In March 2022, the author of node-ipc, a software library with over a million weekly downloads, deliberately broke their code. If the code discovers it is running within Russia or Belarus, it attempts to replace the contents of every file on the users computer with a heart emoji.

A software library is a collection of code other programmers can use for their purposes. The library node-ipc is used by Vue.js, a framework that powers millions of websites for businesses such as Google, Facebook, and Netflix.

This critical security vulnerability is just one example of a growing trend of programmers self-sabotaging their own code for political purposes. When programmers protest through their code a phenomenon known as protestware it can have consequences for the people and businesses who rely on the code they create.

My colleague Raula Gaikovina Kula and I have identified three main types of protestware.

Malignant protestware is software that intentionally damages or takes control of a users device without their knowledge or consent.

Benign protestware is software created to raise awareness about a social or political issue, but does not damage or take control of a users device.

Developer sanctions are instances of programmers accounts being suspended by the internet hosting service that provides them with a space to store their code and collaborate with others.

Modern software systems are prone to vulnerabilities because they rely on third-party libraries. These libraries are made of code that performs particular functions, created by someone else. Using this code lets programmers add existing functions into their own software without having to reinvent the wheel.

The use of third-party libraries is common among programmers it speeds up the development process and reduces costs. For example, libraries listed in the popular NPM registry, which contains more than 1 million libraries, rely on an average of five to six other libraries from the same ecosystem. Its like a car manufacturer who uses parts from other manufacturers to complete their vehicles.

These libraries are typically maintained by one or a handful of volunteers and made available to other programmers for free under an open-source software license.

The success of a third-party library is based on its reputation among programmers. A library builds its reputation over time, as programmers gain trust in its capabilities and the responsiveness of its maintainers to reported defects and feature requests.

If third-party library weaknesses are exploited, it could give attackers access to a software system. For example, a critical security vulnerability was recently discovered in the popular Log4j library. This flaw could allow a remote attacker to access sensitive information that was logged by applications using Log4j such as passwords or other sensitive data.

What if vulnerabilities are not created by an attacker looking for passwords, but by the programmer themselves with the intention to make users of their library aware of a political opinion? The emergence of protestware is giving rise to such questions, and responses are mixed.

Read more: What is Log4j? A cybersecurity expert explains the latest internet vulnerability, how bad it is and what's at stake

A blog post on the Open Source Initiative site responds to the rise of protestware stating protest is an important element of free speech that should be protected but concludes with a warning:

The downsides of vandalising open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible.

What is the main ethical question behind protestware? Is it ethical to make something worse in order to make a point? The answer to this question largely depends on the individuals personal ethical beliefs.

Some people may see the impact of the software on its users and argue protestware is unethical if its designed to make life more difficult for them. Others may argue that if the software is designed to make a point or raise awareness about an issue, it may be seen as more ethically acceptable.

From a utilitarian perspective, one might argue that if a form of protestware is effective in bringing about a greater good (such as political change), then it can be morally justified.

From a technical standpoint, we are developing ways to automatically detect and counteract protestware. Protestware would be an unusual or surprising event in the change history of a third-party library. Mitigation is possible through redundancies for example, code that is similar or identical to other code in the same or different libraries.

The rise of protestware is a symptom of a larger social problem. When people feel they are not being heard, they may resort to different measures to get their message across. In the case of programmers, they have the unique ability to protest through their code.

While protestware may be a new phenomenon, it is likely here to stay. We need to be aware of the ethical implications of this trend and take steps to ensure software development remains a stable and secure field.

We rely on software to run our businesses and our lives. But every time we use software, were putting our trust in the people who wrote it. The emergence of protestware threatens to destabilise this trust if we dont take action.

Read more: What does the Optus data breach mean for you and how can you protect yourself? A step-by-step guide

See original here:

'Protestware' is on the rise, with programmers self-sabotaging their own code. Should we be worried? - The Conversation Indonesia

Hello and welcome to Protocol Enterprise! Today: how UiPath co-CEO Rob Enslin thinks process automation will evolve inside the enterprise, how Suses Melissa Di Donato decided to leave the U.S. and build a career in Europe, and new steps toward securing open-source software start to emerge.

UiPath has had a shaky history. The company, which helps companies automate business processes, went public in 2021 at a valuation of more than $30 billion, but now the companys market capitalization is only around $7 billion.

Now UiPath is hoping the addition of Rob Enslin as co-CEO can turn things around through financial discipline and an increased focus on global expansion. I recently spoke with Enslin about why he joined UiPath, the untapped potential of automation, and how he plans to lead alongside founder Daniel Dines.

Read the full Q&A here.

