Why use of Open Source must be accounted for in Business Continuity Planning of a business – Lexology

Today, businesses routinely use Open Source Software to develop commercial software. A critical concern for such businesses remains ensuring business continuity at all costs.

Could the use of Open Source Software hamper business continuity? We investigated a landmark security event in the history of Open Source Software to examine this question.

The Comfort or peril of using Open Source Software

Open Source Software provides unique building blocks for software development in today's age. The time, effort and investment that would have been required to build similar software from scratch using a dedicated in-house team is unimaginable! Most companies today understand the trade-off very clearly and therefore allow the use of Open Source Software in their projects, while greenfield development is kept focused where the core Intellectual Property of such companies lies.

Companies often frame detailed policies to regulate the use of Open Source Software, which we will discuss in further detail in later blog posts, drawing on our experience of creating Open Source Policies for different types of companies.

So, there is an evident Comfort in using Open Source, yet such use of Open Source is not without its own peril.

Remember Heartbleed!

Heartbleed was detected as a serious security vulnerability on 1st April, 2014, which led many commentators to gasp and note that this could be the worst kind of vulnerability seen since the beginning of the Internet.

Just to refresh the memory, it is suspected that while OpenSSL was being updated with the Heartbeat extension, the vulnerability might have crept into the source code through a possible coding oversight by the developers as far back as 2012. Though often contested, it is also suspected that some busybodies might have exploited the vulnerability at least five months prior to its eventual detection and disclosure to the public.

Codenomicon, now acquired by Synopsys, maintains a page at https://heartbleed.com/, which works as a constant reminder of the vulnerability that had a massive effect on IT infrastructure maintainers across the globe.

But then we ask: what happens when such a vulnerability gets detected and, even worse, when a threat actor exploits it?

The typical responses of businesses range from immediately stopping access to such software completely and introducing a patch to rectify the vulnerability before re-initiating access, to negotiating with the threat actor for recovery of lost data while tackling questions from privacy regulators as well as the data owners in parallel.

Amid all of this, Business Continuity gets lost, raising serious questions about the Company's readiness to ensure business continuity.

What could cause such a peril?

While facing Heartbleed, a pertinent question got asked: was it avoidable?

Through a blog post by Steve Marquess, the then CEO of the OpenSSL Software Foundation, we get a rare view of the inner workings of such a popular Open Source Project. Steve says that most of the revenue collected by the OpenSSL Software Foundation comes from two streams: donations and commercial contracts for support.

Though the project had been very popular even before Heartbleed happened, it is evident that the flow of money into the project had been scarce compared to what would be required to maintain a project of such scale. Also, it seems the developers, who were mostly working part-time on the project, were driven above all by their passion to create, and even though they were highly capable, an oversight could not be ruled out.

Post Heartbleed, when the issue came to the fore, financial support got extended from different quarters.

Even at the peril of hindsight bias, it could be argued that the incident was not entirely unavoidable or, at least for the businesses that got affected, unpredictable, given the clear indicator that such an important project had such an informal approach towards maintenance.

What should bother most businesses is that the propensity for such an error, due to the lack of support for most Open Source Projects, at least in their initial stages and without formal backers, is more the rule than the exception.

So, what do you do?

Review. The first step is determining the Open Source Software that matters to your business. While advising our Clients, this is the most common response that we receive: our code has grown organically, and we aren't able to distinguish Open Source Software from the code written in-house.

Revise. Check for, and rectify, any Open Source Software with known identifiers that can cause you trouble. If the need arises, plan to move towards mature and robust Open Source Software if you do not intend to move to developing in-house, and better, contribute to the Community through donations, commercial support or vulnerability rectifications. It is always a great practice to remain invested in the Community that supports your business.

Prepare to Respond. Finding a vulnerability is inevitable. The strength of a business is a function of how the business responds to a crisis. So, define a response plan in case a Heartbleed strikes your business, including who would respond to it, how you would arrest it, and how you would communicate with your Clients, Partners, Regulators etc.

