Category Archives: Stiri IT Externe (External IT News)

Ribbons and Tabs Give OnlyOffice Suite a Fresh Look | Reviews


By Jack M. Germain

Jul 10, 2018 9:56 AM PT


Ascensio System SIA recently released its free office suite upgrade, OnlyOffice Desktop Editors, with a ribbon and tab interface plus numerous updated features. The refresh makes version 5.1 a potential alternative to Web versions of the Microsoft Office suite and Google Docs for Linux users.

The three-module set of OnlyOffice Desktop Editors has an impressive collection of tools geared toward individual consumers and small offices. It provides many of the conveniences available when using MS Word or Google G Suite apps.

However, the real workplace benefits of collaborating on files through cloud storage come at an add-on cost once the free-trial period ends. Still, the core functionality — word processor, spreadsheet and slide presentations — remains free and installs locally as standalone apps in Linux distributions that use .DEB, .RPM and Snap software packages.


OnlyOffice Desktop Editors ribbon-style interface

The OnlyOffice Desktop Editors have a new tabbed and ribbon-style interface with numerous updated features.


The completely reorganized interface of the free version of OnlyOffice now matches that of the OnlyOffice commercial online suite. Its other benefits include a near-seamless connection to the Web-based OnlyOffice applications for collaboration tools that include two co-editing modes (fast and strict), commenting, built-in chat, tracking changes and version history. (But more later on how seamless is not always all that it seems.)

The free and the commercial versions of OnlyOffice on Linux offer a common appearance and tools organized into tabs by their purposes: File, Home, Insert, Layout, References, Collaboration and Plugins. OnlyOffice also gives users the ability to extend the fully functional office suite with ready-to-use add-ons such as macros, WordPress, Translator and YouTube.

Whether the mostly-free features will win out over the paid add-on collaboration tools depends solely on your workflow. I use the Google Doc apps only occasionally, having found over the years that the open source LibreOffice has met or exceeded my personal and professional office suite needs. I even run LibreOffice on my Windows computer instead of MS Office.

So for the purpose of this review, I used my hands-on familiarity with LibreOffice, MS Word and Google Docs as a baseline for comparisons. In most categories, OnlyOffice showed it was up to the task.

First Impressions

OnlyOffice is a free open source office suite that is well-tuned, and it reads and writes Microsoft Office file formats reliably. It also supports other mainstream file formats, making it a good contender for your computer’s hard drive.

LibreOffice developers have been slow to offer a ribbon-style user interface. So, that is a nice new feature in OnlyOffice, even though it takes some getting used to. Having open documents in tabs is a great design that is very useful.

OnlyOffice Desktop Editors use OOXML as a native format. The developer claims this offers better support for MS Office formats than any other office suite, allowing users to work with all popular formats: DOC, DOCX, ODT, RTF, TXT, PDF, HTML, EPUB, XPS, DjVu, XLS, XLSX, ODS, CSV, PPT, PPTX, ODP.

This wide range of file formats is a good mix for users who have to exchange a variety of file types created by most of the popular text and graphics creation applications. This ability is essential for using open source software for certain work tasks. While I have a few gripes about other aspects of OnlyOffice, file interoperability is not one of them.

Modern Interface Options

One of the biggest user features that sets OnlyOffice apart from other office suites is the tabbed interface. It brings the same convenience of moving among open documents that tabbed pages bring to surfing in a Web browser.

Writing and researching require that I bounce around several websites constantly. I normally use the Geany IDE or the gedit text editor to take notes or write in multiple files when document formatting is not required. Both of those editors use tabs for open documents.

So I can use OnlyOffice as an all-in-one text editor and word processor. OnlyOffice gives me built-in access to spreadsheets and slide shows using the same interface and other features. LibreOffice and other office suites for Linux, even MS Office Online, do not offer a tabbed interface. So pairing tabs for open documents with a ribbon-style interface is a great productivity combination.

Work in the Cloud

I often work with multiple computers in several office locations. Cloud storage is more than just a convenience for my work flow. It is a necessity. My primary cloud storage solution has been Dropbox, which has nice integration with the several Linux distros that I use.

OnlyOffice blends access to its own online storage and its online office service from the OnlyOffice Desktop Editors. That cloud access and the availability of collaboration tools, even with an add-on price — give me that same degree of flexibility.

The OnlyOffice cloud service is similar to Google Docs with its automatic storage on Google Drive. When you install OnlyOffice Desktop Editors, you also are prompted to set up a free account on the OnlyOffice cloud service associated with its standalone desktop office suite.

The Downside

OnlyOffice Desktop Editors give you solid performance and several reasons to switch from your current Linux office software — but it is not a perfect solution yet. This application has several quirks.

The spell check feature is active by default. You do not have to add anything. However, you cannot add words to a personal dictionary. Your only option is to ignore words flagged as errors.

OnlyOffice is missing two critical components for any office software suite. It has no thesaurus or option to add one. Ditto for a grammar-checking feature.

Another big weakness in OnlyOffice Desktop Editors is the absence of significant settings to personalize or adapt it to your user preferences. There are no application-wide user preference settings. In an open file, however, under the File/Advanced Settings menu, is a skimpy check list for very minimal user options for that file. There is nothing “advanced” about these settings choices.


OnlyOffice File/Advanced Settings menu

In OnlyOffice no application-wide settings exist, but you can make slight adjustments to default settings in an open file using the File/Advanced Settings menu.


More Feature Flameouts

Each of these feature missteps might be minor to some users. However, regular professional users will suffer from OnlyOffice’s shortcomings:

  • You can auto recover a file, but you cannot set an auto save interval;
  • There is no save all option; if multiple document tabs are open, each must be saved manually;
  • You cannot modify the toolbar or create special quick access icons. You must click through the ribbon categories;
  • There is no ability to get a word count of highlighted text;
  • You can hide/unhide the toolbar, but you can’t configure it — only a save icon, a print icon, and undo/redo arrows are available.

Two more bothersome quirks involve file conversion and spell checker glitches. I opened an MS Word document that had large bullets in the text. OnlyOffice replaced the bullets with small question marks in a box.

The spell checker did not always replace the selected correction from the options list. I had to redo the spell check correction several times for it to replace the typos.

Usage Fail Issues

I did discover one potentially serious flaw in the otherwise impressive ability of the OnlyOffice Desktop Editors to read and write so many file formats. The seamless functionality the developer touts may have limitations. If you save your documents only to a hard drive or the OnlyOffice cloud, the process works reasonably well.

However, two quirks in the way OnlyOffice manages documents may force you to develop workarounds for the way *you* work. One, the OnlyOffice Desktop Editors insist on converting files from older formats to the most current version of the format. Two, the editor picks its own location for the saved file rather than the folder the file was opened from. In both cases the original file is left untouched and your edits land in a new file somewhere else.

It took me a while to figure out what was happening. I would open an existing file created with another office application. After editing the file, I would click the Save File icon. A Save File As dialogue box would appear on the screen. At first, I didn’t pay close attention to its content. I merely clicked the OK button and closed the application.

In subsequent work sessions, I would open the file to resume editing by clicking on the file name in File Manager or from the recent files list within OnlyOffice. The file that loaded was not the last file saved. The content I added or edited was missing. This happened regularly if I used a different workstation or mobile device to access the file.

Remember what I said earlier about my cloud storage setup? Each of my computers has a Dropbox folder with subfolders. These instantly sync with my master files stored in the Dropbox cloud. The key to this file management process is having the same folder and subfolder tree on each device and in the cloud storage system.

Problem Exposed

This was a major usability issue for me. When I clicked the Save File Button in OnlyOffice, the Save As dialogue box displayed two things that caused the problem.

One was the file location. It did not keep the path location of the opened file. It always defaulted to the main folder location, not the designated subfolder.

Two, when a document is first opened, OnlyOffice converts it from its existing file type to a different one. This is a problem with files created in another office application that were saved in an older format version. If you create a new file, you select the file type on first saving. However, OnlyOffice uses the latest file version for new file creations.

For example, when I first began testing OnlyOffice, I created a new file to write my observations and first draft of this review. I then used OnlyOffice to continue work projects on existing files. That is when I noticed the content was different.

Why Stuff Happens

OnlyOffice has a menu option to open local files. There is no auto save feature, so the first save pops up the Save As dialogue box. It defaults to username/documents/filename and adds the latest file format. Older format options are not available. Therein lies the problem for reliable file interoperability.

For example, I opened a work document saved as “ARTICLE1.DOC” created in MS Word stored in the /Dropbox/documents/Freelance/Client A subdirectory. OnlyOffice saved the file as “ARTICLE1.DOCX” in the /Dropbox/Documents directory.

When I thought I was resuming work on that file in a subsequent editing session, the recent documents list in the menu loaded an earlier file without the latest changes in it. The same wrong file loaded when accessed from my other devices.

A similar scenario occurred when I loaded a spreadsheet file in OnlyOffice created with LibreOffice Calc. OnlyOffice saved the original “SPREADSHEET2.xls” as “SPREADSHEET2.xlsx” in the /Dropbox/documents/ directory.

Another usability issue involves default application status. OnlyOffice automatically appoints itself the default application for the document types it handles after installation. To undo this, right-click a file of that type in File Manager and choose a different application as the default for that file type. Some Linux distros give you that option in the Preferences panel also.

Give It a Spin

Unlike most office suite applications, OnlyOffice has a single launcher. It has no separate launchers for word processor, spreadsheet and slide presentation module. You click on the single menu item and the application opens to a file manager type page.


OnlyOffice file manager page

OnlyOffice does not have separate launchers for word processor, spreadsheet and slide presentation modules. You click on the single menu item and the application opens to a file manager page. From there you create a new file or open an existing document by clicking on the file name.


In the left column are buttons to create a new file for each of the three modules. On the larger right side of the screen is a directory view based on which option you select in the left column.

Under those options are buttons to display a list of recent files on the larger right column or open local files stored on the computer. Three other buttons let you sign up for a free trial period of collaboration features. The options are Share and Collaborate, view version histories, and collaborative review.

The OnlyOffice Desktop Editors release is available for Linux, Windows and macOS. The source code is available on GitHub under the AGPL v3 license.

Want to Suggest a Review?

Is there a Linux software application or distro you’d like to suggest for review? Something you love or would like to get to know?

Please email your ideas to me, and I’ll consider them for a future Linux Picks and Pans column.

And use the Reader Comments feature below to provide your input.


Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.
Email Jack.






Honey I Shrunk Ubuntu » Linux Magazine


Canonical is tightening its focus on cloud and enterprise markets. The company has released a new version of Ubuntu, dubbed Minimal Ubuntu, which it claims is optimized for automated use at scale, with a tiny package set and minimal security cross-section.

Canonical claims that Minimal Ubuntu is the smallest Ubuntu base image for cloud operations. These images are less than 50% the size of the standard Ubuntu server image, and boot up to 40% faster.

Small doesn’t mean less. Despite its reduced size, Minimal Ubuntu retains full compatibility with standard Ubuntu. Any Ubuntu package can be installed on Minimal Ubuntu.

“The small footprint of Minimal Ubuntu, when deployed with fast VM provisioning from GCE, helps deliver drastically improved boot times, making them a great choice for developers looking to build their applications on Google Cloud Platform,” said Paul Nash, Group Product Manager, Google Cloud.

Images of Minimal Ubuntu 16.04 LTS and 18.04 LTS are available for use now in Amazon EC2, Google Compute Engine (GCE), LXD and KVM/OpenStack.

Source: https://blog.ubuntu.com/2018/07/09/minimal-ubuntu-released




OpenShift Brings Full Cross-Platform Flexibility to Azure Cloud | Enterprise


By Jack M. Germain

May 10, 2018 5:00 AM PT

Microsoft and Red Hat on Tuesday introduced OpenShift on Azure at Red Hat Summit 2018 in San Francisco.


This release is the first fully managed, easy-to-use version of OpenShift in the cloud, the companies said. The fully managed integration of OpenShift on Azure means that Microsoft and Red Hat will join to engineer, operate and support the platform.

That combined support will keep it up-to-date with a single unified bill and an integrated support experience, so that in all respects it will run as a native Azure service, said Brendan Burns, a distinguished engineer for Microsoft Azure.

A “one throat to choke” strategy is a key element missing from other cloud-based OpenShift offerings, he said, noting customer feedback on its importance.

“This is a very significant development,” said Mike Ferris, vice president for business architecture at Red Hat.

“Our prior announcements were focused on providing customers with a technical integration backed by aligned support,” he told LinuxInsider, “but with this announcement we are jointly delivering a solution that creates a first-in-class container service for customers looking to leverage the Azure platform.”


Openshift on Azure


What It Does

OpenShift is an open source container application platform developed by Red Hat. It runs on top of Docker containers and the Kubernetes container cluster manager for enterprise app development and deployment.

Azure is Microsoft’s enterprise-grade cloud platform. Red Hat and Microsoft have teamed up to optimize OpenShift while running on Azure to ensure enterprise performance standards and matching integrated support.

The companies first announced an expansion of their alliance last summer with initiatives designed to enable enterprises to adopt container usage more easily. Among them were native support for Windows Server containers on Red Hat OpenShift Container Platform, Red Hat OpenShift Dedicated on Microsoft Azure, and SQL Server on Red Hat Enterprise Linux and OpenShift.

That alliance now provides much more to customers than the original concept. It will be managed and engineered to make it easier and quicker to use on Azure, Burns said.

Red Hat and Microsoft will extend integrated, co-located Microsoft and Red Hat support to enable these new offerings across platforms. This approach will help to reassure IT organizations that Microsoft and Red Hat will provide a united front to address whatever challenges Docker and Kubernetes may present to enterprises on their path to digital transformation.

Distinct Difference

Red Hat offers OpenShift Dedicated on both Amazon Web Services and Google Cloud Platform. However, as Red Hat OpenShift on Azure is operated jointly, customers will receive the benefits of the infrastructure, operations and scale of Azure, along with container, Linux and DevOps expertise from Red Hat.

“The core platform is still OpenShift, creating a consistent platform for app development and deployment in every footprint that OpenShift is offered,” said Red Hat’s Ferris.

Separate Not Equal

Enterprises see the benefit in using containerized applications to run their mission-critical applications, noted Microsoft’s Burns. But most IT organizations have not standardized on a single infrastructure stack.

Heterogeneous environments often use both Windows and Linux platforms. Siloing applications makes it difficult for a business to adopt DevOps practices.

Managing the infrastructure for cloud-native applications and the container platforms that power them is critical to digital transformation. However, managing the infrastructure for these technologies can be complex and time-consuming for already-stretched IT teams, Burns pointed out.

Having a managed service will free customers from having to focus on infrastructure management, allowing them to focus instead on containerized application development leveraging the Azure services, Ferris suggested.

“Faster, more reliable, more scalable applications will result in more rapid and innovative features for end users, backed by both Microsoft and Red Hat,” he said.

Problem Solved

Red Hat OpenShift is the first container application platform built from the open source Kubernetes project to support both Linux and Windows Server container workloads in a single platform across the multiple environments of the hybrid cloud.

This breaks down silos and makes it easier for enterprises to pursue a cloud-native agenda, Burns explained.

“Alongside Microsoft, Red Hat is providing a way for organizations to truly make the technology choices that matter to them, from containerized workloads to public cloud services, without adding an equal burden of complexity,” said Matthew Hicks, vice president of Software Engineering for OpenShift and Management at Red Hat.

The integrated support teams offer an achievable pathway to digital transformation that offers the capabilities, flexibility and choice required to power the future of enterprise IT, he added.

Benefits Included

Because it is continually updated by developers, OpenShift has a smaller attack surface for vulnerabilities, noted Robert Corradini, director of product management at 5nine. This makes the platform ideal for enterprises who have compliance mandates around open source and free software, and for those with existing Red Hat licensing deals.

Platform strengths include auto-scaling, which helps manage container sprawl; monitoring, which enables performance insights on each individual container; and security, which looks for abnormalities, he told LinuxInsider.

“One weakness could be the limitations of not being community developed — so less innovation — and also variable cost, which could make expenses unpredictable,” Corradini said.

As OpenShift is an open source product, its developer communities can help provide rapid bug fixes pretty quickly. Plus, OpenShift is vendor-agnostic, noted Anthony James, CMO at CipherCloud.

“You can move container applications around rapidly and do not have the issues of getting yourself extracted from proprietary platforms,” he told LinuxInsider, adding that the managed service for hybrid clouds provides customers with a single point of contact for planning, implementation and support.








Cinnamon Desktop Spices Up RoboLinux Raptor | Reviews


By Jack M. Germain

May 19, 2018 5:00 AM PT

RoboLinux is a unique distro that focuses on incorporating Windows versions XP through 10 within a fully functional Linux operating system.

You might never need the Stealth VM features that let you easily install and run Microsoft Windows within most any Linux distro. Still, RoboLinux is a topnotch general purpose Linux computing platform that comes with a choice of leading desktop environments.

RoboLinux does what other Linux distros can’t. It creates a cloned Drive C from a Windows partition and installs your favorite Windows version with all of your costly Windows software running in a virtual machine. It does this for free under current marketing plans. RoboLinux is also a free download.

All currently supported Robolinux OS releases come with free tech support. This combination of benefits makes RoboLinux an ideal platform for enterprises and SOHOs, as well as individual users, to transition to Linux.

RoboLinux Raptor 9.2.1, released last week, runs the newest iterations of Cinnamon and MATE 3D desktops. Or you can choose from previous editions that include XFCE, GNOME 3, LXDE and KDE.


RoboLinux Raptor 9.2.1 Cinnamon desktop

The Cinnamon desktop brings a familiar look and feel to RoboLinux Raptor 9.2.1.


The upgraded versions provide Long-Term Support until 2021. They run newer Linux kernels that bring improved speed, more security and better stability.

Both new RoboLinux 9.2 Raptor versions carry fixes for the recent x86 and x64 Spectre and Meltdown vulnerabilities, provide optional UEFI support and ship the newest VirtualBox release, version 5.2.10.

Test Flight Odyssey

I tested and reviewed prior MATE and GNOME editions several years ago. I was impressed with RoboLinux then. I am even more satisfied with RoboLinux now.

The premise behind RoboLinux makes this distro a must-try computing platform. For instance, I can hang on to my workbench Windows software without actually keeping separate physical boxes that add to my office clutter.

My reacquaintance with RoboLinux via this latest release was a win-win event. My workload rarely requires Microsoft software these days, so I have little need for dedicating and maintaining a Windows computer. I certainly have more fun with Linux.

With RoboLinux, I am able to maintain a Windows setup without the hassles of dual booting Windows and Linux. Plus, being able to run all of my Windows stuff in a virtual machine in a separate workspace within my workhorse Linux OS is a huge convenience.

The latest RoboLinux release gave me an excuse to test-drive my favorite desktop environment — Cinnamon — in a different distro. My plan was to see how well the Raptor 9.2 series handled.


RoboLinux Raptor 9.2.1 Cinnamon desktop control panel

The Cinnamon desktop’s control panel gives users a vast range of options for personalizing the way RoboLinux works.


The experience was so successful I decided to upgrade my earlier RoboLinux installation and clone my Windows 10 installation to run in a VM. The added benefit is the opportunity to run a nifty, speedy RoboLinux distro on a different computer while retaining my Cinnamon desktop preference.

Fast and Slick

The developer’s website focuses mostly on the benefits for new Linux users to drag their Windows software to Linux without using the clunky WINE application to run isolated Windows software. However, RoboLinux is a good Linux platform in its own right.

Many of the specialized systems applications are devoted to transplanting the Windows OS and software to run in a VM. That is a good incentive for newcomers to switch to Linux.

However, do not lose sight of the solid performance you get from RoboLinux. The latest release is stuffed with some of the best applications that Linux has to offer. It easily can be your everyday workhorse computer platform.

RoboLinux is based on Debian Linux. A huge selection of Linux packages are readily available using the distro’s own software center interface or the Synaptic Package Manager.

Included in Robolinux 9.2.1:

  • Firefox version 59.0.2
  • Thunderbird version 52.7.0
  • a significant number of key upstream security and application updates
  • several more automated driver installers to support newer hardware

Perhaps one of RoboLinux’s best features is the ability to use its RoboLinux C: Drive to VM packages and related Windows cloning tools in many different Linux distros. You can download just the tools and use them in your preferred Linux distro instead of RoboLinux.

Look and Feel

Each of the supported desktop environments comes with a different appearance and feature set. However, each desktop includes a tightly integrated set of RoboLinux tools that clearly differentiate this distro from others in Linuxland.

That uniqueness is especially noticeable in the Cinnamon desktop. In any distro that offers the Cinnamon flavoring, one of the best attributes is the ability to configure and personalize nearly every aspect of the display and desktop functionality.

For example, RoboLinux has a supply of drivers unmatched elsewhere. The main menu has a separate category for specialized installers.

One in particular provides a one-click ability to install a collection of popular Cinnamon apps. Other options let you install specialized security and Internet tools, such as the Tor Browser and Steam games access.

When you add the additional RoboLinux toolset to the array of controls already available in Cinnamon, you get an unbeatable computing experience.

Big Bag of Tricks

RoboLinux comes with everything a user needs — and then some — to make daily computing tasks convenient. Many of the software packages typically are not found bundled in Linux distros.

The built-in optional one-click app installers include C Drive to VM, Tor Browser, Tor Chat, BleachBit, Wireshark, I2P, Clam AntiVirus and Steam.

The high level of support exceeds what most other Linux distros offer. RoboLinux goes well beyond passive community boards to solve user issues. I sent a direct message to RoboLinux tech support using the website’s contact us messaging center. In less than two hours, I had a detailed response in my in-box.

The website is stocked with very useful how-to videos and other instructions for installing RoboLinux and using its collection of specialized system tools. The fact that the developer provides all of this for free is reason enough to check out this distro.

Bottom Line

The only drawback for me was the developer’s heavy-handed manner of pleading for support. On the other hand, I get that the open source model poses a financial challenge. Giving away Stealth VM components for free now, rather than charging nominal and very reasonable prices, clearly is a survival risk.

So, consider the developer’s request to take a few seconds to click on the sponsors’ ads while browsing the website. Also try not to be put off by the impression that you have to make a donation to download the free Linux OS. Just scroll through the download page to find the free download link.

RoboLinux will impress both newcomers and seasoned Linux users. The Cinnamon desktop edition is an excellent starting point with its simple yet powerful user interface. Installation is quick and simple.







DevOps: Plenty of Devs, Not Enough Ops | Developers


In spite of all the high-profile breaches that seem to sweep the headlines with greater frequency, companies slowly but surely have been getting a handle on internal security practices. At this point, it’s hard to imagine any employee, in or out of the tech sector, who hasn’t been run through anti-phishing training.

However, security is only as strong as its weakest link, noted David Bryan, a penetration tester and senior managing consultant at IBM X-Force Red. The link that still needs reinforcing is also the one that — for a company marketing software products — is the most fundamental: developers.

In his presentation at the third iteration of the CypherCon hacker conference held last month in Milwaukee, Bryan described an anonymized engagement in which he probed the network of a development team responsible for 1.2 million user accounts. His purpose was to demonstrate that it is precisely the singular emphasis on developers speeding their code through production deadlines that leads to glaring security oversights.

“They have a deadline that they have to meet. The deadline doesn’t necessarily have to include security,” he said, but “it definitely includes functionality, and a deadline can mean the difference between actually taking a vacation and not.”

The deficit of security in development practices is due to more than just tight deadlines, though. Many developers can’t put security into practice because they never learned it in theory. There is such a dizzying array of concepts, languages, and tools for developers to get the hang of that often security and even basic networking concepts are crowded out of the curriculum in favor of more programming tradecraft.

“Even in these developer bootcamps, they’re just trying to get people up to speed on using the dev tools and not necessarily even talking about security,” Bryan said.

Hurtling Toward a Deadline

Programming has become such an indispensable tool that before educators have a chance to instill security consciousness in their trainees, they’re on to the next crop of students.

Referring to the infamous Steve Ballmer rant to which his talk’s title, “Developers, Developers, Developers,” cheekily nods, Bryan said, “We keep coming back to that. We need to get more people developing, which is good, but we forget about adding in security or adding in review of the environment, until a pentester comes along and says, ‘oh, hey, your machine is vulnerable, and it’s been vulnerable for X amount of months.'”

The final leg that props up this edifice is the prevalence of tools that — by their failure to require better security models — indulge the bad, if understandable, habits of twitchy developers hurtling toward a deadline without the background to know what, beyond functionality, they should be looking for in reviewing their work.

“Why are [DevOps tools developers] creating tools, like Jenkins or Marathon, that don’t require authentication? Just because it’s behind a firewall doesn’t mean that some attacker isn’t going to actually try and leverage it at some point,” Bryan pointed out.

In a way, this component is a natural outgrowth of the preceding one, in that developers of development tools on rigid timetables and lacking a sense for security will create tools that embody those traits, only to perpetuate the cycle when developers in the rest of the software world depend on them in their work.

A Little Goes a Long Way

So how does the industry treat these development ills? Like any malady, treatment starts with diagnosis.

“I would say it’s probably 50/50: I think there’s some onus on app-dev type tools to actually create logins, provide logins, things like that,” Bryan said, “but I think it’s also on the development team too, from the perspective of don’t leave your SSH keys available on open NFS mounts or open SMB shares, or even SMB shares that are shared by multiple people, because then someone can grab that private SSH key and reuse it on their environment.”

While developing improved tools — ones that won’t suffer weak default logins or any other number of security-poor shortcuts — is certainly an admirable and necessary goal, developers are left without adequate alternatives as the next generation of development platforms take shape.

In the interim, Bryan maintains that the most reliable approach is to make security a concerted part of the development cycle and not — as in some of the better development teams now (to say nothing of less diligent ones) — simply apply a supplemental security review at the end.

“It needs to be part of the process,” Bryan said. “So, as you check in code, there’s probably some sort of functionality review that happens or should happen with your code, but there should also be sort of a security review.”

Finally, Bryan advised that developers double-check not only that their development and production environments are not any more closely linked than they need to be, but also that there are no lingering points of access — like SSH keys or other login credentials — left in the development environment, in case they don’t sufficiently sever the link to the production environment.

“And then from an infrastructure perspective, again, [it’s about] cleaning up after yourself, making sure that whoever’s done the deployment has cleaned up their credentials, cleaned up their temporary files,” Bryan said. “The number of times that I come across a temp file that’s got logs or something like that that has usernames and passwords just drives me nuts.”
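Bryan’s two concrete complaints, private SSH keys sitting on open NFS or SMB shares and temp files or logs that still carry usernames and passwords, are the kind of leftover a short scan catches before a pentester does, and the same check fits the per-check-in security review he argues for. The following is an added example written for this page, not code from Bryan, IBM X-Force Red or the article. It walks a directory tree (a mounted share or a checkout), flags files whose leading bytes look like a PEM private key or a password assignment, and records whether each hit is world-readable. The sample files it creates are constructed for the demo, and the two regexes are deliberately narrow; a real deployment would tune them to its own log and config formats.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Markers for the two classes of leftovers described in the talk: private
# keys, and username/password pairs in logs or temp files. Both patterns are
# assumptions for this example and would be tuned per environment.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
PASSWORD_RE = re.compile(rb"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+")
MAX_SCAN_BYTES = 1 << 20  # read at most 1 MiB per file; keys and log headers sit near the top


@dataclass(frozen=True)
class Finding:
    path: str             # relative to the scanned root, "/"-separated
    kind: str             # "private-key" or "password"
    world_readable: bool  # True when the file mode grants read to "other"


def classify(data: bytes) -> Optional[str]:
    """Return the finding kind for a file's leading bytes, or None if clean."""
    if PRIVATE_KEY_RE.search(data):
        return "private-key"
    if PASSWORD_RE.search(data):
        return "password"
    return None


def scan_tree(root: str) -> List[Finding]:
    """Walk root (a mounted share or a checkout) and report credential leftovers."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets and device nodes on the share
                with open(path, "rb") as fh:
                    head = fh.read(MAX_SCAN_BYTES)
            except OSError:
                continue  # unreadable for this user: skip rather than abort the walk
            kind = classify(head)
            if kind is not None:
                findings.append(Finding(
                    path=os.path.relpath(path, root).replace(os.sep, "/"),
                    kind=kind,
                    world_readable=bool(st.st_mode & stat.S_IROTH),
                ))
    return sorted(findings, key=lambda f: f.path)


def demo() -> List[Finding]:
    """Build a constructed share layout in a temp dir and scan it."""
    samples = {
        # a deploy key someone copied onto the shared mount (constructed, not real key material)
        ".ssh/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                        b"c29tZSBkZW1vIGtleSBtYXRlcmlhbA==\n"
                        b"-----END OPENSSH PRIVATE KEY-----\n", 0o644),
        # a deployment log line with a password in it (constructed)
        "tmp/deploy.log": (b"2018-05-10 01:02:03 connecting as user=deploy password=Hunter2!\n", 0o600),
        # harmless text that mentions passwords without containing one
        "README.md": (b"Rotate the deploy password every 90 days.\n", 0o644),
    }
    with tempfile.TemporaryDirectory(prefix="share-scan-") as root:
        for rel, (content, mode) in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
            os.chmod(full, mode)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "WORLD-READABLE " if f.world_readable else ""
        print(f"{flag}{f.kind}: {f.path}")
```

Point `scan_tree` at a mount point to audit a share, or call `classify` on each staged file from a pre-commit hook to get the check-in review Bryan describes. Using `lstat` plus `S_ISREG` means a symlink planted on the share cannot steer the scanner into other parts of the filesystem, and per-file `OSError`s are skipped so one unreadable file does not end the audit.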

As hacker con season rolls along and the weather warms up, it pays to remember that a little spring cleaning — whether in your garage or your garage startup, or in a much bigger development team — goes a long way.


Jonathan Terrasi has been an ECT News Network columnist since 2017. His main interests are computer security (particularly with the Linux desktop), encryption, and analysis of politics and current affairs. He is a full-time freelance writer and musician. His background includes providing technical commentaries and analyses in articles published by the Chicago Committee to Defend the Bill of Rights.




