Getty Images

A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on Github, Docker, AWS, and other code repositories, security experts said in a new report.

The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with malware before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.

Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at the Aqua Security firm are reporting. A series of two batches of data the researchers accessed using the Travis CI programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.

"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."

Travis CI is a provider of an increasingly common practice known as continuous integration. Often abbreviated as CI, it automates the process of building and testing each code change that has been committed. For every change, the code is regularly built, tested, and merged into a shared repository. Given the level of access CI needs to work properly, the environments usually store access tokens and other secrets that provide privileged access to sensitive parts inside the cloud account.

The access tokens found by Aqua Security involved private accounts of a wide range of repositories, including Github, AWS, and Docker.

Aqua Security

Examples of access tokens that were exposed include:

The following graph shows the breakdown:

Aqua Security

A representative for Code Climate, the service shown in the chart above, said the credentials found by Aqua Security don't provide hackers with unauthorized access. "These are Test coverage tokens, used to report test coverage to Code Climates Quality product," the representative said. "Unlike the other tokens mentioned in this post, these tokens are not considered secret, and cannot be used to access any data."

Aqua Security researchers added:

We found thousands of GitHub OAuth tokens. Its safe to assume that at least 10-20% of them are live. Especially those that were found in recent logs. We simulated in our cloud lab a lateral movement scenario, which is based on this initial access scenario:

1. Extraction of a GitHub OAuth token via exposed Travis CI logs.

2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.

3. Lateral movement attempts with the AWS access keys in AWS S3 bucket service.

4. Cloud storage object discovery via bucket enumeration.

5. Data exfiltration from the targets S3 to attackers S3.

Aqua Security

Travis CI representatives didn't immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials periodically. They should also regularly scan their code artifacts to ensure they don't contain credentials. Aqua Security has additional advice in its post.

Post updated to add comment from Code Climate.

Link:
Credentials for thousands of open source projects free for the takingagain! - Ars Technica

To sign up for our daily email newsletter, CLICK HERE

A programming tool, also known as a software development tool, is a program or application that programmers use to create, debug, maintain, and support other programs and applications. The word usually refers to a set of very simple programs that may be assembled to complete a task, similar to how many hand tools can be used to repair a real object. Its difficult to tell the difference between tools and applications. Simple databases (such as a file holding a list of significant values) are frequently used by developers as tools. A full-fledged database, on the other hand, is normally considered of as a separate application or piece of software. CASE (computer-assisted software engineering) tools have been in demand for a long time.

Successful tools have been difficult to come by. In certain ways, CASE tools, such as UML, prioritized design and architecture support. IDEs, on the other hand, have been the most successful of these tools. One of the characteristics of a professional software engineer is the ability to use a number of tools effectively. A program is a sequence of instructions that instructs the computer to do a variety of tasks; often, the instruction it is to perform is dependent on what happened after it completed a previous instruction. This section outlines the two major ways in which youll provide these instructions, or commands as theyre commonly known. One method employs an interpreter, while the other uses a compiler.

Software are very useful for manipulating and interpreting the concepts. Just like the Arduino that makes our life as easy as we can design multiple applications using it. If you want to control the speed and direction of DC motor of robotics car we can implement this task using Arduino.

Best Programming tools:

The most famous and useful programming tools are:

Every day, software developers are confronted with a large amount of information to remember. New technologies, keyboard shortcuts, software requirements, and best practices are all things to be aware of. Many of us reach a limit on how much we can keep in our thoughts at some point. Evernotes free tier gives you an external brain, a place where you may store learnings, articles, information, and keyboard shortcuts or commands. Its always there when you need it because its cloud-based.

Trello is a project management app that is both simple and free. Its an app that lets you make columns or swim lanes and arrange cards in them. These cards can represent jobs that need to be performed or labor that needs to be done.

GitHub created Atom, a relatively new code editor. Its open source and free, and it looks fantastic. Its also quite simple to use. Atom is a terrific tool for hacking at scripts or working on side projects, even if you use a more feature-rich IDE for your development at work. Atoms markdown preview mode is one feature that sets it apart from other code editors. When working on Readme files and other documentation, you can enter notes in markdown and get an inline preview.

Unity is a free, end-to-end game engine that makes it easier than ever to develop professional, cross-platform games. Its usual for software developers to dismiss game development as cool but too difficult, but with an infusion of high-quality tutorials and ongoing updates to Unitys tooling, the barrier to entry has never been lower. By dabbling in a totally different sort of programming, youll obtain insights and ideas that will help you become a better programmer overall, and youll probably have a lot of fun doing it.