Remember, your comfort in using Open Source Software must not affect your Business Continuity.


Consumer IoT is broken and our stupid optimism is to blame – Stacey on IoT

Some of us have a closet full of connected devices that at one time represented the cutting edge of smart home tech: devices like the Revolv hub, the Lighthouse camera, the Jibo robot, the Petnet feeder, and the original Sonos speakers. And while most of us were able to shrug off the end of Juicero and the related loss of $400 as the inevitable cost of living the early adopter lifestyle, the perception of expensive, short-lived gadgets haunts consumer IoT.

Every time these stories hit the tech press or the mainstream media, a much larger group of people congratulate themselves for not buying into the latest hype around connected devices and smart homes. They recognize that this tech is new, unproven, and likely not as convenient or necessary as its creators claim. Which is why, even more than the lack of standards that we in the smart home world constantly bemoan, the lack of faith in the life of a connected product hurts the IoT. After all, if you can't convince someone to buy a connected product in the first place, they'll never reach the point where they'll want it to interoperate with other devices.

So what's the industry to do? The common demand after a product fails and the companies that make them tell their customers they're turning off the servers (if they do, in fact, tell customers that) is to open-source the device code so the tech-savvy early adopters can keep the device operational. But while this sounds great, it's akin to cryonically freezing your head in the hopes of coming back to life after death.

Getting the code running on a connected device without having access to the backend cloud code and the application code may allow the device to run, but the overall experience will suffer. The device may work, but it won't have a good interface (or you'll have to build and maintain it) and it won't have a cloud component for remote access and other functionality (unless you build and maintain it). Just like your newly thawed head will need a body, the open-source device code needs someone to build and maintain a cloud backend and a mobile application.

There are third-party companies such as Digital Dream Labs, which raised funds to take over the support and development of the Anki Vector robot, that are attempting to take device code and build infrastructure around it. But doing so requires expertise, time, and money. Are customers willing to pay someone a second time just to keep their devices running?

So when asking a company to open up its source code for a connected device, ask yourself: if your frozen brain were successfully revived, would that be enough for you?

Such partial resurrection was the plan all the way back in 2015 when we started seriously discussing what happens when connected products fail. Some companies put code in escrow so people could have it later and maintain it. In the meantime, I encouraged venture firms, entrepreneurs, and development shops to think about failure and how their product might gracefully degrade to give the consumer time to come to terms with the loss.

Now I realize that keeping code in escrow and thinking about failure are only part of the solution. Granted, because people crazy enough to build a connected pet feeder are often stupidly optimistic, it's still good advice. Please do think about what happens if your business fails so you can build a decent experience for the end consumer. Also, set milestones that indicate failure so you can warn your customers in time and perhaps allocate some of the diminished cash on hand to ensuring a graceful shutdown.

By far the greatest challenge for connected device companies is the ongoing cost of operating those devices. An investor in Mellow, the maker of a connected sous vide machine that recently told customers they needed to pay a subscription fee or see certain features vanish, explained the issue. He told me that the company has roughly $4,000 in monthly costs associated with the device and those costs go up the more people use it. And that doesn't include the ongoing costs associated with having a developer update the Android and iOS apps.

Some of those monthly bills might be lowered by choosing a different cloud architecture or security platform, but every connected device company has to account for ongoing maintenance costs. And the more features a company adds and the more customers it has, the higher those costs tend to go. At an event I hosted in August, Matt Van Horn, CEO of June Life, said that his company's cloud bill continues to rise, and he doesn't have the resources or cloud infrastructure that Amazon or Google do.

So one option might be to only buy gadgets made by those companies, since I doubt AWS is going to shut Alexa down if that business unit stops paying its cloud bills. But that's a really limiting option for consumers and for innovation in the sector overall. Nate Williams, a former employee at August and now an investor at Union Labs Ventures, says he thinks some kind of model built around an independent organization that companies pay into, and that will operate and support a device and the supporting server code going forward, might help.

