
DevOps Embraces Security Measures to Build Safer Software

Survey finds that devops teams are automating security throughout the software development lifecycle to create better and safer code.

It’s no secret that traditional development and operations teams view security controls as slow and cumbersome, and often look for ways to bypass the requirements in their rush to get software out the door. However, only 28 percent of respondents from organizations with mature devops practices felt that security requirements slowed down software development, Sonatype found in its 2017 DevSecOps Community Survey. In fact, 84 percent of respondents from mature devops organizations viewed application security as a safety measure, not an inhibitor to innovation. 

Read more at InfoWorld

Google Releases Early Developers Preview of Android O

Google this week released a developer preview of Android O, the next version of its mobile operating system, which includes several mostly incremental feature upgrades over the currently available version, Android N, also known as Nougat. Key among the upgrades are those designed to improve battery life and application notifications, and to let users store data such as addresses, user names and passwords for auto-filling logins and other repetitive information.

The Developer Preview comes with an updated software development kit that developers can use for testing the OS on devices like the Nexus 5X, Nexus 6P and Google Pixel devices. 

Read more at eWeek

How a Small Team Keeps Twitter’s Fail Whale at Bay

Ian Downes is engineering manager for the compute platform team at Twitter. His team of about 10 engineers and a few other staffers buoys a platform providing container infrastructure to much of the stateless services powering twitter.com and its advertising business. Downes spoke recently at Container World on “Twitter’s Micro Services Architecture: Operational & Technical Challenges.”

When people talk about containerization, he says, it’s often about how it can enable scale and disruption, but that doesn’t interest Downes much.

“What I’m more interested in are scaleable operations — independent of what scale you’re at,” he says.

Read more at OpenStack Superuser

Netflix Launches Support for Firefox on Linux

Linux users have a new option if they want to watch Netflix: the streaming service is now compatible with Firefox for the platform. Before this, only Google Chrome could play videos from the website outright. There was even a time when users had to make sure they were using a version of Chrome with the required Encrypted Media Extension (EME) support.

Read more at Engadget

Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web

Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web, Lauinger et al., NDSS 2017

Just based on the paper title alone, if you had to guess what the situation is with outdated JavaScript libraries on the web, you’d probably guess it was pretty bad. It turns out it’s very bad indeed, and we’ve created a huge mess with nowhere near enough attention being paid to the issue. The first step towards better solutions is recognising that we have a problem, and Lauinger et al. do a tremendous job in that regard.

In this paper, we conduct the first comprehensive study of client-side JavaScript library usage and the resulting security implications across the Web. Using data from over 133K websites, we show that 37% of them include at least one library with a known vulnerability; the time lag behind the newest release of a library is measured in the order of years.

Read more at Morning Paper

Persistent Memory Extensions to libstdc++/libc++ by Tomasz Kapela, Intel

https://www.youtube.com/watch?v=uvirBdDE6Fk?list=PLbzoR-pLrL6ovByiWK-8ALCkZoCQAK-i_

Tomasz Kapela of Intel describes the Non-Volatile Memory programming model created by the Storage Networking Industry Association at LinuxCon Europe.
 
 

Easier Persistent Memory Programming with Extensions to libstdc++ and libc++

Persistent memory, unlike volatile memory, retains its contents even if the server has a power failure. However, as Tomasz Kapela, Software Engineer at Intel, points out during his LinuxCon Europe 2016 talk, persistent memory is hard to achieve. Since persistent memory programming is non-trivial, his team has been focused on making it easier for the end user and for applications to use persistent memory correctly.

Kapela starts off by describing the Non-Volatile Memory (NVM) programming model created by the Storage Networking Industry Association (SNIA), an organization focused on standards for storage and networking. The NVM programming model describes a persistent memory device that lets you mmap a file into the virtual memory of your process, where you can do loads, stores and flushes directly to the memory device without really involving the kernel or the file system.

As part of the NVML team, they have a set of open source libraries designed to work on Linux and tackle the problem of persistent memory programming. The libraries include:

  • libpmem: The basic library, flush to persistence
  • libvmem: Volatile Memory Allocator
  • libvmmalloc: Transparent use of libvmem
  • libpmemblk: Persistent memory carved into blocks
  • libpmemlog: Log file (append-mostly)
  • libpmemobj: Transactional Object Store

To address some of the pain points and limitations of using C for persistent memory, Kapela discussed how they are using C++ to develop persistent memory extensions to libstdc++ and libc++. He talked in detail about how they are encapsulating type info into a smart pointer, and making life easier with RAII and lambdas for transactions. With the increase in container usage, they are also working on a proof of concept for persistent memory containers. 

Watch the video of Kapela’s entire talk to get all of the details about the persistent memory extensions to libstdc++ and libc++.

https://www.youtube.com/watch?v=uvirBdDE6Fk?list=PLbzoR-pLrL6ovByiWK-8ALCkZoCQAK-i_


6 Hot Internet of Things (IoT) Security Technologies

Last October, Internet service provider Dyn came under an attack that disrupted access to popular websites. The cybercriminals who initiated the attack managed to commandeer a large number of internet-connected devices (mostly DVRs and cameras) to serve as their helpers. As a result, cybersecurity expert Bruce Schneier has called for government regulation of the IoT, concluding that both IoT manufacturers and their customers don’t care about the security of the 8.4 billion internet-connected devices in current use.

Whether because of government regulation or good old-fashioned self-interest, we can expect increased investment in IoT security technologies. In its recently-released TechRadar report for security and risk professionals, Forrester Research discusses the outlook for the 13 most relevant and important IoT security technologies, warning that “there is no single, magic security bullet that can easily fix all IoT security issues.”

Read more at Forbes

The Four Values of a DevOps Transformation

A successful devops transformation sees a change in organisational culture. These changes often come in the way of adoption of specific tools or practices. However, to change culture, you need something more fundamental than just the introduction of new tools, or pushing everyone into Scrum teams.

Just like the agile transformations of the past, there was a difference between ‘Doing Agile’, and ‘Being Agile’. ‘We do standups’ – therefore we are Agile. Are we ‘Doing devops’ or are we ‘Being devops’? Agile cultures have evolved to a deeper understanding that it’s not about the team structure, or even the ceremonies, but it is about the values that they hold.

So if we are to be successful with a devops transformation, what are the values we should be aiming to foster, and why are these important in the first place?

Read more at Cevo

The Cloud Native Application Lifecycle Difference: Continuous Change

Embracing cloud native applications means changing how we think about, develop, and deploy applications. This shift is not just technological. It impacts the structure of organizations, as teams align to common business outcomes.

Analyst Steve O’Grady at Redmonk has a great explanation of cloud native apps:

There is a rough consensus on many cloud Native traits. Containers as an atomic unit, for example. Micro-services as a means of both construction and communication. Platform independence. Multiple language support. Automation as a feature of everything from build to deployment. High uptime. Ephemeral infrastructure (cattle not pets). And so on.

Read more at The New Stack