Itoco and World Health Access launch biometric IDs for vaccination verification – Biometric Update

Itoco Inc., a biotech development, production and distribution company, announced that its patent-pending, biometric Immutable Virus Test Result Verification System is now available as an open-source repository on GitHub. The system was recently deployed as a smart contract on a blockchain.

Through the open-source code, users can inspect the code and verify its exact functionality. Potential partners or customers gain transparency into how their data is used, for example what is retrieved from the blockchain. Mobile application users can verify that the only user-derived data stored is a hash combining the blockchain wallet and the user's biometric public key, not the patient's raw biometric or any personally identifiable information (PII).

The publicly available smart contract, written in Solidity for Ethereum, allows Itoco's partners and customers to verify exactly how the blockchain is used within the overall system.

The smart contract exposes several functions. A user is added to the blockchain as a single hash combining their biometric-derived public key and their blockchain wallet address; this is the identifier to which immutable test results are later attached, so a user must be registered before any result can be recorded for them. The combined hash is submitted by the user from the mobile application and then written by the administrative application.

Another function is adding verified test machines to the blockchain using their blockchain wallet address. A test machine must first be added by the administrative application to the blockchain before it can write test results to the blockchain.

Immutable test results can then be added to the blockchain. Each record consists of the test result and its associated details, together with an update to the user's record giving their testing status and latest result, the company says.

Other components of the Immutable Virus Test Result Verification System are the administrative application and the integrated virus test machines, which can communicate with this Smart Contract.
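The registration and write preconditions described above, as an added example that is not Itoco's contract code: a Python model of the access rules (who may register users and machines, who may write results, and what the ledger stores), with made-up addresses and a made-up biometric public key. The hash construction (SHA-256 over wallet address and biometric public key) and the names user_key, ResultRegistry, add_user, add_machine and add_result are assumptions for the illustration; the page only says that a combined hash is stored.

```python
import hashlib
from dataclasses import dataclass


def user_key(wallet: str, biometric_pubkey: bytes) -> bytes:
    """Combined user identifier: the only user-derived value the ledger stores.

    Assumed construction: SHA-256 over the lower-cased wallet address and the
    biometric-derived public key. Neither input is stored on its own.
    """
    return hashlib.sha256(wallet.lower().encode() + biometric_pubkey).digest()


@dataclass(frozen=True)
class TestResult:
    block: int        # stands in for the block height at which the result was written
    machine: str      # wallet address of the test machine that wrote it
    result: str
    details: str


class ResultRegistry:
    """Model of the contract's access rules (not Itoco's Solidity code)."""

    def __init__(self, admin: str):
        self.admin = admin.lower()
        self.users = {}        # user_key -> append-only list of TestResult
        self.machines = set()  # wallet addresses of registered test machines
        self.next_block = 1

    def _require_admin(self, sender: str) -> None:
        if sender.lower() != self.admin:
            raise PermissionError("only the administrative application may call this")

    def add_user(self, sender: str, key: bytes) -> None:
        """Register a user; the sender must be the administrative application."""
        self._require_admin(sender)
        if key in self.users:
            raise ValueError("user already registered")
        self.users[key] = []

    def add_machine(self, sender: str, machine_address: str) -> None:
        """Register a verified test machine by its wallet address (admin only)."""
        self._require_admin(sender)
        self.machines.add(machine_address.lower())

    def add_result(self, sender: str, key: bytes, result: str, details: str) -> TestResult:
        """Record a result: sender must be a registered machine, key a registered user."""
        machine = sender.lower()
        if machine not in self.machines:
            raise PermissionError("sender is not a registered test machine")
        if key not in self.users:
            raise KeyError("user must be registered before results can be recorded")
        record = TestResult(self.next_block, machine, result, details)
        self.next_block += 1
        self.users[key].append(record)   # append-only: earlier results are never overwritten
        return record

    def latest_status(self, key: bytes) -> str:
        history = self.users[key]
        return history[-1].result if history else "untested"


if __name__ == "__main__":
    # Constructed walk-through with made-up addresses and a made-up biometric key.
    registry = ResultRegistry("0xAdmin")
    biometric_pubkey = b"constructed-biometric-public-key"
    key = user_key("0xUser1", biometric_pubkey)
    registry.add_user("0xAdmin", key)
    registry.add_machine("0xAdmin", "0xMachine1")
    registry.add_result("0xMachine1", key, "negative", "PCR, lab A")
    print(registry.latest_status(key))       # negative
    print(biometric_pubkey in key)            # False: the raw key is not on the ledger
    try:
        registry.add_result("0xRogue", key, "negative", "forged")
    except PermissionError as err:
        print("rejected:", err)
```

Two things a practitioner should check against the real repository rather than take from this model: the combined hash is a stable pseudonym, so anyone who holds both inputs can recompute it and link every result on a public chain to one person, which means the privacy claim rests on the biometric public key never leaving the device; and whether the contract can remove a compromised test machine, since in the model above registration is permanent.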

World Health Access launches digital vaccination record

The release of a patented technology service to provide COVID-19 vaccine verification booklets and cards was announced this week by World Health Access, a subsidiary of International Health and Wellness LLC.

The VAX Passbook and VAX Passcard will utilize Reel Code Media (RCM) patented technologies, including biometrics, and have been designed to ultimately include all vaccination records of the user. This record will show the chronological history of testing whilst confirming the tests and vaccinations the owner has obtained.

VAX Passbook is a vaccination record booklet that consists of a document confirming all received vaccinations. VAX Passcard provides a similar document but in the form of a credit card-like tool. The Passbook utilizes patented technology to maintain security and privacy of the user and the RCM Frame is programmed to only be accessed by assigned administrators including educators, employers, government agencies, travel authorities and medical/healthcare/insurance providers. The Passcard enables user authentication with embedded fingerprint biometric technology.

The development of these technologies follows reports that proof of COVID-19 vaccination may be required for future international travel; Daon is among the companies that have already developed an app with this in mind.



World Quality Report: 3 ways to build more resilient code – TechBeacon

As they move into DevOps, teams often get advice on how to integrate security and quality-assurance (QA) testing into the development process. The advice is sound; surveys have measured which development processes and security habits are shared by elite, mature DevOps teams.

However, what is often missed in application security is how companies can push their programs after the initial forays into more mature territory to build a resilient software and development pipeline.

Successfully growing security and QA programs continues to be difficult. While a well-executed DevOps program can reduce the complexity of software-security and QA processes, orchestrating agile approaches has grown more complex overall. That's one of the top-level takeaways from the World Quality Report 2020-21.

Here are recommendations for transitioning from the simple security and QA tests produced by siloed experts to a more resilient integrated approach that will give your development teams a smoother path to maturity.

Companies should focus on people first, and then process and tools. Getting developers and security teams on board with integrating testing into the development and deployment pipeline is critical.

A significant factor in growing security maturity in any software development environment is sharing responsibility between the developers and the security team. Moving more security and quality tests into the development process (that is, "shifting left") and automating those tests are the two most significant ways that companies are speeding up their agile software pipelines, with 52% and 51% of companies respectively almost always taking these approaches, according to the 2020-21 World Quality Report.

Working together is important, because most organizations tend to have only one or two application security professionals, workers who often have other responsibilities. Yet two-thirds of respondents rated the technology stack as essential or very important, the top aspect according to the World Quality Report, while culture and talent were rated the least important factors.

A security champion program can help these companies focus on the people and build bridges between security and development. When the people work together and are knowledgeable, other considerations such as the technology stack and executive support will often take care of themselves.

Organizations that are starting out often have only simple test suites (read: linters) that run static checks during development or at code check-in. In most mature application security programs, the teams work with developers to push more testing into the process, while recognizing that too much testing can slow down development.

The more complex tools used by mature organizations, however, can overwhelm less mature developers and security teams. Rather than lure developers to code more securely, more complex tools often deter security.

For that reason, once a company has integrated simple quality and security tests, the development teams should tackle specific classes of vulnerabilities, such as SQL injection and cross-site scripting. The most common vulnerability classes, such as those in the OWASP Top 10, can be detected by many available tools, many of which are open source.

In the end, the way to move forward is to not bite off more than you can chew. Your team should not try to solve every vulnerability, but pick one or two classes and start there.

Companies believe that they have enough automation, with about two-thirds of respondents to the World Quality Report answering that they had the required automation tools and enough time to build automation tests. However, an average of only 15% of tests were automated, and only 3% of companies automated more than 20% of tests, according to respondents.

Well-implemented automation leads to more secure and resilient code, since testing takes less time, can cover more software, and can lead to better detection of defects. Despite recognizing this, companies continue to underfund testing, according to the survey.

Given the importance of automated testing in preventing avoidable defects from creeping into code, automation, more than any other factor, will help your development and security teams become more mature and produce more resilient code.

Just like your first car should not be a Lamborghini, trying to move too quickly to high-performance and complex testing environments will result in problems. With these best practices you can scale up your development with a more resilient, longer-term approach.


Defense in Depth: Why You Need DAST, SAST, SCA, and Pen Testing – Security Boulevard

When it comes to application security (AppSec), most experts recommend using Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) as "complementary" approaches for robust AppSec. However, these experts rarely specify how to run them in a complementary fashion.

At Veracode, we use SAST, DAST, SCA, and pen testing as the four pillars of our defense-in-depth strategy to deliver a "secure-by-design" AppSec methodology across the entire software development life cycle.

Most organizations start their AppSec journey by running manual penetration tests (MPT). Penetration testing is necessary to catch vulnerability classes, such as authorization issues and business logic flaws, that cannot be found through automated assessments alone. Expertly trained pen testers can review an entire environment, rather than just the application, and can follow or break the workflows in a way that is difficult for automation to replicate. Additionally, pen testing is required or expected under regulations and standards such as PCI DSS, HIPAA, GLBA, FISMA, and NERC CIP.

However, pen testing is only one assessment type and can bottleneck development velocity because it is a manual process.

Dynamic application security testing (DAST) is an AppSec assessment that scans applications and their interconnected components in a running environment without looking at source code. The results of "outside-in" dynamic scanning help prioritize the remediation of exploitable vulnerabilities and immediately reduce AppSec risk as they are fixed. However, it can be challenging to pinpoint the exact line of code to fix using only DAST. On its own, this assessment is limited by the configuration of your scanner and what you choose to test: if you don't properly configure your scans, you may miss vulnerabilities and gain a false sense of security.

Additionally, since the application is scanned towards the end of the SDLC, there is more pressure on development teams to remediate the difficult-to-find vulnerabilities quickly. This is usually where friction between development and security increases, often resulting in unmitigated risk.

Static application security testing (SAST) is an AppSec assessment that tests applications from the inside out, by scanning the application without running it. It usually targets source code, byte code, and binary code, and "sits" at an earlier stage of the SDLC so developers can look for security issues before the application is complete. SAST can also provide near-real-time security feedback during coding, making it a more proactive method for fixing flaws quickly. This "inside-out" approach can help reduce security technical debt at the lowest cost.

On the flip side, fixing every flaw found by a SAST scan may be an inefficient use of resources that does not reduce your risk in a meaningful way. And since the scan does not execute the application, it can be hard to determine which flaws are immediately exploitable, or to understand how an exploit would happen, without appropriate training.

Getting features to market faster than the competition almost always requires development teams to use at least one open-source library in their codebase. Third-party code is a necessity in modern software development, and so is securing it. According to Veracode's State of Software Security: Open Source Edition, 97.4 percent of the 85,000 apps scanned had an unfixed security flaw in an external library. The good news is that nearly 75 percent of the known flaws can be fixed with a version update. Veracode Software Composition Analysis (SCA) and similar solutions automatically scan your libraries and their transitive dependencies to find known vulnerabilities and help you fix them.
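What an SCA check does at its core, as an added Python example that is not Veracode's product code: match each pinned dependency version against an advisory table and propose the smallest version update that clears every open advisory for that package. The advisory table, package names, advisory IDs and the requirements file are all constructed for the example.

```python
import re

# Constructed advisory table (package names and IDs are made up):
# package -> list of (first_fixed_version, advisory_id); versions below
# first_fixed_version are affected.
ADVISORIES = {
    "examplelib": [("2.4.1", "EX-2020-001"), ("3.0.2", "EX-2020-007")],
    "otherpkg": [("1.9.0", "OT-2019-004")],
}

# Constructed requirements file in pip's exact-pin syntax.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
examplelib==2.3.0
otherpkg==1.9.0
unlisted==0.1   # no advisories known for this one
"""

_PIN = re.compile(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)")


def parse_version(text: str) -> tuple:
    """Dotted numeric versions only; tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> dict:
    """Return {package: pinned_version}; comments and blank lines are ignored."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _PIN.fullmatch(line)
        if not match:
            raise ValueError(f"only exact pins are supported: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def audit(requirements_text: str) -> list:
    """Match every pin against the advisory table and propose the smallest
    upgrade that clears all open advisories for that package."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        hits = [
            (fixed, advisory)
            for fixed, advisory in ADVISORIES.get(name, [])
            if parse_version(version) < parse_version(fixed)
        ]
        if not hits:
            continue
        # The highest first-fixed version among the open advisories is the
        # lowest version that clears all of them at once.
        upgrade_to = max((fixed for fixed, _ in hits), key=parse_version)
        findings.append({
            "package": name,
            "current": version,
            "advisories": [advisory for _, advisory in hits],
            "upgrade_to": upgrade_to,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(f"{finding['package']}=={finding['current']}: "
              f"{', '.join(finding['advisories'])} -> upgrade to {finding['upgrade_to']}")
```

A production SCA tool differs in the details that this example deliberately skips: PEP 440 or semver ordering rather than integer tuples, advisories expressed as affected ranges with fixes on several release branches, lockfiles that enumerate transitive dependencies, and more ecosystems than pip. The matching rule and the "nearest fixed version" remediation are the same.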

If you conduct only SCA, you are not protecting your first-party code. If you conduct only SAST, you may introduce resource-related inefficiencies into the SDLC during remediation. If you conduct only MPT or DAST, you are finding flaws at a later, more expensive stage and putting increased pressure on development teams to locate the flaw in the source code and remediate it quickly.

To get the most value out of your AppSec program, use DAST findings to configure SAST policies and to direct SAST activities. A quick defense against something like an input/output validation problem found during a Veracode Dynamic Analysis scan is to implement a WAF rule that prevents unauthorized data from leaving the application; treat that rule as a compensating control that buys time, not as the fix. Once the vulnerability has been mitigated at that level, use Veracode Static Analysis to go deep into the source code to find and patch the flaw. Once the first-party code has been secured, integrate Veracode SCA into your development workflows to secure your third-party code. This ensures that you are not relying on a single control to prevent an attack.

On top of this, it is critical to continue running MPT assessments to find the flaws that automation cannot. You want to look at every layer of the architecture to be sure that you are doing everything you can to secure each level. This complementary approach makes it easier to find exploitable flaws, remediate them quickly, and even learn secure coding practices that prevent them in future. According to the 11th edition of the State of Software Security report, organizations that scan with both SAST and DAST are likely to remediate 50 percent of their flaws 24.5 days faster than those that scan with only one technology. It is not hard to understand why: by seeing how a flaw may be exploited at runtime, developers get an education in how to think like an attacker and may even be more motivated to fix other findings.

In today's expanding threat landscape, DAST, SAST, SCA, and MPT give DevSecOps teams the means to secure their code and strengthen their AppSec programs before it is too late. To learn more about the strengths and weaknesses of the different types of application security technologies, check out our Guide to AppSec Solutions.


*** This is a Security Bloggers Network syndicated blog from Application Security Research, News, and Education Blog authored by lpaine@veracode.com (lpaine). Read the original post at: https://www.veracode.com/blog/managing-appsec/defense-depth-why-you-need-dast-sast-sca-and-pen-testing


Linux Foundation Public Health Expands Technology and Public Health Community, Accelerates the Fight Against COVID-19 – PRNewswire

SAN FRANCISCO, Dec. 16, 2020 /PRNewswire/ -- Linux Foundation Public Health (LFPH), the organization that builds, secures and sustains open source software to help Public Health Authorities (PHAs) around the world combat COVID-19 and future epidemics, today announced it will host the COVID-19 Credentials Initiative, a privacy-preserving Verifiable Credentials (VCs) effort focused on interoperability. It is also announcing new Executive Director Brian Behlendorf, new public health commitments and membership investments and a new set of open source guidelines for exposure risk notifications.

Since launching in July of this year, LFPH has gained new commitments across industries and disciplines and is adding new initiatives to collaboratively address privacy, efficacy and integrity in the software that is helping to prevent and slow the spread of infectious disease.

COVID-19 Credentials Initiative becomes part of LFPH

The COVID-19 Credentials Initiativeis a global community of more than 300 technologists, academics and healthcare professionals from more than 100 organizations working on projects that use privacy-driven verifiable credentials to mitigate the spread of COVID-19. Its guiding principles include interoperability, privacy, data protection and inclusion. The community will bring together new open standards work with existing health data standards to ensure vaccine credentials are interoperable and digitally verifiable.

"LFPH is a natural home for CCI. There is strong alignment on the most urgent matters to address, such as interoperability, privacy and ethics as they related to vaccine credentials. Most importantly, LFPH strives to respect the community-driven and open nature of CCI, which is essential to true collaboration and wide adoption. We look forward to working with LFPH and stakeholders across communities, sectors and industries, especially PHAs, on vaccine credentials for COVID-19 and other public health credentials," said Lucy Yang, co-lead, COVID-19 Credentials Initiative.

Open source and digital identity visionary Brian Behlendorf becomes LFPH executive director

Brian Behlendorf will assume the role of Executive Director of LFPH, while carrying on his duties as Executive Director of the Linux Foundation's Hyperledger Project and overseeing a variety of initiatives in blockchain, healthcare and digital identity. Behlendorf was a founding member of the Apache Software Foundation, was the CTO of the World Economic Forum 2011-2012 and worked at the White House's Office of Science and Technology Policy in 2009 and the Department of Health and Human Services in 2010 on advancing the use of open standards through the use of open source software.

"Thanks to the passionate leadership of the late Dan Kohn, LFPH is mobilized to use open source software to accelerate work on combating COVID-19, with an early emphasis on exposure notifications. That work is well underway and already having a very real impact," said Jim Zemlin, executive director of the Linux Foundation. "LFPH is now looking toward the future, one where we can help bring diverse constituents together to build, secure and sustain technologies that fight COVID-19 today and other epidemics tomorrow. There is no one more suited to enable this kind of collaboration and to carry on Dan's legacy with LFPH than Brian Behlendorf."

"It is an honor to be able to advance the LFPH work that was initiated by the open source hero Dan Kohn," said Brian Behlendorf, general manager, LFPH and the Linux Foundation's Hyperledger. "There is both a requirement and tremendous opportunity to bring together the world's leading technologists, scientists, doctors and academics on public health to seek the right balance in privacy and efficacy in preventing and slowing the spread of infectious disease. This is work we know how to do and work we must do."

New collaboration and investments

The Health Service Executive Ireland, New Jersey Office of Innovation, North Carolina Department of Health and Human Services and Boston Public Health Commission are the latest PHAs to join LFPH. They are the ultimate consumers of the technologies being built by LFPH, so their contributions will dramatically accelerate adoption and innovation. LFPH is also announcing new member MotionMob, and that WeHealth, the company that implements Covid Watch, is upgrading its membership and is now a Founding General Member. Other founding members include Cisco, doc.ai, Geometer, IBM, NearForm, Tencent and VMware.

"HSE contributed the source code for COVID Green in the summer of 2020. Our goal was to try and help other public health authorities in the fight against COVID." said Gar Mac Criosta from the Health Service Executive of Ireland. "Membership has brought with it a number of benefits, first and foremost an active and open community all aligned in a fight against COVID-19. I think the engagement so far has opened people's eyes across government to the benefits of open source, in particular for situations where public trust and confidence is paramount,"

"My choices before LFPH were McKinsey or vendor pitches. LFPH has provided something without financial skin in the game that I can use as a Public Health Authority," said Mike Flowers, NJ Office of Innovation.

Open source guidelines for risk notifications

LFPH launched with two hosted exposure notifications projects, COVID Shield and COVID Green, to advance phone-based alerts that people can receive to inform them that they've been exposed to someone diagnosed with COVID-19. The Exposure Notification System (ENS) provided by Apple and Google has a configurable component, a risk score, which allows health authorities to specify which types or levels of exposures should trigger a notification.

In a series of meetings in November 2020, LFPH and Apple, the CDC, Google and MIT hosted the Risk Score Symposium Invitational to inform the decision-making process for health authorities who are using, or plan to use, ENS in their region. The resulting guidelines are available now.

To join LFPH or contribute, please visit: https://www.lfph.io/

About Linux Foundation Public Health

Linux Foundation Public Health (LFPH) uses open source software to help public health authorities (PHAs) around the world combat COVID-19 and future epidemics. LFPH projects include COVID Shield being deployed in Canada and Mongolia and COVID Green, which has been deployed in five countries and four US states. As more projects are contributed, LFPH will expand its scope into software support for all phases of PHA's testing, tracing, and isolation activities. LFPH is part of the nonprofit Linux Foundation. For more information, please visit lfph.io.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact: Jennifer Cloer, Story Changes Culture, 503-867-2304, [emailprotected]

SOURCE LF Public Health


Flyway’s Growth Demonstrates the Value of Open Source for Software Companies – RealWire

Following its $10 million acquisition of Flyway, Redgate Software has secured the future of the popular Open Source database migration tool by taking a new approach to software development.

CAMBRIDGE, England, December 15, 2020. Redgate Software's multimillion-dollar acquisition of Flyway in 2019 was an ambitious move to help organizations include any database in DevOps by using the tool to standardize migrations across more than 20 different databases and platforms. The investment encouraged Redgate to fully embrace the Open Source software approach, and the company today confirmed it is doubling the size of the development team behind Flyway and has recommitted to maintaining a free Community version under the Apache v2 license.

Like many software companies, Redgate has a portfolio of proprietary database development tools and solutions, and Flyway was the company's first foray into the Open Source arena. This presented a challenge in the way the tool was managed and developed.

From day one, Redgate committed to keeping the Community Edition of the tool, which is free to individual users, and continuing to maintain, support and improve it. The company also wanted to increase the number of businesses using the paid-for versions of the tool by streamlining them to a Teams Edition and adding additional features and support.

This required a different approach to the ongoing development of Flyway because its success needed to be measured by the number of monthly active users of the Community edition as well as the monthly recurring revenue from the Teams edition.

As Kendra Little, Redgate DevOps Advocate and a big fan of Flyway, comments: "Companies can't go wrong with Flyway, but it does present a dilemma. On one hand, you want individuals to keep using the free tool they already enjoy. On the other, you want larger teams to embrace the paid version with extra available features. It turns traditional software on its head because you need two go-to-market strategies, not one."

Redgate found the solution in the 1-2-3 Model developed by Adam Gross, technology investor and adviser, based on his work at Heroku. He helped to grow the revenue of the cloud application platform from $35m to $300m by shifting the company's focus away from the traditional approach of selling software at the department or enterprise level.

Instead, the model focuses on encouraging individual adoption with a free version, migrating users up to teams with a paid-for self-serve option, and having an enterprise version at the end of the customer journey rather than the beginning.

Flyway now fulfils the first two steps in the model, and is integrated into Redgate Deploy, Redgate's new cross-database development solution, to meet the needs of enterprises. From version control to continuous delivery, Redgate Deploy lets enterprises automate database development processes across different databases, accelerate software delivery and ensure quality code.

Over the last 18 months, Flyway has broadened Redgate's understanding of Open Source software and shown how the demands of individuals, teams and enterprises can all be satisfied by offering a stepladder of benefits and capabilities depending on need. Redgate now has better visibility of database deployments across different technologies and among full stack developers, which in turn is helping inform what additional features should be created.

As a direct result, Redgate has doubled the revenue from the paid-for edition of Flyway, and the 1-2-3 Model has cemented the future of the free Community Edition, downloads of which also doubled to 40 million in 2020.

For more information about Flyway, or to get in touch with the team, please visit http://www.flywaydb.org.

About Redgate Software

Redgate makes ingeniously simple software used by over 800,000 IT professionals around the world and is the leading Database DevOps solutions provider. Redgate's philosophy is to design highly usable, reliable tools which elegantly solve the problems developers and DBAs face every day and help them to adopt compliant database DevOps. As well as streamlining database development and preventing the database being a bottleneck, this helps organizations introduce data protection by design and by default. As a result, more than 100,000 companies use Redgate tools, including 91% of those in the Fortune 100.

Contacts: Meghana Shendrikar, Allison+Partners for Redgate Software, Redgate@allisonpr.com


code Talks: a podcast series on driving innovation with an open health care ecosystem – cerner.com

2020 has taught us that health IT must evolve at a rapid pace to meet the needs of patients and providers. Creating a seamlessly connected world is key to breakthrough innovation.

The Cerner Open Developer Experience (code) program encourages third-party vendors and care organizations to build apps on top of Cerner technology that can quickly advance the health industry through improved interoperability capabilities.

In our three-part podcast series, code Talks, tech leaders share their insights around advancing care through collaboration and open and interoperable health ecosystems.

In this episode, we hear from Aaron Sheedy, chief operating officer and co-founder of Xealth, a platform that enables clinicians to integrate, prescribe and monitor digital health tools for patients from one location in the electronic health record (EHR). Aaron talks about how the Cerner code validation and certification process helped drive quality, safety, security and usability for the Xealth app. He also gives his outlook for digital health and application programming interfaces (APIs).

Amwell offers telehealth integration within the Cerner EHR to give providers a single, unified workflow and improve access to care for patients. In this episode, Amwell Senior Vice President of Devices, Cory Costley, dives into the rapid growth of telehealth during COVID-19, examines how the Cerner code program helps break down barriers to health IT adoption and explores the industry's shift toward more proactive care.

Shez Partovi, M.D., worldwide lead of business development for healthcare, life sciences, genomics and medical devices at Amazon Web Services (AWS), discusses the importance of connecting patient data across the care continuum. Dr. Partovi also explains the role of interoperability and open standards in reducing care costs and providing more personalized health care.

The code program is leading health care innovation by opening our ecosystem to create new technologies and applications. Developers interested in building applications that integrate into client workflows can learn more here.


Visual Studio Code adds extension bisect to find out what’s troubling you – DevClass

The housekeeping session at Microsoft continued in November as it ironed out 5242 Visual Studio Code issues, paving the way to release v1.52 of the open source editor.

Aside from the end-of-year clean-up, the VS Code team worked on the IDE's usability, for example fitting the integrated file explorer with undo and redo functionality for all file operations, a handy thing should you accidentally use the wrong shortcut. Operations taking unusually long now signal that they're still in progress via the status bar, and there is also an initial implementation of a cancel option. And if you really need all the views to be open, scrollbars will appear to let you get to the information you're looking for.

Developers who like their windows restored when opening the development environment, no matter whether they're opening a project file or just starting the programme, can use a new setting, window.restoreWindows, to enforce such behaviour. VS Code will also preserve the Source Control view state across sessions, meaning that collapsed trees will stay that way after relaunching.

Git users should inspect the new additions to the Git command palette, which now includes cherry pick, rename, push tags, and checkout to (detached). They'll also receive a nudge to save unsaved files before attempting to stash changes, and get to play with a variety of new settings which help with things like ignoring changes in submodules, controlling what refs are shown on checkout, and following tags when synchronising.

When tabs are disabled, VSC 1.52 adds file path information for better orientation should you have opened a diff via the source control view. The diff editor can now support word wrapping in both the inline and side-by-side displaying for a better overview.

IntelliSense has become a little smarter as well, now offering word suggestions based on other open files in cases where no language service is available or can't help because you're, for example, writing a comment. On the topic of spaces vs tabs, VS Code now comes with an editor.stickyTabStops setting which makes it treat cursor movements in leading spaces like tabs.

The VS Code team also worked on the Keyboard Shortcuts editor, which now allows configuring a keybinding for Command Palette commands via the Configure Keybinding gear, and introduced a new feature to help users find out if an extension is causing buggy behaviour.

This so-called Extension Bisect can be found in the Help section of the tool and guides developers through the process of disabling extensions and turning them back on again. After each reload the tool checks if the issue is still there, and ends in a prompt to report the problem once it has been resolved.

Read the original post:

Visual Studio Code adds extension bisect to find out what's troubling you - DevClass

5 key app sec trends for 2021: The shift is on for software teams – TechBeacon

For many companies, 2020 was about accelerating their move to the cloud. The pandemic drove a dramatic expansion of remote work, developers focused more on cloud-native deployments, and application security teams had to adapt to a change in usage and, often, greater demand.

In 2021, many of those seeds will take root. Businesses that accelerated digital transformations will need to secure their infrastructure, developers working remotely on cloud-native applications will have more integrated security in their coding environments, and application security teams will be tasked with facilitating faster development cycles, rather than just finding vulnerabilities.

Overall, expect more security, automation, and coding throughout the development and deployment process, said Mike Ware, senior director of technology for Synopsys, a software-security company. Rather than just shifting security leftward to the developer, security will become a part of every piece of infrastructure, he said.

"The notion of 'shift left' will rapidly become a philosophy of 'shift everywhere.' It is not that we are going to stop moving left; we have to move security left. But we need to shift a lot of responsibilities right as well." - Mike Ware

While DevOps has broken down some barriers between developers and application security teams, the future will be about more tightly integrating security into development and making sure that security focuses on how to produce secure applications. Teams that only focus on finding bugs will continue to slow development, and that will undermine application security in the future, said Sandy Carielli, principal analyst with analyst firm Forrester Research.

Companies will have to broaden the bailiwick of the application security team: it's no longer just about applications, but about APIs, containers, and low-code/no-code services, she said.

Here are five trends your app sec team should expect in the next year.

Digital transformation took over the conversation in 2020. While many companies had focused on moving to the cloud, adding automation, and using software-defined infrastructure to drive their business and operations at the start of the year, the coronavirus pandemic forced most of them to accelerate their plans.

About seven out of every eight executives intended to make their company's operations and infrastructure cloud-native, with about the same share also committing to greater use of containers for application development and deployment, according to a survey conducted by financial giant Capital One.

These mandates and realities have trickled down to developers and security teams, especially as remote work has expanded. Existing silos between the groups can slow development and the resolution of security issues, so the pressure has increased to knock those walls down, said Dan Cornell, a principal at the Denim Group, a software-security consultancy, who noted that about 30% of employees at his firm have never set foot inside the office.

"We are seeing the collaboration capabilities of the tooling becoming more important. Because you can't walk down the hall and peek over the cubicle wall and ask how something works, teams need better ways to communicate." - Dan Cornell

In 2021, security programs will focus more on integrating tools that help developers avoid the mistakes that lead to vulnerabilities, rather than just detecting the software flaws leading to those vulnerabilities, said Martin Knobloch, global application security strategist for Micro Focus.

In the past, the tools typically used at the end of the development cycle (static application security testing (SAST) and dynamic application security testing (DAST) scanners, for example) have not been about making the application better, but about finding all the security mistakes, he said. Rather than finding ways to make applications more secure, most of the tools have focused on detailing what's wrong.

Yet, as security becomes more focused on working with developers, such programs become blockers, said Knobloch, who calls them "bad-o-meters."

"Who has to write the code? The developers. Who has to fix the code? The developers. What we are moving toward is tools for code quality used by developers, and not security tools." - Martin Knobloch

Similarly, he said, penetration tests and pen-testing tools will increasingly inform the threat model that can be used to guide developers, rather than just focus on finding ways to break the applications and circumvent security.

Denim Group's Cornell agrees.

"It is hard enough, even when you know the resolution path, to get developers to fix stuff. When you don't know the resolution path, then you are just increasing the amount of badness that you see in the system; you are not actually fixing the application." - Dan Cornell

With the expansion of DevOps and infrastructure as code, from containers to serverless computing, over the past five years, security has increasingly become part of the code as well. A great deal of software is based on building blocks, most commonly open-source components, that may not be instantiated until runtime, so security checks have to be built in, said Synopsys' Ware.

An application's security configurations for development, test, and production environments are often the purview of the developer, but more application security teams are also producing code to be included in the application at each stage as well.

"We are certainly seeing more and more software security initiatives focused on DevOps cultures. Software security teams in those groups are having to write more code, because more security is code; more of that software delivery is software-defined in nature." - Mike Ware

The tools used by attackers, red teams, and penetration testers continue to integrate more automation and do a lot of the work for application security audits and penetration tests.

But with the shortage of cybersecurity professionals, automation is over-relied on, and this makes for shallow assessments, said Micro Focus's Knobloch. Moreover, because penetration tests are expensive, most assessments are under significant time pressure: A test typically takes five to 10 days, and with a day of setup and a day of reporting, the actual assessment is often relegated to as few as three days, he said.

In the end, penetration testers are often well-trained tool operators rather than security-intrusion specialists, Knobloch said.

"You just can't turn security teams into good tool monkeys. Companies need to look for, and develop, really knowledgeable pen testers." - Martin Knobloch

The use of open-source libraries and components in development is almost ubiquitous, with some 99% of applications having at least one open-source component, according to Synopsys's 2020 Open Source Security and Risk Analysis Report. About one-third of vulnerabilities disclosed in 2019 were in open-source products, according to WhiteSource's 2020 State of Open Source Security report.

Determining which open-source components are secure should be a primary concern for any application security group.

You have to provide the "plumbing" that can determine whether something that you are going to bring in will pose a risk to the enterprise, said Ware.

"The developers need to be able to select the right tools that they need to create an application, but the security team needs to have the plumbing in place to educate them and warn them about security issues." - Mike Ware

In the end, companies need to make software not only more secure, but more resilient as well, and that means security groups have to work with developers to create the environment to produce better software, said Micro Focus' Knobloch.

"Most security people have to change. They cannot be a gate that code has to go through to pass, or a security tollbooth: Stop here until you get the results back." - Martin Knobloch

Forrester's Carielli said big challenges are in store for security teams.

"At the same time that security pros are giving up some of their duties (finding and fixing vulnerabilities) to developers, they have to expand into these other fields. There is an expanding definition of code and what are application tools, and so security pros have to look at APIs, at no-code, and at infrastructure as code." - Sandy Carielli

Go here to see the original:

5 key app sec trends for 2021: The shift is on for software teams - TechBeacon

Open source vs open core: the development battle you may never have heard of [Q&A] – BetaNews

There's a battle playing out in the enterprise open source arena right now, but it's one you probably haven't heard about.

It's a clash between pure open source and commercialized open source (or 'open core') versions. While this may be below the radar for anyone not directly involved it has important long-term implications for the industry.

In an exclusive interview we spoke to Ben Bromhead, the chief technology officer at open source specialist Instaclustr to get his view of the battlefield.

BN: Research has begun to show that enterprise open source adoption has spiked this year and is related to changing economic conditions. Assuming conditions improve in 2021, what will that mean for the open source trajectory?

BB: COVID has accelerated myriad changes across industries that were already inevitable. We've all seen this with major spikes in online shopping and food delivery services, and businesses' expanded work from home policies, to name a few. These were trending up anyway; COVID just sped up the transitions. Open source adoption is firmly in this same category. Open technologies across the stack have been an inevitable trend for enterprises -- driven by better software quality, far more efficient costs, and continual innovation -- that has been accelerated by the conditions that COVID has created. Because of those fundamental factors underpinning open source adoption, I expect that the current rising trajectory will outlast the pandemic. Open source acceleration isn't a one-off spike, it's where more enterprises are headed.

BN: As open source has become more popular for enterprises, so has the rift between pure open source and commercialized open source. Will there be a winner, or are they built for different use cases?

BB: I'm strongly of the opinion that pure open source will be the winner. It's an inevitable truth of the open source/open core dynamic that all of the most valuable closed-source features offered by open core software products will be replicated in the pure open source versions. We've seen this many times over across various open source projects (and contribute to this phenomenon ourselves by developing open source tools when customers demand them). As an open source technology matures, it becomes harder and harder for open core providers to identify opportunities for features that differentiate their product from the 100 percent open source version. Therefore, the natural evolution of open source technology includes mechanisms that eventually leave open core strategies out in the cold, and rightfully so.

BN: Open source continues to make headlines for security concerns. What do enterprises need to understand about open source and security? How big a risk is it and what, specifically, needs to be vetted in an open source technology before using it?

BB: One important point to consider here is the different likelihoods that the vulnerabilities inevitably existing within any piece of complex software will be found and publicly reported. Here's what I'm getting at: there's a strong argument that vulnerabilities existing in open source software are much more likely to be identified and reported than those within closed source software. This is one of the many key advantages that open source software intrinsically provides. Open source code is viewed by many more eyeballs, and approached from a much broader range of perspectives. There's a greater diversity of users and of use cases. That naturally results in more vulnerabilities being recognized. So, when comparing the raw numbers of vulnerabilities discovered in open source or closed source software, it's important to acknowledge that finding those vulnerabilities does result in software that is actually more secure.

This leads to another fundamental advantage of open source software, which is that you have an entire community contributing to resolve any bugs and vulnerabilities. The assembled cooperative talent backing open source solutions, and what these communities are capable of achieving, is really a tremendous feat to be celebrated. In comparison, hired teams at companies working to identify and patch vulnerabilities in proprietary software are much more limited in terms of the number of developers on the project, and the scope of what they can accomplish.

As for vetting open source projects, enterprises should evaluate whether a technology is truly free and open, carefully examine licensing terms, and understand the strength of the community and the business motivations of any large commercial entities in that community. The best solutions are supported by communities robust enough to serve the common good, and not be unduly influenced by any one commercial interest.

All that said, using open source software does often demand a greater degree of engineering sophistication than closed source. That's where organizations providing open source support and managed services can manage the risk of adopting new solutions and ensure enterprises can unlock the full benefits of open source software.

BN: Open source, as a term, has just entered its third decade. What's the biggest risk facing open technologies over the next ten years?

BB: The muddying of what open source means through the use of restricted open source licenses is a significant challenge for open source at the moment. At Instaclustr, we favor software governed by open source foundations such as the Apache Foundation, where you can be sure that the governance of the open source project is focused on acting in the best interest of users. And as mentioned, enterprise open source adoption is increasing and on quite a healthy path right now. The challenges of the next ten years may be in better distinguishing true open source offerings, and ensuring that the market gives new adopters the clarity to understand the potential pitfalls ahead when dealing with open core solutions. In scenarios where enterprises don't control their own code, vendor and technical lock-in are very real threats. Hopefully the next decade will see a stark reduction in the number of enterprises that find themselves in such situations.

BN: Do changes need to be made to make open source project development and maintenance more sustainable than they are now?

BB: Many open source projects have proven themselves to be sustainable over the long term under current arrangements. While projects sometimes go through painful periods, if they're truly valuable then the community will most often find a way to ensure that they continue to be maintained and supported. I'd be hesitant to recommend any broad-brush changes, because successful projects evolve based on the motivations and capacity of the communities that find them useful. Where changes are helpful, communities will naturally determine and drive those changes. Open source projects feature powerful mechanisms that are the reason they command the success they've achieved, and I'm inclined to continue to trust in them.


See the original post:

Open source vs open core: the development battle you may never have heard of [Q&A] - BetaNews

SD Times Open-Source Project of the Week: Google Fuchsia – SDTimes.com

Fuchsia is an open-source capability-based operating system that was initially released in 2016, and is currently under development by Google.

Google announced this week that it would be expanding on the project and making it easier for the public to contribute. The company released a new public mailing list for project discussions, added a governance model to help users understand how strategic decisions are made, and opened up the issue tracker for public contributors to visualize ongoing work. There is also a technical roadmap that will highlight project direction and priorities.

Currently, the key highlights in the roadmap include a driver framework for updating the kernel independently of the drivers, improving file systems for performance, and expanding the input pipeline to increase accessibility.

"As an open source effort, we welcome high-quality, well-tested contributions from all. There is now a process to become a member to submit patches, or a committer with full write access," Wayne Piekarski, developer advocate for Fuchsia, stated in the post.

According to Piekarski, the project is not yet ready for product development or as a development target. However, developers can currently clone, compile, and contribute to it. For those who want to take part in code reviews, Fuchsia has the contribution guidelines and community resources available here.

Continued here:

SD Times Open-Source Project of the Week: Google Fuchsia - SDTimes.com