He initially likened it to a homeowners association for smart home devices, but given the negative connotations around HOAs, then clarified that he was seeking a sense of shared responsibility as opposed to something punitive. But I think having a little enforcement might actually be good. We could see companies pay into an organization that ensures a product has a year or 6 months of cloud and developer costs in escrow to at least ensure a failed company can keep a product running for a little while longer after giving customers notice that it will die.

That organization should also have some sort of provision for getting the remaining stock of a defunct product off the shelves. Indeed, I'd love to see retailers like Best Buy or Amazon get involved. Kickstarter or Indiegogo might also be good members of such an organization to add a little more credibility to the products launched on their platform.

This sort of upfront cash that would be held in escrow to cover six months of cloud and developer costs would be a burden for smaller startups or folks trying to build something in their garage. It would be great to see scholarships or other models arise that could pay those costs for a company that can't otherwise afford it. It could be kind of like a pension plan for IoT devices.

This may not be the right solution, but failed consumer IoT devices or abrupt changes in the business model for connected devices are a very real problem that holds back adoption. I'd love to see us set aside optimism so we could focus on what to do if the companies behind these products fail.


How a new open-source tool can help businesses in the fight against malware – TEISS

New software from BlackHat makes reverse-engineering malware faster and easier for software engineers.

Reverse-engineering of malware is an extremely time- and labour-intensive process, which can involve hours of disassembling and sometimes deconstructing a software programme. The BlackBerry Research and Intelligence team initially developed this open-source tool for internal use, and is now making it available to the malware reverse-engineering community.

PE Tree is developed in Python and supports Windows, Linux and Mac operating systems. It can be installed and run as a standalone application. Aimed at the reverse engineering community, PE Tree also integrates with the Hex-Rays IDA Pro decompiler to allow for easy navigation of PE structures, as well as dumping in-memory PE files and performing import reconstruction.

"The cyber-security threat landscape continues to evolve and cyber-attacks are getting more sophisticated with potential to cause greater damage," said Eric Milam, Vice President of Research Operations, BlackBerry. "As cyber-criminals up their game, the cyber-security community needs new tools in their arsenal to defend and protect organisations and people. We've created this solution to help the cyber-security community in this fight, where there are now more than one billion pieces of malware with that number continuing to grow by upwards of 100 million pieces each year."

PE Tree enables reverse-engineers to view Portable Executable (PE) files in a tree-view, using pefile and PyQt5, thereby lowering the bar for dumping and reconstructing malware from memory while providing an open-source PE viewer code-base that the community can build upon. The tool also integrates with the Hex-Rays IDA Pro decompiler to allow for easy navigation of PE structures, as well as dumping in-memory PE files and performing import reconstruction, which are critical in the fight to identify and stop various strains of malware.

To learn more and to access the PE Tree source code, please visit the BlackBerry GitHub account.

To read more, please visit the blog post here.

by Tom Bonner, Distinguished Threat Researcher, BlackBerry


Google Cloud launches its Business Application Platform based on Apigee and AppSheet – TechCrunch

Unlike some of its competitors, Google Cloud has recently started emphasizing how its large lineup of different services can be combined to solve common business problems. Instead of trying to sell individual services, Google is focusing on solutions and the latest effort here is what it calls its Business Application Platform, which combines the API management capabilities of Apigee with the no-code application development platform of AppSheet, which Google acquired earlier this year.

As part of this process, Google is also launching a number of new features for both services today. The company is launching the beta of a new API Gateway, built on top of the open-source Envoy project, for example. This is a fully managed service that is meant to make it easier for developers to secure and manage their API across Google's cloud computing services and serverless offerings like Cloud Functions and Cloud Run. The new gateway, which has been in alpha for a while now, offers all the standard features you'd expect, including authentication, key validation and rate limiting.

