Akamai Archives - SD Times
https://sdtimes.com/tag/akamai/
Software Development News

SD Times news digest: Snyk acquires Fugue; JetBrains adds advanced project management to YouTrack; Akamai to acquire Linode
https://sdtimes.com/softwaredev/sd-times-news-digest-snyk-acquires-fugue-jetbrains-adds-advanced-project-management-to-youtrack-akamai-to-acquire-linode/
Thu, 17 Feb 2022 15:57:11 +0000

The post SD Times news digest: Snyk acquires Fugue; JetBrains adds advanced project management to YouTrack; Akamai to acquire Linode appeared first on SD Times.

Today, the developer security company Snyk announced its acquisition of Fugue, a cloud security and compliance company. With this, Snyk makes its entrance into the cloud security market, a segment of the cybersecurity industry that is predicted to be worth $77.5 billion by 2026 according to MarketsandMarkets.

This combination brings Fugue’s capabilities to the Snyk Developer Security Platform, allowing for a cloud security posture management (CSPM) platform designed both by and for developers.

“As we join forces with Snyk today, our founding mission – security by and for developers – doesn’t change, but expands exponentially with the scope of the opportunity in front of us,” said Josh Stella, co-founder and CEO of Fugue. “We’re excited to now reach more developers in more places, helping them to not only build our future, but also successfully secure it.”

JetBrains adds advanced project management to YouTrack

JetBrains recently announced the 2022.1 release of YouTrack, its project management and knowledge base tool. With this, the team has introduced Interactive Gantt charts, allowing users to plan whole projects by dragging and dropping tasks on a timeline to schedule them and stretching them to set estimates.

After the dependencies between the tasks are established, the user can make changes and then update the start dates of the tasks that are affected further along the timeline with just one click. 

Akamai to acquire Linode

Akamai Technologies, a provider of solutions used to power and protect digital experiences, recently announced that it has entered into a definitive agreement to acquire the infrastructure-as-a-service platform provider Linode.

According to the terms of the agreement, Akamai will acquire all of the outstanding equity of Linode Liability Company for about $900 million, after customary purchase price adjustments. 

Build environmental sustainability into your development teams
https://sdtimes.com/softwaredev/build-environmental-sustainability-into-your-development-teams/
Thu, 04 Mar 2021 17:37:17 +0000

The post Build environmental sustainability into your development teams appeared first on SD Times.

Over the past several years, it’s become not just a cool thing for companies to appear to care about the environment, but a must to show customers what they’re actually doing about it. “Green pledges” have become the norm for a number of companies in order to publicly set sustainability goals and prove to customers that “Yes, we do care, and here’s what we’re going to do.” 

For example, Amazon’s Climate Pledge promises the company will be net zero carbon by 2040, which is 10 years prior to the goal of the Paris Agreement. Last year, Microsoft pledged to be carbon negative—actually removing the carbon it emits from the environment—by 2030 and to completely remove all carbon the company has emitted since its founding in 1975 by 2050. In December 2020, Disney set new environmental goals for 2030, focusing on five areas: greenhouse gas emissions, water, waste, materials, and sustainable design.  The list of companies making similar pledges goes on and on.

When you think of what contributes the most to climate change, you might think of electronics that require mining rare minerals, one-time use products that end up in landfills, fossil fuels burned by various modes of transportation, or what we eat. But the internet, while not a physical product, is actually a huge contributor to greenhouse gas emissions.

In fact, according to a report from The Shift Project, digital technologies contributed to 3.8% of global emissions in 2018.  To put this in perspective, the Sustainable Web Manifesto notes that “if the Internet was a country, it would be the 7th largest polluter.”

“An internet application is the silent killer when it comes to carbon emissions and things like that. A developer, when they’re writing a line of code, or adding an image or a third-party tag to a page, the last thing on their mind is the impact that’s going to have on energy efficiency,” said Michael Gooding, manager of solutions engineering at EMEA Akamai Technologies, a CDN company that has been investing in reducing its carbon footprint and that of its customers. 