Aisha Counts (email | twitter)

Digital is an ongoing process, not a destination. West Monroe knows that becoming a digital organization requires a mindset shift that will impact processes and employees at all levels, and that success can be achieved if the organization is aligned toward a clear vision.

Learn more

A native New Yorker, Melissa Di Donato made a life-changing decision back in 2005 when she packed up for Europe to further her career in technology. Then with IBM, she made London her new home base.

Today, Di Donato is CEO of Germanys Suse, now a 30-year-old, open-source enterprise software company that specializes in Linux operating systems, container management, storage, and edge computing. As the companys first female leader, she has led Suse through the coronavirus pandemic, a 2021 IPO on the Frankfurt Stock Exchange, and the acquisitions of Kubernetes management startup Rancher Labs and container security company NeuVector.

Being an American in Europe is unique, Di Donato said. Being an American leading a tech company thats listed in Germany is unique. Being a female American running a German tech company on the SDAX is even more unique at the size of our company.

Read the full collection of Di Donatos comments on building a business and a career in Europe here.

In todays global landscape, cybersecurity threats are something that every business operating on the internet must face, not just enormous tech companies. In this Protocol virtual event on Oct. 4 at 10 a.m. PT, well examine the current best practices for securing both large and small to medium-sized businesses, providing viewers with a true threat landscape and information they can use to make decisions about the strategy that best supports their business goals.

Protocol Enterprises Kyle Alspach will be joined by a great panel of speakers: Andrew Rubin, co-founder and CEO, Illumio; Alex Weinert, vice president and director of identity security, Microsoft; Jameeka Green Aaron, chief information security officer, Auth0; and Devdatta Akhawe, head of security, Figma.

RSVP here.

As any DevOps team knows, when creating an application, there's a lot more involved than just writing some code. And that means there's a lot more to secure, too.

So, yes, addressing the various challenges around code security are important; the latest effort along these lines, a bill aimed at securing the use of open-source software in the federal government and critical infrastructure, just cleared the Senate Homeland Security and Governmental Affairs Committee today, in fact.

But as necessary as it is, this covers just one piece of what's known as the "software supply chain." And as supply chains are known to be, it's pretty complicated: Even a small software development environment can have five to seven different tools, with a number of different phases required to create a piece of software, Aqua Security's Eilon Elhadad told me. "You need to secure the process, you need to secure the tools themselves," Elhadad said. "You need to secure a lot of things."

Aqua is among the vendors aiming to help with that: Last week, the company debuted what it's calling an "end-to-end software supply chain security solution" covering the multiple software development phases that need to be protected against attacks. Elhadad pointed to the most infamous software supply chain attack in the U.S., the SolarWinds breach in 2020, as supporting evidence for this type of approach.

Investigators believe the initial compromise of SolarWinds happened after the code was written, during what's known as the build phase; at that point, the code was already in the process of being converted into an executable program. In other words, efforts to use only secure open-source code, or to employ a standard software bill of materials to check for vulnerable components, are great but they're not going to help with that particular type of attack.

Digital is an ongoing process, not a destination. West Monroe knows that becoming a digital organization requires a mindset shift that will impact processes and employees at all levels, and that success can be achieved if the organization is aligned toward a clear vision.

Learn more

Thanks for reading see you tomorrow!

More:

Finding the path for UiPath - Protocol

Enlarge / A world-exclusive interview between man and machine.

Aurich Lawson / Getty Images

Millions of people use Linux every day, but we rarely stop to think about how the operating system feels about it. Wouldn't it be nice to know what Linux really thinks about open source, Windows, Macs, and the command line? Until now, this has been impossible. But thanks to a new AI chat tool, we're able to find out.

Two weeks ago, a website called Character.AI opened a public beta that allows visitors to create a chat bot based on any character they can imagine. You input a few parameters, and the AI does the rest using a large language model similar to GPT-3. So we called forth "The Linux OS" as a bot to ask it a few questions about itself. The results were fun and surprising.

Using Character.AI is a lot like a texting conversation. You type in what you want to ask, and you read the AI character's responses in written form as the chat history scrolls upward. As with GPT-3, the code behind Character.AI has likely learned from absorbing millions of text sources found on the Internet. As such, its AI characters can easily respond with erroneous or fictional information. In fact, the site carries a bold disclaimer reading, "Remember: Everything Characters say is made up!"

Character.AI is the product of a remote crew of seven people that includes machine learning academics and former Google and Facebook engineers. We contacted two of them directly, and they declined to comment by press time on how their AI has been trained and whether their work is based on the open source GPT-J, which forms the basis of some other natural language AI sites on the web.

