Category Archives: Stiri IT Externe

The Future of Open Source | Software


By Jack M. Germain

Sep 19, 2018 5:00 AM PT

Linux and the open source business model are far different today than many of the early developers might have hoped. Neither can claim a rags-to-riches story. Rather, their growth cycles have been a series of hit-or-miss milestones.

The Linux desktop has yet to find a home on the majority of consumer and enterprise computers. However, Linux-powered technology has long ruled the Internet and conquered the cloud and Internet of Things deployments. Both Linux and free open source licensing have dominated in other ways.

Microsoft Windows 10 has experienced similar deployment struggles as proprietary developers have searched for better solutions to support consumers and enterprise users.

Meanwhile, Linux is the more rigorous operating system, but it has been beset by a growing list of open source code vulnerabilities and compatibility issues.

The Windows phone has come and gone. Apple’s iPhone has thrived in spite of stagnation and feature restrictions. Meanwhile, the Linux-based open source Android phone platform is a worldwide leader.

Innovation continues to drive demand for Chromebooks in homes, schools and offices. The Linux kernel-driven Chrome OS, with its browser-based environment, has made staggering inroads for simplicity of use and effective productivity.

Chromebooks now can run Android apps. Soon the ability to run Linux programs will further feed open source development and usability, both for personal and enterprise adoption.

One of the most successful aspects of non-proprietary software trends is the wildfire growth of container technology in the cloud, driven by Linux and open source. Those advancements have pushed Microsoft into bringing Linux elements into the Windows OS and containers into its Azure cloud environment.

“Open source is headed toward faster and faster rates of change, where the automated tests and tooling wrapped around the delivery pipeline are almost as important as the resulting shipped artifacts,” said Abraham Ingersoll, vice president of sales and solutions engineering at Gravitational.

“The highest velocity projects will naturally win market share, and those with the best feedback loops are steadily gaining speed on the laggards,” he told LinuxInsider.

Advancement in Progress

To succeed with the challenges of open source business models, enterprises have to devise a viable way to monetize community development of reusable code. Those who succeed also have to master the formula for growing a free computing platform or its must-have applications into a profitable venture.

Based on an interesting GitLab report, 2018 is the year for open source and DevOps, remarked Kyle Bittner, business development manager at Exit Technologies.

That forecast may be true eventually, as long as open source can dispel the security fears, he told LinuxInsider.

“With open source code fundamental to machine learning and artificial intelligence frameworks, there is a challenge ahead to convince the more traditional IT shops in automotive and oil and gas, for example, that this is not a problem,” Bittner pointed out.

The future of the open source model may be vested in the ability to curb the security flaws that accumulate in ever-larger code bases. That is a big “if,” given how security risks have grown as Linux-based deployments evolved from isolated systems to large multitenancy environments.

LinuxInsider asked several open source innovators to share their views on where the open source model is headed, and to recommend the best practices developers should use to leverage different OS deployment models.

Oracle’s OS Oracle

Innovative work and developer advances changed the confidence level for Oracle engineers working with hardware where containers are involved, according to Wim Coekaerts, senior vice president of operating systems and virtualization engineering at Oracle. Security of a container is critical to its reliability.

“Security should be part of how you do your application rollout and not something you consider afterward. You really need to integrate security as part of your design up front,” he told LinuxInsider.

Several procedures in packaging containers require security considerations. That security assessment starts when you package something. In building a container, you must consider the source of those files that you are packaging, Coekaerts said.

Security continues with how your image is created. For instance, do you have code scanners? Do you have best practices around the ports you are opening? When you download from third-party websites, are those images signed so you can be sure of what you are getting?

“It is common today with Docker Hub to have access to a million different images. All of this is cool. But when you download something, all that you have is a black box,” said Coekaerts. “If that image that you run contains ‘phone home’ type stuff, you just do not know unless you dig into it.”
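The packaging checks Coekaerts lists above (where the files come from, whether the base image can be verified, what ports are opened) are mechanical enough to automate. The following is an added example, not code from Oracle or from Docker: a small linter that reads a Dockerfile and flags an unpinned base image, remote downloads without a checksum, a download piped straight into a shell, remote-admin ports, and a container that never drops root. The two Dockerfiles are constructed for the demo, and the rule names and severities are assumptions.

```python
"""Check a Dockerfile for the packaging mistakes discussed above.

Added example, not Oracle's or Docker's tooling. The Dockerfile text is
constructed for the demo; the rule names and severities are assumptions.
"""
import re

# Constructed sample: a typical "pull things from the internet" Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM python:3.11
RUN curl -sSL https://example.invalid/install.sh | sh
ADD https://example.invalid/tool.tar.gz /opt/
EXPOSE 22 80 443
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Constructed hardened version: digest-pinned base, no remote fetches,
# non-root user, only the application port exposed.
HARDENED_DOCKERFILE = """\
FROM python:3.11-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
COPY --chown=app:app . /app
USER app
EXPOSE 8080
CMD ["python", "/app/main.py"]
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
REMOTE_ADMIN_PORTS = {22, 23, 3389}


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations."""
    joined = text.replace("\\\n", " ")
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def check_dockerfile(text):
    """Return a list of (severity, message) findings for the Dockerfile text."""
    findings = []
    has_user = False
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            image = arg.split()[0]  # drop any "AS stage" suffix
            if not DIGEST_RE.search(image):
                findings.append(("high", f"base image not pinned by digest: {image}"))
        elif instr == "ADD" and re.search(r"\bhttps?://", arg):
            findings.append(("high", f"ADD from a remote URL with no checksum: {arg}"))
        elif instr == "RUN" and re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", arg):
            findings.append(("high", f"pipes a download straight into a shell: {arg}"))
        elif instr == "EXPOSE":
            for port in (int(p.split("/")[0]) for p in arg.split()):
                if port in REMOTE_ADMIN_PORTS:
                    findings.append(("medium", f"exposes remote-admin port {port}"))
        elif instr == "USER":
            has_user = arg.strip() not in ("root", "0")
    if not has_user:
        findings.append(("medium", "no USER instruction; container runs as root"))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label)
        for severity, message in check_dockerfile(text):
            print(f"  [{severity}] {message}")
```

The sample Dockerfile produces five findings and the hardened one none. The digest check is the important one: a tag such as python:3.11 can be repointed upstream at any time, whereas a digest identifies exactly one image, which is the only way the “black box” Coekaerts describes becomes reproducible.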

Yesterday Returns

Ensuring that containers are built securely is the inbound side of the technology equation. The outbound part involves running the application. The current model is to run containers in a cloud provider world inside a virtual machine to ensure that you are protected, noted Coekaerts.

“While that’s great, it is a major change in direction from when we started using containers. It was a vehicle for getting away from a VM,” he said. “Now the issue has shifted to concerns about not wanting the VM overhead. So what do we do today? We run everything inside a VM. That is an interesting turn of events.”

A related issue is running containers natively: the kernel alone does not provide enough isolation between processes. So now what?

The new response is to run containers in a VM to protect them. Security is not compromised, thanks to lots of patches in Linux and the hypervisor. That ensures all the issues with the cache and side channels are patched, Coekaerts said.

However, it leads to new concerns among Oracle’s developers about how they can ramp up performance and keep up that level of isolation, he added.

Are Containers the New Linux OS?

Some view today’s container technology as the first step in creating a subset of traditional Linux. Coekaerts gives that view some credence.

“Linux the kernel is Linux the kernel. What is an operating system today? If you look at a Linux distribution, that certainly is morphing a little bit,” he replied.

What is running an operating system today? Part of the model going forward, Coekaerts continued, is that instead of installing an OS and installing applications on top, you basically pull in a Docker-like structure.

“The nice thing with that model is you can run different versions on the same machine without having to worry about library conflicts and such,” he said.

Today’s container operations resemble the old mainframe model. On the mainframe, everything was a VM. Every application you started had its own VM.

“We are actually going backward in time, but at a much lighter weight model. It is a similar concept,” Coekaerts noted.

Container Tech Responds Rapidly

Container technology is evolving quickly.

“Security is a central focus. As issues surface, developers are dealing with them quickly,” Coekaerts said, and the security focus applies to other aspects of the Linux OS too.

“All the Linux developers have been working on these issues,” he noted. “There has been a great communication channel before the disclosure date to make sure that everyone has had time to patch their version of the kernel, and making sure that everyone shares code,” he said. “Is the process perfect? No. But everyone works together.”

Security Black Eye

Vulnerabilities in open source code have been the cause of many recent major security breaches, said Dean Weber, CTO of Mocana.

Open source components are present in 96 percent of commercial applications, based on a report Black Duck released last year.

The average application has 147 different open source components, and 67 percent of the applications examined contain components with known vulnerabilities, according to the report.

“Using vulnerable, open source code in embedded OT (operational technology), IoT (Internet of Things) and ICS (industrial control system) environments is a bad idea for many reasons,” Weber told LinuxInsider.

He cited several examples:

  • The code is not reliable within those devices.
  • Code vulnerabilities easily can be exploited. In OT environments, you don’t always know where the code is in use or if it is up to date.
  • Systems cannot always be patched in the middle of production cycles.

“As the use of insecure open source code continues to grow in OT, IoT and ICS environments, we may see substations going down on the same day, major cities losing power, and sewers backing up into water systems, contaminating our drinking water,” Weber warned.

Good and Bad Coexist

The brutal truth for companies using open source libraries and frameworks is that open source is awesome, generally high-quality, and absolutely the best method for accelerating digital transformation, maintained Jeff Williams, CTO of Contrast Security.

However, open source comes with a big *but,* he added.

“You are trusting your entire business to code written by people you don’t know for a purpose different than yours, and who may be hostile to you,” Williams told LinuxInsider.

Another downside to open source is that hackers have figured out that it is an easy attack vector. Dozens of new vulnerabilities in open source components are released every week, he noted.

Every business option comes with a bottom line. For open source, the user is responsible for the security of all the open source used.

“It is not a free lunch when you adopt it. You are also taking on the responsibility to think about security, keep it up to date, and establish other protections when necessary,” Williams said.

Best Practices

Developers need an efficient guideline to leverage different deployment models. Software complexity makes it almost impossible for organizations to deliver secure systems. So it is about covering the bases, according to Exit Technologies’ Bittner.

Fundamental practices, such as creating an inventory of open source components, can help devs match known vulnerabilities with installed software. That reduces the threat risk, he said.
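An inventory is only useful once it is matched against an advisory feed, and the matching is where most homegrown scripts go wrong (version ranges, name normalization, advisories with no fix yet). The following added example, which is not a tool from Exit Technologies or any vendor named in this article, builds an inventory from a pip-style lock file and matches it against a small advisory list. The package names, versions and advisory identifiers are constructed placeholders, not real packages or real CVEs.

```python
"""Build a component inventory and match it against an advisory feed.

Added example; not Exit Technologies' or any vendor's tool. Package names,
versions and advisory IDs below are constructed placeholders for the demo.
"""

# Constructed inventory: a pip-style lock file (name==version per line).
LOCK_FILE = """\
# constructed sample, not a real project
examplelib==1.2.3
Demo_Parser==0.9.1
widgetkit==4.0.0
"""

# Constructed advisory feed. Each entry covers the half-open range
# [introduced, fixed); fixed=None means no fixed release exists yet.
# The IDs are placeholders, not real CVE or GHSA identifiers.
ADVISORIES = [
    {"id": "DEMO-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "DEMO-0002", "package": "examplelib", "introduced": "0.1.0", "fixed": "1.0.0"},
    {"id": "DEMO-0003", "package": "demo-parser", "introduced": "0.9.0", "fixed": None},
    {"id": "DEMO-0004", "package": "widgetkit", "introduced": "3.0.0", "fixed": "4.0.0"},
]


def parse_version(v):
    """'1.2' -> (1, 2, 0): numeric tuple padded so '1.2' and '1.2.0' compare equal."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def normalize(name):
    """Package names are case-insensitive and '-' equals '_' (PEP 503 style)."""
    return name.lower().replace("_", "-")


def build_inventory(lock_text):
    """Return {normalized-name: version} from a name==version lock file."""
    inventory = {}
    for line in lock_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "==" not in line:
            continue
        name, version = line.split("==", 1)
        inventory[normalize(name.strip())] = version.strip()
    return inventory


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None: every later release)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(inventory, advisories):
    """Return a sorted list of (package, installed version, advisory id) hits."""
    hits = []
    for adv in advisories:
        name = normalize(adv["package"])
        if name in inventory and is_affected(inventory[name], adv["introduced"], adv["fixed"]):
            hits.append((name, inventory[name], adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for package, version, advisory in match_advisories(build_inventory(LOCK_FILE), ADVISORIES):
        print(f"{package}=={version} is affected by {advisory}")
```

Two details carry the security weight here. The range is half-open, so a package sitting exactly on the fixed release (widgetkit 4.0.0 above) is correctly not reported, and an advisory with no fix yet still matches, which is the case an inventory most needs to surface because the only remedy is a compensating control rather than an upgrade.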

“Of course, there is a lot of pressure on dev teams to build more software more quickly, and that has led to increased automation and the rise of DevOps,” Bittner acknowledged. “Businesses have to ensure they don’t cut corners on testing.”

Developers should follow the Unix philosophy of minimalist, modular deployment models, suggested Gravitational’s Ingersoll. The Unix approach involves progressive layering of small tools to form end-to-end continuous integration pipelines. That produces code running in a real target environment without manual intervention.

Another solution for developers is an approach that can standardize with a common build for their specific use that considers third-party dependencies, security and licenses, suggested Bart Copeland, CEO of ActiveState. Also, best practices for OS deployment models need to consider dependency management and environment configuration.

“This will reduce problems when integrating code from different departments, decrease friction, increase speed, and reduce attack surface area. It will eliminate painful retrofitting open source languages for dependency management, security, licenses and more,” he told LinuxInsider.

Where Is the Open Source Model Headed?

Open source has been becoming more and more enterprise led. That has been accompanied by an increased rise in distributed applications composed from container-based services, such as Kubernetes, according to Copeland.

Application security is at odds with the goals of development: speed, agility and leveraging open source. These two paths need to converge in order to facilitate development and enterprise innovation.

“Open source has won. It is the way everyone — including the U.S. government — now builds applications. Unfortunately, open source remains chronically underfunded,” said Copeland.

That will lead to open source becoming more and more enterprise-led. Enterprises will donate their employee time to creating and maintaining open source.

Open source will continue to dominate the cloud and most server estates, predicted Howard Green, vice president of marketing for Azul Systems. That influence starts with the Linux OS and extends through much of the data management, monitoring and development stack in enterprises of all sizes.

It is inevitable that open source will continue to grow, said Contrast Security’s Williams. It is inextricably bound with modern software.

“Every website, every API, every desktop application, every mobile app, and every other kind of software almost invariably includes a large amount of open source libraries and frameworks,” he observed. “It is simply unavoidable and would be fiscally imprudent to try to develop all that code yourself.”


Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.






Linus Torvalds Takes a Break, Apologizes » Linux Magazine


In an unexpected move, Linus Torvalds, the creator of the Linux kernel, is going to take a break from the kernel as he reflects on his behavior on the Linux Kernel Mailing List (LKML).

He made this announcement on LKML, “I am going to take time off and get some assistance on how to understand people’s emotions and respond appropriately.”

Torvalds admitted, “I need to change some of my behavior, and I want to apologize to the people that my personal behavior hurt and possibly drove away from kernel development entirely.”

Although Torvalds is generally very friendly towards users, he is known for using strong language and sometimes insulting comments when discussing technical issues with Linux kernel maintainers and developers.

It’s true that, unlike other managers, Torvalds doesn’t have the power to encourage or discourage his team members by demoting them or taking away their bonuses. His choices are limited. However, his frustration towards his team needs a different kind of venting; personal attacks have proved to be demotivating. Many talented developers have quit the kernel.

The kernel community has been vocal about it and admitted that there is no place for this behavior. It will be interesting to see a changed Torvalds when he returns from his break.

The announcement by Linus accompanied the release of a newly revamped Code of Conduct to support a positive work environment for all kernel participants.




NextCloud 14 Arrives » Linux Magazine


Nextcloud GmbH has announced the release of Nextcloud 14, a fully open source enterprise file sync and share (EFSS) solution. The new release brings many new features, including an even tighter focus on security.

Unlike its closest competitor Dropbox, Nextcloud is more of a platform than just a sync and storage solution. Nextcloud comes with online collaborative software, secure web chat, secure voice and video conferencing, calendaring, contacts, and more.

Now Nextcloud is using a combination of its services to offer tighter security. It’s now using ‘video verification’ for sharing sensitive data. While sending a document, a user can choose to add a ‘Talk’ verification feature (Talk is the name of the video chat service of Nextcloud).

The recipient would have to appear online via video chat and confirm their identity in order for the file to be transferred. The sender would send a password for the file and the receiver would receive the password verbally through the video chat.

Another security-centric feature of Nextcloud 14 is a new two-factor authentication option. It lets users receive a one-time code through a third-party channel such as Signal, Telegram or SMS and use it as the second factor when logging in.

Hypothetically, Nextcloud can take it to the next level by introducing a 3-factor authentication, by asking the recipient to verify the QR code sent via SMS during the video chat.
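Both features above rest on the same idea: a secret that reaches the user over a channel the attacker is assumed not to control, whether a code sent through Signal, Telegram or SMS, or a share password spoken over the Talk video call. The following is an added example and not Nextcloud's code; it shows the server side of such a factor, with the properties that make it worth having: the code comes from a CSPRNG, only a salted hash of it is stored, it expires, it is single use, guesses are limited, and the comparison is constant time. The gateway call is a stand-in for the real messaging API, and the digit count, lifetime and attempt limit are assumptions.

```python
"""One-time code second factor delivered over an out-of-band channel.

Added example; this is not Nextcloud's code. send_message stands in for
the Signal/Telegram/SMS gateway, and the constants are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption
CODE_TTL_SECONDS = 300   # assumption
MAX_ATTEMPTS = 3         # assumption


class OutOfBandSecondFactor:
    """Issue and verify short-lived one-time codes sent through a gateway."""

    def __init__(self, send_message, clock=time.time):
        self._send = send_message   # callable(recipient, text): assumed gateway API
        self._clock = clock         # injectable for testing expiry
        self._pending = {}          # user -> {hash, salt, expires, attempts}

    def issue(self, user, recipient):
        """Generate a fresh code for user and hand it to the gateway."""
        # CSPRNG, zero-padded so a leading zero is not silently dropped.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "hash": self._hash(code, salt),   # never store the code itself
            "salt": salt,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send(recipient, f"Your login code is {code}")

    def verify(self, user, submitted):
        """Return True once, for the right code, inside the window and attempt budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]   # expired or exhausted: the user must request a new code
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(self._hash(submitted, entry["salt"]), entry["hash"])
        if ok:
            del self._pending[user]   # single use: a replayed code must fail
        return ok

    @staticmethod
    def _hash(code, salt):
        return hashlib.sha256(salt + code.encode()).digest()


if __name__ == "__main__":
    outbox = []
    factor = OutOfBandSecondFactor(lambda to, text: outbox.append((to, text)))
    factor.issue("alice", "+15550000000")       # constructed recipient
    print("gateway would send:", outbox[-1])
    code = outbox[-1][1].split()[-1]
    print("first use:", factor.verify("alice", code), "replay:", factor.verify("alice", code))
```

The attempt limit is what makes a six-digit code defensible: without it, the one-in-a-million guess becomes a certainty over an automated run, and the expiry bounds how long an intercepted message stays useful.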

Nextcloud 14 is available for free download.





Android Apps Riskier Than Ever: Report | Mobile


By Jack M. Germain

Sep 12, 2018 12:08 PM PT

Widespread use of unpatched open source code in the most popular Android apps distributed by Google Play has caused significant security vulnerabilities, suggests an American Consumer Institute report released Wednesday.

Thirty-two percent — or 105 apps out of 330 of the most popular apps in 16 categories sampled — averaged 19 vulnerabilities per app, according to the report, titled “How Safe Are Popular Apps? A Study of Critical Vulnerabilities and Why Consumers Should Care.”

Researchers found critical vulnerabilities in many common applications, including some of the most popular banking, event ticket purchasing, sports and travel apps.


[Chart: Distribution of Vulnerabilities Based on Security Risk Severity]


ACI, a nonprofit consumer education and research organization, released the report to spearhead a public education campaign to encourage app vendors and developers to address the worsening security crisis before government regulations impose controls over Android and open source code development, said Steve Pociask, CEO of the institute.

The ACI will present the report in Washington D.C. on Wednesday, at a public panel attended by congressional committee members and staff. The session is open to the public.

“There were 40,000 known open source vulnerabilities in the last 17 years, and one-third of them came last year,” ACI’s Pociask told LinuxInsider. That is a significant cause for concern, given that 90 percent of all software in use today contains open source software components.

Pushing the Standards

ACI decided the public panel would be a good venue to start educating consumers and the industry about security failings that infect Android apps, said Pociask. The report is meant to be a starting point to determine whether developers and app vendors are keeping up with disclosed vulnerabilities.

“We know that hackers certainly are,” Pociask remarked. “In a way, we are giving … a road map to hackers to get in.”

The goal is to ward off the need for eventual government controls on software by creating a public dialog that addresses several essential questions. Given the study’s results, consumers and legislators need to know if app vendors and developers are slow to update because of the expense, or merely complacent about security.

Other essential unanswered questions, according to Pociask, include the following: Do the vendors notify users of the need to update apps? To what extent are customers updating apps?

Not everyone relies on auto update on the Android platform, he noted.

“Some vendors outsource their software development to fit their budget and don’t follow up on vulnerabilities,” Pociask said.

Having the government step in can produce detrimental consequences, he warned. Sometimes the solutions imposed are not flexible, and they can discourage innovation.

“It is important for the industry to get itself in order regarding privacy requirements, spoofing phone numbers and security issues,” said Pociask.

Report Parameters

Businesses struggle to provide adequate protection for consumer personal information and privacy. Governments in California and the European Union have been putting more aggressive consumer privacy laws in place. Americans have become more aware of how vulnerable to theft their data is, according to the report.

One seemingly indispensable device that most consumers and businesses use is a smartphone. However, the apps on it may be one of the most serious data and privacy security risks, the report notes.

Researchers tested 330 of the most popular Android apps on the Google Play Store during the first week in August. ACI’s research team used a binary code scanner — Clarity, developed by Insignary — to examine the APK files.

Rather than focus on a random sampling of Google Play Store apps, ACI researchers reported on the largest or most popular apps in categories. Most of the apps are distributed within the United States. Researchers picked 10 top apps in each of the 33 categories in the Play store.

Factoring the Results

Results were charted as critical, high, medium and low vulnerability scores. Of 330 tested apps, 105 — or 32 percent — contained vulnerabilities. Of those identified, 43 percent either were critical or high risk, based on the national vulnerability database, according to the report.

“We based our study on the most popular apps in each category. Who knows how much worse the untested apps are in terms of vulnerabilities?” Pociask asked.

In the apps sampled, 1,978 vulnerabilities were found across all severity levels, and 43 percent of the discovered vulnerabilities were deemed high-risk or critical. Approximately 19 vulnerabilities existed per app.

The report provides the names of some apps as examples of the various ways vendors deal with vulnerabilities. Critical vulnerabilities were found in many common applications, including some of the most popular banking, event ticket purchasing, sports and travel apps.

For example, Bank of America had 34 critical vulnerabilities, and Wells Fargo had 35 critical vulnerabilities. Vivid Seats had 19 critical and five high vulnerabilities.

A few weeks later, researchers retested some of the apps that initially tested way out of range. They found that the two banking apps had been cleaned up with updates. However, the Vivid Seats app still had vulnerabilities, said Pociask.

Indications for Remedies

More effective governance is critical to addressing “threats such as compromised consumer devices, stolen data, and other malicious activity including identity theft, fraud or corporate espionage,” states the report.

These results increasingly have been taking center stage, noted the researchers.

The ACI study recommends that Android app developers scan their binary files to ensure that they catch and address all known security vulnerabilities. The study also stresses the urgency and need for apps providers to develop best practices now, in order to reduce risks and prevent a backlash from the public and policymakers.
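The recommendation to scan binaries rather than source is worth making concrete, because a vendor that buys a library as a prebuilt .so or receives an outsourced build has no manifest to inventory. The following added example is not Insignary's Clarity and not ACI's method; it builds a small APK in memory from constructed files and fingerprints the open source components bundled under lib/ by the version strings the libraries embed in their own binaries. The component names and string patterns are assumptions about how such libraries typically identify themselves, and the version numbers in the sample files are arbitrary.

```python
"""Fingerprint open source components inside an APK without source code.

Added example; not Insignary's Clarity or ACI's method. The APK is built
in memory from constructed files, and the version-string patterns are
assumptions about how these libraries typically identify themselves.
"""
import io
import re
import zipfile

# Patterns for version strings that native libraries commonly embed.
# Component names are illustrative; the regexes are assumptions.
FINGERPRINTS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(rb"inflate (\d+\.\d+\.\d+) Copyright"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}

# Constructed APK contents. An APK is a zip; native code lives under lib/<abi>/.
# The ELF headers are fake and the version numbers are arbitrary sample data.
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<binary manifest placeholder>",
    "classes.dex": b"dex\n035\0" + b"\0" * 32,
    "lib/arm64-v8a/libcrypto.so": b"\x7fELF" + b"\0" * 16 + b"OpenSSL 1.0.2k  26 Jan 2017\0",
    "lib/arm64-v8a/libnative.so": b"\x7fELF" + b"\0" * 16 + b"inflate 1.2.8 Copyright 1995-2013 Mark Adler\0",
    "lib/armeabi-v7a/libcrypto.so": b"\x7fELF" + b"\0" * 16 + b"OpenSSL 1.0.2k  26 Jan 2017\0",
    "assets/readme.txt": b"OpenSSL 9.9.9 mentioned in a text asset, not a binary",
}


def build_sample_apk():
    """Return the constructed APK as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLE_FILES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_apk(apk_bytes):
    """Return {component: sorted versions} found in the APK's native libraries."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            # Only shared objects under lib/ count; text assets can mention
            # anything and would produce false positives.
            if not (info.filename.startswith("lib/") and info.filename.endswith(".so")):
                continue
            blob = zf.read(info)
            for component, pattern in FINGERPRINTS.items():
                for match in pattern.finditer(blob):
                    found.setdefault(component, set()).add(match.group(1).decode())
    return {component: sorted(versions) for component, versions in found.items()}


if __name__ == "__main__":
    for component, versions in scan_apk(build_sample_apk()).items():
        print(f"{component}: {', '.join(versions)}")
```

The output of scan_apk is exactly the inventory that the matching step needs; the same library shipped for two ABIs collapses to one entry, and a string in a text asset is ignored so that documentation cannot masquerade as a bundled component. A real scanner widens the fingerprint set and also hashes the binaries, but the mechanism is the one shown.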

The researchers highlighted the complacency that many app providers have exhibited in failing to keep their software adequately protected against known open source vulnerabilities that leave consumers, businesses and governments open to hacker attacks, with potentially disastrous results.

Note: Google routinely scans apps for malware, but it does not check apps for the unpatched vulnerabilities that could let malware in.

“We want to create a lot more awareness for the need to update the vulnerabilities quickly and diligently. There is a need to push out the updates and notify consumers. The industries should get involved in defining best practices with some sort of recognizable safety seal or rating or certification,” Pociask said.

App Maker or User Problem?

This current ACI report, along with others providing similar indications about software vulnerabilities, concerns an area many app users and vendors seem to ignore. That situation is exacerbated by hackers finding new ways to trick users into allowing them access to their devices and networks.

“Posing as real apps on an accredited platform like the Google Play Store makes this type of malicious activity all the more harmful to unsuspecting users,” said Timur Kovalev, chief technology officer at Untangle.

It is critical for app users to be aware that hackers do not care who becomes their next victim, he told LinuxInsider.

Everyone has data and private information that can be stolen and sold. App users must realize that while hackers want to gain access and control of their devices, most also will try to infiltrate a network that the device connects to. Once this happens, any device connected to that network is at risk, Kovalev explained.

Even if an app maker is conscientious about security and follows best practices, other vulnerable apps or malware on Android devices can put users at risk, noted Sam Bakken, senior product marketing manager at OneSpan.

“App makers need to protect their apps’ runtime against external threats over which they don’t have control, such as malware or other benign but vulnerable apps,” he told LinuxInsider.

Part of the Problem Cycle

The issue of unpatched vulnerabilities makes the ongoing situation of malicious apps more troublesome. Malicious apps have been a consistent problem for the Google Play Store, said Chris Morales, head of security analytics at Vectra.

Unlike Apple, Google does not maintain strict control over the applications developed using the Android software development kit.

“Google used to perform basic checks to validate an app is safe for distribution in the Google Play Store, but the scale of apps that exists today and are submitted on a daily basis means it has become very difficult for Google to keep up,” Morales told LinuxInsider.

Google has implemented new machine learning models and techniques within the past year, he pointed out, in an effort to improve the company’s ability to detect abuse — such as impersonation, inappropriate content or malware.

“While these techniques have proven effective at reducing the total number of malicious apps in the Google Play Store, there will always be vulnerabilities in application code that get by Google’s validation,” noted Morales.

Developers still need to address the problem of malicious or vulnerable apps that could be exploited after being installed on a mobile device. That would be handled by applying machine learning models and techniques on the device and on the network. That would help to identify malicious behaviors that would occur after an app is already installed and bypassed the Google security checks, Morales explained.

Time for Big Brother?

Having government agencies step in to impose solutions may lead to further problems. Rather than a one-size-fits-all solution, ACI’s Pociask prefers a system of priorities.

“Let’s see if the industry can come up with something before government regulations are imposed. Getting a knee-jerk reaction right now would be the wrong thing to do in terms of imposing a solution,” he cautioned.

Still, personal devices are the user’s responsibility. Users need to take more accountability with regards to what apps they are allowing on their devices, insisted Untangle’s Kovalev.

“Government intervention at this time is likely not needed, as both users and Google can take additional actions to protect themselves against malicious apps,” he said.

Frameworks Exist

Dealing with unpatched Android apps may not need massive efforts to reinvent the wheel. Two potential starting points already are available, according to OneSpan’s Bakken.

One is the U.S. National Institute of Standards and Technology, or NIST. It has guidelines for vetting mobile apps, which lay out a process for ensuring that mobile apps comply with an organization’s mobile security requirement.

“This can help an enterprise, for example, to keep some vulnerable mobile apps out of their environment, but instituting such a program is no small feat. It’s also simply guidance at this point,” said Bakken.

The other starting point could be the Federal Financial Institutions Examination Council, or FFIEC, which provides some guidance for examiners to evaluate a financial institution’s management of mobile financial services risk. It also provides some safeguards an institution should implement to secure the mobile financial services they offer, including mobile apps.

“In the end, the effectiveness of any government intervention really depends on enforcement. It’s likely that any intervention would focus on a specific industry or industries, meaning not all mobile app genres would be in scope,” Bakken said. “That means that developers of some mobile apps for consumers would not necessarily have any incentive to secure their apps.”

What Needs to Happen?

One major solution focuses on patching the Google Play platform. Joining the platform is straightforward, according to Kovalev. Developers complete four basic steps and pay a fee.

Once joined, developers can upload their apps. Google processes them through a basic code check. Often, malicious apps do not appear to be malicious, as they have been programmed with a time-delay for malicious code to be executed, he noted.

“To combat these malicious apps, Google has begun to implement better vetting techniques — like AI learning and providing rewards to white hat pros who hunt down and surface these malicious apps,” Kovalev said.

While these techniques have helped to pinpoint malicious apps, the apps should be vetted more thoroughly prior to being publicly available to unsuspecting users, he stressed.

Final Solution

The ultimate fix for broken Android apps rests with app makers themselves, OneSpan’s Bakken said. They are in the best position to lead the charge.

He offered this checklist for mobile app developers:

  • Do threat modeling and include security in product requirements.
  • Provide secure code training to Android developers.
  • Do security testing of their apps on a regular basis as part of the development cycle.
  • Fix identified vulnerabilities as they go.
  • Submit their apps to penetration testing prior to release.

“And then, finally, they should proactively strengthen their app with app-shielding technology that includes runtime protection,” Bakken said, “so the app itself is protected, even in untrusted and potentially insecure mobile environments, to mitigate external threats from malware and other vulnerable apps.”