In addition to reducing greenhouse gas emissions, there are a number of benefits that building more sustainable applications will provide. According to Chris Adams, co-founder of sustainability consultancy Greening Digital and director at the Green Web Foundation, the decisions that make an organization’s digital technologies greener also tend to save the company money. “If you’re burning needless compute as a developer, not only are you burning loads of cash, but the internet is basically the world’s biggest machine and still runs mostly on fossil fuels, so it also means you’re burning a lot of fossil fuels,” said Adams.

In addition to saving money, going green can also help your company attract top talent. “You can talk about climate in terms of retaining your best people or making it easier to attract people to a company, especially if you’re looking to hire a younger set of people, or actually once people have kids they tend to suddenly become much more interested in climate,” said Adams.

At a high level, efficiencies can be made in both software and hardware. According to Mike Mattera, director of corporate sustainability at Akamai Technologies, on the software side, there are efficiencies that can be built into code, such as optimizing images and being conscious of third-party libraries being added to an application. On the hardware side, improvements can be made such as running servers at hotter temperatures or using renewable energy. 

There are a number of resources out there that teams can use as a starting place and to look at for best practices. One popular resource is the Principles of Sustainable Software Engineering (Principles.green), which is a set of eight practices that can be used to “define, build, and run sustainable software applications.”

The eight principles include:

  1. Carbon: Companies should build applications that emit as little carbon as possible. 
  2. Electricity: Because most electricity is produced by burning fossil fuels, companies should build applications that are energy efficient.
  3. Carbon Intensity: Applications should consume electricity with the lowest possible carbon intensity, which is a measure of how much carbon emissions are produced per kWh of electricity that is consumed. For example, wind, solar, and hydroelectric emit no carbon, while fossil fuel sources emit some amount of carbon to produce electricity.
  4. Embodied Carbon: When possible, build applications that can run on older hardware, because hardware releases carbon both when it is created and destroyed, so elongating the lifespan of a device helps to reduce carbon emissions. 
  5. Energy Proportionality: Servers should be utilized as efficiently as possible. Servers aren’t configured for power-saving, and often are left in idle mode during low demand periods. To combat this, run work on as few servers as possible. 
  6. Networking: Companies should try to reduce the amount of data they produce and store, and reduce the distance that data needs to travel across the network. 
  7. Demand shaping: Rather than shaping supply to meet demand, consider shaping demand to match the supply. For example, video conferencing software often reduces the video quality to prioritize audio quality, rather than streaming at the highest quality possible the whole time.
  8. Measurement and Optimization: Companies should focus on end-to-end optimizations on carbon efficiency across the entire organization. According to the Principles.green site, the most impactful optimizations will come from those who understand the carbon footprint of the entire stack, from the front-end to the data center.

According to Adams, the Principles of Sustainable Software Engineering started when he was speaking with Asim Hussain, Green Cloud Advocacy Lead at Microsoft, who wanted to put together something like a 12 Factor App Methodology for sustainable software. “I thought yeah that’s a really good idea because in many cases there’s been a number of pieces and manifestos and things that have been put into the world previous, but in many cases it’s not always obvious how to go from something like signing a manifesto saying ‘yeah, I think we should care about humans as well as computers and the climate’ to then how does that translate into something meaningful?”

According to Adams, in addition to the Principles of Sustainable Software Engineering, there are a number of other resources for developers, such as the Sustainable Web Design Manifesto, which is a pledge of commitment to adhere to certain practices, and the ClimateAction.tech community, which Adams helped create. “We organized this as a community who are trying to green the way that we work as technology professionals, because we are in a relatively high leverage situation. It’s also kind of part of being a responsible professional in 2020 to have a stance and be thinking about this stuff, because we all need to be thinking about this and getting to net zero,” said Adams.

Another helpful resource is Energy Patterns, which is a catalogue of 22 items developed by Luís Cruz and Rui Abreu that developers can use to improve mobile app efficiency.

“The idea of having such a catalogue started because we realized that it’s really hard to build energy-efficient mobile applications,” said Cruz, one of the authors of Energy Patterns and assistant professor at Delft University of Technology (TU Delft). Thus, Energy Patterns was started as a method of collecting knowledge from experts in the area and compiling it in a form that anyone, from beginners to seniors, could ingest.

