Salesforce outage.

It appears Salesforce shut down its services on May 17th, 2019. The reason was a faulty configuration of scripting options that allowed users to access all of their company’s Salesforce data. To prevent worse, Salesforce shut down.

Salesforce said the script only impacted customers of Salesforce Pardot – a business-to-business (B2B) marketing-focused CRM.

However, out of an abundance of caution, the company decided to take down all other Salesforce services, for both current and former Pardot customers.

Source: Faulty database script brings Salesforce to its knees | ZDNet

VMware acquires Bitnami

Bitnami is a name that many may know from packaged applications available on the major cloud marketplaces. The company packages up applications for easier consumption and adoption, and the concept became quite popular. Today, VMware announced the acquisition of Bitnami for an undisclosed amount of money.

VMware announced today that it’s acquiring Bitnami, the package application company that was a member of the Y Combinator Winter 2013 class. The companies didn’t share the purchase price. With Bitnami, the company can now deliver more than 130 popular software packages in a variety of formats, such as Docker containers or virtual machine, an […]

Source: VMware acquires Bitnami to deliver packaged applications anywhere | TechCrunch

Infosec community

A security discussion is currently raging over the fact that Videolan delivers updates for its media player only over http://. In my opinion, too, that does not meet the standard of 2019, but hey. Apparently the developers had various arguments for sticking with the procedure: signatures via gpg, maintenance, effort and so on.

In any case, the situation opens up an exciting discussion about what the right approach actually is and, above all, who is right. The Videolan community, at any rate, does not seem to perceive the colleagues from infosec very sympathetically.

From my professional experience I unfortunately have to state: elsewhere, too, there is by no means any solidarity between Dev and Sec. The perception will be very similar in many software development teams. Rather, it is a constant mutual hassling. Quite similar to the case described.

That is even understandable, because these are two parties representing individual interests. And as a rule there is no reasonable way out of the situation either, because the teams' incentives do not aim at the same goal. Security is thus part of a problem and not part of a solution.

“You can't do it like that,” open those whose job it is to find flaws in software. “Hey, we spent months thinking this through,” the developers counter, and the debate is already in full swing.

Precisely because the security colleagues' remit is usually limited to pointing out flaws, it is only understandable that the opposing party perceives every audit as a source of additional, often barely comprehensible work, or even harassment.

If infosec can also show a way that is compatible with the developers' situation, writing secure software succeeds. Merely pointing out flaws is not enough for that.

In the case of Videolan the debate is now being held in public, which is not very pleasant to follow, but it is a necessary debate for any deeper integration of development and security.

Change.

Yesterday, a software engineer, also new to the organization, roughly told me the following. The way the organisation plans projects is so different to what he is used to as a software engineer. Planning projects with a horizon of 12 or even 24 months is something he says he just cannot wrap his head around.

While this is very common and necessary in the hardware industry, it is indeed something terribly alienating to software people. Software is typically treated as a living product that takes tiny changes at a time; it is governed more by a direction to take than by one exact goal it has to hit by a specific date.

These very fundamental goals both mindsets follow make it difficult for change to happen. While the software engineer above obviously has a point to make, he cannot reach the people he needs to reach, because both sides are just too far apart.

At the same time, I don’t yet have an answer to the problem, but the problem itself became so obvious when this colleague told me he just doesn’t know what to say. The digital world does not yet have a common language, not to mention a common way to think about approaching problems, and unless this hurdle is taken, change will only happen slowly.

Ocedo acquired by Riverbed

Riverbed Announces Acquisition of Leading SD-WAN Provider Ocedo 

Acquisition accelerates Riverbed’s strategy to deliver next-generation software-defined networking solutions to customers, and creates significant new growth opportunities

Guess that’s good news for the distribution of Ocedo’s products.

via: Ocedo acquired by Riverbed

Software Defined Networks

For most of my career I spent time configuring TCP stacks, IP ACLs, firewall rules and layer 2 links. I worked with devices from multiple vendors, pulled together hubs, switches, routers and packet filters, and used hardware and software tools to find out why an application won’t connect to a remote peer. For most of the time. Still, these days are over, since I chose a career working with customers a few years back. And while the interest in technology is still there, the desire to dive into cabling and repetitive flipping of switches has become very low over the years. Just as everything else in computing has been consumerized by the cloud, the network itself is still manual work (if done properly).

Software-Defined Networks may be here to overcome this perspective.

SoftWare Engineering Body of Knowledge v3

The Ballot version of the complete SWEBOK Guide V3 has been finalized and is now available. Everyone is invited to read the manuscript and to view the report of collected public review comments and their resolutions.

IEEE Computer Society Members Are Invited to Vote to Move Document Forward to Publication

via SWEBOK V3 Ballot.