Board approves 16 faculty appointments – Princeton University

The Princeton University Board of Trustees has approved the appointment of 16 faculty members, including two full professors, one associate professor and 13 assistant professors.

Laura Edwards, in history, specializes in legal history. She comes to Princeton this winter from Duke University, where she was hired as an associate professor in 2001 and promoted to full professor in 2005. Edwards previously was on the faculty of the University of California-Los Angeles from 1997 to 2001 and the University of South Florida from 1993 to 1997.

Edwards is the author of four books on the legal history of the American South, including The People and Their Peace: Legal Culture and the Transformation of Inequality in the Post-Revolutionary South (2009), which received the Charles Sydnor Prize, awarded by the Southern Historical Association for the best book on Southern history, and the Littleton-Griswold Prize, awarded by the American Historical Association for the best book on the history of American law and society.

She holds a Ph.D. from the University of North Carolina at Chapel Hill and a B.A. from Northwestern University.

Romain Teyssier, in astrophysical sciences and the Program in Applied and Computational Mathematics, studies computational astrophysics. His appointment is effective in fall 2021.

Teyssier joined the University of Zurich as an associate professor of computational astrophysics in 2013 and was named a full professor in 2019. Teyssier's research involves simulations of cosmic structure aimed at understanding the origin of astrophysical objects such as stars and galaxies. He is the author of the RAMSES code, an open-source code for modeling astrophysical systems.

He earned a Ph.D. from Paris Diderot University, a B.S. from École Nationale Supérieure des Techniques Avancées in Paris and a B.S. from École Polytechnique in Palaiseau, France.

Edward Baring, in history and the University Center for Human Values, will join Princeton this winter from Drew University, where he was appointed assistant professor in 2010 and promoted to associate professor in 2015.

Baring received a Ph.D. from Harvard University and a B.A. from the University of Cambridge.

David Builes, in philosophy, joins the faculty in fall 2021.

Builes, who specializes in metaphysics, epistemology and philosophy of science, holds a Ph.D. from the Massachusetts Institute of Technology and a B.A. and B.S. from Duke University.

Michelle Chan, in molecular biology and the Lewis-Sigler Institute for Integrative Genomics, joins the faculty this fall. She is a specialist in genomics.

Chan received her Ph.D. from the Massachusetts Institute of Technology and a B.S. from the University of British Columbia.

Adji Bousso Dieng, in computer science, joins the faculty in fall 2021.

A specialist in artificial intelligence, she holds a Ph.D. from Columbia University, an M.S. from Cornell University and a Diplôme d'Ingénieur from Télécom Paris.

Jaime Fernandez Fisac, in electrical engineering, began his appointment at Princeton in August. He specializes in robotics, control and artificial intelligence.

Fisac received a Ph.D. from the University of California-Berkeley, an M.Sc. from Cranfield University and a B.S./M.S. from Universidad Politécnica de Madrid.

Yasaman Ghasempour, in electrical engineering, will join the Princeton faculty this winter. Her research focuses on computing and networking.

Ghasempour earned a Ph.D. at Rice University and a B.S. at Sharif University of Technology in Tehran, Iran.

Mohamadreza Moini, in civil and environmental engineering, joins the faculty this winter.

A specialist in architectured materials and additive manufacturing, he received his Ph.D. from Purdue University, an M.S. from University of Wisconsin-Milwaukee and a B.S. from Qom University in Qom, Iran.

Andres Monroy-Hernandez, in computer science, joins Princeton in August 2021 from his position as lead research scientist for Snap Inc. Specializing in computer-human interaction, he has served as an affiliate professor at the University of Washington since 2014.

Monroy-Hernandez holds a Ph.D. from the MIT Media Lab and a B.S. from Tecnológico de Monterrey in Mexico.

Cameron Amadeus Myhrvold, in molecular biology, comes to Princeton this winter. He specializes in virology.

Myhrvold earned his Ph.D. at Harvard University and an A.B. from Princeton in 2011.

Ravi Netravali, in computer science, will join the Princeton faculty in summer 2021 from the University of California-Los Angeles, where he has served as assistant professor since 2019.

A specialist in networking and systems, he holds a Ph.D. from the Massachusetts Institute of Technology and a B.S. from Columbia University.

Yury Pritykin, in computer science and the Lewis-Sigler Institute for Integrative Genomics, joins the faculty this winter. His research concentrates on computational biology and genomics.

Pritykin received a Ph.D. from Princeton in 2014. He also holds a Ph.D. from Lomonosov Moscow State University.

Yunqing Tang, in mathematics, will join the faculty this winter after serving as an instructor at Princeton since 2017. A specialist in number theory, she was a member of the Institute for Advanced Study in 2016-17.

Tang holds a Ph.D. from Harvard University and a B.S. from Peking University.

Aartjan te Velthuis, in molecular biology, joins the faculty this winter.

A specialist in virology, he received a Ph.D. and B.S. from Leiden University in the Netherlands and a B.S. from Saxion University of Applied Sciences in the Netherlands.

Jerry Zee, in anthropology and the Princeton Environmental Institute, joined the faculty in August. He specializes in environmental humanities.

Zee earned his Ph.D. at the University of California-Berkeley and a B.A. at Stanford University.


Why we invite security researchers to hack Azure Sphere – Microsoft

Fighting the security battle so our customers dont have to

IoT devices are becoming more prevalent in almost every aspect of our lives: we will rely on them in our homes, our businesses and our infrastructure. In February, Microsoft announced the general availability of Azure Sphere, an integrated security solution for IoT devices and equipment. General availability means that we are ready to provide OEMs and organizations with quick and cost-effective device security at scale. However, securing those devices does not stop once we put them into the hands of our customers. It is only the start of a continual battle between attackers and defenders.

Building a solution that customers can trust requires investment before and after deployment, complementing up-front technical measures with ongoing practices to find and mitigate risks. In April, we highlighted Azure Sphere's approach to risk management and why securing IoT is not a one-and-done exercise. Products improve over time, but so do hackers, along with their skills and tools. New security threats continue to evolve, and hackers invent new ways to attack devices. So, what does it take to stay ahead?

As a Microsoft security product team, we believe in finding and fixing vulnerabilities before the bad guys do. While Azure Sphere continuously invests in code improvements, fuzzing and other quality-control processes, it often requires the creative mindset of an attacker to expose a potential weakness that would otherwise be missed. Better than trying to think like a hacker is working with them. This is why we operate an ongoing program of red team exercises with security researchers and the hacker community: to benefit from their unique expertise and skill set. That includes being able to test our security promise not just against yesterday's and today's attacks on IoT devices, but against tomorrow's, before they become more broadly known. Our recent Azure Sphere Security Research Challenge, which concluded on August 31, reflects this commitment.

Our goal with the three-month Azure Sphere Security Research Challenge was twofold: to drive new high-impact security research, and to validate Azure Sphere's security promise against the best challengers in their field. To do so, we partnered with the Microsoft Security Response Center (MSRC) and invited some of the world's best researchers and security vendors to try to break our device using the same kinds of attacks a malicious actor might. To make sure participants had everything they needed, we provided each researcher with a dev kit, a direct line to our OS Security Engineering Team, access to weekly office hours and email support, in addition to our publicly available operating system kernel source code.

Our goal was to focus the research where it would have the highest impact on customer security, which is why we provided six research scenarios with additional rewards of up to 20 percent on top of the Azure Bounty (up to $40,000), as well as $100,000 for each of two high-priority scenarios: proving the ability to execute code in Microsoft Pluton or in Secure World. We received more than 3,500 applications, a testament to the strong interest of the research community in securing IoT. More information on the design of the challenge and our collaboration with MSRC can be found in their blog post.

The quality of submissions from participants in the challenge far exceeded our expectations. Several participants helped us find multiple potentially high-impact vulnerabilities in Azure Sphere, a testament to the expertise, determination and diligence of the participants. Over the course of the challenge we received a total of 40 submissions, of which 30 led to improvements in our product. Sixteen were bounty-eligible, adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where the potential risk is specifically mitigated in another part of the system, something often referred to in the field as "by design." The high ratio of valid submissions to total submissions speaks to the extremely high quality of the research demonstrated by the participants.

Jewell Seay, Azure Sphere Operating System Platform Security Lead, has shared detailed information on many of the cases in three recent blog posts describing the security improvements delivered in our 20.07, 20.08 and 20.09 releases. Cisco Talos and McAfee Advanced Threat Research (ATR), in particular, found several important vulnerabilities, and one particular attack chain is highlighted in Jewell's 20.07 blog post.

While the described attack required physical access to a device and could not be executed remotely, it exposed potential weaknesses spanning both the cloud and device components of our product. The attack included a potential zero-day exploit in the Linux kernel to escape root privileges. The vulnerability was reported to the Linux kernel security team, leading to a fix that was shared with the larger open source community. If you would like to learn more and get an inside view of the challenge from two of our research partners, we highly recommend McAfee ATR's blog post and whitepaper, or Cisco Talos' blog post.

With Azure Sphere, we provide our customers with a robust defense based on the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state, even if it has been compromised. While this is essential, it is not sufficient on its own. An organization must also have the resources, people and processes that allow for quick resolution before vulnerabilities impact customers. Azure Sphere customers know that they have the strong commitment of our Azure Sphere Engineering team: that our team is searching for and addressing potential vulnerabilities, even those based on the most recently invented attack techniques.

We take this commitment to heart, as evidenced by all the fixes that went into our 20.07, 20.08 and 20.09 releases. Within 30 days of McAfee reporting the attack chain to us, we shipped a fix to all of our customers, who did not need to take any action because of how Azure Sphere manages updates. Although we received a high number of submissions across multiple release cycles, we prioritized analyzing every report as soon as we received it. The success of the challenge should be measured not just by the number and quality of the reports, but also by how quickly reported vulnerabilities were fixed in the product. When it came to fixing the vulnerabilities found, no distinction was made between those proven exploitable and those that were only theoretical. Attackers get creative, and hope is not part of our risk assessment or our commitment to our customers.

On behalf of the entire team and our customers, we would like to thank all participants for their help in making Azure Sphere more secure! We were genuinely impressed by the quality and number of high impact vulnerabilities that they found. In addition, we would also like to thank the MSRC team for partnering with us on this challenge.

Our goal is to continue to engage with this community on behalf of our customers going forward, and we will continue to review every potential vulnerability report for Azure Sphere for eligibility under the Azure Bounty Program awards.

Our team learned a lot throughout this challenge, and we will explore and announce additional opportunities to collaborate with the security research community in the future. Protecting our platform and the devices our customers build and deploy on it is a key priority for us. Working with the best security researchers in the field, we will continue to invest in finding potential vulnerabilities before the bad guys do, so you don't have to!


Kunai Selected by United Nations Technology Innovation Lab to Become Institutional Contributor of OpenSource Project 1point5 – Business Wire

OAKLAND, Calif.--(BUSINESS WIRE)--In June 2020, the United Nations Technology Innovation Labs programme launched 1point5, a social distancing app aimed at helping the world get back to work safely while the COVID-19 pandemic remains an ongoing reality. As part of the project, the UN tapped Kunai, a product development consultancy based in Oakland, CA, to become an institutional contributor, developing the Safe Teams feature of the social distancing app.

1point5 is a free app that promotes social distancing awareness. It detects the phones of other app users and alerts them when they come within the social distancing range. Kunai contributed to version 2.0 of the application, which includes a Safe Teams feature. This feature allows users to create Teams by scanning a QR code on the devices of people they choose not to socially distance from. Alerts are muted when Team members such as coworkers or family members come within range, while alerts from other app users outside the Team are still delivered. The app is open source and available for free on Android.

"Social distancing saves lives, and the 1point5 app is a clever piece of technology that allows people to know when they're too close," said Maurizio Maria Gazzola, UN-OICT Chief, Strategic Solutions. "Our vision is to #MakeTechInclusive and to demonstrate how brilliant technologists can quickly address pivotal issues related to health and safety during COVID-19 while ensuring the strictest privacy standards."

As private sector tech companies, developers and like-minded organisations look for solutions to current and future crises, Kunai's effort is a clear example of using tech for good to keep people safe and solve problems at scale. Because the 1point5 app does not collect or store any personally identifiable information, it gives individuals peace of mind that they are not being tracked and that their information is not being shared.

"We are excited to partner with the United Nations Technology Innovation Lab to develop 1point5, a timely, groundbreaking social distancing application. It is an example of how public and private organizations can come together to solve large scale issues during this pandemic, while still protecting individuals' privacy," said Sandeep Sood, CEO of Six15. "We hope this app is able to give people the peace of mind to return to a more normal life in times of extraordinary change."

About Kunai

If you would like to contact Kunai for more information please email info@kun.ai


Hacked off with Hacktoberfest – InfoQ.com

Hacktoberfest is a promotion run by DigitalOcean every October to encourage developers to contribute to open-source projects on GitHub. In return, DigitalOcean sends a free T-shirt for four pull requests sent to any repository on GitHub. From the description:

Hacktoberfest is open to everyone in our global community. Whether you're a developer, student learning to code, event host, or company of any size, you can help drive growth of open source and make positive contributions to an ever-growing community. All backgrounds and skill levels are encouraged to complete the challenge.

Hacktoberfest is a celebration open to everyone in our global community.

Pull requests can be made in any GitHub-hosted repositories/projects.

You can sign up anytime between October 1 and October 31.

While well-intentioned, and certainly a means of promoting DigitalOcean, this year has seen more problems than previous years. According to an update published by DigitalOcean, a social media promotion resulted in much higher volumes of low-quality PRs across many GitHub repositories. They have tweeted an apology but are still running the competition and encouraging participants to submit changes.

Because DigitalOcean's offer is valid for any GitHub-hosted repository, there is no way for individual GitHub users or organisations to decline to be part of the challenge. The fact that it is opt-out rather than opt-in (like Google Summer of Code) has caused some resentment, with one disgruntled user claiming that:

For the last couple of years, DigitalOcean has run Hacktoberfest, which purports to support open source by giving free t-shirts to people who send pull requests to open source repositories.

In reality, Hacktoberfest is a corporate-sponsored distributed denial of service attack against the open source maintainer community. So far today, on a single repository, myself and fellow maintainers have closed 11 spam pull requests. Each of these generates notifications, often email, to the 485 watchers of the repository. And each of them requires maintainer time to visit the pull request page, evaluate its spamminess, close it, tag it as spam, lock the thread to prevent further spam comments, and then report the spammer to GitHub in the hopes of stopping their time-wasting rampage.

A new Twitter account, @s**toberfest, has been sending out messages from disgruntled open-source maintainers whose repositories are being spammed with trivial pull requests.

Open-source maintainers have taken to fixing the problem themselves: a new GitHub Action has been created to block known Hacktoberfest spammers, and GitHub itself has announced a temporary workaround that lets maintainers stop users who have not previously contributed from creating PRs or issues, in a message entitled "Hacktoberfest: Help for Maintainers:"

Need to take a break, or limit which people can send a pull request to your repo?

You can now limit interactions for a period of time. Find it in your project settings > moderation settings > interaction limits.

You can set interaction limits for all public repositories in an organisation, or for a single repository.

This has obviously been implemented in a very short space of time, and its main purpose seems to be to stop Hacktoberfest spammers from polluting repositories. Unfortunately, since it needs to be enabled on each repository, spammers are likely to move on to less well-known repositories rather than being stopped altogether.

For its part, DigitalOcean is aware of the problem (as they've noted) but continues to run the promotion. However, given the backlash it has caused, you have to wonder whether the advertising promotion will do more harm than good.

InfoQ has reached out to DigitalOcean and will update this post upon response.


Covid-19 exposure notification apps are coming to US states Quartz – Quartz

For the first six months of the pandemic, the US lagged behind dozens of other countries in rolling out apps to alert citizens when they've come in contact with someone who has tested positive for Covid-19. But states are finally rolling out a wave of apps based on open-source software that has made their proliferation faster and cheaper.

Now people just need to download them.

The most recent additions to the canon are New York and New Jersey, which each launched apps on Oct. 1. By the next day, iPhone and Android users had installed the New York app about 250,000 times, and New Jerseys app about 65,000 times.

Since August, seven other US states and Guam have launched exposure notification apps. Four of them, New York, New Jersey, Delaware and Pennsylvania, were built using open-source code from the Linux Foundation Public Health (LFPH) initiative, which is freely available to any government that wants to adapt it to develop its own app. In September, Apple and Google announced an Exposure Notification Express program to allow states to launch apps without doing any in-house coding at all.

Jenny Wanger, who works with LFPH to help US states get their coronavirus apps off the ground, says eight more state apps are likely to launch by the end of October. "They're going to be able to do it at this point quite quickly and easily and cheaply," she said, noting that states no longer need to hire developers to build new apps from scratch. "I would hope by the end of the year to see the majority of US states with exposure notification technology."

All US state apps operate using the Google Apple Exposure Notification API, which is a procedure for iPhones and Android devices to talk to each other via Bluetooth signals. If you download one of the state apps and stand within six feet of someone else who has one, your phones exchange short-lived random codes that cannot be tied back to your identities.

If you test positive for Covid-19, you can tell your phone to send a list of all the secret codes it has generated to a central database. All app users' phones periodically check that database to see if they've come across those codes. If so, they send an alert to let their owners know they may have been exposed to the virus. Six state apps use the same database, run by the Association of Public Health Laboratories, which means no matter which of the six you download, you can exchange codes with users of any of the others.
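The exchange described in the two paragraphs above, as an added Python simulation written for this page (not code from Quartz, LFPH, Apple or Google): each phone derives a fresh rolling code from a per-day key, phones in range swap codes, a diagnosed user uploads the key they generated (from which every code they broadcast can be re-derived, which is how the real system publishes "the codes it has generated" compactly), and every phone periodically re-derives the published codes and checks them against what it heard. The code derivation is a labelled simplification: the real API runs HKDF and AES-128 over the interval number, whereas this example uses truncated HMAC-SHA256, which keeps the property that matters here, namely that codes cannot be linked to a person or predicted without the key. The scenario (Alice, Bob, Carol and the timestamp) is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

INTERVAL_SECONDS = 600      # one rolling interval is 10 minutes
INTERVALS_PER_DAY = 144     # a temporary exposure key covers one day


def interval_number(unix_time: int) -> int:
    """10-minute interval counter, as in the Google/Apple API."""
    return unix_time // INTERVAL_SECONDS


def derive_rpi(tek: bytes, en_interval: int) -> bytes:
    """Rolling Proximity Identifier (RPI) for one interval, derived one-way
    from the day's Temporary Exposure Key (TEK).
    Assumption: the real API uses HKDF plus AES-128 on a padded interval
    number; truncated HMAC-SHA256 is a stand-in with the same property
    that without the TEK the RPIs look random and unlinkable."""
    return hmac.new(tek, en_interval.to_bytes(4, "little"), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    tek: bytes = field(default_factory=lambda: os.urandom(16))
    tek_start: int = 0                        # first interval the TEK covers
    seen: set = field(default_factory=set)    # RPIs heard over Bluetooth

    def broadcast(self, now: int) -> bytes:
        return derive_rpi(self.tek, interval_number(now))

    def hear(self, rpi: bytes) -> None:
        self.seen.add(rpi)

    def diagnosis_upload(self):
        """What goes to the server on a positive test: the key the phone
        *generated*, from which every code it broadcast can be re-derived.
        Nothing the phone *received* leaves the device."""
        return [(self.tek, self.tek_start)]

    def check_exposure(self, published_keys) -> bool:
        """Periodic check: re-derive each published key's codes and compare
        them with what this phone heard."""
        for tek, start in published_keys:
            for i in range(start, start + INTERVALS_PER_DAY):
                if derive_rpi(tek, i) in self.seen:
                    return True
        return False


class KeyServer:
    """The shared database of diagnosis keys."""

    def __init__(self):
        self.keys = []

    def upload(self, keys):
        self.keys.extend(keys)

    def download(self):
        return list(self.keys)


def meet(a: Phone, b: Phone, now: int) -> None:
    """Two phones within Bluetooth range swap their current codes."""
    a.hear(b.broadcast(now))
    b.hear(a.broadcast(now))


def simulate():
    """Constructed scenario: Alice meets Bob, Bob meets Carol, Alice never
    meets Carol; Alice then tests positive and uploads her key."""
    day_start = interval_number(1_600_000_000) // INTERVALS_PER_DAY * INTERVALS_PER_DAY
    t0 = day_start * INTERVAL_SECONDS
    alice = Phone("alice", tek_start=day_start)
    bob = Phone("bob", tek_start=day_start)
    carol = Phone("carol", tek_start=day_start)
    meet(alice, bob, t0 + 3 * INTERVAL_SECONDS)
    meet(bob, carol, t0 + 5 * INTERVAL_SECONDS)
    server = KeyServer()
    server.upload(alice.diagnosis_upload())
    published = server.download()
    return {p.name: p.check_exposure(published) for p in (alice, bob, carol)}


if __name__ == "__main__":
    print(simulate())   # {'alice': False, 'bob': True, 'carol': False}
```

Only Bob is flagged: his phone heard a code that Alice's published key re-derives, while Carol's phone only ever heard Bob's codes, which no published key can produce. Note that the server never learns who met whom; it only stores keys of diagnosed users, and the matching happens on each phone.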

Wanger said it took a long time to build up all these core enabling technologies: the API for Apple and Google devices to talk to each other, the database of codes that states share, and the open-source software states can copy to make their own apps. But now that they're all in place, it typically only takes four to six weeks for a state to get an app off the ground.

The key question now is how many people will download the apps. Researchers found that if just 15% of the population uses an exposure notification app, it can cut Covid-19 infections by 8% and deaths by 6%.

Correction: Not all US state apps use the Association of Public Health Laboratories database; the apps from Alabama, Virginia, Nevada, and Guam do not. Additionally, phones send a list of all the codes they've generated to a central database, not all the codes they've received.

This story has been updated with estimated downloads of the New York and New Jersey exposure notification apps.


7 ways to use Python in the real world | EC-Council CodeRed Blog – EC-Council Blog

Python holds a distinctive position in the market compared to traditional languages like PHP, Java and C++. It has emerged as a prominent choice for companies like Google, Netflix, Dropbox, Instagram, Spotify and many more. According to the TIOBE Index, Python has climbed the rankings, displacing C++ from third position.

Python is one of the fastest-growing programming languages in the world. According to SlashData, there are 8.2 million active Python users worldwide. Python is used mostly by software engineers, but also by mathematicians, data analysts and students, for purposes such as automation, artificial intelligence, big data analysis and investment tools at fintech companies. Because of its versatility, the demand for skilled developers has increased globally. It opens career opportunities such as Python developer, DevOps engineer, data scientist, data analyst, programmer and many more.

What is Python?

Python is an easy-to-use, powerful, object-oriented programming language suitable for beginners as well as experts. It is a high-level, dynamically typed, interpreted language whose quick edit-and-run cycle makes debugging easy and supports rapid application development. It provides a wide range of libraries that let developers write fewer lines of code, increasing productivity and saving time as well as money.

Python helps companies store, track and manage huge amounts of data. The exponential growth of data has made it a preferred language for organizations such as Dropbox, YouTube, Amazon, Cisco and IBM, to name a few. Learning Python programming online can help beginners kick-start their careers and help close the growing shortage of Python developers.

Python is a top-notch programming language for aspirants from technical and non-technical backgrounds alike. They can start coding almost immediately, since its syntax reads much like plain English.

Python developers are among the highest-paid in the IT industry. The average Python developer salary in the United States is approximately $79,395 per year. Python can be effective in a myriad of areas, a few of which are:

1. Web development: Python provides frameworks for creating web applications, along with libraries that handle protocols such as HTTPS, FTP and SSL/TLS and formats such as JSON, XML and e-mail.

2. Game development: Python is used to build interactive games. Vega Strike and Civilization IV use Python for their game scripting, and libraries such as PyGame and PySoy support writing games directly in Python.

3. Data science: With data available in abundance, extracting relevant information has become important. Libraries such as Pandas and NumPy help reshape the data as needed, and Matplotlib and Seaborn present it graphically.

4. Enterprise applications: Python is widely used by companies to build web applications, analyze data, automate business operations as part of DevOps, and create reliable, scalable enterprise applications. Odoo, an all-in-one suite of business management software, and Tryton, a general-purpose application platform, are both written in Python.

5. Artificial intelligence and machine learning: Python is used to implement algorithms that learn from data and make decisions. Libraries such as Pandas, Scikit-learn and NumPy help build models suited to the problem. AI and ML are used for predictions that help people form strong strategies and find more effective solutions in less time.

6. Big data: Python can handle enormous amounts of data and can be used alongside Hadoop for parallel computing. With the Pydoop library, one can write MapReduce jobs that process data stored in an HDFS cluster.

7. Desktop GUI applications: Python can be used to build user-friendly desktop interfaces with the Tkinter library. Toolkits such as wxPython (the wxWidgets binding), Kivy and PyQt help build simple applications like to-do lists, calculators and more.

Thanks to Python's versatility, it is used not only in the areas mentioned above but also in web-scraping applications, audio and video applications, CAD applications, embedded applications, testing frameworks and task automation. Python is also used extensively in the field of cybersecurity, where securing your network and data has become essential given the steady rise in data breaches.

The EC-Council's Python Security Microdegree program teaches Python programming, including data structures, string operations, OOP concepts, file handling and database management. It also covers advanced topics such as parallel processing, decorators and building cross-platform programs, as well as cybersecurity applications such as socket programming, packet capture and parsing, integrating other languages with Python, cryptography, metadata analysis and password cracking.

The benefit of this Microdegree program is that you are taught by industry experts in self-paced, video-based training, with the option to perform hands-on exercises in our Cyber Range (iLabs, with 55+ virtual labs) and an assessment to help you establish yourself as a secure programmer.

Learn more about the EC-Councils CodeRed Microdegree programs

Whether you are a fresher, want to enhance your skills, or are looking for a career transition, Python can help you land your dream job. Learn Python programming now.

To learn more, visit our CodeRed course page.

FAQs

1. Where is Python mostly used?

Python is popular and widely used across industry sectors such as insurance, finance and fintech, healthcare, entertainment and startups. It is used extensively in data science and machine learning, and it is considered one of the most in-demand career paths.

2. What can you do with Python code?

Because of the simplicity of the language, it can be used in many scenarios. As a scripting language, Python is well suited to automating boring tasks and making them more efficient, and to building web applications. You can learn to create games to your own taste, build things like a fingerprint identification scanner, a stock predictor or a spam detector, and even program robots.


What the Building In Security Maturity Model (BSIMM) Says About the Role of SAST and SCA – Security Boulevard

The BSIMM is an annual study of real-world software security initiatives (SSIs, as the report calls them) across the software industry, drawing on data and experience from 130 organizations. Rather than restate the aim of the study, this quote sums it up best:

The BSIMM is a measuring stick for software security. The best way to use it is to compare and contrast your own initiative with the data about what other organizations are doing. You can identify your own goals and objectives, then refer to the BSIMM to determine which additional activities make sense for you.

In the rapidly changing software security field, understanding what most, some, and few other organizations are doing in their SSIs can directly inform your own strategy.

Executive Summary, BSIMM11.

Measuring stick is the key term here. BSIMM is a way to measure where you stand and make a plan as to where you want to go. It is a way for software organizations to compare how they are doing in comparison to peer companies and to discuss, implement, measure, report and improve.

The BSIMM is organized into domains and security practices, each of which encompasses numerous activities that together make up the framework. This is illustrated in the figure from the report:

[Figure: the BSIMM11 framework of domains, practices and activities. Source: BSIMM11, Part Two, "The BSIMM11 Framework".]

The "maturity model" aspect of BSIMM implies improvement and optimization: it outlines the key practice areas an SSI falls under, and as companies move from an ad hoc approach to a more strategic one they move along the maturity scale. BSIMM describes the levels as emerging, maturing and optimizing, and the study points out that progress isn't necessarily linear and does not always end in the optimizing state.

For this post I am not going to go into detail on all of these, but there are clearly practices where SAST (static application security testing) and SCA (software composition analysis) have a role. I will touch, only briefly, on standards and requirements (SR), code review (CR) and security testing (ST).

BSIMM's recommendations make it clear that tools and automation play an important supporting role in security, and that practice maturity includes more sophisticated use of them. Looking at the governance-led "Getting Started" checklist: item 2, "inventory software", is an important role for SCA; item 5, "do defect discovery", implies detecting existing vulnerabilities, where SAST, SCA and other discovery tools play an important part; item 6, "select security controls", includes setting secure coding standards and prioritising the detection and prevention of high-risk vulnerability classes; and item 7, "repeat", implies automation (including tools), cyclical processes and the adoption of DevSecOps, something every modern tool needs to integrate with. Although these guidelines go beyond the use of tools, it's clear there is an important role for tools in security practice maturity.

In the standards and requirements (SR) practice, emerging activities include security standards, which may impose constraints on developed software to reduce vulnerabilities. Maturing activities identify open source usage so that its risk and exposure can be determined. Optimizing organizations use and enforce secure coding standards, control open source risk, and secure their software supply chain.

Consider also the code review (CR) practice: BSIMM notes that the emerging activity is adopting SAST to work alongside manual review. The maturing activity is using tailored rules and organizing the vulnerability types being targeted into a "Top N" list (the organization's own equivalent of the OWASP or CWE lists). At the optimizing stage, organizations pursue the eradication of critical vulnerability types, automate malicious code detection and enforce coding standards, in all of which SAST plays an important role. As you can see, maturity in practice coincides with maturity in tool usage.
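To make the "tailored rules against a Top N list" idea concrete, here is an added example, not code from the original post or from any BSIMM-listed tool, of a tiny SAST-style rule runner in Python. The three rules, their TOP-N-* identifiers and the sample source being scanned are all constructed for this illustration. The point is that each rule encodes one vulnerability class the organization has decided to target, every match is reported with a line number, and the non-zero exit code lets the same script enforce the standard in CI.

```python
"""Tiny SAST-style rule runner (added example, not from the original post).

Each rule is one Python AST check for a vulnerability class taken from a
hypothetical organization-specific "Top N" list. The sample source below
is constructed; the TOP-N-* rule identifiers are placeholders.
"""
import ast
from dataclasses import dataclass

# Constructed sample source to scan; the trailing comments are not used by
# the scanner, they just mark what each line is meant to trigger.
SAMPLE_SOURCE = '''\
import subprocess, yaml, os

def run(cmd):
    return subprocess.run(cmd, shell=True)   # TOP-N-1: shell injection

def load(doc):
    return yaml.load(doc)                    # TOP-N-2: unsafe deserialization

def calc(expr):
    return eval(expr)                        # TOP-N-3: code injection

def safe(doc):
    return yaml.safe_load(doc)               # no finding expected
'''


@dataclass
class Finding:
    rule: str
    line: int
    message: str


def _call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.run' or 'eval'."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # computed call target, e.g. obj[0](), not handled here


def _keyword(node, name):
    """Value node of keyword argument `name`, or None if absent."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def rule_shell_true(call, name):
    if name in ("subprocess.run", "subprocess.Popen",
                "subprocess.call", "subprocess.check_output"):
        value = _keyword(call, "shell")
        if isinstance(value, ast.Constant) and value.value is True:
            return "subprocess call with shell=True"
    return None


def rule_yaml_load(call, name):
    if name == "yaml.load" and _keyword(call, "Loader") is None:
        return "yaml.load without an explicit Loader"
    return None


def rule_eval(call, name):
    if name in ("eval", "exec"):
        return f"use of {name}()"
    return None


# The organization's Top N, mapped to the rule that detects each entry.
RULES = {"TOP-N-1": rule_shell_true, "TOP-N-2": rule_yaml_load, "TOP-N-3": rule_eval}


def scan(source):
    """Run every rule over every call in `source`; findings sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        for rule_id, rule in RULES.items():
            message = rule(node, name)
            if message:
                findings.append(Finding(rule_id, node.lineno, message))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"{f.rule} line {f.line}: {f.message}")
    raise SystemExit(1 if results else 0)  # fail the build on any finding
```

Running it on the constructed sample reports three findings and exits non-zero; the `yaml.safe_load` call produces none. Real SAST tools add data-flow analysis so that, for example, `shell=True` with a constant command is distinguished from one built from user input, but the rule-per-vulnerability-class structure is the same.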

Software asset inventory is highlighted in several places (including the getting started checklist above), as is monitoring and enforcing policy on the software supply chain. For example, third-party software, open source included, should be accounted for as a possible attack surface (AM 1.3). SCA plays an important part in producing a software bill of materials and in identifying exposure to known vulnerabilities in the supply chain.
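The inventory and exposure check that SCA performs can be shown end to end at a small scale. The following is an added example, not code from the original post or from any SCA product: it parses a Python requirements file into a component list (a minimal bill of materials, with package URLs as the component identifiers), then checks each pinned component against an advisory list. The requirements text and the advisory entries are constructed for illustration, and the ADV-EXAMPLE-* identifiers are placeholders, not real advisories. A real SCA tool would also resolve transitive dependencies and pull advisories from a live feed.

```python
"""Minimal SCA-style inventory and known-vulnerability check.

Added example, not from the original post or any SCA product. The manifest
and advisory data below are constructed; ADV-EXAMPLE-* are placeholders.
"""
import re

# Constructed sample manifest, including one unpinned requirement.
REQUIREMENTS_TXT = """\
# application dependencies
requests==2.19.0
pyyaml==5.4.1
flask==2.0.3   # web framework
jinja2==3.1.2
click>=8.0
"""

# Constructed advisory list: versions strictly below "fixed_in" are affected.
ADVISORIES = [
    {"package": "requests", "fixed_in": "2.20.0", "id": "ADV-EXAMPLE-0001"},
    {"package": "pyyaml", "fixed_in": "5.4", "id": "ADV-EXAMPLE-0002"},
    {"package": "flask", "fixed_in": "2.2.5", "id": "ADV-EXAMPLE-0003"},
]

# Only exact pins ("name==version") can be assessed against an advisory.
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(text):
    """Turn '2.19.0' into (2, 19, 0) for ordering.

    Simplified on purpose: numeric release segments only, and a non-numeric
    suffix such as 'rc1' is dropped. Real tools implement PEP 440 in full.
    """
    parts = []
    for segment in text.split("."):
        digits = re.match(r"\d+", segment)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def build_inventory(requirements_text):
    """Parse a requirements file into pinned components plus the lines that
    cannot be assessed because they are not pinned to one version."""
    components, unpinned = [], []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        match = _PIN.match(line)
        if not match:
            unpinned.append(line)             # e.g. 'click>=8.0'
            continue
        name, version = match.group(1).lower(), match.group(2)
        components.append({
            "name": name,
            "version": version,
            # package URL: the component identifier SBOM formats use
            "purl": f"pkg:pypi/{name}@{version}",
        })
    return {"components": components, "unpinned": unpinned}


def find_vulnerable(components, advisories):
    """Return one finding per (component, advisory) match."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"id": adv["id"], "purl": comp["purl"],
                                 "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    inventory = build_inventory(REQUIREMENTS_TXT)
    for finding in find_vulnerable(inventory["components"], ADVISORIES):
        print(f"{finding['id']}: {finding['purl']} (fixed in {finding['fixed_in']})")
    for req in inventory["unpinned"]:
        print(f"cannot assess unpinned requirement: {req}")
```

On the constructed input, `requests` and `flask` are flagged, `pyyaml` 5.4.1 is not (it is at or above the fixed version), `jinja2` has no advisory, and `click>=8.0` is reported as unassessable. That last case is the practical lesson: an inventory is only as good as the precision of its version data, which is why mature SCA use pairs lock files or resolved dependency trees with the advisory match.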

It's clear that tools play a part in security practice maturity; although maturity is really about organizational improvement, optimal use of tools where they make sense is an important part of it. As their practices mature, these companies get more value, and a better return on investment, from their tools. The BSIMM points out some themes common to companies moving towards optimizing their practices, and, not surprisingly, there is a role for SAST and SCA (among other tools, of course) in each of them.

As an organization's security practices mature, its tool use grows in both extent and sophistication. It also increasingly uses the data from those tools to drive decisions, which improves productivity because resources are focused where they matter.

The BSIMM11 report provides interesting insight into the state of the art in software security practice across the industry. It also outlines a framework, based on observing companies at each stage of maturity, that organizations looking to mature their own practices can follow. Automation and tools play an important part in supporting more mature processes, and mature companies use their tools in more advanced ways.

SAST and SCA tools play an important role in software security improvement, and the BSIMM shows tool integration into security practices increasing as organizations mature. Advanced static analysis detects and prevents security vulnerabilities early, shifting security left to the developer's desktop. SCA tools help inventory the software stack and identify areas of supply chain risk. Deeper integration and customization of these tools within existing workflows is a sign of more mature usage.


*** This is a Security Bloggers Network syndicated blog from Blog authored by Mark Hermeling. Read the original post at: https://blogs.grammatech.com/what-the-building-in-security-maturity-model-bsimm-says-about-the-role-of-sast-and-sca

See more here:

What the Building In Security Maturity Model (BSIMM) Says About the Role of SAST and SCA - Security Boulevard

DigitalOcean Launches App Platform to Simplify Application Development in the Cloud – GlobeNewswire

NEW YORK, Oct. 06, 2020 (GLOBE NEWSWIRE) -- DigitalOcean, the cloud for developing modern apps, today announced DigitalOcean App Platform, a new platform-as-a-service (PaaS) offering that automates infrastructure management so developers can deploy their code to production in just a few clicks. The new offering advances the company's managed services strategy to simplify cloud computing so that developers as well as small and medium-sized businesses (SMBs) can spend more time creating software that changes the world.

"With millions of businesses started in the cloud each year, developers need a simple, fast and scalable way to ship the apps that power their ideas," said Apurva Joshi, VP of Product, DigitalOcean. "With App Platform, we built upon DigitalOcean's proven technology and signature simplicity to provide a fully managed experience that allows developers to stop worrying about infrastructure and get their apps to market faster. And, since it runs entirely on DigitalOcean, App Platform makes it easy for businesses to keep costs low and optimize their resources as they grow."

App Platform maximizes productivity by letting developers deploy code directly from their GitHub repositories. Developers also can choose to re-deploy automatically when updates are pushed to the source repo.

Built on DigitalOcean Kubernetes, App Platform brings the power, scale, and flexibility of Kubernetes to customers without exposing them to any of its complexity. Additionally, since it is built on open standards, App Platform provides customers with more visibility into the underlying infrastructure than in a typical closed PaaS environment. This affords customers the choice of how they want to scale their apps; either through the fully managed, in-built scaling mechanism of App Platform or by taking more control of their infrastructure set-up.

According to DigitalOcean Currents, 65 percent of founders cite technical know-how around maintaining infrastructure as a top barrier to entry for new businesses. By handling common infrastructure tasks like provisioning and managing servers, databases, operating systems, application runtimes, and other dependencies, App Platform makes DigitalOcean's cloud accessible to startups and SMBs that lack the time or expertise required to manage their own infrastructure.

"To fast-track the application development lifecycle, more developers are embracing modern application platforms built on open standards," said Larry Carvalho, Research Director, IDC. "Cloud native technologies powered by open source Kubernetes are now the first choice for developers at companies of all sizes. For startups and small to medium-sized businesses with skills shortages, price, simplicity of experience and reliability are all key considerations, especially for those organizations that prefer a completely abstracted and automated infrastructure environment."

App Platform currently supports many popular languages and frameworks, including Python, Node.js, Go, PHP, Ruby, Hugo and static sites. The product is available now with a free tier for static sites and additional tiers to meet businesses' growing needs. More details on pricing and regional availability can be found here: https://www.digitalocean.com/pricing/#app-platform.

Learn more about App Platform at deploy, DigitalOcean's virtual user conference, on Nov. 10, 2020. To pre-register, visit: https://www.digitalocean.com/deploy/


ABOUT DIGITALOCEAN

DigitalOcean and its Developer Cloud simplify modern app creation for new generations of developers, from individual developers to entrepreneurs at startups and SMBs. Its infrastructure and platform-as-a-service (IaaS and PaaS) solutions allow developers to focus their energy on creating innovative software. By combining the power of simplicity, love for the developer community, an obsession with customer service, and the advantages of open source, DigitalOcean brings software development within technical and economic reach of anyone around the world. For more information, visit digitalocean.com or follow @digitalocean on Twitter.

Media Contact: Angela Maglione, press@digitalocean.com

See the original post:

DigitalOcean Launches App Platform to Simplify Application Development in the Cloud - GlobeNewswire

InfoWorld Announces 2020 Bossie Award Winners for the Most Innovative Open Source Projects and Next Generation Tools – GlobeNewswire

Boston, Mass., Oct. 05, 2020 (GLOBE NEWSWIRE) -- InfoWorld, the technology media brand committed to keeping IT decision-makers ahead of the technology curve, announces the winners of its 2020 Best of Open Source Software Awards, also known as the Bossies. Now in its 14th year, InfoWorld's Bossies recognize 25 innovative products and next-generation tools that give developers and IT organizations the means for easier, faster and more efficient digital transformation.

Selected by InfoWorld's editors and expert reviewers, who work in IT and software development and have practical experience with the leading open source technologies, the 2020 Bossie Award winners fall into four trending technology categories: data analytics, cloud computing, machine learning and software development.

"Like a benevolent Borg, open source sweeps across the software universe year after year, bringing innovation to everything it touches," said Doug Dineley, Executive Editor of InfoWorld. "From better ways to build web applications or machine learning models or automated workflows to faster and more powerful distributed databases and analytics, our 2020 Bossie Award winners will amaze you with what cutting-edge open source software has to offer."

To learn more about the 2020 Best of Open Source Software Award recipients, visit InfoWorld.com.

InfoWorld's 2020 Best of Open Source Software Award Winners:

About InfoWorld Best of Open Source Software Awards

Each year, InfoWorld's Bossies (Best of Open Source Software awards) recognize the best open source software for businesses and IT professionals. InfoWorld's central mission has always been to identify the most innovative products available to developers and IT organizations. Increasingly, those products, ranging from software development tools to cloud infrastructure software to big data platforms, come from open source projects. Bossie winners are chosen by InfoWorld editors and reviewers.

About InfoWorld

InfoWorld from IDG is the leading resource for content and tools for keeping IT decision-makers ahead of the technology curve. The InfoWorld Expert Contributor Network provides a unique perspective in the market; our editors provide first-hand experience from testing, deploying and managing implementation of emerging enterprise technologies. InfoWorld's website (InfoWorld.com) and strategic marketing services provide a deep dive into specific technologies to help IT decision-makers excel in their roles and provide opportunities for IT vendors to reach this audience. InfoWorld is published by IDG Communications, Inc. Company information is available at https://www.idg.com.

Follow InfoWorld on Twitter: @InfoWorld #Bossies2020
Follow IDG on Twitter: @IDGWorld
Join InfoWorld on LinkedIn: http://www.infoworld.com/linkedin
Like InfoWorld on Facebook: https://www.facebook.com/InfoWorld

About IDG Communications, Inc.

IDG Communications connects the world of tech buyers with insights, intent and engagement. We are the world's largest media, data and marketing services company that activates and engages the most influential technology buyers. Our premium brands, including CIO, Computerworld, CSO, InfoWorld, Macworld, Network World, and PCWorld, engage a quality audience of the most influential technology buyers, providing essential guidance on the evolving technology landscape.

Our global data intelligence platform activates purchasing intent, powering our clients' success. IDG Marketing Services creates custom content with marketing impact across video, mobile, social and digital. We execute complex campaigns that fulfill marketers' global ambitions seamlessly, with consistency that delivers quality results.

View original post here:
InfoWorld Announces 2020 Bossie Award Winners for the Most Innovative Open Source Projects and Next Generation Tools - GlobeNewswire

Open Source Services Market – Growth Drivers and Restraints Impacting the Dynamics 2019 2027 – Press Release – Digital Journal

Global Open Source Services Market Analysis By Size By Service Type, By End-Use Industry, By Geographic Scope And Forecast 2027

This press release was originally distributed by SBWire

Leeds, West Yorkshire -- (SBWIRE) -- 10/05/2020 -- Open Source Services Market Size And Forecast

Open Source Services Market was valued at USD 12.96 Billion in 2018 and is projected to achieve USD 66.40 Billion by 2026, rising at a CAGR of 23.10% from 2019 to 2026.

Open source services offer numerous advantages, such as high flexibility and effectiveness in performing tasks, together with a reduction in total cost of ownership; owing to these benefits, the market for open source services is expected to grow at an unprecedented rate. The Global Open Source Services Market report gives a holistic analysis of the market, including a complete evaluation of key segments, trends, drivers, restraints, the competitive landscape, and the factors playing a considerable role in the market.

Browse Report Details - https://www.researchreport.co.uk/Reports/Global-Open-Source-Services-Market

What are Open Source Services?

Open source service providers focus on open source technology across the whole technology spectrum, from servers to data integration software to demanding business solutions such as customer relationship management (CRM) and big data. Open source services are customized to a corporation's requirements around open source software and are delivered through the same basic options as conventional IT service offerings. The principal benefit of open source software is that it allows coders from different backgrounds and with unique perspectives to make regular updates that improve the value and adaptability of the code. Open source services find use in business process management, data integration, cloud management, project management, and web content management.

Global Open Source Services Market Overview

The global open source services market is growing exponentially owing to the rising availability of open source platforms, the flexibility to modify the code, and a growing tech-savvy population. Open source services allow customers to modify and interact with the source code. As the number of users altering the code and improving its performance and adaptability rises, its value increases proportionally. Open source services provide corporations with enhanced security, quality, and cost-effectiveness, owing to which the market is gaining traction. Moreover, open source software does not require customers to pay upgrade costs or any kind of multi-user or administration fees.

Nevertheless, some restraints limit the growth of the global open source services market. Building an application from open source software requires intensive work in areas such as collaboration tools, data synchronization, data management, and load balancing, which may hold back the growth of the market.

PDF Sample of Report with Details - https://www.researchreport.co.uk/Request-Sample/113227

Global Open Source Services Market Segmentation Analysis

The Global Open Source Services Market is segmented based on Service Type, End-Use Industry, and Geography.

Open Source Services Market by Service Type

- Support, Maintenance, and Management Services
- Training Services
- Consulting Services
- Implementation

The above services are gaining adoption in startups as well as established businesses. The consulting services segment is expected to gain the largest market share during the forecast period, owing to companies increasingly developing strategies to make developers more aware of Linux and other open source packages.

Open Source Services Market by End-Use Industry

- Banking, Financial Services, and Insurance (BFSI)
- Healthcare and Life Sciences
- Manufacturing
- Retail and Distribution
- Others

The manufacturing industry is expected to register the maximum growth in the market. The dominance of the manufacturing segment is credited to its high adoption of production planning, inventory planning, and demand forecasting systems.

Open Source Services Market by Geography

- North America
- Europe
- Asia Pacific
- Rest of the World

North America will hold the largest share of the market. The region's dominance is attributed to enterprises rapidly adopting these services owing to technological development in the region.

Request Discount - https://www.researchreport.co.uk/Request-Discount/113227

Key Players In Open Source Services Market

The "Global Open Source Services Market" study report provides valuable insight with an emphasis on the global market. The major players in the market are:

- Red Hat
- Cisco Systems
- Accenture
- IBM
- Infosys
- Wipro
- ATOS
- HCL
- HPE
- Oracle

Contact Us

Name - Alex Jones
Phone - +442037693786
Email - help@researchreport.co.uk
Website - https://www.researchreport.co.uk/

About us

Research Report UK offers premium-quality market intelligence, market research, industry analysis reports and forecast data for different domains across the business industry. Research Report fully understands the importance of market analysis for strategy implementation in any organization or association. In order to provide the quickest and most dependable solution, Research Report has partnered with major market research and consultancy firms. This portfolio offers market analysis reports in one place for different business verticals. Research Report ensures it offers you the most reliable and highest-quality market research available.

For more information on this press release visit: http://www.sbwire.com/press-releases/open-source-services-market/release-1307872.htm

Originally posted here:
Open Source Services Market - Growth Drivers and Restraints Impacting the Dynamics 2019 2027 - Press Release - Digital Journal