According to Cruz, some of the Energy Patterns are pretty basic, such as dark UI colors. It has become popular for apps to offer a dark mode option, but dark interfaces also require less energy, Cruz said. Other patterns in the catalogue are not even related to coding, but the way an app is designed. For example, informing users that clicking a certain button or using a feature might be energy intensive and letting the user decide how they want to use the app. “Sometimes it’s not only about fancy coding practices, it’s about thinking about the product,” said Cruz. 

Cruz noted that a lot of the Energy Patterns are things that are still pretty straightforward, but that developers tend to be unaware of. “That’s why we think this is important to integrate energy efficiency in the education foundation of computer scientists and of any software engineer, any developer,” said Cruz.  

Though adopting new practices or processes in development can often require a lot of change, Cruz doesn’t believe that’s necessarily the case here. He recommends developers consider meeting energy efficiency requirements the same way they would code quality in terms of readability or maintainability. 

The main challenge tends to be an organizational one of getting developers and leaders aligned. “Sometimes even if you’re a developer that cares about sustainability and likes to build energy efficient code it won’t be something valued at the organization,” Cruz said. However, he also noted that if all developers are sustainability advocates, the product they release will tend to be sustainable. This is why he advocates teaching sustainability in computer science programs and making changes through education. “I think through education, this is the best way of changing anything in our society. And the software engineering world, the tech industry, is no different on that,” Cruz said. 

Mattera also emphasized the important role developers play in this. “Having the engineers be able to make improvements, especially on the efficiency side is really the key to a successful program. If you don’t have the education and you don’t have those skill sets working on this, it’s definitely something that’s going to be really difficult to get off the ground, especially if you’re trying to work on server sprawl, or that kind of thing,” he said.

Adams added that another way to ensure success at adopting sustainable principles is to actually publicly state in your team that this is something to work on. “The key thing is literally just defending people’s time so that they can look into this stuff, but making it clear to the team that yes we give you permission to give a shit about the environment. It sounds really dumb, but the thing is that in many cases if you don’t feel empowered to do this, it’s always going to take second field. I think one of the most important things you could do as a team is to say we recognize that the science dictates that we need to take some action and we’re going to show that we’re looking into this and we’ll speak to other groups and we’ll see what’s going on here,” said Adams. 

Android Things joins Hackster.io, Baidu acquires KITT.AI, and Akamai to host Girls Who Code — SD Times news digest: July 5, 2017
https://sdtimes.com/akamai/android-things-joins-hackster-io-sd-times-news-digest/
Wed, 05 Jul 2017 15:27:46 +0000

The post Android Things joins Hackster.io, Baidu acquires KITT.AI, and Akamai to host Girls Who Code — SD Times news digest: July 5, 2017 appeared first on SD Times.

Google is teaming up with Hackster.io to help developers share and learn more about Internet of Things development. Hackster is an online community dedicated to IoT developers. In addition, it showcases IoT projects in order to inspire other developers in the field, and it provides live workshops and design contests to educate and challenge developers. The partnership is a part of Google’s Android Things solution, an IoT platform.

“Android Things makes building connected embedded devices easy by providing the same Android development tools, best-in-class Android framework, and Google APIs that make developers successful on mobile. Since the initial preview launch back in December, the community has turned some amazing ideas into exciting prototypes using the platform,” Dave Smith, developer advocate for IoT at Google, wrote in a post.

KITT.AI joins Baidu
KITT.AI is joining Baidu, a search, AI, and autonomous driving company, so it can reach more developers in the next few years. The goal of the joint mission is to make the complex world simpler with natural language technologies.

According to KITT.AI founder and CEO Xuchen Yao in a blog post, “KITT.AI’s products are deployed in smart phone apps, speakers, appliances, web chat, cars, homes, conference rooms, offices, hospitals, and even telephone lines.” With this announcement, nothing will change in existing products or brands within KITT.AI, and the company will continue to support its developers as a Baidu company, said Yao.