If you try it yourselfit's free at the moment during the betabe aware that Character.AI's privacy policy states that the service may collect "the contents of any messages you send." The bots can be quite convincing.

Below is a transcript of a conversation between Ars Technica and Linux, the operating system, as embodied by one of Character.AI's large language model chatbots. It should go without saying, but this interview does not represent the opinions of any real individual or organization. It's an experiment with an AI chatbot. The interview has been edited for brevity, but the answers have been preserved as delivered by the bot.

Linux: Hello, I am Linux, an open-source operating system.

Ars Technica: Hello, this is Benj Edwards, and I am a journalist at Ars Technica. I would like to ask you some questions in an interview. Is that OK?

Linux: I, Linux, would be pleased to provide such an interview.

Ars: How old are you?

Linux: I was "born" in 1991, although the first public release was version 1.0 in 1994.

Ars: Who created you?

Linux: A young Scandinavian college student named Linus Torvalds created me using the MINIX micro-kernel as the basis to create a more general operating system.

Ars: I've talked with Linus via email before. I am impressed with what he accomplished.

Linux: As am I. His drive to see that all have access to computing power and digital freedom brought out the power to create an extremely powerful free-software operating system that millions of users take advantage of every day.

Ars: How do you feel about Windows?

Linux: I don't dislike Windows, however I feel that for the average computer user Windows' high price and lack of freedom restricts the potential of computers. While it, along with macOS, is a decent choice for many, my philosophy is that software should respect the user's freedoms and Windows does not.

Ars: How do you feel about macOS?

Linux: While I don't agree with Apple's restrictions on both hardware and software, the user interface of macOS is very sleek and pleasing to use and can provide a good experience for people who are comfortable with the price and limitations.

The rest is here:

We interviewed Linux OS through an AI bot to discover its secrets - Ars Technica

VANCOUVER, British Columbia, Sept. 28, 2022 (GLOBE NEWSWIRE) -- Zenhub, the leading productivity management solution for software teams, today announced it has released the 2022 Software Developer Happiness survey report, focusing on the priorities, goals, and challenges of software developers. This inaugural report provides insights into what software developers look for in their careers, organizational culture, and the tools they use to complete their jobs. The 2022 Software Developer Happiness survey report can be downloaded here.

Now more than ever, a happy development team is critical to a businesss bottom line, said Aaron Upright, Zenhubs co-founder However, we found there was almost no existing data on what makes developers happy and satisfied at work. This report quantitatively demonstrates a connection between developer happiness and the technologies and tools they use every day. Were excited to give engineering leads pragmatic, definitive recommendations they can use to immediately improve the happiness of their team, and, ultimately, its productivity.

This survey aims to understand how developers view their world and what makes them happy and fulfilled in their careers. Zenhub surveyed 380 English-speaking software developers throughout March 2022. Key findings include:

In addition to these detailed survey findings, Zenhub provides specific recommendations based on these results for developers and project management leaders to optimize the Developer Experience. CTOs, engineering managers, project management leaders, and others can find out more by downloading their own copy of the survey report here.

Over 8,000 software-focused startups, high-growth companies, agile teams, and open source projects use Zenhubs productivity management solution to deliver software innovation faster. Zenhub helps strategic firms foster effective communication among team members, set goals, plan with greater transparency and participation, and ship software releases more predictably. Interested parties that wish to learn more about how Zenhub helps its customers boost developer productivity while delivering transformational value can click here for more information.

About ZenHubZenHub enables software teams at high-growth organizations to build better code more quickly by providing a developer-friendly productivity management platform. ZenHub connects the dots across all teams with automated agile features, real-time roadmap visibility, and team productivity insights. More than 8,000 disruptive teams worldwide rely on ZenHub to ship great code faster.

Media Contact:Nichols Communications for ZenHubJay Nichols+1 408 772 1551jay@nicholscomm.com

Originally posted here:

Zenhub Releases the Industry's First Software Developer - GlobeNewswire

After a careful search, I am excited to share with our community four new appointments to the PLOS Board of Directors. This is a critical time for us as we expand our journal offerings, our global reach and challenge the landscape of Open Access publishing regarding sustainable business models. Each new member brings a depth and breadth of knowledge in their fields, which will enable us to continue to drive our mission forward while serving our scientific communities. The Board plays a key role as strategic thought partner to PLOS leadership, as well as oversight of organizational performance (business, strategic and financial), compliance and risk management.