As for its low-code service AppSheet, the Google Cloud team is now making it easier to bring in data from third-party applications thanks to the general availability of Apigee as a data source for the service. AppSheet already supported standard sources like MySQL, Salesforce and G Suite, but this new feature adds a lot of flexibility to the service.

With more data comes more complexity, so AppSheet is also launching new tools for automating processes inside the service today, thanks to the early access launch of AppSheet Automation. Like the rest of AppSheet, the promise here is that developers won't have to write any code. Instead, AppSheet Automation provides a visual interface that, according to Google, provides contextual suggestions based on natural language inputs.

"We are confident the new category of business application platforms will help empower both technical and line of business developers with the core ability to create and extend applications, build and automate workflows, and connect and modernize applications," Google notes in today's announcement. And indeed, this looks like a smart way to combine the no-code environment of AppSheet with the power of Apigee.


Why Novak Djokovic Was Disqualified From the U.S. Open – The New York Times

Despite the clarity of the rules, Djokovic pleaded his case for several minutes, saying that the line judge would not need to go to a hospital. Friemel responded to him that the consequences might have been different had the line judge not collapsed to the ground and stayed there for a prolonged time in clear distress.

Djokovic also asked Friemel why he could not simply receive a point penalty or game penalty instead of being defaulted. Friemel did not, in fact, have an intermediate option. The code of conduct is an escalating scale in tennis with clearly defined steps: a warning followed by a point penalty followed by a game penalty, followed by a default. But the rules also allow officials the option of proceeding straight to a default after any rule violation if it is deemed sufficiently egregious.

As Djokovic had not yet received a warning during the match, Friemel's only options were to warn him or default him: a part of the rule that Djokovic did not appear to be aware of. But after investigating on court, Friemel did not consider a warning because he concluded that the incident clearly warranted a default.

"In the end, in any code violation there is a part of discretion to it, but in this instance, I don't think there was any chance of any opportunity of any other decision other than defaulting Novak, because the facts were so clear, so obvious," Friemel said on Sunday night. "The line umpire was clearly hurt and Novak was angry, he hit the ball recklessly, angrily back and taking everything into consideration, there was no discretion involved."

Djokovic had earned $250,000 for reaching the fourth round of the U.S. Open.

Here's a quick look at the various rules at play:

Players shall not violently, dangerously or with anger hit, kick or throw a tennis ball within the precincts of the tournament site except in the reasonable pursuit of a point during a match (including warm-up). Violation of this Section shall subject a player to fine up to $20,000 for each violation. In addition, if such violation occurs during a match (including the warmup) the player shall be penalised in accordance with the Point Penalty Schedule hereinafter set forth. For the purposes of this Rule, abuse of balls is defined as intentionally hitting a ball out of the enclosure of the court, hitting a ball dangerously or recklessly within the court or hitting a ball with negligent disregard of the consequences.

Players shall at all times conduct themselves in a sportsmanlike manner and give due regard to the authority of officials and the rights of opponents, spectators and others. Violation of this Section shall subject a player to a fine up to $20,000 for each violation. In addition, if such violation occurs during a match (including the warmup), the player shall be penalised in accordance with the Point Penalty Schedule hereinafter set forth. In circumstances that are flagrant and particularly injurious to the success of a tournament, or are singularly egregious, a single violation of this Section shall also constitute the Major Offence of Aggravated Behaviour and shall be subject to the additional penalties hereinafter set forth.

Incidents of tennis players striking officials are rare, but not unprecedented. There were two high-profile incidents of similar defaults in men's tennis, though none as significant as the disqualification of a top-seeded player at a Grand Slam event.


Perforce Launches Virtual Event on the Future of Intelligent and Data-Driven DevOps – Southernminn.com

MINNEAPOLIS, Sept. 8, 2020 /PRNewswire/ -- Perforce Software, a provider of solutions to enterprise teams requiring productivity, visibility, and scale along the development lifecycle, today announced the launch of DevOps Next, a virtual conference by and for DevOps industry experts. The half-day of sessions will examine AI and ML's impact on DevOps productivity, coding, testing, and more.

