|
A good number of security vulnerabilities are discovered and fixed in non-official channels. We found that the Snyk DB uncovers 67% more vulnerabilities than public databases. In 2018, new disclosures for npm grew by 47%, and Maven Central grew by 27%.
|
|
Top ten most popular docker images each contain at least 30 vulnerabilities
-
snyk.io
-
7 years ago
-
eng
We found that 44% of Docker image scans had known vulnerabilities for which newer and more secure base images were available. Most vulnerabilities originate in the base image you selected. For that reason, remediation should focus on base image fixes.
|
|
81% believe developers should own security, but they aren’t well-equipped
-
snyk.io
-
7 years ago
-
eng
A worrying 27% of respondents stated they do not have any proactive or automatic way to find out about newly discovered vulnerabilities in their applications. 37% of users don’t implement any sort of security testing during CI.
|
|
Regex for a single-threaded runtime could be devastating. We’ve also detected that the npm ecosystem has seen the most XSS vulnerabilities, with Maven Central and PyPI following next.
|
|
78% of vulnerabilities are found in indirect dependencies, making remediation complex
-
snyk.io
-
7 years ago
-
eng
Only one in three developers can address a high or critical-severity vulnerability in a day or less. The more we use open source software, the more risk we accumulate as we’re including someone else’s code that could potentially contain vulnerabilities now or in the future.
|
|
We had a meeting recently with 16 people on the video conference call. Due to poor planning and technical issues it took nearly half an hour to decide to postpone the meeting. That is eight man hours wasted - a whole day of work!
|
|
tldr; I'm working on an AOT-compiled JavaScript implementation called jsc. Many dynamically typed programming languages have implementations that compile to native binaries: Python: Cython; Common Lisp: SBCL; Scheme: Chicken Scheme. The benefits of compiling dynamically typed languages are similar to those of compiling statically typed languages: simplified deployment via a single binary; simplified foreign-function interfaces e.....
|
|
After making a few changes to this blog in an attempt to appease Amazon and failing, I wanted to undo those changes. Thankfully, since this blog is hosted on GitHub Pages, it’s version controlled via Git, meaning I should be able to find the changes and undo them fairly easily.
|
|
The advantage of OpenID Connect is the fact that it’s standardized and widely adopted. This means that a library or tool designed to work with, e.g., Google accounts can easily be adapted to work with, e.g., Microsoft’s Active Directory or the Norwegian national ID provider ID-porten. Different identity providers can support different levels of trust between you and your users. In my next few blog posts, I will explore different OpenID Connect..
|
|
Snyking in - Directory traversal vulnerability exploit in the st package
-
snyk.io
-
7 years ago
-
eng
Welcome to the first edition of a new exploit series we’re calling “Snyking In”! We’ll be looking at various security vulnerabilities, demonstrating how they can be exploited, as well as the potential risk they pose to your data and systems.
|
|
You can find my Goodreads account at goodreads.com/jessfraz. Romanticized Tech: I call this genre of books “romanticized tech” because of the way tech is portrayed in them in a very idealistic and whimsical way. It’s nice to pick up one of these if you are feeling very “Black Mirror” to remember why you might have even started in this field. Soul of a New Machine: Bryan Cantrill recommended this to me and it’s amazing. It’s about D....
|
|
The advantage of OpenID Connect is the fact that it’s standardized and widely adopted. This means that a library or tool designed to work with, e.g., Google accounts can easily be adapted to work with, e.g., Microsoft’s Active Directory or the Norwegian national ID provider ID-porten. Different identity providers can support different levels of trust between you and your users. The protocol is perceived with an air of mystery by many develope..
|
|
Releasing HypriotOS 1.10.0: Docker 18.06.3 CE from Raspberry Pi Zero to 3 B+
-
blog.hypriot.com
-
7 years ago
-
eng
We’re proud to announce our 1.10.0 release of HypriotOS - the fastest way to get Docker up and running on any Raspberry Pi. Features of HypriotOS: Latest Docker Engine 18.06.3-ce. You can use the latest features of the freshly-baked Docker Engine 18.06.3-ce that is still warm. It includes Swarm Mode, which allows high availability of services in a multi-node cluster within just a few simple commands. This version contains a fi....
|
|
I open-sourced this fun little program: https://github.com/glaretechnologies/fractal It animates a Julia set in realtime using OpenGL shaders. It has some funky colouring techniques so looks a bit nicer than your average fractal.
|
When I first read this tweet thread about the Aragon governance proposals voting on a rainy afternoon walk a month ago, my first reaction was blurting out “I’m sorry, but what the actual fuck?” Were I not in public, I would’ve burst out laughing. Aragon is one of the most promising governance projects in the space, with more than 20k token holders, 70k Twitter followers, and a $14M token market cap. Guess how many people voted in their..
|
|
In this article, we build a simple WebApi with F# and .NET Core. The target audience is C# developers who want to know more about functional languages and F# in particular.
|
|
Marcin Borkowski has a nice tip to quickly copy text or URLs between desktop and mobile using QR codes. I wrote a little elisp to do a similar thing using the clipboard via Emacs: (defun ar/misc-clipboard-to-qr () "Convert text in clipboard to qrcode and display within Emacs." (interactive) (let ((temp-file (concat (temporary-file-directory) "qr-code"))) (if (eq 0 (shell-command (format "qrencode -s10 -o %s %s" temp-file (shell-qu..