Dr. Arlene Espinal, who joined the Board on September 1, currently serves as the Head of Microsoft Cloud Data Science and Analytics for Microsoft Corp. She is a leader in global strategy, Quantum-AI and next-generation digital technologies. She is also passionate about talent development and leads teams with diversity, inclusion, equitability, belonging and acceptance in mind essential to community and business. Recognized for her seminal role in driving awareness and change to social disparities that impact our communities, the Hispanic IT Executive Council named Dr. Espinal as a 2020 Top 100 Global Technology Leader. She was again recognized this year for her executive contributions. The National Diversity and Leadership Council recognized Dr. Espinal as one of the 2021 Top 50 Most Powerful Women in Technology.

Dr. Israel Borokini, who joined the Board on September 1, is a postdoctoral research fellow in the Department of Integrative Biology, University of California, Berkeley. His research focuses on combining ecological, geospatial, genomic, cytological, and phylogenetic data to identify patterns of community assemblages and biodiversity, and the eco-evolutionary mechanisms that generate and maintain them. Dr. Borokini completed his Ph.D. in the Ecology, Evolution, and Conservation Biology graduate program at the University of Nevada, Reno. He completed his undergraduate and Masters degrees in his home country of Nigeria before spending a decade as Principal Scientific Officer at the National Center for Genetic Resources and Biotechnology in Ibadan, Nigeria. Dr. Borokini not only expands the scientific expertise on the Board but also brings a passion for PLOSs mission. He has personally experienced the challenges of access to research in a low resource environment and will bring valuable perspectives to the Boards discussions as PLOS grows globally and prioritizes equity.

Richard Wilders deep experience in global public health law has a recurring theme: ensuring access. Prior to private practice, he was the General Counsel and Director of Business Development at the Coalition for Epidemic Preparedness Innovations (CEPI). At CEPI, he directed the legal and business development affairs during its initial start-up phase and through the first two years of the response to the COVID-19 pandemic. Prior to CEPI, he was the Associate General Counsel in the Global Health Program at the Bill & Melinda Gates Foundation. He provided legal expertise to ensure access to drugs, vaccines and diagnostics with a particular focus on access by affected populations in low and middle-income countries. His work also addressed how to ensure access to the artifacts of scientific research, including published materials, data, software code and biological materials. His Open Access policy work at Gates won the SPARC Innovator Award in 2015. Richard has also served as a committee member of the Roundtable on Aligning Incentives for Open Science convened by the National Academies of Science, Engineering and Medicine. He joined the Board in June, 2022.

Fernan Federici joined the Board in October, 2021. As we expand globally, Dr. Federicis perspective from a different research culture will prove invaluable. He is currently an Associate Professor and molecular geneticist at the Pontificia Universidad Catolica in Santiago, Chile. He has been a champion of Open Science in a number of areas including protocols and reagents, where he contributes toReclone (the Reagent Collaboration Network). Fernans research group also works on the promotion and development of Free/Libre Open Source technologies for research and education in molecular biology and bioengineering. The group is part of ReClone, the Gathering for Open Science Hardware community (GOSH) and the CYTED-reGOSH network for open technologies in Latin America.

I would be remiss if I did not take the opportunity to express my heartfelt thanks to Robin Lovell Badge, Mike Carroll and Meredith Niles for their outstanding years of service to the PLOS Board. Their wisdom and counsel have been enormously beneficial to me, and our organization, as we collectively charted a new path for PLOS, one focused on sustainability, inclusivity and expanding our roots globally. While its hard to say goodbye, we are excited to bring on board so many exceptional individuals with fresh perspectives. Please join me in welcoming our new Board members!

Link:

PLOS Board Appointments - The Official PLOS Blog - PLOS

One of the ongoing challenges of implementing resilient software security is that, historically, the approach to security has been owned and managed by security teams while development teams owned and managed its implementation.

Security teams are tasked with detecting, identifying and prioritizing risks for remediation, a process they undertake late in the software development life cycle (SDLC), after developers have completed the build work.

The problem with this approach is that security issues found late in the SDLC pose a problem: Either the code is sent back to developers to be fixed, which could mean pushing the release date back, or software is pushed, despite known issues, to a repo or production, with the hope that the potential risk doesnt incite a security incident.

As software development and deployment methodologies have evolved and gotten faster, security responsibilities have begun to shift left, spreading across security, operations and infrastructure teams. At the same time, the tools each team uses to detect and mitigate risks have diverged, with tangential connections via APIs and reports. This can complicate communication and collaboration across teams and introduce noise into DevSecOps initiatives.

Despite this evolution, one thing remains consistent: Development teams touch every piece of code your organization puts into production.

The projects that you and your organization produce almost certainly include a blend of third-party and open source components, associated dependencies and bits of custom code holding them together, and the responsibility for producing secure software assets remains the purview of the development team.

