Docker has announced an update with new features, improvements and fixes. Docker 1.13 includes the ability to use compose files to deploy swarm mode services; improved CLI backward-compatibility; cleanup commands; CLI restructuring; monitoring improvements; build enhancements; and the public data of Docker for AWS and Azure.

In addition, Docker 1.13 features experimental capabilities in Docker build and Docker service logs.

GitHub makes its data available for analysis on BigQuery

GitHub is making its data available for public analysis on BigQuery, a data warehouse for large-scale data analytics. The GitHub 3TB+ dataset features all the GitHub activity to date, and includes more than 2.8 million open-source projects.

Users can look at the data through two datasets: the GitHub Archive project and the GitHub Public Data Set. Some queries run so far include code comments, countries with the most open-source developers, emotions expressed in commit messages, and information about bigger pull requests.

Researcher develops new database-analytics platform

A former researcher from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) has developed a new database-management system designed to run on GPUs instead of CPUs. MapD, developed by CEO Todd Mostak, uses GPUs in order to query and map billions of data points in milliseconds. According to him, it is 100x faster than traditional systems.

“In most implementations, the data is initially stored on a CPU, moved to the GPU for a query, and results are moved back to the CPU for storage. Even if you speed up the computation time of a query [by using a GPU], you lose most of the speed by transferring from CPU to GPU and back,” said Mostak. MapD caches data on GPUs so there is no moving back and forth or time wasted, according to him.

More information is available here.

DOT designates automated vehicle proving grounds

The U.S. Department of Transportation wants to foster self-driving vehicle innovation while promoting safety. The DOT announced 10 proving ground pilot sites for testing and sharing information about automated vehicle technology.

According to the department, the proving grounds will help transform personal and commercial mobility, and provide critical insights into automated driving.

“The designated proving grounds will collectively form a Community of Practice around safe testing and deployment,” said U.S. Transportation Secretary Anthony Foxx. “This group will openly share best practices for the safe conduct of testing and operations as they are developed, enabling the participants and the general public to learn at a faster rate and accelerating the pace of safe deployment.”

The full list is available here.
The Software Assurance Forum for Excellence in Code (SAFECode) has announced the release of the Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Life Cycle Program (Third Edition). The publication is a set of best practices designed to help organizations improve their software assurance programs and encourage adoption of secure development practices.

Some of the topics included in this edition are requirement identification, management of third-party components, security issue management, and vulnerability response and disclosure. It also goes over what organizations need to consider when planning and implementing a successful Secure Development Lifecycle (SDL) program. Significant revisions in this edition include specific guidance on secure development techniques, guidance on critical security features, the relationship of the security response process to secure development, and considerations for planning and implementation of a successful Secure Development Lifecycle (SDL) program.

According to SAFECode, companies should establish a workflow that can help them identify their security requirements. Those security requirements need to be tracked throughout implementation and verification as well, the guide notes. It recommends managing controls as structured data in an Application Development Lifecycle Management system instead of in an unstructured document.

In terms of third-party components, organizations should choose established frameworks and libraries that provide sufficient security for their use cases and are capable of defending against known threats, according to the guide. It cautions organizations not to waste resources and introduce new risks by re-implementing security features native to the framework.

The guide states that discovered vulnerabilities need to be tracked and action should be taken to remediate, mitigate, and accept the risk. “Performing the secure development practices outlined in this document will aid in identifying these weaknesses. However, simply performing these activities is not sufficient. Action should be taken to correct the identified weaknesses to improve the overall security posture of the product,” the guide says.

Organizations also need a strategy to disclose vulnerabilities, particularly those that are publicly disclosed or being actively exploited. Customers should be provided with timely information, guidance, and mitigations or updates to address those vulnerabilities.

The guide also urges organizations to consider the following when planning implementation of an SDL: the culture of the organization; expertise and skill level of the organization; product development model and lifecycle; scope of the initial deployment; stakeholder management and communication; efficiency measurement; SDL process health; and value proposition for the secure development practices.

“As the threat landscape and attack methods continue to evolve, so too have the processes, techniques and tools to develop secure software. Fundamental Practices for Secure Software Development is an essential guide to help address these threats. It is considered by many in the industry as a go-to resource for secure software development best practices,” said Steve Lipner, executive director for SAFECode. “Much has changed and been learned over the last few years and the third edition includes many new updates and additional content.”

While it can be a challenging task to sit down and create a set of best practices for the entire industry, SAFECode says the guide was created from the experiences of organizations that build software that reaches millions of users, but the principles offered in the guide will be applicable to organizations of varying sizes.

The best practices offered in SAFECode’s guide are currently being practiced by companies such as Dell EMC, Microsoft, Intel, Adobe, Symantec, Siemens AG, and CA Technologies.