Akamai partners with Girls Who Code
Akamai Technologies will serve as a host company for the Girls Who Code seven-week Summer Immersion Program this year, so rising 11th and 12th grade girls can learn engineering skills, update their resumes and LinkedIn profiles, and participate in a “How the Internet Works” game.

“The imbalance in the numbers of women focused on careers in computer science, software development and Internet technologies continues to be one of our industry’s biggest challenges,” said Tom Leighton, CEO at Akamai. “Partnering with Girls Who Code is an important step towards better preparing young women for technology jobs – an investment, we believe, that is vital to the future of technology and innovation.”

Those in the program will also get a chance to tour Akamai’s Network Operations Control Center, receive computer skills training, and more.

Microsoft to reorganize for the cloud
Microsoft is reportedly planning a reorganization in its sales department to better focus on its cloud initiatives. According to a Bloomberg report, the company wants to improve its cloud software sales, and the restructuring could result in the loss of jobs for some employees. The changes will impact marketing efforts and could result in smaller personnel changes.

Raspberry Pi Zero W, Mozilla acquires Pocket, and Ansible Tower 3.1—SD Times news digest: Feb. 28, 2017
https://sdtimes.com/akamai/raspberry-pi-zero-w-mozilla-acquires-pocket-ansible-tower-3-1-sd-times-news-digest-feb-28-2017/
Tue, 28 Feb 2017 16:57:24 +0000

The post Raspberry Pi Zero W, Mozilla acquires Pocket, and Ansible Tower 3.1—SD Times news digest: Feb. 28, 2017 appeared first on SD Times.

Raspberry Pi is celebrating its fifth birthday with a new variant of Raspberry Pi Zero. The organization announced the Raspberry Pi Zero W with wireless LAN and Bluetooth.

Zero W aims to fix problems in the last variant by integrating more functionality into its core. It features the Cypress CYW43438 wireless chip for 802.11n wireless LAN and Bluetooth 4.0 connectivity, CSI camera connector, composite video, micro-USB power, and micro-USB on the go port.

“We imagine you’ll find all sorts of uses for Zero W,” wrote Eben Upton, founder of Raspberry Pi, in a blog post. “It makes a better general-purpose computer because you’re less likely to need a hub: If you’re using Bluetooth peripherals, you might well end up with nothing at all plugged into the USB port. And of course it’s a great platform for experimenting with IoT applications.”

New Relic updates its digital intelligence platform
New Relic wants to accelerate enterprise cloud initiatives with the latest release of New Relic Digital Intelligence Platform. The latest release features new alerting support for dynamic infrastructure, as well as expanded visibility into APM. These updates are designed to help developers monitor, manage and act on every change across the technology stack.

Other features include dynamic dashboards, company-wide dashboards, more flexibility with New Relic APM, new alerting capabilities for New Relic Infrastructure, and updates to its browser, mobile and synthetics solutions.

“As enterprises adopt the public cloud as a key component of their digital strategy, New Relic allows them to measure the health of their applications across their entire stack to give them the confidence to migrate faster and accelerate initiatives,” said Jim Gochee, chief product officer, New Relic.

Mozilla acquires Pocket
Mozilla is focusing on mobile and content discovery with its acquisition of Pocket. Pocket is a save-for-later service provider, and according to Mozilla, the acquisition will help grow its own mobile presence and provide tools to help users discover and access web content.


“We believe that the discovery and accessibility of high-quality web content is key to keeping the Internet healthy by fighting against the rising tide of centralization and walled gardens,” said Chris Beard, CEO of Mozilla. “Pocket provides people with the tools they need to engage with and share content on their own terms, independent of hardware platform or content silo for a safer, more empowered and independent online experience.”

Red Hat releases Ansible Tower 3.1
Red Hat is updating its enterprise-grade, agentless automation platform to help teams better scale DevOps automation. Ansible Tower is designed to help improve productivity and reduce downtime. Ansible Tower 3.1 features multi-playbook workflows, scale-out clustering, a streamlined job details page, integration with enterprise logging providers, and new search capabilities.

