Implement DevSecOps to transform your business to IT-as-code

Conduct an online search and you’ll find close to one million websites offering their own definition of DevSecOps.

Why is it that domain experts and practitioners alike continue to iterate on analogous definitions? Likely, it’s because they’re all correct. DevSecOps is a union between culture, practice and tools providing continuous delivery to the end user. It’s an attitude; a commitment to baking security into the engineering process. It’s a practice; one that prioritizes processes that deliver functionality and speed without sacrificing security or test rigor. Finally, it’s a combination of automation tools; correctly pieced together, they increase business agility.

The goal of DevSecOps is to reach a future state in which software defines everything. To get there, businesses must adopt the DevSecOps mindset across every tech team, implement work processes that encourage cross-organizational collaboration, and leverage automation tools for infrastructure, configuration management and security. To make the process repeatable and scalable, businesses must plug their solution into CI/CD pipelines, which remove manual errors, standardize deployments and accelerate product iterations. Once this is done, everything becomes code. I refer to this destination as “IT-as-code.”

Why is DevSecOps important?

Whichever way you cut it, DevSecOps, as a culture, practice or combination of tools, is of increasing importance. Particularly now, with more consumers and businesses relying on digital channels, enterprises find themselves in the unavoidable position of having to deliver at speed and scale. Digital transformation that would once have taken years, or at the very least would have been preceded by a period of planning, is now urgent and compressed into a matter of months.

The keys to a successful DevSecOps program

Security and operations are part of this new shift, not just software delivery. A DevSecOps program succeeds when everyone, from security to operations to development, is not only part of the technical team but also able to share their work in a form others can reuse. Security, often seen as a blocker, upholds the “secure by design” principle by automating security testing and code review, and by educating engineers on secure design best practices. Operations, typically reactive to development, can instead catch mismatches between what engineering builds and what production runs before they cause incidents. Most businesses, however, are only used to applying automation to software delivery; they don’t yet know what automation means for security or operations. Working out how to apply the same methodology across the whole program, and therefore the whole business, is critical for success.

Data startup Axiom secures $4M from Crane Venture Partners, emerges from stealth

Axiom, a startup that helps companies deal with their internal data, has secured a new $4M seed round led by UK-based Crane Venture Partners, with participation from LocalGlobe, Fly VC and Mango Capital. Notable angel investors include former Xamarin founder and current GitHub CEO Nat Friedman and Heroku co-founder Adam Wiggins. The company is also emerging from a relative stealth mode to reveal that it has now raised $7M in funding since it was founded in 2017.

The company says it is also launching with an enterprise-grade product to manage and analyze machine data “at any scale, across any type of infrastructure”. Axiom gives DevOps teams a cloud-native way to store and query all of their data in one interface, without the overhead of maintaining and scaling data infrastructure themselves.

DevOps teams have spent a great deal of time and money managing their infrastructure, but often without being able to own and analyze their machine data. Despite all the tools at hand, managing and analyzing critical data has been difficult, slow and resource-intensive, consuming far too much money and time. This is what Axiom is addressing with its platform to manage machine data and surface insights, more cheaply, the company says, than other solutions.

Co-founder and CEO Neil Jagdish Patel told TechCrunch: “DevOps teams are stuck under the pressure of that, because it’s up to them to deliver a solution to that problem. And the solutions that existed are quite, well, they’re very complex. They’re very expensive to run and time-consuming. So with Axiom, our goal is to try and reduce the time to solve data problems, but also allow businesses to store more data to query at whenever they want.”

Why did they work with Crane? “We needed to figure out how enterprise sales work and how to take this product to market in a way that makes sense for the people who need it. We spoke to different investors, but when I sat down with Crane they just understood where we were. They have this razor-sharp focus on how they get you to market and how you make sure your sales process and marketing is a success. It’s been beneficial to us as we’re three engineers, so you need that,” said Jagdish.

Commenting, Scott Sage, Founder and Partner at Crane Venture Partners added: “Neil, Seif and Gord are a proven team that have created successful products that millions of developers use. We are proud to invest in Axiom to allow them to build a business helping DevOps teams turn logging challenges from a resource-intense problem to a business advantage.”

Axiom co-founders Neil Jagdish Patel, Seif Lotfy and Gord Allott, previously created Xamarin Insights that enabled developers to monitor and analyse mobile app performance in real-time for Xamarin, the open-source cross-platform app development framework. Xamarin was acquired by Microsoft for between $400 and $500 million in 2016. Before working at Xamarin, the co-founders also worked together at Canonical, the private commercial company behind the Ubuntu Project.

Homeland Security warns over ‘wormable’ Windows 10 bug

Homeland Security’s cybersecurity advisory unit is warning Windows 10 users to make sure that their systems are fully patched, after exploit code for a “wormable” bug was published online last week.

The code takes advantage of a security vulnerability that Microsoft patched back in March. The bug caused confusion and concern at the time, after details of the “critical”-rated flaw were published and then quickly pulled offline.

The vulnerability, known as SMBGhost, is in the Server Message Block (SMB) component that Windows uses to talk to other devices, such as file servers and printers. Once exploited, it gives an attacker the ability to run code of their choosing, such as malware or ransomware, on the target machine remotely over the internet, without needing any credentials.

Worse, because the bug is “wormable,” an exploit can spread from one vulnerable machine to the next across a network without any user interaction, similar to how the NotPetya and WannaCry ransomware attacks spread across the world, causing billions of dollars in damage.

Even though Microsoft published a patch months ago, tens of thousands of internet-facing computers are still vulnerable, prompting the advisory.

In the advisory, Homeland Security’s Cybersecurity and Infrastructure Security Agency said hackers are “targeting unpatched systems” using the new code and advises users to install updates immediately.

The researcher who published the code, a GitHub user who goes by the handle Chompie1337, said by their own admittance that their proof-of-concept code was “written quickly and needs some work to be more reliable,” but warned that the code, if used maliciously, could cause considerable damage.

“Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die,” said the researcher.

If you haven’t updated Windows recently, now would be a good time.

An unsecured database exposed the personal details of 202M job seekers in China

The personal details of more than 202 million job seekers in China, including phone numbers, email addresses, driver’s license details and salary expectations, were freely available to anyone who knew where to look, for as long as three years, because the database holding them was left unsecured.

That’s according to findings published by security researcher Bob Diachenko, who in late December located an open, unprotected MongoDB instance containing 202,730,434 “very detailed” records. The database was indexed by the internet-scanning search engines BinaryEdge and Shodan, and was freely readable without a password or login. It was only made private after Diachenko publicized its existence on Twitter.

Diachenko, who is director of cyber risk research at Hacken, wasn’t able to match the database with a specific service, but he did locate a three-year-old GitHub repository for an app that included “identical structural patterns as those used in the exposed resumes.” Again, ownership is not clear at this point although the records do seem to contain data that was scraped from Chinese classifieds, including the Craigslist-like 58.com.

A 58.com spokesperson denied that the records were its creation, claiming instead that the service had been the victim of scraping by a third party.

“We have searched all over the database of us and investigated all the other storage, turned out that the sample data is not leaked from us. It seems that the data is leaked from a third party who scrape[d] data from many CV websites,” a spokesperson told Diachenko.

TechCrunch contacted 58.com but we have not yet received a response.

While the database has now been secured, it was potentially exposed for up to three years, and there is already evidence that it was accessed regularly, although, again, it isn’t clear by whom.

“It’s worth noting that MongoDB log showed at least a dozen IPs who might have accessed the data before it was taken offline,” Diachenko wrote.

There’s plenty of mystery here — it isn’t clear whether 58.com was behind the hole, or whether it was a rival service or a scraper — but what is more certain is that the exposure is one of the largest of its kind to be found in China.
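Diachenko’s remark that the MongoDB log showed at least a dozen client IPs is exactly the evidence a responder wants to pull out systematically rather than by eye. The following is an added example, not code from the original article, from Diachenko or from 58.com: it parses mongod’s own “connection accepted” events in both the pre-4.4 plain-text log format and the 4.4+ JSON log format, drops clients from internal address ranges, and reports each outside client with its first-seen time and connection count. The log lines are constructed for illustration (RFC 5737 documentation addresses; the two formats are mixed in one sample only so both parsers are exercised), and the INTERNAL_NETS list is an assumption to adjust to your own network.

```python
import ipaddress
import json
import re
from typing import Dict, Iterable, Optional, Tuple

# Pre-4.4 mongod log line for an accepted connection looks like:
#   2018-12-28T11:05:12.417+0000 I NETWORK  [listener] connection accepted from 203.0.113.7:51344 #12 (2 connections now open)
LEGACY_ACCEPT = re.compile(
    r"^(?P<ts>\S+)\s+I\s+NETWORK\s+\[listener\]\s+connection accepted from\s+"
    r"(?P<remote>\S+)\s+#(?P<conn>\d+)"
)

# Address ranges treated as "ours" (assumption: adjust to your own network).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def split_remote(remote: str) -> Tuple[str, int]:
    """Split 'ip:port' (IPv6 is logged as '[addr]:port') into (ip, port)."""
    host, _, port = remote.rpartition(":")
    return host.strip("[]"), int(port)

def parse_accepted(line: str) -> Optional[Tuple[str, str, int, int]]:
    """Return (timestamp, client_ip, client_port, connection_id) for a
    connection-accepted event in either log format, or None for any other line."""
    line = line.strip()
    if line.startswith("{"):                      # 4.4+ structured (JSON) log
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            return None
        if ev.get("c") != "NETWORK" or ev.get("msg") != "Connection accepted":
            return None
        ip, port = split_remote(ev["attr"]["remote"])
        return ev["t"]["$date"], ip, port, int(ev["attr"]["connectionId"])
    m = LEGACY_ACCEPT.match(line)                 # pre-4.4 plain-text log
    if not m:
        return None
    ip, port = split_remote(m.group("remote"))
    return m.group("ts"), ip, port, int(m.group("conn"))

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_clients(lines: Iterable[str]) -> Dict[str, dict]:
    """Map every client IP outside INTERNAL_NETS to its first-seen timestamp
    and the number of connections it opened."""
    clients: Dict[str, dict] = {}
    for line in lines:
        ev = parse_accepted(line)
        if ev is None:
            continue
        ts, ip, _port, _conn_id = ev
        if is_internal(ip):
            continue
        entry = clients.setdefault(ip, {"first_seen": ts, "connections": 0})
        entry["connections"] += 1
    return clients

def report(lines: Iterable[str]) -> str:
    """Human-readable summary, one line per outside client, oldest first."""
    clients = external_clients(lines)
    rows = [f"{ip:<18} first seen {info['first_seen']}  connections={info['connections']}"
            for ip, info in sorted(clients.items(), key=lambda kv: kv[1]["first_seen"])]
    return "\n".join([f"{len(clients)} outside client IP(s) connected"] + rows)

# Constructed sample log (documentation addresses; both formats mixed only to exercise both parsers).
SAMPLE_LOG = """\
2018-12-28T11:05:12.417+0000 I NETWORK  [listener] connection accepted from 203.0.113.7:51344 #12 (2 connections now open)
2018-12-28T11:05:12.421+0000 I NETWORK  [conn12] received client metadata from 203.0.113.7:51344 conn12: { driver: { name: "PyMongo", version: "3.7.2" }, os: { type: "Linux" } }
2018-12-28T11:05:40.002+0000 I NETWORK  [conn12] end connection 203.0.113.7:51344 (1 connection now open)
2018-12-28T11:06:01.900+0000 I NETWORK  [listener] connection accepted from 10.0.0.5:40112 #13 (2 connections now open)
2018-12-28T13:41:09.110+0000 I NETWORK  [listener] connection accepted from 203.0.113.7:52871 #14 (3 connections now open)
2018-12-28T13:42:55.006+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:60011 #15 (4 connections now open)
{"t":{"$date":"2020-06-01T08:00:00.123+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.0.2.44:41002","connectionId":16,"connectionCount":5}}
{"t":{"$date":"2020-06-01T08:00:30.500+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn16","msg":"Connection ended","attr":{"remote":"192.0.2.44:41002","connectionId":16,"connectionCount":4}}
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run against a real mongod log, the 10.0.0.5 client would be dropped as internal and the three documentation-range clients reported; a server that was meant to be reachable only from its own application tier should produce an empty report, and any entry at all is the first thing to chase.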

GitHub CFO Vlado Herman Is No Longer At The Company

We’re hearing from sources that GitHub CFO Vlado Herman, who joined in December 2012, is no longer at the company. Herman was a high-profile hire at the time — and prior to GitHub, he was the CFO of Yelp. To be sure, as a company matures, executive departures can and often do happen. He had been at the company for around three years. We’re also hearing that David McJannet,…

At GitHub You Don’t Need No Stinkin’ Office, But There Is A Nice One If You Do

If you want to work for GitHub, the software development collaboration hub built on the open source Git project, you have to be independent and able to work outside the confines of what most organizations would consider normal operational guidelines. You don’t have to come to the office. In fact, you are encouraged to work where you want in the world at whatever timing makes sense for you.

Stripe Hires Away Twitter’s Romain Huet To Lead Global Developer Relations

At Twitter’s Flight conference, one of the stand-out portions of the keynote was a pretty epic on-stage coding exercise. It lasted about a half hour and turned into a sample project that was immediately made available on GitHub. One participant, Romain Huet, is leaving Twitter for online payments service Stripe to run its global developer relations team. He joined Twitter in 2013…

Trello Launches Revamped Business Offering With Third-Party Integrations

Back in 2013, project management service Trello launched its ‘Business Class’ service as a basic paid offering for teams that needed extra features like Google Apps integration and more granular administrative controls. Today, the company is launching a revamped version of its business offering that introduces new features like third-party integrations with tools like Slack, GitHub…

Hardware Incubators Are Critical To The Future Of Making Things

Hardware is hot — and poised to get hotter. Venture capital investment in connected device hardware startups reached approximately $1.48 billion in 2014, more than triple the amount of two years earlier. Meanwhile, the “fairy tale” acquisitions of Dropcam, Nest, Beats and Oculus — and the IPOs of Fitbit and GoPro — fuel public interest and momentum for new startups…

Setting The Right Valuation For A Competitive Series A Round

Founders are often puzzled by how VCs derive valuations for competitive Series A rounds. A competitive Series A round is an equity round where a company generally raises greater than $5 million led by a top-quartile venture capital firm. During these Series A rounds, it is not uncommon for founders to receive multiple term sheets from lead investors at different valuations, and to feel…