Code Climate is a code analysis tool that rates your software based on test coverage, complexity, duplication, security, style, and other factors. It comes with a two-week trial period. Even if youre not willing to pay, Code Climate can provide you with a wealth of information on the code quality of your most recent personal project, orif your team is on boardthe product or service youre developing. You definitely have a sense for code smells as a software developer: things that could be better. When you have a lot of things wrong with your code, it might be difficult to know where to start.

See original here:
What are the Most Famous Programming Tools and Techniques? - Programming Insider

Snowflake has announced plans to bring Python "to the forefront of its Data Cloud platform with upgrades that extend support for the programming language.

At its annual user conference, Snowflake Summit, the database company announced an expansion of its Snowpark developer framework that will give users easy access to a bounty of open source Python packages and libraries.

Now moving from private beta to public preview, Snowpark for Python promises to "improve programmability for data scientists, data engineers and app developers", Snowflake says.

Snowflake first introduced Snowpark in preview back in January 2021, before pushing the service to general availability earlier this year. Broadly, the objective was to give developers a simple and efficient way to program data in their language of choice.

"Our goal was to eliminate inefficient data pipelines and optimize processes and tasks that companies may be using just to get everyone on the same (data) page, said the firm, at the time of the launch.

Ultimately, Snowpark enables teams with different skill sets to collaborate and work on the same data, process data faster and more easily, and make data security and governance a top priority.

When it first went live, the Snowpark sandbox offered support for Java and Scala only, but the latest update now brings another of the world's most popular programming languages into the fray.

To supplement the rollout of Snowpark for Python, Snowflake also lifted the lid on a series of related upgrades that are currently under development. These include a native integration with Streamlit and other facilities designed to support the development and deployment of machine learning products written in Python.

Separately, the firm announced a private preview for a new service that will allow customers to access data stored in on-premise servers from within the Snowflake ecosystem, affording organizations the benefits of the cloud-based platform without the hassle of data migration.

"We are investing in Python to make it easier for data scientists, data engineers and application developers to build even more in the Data Cloud, without governance trade-offs," said Christian Kleinerman, SVP Product at Snowflake.

"Our latest innovations extend the value of our customers' data-driven ecosystems, enabling them with more access to data and new watts to develop with it in Snowflake. [These capabilities] are changing the way teams experiment, iterate and collaborate with data to drive value."

Disclaimer: Our flights and accommodation for Snowflake Summit 2022 were funded by Snowflake, but the organization had no editorial control over the content of this article.

See more here:
Snowflake is going big on one of the world's most popular programming languages - TechRadar

What's the most important programming language to learn in 2022? That's an open question, but one way to answer it is to look at languages that are currently trending.

Some of them are well-established coding languages that have long been popular. Others are newer languages that are just now entering their heyday. Either way, they're languages worth familiarizing yourself with.

Related: Is PHP Dying? No, but It Has an Image Problem

Here's a roundup of what are arguably the trendiest programming languages in 2022.

1. Python: When talking about hot programming languages in 2022, the list must start with Python. Probably no language is having a better year than Python, which recently slid into first place to become the very most popular language of all. You could argue that Python doesn't quite deserve that status, but the fact is that it enjoys it.

Related: COBOL Language Still in Demand as Application Modernization Efforts Take Hold

2. Go: Go (or Golang, as it's formally known) has long been a "cool" programming language partly because it traces its roots to Google (which is a hotbed of coolness, technologically speaking) and partly because it's fast to write, fast to compile, and fast to run.

3. OPA: Open Policy Agent, or OPA, isn't technically a programming language. It's a policy language that lets you define resources using code. That makes it a hot language, however, in a world increasingly obsessed with doing "everything as code."

4. Swift: If you develop anything for the world of Apple whether on macOS, iOS, or any other *OS platform Swift is a language you absolutely need to know today. It's also a relatively easy language to code in, by many accounts.

5. C: C, which turns 50 this year, may be old, but it remains relevant as ever and is still a hot programming language in 2022. It's messy, it's fast, and it's essential for a wide variety of programming tasks.

6. Java: It's arguably hard to get excited about Java a language that is tedious to code in and whose code is relatively slow. But the fact is that Java was the most popular programming language for years, and tons of stuff are still written in it. Whether you actually enjoy coding in Java or not, it remains an important language as of 2022.