"DevOps has matured significantly. But, we've reached a point where traditional tools often fall short when it comes to large amounts of data," says Perfecto Chief Evangelist and Product Manager Eran Kinsbruner.

"AI and ML offer a wide range of abilities throughout the entire software development lifecycle. DevOps Next will explore how these technologies can enable us to make more data-driven decisions, automate more processes, and deliver higher quality software faster."

DevOps Next is an entirely virtual and free event that will take place on Wednesday, September 30. The event is ideal for practitioners, execs, management, as well as other industry professionals that work within the testing and dev space. Attendees can select from sessions across three tracks, connect with presenters through live chats, and participate in important discussions with peers.

Keynotes and sessions will cover topics including:

The virtual event coincides with the release of Kinsbruner's highly-anticipated third book, "Accelerating Software Quality: Machine Learning & Artificial Intelligence in the Age of DevOps." The book, spearheaded by Perforce, was written collaboratively by 20 DevOps industry experts and positions readers to make informed, strategic decisions as they adopt AI/ML technologies as part of their DevOps journey.

To register, see the agenda, and to learn more about DevOps Next, click here. To preorder "Accelerating Software Quality", click here.

About Perforce

Perforce powers innovation at unrivaled scale. With a portfolio of scalable DevOps solutions, we help modern enterprises overcome complex product development challenges by improving productivity, visibility, and security throughout the product lifecycle. Our portfolio includes solutions for Agile planning & ALM, API management, automated mobile & web testing, embeddable analytics, open source support, repository management, static & dynamic code analysis, version control, and more. With over 15,000 customers, Perforce is trusted by the world's leading brands to drive their business critical technology development. For more information, visit www.perforce.com.


Researchers find crypto bugs in over 300 popular Android apps – IOL

By IANS

New York - A team of US researchers has developed a tool that can find cryptocurrency bugs in Android apps. Using the tool, they discovered crypto bugs in 306 popular Android applications.

Named 'CRYLOGGER', the custom tool was used to test 1,780 Android apps across 33 different Google Play Store categories, ZDNet reported on Tuesday.

The research team from Columbia University found crypto bugs in 306 popular Android apps and none was patched.

"Only 18 of 306 app developers replied to the research team and only eight engaged with the team after the first email," the report said, quoting the researchers.

"All the apps are popular: they have from hundreds of thousands of downloads to more than 100 million," the research team was quoted as saying.

While some crypto bugs were in the app's code, some common vulnerabilities were introduced as part of Java libraries used as part of the apps.

"Since none of the developers fixed their apps and libraries, researchers refrained from publishing the names of the vulnerable apps and libraries, citing possible exploitation attempts against the apps' users."

The new tool, said the researchers, can be used by Android developers as a complementary utility to CryptoGuard.

Just like CryptoGuard, CRYLOGGER's code is also available on open source repository GitHub.

--IANS


Flutter or React Native: Which One to Choose? – Techiexpert.com – TechiExpert.com

Today, we have two popular solutions for cross-platform software development of mobile apps: React Native and Flutter. Both tools are superb solutions that allow programmers to create a single code base for Android and iOS-based devices. Moreover, both solutions reduce the time required for building the app. Therefore, a new mobile app can hit the market faster and on a smaller budget. That's why Flutter and React Native became widely used by modern developers. Furthermore, their adoption rate is gradually growing. But which one is better? In this post, we'll review Flutter vs React Native 2020 and try to define what framework has more benefits. We'll review both tools according to different characteristics.

First, let's analyze the architecture of both frameworks. React Native is a more complicated tool in this case. For executing the source code from JavaScript to the native environment on this framework, a bridge is required. The main goal of the bridge is to exchange data between two environments. However, this bridge is an additional agent that needs some time and resources for processing.