“DevOps teams look to IT automation to help speed productivity and manage complex deployments,” said Tim Cramer, head of engineering for Ansible. “The new workflow functionality in Ansible Tower 3.1 takes those capabilities a step further by helping to make automation even more intuitive. With workflows, users can run separate playbooks in a dependent fashion, including the ability to run different playbooks based on the success or failure of the prior job—further reducing manual process and enabling faster time to market.”

Akamai announces new mobile performance features
Akamai is updating its services to help developers and app owners take hold of their website and mobile app experiences. The company announced the latest version of Akamai Ion, its Web Performance Solution, as well as a new mobile app performance SDK.

Features of Ion include automation performance optimization and cellular optimization. The mobile app performance SDK is designed to help developers provide custom and differentiated experiences.

“We believe this release of Ion marks the beginning of a new kind of powerful performance optimization—one that is powered by applying machine learning to real-user data,” said Ash Kulkarni, senior vice president and general manager of the Web Performance Business Unit at Akamai. “Ion customers will be able to quickly and easily take advantage of these capabilities to address the demands of mobile users.”

Report: Developers should consider connection speeds, IPv4 exhaustion
https://sdtimes.com/akamai/report-developers-consider-connection-speeds-ipv4-exhaustion/
Fri, 30 Sep 2016 14:34:33 +0000

The post Report: Developers should consider connection speeds, IPv4 exhaustion appeared first on SD Times.

Developers might not be impacted directly by new online trends and global connection speed changes, but a recent report by Akamai emphasized the influence the Internet has on developing applications.

Akamai, a content delivery network company, released its second quarter 2016 “State of the Internet” report that gathers data on connection speeds and the impact the Internet has on businesses. A majority of the report features global statistics, including connection speeds, broadband adoption metrics, notable Internet disruptions, IPv4 exhaustion and IPv6 implementation.


The report highlighted global connection speed, stating it decreased 2.3% from the first quarter of 2016 to 6.1 megabits per second. (This was still a 14% increase year over year.) The average peak connection speed increased 3.7% to 36 megabits per second in the second quarter, rising 2.5% year over year.


The continued increase of speed is a reassuring trend for online retailers preparing for the holiday season. Developers should also consider changes in global connection speed, especially mobile speeds for their target audience, said David Belson, editor of the report and senior director of industry and data intelligence at Akamai. Global connection speeds can impact the quality of videos within applications, as well as things like multiplayer online games or the amount of data that an app might need to download.

“Similar consideration should also be given to fixed connection speeds; while Wi-Fi connections may run at higher speeds between the device (phone/tablet) and the router, that last-mile connection back to the ISP could be a bottleneck,” said Belson.

According to him, developers should not assume that users will always have Internet connections, nor should they assume that all users have access to high-speed Internet.

Belson said that developers should allow their applications to support IPv6 natively, since some network service providers are moving to only providing IPv6 addresses to end users, which means they are transitioning away from IPv4.

IPv4 exhaustion was another issue reviewed in Akamai’s report. This issue was identified at least 20 years ago, which drove the development of IPv6, said Belson.

“Due to the way that address space has been allocated over the years, available address space has largely been exhausted in most regions, meaning that networks/enterprises can either no longer obtain new IPv4 address space, or they need to buy it on the open market, potentially at significant cost,” he said.

Developers should test their applications to make sure they support both IPv4 and IPv6, with the latter being a requirement on the growing number of mobile network providers like Verizon Wireless, said Belson.

“They should also ensure that the applications they are developing are secure, taking the necessary steps to avoid exposing a user’s personally identifiable information, or having vulnerabilities that could be exploited, placing the user’s device at risk,” he said.

EFF hands out free certs for all
https://sdtimes.com/akamai/eff-hands-out-free-certs-for-all/
Wed, 13 Apr 2016 18:32:41 +0000

The post EFF hands out free certs for all appeared first on SD Times.

For years, securing your website meant paying a certificate authority for the privilege. But last summer, the Let’s Encrypt Project kicked off, led by the Electronic Frontier Foundation. It sought to provide a free source of SSL certificates, and as of yesterday, that goal has been met.

In the time since Let’s Encrypt began its beta in November of last year, the site has handed out more than 1.6 million certificates, encrypting more than 3.8 million websites.