|
|
tmux, the terminal multiplexer, is one of those brilliant tools I use all day. I am not a tmux expert, nor do I have any need to be. What follows is the bare minimum you need to know to feel productive in tmux, written for some work colleagues. The following assumes you have not configured or tweaked tmux in any way, opting for the default settings. From the command line, to start or connect to tmux
|
|
Experiments, growth engineering, and the perils of not disguising your API routes: Part 1
-
jonlu.ca
-
7 years ago
-
eng
Inspecting exposed experiment APIs to understand how growth teams test product changes in production.
|
|
A few of you, thank you, have reached out to me saying that you love my writing style. It means a lot to me because I like to think that I write how I speak. This was not always taken well, however. I tend to be a bit of a sarcastic troll. The following post is meant to show others who may be like me and hesitant towards their writing style due to feedback they’ve gotten. I’d love to empower them to be comfortable with themselves. In hi....
|
Gamification for engagement and monetisation: engagement and monetisation are nearly two aspects of the same thing. The user wants to use your app and is ready to invest more time or more money in it. Examples: Reddit: gamified status, paying for social status using credits. Audible: a subscription earns you points; with points you gain the option to download books. Stop your sub and you lose all your points.
|
|
Ubuntu is a very popular operating system for robotics, for a number of reasons. Perhaps the software stack one happens to use prefers Ubuntu, or the hardware one is using only distributes drivers for Ubuntu. Maybe one’s team is already familiar with it, or decision-makers like that it has long-term support releases and extended security maintenance. Perhaps one views snaps as the perfect way to support and update robots in the field, and s..
|
|
Wednesday when I posted my monthly blog stat report I said that “February has been a frustrating month for me in the blogosphere, for reasons I cannot disclose” but that “I probably will be able to Friday.” Well, it’s Friday, and while things haven’t gone the way I hoped, they have gone the way I expected.
|
|
The new year has begun... a while ago! My last post was almost 9 months ago, so more than half a year has passed. A lot has happened, but I still feel like time has passed quickly.
|
|
This post, co-written by Weaveworks and Snyk, explains how using a GitOps continuous integration (CI)/continuous delivery (CD) pipeline combined with good security practices improves the overall security of your development workflow to Kubernetes.
|
Here is how you can restream a source video from one RTMP to Facebook Live: ffmpeg -i "rtmp://yourInputStream.stream" \ -r 30 \ -ar 44100 \ -s 1280x720 \ -c:a libfdk_aac -b:a 90k \ -movflags +faststart \ -preset veryfast -crf 28 \ -tune zerolatency \ -profile:v baseline \ -maxrate 1000k \ -vcodec libx264 \ -bufsize 10000k \ -g 60 \ -max_muxing_queue_size 1024 \ -f flv "rtmp://live-api-s.
|
|
Introduction: When starting on a new project or prototyping a new idea, I find myself doing the same tasks again and again. Thanks to Kubernetes it’s possible to set up a new environment from scratch really fast. Here is a quick setup (mostly notes) to create a dev environment using Minikube and the workflow I’m using with it. Not knowing in advance where this future project will be hosted, I try to stay platform agnostic.
|
|
Two decades ago, a piece of open source software I wrote for a Canadian HPC project caught the attention of someone working for NASA JPL, and after a few emails and a call regarding our experience applying it, a modified version of it was used in a small way to help the Mars Exploration Rover (MER) mission involving the rovers Spirit and Opportunity. With last week’s announcement that the MER mission is officially over, it’s nice to know ..
|
|
I spent the last couple of days in the O’Reilly Architecture Conference and HIMSS (Healthcare Information and Management Systems Society) Conference. During that time, I had the chance of listening to quite a few technical marketing spiels. Some of them were technically very impressive, but missed the target by a planet or two. I came up with a really nice analogy for how such presentations do a great disservice for their purpose. C....
|
|
February has been a frustrating month for me in the blogosphere, for reasons I cannot disclose at the moment - although I probably will be able to Friday. My stats are down, too, but not as bad as they used to be.
|
|
I like to consider all the variables in a problem space before coming to a conclusion. As humans we have a tendency to jump to conclusions rather quickly. I try not to do this but everyone makes mistakes. More information about Intel SGX was brought to my attention after my initial blog post on it. I’d like to take the time to go through that information and my current thoughts on the technology after having this extended context. Tra....
|
|
I’ve recently been working with cloud-init in Azure to set up Ubuntu machines, and for the most part I’ve really liked it, as it solves lots of problems and fits my use case. BUT debugging it has been a pain, so I thought I’d write up some notes here for others. Did it work? After deployment, SSH onto the node and run this: cloud-init status -w <- wait for it to finish
|
|
Concerned about npm vulnerabilities? It is important to take npm security best practices into account for both frontend and backend developers. Open source security auditing is a crucial part of shifting security to the left, and npm package security should be a top concern, as we see that even the official npm command line tool has been found to be vulnerable.
|
|
Dialyzer is a great tool to validate Erlang code, but it might slow down your development process if devs are applying it to huge codebases constantly, particularly if that code was never analyzed with it. This article is our answer to the big question: how to start using Dialyzer in a huge project where it was never applied before? 10-15 minute read. Continuing with our series of articles about the usage of Erlang/OTP to build ....
|