When it comes to Flutter, everything is more comfortable in this case. This framework can easily access native options of the mobile device without the use of additional interlayers. The tool runs quicker and needs fewer resources to execute the code. All this means that developers can release the app faster. Moreover, this tool guarantees faster performance and the ability to use complex animations that load more quickly.

However, you shouldn't think that React can't process complex algorithms; Flutter simply does this faster.

Both frameworks have superb graphical options, but they use absolutely different approaches to show user interface. When React Native is used, all visual elements such as buttons, menus, or others will look slightly different on iOS and Android.

The main benefit of Flutter is that this framework guarantees a consistent experience. The application will look the same on all devices (no matter what operating system you are using). Flutter uses C++ graphics that broadcast the image to the screen. As a result, it is easier to make animations.

Both frameworks have a cross-platform nature that allows them to save developers time. Simply put, they allow programmers to reuse code if necessary (there's no need to write separate apps for Android and iOS). As a result, investment in hiring more developers with different skills is also not needed. Let's take a look at both frameworks.

React Native hit the market earlier, and that's why it has a more significant community and more useful libraries and packages. However, there's one disadvantage: the majority of these packages have not been updated for a long time. Therefore, some of them can't be used today. Besides, React is contingent on the support of its community.

Flutter was launched only three years ago. But this tool is supported by Google programmers from the beginning. This means that this framework has more pre-set host packages that are updated on an ongoing basis. In some instances, React needs the use of third-party libraries. Flutter is more reliable in this case and has more cool options that run smoothly. As a result, Flutter offers better functionality and needs less time to build the application.

React Native was created by Facebook, Flutter was developed by Google. But both solutions are open-source. Users need to buy a license to start using the tool. Today, both IT giants are used by millions of developers from all over the globe. That's why both are much concerned with the reliability of the frameworks.

React is contingent on native elements of a particular device and requires additional effort to build apps that support iOS and Android. Unfortunately, some firmware updates can make changes to the application. Though this doesn't happen frequently, each update of the firmware results in some bugs. To fix all of them, programmers need to do lots of QA tests and also update the mobile app. Programmers that use this tool know about these issues and usually provide tech support for their mobile apps. We can't say that this is a significant disadvantage of this framework, but still, professional programmers should know this.

In this case, Flutter is more reliable. This tool is resistant to changes and updates of the operating system. Besides, this framework has lots of sophisticated and powerful testing tools that can help easily solve the issue. In the Flutter vs React comparison, Flutter is better here because there's no need to use third-party software to test the mobile app.

Overall, we can see that in terms of performance, reliability, and productivity, Flutter is much better. But sometimes, it is hard to find a developer that knows how to work with this framework. When it comes to finding a professional developer, React Native is much better. But for some software development companies, it is still the question of major concern when it comes to choosing between these two frameworks.


WikiLeaks Julian Assange fights extradition to the U.S. in top London court – CNBC

WikiLeaks founder Julian Assange, one of the world's most high-profile whistleblowers, will fight his extradition to the U.S. this week, after failing to delay the hearing on Monday.

Assange is wanted in the U.S. over the publication of hundreds of thousands of classified documents in 2010 and 2011.

The hearing, at London's Old Bailey, is being heard by District Judge Vanessa Baraitser. It began in February but it was pushed back as a result of the coronavirus.

The U.S. Justice Department issued a new indictment in June alleging that Assange conspired with members of hacking organizations and tried to recruit hackers at conferences in Europe and Asia who could provide WikiLeaks with classified information.

Assange's lawyer, Edward Fitzgerald QC, argued Monday that the latest indictment arrived too late for his team to review and respond to it properly. James Lewis QC will represent the U.S. authorities.

Fitzgerald said he had not seen Assange face-to-face for six months, partly due to the pandemic, according to the BBC. However, a bid to rule out the new charges was unsuccessful, with Baraitser ruling they must be heard.

Assange, whose health has deteriorated while being held in a U.K. prison, is wanted on 18 charges, 17 of which fall under the U.S. Espionage Act.

