale across organizations and teams."

About Red Hat, Inc.

Red Hat is the world's leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies. Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.

Forward-Looking Statements

Certain statements contained in this press release may constitute "forward-looking statements" within the meaning of the Private Securities Litigation Reform Act of 1995. Forward-looking statements provide current expectations of future events based on certain assumptions and include any statement that does not directly relate to any historical or current fact. Actual results may differ materially from those indicated by such forward-looking statements as a result of various important factors, including: risks related to the ability of the Company to compete effectively; the ability to deliver and stimulate demand for new products and technological innovations on a timely basis; delays or reductions in information technology spending; the integration of acquisitions and the ability to market successfully acquired technologies and products; risks related to errors or defects in our offerings and third-party products upon which our offerings depend; risks related to the security of our offerings and other data security vulnerabilities; fluctuations in exchange rates; changes in and a dependence on key personnel; the effects of industry consolidation; uncertainty and adverse results in litigation and related settlements; the inability to adequately protect Company intellectual property and the potential for infringement or breach of license claims of or relating to third party intellectual property; the ability to meet financial and operational challenges encountered in our international operations; and ineffective management of, and control over, the Company's growth and international operations, as well as other factors. 
In addition to these factors, actual future performance, outcomes, and results may differ materially because of more general factors including (without limitation) general industry and market conditions and growth rates, economic and political conditions, governmental and public policy changes and the impact of natural disasters such as earthquakes and floods. The forward-looking statements included in this press release represent the Company's views as of the date of this press release and these views could change. However, while the Company may elect to update these forward-looking statements at some point in the future, the Company specifically disclaims any obligation to do so. These forward-looking statements should not be relied upon as representing the Company's views as of any date subsequent to the date of this press release.

Red Hat and the Red Hat logo are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the U.S. and other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.


The Barnes created an ‘interpretive guide’ you can use on any smartphone – Technical.ly

Following the Barnes Foundation's work using technology to help Philadelphians connect to art in new ways, visitors who bring along their smartphone to the museum can now access extra information or stories about the artwork via its new online guide, Barnes Focus.

No app download required: The tool is accessible to anyone with camera access and a web browser via barnesfoc.us. Users hold their camera up to a piece of work, and the guide uses image-recognition technology to send information about it.

"For example, focusing on a Renoir painting may prompt a story about [founder] Dr. Barnes' love of the artist's work and how he amassed the largest Renoir collection in the world," the foundation said in its announcement.

Other stories highlight themes like music or dance, or historical connections between paintings and objects. The guide will also use a visitor's interest in a particular piece as a starting point and introduce other works in the room, and browsing history is automatically saved when users enter their email addresses. Information about the works can be consumed in Spanish, French, German, Italian, Russian, Chinese, Japanese and Korean.

"This is a particularly crucial step for the Barnes, as founder Dr. Albert C. Barnes' unconventional arrangements do not include interpretive content on the gallery walls," the foundation said.

The tool is the result of a collaboration between the Barnes curatorial, education and technology teams and was supported by the John S. and James L. Knight Foundation as part of the Knight Center for Digital Innovation in Audience Engagement at the Barnes.

Barnes Focus was developed as open source software by HappyFunCorp, a software engineering firm in Brooklyn. Its code repository is available on the Barnes GitHub.

"Barnes Focus is an example of the exciting ways museums can use technology to inspire, delight and educate visitors," said Thom Collins, the foundation's executive director and president. "We are committed to thoughtfully and strategically leveraging technology combined with the expertise of our educators, curators, visitor engagement team and technologists to stimulate curiosity, social engagement and personal connections with art."
