Tuesday, July 11, 2017

2017-07-11 Tuesday - JavaScript Security/Audit/Vulnerability Checks

So, quite often, I have a need to analyze a massively long list of JavaScript modules used in a vendor's solution when I'm providing Enterprise Architecture oversight and assessment during the vendor evaluation phase of client RFP efforts.

To provide some confidence that there are no serious lurking security concerns with any of the JavaScript modules used in the vendor solution (and, equally important, to identify those that are at or beyond end-of-life), I would like to find a command-line tool that would let me submit a file listing the module names (with version numbers) and receive back some form of report or analysis identifying which ones may pose a high risk.
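As an added example (not part of the original post, and not one of the tools it surveys), here is a small Python checker shaped the way the paragraph above describes: it reads a file of `name@version` lines, matches each entry against a local advisory list of vulnerable version ranges and an end-of-life list, and reports the hits. The advisory and end-of-life data embedded below are constructed placeholders for illustration only, not real vulnerability records; a real run would replace them with a fetched advisory feed. The range syntax handled is a space-separated comparator set (`>=2.0.0 <2.4.1`), which is an assumption of this example and narrower than the caret, tilde and `||` forms npm accepts.

```python
"""Minimal module-list risk checker (added example; placeholder advisory data)."""
import re
import sys

# Constructed placeholder advisory feed: module -> list of (version range, summary).
ADVISORIES = {
    "example-left-pad": [("<1.3.0", "PLACEHOLDER: prototype pollution")],
    "example-router": [(">=2.0.0 <2.4.1", "PLACEHOLDER: path traversal")],
}
# Constructed placeholder end-of-life list: module -> last unmaintained major version.
EOL_MAJOR = {"@scope/example-legacy-ui": 1}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "": lambda a, b: a == b,
}


def parse_version(text):
    """Return (major, minor, patch) as ints; raise ValueError for non-semver strings."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a semantic version: %r" % text)
    return tuple(int(x) for x in m.groups())


def in_range(version, range_expr):
    """True when version satisfies every space-separated comparator in range_expr."""
    v = parse_version(version)
    for token in range_expr.split():
        m = re.match(r"^(<=|>=|<|>|=)?(.+)$", token)
        op, bound = m.group(1) or "", m.group(2)
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_module_list(lines):
    """Parse 'name@version' lines (scoped names like @org/pkg@1.0.0 included).

    Blank lines and '#' comments are ignored. Returns (entries, errors) so that a
    malformed line is reported rather than silently dropped from the audit.
    """
    entries, errors = [], []
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.rpartition("@")  # last '@' separates the version
        if not sep or not name:
            errors.append("line %d: expected name@version, got %r" % (n, raw.strip()))
            continue
        try:
            parse_version(version)
        except ValueError as e:
            errors.append("line %d: %s" % (n, e))
            continue
        entries.append((name, version))
    return entries, errors


def check_modules(entries):
    """Return findings as (name, version, kind, detail) tuples, in input order."""
    findings = []
    for name, version in entries:
        for range_expr, summary in ADVISORIES.get(name, []):
            if in_range(version, range_expr):
                findings.append((name, version, "VULNERABLE", "%s (%s)" % (summary, range_expr)))
        last = EOL_MAJOR.get(name)
        if last is not None and parse_version(version)[0] <= last:
            findings.append((name, version, "END-OF-LIFE", "major %d is no longer maintained" % last))
    return findings


# Constructed sample input, used when no file is given on the command line.
SAMPLE_INPUT = """# constructed sample module list
example-left-pad@1.2.9
example-router@2.3.0
example-router@2.4.1
@scope/example-legacy-ui@1.8.0
example-clean@3.1.0
bad line without version
"""


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_INPUT
    entries, errors = parse_module_list(text.splitlines())
    findings = check_modules(entries)
    for name, version, kind, detail in findings:
        print("%-12s %s@%s: %s" % (kind, name, version, detail))
    for err in errors:
        print("PARSE-ERROR  %s" % err)
    return 1 if findings or errors else 0  # non-zero exit lets a pipeline gate on the result


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python checker.py modules.txt`; with no argument it audits the constructed sample, flagging two vulnerable entries, one end-of-life entry and one unparseable line. Keeping parse errors as a separate, non-silent result matters for an audit: a line the tool could not read is an unknown, not a pass.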

This posting is a placeholder for tools that I find that might be of utility in this effort - and hopefully of use to some future reader.

First, a quick survey of Google search results to help identify initial articles in the problem/solution domain to review:
I'll post an update next week based on what I find to be of practical use from the above list.

Monday, July 03, 2017

2017-07-03 Monday - STRUTS 2 - CVE-2017-5638

"...this time, a “minerd” crypto coin mining program will be downloaded as well with all of its prerequisites. The attacker masquerades the malicious process and its configuration with names similar to Apache server, to make it look more innocent when the infected user will list all the running processes."
"These cryptocoin pools appear to be hosted in France under the 'crypto-pool.fr'"
"One of the more fascinating aspects of this malware was the creative technique that the spearhead exploit uses to propagate itself. It will search for all the remote IP addresses that the administrator of the server was connecting to on this server. It searches the SSH “known_hosts” file, which keeps the IP addresses and fingerprints of all the servers to which the administrator was connecting. It also scans the Bash history file for any IP addresses used within the SSH command. Once this list of IP addresses is compiled, the script tries to connect to them via SSH. If the configured authentication was set up to use a key file instead of a username and password, the malware will successfully deploy itself on the remote machine."
"The same attacker (surprisingly using the same IP address) behind the previously described Apache STRUTS campaign varied the campaign again during the week of March 20th. This time, the payload infected Windows machines with the “Cerber” ransomware."

Saturday, July 01, 2017

2017-07-01 Saturday - Continuous Delivery

I'm interested in how folks have implemented approaches to achieving Continuous Delivery, so this posting is a placeholder for interesting stories I happen to find.

Expedia (under leadership by the then Senior Release Program Manager, Sandy Anuras) initiated a project called the "Shuntless Release Project" (circa 2008-2010) - which allowed Expedia "...to reduce the downtime for a release from 8+ hours to 0 minutes...". I would like to find out more about that specific effort's approach, but in the meantime, here are a few more recent presentation decks I found on SlideShare.net that may be of interest:

Friday, June 30, 2017

2017-06-30 Friday - Dell Boomi

I'm doing some research today on the features and capabilities of Dell Boomi (as a cloud-hosted SaaS/iPaaS integration layer).

These resource links may be of interest to others:

Tuesday, May 16, 2017

2017-05-16 Tuesday - HPE News: The Machine

"The prototype unveiled today contains 160 terabytes (TB) of memory, capable of simultaneously working with the data held in every book in the Library of Congress five times over—or approximately 160 million books."

"Based on the current prototype, HPE expects the architecture could easily scale to an exabyte-scale single-memory system and, beyond that, to a nearly-limitless pool of memory—4,096 yottabytes. For context, that is 250,000 times the entire digital universe today."

 *   160 TB of shared memory spread across 40 physical nodes, interconnected using a high-performance fabric protocol.
 *   An optimized Linux-based operating system (OS) running on ThunderX2, Cavium’s flagship second generation dual socket capable ARMv8-A workload optimized System on a Chip.
 *   Photonics/Optical communication links, including the new X1 photonics module, are online and operational.
 *   Software programming tools designed to take advantage of abundant persistent memory.

Friday, April 07, 2017

2017-04-07 Friday - O'Reilly Early Release - Learning TensorFlow

New O'Reilly early release book on TensorFlow

2017-04-07 Friday - R and Plotly for Enterprise Architecture Heat Maps

I'm experimenting with v4.5.6 of the plotly R library (https://plot.ly/), working with the latest version of R, v3.3.3, crafting some Enterprise Architecture executive reporting views.

This weekend I will explore Shiny as well:
"A web application framework for R. Turn your analyses into interactive web applications" - http://shiny.rstudio.com/gallery/

Thursday, February 23, 2017

2017-02-23 Thursday - Flow and Deep Work

A thought-provoking article on the concepts of Flow and Deep Work - well worth the time spent to read it.