All posts by Code Curmudgeon

I've been working in Software Development at Parasoft since 1992 - which in my opinion is before the epoch (my measure being the first real use of the web). I've been involved deeply in creating software, creating software tools, and helping customers address their software problems including automotive, cybersecurity and embedded. The views and opinions expressed herein are those of the author and do not necessarily reflect the views of anyone else on the planet. Caveat lector. You can follow me on twitter @CodeCurmudgeon, Google+, Static Analysis for Fun and Profit, Facebook, and LinkedIn.

Top 10 Ways to Spot a Cybersecurity Expert

When you’re looking for a cybersecurity expert it’s important to be able to spot who knows what they’re doing and who doesn’t. Well in this case the title of the post is a bit of click-bait. Got you, didn’t I? This is really how to spot someone who is NOT a cybersecurity expert. Probably I should have titled it Ten Ways to Spot a Cybersecurity Fake. Let’s take a serious topic and have a bit of fun at the same time. Here’s the list.

#10 – Mobile phone is more than a year old
You just can’t push updates to old phones. Unfortunately this is as true for security patches as it is for bug fixes. If you want to be secure you’ve got to keep it patched, and to keep it patched you’ve got to have current hardware. In the smartphone world, this means your phone is less than 12 months old. An “expert” who carries a crappy phone isn’t paranoid enough for me.
#9 – Still carrying a Blackberry
The internet age moves fast and you have to keep up. Blackberry is a bit of a dinosaur and you’re just not getting all the latest that you get from more agile vendors. Avoid dinosaurs when looking for technical help; they simply won’t be aware of the latest threats and rely on outdated models of security.
#8 – Wears a suit
In the IT industry nothing says sales rep like a suit does. Now this person might understand the need and value of enhanced cybersecurity, but they don’t know what you really need to do. If they’re not a sales rep, then they’re probably just a dinosaur, because tech people don’t wear suits anymore. See above.
#7 – Wears a tie
Do I really have to explain? Have you ever met someone who really got cybersecurity who was wearing a tie? See above. (Sorry Kevin – you’re the exception. You rock the cravat.)
#6 – Uses open wifi
Any security professional worth their salt is deathly afraid of open wifi. It doesn’t matter if it’s a hotel, a coffee shop, or an airport. Cyberpeople carry their own internet in their pocket.
#5 – Never uses cash
Between the Target hack and ATM skimmers at the gas pump, a healthy dose of paranoia when it comes to credit cards is a good idea. I’ve gone back to using cash a lot more than I used to and you should too.
#4 – Thinks eight characters is enough for a password
Seriously, rainbow tables, people. If your password is leaked in a data breach it can take as little as a couple of milliseconds to crack an 8-character password. If they don’t know this, then their knowledge is years out-of-date.
#3 – Thinks funny characters you won’t remember are good for passwords
I’m sorry but *#*%^)-} isn’t a great password. You will never be able to remember it, you’ll write it down, and anyway it’s in a rainbow table so it’s not much better than 12345. You’re better off with an unbelievably long password you can remember that has a few funny tweaks than 8 pieces of gibberish.
#2 – Doesn’t wear glasses
Anyone spending their life on a computer has killed their eyes. If they’re not spending their life on the computer, they’re not passionate enough. You want someone who prefers the internet to real life. To paraphrase Orwell: Four eyes good, two eyes bad.
#1 – Doesn’t use the command line
Everyone with a hacker mentality uses the command line, regardless of operating system. Anyone without a hacker mentality isn’t qualified to be working in cybersecurity.

I warned you up front we were going to have some fun with this, and hopefully you did. But in reality some of these tips will help you vet your cybersecurity expert. Even just tossing some of the terms above at them to see how they respond may tell you something. If they use a term you don’t know make them explain it – if they can’t explain it they probably don’t understand it very well.

If you don’t know enough to tell a real expert from a fake, get help from someone you can trust, and stay safe out there!

Open-Source Project Activity Demystified

Open-source projects are spread across a wide spectrum of maturity and activity. When choosing to use open-source it’s important to select a project that has lots of active contributors and recent development unless you’re expecting to take on the project development yourself.

Determining project activity can be done by looking at project statistics such as GitHub provides. Often projects are started by a single individual who has a particular problem they want/need to solve. Once the software is “working” the project can stagnate. A few select projects reach a critical mass where multiple contributors work to keep the project up to date, fix bugs, add features and create a large useful popular project.

Open-source activity basics

Here we will compare a small semi-active project, Netflix curator, with an active popular one, Angular.js, to see how you can tell the difference. First, there are three basic statistics at the top of every GitHub project: Watch, Star and Fork.

Watch is the number of people who have added the project to their watchlist. This gives them updates about the project and is an indication of the number of people who care about changes to the code, rather than just use the project.

Star is the number of people who find a project interesting and want to indicate that. It also adds a bookmark for favorite projects.

Fork is the number of people who have cloned the repository with the intention of adding their own changes to it. Oftentimes such people don’t actually contribute, but it shows a level of interest in contributing.

Notice that the very popular and active Angular.js project has over ten times as many watchers as Netflix curator. As for Forks, Angular.js has an even bigger margin over Netflix curator – almost one thousand times as many forks.

Contributors

A second area to look at is the “Graphs” tab, which graphically shows information about contributors, frequency of code changes, etc. The graphs below show the contributors to each project.

Angular.js top contributors

Notice that the top 4 contributors to Angular.js each have tens of thousands of commits. The list of significant contributors is quite large, which not only provides a wealth of ideas for new features but also reduces risk when a contributor leaves the project.

In contrast, the commit count among the top 4 contributors to Netflix curator quickly drops to less than 100 commits – again a difference of almost one thousand times. If the main contributor leaves, or grows bored and moves on to something else, the project is completely stagnant – if you want anything you’ll need to do it yourself.

Netflix curator top contributors

Code change frequency

Next we can look at the frequency of code change. Netflix curator exhibits the common tendency of a project to stagnate at some point, once it has the basics of the functionality its single original contributor wanted.

Netflix curator code update frequency

A larger set of contributors with more ideas and free time helps to keep a project vibrant as you can see with the Angular.js project. Studies have shown that larger and more complex open-source projects tend to attract more developers.

Angular.js code update frequency

Network / Project forks

Finally, we can check the network graphs to see how many people are forking the project and doing something new with it, which is a telling indicator of how many people are really interested in the project and want to do their own thing with it. Note here that we have only a couple of forks for Netflix curator that were never merged back in,

Netflix curator network forks

while the Angular.js project has too many forks to display.

Angular.js network forks

At any given time you can quickly see which repositories are most active by checking https://bithub-ranking.com, and an explanation of the GitHub statistical graphs is available at https://help.github.com/articles/about-repository-graphs/.
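The checks above (contributor concentration, commit recency, fork and star counts) can be turned into a small script, which is useful when you vet many dependencies at once. This is an added example, not code from the post or from GitHub; the sample numbers are constructed and only mirror the field names GitHub's REST API returns (subscribers_count, stargazers_count, forks_count, per-contributor contributions, weekly commit totals).

```python
"""Score repository health from the GitHub statistics discussed above.
Sample data is constructed for illustration; field names follow the
GitHub REST API (/repos, /contributors, /stats/commit_activity) but
nothing is fetched from the network."""

# Constructed snapshots; the numbers are illustrative, not real project data.
REPOS = {
    "small-project": {
        "subscribers_count": 40, "stargazers_count": 120, "forks_count": 6,
        "contributors": [900, 45, 12, 3],            # commits per contributor
        "weekly_commits": [0] * 48 + [2, 0, 0, 0],   # last 52 weeks, oldest first
    },
    "popular-project": {
        "subscribers_count": 4500, "stargazers_count": 60000, "forks_count": 28000,
        "contributors": [5200, 4100, 3900, 3500] + [200] * 40,
        "weekly_commits": [35] * 52,
    },
}

def bus_factor(commits, share=0.5):
    """Smallest number of top contributors who together made `share` of all
    commits.  A bus factor of 1 is the risk described for Netflix curator:
    one person leaving stalls the project."""
    total = sum(commits)
    running = 0
    for n, c in enumerate(sorted(commits, reverse=True), start=1):
        running += c
        if running >= share * total:
            return n
    return len(commits)

def weeks_since_last_commit(weekly):
    """Number of trailing weeks with zero commits (len(weekly) if none at all)."""
    for age, count in enumerate(reversed(weekly)):
        if count > 0:
            return age
    return len(weekly)

def assess(repo):
    """Return the indicators a reviewer checks before adopting a dependency."""
    return {
        "bus_factor": bus_factor(repo["contributors"]),
        "weeks_idle": weeks_since_last_commit(repo["weekly_commits"]),
        "fork_to_star_ratio": round(repo["forks_count"] / max(repo["stargazers_count"], 1), 3),
        "active_contributors": sum(1 for c in repo["contributors"] if c >= 10),
    }

if __name__ == "__main__":
    for name, data in REPOS.items():
        print(name, assess(data))
```

A bus factor of 1 combined with many idle weeks is the stagnation pattern the post warns about; a low bus factor on its own is not fatal if the project is still being committed to every week.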

While most typical open-source projects won’t make the most-popular list, doing a bit of investigation into the health of an open-source project can help make sure that the code you’re using will be maintained and updated to keep up with emerging technologies for years to come.

Parasoft Rides the Testing Wave

Those of you who follow me regularly know that I generally like to keep things vendor neutral. As my bio shows I’ve been working at Parasoft since 1992 on software development and testing tools. From time to time we do some pretty cool stuff and/or get some recognition that I think would be interesting for you to know about and frankly I’m proud of what we do.

Recently Parasoft participated in the Forrester Wave for Modern Application Functional Test Automation Tools and we did very well. I spend a lot of my time focusing (and harping) on very code-centric tools and ideas, but our functional test solution is really second to none. It was great to see recognition for that. Forrester Research said:

“Parasoft has the strongest continuous testing product offering, with a long list of mature features in UI automation and comprehensive functional API testing automation and rich integrations with third-party CI/CD pipeline tools … These features plus the solution’s performance and service virtualization tools make it stand out. Parasoft’s solution also stood out in our assessment of maintenance, reuse, and reporting analytics.”

The truth is that functional testing is a tedious pain and sometimes tools in this area are worse than the alternative. Open source tools in the space tend to focus on a few very narrow topics and lack basic user-friendly functions like a graphical UI. The tools from the “big boys” are not only expensive but in the end way too complicated to setup and use. We’ve managed to make something that is highly automated, easy-to-use, and rich in features. The trifecta of software testing. 😉

To get a copy of the report click here and if you haven’t seen these tools yet, you should check them out.

IoT Hall-of-Shame Facebook Page

Greetings and Happy New Year. It’s early in the month and we’ve already had our first reported IoT Hall-of-Shame entry, as you know if you follow that page or my twitter @codecurmudgeon. For those who live inside Facebook I’ve decided to make your life easier by adding a Facebook page for the Internet-of-Things IoT Hall-of-Shame as well. That way you can just follow it and it will show up in your Facebook feed.

“Things” are being hacked at a furious pace – some even call it the “Internet of Evil Things”. It’s amazing how often I find out about a new hack every single day. Is your TV going to spy on you? Is it easy to hack your phone? Is the stoplight on your corner vulnerable? Keep up to date on what’s happening.

Go check it out, like the page, follow it for the latest IoT Hall-of-Shame updates, and tell your friends. And when you hear about any IoT devices getting hacked please let me know!