Software Security Is a Shared Responsibility



  • software security

    Software security requires discipline and diligence, said Mårten Mickos, speaking at the Open Source Leadership Summit.

    Achieving effective security takes constant discipline and effort on everyone’s part – not just one team or group within a company. That was Mårten Mickos’s message in his keynote speech appropriately titled, “Security is Everyone’s Responsibility,” at The Linux Foundation’s recent Open Source Leadership Summit (OSLS).

    Mickos, CEO of HackerOne, which he described as a “hacker-powered security company,” told the audience that $100 billion has been spent on cybersecurity, yet, “Half of the money is wasted. We’ve been buying hardware and software and machines and walls and all kinds of stuff thinking that that technology and [those] products will make us secure. But that’s not true.”

    Even if you pile hardware onto your network to build a perimeter around it, it won’t make your organization any more secure, Mickos said. The answer is much simpler, he maintained, and the magic bullet is sharing.

    “You share the defense, you share information, you work together,” he said. “You can’t have secure software if just some of your software engineers are in charge of security. You can’t just delegate it or relegate it to a security team. If you do that it won’t happen.”

    Mickos likened that approach to the 1990s, when companies had quality managers and people got ISO certifications. “It didn’t help. It reduced quality in the companies, because people felt that quality now was the job of somebody else, not of you.”

    Discipline

    Software security, Mickos said, “only happens when we’re very disciplined.”

    Mickos’ company has 160,000 contributors, including security researchers, ethical hackers and “white hats,” people who have signed up to find flaws in software, he said. Security vulnerabilities can arise even when there are no bugs, he noted, adding that HackerOne hacked the U.S. Air Force in eight minutes.

    “We found 200 vulnerabilities in the Air Force’s systems, 20 of those were found by Jack Cable, a 17-year-old high school student from Chicago, Ill.,” he said.

    HackerOne has fixed over 65,000 security vulnerabilities, Mickos claimed. “So that has removed a lot of holes where criminals could have entered. But there are still tens of millions of vulnerabilities; no one knows the exact number. But if we deploy 100 billion lines of code every year … there’s a lot of security to look after.”

    Pooled Defense

    In his speech, Mickos promoted the notion of a “pooled defense,” the idea that “the number of defenders is far larger than the number of bad guys.” He said there are far more white hats in the world than there are cyber criminals or “black hats.”

    Cyber threats are often characterized as being asymmetric, he said, in the sense that one single criminal attacker can cause a lot of harm — so much so that a company needs 100 people to defend against it.

    “If companies can get together and pool their defense, you … suddenly you have 10 times the power of the attackers,” he said. “If you share information, share the defense, share best practices, and share the act of responding to threats, then you overcome the asymmetry and you turn it around.”

    It takes discipline and diligence, Mickos said, recalling how Equifax had “so many failures and acts of negligence or … omissions in the way they handle security,” and that “it was one single software vulnerability that led to the data breach in their systems.” Meanwhile, he added, “There’s nobody here who has a software system with just one vulnerability.”

    While people often complain about long passwords or having to use multi-factor authentication because it is so time-consuming, they had better get used to it, he cautioned.

    “Security doesn’t come for free. The only thing that … acts against these threats is the discipline and diligence [and] remembering long passwords,” Mickos said. “Even when somebody invents a method where we don’t need passwords anymore, you will be asked to do something else which is burdensome and every day, and where you’re not allowed to miss it one single time.”

    Mickos also had a message for educational institutions: “Don’t call it computer science and software engineering unless there’s security in it. Today, you can graduate in CS without taking a single course in security.” He said he didn’t pay attention to the importance of security when he was in college, but different times call for a different approach. Today, security “has to become part of everything we do.”

    We Can Turn the Ship

    When everyone recognizes that security is a shared responsibility, he stressed, “the ship will turn. It’s a big ship, so it turns slowly, but it will turn, and we will get to a state that is similar to what we have with airline safety or hospital hygiene or … automotive safety, where today it all works. But it works because we do it together and we jointly take responsibility for it.”


