Budgeting Software Options to Keep Linux Users From Seeing Red | Reviews

By Jack M. Germain

May 17, 2019 9:48 AM PT

Budgeting apps come in all sizes and shapes. Budget apps for Linux are part of a software category that has been all but abandoned. But take heart. A number of Web-based solutions will more than meet your budget-tracking needs. If you still insist on finding a pure Linux-based application, do not confuse open source with free.

If you want an actual free budget program that works well with your flavor of Linux OS, a Web-based offering may be your best, or perhaps only, option. A few of these non-Linux solutions are proprietary products.

As with the vacant category of Linux-made tax accounting software, some of your best options for working with your budget figures will be accessible through a browser. Ironically, the catch in finding your ideal budget software for your Linux OS is not open source; it’s that many of the budgeting app offerings cost money.

This week’s Linux Picks and Pans is a roundup of the best options for budget-tracking software for Linux. The winner for you might not be an open source entity.

Some solutions are standalone applications. Others are attached to Web-based software services. A few are free. Most come with a price tag, however. Just because an application runs on Linux does not mean it is free to use.

At a bare minimum, these applications and Web services will help you become more aware of where your money goes. A few might even help you figure out how to stem the financial bleeding, or at least slow it down for a month or two.

The products included in this budget-tracking roundup are not presented in any ranked order. Some are readily available in distro repositories. Other packages require manual installation. The rest you visit online.

You Need A Budget: A New Way to Track Your Spending

You Need A Budget runs on Linux systems courtesy of Adobe AIR. YNAB also has a Web version that is not tied to any operating system. It operates a bit differently from earlier versions and from other budgeting applications.

This personal financial budget app is income-based. After the 34-day free trial, it costs US$5 a month to use the YNAB Web and mobile app.

You Need a Budget app screenshot

The latest release is version 5. It brings some important updates that make it more competitive to use. The new budgeting approach forces you to shift your mindset to work your budget so that you live on last month’s money. The process encourages you to think ahead for your expenses, break them down month-by-month, and live off the money you earned the previous month.

The look and feel resembles traditional budgeting software. You enter your categories, track your spending, and adjust if you go over or under in certain categories. It is easy to personalize your budgeting by removing or adding categories in each section as needed.

At the top of the screen sits your total cash flow for the month. To the right sits the total amount budgeted for the month, along with your total monthly activity, and the total available amount of your budget. Plus, your total monthly inflows are visible.

When you add a bank account, you can enter your transactions manually or choose to link your accounts. This sets the foundation for adjusting your budget based on your cash flow and spending from the previous month.

As you spend, YNAB shows you what is left in your spending categories. If you go over on a category, you can shift money around to cover your additional spending.

For example, if you earn enough income that you have more money to budget, the top bubble turns green. That money is now available to roll over to the next month. Meanwhile, you are still aiming to spend only the money you had available last month.

Setting up and maintaining your budget with YNAB is simple and flexible. This new approach is called “aging your money.” If you can’t age the additional money yet, at least you can apply it to cover shortages in other categories.

Features include the ability to import transactions automatically, straight from multiple bank and credit card accounts. You then have to assign them to categories. Splitting these transactions between multiple categories is easy. Or you can enter your transactions by hand.

YNAB lets you track your credit spending separately from your bank account transactions. If your goal is to balance credit and cash spending, this is handy. YNAB syncs with more than 12,000 banks, and it lets you connect multiple devices.

Another neat feature is the ability to set financial goals in one or more budget categories. The process is as easy as clicking on a category and adding the goal.

Mint: Smooth Bank and Credit Account Syncing

Intuit Mint is a simple personal finance program that is Web-based. Your financial data gets updated automatically every time you visit the site. Mint presents your financial information in an easy-to-use interface with graphs and reminders.

Intuit Mint

The website and app combination provides everything you need in a budgeting and money-tracking tool. However, it lacks a standalone app for any desktop or laptop OS, and it has no bill payment capabilities.

The website and mobile apps are easy to use, whether to create a personal budget, track bills or set up payment alerts. The interface offers the added benefit of tracking your credit reports and your credit score, along with special tips and strategies to boost your credit profile.

The Mint system works across multiple financial platforms so you can work with all of your accounts in one place. Your bank account, credit card account, brokerage account and retirement savings account are all available on your website login and mobile apps.

Mint has several key features that make it more than useful. It sends you alerts when you go over your budget. Using it is totally free. Mint comes from Intuit, the maker of TurboTax.

Mint and its clone-like apps use a very effective expense tracking and management system. In fact, it is the key to taking control of your budget and reaching your spending goals.

For example, whether the display is on a full-size computer or laptop screen, or a much smaller mobile device screen, it presents an overview of your budget status and your individual financial components, showing monthly income, the amount spent on bills and other categories, and the amount of money left over.

Mint’s analysis gives you personalized money-saving tips and spending advice. When you make a financial decision, such as a large purchase, Mint steps in and shows you ways to save money and make better choices.

Personal budgeting on Mint makes it easy to enter your accounts quickly. You can import the information without completing an endless succession of steps. Everything you need is in one place. For instance, the built-in finance calculator shows you visual aids, such as graphs and charts, to reveal the whole financial picture.

You decide what to do with your money. You can adjust your budget based on the tips and recommendations. You can set alerts and reminders to avoid missing payment due dates and incurring late fees that put more strain on your budget. You also can have Mint send text alerts and emails to remind you of nearly anything that relates to your budget.

Mint’s primary feature is budgeting and tracking expenses, and this is where the service really shines. Budgeting is super easy to set up: After you download and sync your transactions, they will get auto-categorized into predefined categories. You can create your own subcategories, but unfortunately cannot modify the top-level ones.

Another prominent feature is the goal-tracking and managing feature. New goals, such as paying off credit card debt or saving for a new home, are simple to set up and easily are reflected in your monthly budgeting.

Moneydance: A Complete Financial Toolkit for Linux

Moneydance is easy-to-use personal finance software that runs on Linux and is loaded with features that go well beyond basic budgeting. You can ignore the other modules and just focus on using the budgeting options if you wish.

Moneydance app screenshot

However, the overlapping financial components can be useful. Much like an office suite, Moneydance offers a complete set of financial tools that include online banking and bill payment, account management, budgeting, and investment tracking. It handles multiple currencies and virtually any financial task with ease. The download provides a limited free trial, but you can remove its limitations by purchasing a license.

Moneydance can download transactions automatically and send payments online from hundreds of financial institutions. It learns how to categorize automatically and clean up downloaded transactions.

Using it is fairly straightforward. You start at the summary page. There you see an overview of your finances. It displays account balances, upcoming and overdue transactions, and reminders. It also points out exchange rate information.

Click on an account or choose an account from the drop-down account list to view that account’s register and enter transactions or reconcile the account against a statement. Clicking on a transaction reminder displays a window to record the transaction automatically.

The account register lets you enter, edit and delete transactions. Visually, it resembles a paper checkbook register with two spreadsheet-like improvements. One, it calculates balances and sorts transactions automatically. Two, the payee autocomplete feature enters and categorizes your transactions automatically.

You can use the graphs and reports feature to generate visual reports of your income and expenses. You can set the graph type, the date range, and any specific settings for the type of graph you desire. Pop-up balloons display more information about the graphed data as you move the mouse pointer over different regions of the screen. Graphs also can be printed or saved to PNG image files.

Use the free Moneydance mobile app for Apple or Android to enter or edit transactions and view balances on the go. Changes sync instantly and securely with your desktop.

Moneydance 2019.2 Spring Edition downloads for Linux, macOS and Windows are free in limited-feature trial versions. You can remove the feature limitations by purchasing a license for $49.99.

wxBanker: A Barebones Budgeting and Basic Financing Kit for Linux

wxBanker is ideal for users who just want to keep track of their most basic finances. It does two things well.

First, it keeps your own running balances that you can compare against your online bank and other accounts. If you are looking for a lightweight but capable digital checkbook register, wxBanker is an excellent alternative to a spreadsheet-style transaction register. wxBanker also can synchronize account balances online via Mint for added functionality.

wxBanker app screenshot

It has a secondary function as well. It is a simple tool for keeping track of your expenses and spending. For example, you can spend $360 at several stores without hoarding receipts to remember what you bought. This package will help you keep track of the cost of each item.

wxBanker has a clean interface that syncs with Mint. This gives you added features and functionality. It does not handle your small business needs, and it will not sync with your bank records. However, it will record all of your transactions, and it includes a built-in calculator.

Its lightweight nature gives this Linux banking application another convenience service point. Use it to create arbitrary accounts to keep track of your other banking functions. For instance, use it to track reimbursable deposits, loans with friends, or allocations of monthly savings for special purchases.

wxBanker does what you would expect from any basic banking software. It lets you keep track of account balances easily. Its functions include adding, editing and removing transactions and accounts, making transfers, searching transactions, and viewing a graph of balances over time. An integrated calculator also makes calculations quickly and easily.

You can download the free open source wxBanker project from Launchpad. It is also available in the official Ubuntu repositories. Yet another option is to use the project’s PPA to obtain the latest version.

Make sure you have python-wxgtk2.8 installed as a required dependency.

BudgetView: A Budgeting Bonanza for Linux Users

BudgetView is a free, feature-packed budgeting solution that comes with data import, transaction operations and unlimited user sessions, and supports an unlimited number of bank accounts. It also includes a budget calculator, data management features, and customization capabilities.

BudgetView app screenshot

Import your financial statements from your bank’s website. After a couple of sessions, BudgetView automatically categorizes most of your transactions, leaving only a few operations for manual processing. This way, your budget can be up to date in just a few minutes, at any time!

BudgetView comes with a powerful set of features that are fully activated without having to buy anything:

  • Data import of transaction records in OFX, QIF or CSV format downloaded from your bank’s website;
  • Recovery of transactions from Microsoft Money, Intuit Quicken, or any other application capable of exporting records to OFX, QIF or CSV;
  • Operations such as adding notes; changing labels; splitting one transaction into several; shifting a transaction to the previous or next month’s budget; filtering your transactions by account, envelope or month; and searching transactions by label;
  • Data management tasks such as exporting your statements as QIF or TSV files for import into other budget management tools; copying the contents of tables displayed in BudgetView to paste into a spreadsheet program such as Excel or Numbers; creating and restoring backup copies of your data; printing your transaction records; and storing your data locally or in Dropbox or Google Drive.

Other essential features include options to use a password, fully encrypt data, set up multiple user sessions and unlimited bank accounts, and manage debit and credit card accounts.

A built-in budget calculator helps you organize your budget as a set of envelopes organized into revenues, fixed, variable, savings and extras. The calculator lets you observe the evolution of your accounts’ positions in the weeks and months ahead. It also assists in transferring the remainder of an envelope to the next month.

A bit of a learning curve and a setup period are necessary to get the best results from BudgetView. Plan on one or two initial sessions of 30 minutes to two hours each to set up your budget and get comfortable with the application.

Then plan on setting aside two to five sessions each month at five to 20 minutes each. That time will let you update and pilot your budget.

BudgetView is available for download in .DEB, .RPM, and compressed .SH format for all other installation needs. The free version of BudgetView is largely enough for managing most family budgets without any limitation.

You can install paid add-ons to get advanced budgeting features. Each add-on costs about $20; the add-ons include an Android mobile app, a budget analysis tool, an organizing component for budget categories, and an accessory that adds more functions to the basic feature set.

Budget Calendar: Simple Home Budget and Payment Planning For Linux

Budget Calendar is just that. It shows all transactions in an easy-to-understand calendar format. It identifies each payment type at a glance with unique icons on the calendar monthly view.

Budget Calendar app screenshot

While this budgeting tool is unique to MiShell Software Systems, it is not the only budget software bearing the “budget calendar” name or a similar one. The MiShell product is the one with Linux compatibility.

Budget Calendar has an intuitive and unusual user interface. In the setup panel, enter the amount and dates of your expected income at the start of the month. As you make payments or banking transactions, click the calendar day to enter the details. The calendar view shows the total funds available, the amount of the bill pay or other transaction, and the updated balance.

The day squares on the calendar are color-coded, and outgoing entries and the running balance are each displayed in their own color. As you enter payment details, you can assign an identifying category icon with a click.

You can drag budgeting entries around the daily squares to fit your needs. Budget Calendar shows you where and when you are spending your money and lets you easily adjust your balance when needed.

The top portion of the calendar screen displays navigational links to different parts of the calendar year. Other links show graphs of spending patterns and other financial analyses. The top left portion of the screen shows a list of running balances and average money-in and money-out statuses. Everything you need to know is clearly visible or a quick click away.

Part of Budget Calendar’s function involves comparing your actual spending with the monthly budget you have set up. The cute graphics and colorful icons let you see what your money situation is at all times. Your job is to make adjustments as you spend your money so you can cover or prevent cash shortfalls.

This is a novel approach that makes it fun to stay on top of your budget. The graphical approach is much different from traditional ledger-style bookkeeping.

Budget Calendar is a simple yet powerful intuitive software tool at an affordable price. Try it free for 30 days. Then purchase a household desktop license for $29.95 to use on all computers that belong to you. Updates are free, and well-done tutorials get you started quickly.

Bottom Line

These six budget-manager solutions for Linux offer a varied range of features and user interfaces. Some of these Linux money applications are good starting products for users with little or no experience with this category of software or online service. Other titles give you all of the tools to manage your household and your small business budgets.

Some of them are easy to set up and use. Others are more involved and can be frustrating if you are not familiar with money managing procedures.

Want to Suggest a Review?

Is there a Linux software application or distro you’d like to suggest for review? Something you love or would like to get to know?

Email your ideas to me, and I’ll consider them for a future Linux Picks and Pans column.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.

Digging for Bitcoin Is a Labor of Love | Software

It would have been reasonable for those attending Josh Bressers’ session at last month’s CypherCon — myself included — to expect a presentation by a cryptocurrency expert. It was billed as a talk about plumbing the depths of the bitcoin blockchain. When Bressers admitted that his material grew out of a hobby, I was surprised. Still, the talk was far from disappointing.

Instead, “Spelunking the Bitcoin Blockchain” offered a glimpse of the impact that “amateurs,” in the best sense of the word, ultimately have on the development of cryptocurrencies.

Similar to the way a lot of passion projects unfold, Bressers started out by going down a rabbit hole — one that is of interest to many working and playing with technology — out of sheer curiosity.

“Being able to see the data and answer questions is very powerful,” he said. “Once you start to investigate something like bitcoin, every question you answer takes you down a path with more questions and new answers I can’t even imagine.”

Luckily for him, Bressers didn’t have to start delving into bitcoin from square one. His background with Elastic, as a member of its product security division, equipped him with the technical command to set up a continually refreshing interactive dataset of the bitcoin blockchain. Right off the bat, his queryable data portal painted a vivid picture of bitcoin’s ledger.

“Since starting this project, I’ve learned quite a lot about how [bitcoin] works — everything from how the client stores data to what the data is, how others are using bitcoin in ways the creators probably never imagined,” he said. “The fact that anyone can put anything in the blockchain intrigued me, but I ended up finding many interesting things in all the data.”

“Anything” is no exaggeration. Specifically, Bressers’ digging led him to the bitcoin ledger’s breadcrumb trail of null-data outputs (transaction outputs whose script begins with OP_RETURN), a relatively unexplored oddity in bitcoin’s architecture that allows anyone to record arbitrary bytes in the blockchain instead of transferring value. Like value transfers, though, those outputs remain permanently and cryptographically recorded in the global public ledger.
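How such data is encoded is easy to see in code. The following is an added example written for this page, not code from Bressers’ talk or his dataset. It decodes the null-data (OP_RETURN) output scripts that carry arbitrary bytes, marks scripts that exceed Bitcoin Core’s default relay policy (83 bytes of script, of which 80 can be payload) as non-standard, and notes any satoshis paid to such an output as burned, since an OP_RETURN output is provably unspendable. The sample outputs are constructed for the demonstration, not taken from the real chain.

```python
"""Decode Bitcoin null-data (OP_RETURN) output scripts.

Added example, not code from the talk or dataset the article describes.
Sample outputs are constructed, not real chain data.
"""

OP_0, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4c, 0x4d, 0x4e
OP_1NEGATE, OP_1, OP_16, OP_RETURN = 0x4f, 0x51, 0x60, 0x6a
# Bitcoin Core's default -datacarriersize: OP_RETURN + push opcode(s) + up to 80 payload bytes.
MAX_STANDARD_SCRIPT = 83


def read_push(script: bytes, i: int):
    """Decode the push operation at script[i].

    Returns (data, next_index), or None when script[i] is not a push opcode.
    Raises ValueError when the script ends before the push is complete.
    """
    op = script[i]
    if op == OP_0:
        return b"", i + 1
    if OP_1 <= op <= OP_16:            # OP_1..OP_16 push the single byte 1..16
        return bytes([op - (OP_1 - 1)]), i + 1
    if op == OP_1NEGATE:
        return b"\x81", i + 1
    if 0x01 <= op <= 0x4b:             # direct push: the opcode is the byte count
        length_size = 0
    elif op == OP_PUSHDATA1:
        length_size = 1
    elif op == OP_PUSHDATA2:
        length_size = 2
    elif op == OP_PUSHDATA4:
        length_size = 4
    else:
        return None                    # any other opcode is not a push
    if length_size == 0:
        n, start = op, i + 1
    else:
        if i + 1 + length_size > len(script):
            raise ValueError(f"truncated push length at offset {i}")
        n = int.from_bytes(script[i + 1:i + 1 + length_size], "little")
        start = i + 1 + length_size
    if start + n > len(script):
        raise ValueError(f"truncated push data at offset {i}: wants {n} bytes")
    return script[start:start + n], start + n


def decode_nulldata(script: bytes):
    """Decode an OP_RETURN output script.

    Returns None when the script is not a null-data script. Otherwise returns the
    concatenated pushed bytes, a best-effort text rendering, and whether the
    script meets Bitcoin Core's default standardness rules (only pushes after
    OP_RETURN and at most 83 bytes in total). Non-standard scripts are still
    valid on chain; default nodes simply do not relay them.
    """
    if not script or script[0] != OP_RETURN:
        return None
    pushes, push_only, i = [], True, 1
    while i < len(script):
        result = read_push(script, i)
        if result is None:             # a non-push opcode after OP_RETURN
            push_only = False
            break
        data, i = result
        pushes.append(data)
    payload = b"".join(pushes)
    return {
        "payload": payload,
        "text": payload.decode("utf-8", errors="replace"),
        "standard": push_only and len(script) <= MAX_STANDARD_SCRIPT,
    }


# Constructed sample outputs: (value in satoshi, scriptPubKey hex). Not real chain data.
SAMPLE_OUTPUTS = [
    (0, "6a0d" + "Hello, world!".encode().hex()),   # standard null-data output
    (0, "6a4c5a" + "41" * 90),                       # 90-byte push: valid, but non-standard
    (1000, "6a04deadbeef"),                          # data output that also burns 1000 sat
    (50000, "76a914" + "00" * 20 + "88ac"),          # ordinary P2PKH payment, not null-data
]


def extract_nulldata(outputs):
    """Return decoded null-data outputs from (value, script_hex) pairs.

    Anything paid to an OP_RETURN output is provably unspendable, so a nonzero
    value is reported as burned rather than transferred.
    """
    found = []
    for index, (value, script_hex) in enumerate(outputs):
        decoded = decode_nulldata(bytes.fromhex(script_hex))
        if decoded is None:
            continue
        decoded.update(index=index, burned_sats=value)
        found.append(decoded)
    return found


if __name__ == "__main__":
    for entry in extract_nulldata(SAMPLE_OUTPUTS):
        print(entry["index"], entry["standard"], entry["burned_sats"], entry["text"][:40])
```

Scripts above the standard size still confirm if a miner includes them, which is why a scan of the real ledger turns up payloads larger than 80 bytes; the decoder therefore parses them and only marks them non-standard rather than rejecting them, and it raises on a truncated push instead of silently returning partial data.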

Interesting Gems

Along with curios like null data, Bressers uncovered some broader trends in bitcoin’s developmental history. With bitcoin, the number of transactions that are resolved (that is, recorded in the ledger via mining) in each block varies.

In its infancy, that was because the number of transactions came nowhere close to the 1MB maximum block size imposed shortly after the software’s public release. However, as bitcoin boomed in popularity, the transaction count quickly approached the limit.

One relationship Bressers found between block size and transaction count per block was that, according to his observations, after the 1MB size cap was relaxed (the 2017 segregated witness upgrade replaced it with a 4 million weight-unit limit), the number of transactions per block dipped, evening out the overall transaction rate to roughly what it had been under the 1MB limit.

While it might constitute little more than a fascinating statistic to hobbyists like Bressers, this kind of correlation can lend valuable insight to cryptocurrency developers and users.

“I think I’ve gained a new appreciation for the challenges the developers have, and some of their solutions,” Bressers said.

At multiple points in his presentation, Bressers maintained that he was not a data scientist, which is certainly true in a professional sense. However, whether one’s discoveries or research constitute data science, or at least serve a similar function as data science, is more a matter of perspective. In fact, data science is so new that even professional practitioners are only just arriving at a consensus on what it means.

Identifying New Properties

Corey Stedman, founder and CEO of cryptocurrency accounting firm DEI, would not classify himself as a data scientist either, but the discipline is one he is picking up as part of his entrepreneurship. For him, data science simply involves using data to drive actionable decisions.

“The way that I would define data science is not taking data for surface value, but looking at it in a really granular, nuanced view, and then applying it for results, for review,” Stedman said.

Correlations like the fall in transactions with the removal of the block limit, or transactions with price generally, which Bressers encountered, are useful to cryptocurrency businesspeople like Stedman in addressing development challenges like scaling.

“When you think of any cryptocurrency, whether it’s bitcoin or whatever,” Stedman said, you have to ask, “how could it accommodate 100 million people? So, bitcoin, for instance, would not be able to accommodate 100 million users for a couple of reasons, and that’s one of the main bottlenecks.”

To Stedman, the most significant benefit that studying blockchains affords developers and users is the ability to explore new potential applications. Stedman illustrated the point with an analogy between cryptocurrencies and elements of the periodic table: the study of both aims to identify new innate properties.

“With cryptocurrencies, for the most part, all of them can do value transfer fairly well,” he said. “However, when you look at something like Ethereum, what Ethereum did is that it changed the game a little bit, where now you have this world computer where you can program the money to do things, and a lot of other blockchains replicated that. What I see is other cryptocurrencies realizing their properties.”

Amateur Roots

There is value in broadly tracking the kind of metaphorical cryptocurrency vital signs that Bressers captures in his live bitcoin data feed, said Hannah Rosenberg, managing director of the Blockchain Institute.

“When I’m looking at a new coin,” she said, “I always start with, you know, [looking] at the software and then at the monetary theory aspects of things: Is there a cap on this coin? Is there inflation? Is it predictable? Who controls it? Then you wind up in more data analysis stuff: How many people are using it? How many nodes are there on the network? That type of thing.”

While crediting the amateurs who study cryptocurrencies, Rosenberg also underscored the critical role amateurs play in creating and sustaining cryptocurrencies all over the ecosystem — even including the invention of bitcoin itself.

“Bitcoin is an amateur project. … This is just someone’s hobby project that they released on the Internet,” she said. “Because of the nature of it, because of the lack of a leader, I think in bitcoin — at least to me, I think a lot of other people — it is a project that winds up feeling like yours, even though I don’t have any core commits.”

The reliance on the passionate work of nonprofessionals is just as current in cryptocurrencies as it is part of their history. In Rosenberg’s experience, which encompasses organizing cryptocurrency meetup groups, the transition from wide-eyed initiate to in-the-trenches entrepreneur is often rapid and dramatic.

“A lot of times … the common story is, ‘Oh, I heard about it years ago, I thought it was interesting and kept following it, and then finally one day I decided to come in here and check it out,'” Rosenberg said. “They have a good conversation, they’ll keep coming back, and then a year later, they come in and go, ‘Hey, Hannah, did you hear about my new project?'”

Data Inquisitiveness

There is a notable degree of convergence on the idea that cryptocurrencies could stand to see more data science applied to them — or that in some cases, they eventually may demand that kind of critical analysis.

In Stedman’s view, the prospect of cryptocurrency integration into the fabric of the global financial system looms large, and gaining a more concrete understanding of cryptocurrency behaviors is crucial to making the synthesis a harmonious one.

“Cryptocurrency is not going anywhere. It’s here to stay, and I think that [the cryptocurrency community and the traditional finance community] don’t have to be in contention with each other,” he said. “This is not the horse and carriage versus cars.”

By contrast, Rosenberg sees blockchain technology advances primarily as influencing how the Web 3.0 standard materializes, particularly in regard to the integrity of user personal data. In a world where blockchain use proliferates as a means of user identity verification, the onus for implementing it properly will fall on those further and further from the core of the cryptocurrency community, encompassing Web, application and operating system developers.

“The private Web … is a restructuring of the Internet in a way where people have control over their own data,” Rosenberg said, “and so a Web developer needs to know about [blockchain], because especially if you’re doing e-commerce Web development, this is going to come into play. Or if you’re just doing any kind of Web development, sooner or later I really think this is going to be something they’re going to have to learn.”

If nothing else, bitcoin’s significance, to Bressers, is more as a jumping-off point for data inquisitiveness, whether applied to cryptocurrencies or anything else. This is so much the case that he premised his talk in large part on that kernel of thought.

“The biggest takeaway I hope people see is the power of being able to quickly look at data,” he said. “I would hope the audience either expands on my current bitcoin work, or uses it as an inspiration to build their own projects looking at data in new and interesting ways.”

Jonathan Terrasi has been an ECT News Network columnist since 2017. His main interests are computer security (particularly with the Linux desktop), encryption, and analysis of politics and current affairs. He is a full-time freelance writer and musician. His background includes providing technical commentaries and analyses in articles published by the Chicago Committee to Defend the Bill of Rights.

AMD Radeon Pro Software for Enterprise 19.Q2 for Linux Released

Shipping today is the “Radeon Pro Software for Enterprise 19.Q2 for Linux” driver package as the newest hybrid driver update for Linux systems with AMD Radeon Pro (and consumer) graphics, aiming to increase performance against NVIDIA Quadro hardware.

In AMD’s press communications today, they talk up higher performance in real-world design workflows, better support for critical design and productivity workflows, and better workstation power. However, it’s not immediately clear how well some of these updates translate to the Linux side, since some of the workstation software mentioned is Windows-only. Unfortunately we don’t have any Radeon Pro hardware for verifying the Linux driver update’s performance changes, but at least there is this quarterly Linux driver update out today.

The Radeon Pro Software for Enterprise 19.Q2 for Linux update is available for RHEL/CentOS 7.6, RHEL/CentOS 6.10, Ubuntu 18.04.2 LTS, and SUSE Linux Enterprise Desktop/Server 15. There isn’t yet support for the new Red Hat Enterprise Linux 8.0.

As for the Linux driver build specifically, the release notes mention that the highlight is multi-GPU fan boost now working with this Linux driver update. Also mentioned are fixes for display problems previously seen when using Ubuntu 18.04.2 on Wayland, resolved 4K resolution issues, and a fix for a cube rotation problem with the DGMA test.

Those wanting to try out this Radeon Pro Software Enterprise 19.Q2 Linux driver update can grab the new hybrid driver build from AMD.com.

Open Source Flaw Management Shows Signs of Improvement: Report | Software

By Jack M. Germain

Apr 30, 2019 1:16 PM PT

Almost two years after the infamous Equifax breach, many organizations still struggle to identify and manage open source risk across their application portfolios.

Meanwhile, the latest report tracking open source security shows a 16 percent rise (from 257 to 298) in the average number of open source components detected in each codebase analyzed. The scanned software includes commercial applications.

Black Duck by Synopsys on Tuesday released its annual Open Source Security and Risk Analysis, which examines the open source audit results of scanned codebases to identify insightful trends and patterns in open source usage. The report also looks at the prevalence of insecure open source components and software license risk.

Titled “Understanding Open Source Risk and Why It’s So Important to Manage,” the report compiles research backed by the Synopsys Cybersecurity Research Center (CyRC). It provides an in-depth look at the state of open source security, license compliance and code-quality risk in commercial software.

The CyRC Belfast team examined findings from the anonymized data of more than 1,200 commercial codebases reviewed by the Black Duck Audit Services team in 2018. The 17 industries represented in the report range from aerospace to virtual reality. The audit services team reviewed an average of 71 codebases per industry during 2018.

Alongside the continued growth of open source components in commercial codebases, the report finds that many of the open source vulnerabilities detected were first disclosed more than a decade ago.

The percentage of codebases containing vulnerable components has decreased, the report notes. The percentage of codebases containing license conflicts also has decreased.

The least surprising trend identified is that open source adoption has continued to rise, and the majority of codebases contain more open source than proprietary code, according to Tim Mackey, senior technical evangelist at Synopsys.

“One trend that is concerning is that the majority of codebases (60 percent) contain at least one vulnerable open source component, and 40 percent contain at least one high-risk vulnerability. Similarly, open source license compliance continues to be a challenge, with 68 percent of codebases containing some form of open source license conflict,” he told LinuxInsider.

Results Highlights

Audits found open source in more than 96 percent of codebases scanned in 2018. That percentage is similar to the figures from the last two OSSRA reports.

Most of the codebases that contained no open source consisted of fewer than 1,000 files. More than 99 percent of the codebases scanned in 2018 with more than 1,000 files contained open source components.

In most industries, the year-to-year difference in the percentage of codebases containing open source was negligible, according to the report. The audited codebases generally were from companies whose business is building software rather than from enterprises for whom software supports their main business.

The audits found, on average, 298 open source components per codebase in 2018 versus 257 in 2017. Open source represented 60 percent of the code analyzed in 2018, up from 57 percent in 2017.

“The main takeaway from this report is that the security and license compliance risk associated with the use of open source is very real, but it is the risk that can be managed with a proactive open source governance policy, automated tools like software composition analysis and an effective patching strategy,” said Mackey.

Encouraging Indications

This year’s report shows signs of an improving situation. There definitely are encouraging data points suggesting the industry may be turning the corner in terms of organizations’ ability to manage open source risk, noted Mackey.

For example, while 60 percent of codebases contained at least one vulnerable open source component, that number is down significantly from the 78 percent observed in the 2018 OSSRA report, he said. Likewise, the 68 percent of codebases containing some form of open source license conflict is slightly better than the 74 percent seen in last year’s report.

“This is a good thing, as it shows how teams are continuing to leverage open source to accelerate innovation,” Mackey observed, “but more open source also means more open source risk that needs to be managed.”

Enterprise IT and corporate security workers should not be concerned that the rise in open source code may create greater security risks, suggested Tobie Langel, principal at consulting firm

“There is no reason to believe that open source software is inherently less secure than closed source software,” he told LinuxInsider. “However, when a security issue is found in open source software that is used across the industry, the impact can be greater, as it is ubiquitous.”

Sustaining and securing open source is the industry’s biggest challenge right now — but open source also is where the most innovation is happening.

“I am confident we will get there,” Langel said. “Open source is by far the most effective means of building software and innovating at scale, once we find the right set of solutions to provide long term maintenance. It will also be the most secure solution by far.”

Common Code Risk Critical

Numerous components were commonly used across different codebases, researchers found. For example, jQuery, open source software using the permissive MIT License, was found in 56 percent of the scanned codebases and in virtually every industry covered in the OSSRA report.

Other notable open source components found in the scans include Bootstrap, an open source front-end Web framework; jQuery UI, a curated set of user interface interactions, effects, widgets and themes built on the jQuery JavaScript Library; and Font Awesome, an open source font and icon toolkit based on CSS and LESS.

Despite using so much open source, few companies accurately track the components they use in their code. Most lack the policies, processes and tools to keep up with the choices made by their developers, according to the report. As a consequence, all the good functionality that comes with open source also brings along a variety of risks.

“Open source libraries are a double-edged sword,” remarked Manish Gupta, CEO of

Widely used open source software tools are generally more stable and more robust than custom code, he told LinuxInsider, because they are deployed in a variety of environments and have been battle-tested.

Bugs and vulnerabilities potentially are reported and fixed much faster than in custom code that is leveraged by only one organization. However, the documented system of CVEs means that attackers know how your libraries are vulnerable, Gupta cautioned, and they can create an exploit much more easily.

“This means that consumers of OSS must stay on top of patches, which is not always easy to do,” he said. “The security industry hasn’t provided effective solutions to the developers to deal with this dilemma. The tools merely tell developers which OSS libraries being used are vulnerable.”

Clarifying Risk From Use

A key takeaway in the report is the care it takes not to mischaracterize the findings as an attack on the use of open source technology itself. Open source is not less secure than proprietary code. Nor is it more secure.

All software has weaknesses that are potential vulnerabilities, whether the code is proprietary or open source, the report warns. Organizations that use open source must identify and patch them.

That management process is challenging, since most organizations have thousands of different pieces of software, ranging from mobile apps to cloud-based systems to legacy systems running on-premises. Software in general is a mix of commercial off-the-shelf packages, open source software and custom-built codebases — and vulnerabilities affect all of them, the report emphasizes.

“The use of any software comes with inherent risks, but open source software presents a few unique challenges,” said Mackey.

The first challenge concerns license obligations that can be opaque and easy to overlook compared to commercial software. The second challenge is the responsibility for identifying and patching open source security vulnerabilities, which falls solely on the organization using the software.

“Commercial software vendors can proactively urge, or in some cases, force their customers to update or apply security patches,” Mackey said. “Managing open source security and license risk should be viewed as an accepted cost of otherwise free open source software.”

Attack Vectors Persistent

An alarming number of companies fail to patch the software they use, whether proprietary or open source, the report said. That makes them targets.

Unpatched software vulnerabilities are one of the biggest cyberthreats organizations face. Unpatched open source components in software add to security risk. Certain characteristics of open source make vulnerabilities in popular components attractive to attackers.

Makers of commercial software can push fixes, patches and updates to users automatically. Open source has a pull support model. That makes the users responsible for keeping track of both vulnerabilities and fixes for the open source software they use.

The pervasiveness and ubiquity of open source create management tasks that extend far beyond many organizations’ capabilities, since few of them manually track components, their versions and their vulnerabilities, according to the report.

Assistance Required

Organizations using open source must establish management strategies to identify and patch known vulnerabilities in open source components, notes the report. Vulnerabilities are disclosed through sources such as the National Vulnerability Database (NVD), mailing lists, GitHub issues and project homepages.

The widespread use of open source makes it imperative for organizations to keep accurate, comprehensive and up-to-date inventories of the open source components used in their applications. An incomplete inventory makes it extremely difficult to maintain adequate software asset management procedures, according to the report.

The increase in open source vulnerability age, despite a decrease in the number of codebases containing open source vulnerabilities, is interesting, said Synopsys’ Mackey, “but our audits often reveal that organizations are tracking less than half the open source in use. You can’t patch what you aren’t aware of.”

Sample Solutions

One solution for organizations using open source code is to tap into readily available sources tracking vulnerabilities, suggested Gabriel Bianconi, founder of Scalar Research.

“Large projects often have mailing lists announcing bug fixes and vulnerabilities,” he told LinuxInsider. “There are several vendors providing software to monitor security risks in open source libraries and dependencies used by your company.”

More often than not, the biggest problem is that the company is using an outdated version of the codebase that does not contain the latest security patches.

“Professionals must ensure that their dependencies are consistently updated,” Bianconi said.

Breaking Breaches

“POODLE,” “Heartbleed” and “Spectre” are not just cute monikers for security vulnerabilities. They are very real and potentially dangerous holes, noted Steve Tcherchian, chief product officer at

When an application vulnerability is identified, it typically is followed by a patch or new version to remediate the vulnerability, he explained, and with the proliferation of free and open source software, this activity becomes critically important.

“Oftentimes procrastination takes over, and the application is not timely patched for a variety of reasons,” Tcherchian told LinuxInsider. “This now leaves the application wide open to a published, and in most cases, publicized vulnerability.”

As for how to change the mentality within a development organization to be more security-focused, education and reinforcement are key, Tcherchian said.

“Security cannot be left for the end. Introduce security into your development processes early and re-introduce them often,” he added.

More Action Needed

The report cites a conclusion by the U.S. Senate Permanent Subcommittee on Investigations declaring that Equifax’s lack of a complete software inventory was a contributing factor to its massive 2017 data breach.

A number of reliable strategies exist to ensure that open source components used in applications are up-to-date with crucial patches applied, noted Matt Wilson, chief information security advisor at BTB Security.

“The good news is that they aren’t terribly complicated. What is important is that teams are aware of what you run in your environment, which can be hard for less mature organizations,” he told LinuxInsider.

The process involves maintaining awareness of updates to the code you run, applying patches as quickly as possible, and ensuring you conduct regular testing of your application/environment as a catch-all, Wilson explained.

Several industries, such as government, healthcare and automotive, have started to adopt standards that require organizations to inventory and track their use of open source components in a software bill of materials, according to Synopsys’ Mackey.

“This is a good first step,” he said. “After all, you can’t manage risk you don’t know exists.”

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.

The Apache Software Foundation Completes Migrat… » Linux Magazine

The Apache Software Foundation (ASF), home to some of the biggest open source projects, has migrated its Git service to GitHub.

According to the foundation, Apache projects initially had two version control services available via ASF Infrastructure: Apache Subversion and Git. Through the years, an increasing number of projects and their communities wanted to see their source code available on GitHub. As these were read-only mirrors, the ability to use GitHub’s tools around those repositories was limited.

ASF hosts more than 200 million lines of code, managed by a community of 730 individual ASF Members and 7,000 Apache code committers. Over its 20 year history, 1,058,321,099 lines of code have been committed across 3,022,836 code commits.

“In 2016, the Foundation started integrating GitHub’s repository and tooling, with our own services. This enabled selected projects to use GitHub’s excellent tools,” said Greg Stein, ASF Infrastructure Administrator.

Commenting on this migration, Nat Friedman, Chief Executive Officer of GitHub said, “Whether we’re working with individual Open Source maintainers and contributors or some of the world’s largest Open Source foundations like Apache, GitHub’s mission is to be the home for all developers by supporting Open Source communities, addressing their unique needs, and helping Open Source projects thrive.”