The U.S. will specifically accuse him of conspiring with army intelligence analyst Chelsea Manning to decipher a password known as "hash" in order to access a classified U.S. Department of Defense computer and expose military secrets.

Speaking from a glass box on Monday, Assange said he does not consent to extradition.

If the 49-year-old Australian is extradited to the U.S., he could face a prison sentence of 175 years. His mother Christine Assange said on Twitter that he won't survive if he is extradited.

Assange's supporters argue that the U.S. is targeting him for political reasons after his journalism exposed alleged war crimes and human rights abuses.

The hearing is due to last four weeks. Dozens of witnesses are expected to be called to give evidence and a final verdict will be delivered at a later date.

There are a limited number of seats available in the court due to social distancing measures that have been introduced in response to the pandemic.

Assange supporters, including father John Shipton and fashion designer Dame Vivienne Westwood, gathered outside the historic criminal court Monday to protest his extradition.

"Julian is a publisher and a journalist," Shipton said outside the court on Monday. "It's an oppression of journalism and free press everywhere in the Western world. It can't go on, it has to stop now."

Michelle Stanistreet, general secretary for the National Union of Journalists in the U.K. and Ireland, said in a statement: "If this extradition is allowed, it will send a clear signal that journalists and publishers are at risk whenever their work discomforts the United States government. Media freedom the world over will take a significant backward step if Assange is forced to face these charges at the behest of a U.S. president."

She continued: "The U.K. government makes much of its commitment to free expression – this case is its opportunity to demonstrate the substance behind those warm words."

Assange, a father of two young children, was arrested at the Ecuadorian Embassy in London in April 2019 for breaching his bail conditions and has been held at the high-security Belmarsh Prison in southeast London since.

Assange's partner, Stella Moris, is one of those expected to appear in court. The South African-born lawyer told PA Media that her partner has lost a lot of weight in prison and that his health is deteriorating.

"This is an attack on journalism," she said. "If he is extradited to the U.S. for publishing inconvenient truths about the wars in Iraq and Afghanistan, then it will set a precedent, and any British journalist or publisher could also be extradited in the future."

Moris launched a crowdfunding campaign last month to pay for Assange's legal fees. Over £100,000 ($131,000) has been pledged.

Read more:

WikiLeaks' Julian Assange fights extradition to the U.S. in top London court - CNBC

Julian Assange warned against interrupting witnesses in extradition hearing – ComputerWeekly.com

WikiLeaks founder Julian Assange was warned by the judge in his extradition case that he would be removed from court if he continued to interrupt witnesses.

The judge, Vanessa Baraitser, told the 49-year-old that he would face being permanently banned from hearings.

The incident took place as a lawyer for the US questioned the expertise of witnesses who appeared on behalf of Assange.

The WikiLeaks founder faces allegations that he conspired with computer hackers to encourage them to obtain secret US government documents, after being re-arrested this week.

The allegations were added, in a superseding indictment, to 17 charges under the 1917 Espionage Act related to WikiLeaks publishing a series of leaks from Chelsea Manning, a former US Army soldier turned whistleblower, in 2010-11.

The hearing revealed differences between the defence lawyers over the charges levelled against Assange in the US indictment.

Speaking on the second day of the hearing at the Old Bailey, Clifford Stafford Smith, founder of legal support non-profit organisation Reprieve, told the court that the charity had used US cables leaked by WikiLeaks in its cases.

He gave evidence on WikiLeaks' publication of the Afghan and Iraq War Logs, the Guantanamo Files, and the US diplomatic cables.

He said WikiLeaks' disclosures on drone killings had contributed to a sea change in people's attitudes about the use of drones.

"I feel my country's reputation was seriously damaged by what we have to term as criminal actions," he said.

He said one US journalist, Bilal Abdul Kareem, who reported from Syria on the struggle against the regime of its president, Bashir Assad, had been targeted for assassination five times, including hellfire missiles from drones.