Stephen Ludin, chief architect at Akamai, said, “From the very beginning, Akamai has been committed to supporting Let’s Encrypt’s vision of enabling greater use of SSL/TLS across the Internet. This milestone is confirmation of Let’s Encrypt’s ability to execute on that vision and have a tremendous impact to the Internet ecosystem.”

The Let’s Encrypt site is now responsible for bringing the entire WordPress blogosphere into SSL as well. That site used Let’s Encrypt to handle more than a million hosted blogs.

In addition to officially leaving beta, Let’s Encrypt added some new sponsors to its group. Duda, Fastly, Gemalto, HPE and ReliableSite have all joined as sponsors, which also include Akamai, Cisco, Google and Mozilla.

“We’re very proud to be a Gold Sponsor for Let’s Encrypt, which leverages our industry-leading hardware security modules to protect their certificate authority system,” said Todd Moore, vice president of encryption product management at Gemalto. “Encryption by default is critical to privacy and security, and by working with Let’s Encrypt Gemalto is helping to deliver trust for the digital services that billions of people use every day.”

EFF wants to make HTTPS the default protocol
https://sdtimes.com/akamai/eff-wants-make-https-default/
Wed, 19 Nov 2014 20:38:04 +0000

The post EFF wants to make HTTPS the default protocol appeared first on SD Times.

The Electronic Frontier Foundation, along with a coalition of tech companies, organizations and researchers, has announced Let’s Encrypt: a new certificate authority (CA) initiative to implement the HTTPS encryption and communications protocol across the entire Web.

Let’s Encrypt, which is also backed by Akamai, Cisco, IdenTrust, Mozilla and University of Michigan researchers, is intended as a large-scale effort to clear the remaining Internet-wide roadblocks to transitioning from HTTP to HTTP Secure (HTTPS), and to encrypt every website with HTTPS by default. According to the EFF news release, the CA initiative will focus on reducing the complexity of implementing HTTPS by simplifying the process of obtaining, installing and managing HTTPS certificates.

For Web developers, this means a much shorter setup time for HTTPS—several hours reduced to 20-30 seconds—and several new Web technologies to help developers automate and secure HTTPS protocols on their sites and Web applications.

A new open-source protocol called ACME will help support stronger domain validation, and a combination of certificate datasets (such as the EFF’s Decentralized SSL Observatory, the University of Michigan’s scans.io and Google’s Certificate Transparency log) will aid in assessing HTTPS certificate security. A new nonprofit organization called the Internet Security Research Group (ISRG) will manage the CA initiative.

“With our client software, which speaks ACME to the Let’s Encrypt API servers, developers can set up [Transport Layer Security] simply by providing a domain name,” ISRG executive director Joshua Aas told SD Times. “There are, and will be, more-advanced options providing more control.”

Aas said developers looking to get involved with Let’s Encrypt should start by checking out CA specifications and software on GitHub, including the Let’s Encrypt developer preview. The ISRG is looking for developer feedback on use cases, the tool’s user interface and behavior, and the protocol itself.

“Each specification and piece of software has its own repository and issues tracker,” Aas said. “Developers can help by filing new issues and resolving existing issues. As we move forward, we’ll add more infrastructure for developer interaction.”

Let’s Encrypt has set a launch date of summer 2015, and in the meantime the ISRG will be writing software, installing hardware, working to pass audits, and building an open-source community around the certificate authority. According to Aas, the ISRG hopes to accelerate the adoption rate of Web-wide HTTPS deployment within the next year before the official launch.

Ultimately, Aas, the ISRG and the entire coalition behind Let’s Encrypt are working toward changing attitudes about the Internet-wide importance and priority of HTTPS.

“We’d like to see Web developers and system administrators view secure and encrypted communication as the default mode of operation,” Aas said. “Right now, for example, HTTP is the default and HTTPS is considered to be an optional feature. That needs to change, and similar changes in terms of choosing security by default probably need to be made in other parts of the Web development stack as well.”

More information is available on the Let’s Encrypt website.