    The post Software Security Is a Shared Responsibility appeared first on The Linux Foundation.

    https://www.linuxfoundation.org/blog/software-security-is-a-shared-responsibility/





Tmux Commands

screen and tmux

A comparison of the features (or, more so, just a table of notes for accessing some of those features) of GNU screen and the BSD-licensed tmux.

The formatting here is simple enough to understand (I would hope). ^ means ctrl+, so ^x is ctrl+x. M- means meta (generally left-alt or escape)+, so M-x is left-alt+x.

It should be noted that this is nowhere near a full feature set of either program. This, being a cheat sheet, is just there to point out the most basic features to get you on the road.

Trust the developers and manpage writers more than me. This document is originally from 2009, when tmux was still new; since then both of these programs have had many updates and features added (not all of which have been dutifully noted here).

Action                                                           | tmux                                       | screen
-----------------------------------------------------------------+--------------------------------------------+---------------------
start a new session                                              | tmux OR tmux new OR tmux new-session       | screen
re-attach a detached session                                     | tmux attach OR tmux attach-session         | screen -r
re-attach an attached session (detaching it from elsewhere)      | tmux attach -d OR tmux attach-session -d   | screen -dr
re-attach an attached session (keeping it attached elsewhere)    | tmux attach OR tmux attach-session         | screen -x
detach from currently attached session                           | ^b d OR ^b :detach                         | ^a ^d OR ^a :detach
rename-window to newname                                         | ^b , <newname> OR ^b :rename-window <newn> | ^a A <newname>
list windows                                                     | ^b w                                       | ^a w
list windows in chooseable menu                                  |                                            | ^a "
go to window #                                                   | ^b #                                       | ^a #
go to last-active window                                         | ^b l                                       | ^a ^a
go to next window                                                | ^b n                                       | ^a n
go to previous window                                            | ^b p                                       | ^a p
see keybindings                                                  | ^b ?                                       | ^a ?
list sessions                                                    | ^b s OR tmux ls OR tmux list-sessions      | screen -ls
toggle visual bell                                               |                                            | ^a ^g
create another window                                            | ^b c                                       | ^a c
exit current shell/window                                        | ^d                                         | ^d
split window/pane horizontally                                   | ^b "                                       | ^a S
split window/pane vertically                                     | ^b %                                       | ^a |
switch to other pane                                             | ^b o                                       | ^a <tab>
kill the current pane                                            | ^b x OR (logout/^D)                        |
collapse the current pane/split (but leave processes running)    |                                            | ^a X
cycle location of panes                                          | ^b ^o                                      |
swap current pane with previous                                  | ^b {                                       |
swap current pane with next                                      | ^b }                                       |
show time                                                        | ^b t                                       |
show numeric values of panes                                     | ^b q                                       |
toggle zoom-state of current pane (maximize/return current pane) | ^b z                                       |
break the current pane out of its window (to form new window)    | ^b !                                       |
re-arrange current panels within same window (different layouts) | ^b [space]                                 |
kill the current window (and all panes within)                   | ^b killw [target-window]                   |
  • Open Source Summit

    Join us in Edinburgh! Submit a proposal to speak by July 1 for Open Source Summit & ELC + OpenIoT Summit Europe.

    Submit a proposal to speak at Open Source Summit Europe & ELC + OpenIoT Summit Europe, taking place October 22-24, 2018, in Edinburgh, UK, and share your knowledge and expertise with 2,000+ open source technologists and community leaders. Proposals are being accepted through 11:59pm PDT, Sunday, July 1.

    This year’s tracks and content will cover the following areas at Open Source Summit Europe:

    • Cloud Native Apps/Serverless/Microservices
    • Infrastructure & Automation (Cloud/Cloud Native/DevOps)
    • Linux Systems
    • Artificial Intelligence & Data Analytics
    • Emerging Technologies & Wildcard (Networking, Edge, IoT, Hardware, Blockchain)
    • Community, Compliance, Governance, Culture, Open Source Program Management (Open Collaboration Conference track)
    • Diversity & Inclusion (Diversity Empowerment Summit)
    • Innovation at Apache/Apache Projects
    • TODO / Open Source Program Management

    View the full list of suggested topics for Open Source Summit Europe.