7. JavaScript: JavaScript is not the same as Java, but they're similar in that tons of stuff are written in JavaScript, too. If you are creating web apps in particular, JavaScript is probably the most important language for you to learn today.

About the author

Read more:
Top 7 'Hot' Programming Languages of 2022 - ITPro Today

(Washington, DC) Today, Mayor Muriel Bowser and community members broke ground on the Stead Park Recreation Center in the Dupont Circle Historic District. The $15.4 million project will preserve the history of Stead Park while modernizing the grounds and expanding the facility to create more accessible, integrated spaces for exercise, play, and community engagement. The project will also deliver the first Net Zero Energy-Ready recreation space within the Department of Parks and Recreation (DPR) portfolio, project-managed by the Department of General Services (DGS). Families in DC love our parks and open spaces, and we love delivering spaces and facilities that meet the needs of our communities which is what we will do right here at Stead Park, said Mayor Bowser. These continued investments and improvements are why the District, for the past two years, has been recognized for having the best park system in the nation. The project consists of a 1.5-acre park and an existing historic carriage house named for Mary Force Stead as the primary building entry. Upon completion in 2023, the project will offer additional indoor recreational spaces, improved playgrounds and outdoor gathering spaces, and improved lighting. The recreation center will also have a solar canopy that includes a high-performing renewable energy system to offset all or most of its annual energy consumption, operating with a net zero energy consumption to save tax dollars.Starting in 2017 we have been engaged with the community on what the future of Stead Park will become, said DGS Director Keith A. Anderson. I am pleased that we are breaking ground on a project that has recreational elements for everyone and that will save on energy costs for the District.The Stead Park modernization will honor Mary Force Steads wish that the space be maintained for the perpetual use of the children of Washington, as noted from the carriage house plaque honoring her memory. The Friends of Stead Park donated $500,000 to support this project.We at DPR are incredibly excited about the modernization of the existing carriage house at Stead and the construction of an addition to the recreation center that will help foster community engagement and provide quality recreational programming in this vibrant neighborhood of Dupont Circle, said DPR Director Delano Hunter.Mayor Bowsers Fiscal Year 2023 Fair Shot Budget invests over $365 million over the next six years to improve parks and recreation facilities across the District. Additionally, the Mayor invested $13.5 million for Recreation for A.L.L. a new DPR initiative to expand recreation offerings and ensure all District residents, particularly young people, have access to high-quality recreational programming.To learn more, visit https://dgs.dc.gov/page/stead-park-recreation-center-project.

Social Media:Mayor Bowser Twitter:@MayorBowserMayor Bowser Instagram:@Mayor_BowserMayor Bowser Facebook:facebook.com/MayorMurielBowserMayor Bowser YouTube:https://www.bit.ly/eomvideos

Continue reading here:
Mayor Bowser Breaks Ground on Modernization of Stead Park Recreation Center | mayormb - Executive Office of the Mayor

SAN FRANCISCO--(BUSINESS WIRE)--Iterative, the MLOps company dedicated to streamlining the workflow of data scientists and machine learning (ML) engineers, today announced a free extension to Visual Studio Code (VS Code), a source-code editor made by Microsoft, for experiment tracking and machine learning model development.

VS Code is a coding editor that helps users to start coding quickly in any programming language. The DVC Extension for Visual Studio Code allows users of all technical backgrounds to create, compare, visualize, and reproduce machine learning experiments. Through Git and Iteratives DVC, the extension makes experiments easily reproducible, unlike traditional experiment tracking tools that just stream metrics.

This is an open source VS Code extension for machine learning practitioners looking to accelerate their model development experience, said Ivan Shcheklein, co-founder and CTO of Iterative. It simplifies data scientists' machine learning model development workflows and meets ML modelers where they work. This extension eliminates the need for costly SaaS solutions for experiment tracking, turning VS Code into a native ML experimentation tool, built for developers.

The extension complements the existing VS Code UX with features using the Command Palette, Source Control view, File Tree explorer, and even custom in-editor webviews, to aid data scientists in their model development and experimentation workflows. Users can pull and push versioned data, run and reproduce experiments, and view tables and metrics.

"Beyond the tracking of ML models, metrics, and hyperparameters, this extension also makes ML experiments reproducible by tracking source code and data changes," said Dmitry Petrov, CEO of Iterative. Iteratives experiment versioning technology that was implemented in DVC last year makes this reproducibility possible."

