Board approves 16 faculty appointments – Princeton University

The Princeton University Board of Trustees has approved the appointment of 16 faculty members, including two full professors, one associate professor and 13 assistant professors.

Laura Edwards, in history, specializes in legal history. She comes to Princeton this winter from Duke University, where she was hired as an associate professor in 2001 and appointed to full professor in 2005. Edwards previously was on the faculty of the University of California-Los Angeles from 1997-2001, and the University of South Florida from 1993-97.

Edwards is the author of four books on the legal history of the American South, including The People and Their Peace: Legal Culture and the Transformation of Inequality in the Post-Revolutionary South (2009), which received the Charles Sydnor Prize, awarded by the Southern Historical Association for the best book on Southern history, and the Littleton-Griswold Prize, awarded by the American Historical Association for the best book on the history of American law and society.

She holds a Ph.D. from the University of North Carolina at Chapel Hill and a B.A. from Northwestern University.

Romain Teyssier, in astrophysical sciences and the Program in Applied and Computational Mathematics, studies computational astrophysics. His appointment is effective in fall 2021.

Teyssier joined the University of Zurich as an associate professor of computational astrophysics in 2013 and was named a full professor in 2019. Teyssier's research includes performing simulations of cosmic structure in order to understand the origin of astrophysical objects, such as stars and galaxies. He is the author of the RAMSES code, an open source code to model astrophysical systems.

He earned a Ph.D. from Paris Diderot University, a B.S. from Ecole Nationale Superieure des Techniques Avancees in Paris and a B.S. from Ecole Polytechnique in Palaiseau, France.

Edward Baring, in history and the University Center for Human Values, will join Princeton this winter from Drew University, where he was appointed assistant professor in 2010 and promoted to associate professor in 2015.

Baring received a Ph.D. from Harvard University and a B.A. from the University of Cambridge.

David Builes, in philosophy, joins the faculty in fall 2021.

Builes, who specializes in metaphysics, epistemology and philosophy of science, holds a Ph.D. from the Massachusetts Institute of Technology and a B.A. and B.S. from Duke University.

Michelle Chan, in molecular biology and the Lewis-Sigler Institute for Integrative Genomics, joins the faculty this fall. She is a specialist in genomics.

Chan received her Ph.D. from the Massachusetts Institute of Technology and a B.S. from the University of British Columbia.

Adji Bousso Dieng, in computer science, joins the faculty in fall 2021.

A specialist in artificial intelligence, she holds a Ph.D. from Columbia University, an M.S. from Cornell University and a Diplôme d'Ingénieur from Telecom Paris.

Jaime Fernandez Fisac, in electrical engineering, began his appointment at Princeton in August. He specializes in robotics, control and artificial intelligence.

Fisac received a Ph.D. from the University of California-Berkeley, an M.Sc. from Cranfield University and a B.S./M.S. from Universidad Politecnica de Madrid.

Yasaman Ghasempour, in electrical engineering, will join the Princeton faculty this winter. Her research focuses on computing and networking.

Ghasempour earned a Ph.D. at Rice University and a B.S. at Sharif University of Technology in Tehran, Iran.

Mohamadreza Moini, in civil and environmental engineering, joins the faculty this winter.

A specialist in architectured materials and additive manufacturing, he received his Ph.D. from Purdue University, an M.S. from University of Wisconsin-Milwaukee and a B.S. from Qom University in Qom, Iran.

Andres Monroy-Hernandez, in computer science, joins Princeton in August 2021 from his position as lead research scientist for Snap Inc. Specializing in computer-human interaction, he has served as an affiliate professor at the University of Washington since 2014.

Monroy-Hernandez holds a Ph.D. from MIT Media Lab and a B.S. from Tecnologico de Monterrey in Mexico.

Cameron Amadeus Myhrvold, in molecular biology, comes to Princeton this winter. He specializes in virology.

Myhrvold earned his Ph.D. at Harvard University and an A.B. from Princeton in 2011.

Ravi Netravali, in computer science, will join the Princeton faculty in summer 2021 from the University of California-Los Angeles, where he has served as assistant professor since 2019.

A specialist in networking and systems, he holds a Ph.D. from the Massachusetts Institute of Technology and a B.S. from Columbia University.

Yury Pritykin, in computer science and the Lewis-Sigler Institute for Integrative Genomics, joins the faculty this winter. His research concentrates on computational biology and genomics.

Pritykin received a Ph.D. from Princeton in 2014. He also holds a Ph.D. from Lomonosov Moscow State University.

Yunqing Tang, in mathematics, will join the faculty this winter after serving as an instructor at Princeton since 2017. A specialist in number theory, she was a member of the Institute for Advanced Study in 2016-17.

Tang holds a Ph.D. from Harvard University and a B.S. from Peking University.

Aartjan te Velthuis, in molecular biology, joins the faculty this winter.

A specialist in virology, he received a Ph.D. and B.S. from Leiden University in the Netherlands and a B.S. from Saxion University of Applied Sciences in the Netherlands.

Jerry Zee, in anthropology and the Princeton Environmental Institute, joined the faculty in August. He specializes in environmental humanities.

Zee earned his Ph.D. at the University of California-Berkeley and a B.A. at Stanford University.


Why we invite security researchers to hack Azure Sphere – Microsoft

Fighting the security battle so our customers don't have to

IoT devices are becoming more prevalent in almost every aspect of our lives; we will rely on them in our homes, our businesses, as well as our infrastructure. In February, Microsoft announced the general availability of Azure Sphere, an integrated security solution for IoT devices and equipment. General availability means that we are ready to provide OEMs and organizations with quick and cost-effective device security at scale. However, securing those devices does not stop once we put them into the hands of our customers. It is only the start of a continual battle between the attackers and the defenders.

Building a solution that customers can trust requires investments before and after deployment, complementing up-front technical measures with ongoing practices to find and mitigate risks. In April, we highlighted Azure Sphere's approach to risk management and why securing IoT is not a one-and-done. Products improve over time, but so do hackers, as well as their skills and tools. New security threats continue to evolve, and hackers invent new ways to attack devices. So, what does it take to stay ahead?

As a Microsoft security product team, we believe in finding and fixing vulnerabilities before the bad guys do. While Azure Sphere continuously invests in code improvements, fuzzing, and other quality control processes, it often requires the creative mindset of an attacker to expose a potential weakness that otherwise might be missed. Better than trying to think like a hacker is working with them. This is why we operate an ongoing program of red team exercises with security researchers and the hacker community: to benefit from their unique expertise and skill set. That includes being able to test our security promise not just against yesterday's and today's attacks on IoT devices, but even against tomorrow's, before they become known more broadly. Our recent Azure Sphere Security Research Challenge, which concluded on August 31, is a reflection of this commitment.

Our goal with the three-month Azure Sphere Security Research Challenge was twofold: to drive new high-impact security research, and to validate Azure Sphere's security promise against the best challengers in their field. To do so, we partnered with the Microsoft Security Response Center (MSRC) and invited some of the world's best researchers and security vendors to try to break our device by using the same kinds of attacks as any malicious actor might. To make sure participants had everything they needed to be successful, we provided each researcher with a dev kit, a direct line to our OS Security Engineering Team, access to weekly office hours, and email support, in addition to our publicly available operating system kernel source code.

Our goal was to focus the research on the highest impact on customer security, which is why we provided six research scenarios with additional rewards of up to 20 percent on top of the Azure Bounty (up to $40,000), as well as $100,000 for two high-priority scenarios proving the ability to execute code in Microsoft Pluton or in Secure World. We received more than 3,500 applications, which is a testament to the strong interest of the research community in securing IoT. More information on the design of the challenge and our collaboration with MSRC can be found here on their blog post.

The quality of submissions from participants in the challenge far exceeded our expectations. Several participants helped us find multiple potentially high-impact vulnerabilities in Azure Sphere. The quality is a testament to the expertise, determination, and diligence of the participants. Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product. Sixteen were bounty-eligible, adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system, something often referred to in the field as "by design". The high ratio of valid submissions to total submissions speaks to the extremely high quality of the research demonstrated by the participants.

Jewell Seay, Azure Sphere Operating System Platform Security Lead, has shared detailed information on many of the cases in three recent blog posts describing the security improvements delivered in our 20.07, 20.08, and 20.09 releases. Cisco Talos and McAfee Advanced Threat Research (ATR), in particular, found several important vulnerabilities, and one particular attack chain is highlighted in Jewell's 20.07 blog.

While the described attack required physical access to a device and could not be executed remotely, it exposed potential weaknesses spanning both cloud and device components of our product. The attack included a potential zero-day exploit in the Linux kernel to escape root privileges. The vulnerability was reported to the Linux kernel security team, leading to a fix that was shared with the wider open source community. If you would like to learn more and get an inside view of the challenge from two of our research partners, we highly recommend McAfee ATR's blog post and whitepaper, or Cisco Talos' blog post.

With Azure Sphere, we provide our customers with a robust defense based on the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state, even if it has been compromised. While this is essential, it is not sufficient on its own. An organization must be equipped with the resources, people, and processes that allow for a quick resolution before vulnerabilities impact customers. Azure Sphere customers know that they have the strong commitment of our Azure Sphere Engineering team: that our team is searching for and addressing potential vulnerabilities, even those arising from the most recently invented attack techniques.

We take this commitment to heart, as evidenced by all the fixes that went into our 20.07, 20.08, and 20.09 releases. Less than 30 days after McAfee reported the attack chain to us, we shipped a fix to all of our customers, with no action required on their part because of how Azure Sphere manages updates. Although we received a high number of submissions across multiple release cycles, we prioritized analyzing every single report as soon as we received it. The success of our challenge should not just be measured by the number and quality of the reports, but also by how quickly reported vulnerabilities were fixed in the product. When it came to fixing the found vulnerabilities, no distinction was made between those with a demonstrated exploit and those that were only theoretical. Attackers get creative, and hope is not part of our risk assessment or our commitment to our customers.

On behalf of the entire team and our customers, we would like to thank all participants for their help in making Azure Sphere more secure! We were genuinely impressed by the quality and number of high impact vulnerabilities that they found. In addition, we would also like to thank the MSRC team for partnering with us on this challenge.

Our goal is to continue to engage with this community on behalf of our customers going forward, and we will continue to review every potential vulnerability report for Azure Sphere for eligibility under the Azure Bounty Program awards.

Our team learned a lot throughout this challenge, and we will explore and announce additional opportunities to collaborate with the security research community in the future. Protecting our platform and the devices our customers build and deploy on it is a key priority for us. Working with the best security researchers in the field, we will continue to invest in finding potential vulnerabilities before the bad guys do, so you don't have to!


Kunai Selected by United Nations Technology Innovation Lab to Become Institutional Contributor of OpenSource Project 1point5 – Business Wire

OAKLAND, Calif.--(BUSINESS WIRE)--In June 2020, the United Nations Technology Innovation Labs programme launched 1point5, a social distancing app aimed at helping the world get back to work safely while the COVID-19 pandemic remains an ongoing reality. As part of the project the UN tapped Kunai, a product development consultancy based in Oakland, CA, to become an institutional contributor to the project, developing the Safe Teams Feature of the social distancing app.

1point5 is a free app that promotes social distancing awareness. It detects other application users' phones and alerts them when they come within social distancing range of each other. Kunai contributed to building version 2.0 of the application, which includes a Safe Teams Feature. This feature allows app users to create Teams by scanning a QR code on the devices of people they choose not to socially distance from. This allows Team Members such as coworkers or family members to have alerts muted when they are within social distancing range of each other, while still receiving alerts from other app users who are not in their pool. The app is open source and available for free on Android.

"Social distancing saves lives, and the 1point5 app is a clever piece of technology that allows people to know when they're too close," said Maurizio Maria Gazzola, UN-OICT Chief, Strategic Solutions. "Our vision is to #MakeTechInclusive and to demonstrate how brilliant technologists can quickly address pivotal issues related to health and safety during COVID-19 with ensuring the strictest privacy standards."

As private-sector tech companies, developers, and like-minded organisations work to find solutions and tackle current and future crises, Kunai's effort is a clear example of using tech for good to keep people safe and solve problems at scale. Because the 1point5 app does not collect or store any personally identifiable information, it gives individuals the peace of mind that they are not being tracked and that their information is not being shared.

"We are excited to partner with the United Nations Technology Innovation Lab to develop 1point5, a timely, groundbreaking social distancing application. It is an example of how public and private organizations can come together to solve large-scale issues during this pandemic, while still protecting individuals' privacy," said Sandeep Sood, CEO of Six15. "We hope this app is able to give people the peace of mind to return to a more normal life in times of extraordinary change."


Hacked off with Hacktoberfest – InfoQ.com

Hacktoberfest is a promotion run by DigitalOcean every October to encourage developers to contribute to open-source projects on GitHub. In return, DigitalOcean sends a free T-shirt to anyone who submits four pull requests to any repository on GitHub. From the description:

Hacktoberfest is open to everyone in our global community. Whether you're a developer, student learning to code, event host, or company of any size, you can help drive growth of open source and make positive contributions to an ever-growing community. All backgrounds and skill levels are encouraged to complete the challenge. Hacktoberfest is a celebration open to everyone in our global community. Pull requests can be made in any GitHub-hosted repositories/projects. You can sign up anytime between October 1 and October 31.

While well-intentioned, and certainly a means to promote DigitalOcean, this year has seen more problems than in previous years. According to an update published by DigitalOcean, a social media promotion has resulted in much higher volumes of low-quality PRs being generated across multiple GitHub repositories. They have tweeted an apology but are still running the competition, encouraging participants to make changes.

As the encouragement from DigitalOcean is valid for any GitHub-hosted repository, there is no way for individual GitHub users or organisations to decline to be part of this challenge. The fact that it's opt-out, rather than opt-in (like Google Summer of Code), has caused some resentment, with one disgruntled user claiming that:

For the last couple of years, DigitalOcean has run Hacktoberfest, which purports to support open source by giving free t-shirts to people who send pull requests to open source repositories.

In reality, Hacktoberfest is a corporate-sponsored distributed denial of service attack against the open source maintainer community. So far today, on a single repository, myself and fellow maintainers have closed 11 spam pull requests. Each of these generates notifications, often email, to the 485 watchers of the repository. And each of them requires maintainer time to visit the pull request page, evaluate its spamminess, close it, tag it as spam, lock the thread to prevent further spam comments, and then report the spammer to GitHub in the hopes of stopping their time-wasting rampage.

A new Twitter account, @s**toberfest, has been sending out messages from disgruntled open-source maintainers whose repositories are being spammed with trivial pull requests.

Open-source maintainers have taken to fixing the problems themselves: a new GitHub action has been created to block known Hacktoberfest spammers, and GitHub itself has announced a temporary workaround that stops users who are not existing contributors from creating PRs or issues, in a message entitled "Hacktoberfest: Help for Maintainers":

Need to take a break, or limit which people can send a pull request to your repo?

You can now limit interactions for a period of time. Find it in your project settings > moderation settings > interaction limits.

You can set interaction limits for all public repositories in an organisation, or for a single repository.

This has obviously been implemented in a very short space of time, and its main purpose seems to be to stop the Hacktoberfest spammers from polluting repositories. Unfortunately, since it needs to be enabled on each repository, spammers are more likely to move on to less well-known repositories than to be stopped completely.

For its part, DigitalOcean are aware of the problem (as they've noted) but are continuing to run the promotion. However, with the negative backlash that it has caused, you have to wonder whether their advertising promotion will do more harm than good.

InfoQ has reached out to DigitalOcean and will update this post upon response.


Covid-19 exposure notification apps are coming to US states Quartz – Quartz

For the first six months of the pandemic, the US lagged behind dozens of other countries in rolling out apps to alert citizens when they've come in contact with someone who has tested positive for Covid-19. But states are finally rolling out a wave of apps based on open-source software that has made their proliferation faster and cheaper.

Now people just need to download them.

The most recent additions to the canon are New York and New Jersey, which each launched apps on Oct. 1. By the next day, iPhone and Android users had installed the New York app about 250,000 times, and New Jersey's app about 65,000 times.

Since August, seven other US states and Guam have launched exposure notification apps. Four of them (New York, New Jersey, Delaware, and Pennsylvania) were built using open-source code from the Linux Foundation Public Health (LFPH) initiative, which is freely available to any government that wants to crib from it to develop its own app. In September, Apple and Google announced an exposure notification express program to allow states to launch apps without doing any in-house coding at all.

Jenny Wanger, who works with LFPH to help US states get their coronavirus apps off the ground, says eight more state apps are likely to launch by the end of October. "They're going to be able to do it at this point quite quickly and easily and cheaply," she said, noting that states no longer need to hire developers to build new apps from scratch. "I would hope by the end of the year to see the majority of US states with exposure notification technology."

All US state apps operate using the Google/Apple Exposure Notification API, which is a procedure for iPhones and Android devices to talk to each other via Bluetooth signals. If you download one of the state apps, and you stand within six feet of someone else who has the app downloaded, your phones will exchange secret codes, which are encrypted to protect your identities.

If you test positive for Covid-19, you can tell your phone to send a list of all the secret codes it has generated to a central database. All app users' phones periodically check that database to see if they've come across those codes. If so, they send an alert to let their owners know they may have been exposed to the virus. Six state apps use the same database run by the Association of Public Health Laboratories, which means no matter which of the six you download, you can exchange codes with any of the others.
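The exchange described above, as an added example that is not part of the original article or of any state's app: a simplified model (assumption) in which each phone keeps one random key per day and derives a short rolling identifier per 10-minute interval from it, a positive phone uploads only the keys behind the codes it generated, and every other phone re-derives the identifiers locally and compares them with what it heard. HMAC-SHA256 stands in for the real API's key derivation, and the phone, server and scenario names are constructed here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Simplified model (assumption): one random key per day, one rolling identifier
# per 10-minute interval derived from that key. The real Exposure Notification
# API uses AES and HKDF; truncated HMAC-SHA256 stands in for it here.
INTERVAL_SECONDS = 600
INTERVALS_PER_DAY = 24 * 60 * 60 // INTERVAL_SECONDS  # 144


def interval_number(timestamp: int) -> int:
    """Index of the 10-minute interval containing a Unix timestamp."""
    return timestamp // INTERVAL_SECONDS


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier a phone broadcasts during one interval.

    Without the daily key the identifiers cannot be linked to each other,
    which is what stops a passer-by from tracking a phone across the day.
    """
    msg = b"rolling-id" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class KeyServer:
    """The shared database: it holds only keys uploaded after a positive
    test, never the identifiers any phone observed."""

    def __init__(self):
        self._keys = []

    def publish(self, day: int, key: bytes) -> None:
        self._keys.append((day, key))

    def published(self) -> list:
        return list(self._keys)


@dataclass
class Phone:
    name: str
    daily_keys: dict = field(default_factory=dict)  # day -> key, stays on device
    seen: dict = field(default_factory=dict)        # identifier -> interval heard

    def key_for_day(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = os.urandom(16)
        return self.daily_keys[day]

    def broadcast(self, timestamp: int) -> bytes:
        interval = interval_number(timestamp)
        return rolling_id(self.key_for_day(interval // INTERVALS_PER_DAY), interval)

    def observe(self, identifier: bytes, timestamp: int) -> None:
        """Record an identifier heard over Bluetooth from a nearby phone."""
        self.seen[identifier] = interval_number(timestamp)

    def report_positive(self, server: KeyServer) -> None:
        """Upload the keys behind the codes this phone generated (not the
        codes it received), which is the direction the article's correction gives."""
        for day, key in self.daily_keys.items():
            server.publish(day, key)

    def check_exposure(self, server: KeyServer) -> list:
        """Re-derive every identifier of every published key and compare it
        with what this phone heard; matching happens on the device."""
        hits = []
        for day, key in server.published():
            start = day * INTERVALS_PER_DAY
            for interval in range(start, start + INTERVALS_PER_DAY):
                if self.seen.get(rolling_id(key, interval)) == interval:
                    hits.append(interval)
        return hits


def simulate_encounter() -> dict:
    """Constructed scenario: Alice and Bob are near each other for two
    intervals, Carol only ever meets Bob, then Alice tests positive."""
    server = KeyServer()
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    t0 = 1_600_000_000
    for ts in (t0, t0 + INTERVAL_SECONDS):
        bob.observe(alice.broadcast(ts), ts)
        alice.observe(bob.broadcast(ts), ts)
    later = t0 + 5 * INTERVAL_SECONDS
    carol.observe(bob.broadcast(later), later)
    alice.report_positive(server)
    return {
        "bob_exposures": len(bob.check_exposure(server)),    # 2
        "carol_exposures": len(carol.check_exposure(server)),  # 0
        "keys_on_server": len(server.published()),           # 1
    }


if __name__ == "__main__":
    print(simulate_encounter())
```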

Wanger said it took a long time to build up all these core enabling technologies: the API for Apple and Google devices to talk to each other, the database of encrypted codes that all states share, and the open-source software states can copy to make their own apps. But now that they're all in place, it typically only takes four to six weeks for a state to get an app off the ground.

The key question now is how many people will download the apps. Researchers found that if just 15% of the population uses an exposure notification app, it can cut Covid-19 infections by 8% and deaths by 6%.

Correction: Not all US state apps use the Association of Public Health Laboratories database; the apps from Alabama, Virginia, Nevada, and Guam do not. Additionally, phones send a list of all the codes they've generated to a central database, not all the codes they've received.

This story has been updated with estimated downloads of the New York and New Jersey exposure notification apps.


7 ways to use Python in the real world | EC-Council CodeRed Blog – EC-Council Blog

Python holds a unique position in the market compared to traditional languages like PHP, Java, and C++. It has emerged as a prominent choice for many companies, including Google, Netflix, Dropbox, Instagram, Spotify, and many more. According to the TIOBE Index, Python has made its way up the ladder by displacing C++ from third position.

Python is one of the fastest-growing programming languages in the world. According to SlashData, there are 8.2 million active Python users in the world. Python is mostly used by software engineers, but also by mathematicians, data analysts, and students for purposes such as automation, artificial intelligence, big data analysis, and investment schemes at fintech companies. Due to its versatile nature, the demand for skilled developers has increased globally. It opens career opportunities such as Python developer, DevOps developer, data scientist, data analyst, programmer, and many more.

What is Python?

Python is an easy-to-use, powerful object-oriented programming language for beginners as well as experts. It is a high-level, dynamically typed interpreted language that makes debugging easier, reducing errors and supporting rapid application development. It provides a wide range of libraries that help developers write fewer lines of code, thus increasing productivity and saving time as well as money.

Python can help companies store, track, and manage huge amounts of data. The exponential increase in data has made it the preferred language for organizations such as Dropbox, YouTube, Amazon, Cisco, and IBM, to name a few. Learning Python programming online can help beginners kick-start their careers and close the widening shortage of Python developers.

Python is a top-notch programming language for aspirants from both technical and non-technical backgrounds. They can start coding immediately, as learning it is like learning how to read and write.

Python developers earn the highest salaries in the IT industry. The average Python developer salary in the United States is approximately $79,395 per year. Python can be effective in a myriad of areas, a few of which are:

Python provides frameworks for creating web applications along with many libraries that can help integrate protocols like HTTPS, FTP, and SSL, along with the processing of JSON, XML, e-mail, and much more.

Python is used for the development of interactive games. Games like VegaStrike and Civilization IV are built using Python libraries like PyGame and PySoy.

With data available in abundance, it has become important to extract relevant information using libraries like Pandas and NumPy. These libraries help shape the data as needed, and Matplotlib and Seaborn then present it graphically.

Python is widely used by companies to build web applications, analyze data, automate business operations using DevOps practices, and create reliable, scalable enterprise applications. Odoo is an all-in-one suite of management software, and Tryton is used to build general-purpose applications.

Python is used to build machine learning algorithms that mimic how a human brain thinks, analyzes, and makes decisions. Libraries like Pandas, Scikit-Learn, and NumPy help build solution models suited to the problem. AI, followed by ML, is used for predictions that help people create strong strategies and find more effective solutions in less time.

Python can handle an enormous amount of data. It can also be used together with Hadoop for parallel computing. Using the Pydoop library, one can write MapReduce jobs to process data stored in an HDFS cluster.

Python can be used to build user-friendly desktop interfaces using the Tkinter library. There are many other useful toolkits, such as wxWidgets, Kivy, and PyQt, that help in building simple applications like to-do lists, calculators, and more.

Due to Python's versatility, it's not only used in the areas mentioned above but also in web-scraping applications, audio and video applications, CAD applications, embedded applications, testing frameworks, and task automation. Python is extensively used in the field of cybersecurity. With data breaches occurring regularly, it has become important to secure your network and data.

The EC-Council's Python Security Microdegree program teaches you Python programming, including data structures, string operations, OOP concepts, file interaction, and database management. It also covers advanced programming such as parallel processing, decorators, and generating cross-platform programs. This course will also teach you about cybersecurity applications like socket programming, packet capturing, parsing, and integrating other languages for Python cryptography, metadata analysis, and password cracking.

The benefit of this Microdegree program is that you will be taught by world-class industry experts in self-paced, video-based training that comes with an option to perform hands-on live exercises via our Cyber Range, iLabs, with 55+ hands-on virtual labs and assessments to help you establish yourself as a secure programmer.

Learn more about the EC-Council's CodeRed Microdegree programs

Whether you are a fresher, want to enhance your skills, or are looking for a successful career transition, Python can help you skyrocket your career by getting you your dream job. Learn Python programming now.

To learn more, visit our CodeRed course page.

FAQs

1. Where is Python mostly used?

Python is popular and widely used in various industry sectors, including insurance, finance and fintech, healthcare, entertainment, startups, and many more. Python is extensively used in the Data Science and Machine Learning domains, and it is considered one of the most in-demand career paths.

2. What can you do with Python code?

Due to the simplicity of the language, it can be used in almost any scenario. As Python is a scripting language for web applications, it can be used to automate boring tasks, making them more efficient. One can learn to create games according to their preference. You can also learn to build impressive things like a fingerprint identification scanner, stock prediction, and spam detection. You can also learn to build futuristic robots.


DigitalOcean Launches App Platform to Simplify Application Development in the Cloud – GlobeNewswire

NEW YORK, Oct. 06, 2020 (GLOBE NEWSWIRE) -- DigitalOcean, the cloud for developing modern apps, today announced DigitalOcean App Platform, a new platform as a service (PaaS) offering that automates infrastructure management so developers can deploy their code to production in just a few clicks. The new offering advances the company's managed services strategy to simplify cloud computing so developers as well as small- and medium-sized businesses (SMBs) can spend more time creating software that changes the world.

"With millions of businesses started in the cloud each year, developers need a simple, fast and scalable way to ship the apps that power their ideas," said Apurva Joshi, VP of Product, DigitalOcean. "With App Platform, we built upon DigitalOcean's proven technology and signature simplicity to provide a fully managed experience that allows developers to stop worrying about infrastructure and get their apps to market faster. And, since it runs entirely on DigitalOcean, App Platform makes it easy for businesses to keep costs low and optimize their resources as they grow."

App Platform maximizes productivity by letting developers deploy code directly from their GitHub repositories. Developers also can choose to re-deploy automatically when updates are pushed to the source repo.

Built on DigitalOcean Kubernetes, App Platform brings the power, scale, and flexibility of Kubernetes to customers without exposing them to any of its complexity. Additionally, since it is built on open standards, App Platform provides customers with more visibility into the underlying infrastructure than in a typical closed PaaS environment. This affords customers the choice of how they want to scale their apps; either through the fully managed, in-built scaling mechanism of App Platform or by taking more control of their infrastructure set-up.

According to DigitalOcean Currents, 65 percent of founders cite technical know-how around maintaining infrastructure as a top barrier to entry for new businesses. By handling common infrastructure tasks like provisioning and managing servers, databases, operating systems, application runtimes, and other dependencies, App Platform makes DigitalOcean's cloud accessible to startups and SMBs that lack the time or expertise required to manage their infrastructure.

"To fast-track the application development lifecycle, more developers are embracing modern application platforms built on open standards," said Larry Carvalho, Research Director, IDC. "Cloud native technologies powered by open source Kubernetes are now the first choice for developers at companies of all sizes. For startups and small to medium-sized businesses with skills shortages, price, simplicity of experience and reliability are all key considerations, especially for those organizations that prefer a completely abstracted and automated infrastructure environment."

App Platform currently supports many popular languages and frameworks, including: Python, Node.js, Go, PHP, Ruby, Hugo and static sites. The product is available now with a free tier for static sites and additional tiers to meet businesses' growing needs. More details around pricing and regional availability can be found here: https://www.digitalocean.com/pricing/#app-platform.

Learn more about App Platform at deploy, DigitalOcean's virtual user conference on Nov. 10, 2020. To pre-register visit: https://www.digitalocean.com/deploy/

ABOUT DIGITALOCEAN

DigitalOcean and its Developer Cloud simplify modern app creation for new generations of developers, from individual developers to entrepreneurs at startups and SMBs. Its infrastructure and platform-as-a-service (IaaS and PaaS) solutions allow developers to focus their energy on creating innovative software. By combining the power of simplicity, love for the developer community, an obsession for customer service, and the advantages of open source, DigitalOcean brings software development within technical and economic reach of anyone around the world. For more information, visit digitalocean.com or follow @digitalocean on Twitter.

Media Contact: Angela Maglione, press@digitalocean.com

See the original post:

DigitalOcean Launches App Platform to Simplify Application Development in the Cloud - GlobeNewswire

What the Building In Security Maturity Model (BSIMM) Says About the Role of SAST and SCA – Security Boulevard

The BSIMM is an annual study of real-world software security initiatives (SSIs, in the report's terminology) across the software industry, drawing on data and experience from 130 organizations. Rather than repeat the aim of the study, this quote sums it up best:

The BSIMM is a measuring stick for software security. The best way to use it is to compare and contrast your own initiative with the data about what other organizations are doing. You can identify your own goals and objectives, then refer to the BSIMM to determine which additional activities make sense for you.

In the rapidly changing software security field, understanding what most, some, and few other organizations are doing in their SSIs can directly inform your own strategy.

Executive Summary, BSIMM11.

Measuring stick is the key term here. BSIMM is a way to measure where you stand and make a plan for where you want to go. It lets software organizations compare how they are doing against peer companies and then discuss, implement, measure, report and improve.

The BSIMM is organized into domains and security practices which encompass numerous activities that make up the security framework. This is illustrated below:

[Figure: the BSIMM11 framework of domains, security practices and activities. Source: BSIMM11, Part Two, The BSIMM11 Framework]

The maturity model aspect of BSIMM implies improvement and optimization. In this case, it outlines the key areas of practice that an SSI would fall under, and as companies move from an ad-hoc approach to a more strategic one, they move along the maturity scale. In BSIMM the stages are defined as emerging, maturing and optimizing, which, the study points out, isn't necessarily a linear progression and may not end in the optimizing state.

For this post, I'm not going to delve into detail on all of these, but there are clearly practices where SAST (static application security testing) and SCA (software composition analysis) have a role, and then, only briefly, standards and requirements (SR), code review (CR) and security testing (ST).

Recommendations in BSIMM make it clear that tools and automation play an important supporting role in security, and practice maturity includes more sophisticated use of them. Looking at the Governance-led Getting Started Checklist: item 2, inventory software, is an important role for SCA; item 5, do defect discovery, implies detecting and discovering existing vulnerabilities, in which SAST, SCA and other discovery tools play an important role; item 6, select security controls, includes setting secure coding standards and prioritising the detection and prevention of high-risk security vulnerabilities; item 7, repeat, implies automation (including tools), cyclical processes and the adoption of DevSecOps, for example, all of which modern tools need to integrate with. Although these guidelines go beyond the use of tools, it's clear that tools have an important role in security practice maturity.

In the standards and requirements (SR) practice, emerging practices include security standards which might imply certain constraints on developed software to reduce vulnerabilities. Maturing practices identify open source usage to determine their risk and exposure. Optimizing companies are using and enforcing secure coding standards, controlling open source risk, and securing their software supply chain.

Consider also the code review (CR) touchpoint. BSIMM notes that the emerging practice is the adoption of SAST to work alongside manual reviews. The maturing practice is the use of tailored rules and organizing target vulnerabilities into a Top N list (like an organization's own version of the OWASP or CWE lists). At the optimizing stage, organizations pursue the eradication of critical vulnerability types, automate malicious code detection and enforce coding standards (in all of which SAST plays an important role). As you can see, maturity in practice coincides with maturity of tool usage.

Inventory of software assets is highlighted in several places (as above, in the getting started guidelines), as is monitoring and enforcing policies on the software supply chain. For example, third-party software, including open source, should be accounted for as a possible attack surface (AM 1.3). SCA plays an important part in creating a software bill of materials and in identifying exposure to known vulnerabilities in the supply chain.

It's clear that tools play a part in security practice maturity, and although maturity is really about organizational improvement, the optimal use of tools where they make sense is an important part of it. Companies that use tools this way increase the value of their tools and the ROI they receive as their practices mature. The BSIMM points out some themes from companies that are moving towards optimizing their practices and achieving maturity in their software practices. Not surprisingly, there is a role for SAST and SCA in each of these categories (among other tools, of course).

Obviously, as an organization matures in its security practices, its tool use and sophistication increase. It also increasingly uses the data from these tools to drive decisions, which increases productivity because resources are focused in the right place.

The BSIMM11 report provides interesting insights into the state-of-the-art security practices in place in the software industry. It also outlines a framework, based on observing companies at each stage of maturity, for organizations looking to mature their practices to follow. Automation and tools play an important part in supporting more mature processes, and mature companies use tools in a more advanced fashion.

SAST and SCA tools play an important role in software security improvement, and the BSIMM shows increasing integration of tools into security practices as organizations mature. In terms of advanced static analysis, detecting and preventing security vulnerabilities shifts security improvement left, right to the developer's desktop. SCA tools help inventory the software stack and identify areas of risk in the supply chain. Increasing integration and customization of these tools into existing workflows indicates more mature usage.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Mark Hermeling. Read the original post at: https://blogs.grammatech.com/what-the-building-in-security-maturity-model-bsimm-says-about-the-role-of-sast-and-sca

See more here:

What the Building In Security Maturity Model (BSIMM) Says About the Role of SAST and SCA - Security Boulevard

Oversee apps with these 3 application security testing tools – TechTarget

Automated application security testing tools are critical as software applications come with a broad attack surface for cybercriminals to potentially exploit. With over a quarter of them having one or more serious vulnerabilities, applications are easy targets. The consequences of an attack can be devastating for both the application owner and its users, exposing both to financial loss and reputational damage. Even when security is built into the design and development stages of an application, vulnerabilities can still creep in. And in modern continuous integration and continuous delivery (CI/CD) environments, where time is critical and manual code reviews and traditional test plans are time-consuming, IT admins often struggle to comprehensively oversee large, complex applications.

Automated application security testing tools can help developers identify software defects early in the CI/CD pipeline -- when they are easiest to detect, cheaper to resolve and overall less likely to disrupt the next development cycle.

Various laws and standards, such as PCI DSS, HIPAA and NIST 800-53, mandate the use of application security testing tools to address risk management requirements. The recent GDPR and California Consumer Privacy Act have also dramatically increased the potential fines for organizations that don't take appropriate steps to safeguard data.

The latest crop of application security testing tools enables software development teams to regularly check their code base to catch and fix bugs and vulnerabilities throughout the development, deployment, upgrade and maintenance of an application, greatly reducing the risk of a security incident. Commercial and open source application security testing tools and services are widely available, and although they will incur some initial costs, companies will ultimately spend fewer resources to remediate vulnerabilities and possible security incidents.

Application security testing tools can also free developers from tedious work, improving overall productivity. Modern tools incorporated into a developer's integrated development environment (IDE) enable the option to scan smaller sections of code more frequently, providing immediate feedback on potential issues. Application security testing tools not only find vulnerabilities, but also potential weaknesses in the code and its execution, halting the build process, if necessary, until admins remediate the problem and verify resolution. These tools offer repeatable tests that scale well and generate metrics to show how many issues admins detect and fix; track improvements in each developer's code; and track security issues so they don't get overlooked or ignored.

There are three main types of app security testing tools: static application security testing (SAST), dynamic application security testing (DAST) and interactive application security testing (IAST).

Mobile application security testing tools for mobile apps and application security testing as a service (ASTaaS) are two other options teams should consider depending on the nature of their environment. Also, as every project will include some third-party and open source components, a software composition analysis (SCA) tool is important in order to meet compliance regulations as it identifies components and libraries used in an application and checks for vulnerabilities.

No single application security testing tool will uncover every type of security issue. So, admins must plan for a combination of tools in the long run but should attempt to integrate tools as early as possible into the software development process. By automating the search for coding flaws, fixing security defects can become a routine, everyday task similar to fixing functional defects. SAST, along with an SCA tool, is the most common starting point for initial code analysis and will help fix the most common weaknesses and ensure code adheres to coding standards, particularly when the application is written in-house or the team has access to the source code.

Not all security issues are detectable during the software development phase, however, particularly if the source code is unavailable. Many issues only come to light when the application is in use, hence the need for DAST scanners, which crawl a running application before scanning it. This lets the scanner find all exposed input and access points within the application, which are then subsequently tested for a range of vulnerabilities by the scanner. Assessing how the interaction of different components affects security is an important part of reducing an application's attack surface.

The drawback with DAST is that admins must run the tests at a later stage in the software development lifecycle (SDLC), making it more costly to fix the vulnerabilities they discover. IAST tools generally run on the application server, functioning as an agent providing real-time detection of security issues by analyzing traffic and execution flow from within the application. The results can usually feed directly into an issue tracking tool.

The big advantages IAST has over SAST are that its false positive rate is normally a lot lower and that it can handle third-party vulnerability detection to identify problems caused by external or open source components. IAST tools can operate during development, quality assurance and even in production, as there is little effect on overall performance.

A team's development philosophy will also influence the choice of tools. SAST tools fit well into a Waterfall SDLC, as do DAST tools, whereas an Agile or CI/CD environment is better suited to IAST tools as they have a smaller time effect on the development cycle. One important, but often overlooked, feature is reporting. Tools that produce reports that all stakeholders can sufficiently comprehend will help project managers communicate risk and overall security posture. If resources and skill limitations make on-premises options a challenge, buyers should consider ASTaaS to hand off testing to a cloud service.

Any application security testing tool obviously needs to support whatever coding languages an application uses and integrate into the development pipeline, into the target platform -- such as mobile or web -- and with existing IDEs. If the development team doesn't include a security specialist or have the support of a dedicated security team, then they must pay extra attention to a potential tool's ease of setup and configuration as developers won't want to lose time in the setup process.

The size and geographic distribution of the development team, along with budget, will determine which features are necessary in an application security testing tool. Large teams located in different offices or countries will need a tool that can coordinate the management and reporting of all the different application security testing tools running in each location. If the team has less-experienced developers or if past projects contained a high number of bugs and weak coding practices, then e-learning functionality can improve the quality of code going forward.

Buyers should always ask to see a demo and take advantage of free trials to compare them against open source products and to ensure the features and capabilities are worth the investment. It's always possible to complement commercial tools with open source tools if the budget is limited.

Checkmarx provides a full range of tools from SAST, IAST, SCA and just-in-time training to educate developers on specific challenges. It comes with a range of implementation options, from private cloud to on-premises systems, all on a centralized platform to manage each tool. According to company case studies, customers have found setup to be straightforward, particularly combining automated scans with code collaboration tools, such as GitHub, GitLab, Bitbucket and Azure DevOps. Its mobile application security testing platform supports more than 22 coding and scripting languages and their frameworks, with zero configuration necessary to scan any language.

Companies choose Checkmarx over other options because of its ease of integration and ability to run automated scans on more than 100 different applications. One particular banking client also utilized its integration with Jira to assign vulnerability remediation to the relevant developer. Another client reduced development cycle times by scanning only new or altered code instead of running a full scan of the entire database, no longer requiring a dedicated engineer to write rules to automate the false positive elimination process.

Synopsys offers a full range of tools from SAST to IAST, including a plugin that integrates security analysis into IDEs, such as IntelliJ, Eclipse or Visual Studio. This plugin enables developers to correct security flaws in their code as they write without having to switch back and forth between tools. It also provides remediation guidance with context-sensitive e-learning lessons specific to any common weakness enumerations identified in a developer's code, helping avoid similar mistakes in the future. This is a great way to improve security awareness and coding skills of a development team.

The Synopsys Black Duck SCA tool maps open source and third-party components to known vulnerabilities, monitors for new vulnerabilities, and enforces component use and security policies. Its IAST tool, Seeker, monitors web application interactions in the background during normal testing, reporting any vulnerabilities as well as the relevant code. According to Gartner Peer Insights, users say it requires little configuration, making it easy for developers and testers to run checks on a regular basis. One company that was required to meet PCI DSS Section 6 regulations, according to a Flowbird case study, turned to Seeker to understand how data flows through its payment systems and to identify vulnerabilities in relation to their impact on sensitive data, resulting in improved security, less time spent on security testing, and improved communication between security and R&D.

Veracode provides a scalable, cloud-based service for application security and software testing. Its platforms enable end-to-end automated web testing and mobile app testing. As an on-demand SaaS system, it enables teams to more easily control costs, with users only paying for services needed. Veracode also offers penetration testing to manually test web, mobile, desktop, back-end and IoT applications to identify vulnerabilities automated testing can't find.

Veracode also offers Security Labs, which teaches secure coding practices through interactive web apps based on modern threats that developers often exploit and patch. The labs-based approach to developer enablement can speed up flaw resolution and help developers avoid flaws altogether, improving skills and overall awareness of secure coding practices. A free version, Security Labs Community Edition, is also available to any developer worldwide.

Other notable vendors include the following:

The right application security testing tools can decrease time to market, while cutting the costs of development, maintenance and remediation. While monitoring and protecting the production environment are still essential, by preventing vulnerabilities from making it through to the end product, application security testing tools greatly reduce the chances of a security breach -- and the often dire consequences that follow.

Go here to see the original:

Oversee apps with these 3 application security testing tools - TechTarget

Managing competing demands of development velocity and application security – Intelligent CIO ME

Software tools are constantly offering new ways of working which enable organisations to compete. Patrick Carey, Director of Product Marketing at Synopsys, says that as the shape of software development continues to evolve, so too must the mechanisms to secure it.

The first software development team I worked on operated on the following mantra:

Meaning, don't worry about performance optimisations until your code actually does what it's supposed to do, and don't worry about code maintainability until after you know it both works and performs well. Users generally have no idea how maintainable the code is, but they do know if the application is broken or slow. So more often than not, we'd never get around to refactoring the code, at least not until the code debt started to impact application reliability and performance.

Today, that developer mantra has two additional lines:

As with application performance and reliability, delivering an application on time is easily quantified and observed. Everybody knows when you miss a deadline, something that's easy to do when your release cycles are measured in weeks, days, or even hours. The security of an application isn't so easily observed or quantified, at least not until there's a security breach.

It should come as no surprise, then, that nearly half of the respondents to the modern application development security survey, conducted by Enterprise Strategy Group (ESG), state that their organisations regularly push vulnerable code to production. It's also not surprising that for over half of those teams, tight delivery schedules and critical deadlines are the main contributing factor. In the presence of a deadline, what can be measured is what's going to get done, and what can't be (or at least isn't) measured often doesn't get done.

However, "we don't have time to do it" doesn't really cut it when it comes to application security. This is demonstrated by the 60% of respondents who reported that their applications have suffered OWASP Top 10 exploits during the past 12 months. The competing demands of short release cycles and improved application security are a real challenge for development and security teams.

It doesn't have to be this way, and other findings in the survey point to opportunities that teams have to both maintain development velocity and improve application security. Here are just a few:

Reject silver bullets

Gone are the days of security teams simply running DAST and penetration tests at the end of development. A consistent trend shown in the report is that teams are leveraging multiple types of security testing tools across the SDLC to address different forms of risk in both proprietary and open source code.

Integrate and automate

Software development is increasingly automated, and application security testing needs to be too. Over half the respondents indicated that their security controls are highly integrated into their DevOps processes, with another 38% saying they are heading down that same path.

Train the team

Most developers lack sufficient application security knowledge to ensure their code isn't vulnerable. Survey respondents indicated that developer knowledge is a challenge, as is consistent training. Without sufficient software security training, developers struggle to address the findings of application security tests. An effective way to remedy this is to provide just-in-time security training delivered through the integrated development environment (IDE).

Keep score

If what gets measured gets done, then it's important to measure the progress of both your AppSec testing and security training programmes. This includes tracking the introduction and mitigation of security bugs, as well as improvements in both of these metrics over time: who is writing secure code, who isn't, and are they improving?

We must also recognise that there can be too much of a good thing in terms of security tooling. ESG reported over a year ago that organisations, on average, run 25 to 49 security tools from up to 10 different vendors. Some of these are monitoring tools for IT infrastructure, such as network, endpoint, wireless, identities and so on. But it applies to software development as well.

Analysts like Forrester and 451 Research have reported on security tool sprawl in the past year, noting that as many as 40% of organisations admit that their development teams are so overwhelmed by security alerts that they can't respond to at least 25% of them. Indeed, when security alerts are so constant, they become background noise and are ignored, the exact opposite of the intent.

It shouldn't be this way. The right combination of tools that run the right tests at the right time can help security keep pace with development, which has moved into hyperdrive over the past few years. And still, there is a persistent perception that if some tools improve your security, more will improve it even more. Unfortunately, it could be just the opposite. If you pile too many tools on your development team, especially if you can't coordinate them on a single platform, your developers are more likely to ignore critical alerts.

Too many tools can even expand your attack surface if they don't communicate securely or aren't updated regularly. So what can you do?

Take an inventory of your security tools

Eliminate tool sprawl by taking a rigorous inventory and evaluating it. Know what you have and what it's intended to do. It's also of great importance to make sure your tools are properly configured, deployed and up to date. And then evaluate: are they doing what they're supposed to? Is any tool doing the same thing that another tool might be doing better? If a security tool is inferior or redundant, get rid of it. Security clutter is the last thing you want.

Make sure tools complement one another

Be sure your tools can work together. It doesn't matter that a single tool is considered best in class if it can't play nice with all the others. Your tools need to integrate with one another and into your workflow, which makes it easier to embed security into the SDLC from start to finish. As the experts say, the best way to encourage developers to add Sec to DevOps is to make the secure way the easier way.

Integrate tools into your workflow

The way to make security easier, and combat security tool overload in the process, is to integrate your security tools into a single platform with a dashboard that flags bugs and other potential defects as you go. It's far better than forcing developers to return to code they wrote weeks ago to deal with problems you discovered today.

High velocity development is the future, there's no denying it. And while security must keep up with methodologies such as DevOps, it must be carried out in a way that enables development teams to build security into their existing processes. As the shape of software development continues to evolve, so too must the mechanisms to secure it, and that doesn't simply mean an overabundance of security tooling.

Read the original here:

Managing competing demands of development velocity and application security - Intelligent CIO ME