    This year’s tracks and content will cover the following areas at ELC:

    Suggested Embedded Linux Conference (ELC) Topics:

    • Audio, Video, Streaming Media and Graphics
    • Security
    • System Size, Boot Speed
    • Real-Time Linux – Performance, Tuning and Mainlining
    • SDKs for Embedded Products
    • Flash Memory Devices and Filesystems
    • Build Systems, Embedded Distributions and Development Tools
    • Linux in Devices such as Mobile Phones, DVRs, TVs, Cameras, etc.
    • Use of Linux in Automotive
    • Drones and Robots
    • Linux in the Internet of Things
    • Practical Experiences and War Stories
    • Standards
    • Public Infrastructure
    • Industrial Automation

    Suggested OpenIoT Summit Topics:

    • Real-Time OS (Zephyr, RIOT, MyNewt, FreeRTOS, NuttX, mbed and Others)
    • Outside World Meets IoT (Sensor Interaction, Low Footprint, Connected Sensors, EMF/RFI Impact)
    • Bootloaders, Firmware & Updates
    • Containers
    • Distributed Edge Application Technologies
    • On-device Analytics
    • Blockchain for Constrained Devices
    • Device Management
    • Power Management
    • Configuration Management
    • Developing for Security
    • Safety Considerations
    • Certifications – Lessons Learned
    • Taking Devices to Product

    View the full list of suggested topics for ELC + OpenIoT Summit Europe.



    Register & Save

    Not submitting, but plan to attend? Register before August 18 and save $300 with early bird pricing. One registration gets you access to both Open Source Summit Europe & ELC + OpenIoT Summit Europe.

    Interested in Sponsoring?

    Showcase your thought leadership among a vibrant open source community and connect with top influencers driving today’s technology purchasing decisions. Learn how to become a sponsor of Open Source Summit Europe or ELC + OpenIoT Summit Europe.

    The post Last Chance to Speak at Open Source Summit and ELC + OpenIoT Summit Europe – Submit by July 1 appeared first on The Linux Foundation.

    https://www.linuxfoundation.org/blog/last-chance-to-speak-at-open-source-summit-and-elc-openiot-summit-europe-submit-by-july-1/

  • Open Source Guides

    The Open Source Guides for the Enterprise are now available in Chinese.

    The popular Open Source Guides for the Enterprise, developed by The Linux Foundation in collaboration with the TODO Group, are now available in Chinese. This set of guides provides industry-proven best practices to help organizations successfully leverage open source.

    “Making these resources available to Chinese audiences in their native language will encourage even greater adoption of and participation with open source projects,” said Chris Aniszczyk, CTO of Cloud Native Computing Foundation and co-founder of the TODO Group. The guides span various stages of the open source project lifecycle, from initial planning and formation to winding down a project.

    The 10 guides now available in Mandarin include topics such as:

    • Creating an Open Source Program, by Chris Aniszczyk, Cloud Native Computing Foundation; Jeff McAffer, Microsoft; Will Norris, Google; and Andrew Spyker, Netflix
    • Using Open Source Code, by Ibrahim Haddad, Samsung Research America
    • Participating in Open Source Communities, by Stormy Peters, Red Hat; and Nithya Ruff, Comcast
    • Recruiting Open Source Developers, by Guy Martin, Autodesk; Jeff Osier-Mixon, Intel Corporation; Nithya Ruff; and Gil Yehuda, Oath
    • Measuring Your Open Source Program’s Success, by Christine Abernathy, Facebook; Chris Aniszczyk; Joe Beda, Heptio; Sarah Novotny, Google; and Gil Yehuda

    The translated guides were launched at the LinuxCon + ContainerCon + CloudOpen China conference in Beijing, where The Linux Foundation also welcomed Chinese Internet giant Tencent as a Platinum Member.

    The post Open Source Guides for the Enterprise Now Available in Chinese appeared first on The Linux Foundation.

    https://www.linuxfoundation.org/blog/open-source-guides-for-the-enterprise-now-available-in-chinese/