The VS Code extension offers data scientists the ability to view, run, and instantly reproduce experiments with parameters, metrics, and plots all in a single place, as well as manage and version data sets and models. The extension also provides resource tracking so that data scientists can see which data sets and models have changed and allows exploration of all files of a project or model. Other features include live tracking to see how metrics change in real-time, cloud-agnostic data versioning and management, and native plot visualization.

The VS Code extension helps organizations:

DVC, the underlying open-source technology behind the extension, brings agility, reproducibility, and collaboration into the existing data science workflow. It provides users with a Git-like interface for versioning data and models, bringing version control to machine learning and solving the challenges of reproducibility. DVC is built on top of Git and creates lightweight metafiles, which enable the data science and ML teams to efficiently handle large files that otherwise cant be stored.

To learn more about the VS Code extension, check out the blog and get started today.

About Iterative

Iterative.ai, the company behind Iterative Studio and popular open-source tools DVC, CML, and MLEM, enables data science teams to build models faster and collaborate better with data-centric machine learning tools. Iteratives developer-first approach to MLOps delivers model reproducibility, governance, and automation across the ML lifecycle, all integrated tightly with software development workflows. Iterative is a remote-first company, backed by True Ventures, Afore Capital, and 468 Capital. For more information, visit Iterative.ai.

Link:
Iterative Introduces First Machine Learning Experiment Tracking Extension for Microsoft Visual Studio Code - Business Wire

CINCINNATI and BERLIN, June 16, 2022 /PRNewswire/ -- Pre-seed round tech startup Anomaly Scienceannounced its patent-pending business proposal for "Particles" - a method for the management and fiscal sponsorship of open-source projects, Web3 initiatives, decentralized projects, and tokenization of intellectual property rights through the creation and utilization of smart contracts and blockchain technologies.

"Anomaly Science is headquartered in Cincinnati, Ohio," explained 19-year-old CEO Jacob Haap, "But I knew we needed to be ready to do business in multiple countries. That's why I moved to the European Union."

Haap's vision is to lower the entry-level to computer programming, and potentially other types of business, for people who have ideas but no corporate structure for support.

"(Jacob Haap) is going to make it so that everybody, anybody, can create any kind of breakthrough software with a variety of different programmers who are all going to work independently, and together, at the same time,"said American venture capitalist Tim Draper. "And it's going to be really awesome because all of those programmers (won't) have to deal with the SEC and all that other stuff because they are all under one corporate roof, but they can operate as entrepreneurs. They can have ownership in what they do. I think if you're a programmer, you should talk to Jacob."

Haap is a 2021 graduate of Draper's Hero Training program through Draper University, one of the top pre-accelerator programs in the world.

"I didn't know what to expect when I enrolled forDraper's Hero program," says Haap. This year's cohortfeatured over 80 entrepreneurs from an original applicant pool of over 2,000. The average age of the participants was 29. "As someone who just graduated from high school, I originally felt different from people who had been actively working in the business for years. But very quickly, I realized I was onto an idea with real potential."

During an event called Demo Day, over 80 entrepreneursgathered in San Mateo, California to give pitches to an audience of investors. A panel of judges ranked Haap's presentation third place, adding even more traction to his startup. Since then, Haap took his initial investment, continued to develop his business plan, and built proof-of-concept interfaces for linking crypto walletswith his hybrid source-code repository. "We are ready to take the next step with an investor who sees the amazing potential in the model we have built around Particles," explained Haap.

"Particles open a new door," continued Haap, "enabling greater collaboration and sharing of work, creating knowledge pools and hybrid-source codebases, and a means to do business in our growingly decentralized world that can function across international borders nearly seamlessly."

Anomaly Science is currently trying to start seed round funding with a goal of 500k. This is an opportunity for investors to become part of a transformational approach to doing business.

About Anomaly Science

Anomaly Science is a company building the bridge to Web3, making it easier for decentralized projects to take flight, lowering the level of entry to software development, and giving power back to software developers.

To learn more about Anomaly Science, you can reach us via email:[emailprotected]or visit our websiteanomsci.comto join the waitlist.

Media ContactJacob Haap[emailprotected]+49 175 2954140

SOURCE Anomaly Science

See original here:
Particles: The Beginning of a New Age in Decentralization - PR Newswire