Zeichick’s Take: Tomorrow’s forecast: Distributed Denial of Service https://sdtimes.com/akamai/zeichicks-take-tomorrows-forecast-distributed-denial-service/ Thu, 06 Nov 2014 20:44:42 +0000

Malicious agents can crash a website by implementing a DDoS—a Distributed Denial of Service Attack—against a server. So can sloppy programmers.

Take, for example, the National Weather Service’s website, which is operated by the United States National Oceanic and Atmospheric Administration, or NOAA. On August 29, the service went down, hard, as a single rogue Android app overwhelmed the NOAA’s servers.

As far as anyone knows, there was nothing deliberately malicious about the Android app, and of course there is nothing specific to Android in this situation. However, the app in question was making service requests of the NOAA server’s public APIs every few milliseconds. With hundreds, thousands or tens of thousands of instances of that app running simultaneously, the NOAA system collapsed.

There is plenty of blame to go around. Let’s start with the app developer.

Certainly the app developer was sloppy, sloppy, sloppy. I can imagine that the app worked great in testing, when only one or two instances of the app were running at any one time on a simulator or on actual devices. Scale it up—boom! This is a case where manual code reviews may have found the problem. Maybe not.

Alternatively, the app developer could have checked to see if the public APIs it required (such as NOAA’s weather API) could handle the anticipated load. However, if the coders didn’t write the software correctly, load testing may not have sufficed. For example, say that the design of the app was to pull data every 10 seconds. If the programmers accidentally set up the data retrieval to pull the data every 10 milliseconds, the load would be 1,000x greater than anticipated. Every 10 seconds, no problem. Every 10 milliseconds, big problem. Boom!

This is a nasty bug, to be sure. Compilers, libraries, test systems, all would verify that the software ran correctly, because it did run correctly. In the scenario I’ve painted, it simply wasn’t coded to meet the design. The bug might have been spotted if someone noticed a very high number of external API calls, or again, perhaps during a manual code review. Otherwise, it’s not hard to see how it would slip through the cracks.

Let’s talk about NOAA now. In 2004, the weather service beefed up its Internet loads in anticipation of Hurricane Charley, contracting with Akamai to host some of its busiest Web pages, using distributed edge caching to reduce the load. This worked well, and Akamai continued to work with NOAA. It’s unclear if Akamai also fronted public API calls; my guess is that those were passed straight through to the National Weather Service servers.

NOAA’s biggest problem is that it has little control over external applications that use its public APIs. Even so, Akamai was still in the circuit and, fortunately, was able to help with the response to the Aug. 29 accidental DDoS situation. At that time, the National Weather Service put out a bulletin on its NIDS messaging service that said:

TO – ALL CUSTOMERS SUBJECT – POINT FORECAST ISSUES. WE ARE PROVIDING NOTICE TO ALL THAT NIDS HAS IDENTIFIED AN ABUSING ANDROID APP THAT IS IMPACTING FORECAST.WEATHER.GOV. WE HAVE FORCED ALL SITES TO ZONES WHILE WE WORK WITH THE DEVELOPER. AKAMAI IS BEING ENGAGED TO BLOCK THE APPLICATION. WE CONTINUE TO WORK ON THIS ISSUE AND APPRECIATE YOUR PATIENCE AS WE WORK TO RESOLVE THIS ISSUE.

Kudos to NOAA for responding quickly and transparently to this issue. Still, this appalling situation—that a single DDoS attack could cripple such a vital service—is unacceptable. Imagine if this had been a malicious attack, rather than an accidental coding error, and if the attacker was able to modify the attack in real time to go around Akamai’s attempts to block the traffic.

What could NOAA have done differently? For best results, DDoS attacks must be blocked within the network before they reach (and overwhelm) the server. Therefore, DDoS detection and blocking systems should already have been in place.

In addition, there should also have been detection systems within the API servers themselves, with the ability to detect potential attacks due to abnormally high volumes of requests from a specific app, raise alarms, and also drop such requests (which is fast and takes few resources), instead of servicing them (which is slow and takes more resources). Perfect? No. DDoS scenarios are nasty and messy. No matter how you slice it, though, a single misbehaving app should never be able to crash your server.

Do you have code or resources in place to detect and react to a DDoS situation? Write me at alan@camdenassociates.com.