An ongoing case is testing whether the US has the right to assassinate its own citizens. "I find it deeply troubling," he said.

Reprieve had uncovered evidence that individuals detailed at Guantanamo Bay were not being held for terrorism reasons, but because the US had paid bounties for them.

Pervez Musharraf, former president of Pakistan, boasted in his book In the line of fire that perhaps half of the Guantanamo detainees had been sold for bounties to the US by Pakistan. "They were sold with a story – normally, in my experience, bogus – to induce payment," Stafford Smith said in a witness statement.

"I felt that Guantanamo was doing our nation damage. I thought, by and large, the government would make some mistakes, but would get it right. I was wrong," he told the court.

He said WikiLeaks leaks on Guantanamo had been important in making public allegations against clients he was representing in the detention camp.

"They were the very worst that the US authorities could confect against our clients, but on the other hand they are very important because the world did not know the allegations against my clients," he said.

In a witness statement, Stafford Smith said he had taken 30 pages of evidence from his client Moazzam Begg on how he was tortured and how he had witnessed a murder at Bagram Air Force Base in Iraq.

The statement was censored because torture and murder reflected methods and means of interrogation.

"I would never believe that my government would do what it did," he said. "We are talking about criminal offences of torture, rendition, holding people against the law and, I am sad to say, murder."

The WikiLeaks documents referred to statements about another of Stafford Smith's clients, Binyam Mohamed, as if they were true, without mentioning the fact he was rendered to Morocco for 18 months where the interrogators took a razor blade to his genitals, Stafford Smith said in written evidence.

A UK court found that the UK had been mixed up in Mohamed's torture.

The UK intelligence agencies leaked Mohamed's statement, obtained under torture, to the BBC.

Stafford Smith told the court that it was only because he was at the BBC that he was able to prevent the journalist from using the statement, which had been obtained in violation of the UN Convention Against Torture.

James Lewis, representing the US, told the court that Stafford Smith had produced a 97-paragraph statement, but did not mention WikiLeaks until paragraph 31.

"Would it surprise you to learn that there are no charges against Mr Assange or anyone else for publishing those cables or any cables you mention in your statement?"

Lewis said the only thing Assange was being charged with was leaking documents that put the names of individuals in Iran, Afghanistan and around the world, who were at risk.

Stafford Smith said that in a US court case, the US could produce a witness that could give wide-ranging testimony.

"Mr Stafford you are making this up. Show me where the charges show the publication of documents," said Lewis.

Stafford Smith said: "I can tell you how American cases are prosecuted."

Lewis then asked Stafford Smith: "Are you saying the US Attorney General is lying?"

Stafford Smith said that the most damaging thing he had seen during his 19 years was over-classification by US officials.

He said that Begg, who was detained in Guantanamo, had given him 30 pages of material on how he had been tortured, but it was classified for national security reasons. "That over-qualification, where we classify evidence of torture, is profoundly wrong."

Stafford Smith said he accepted that it was not right to put informants in harm's way.

Lewis referred to a book written by investigative journalist David Leigh. Leigh was concerned that many of the documents obtained by WikiLeaks mentioned informants.

Assange's response, as reported in the book, was: "If they get killed, they deserve it."

Stafford Smith said: "I really would never judge someone by what is published in a book. I agree you should never get someone killed."

Lewis said the charges against Assange only related to a small number of documents published by WikiLeaks.

Stafford Smith said he did not have that confidence in US court cases, and that the US could introduce new allegations against Assange.

"They could potentially, through their first witness, introduce the book by David Leigh, and the rules of hearsay have a massive lacuna in it. I wish I had your confidence," he said.

The judge adjourned the hearing after Assange interrupted Stafford Smith.

"If you interrupt proceedings, it is open to me to proceed in your absence. This is obviously something I would not wish to do," she said.

Link:

Julian Assange warned against interrupting witnesses in extradition hearing - ComputerWeekly.com