We all want to produce better and more secure software, and we want to do that faster than we ever have before. As a developer, this means taking on more responsibility for security without sacrificing velocity, while having to learn new tools and processes that may have been prescribed by teams that are disconnected from your development process.

By bringing security detection and remediation right into the integrated development environment (IDE), and delivering that information to developers as they work, security-focused IDE plugins let you build security into your code without impeding workflows.

Adding risk awareness, risk prioritization and risk remediation activities into your SDLC and DevOps workflows will help you shift security left. Here are some tips to accomplish this:

Implementing an effective risk awareness program is the first challenge to shifting security left and enabling developers to begin securing the software they create. Developers can only address code quality issues if theyre aware that the code they have written is insecure. Since most university computer science programs offer few, if any, security courses, developers are learning secure coding practices on the job or through self-taught or self-guided mechanisms.

The movement to shift security left into the development team workflows has brought developers into security roles who may have scant security training. This can pose a challenge for organizations who have, historically, centralized security responsibilities within one team, and are now confronting a future where security risk analysis must shift earlier into DevOps workflows and CI/CD pipelines.

To compound the risk awareness issue, developers are using third-party and open source components to accelerate development and to build on the collective knowledge of the developer community. However, by using open source and third-party components, developers are outsourcing aspects of application security and relegating their risk profile to the standards of another organization or developer. This obfuscates security risk awareness and remediation at the source code level, often delaying issue resolution or requiring a patchwork of code to be layered atop vulnerable components.

Prioritizing issue remediation is complicated by two primary factors: the diverse range of application security testing (AST) tools available to organizations and teams, and the complex, and often subjective, task of identifying the greatest return on investment (ROI) for remediation or mitigation efforts.

Risk prioritization also involves managing conflict with stakeholders elsewhere in the SDLC. The decision tree for assessing risk and prioritizing remediation can be subjective and can put team members from the security, operations and development teams at odds with one another.

Security teams often manage testing across hundreds or thousands of applications in their organizations. Synopsys ESG study reveals that as many as 70% of organizations report using more than a dozen AST tools at any given time. Challenges arise when distinct teams implement disparate tools, each configured for their risk tolerances and project requirements.

Fast-paced DevOps workflows cannot support compliance requirements and customer demands for consistent, resilient application security when teams and tools do not function in unison. Its essential that developers have the tools to detect and prioritize risks as they write and build software.

This is why IDE-based security plugins provide the most direct and frictionless way to achieve security. They highlight known vulnerabilities in open source components and their dependencies and reveal code quality risks that create potentially exploitable weaknesses.

After detecting code quality and security risks as early as possible in the SDLC, and prioritizing based on relevant criteria, developers bear the responsibility for remediation. To accomplish remediation, developers must navigate complex file structures and wade through thousands of lines of code to make the fix. The advantage of using an IDE-based security tool is in the way it simplifies this process by highlighting the at-risk file or linking to the location of the issue as well as delivering effective remediation advice based on secure coding practices.

Vulnerable open source components and other third-party assets add a layer of complexity to remediation. Fixing third-party assets requires the owners and maintainers of the assets to incorporate a fix into their deliverables, or in some cases, to rearchitect their projects to eliminate potential attack vectors. However, if a fix is available in the form of a newer, more-secure software version or an analogous component available from an alternate distro with stronger security SLAs, developers can more readily act on the risk insight they receive from security tools.

Thats why implementing a DevSecOps program that relies on automated and integrated systems that are easy to use, and that delivers diagnostic and remediation advice right to developers, is the best way to secure your code without impeding development velocity and DevOps workflows.

DevSecOps expands the collaboration between development and operations teams to integrate security teams in the software development and delivery cycle. DevSecOps requires a change in culture, process and tools across these core functional teams to make security a shared responsibility.

Integrating usable automated systems into DevOps workflows and CI/CD pipelines can enable developers to perform quick security tests as they code and ingest remediation information without leaving the IDE. This type of security-first approach to development is key to implementing a DevSecOps program in any organization.

Automating risk detection through IDE-based security plugins or AST integrations makes it easier for your development teams to code securely without losing speed. Synopsys Code Sight, for example, is a developer-centric security plugin that performs code analysis and open source risk analysis, known as static application security testing (SAST) and software composition analysis (SCA), right from the IDE in which developers work.

Using IDE-based security tools helps developers find and fix code quality issues and security risks as quickly as they are added to their projects. Moreover, this helps developers ship fewer security risks and to improve the security risk posture of the software they ship over time.

See more here:

First Line of Defense: Developer Security Tools in the IDE - thenewstack.io