/README.md:

# Open Source Discussions
## By Limor Wainstein

Welcome to the open-source-discussions wiki! Below are some of my ramblings on open source solutions, DevOps and DevSecOps, cybersecurity and more!

[Why Your Business Needs an Incident Response Plan](https://github.com/limiw/open-source-discussions/blob/master/why-your-business-needs-an-incident-response-plan.md)

[5 Open Source AI Deep Learning Projects to Follow](https://github.com/limiw/open-source-discussions/blob/master/5-open-source-ai-deep-learning-projects-to-follow.md)

[5 Open Source Cloud Platforms for the Enterprise](https://github.com/limiw/open-source-discussions/blob/master/5-open-source-cloud-platforms-for-the-enterprise.md)

[5 Open Source Digital Asset Management Tools to Check Out](https://github.com/limiw/open-source-discussions/blob/master/5-open-source-digital-asset-management-tools-to-check-out.md)

[5 Open Source ETL Solutions to Check Out](https://github.com/limiw/open-source-discussions/blob/master/5-open-source-ETL-solutions-to-check-out.md)

[Digital Asset Management - What It Is and How It Can Benefit Your Business](https://github.com/limiw/open-source-discussions/blob/master/digital-asset-management-what-it-is-and-how-it-can-help-your-business.md)

[5 Open Source SIEM Solutions to Consider](https://github.com/limiw/open-source-discussions/blob/master/5-open-source-siem-solutions-to-consider.md)

[5 Open Source Vulnerabilities You Should Know About](https://github.com/limiw/open-source-discussions/blob/master/5-open-source-vulnerabilities-you-should-know-about.md)

[EDR Security: What It Is and Why You Need It](https://github.com/limiw/open-source-discussions/blob/master/edr-security-what-it-is-and-why-you-need-it.md)

[Evaluating Cloud Backup Solutions (AWS vs. Azure vs. Google Cloud)](https://github.com/limiw/open-source-discussions/blob/master/evaluating-cloud-backup-solutions.md)

[Open Source Disaster Recovery? An Overview of Free and Open Source DR](https://github.com/limiw/open-source-discussions/blob/master/open-source-disaster-recovery.md)

[OWASP Top 10 Tips and Tricks](https://github.com/limiw/open-source-discussions/blob/master/owasp-top-10-tips-and-tricks.md)

[Vulnerabilities Management: 5 Ways to Find and Fix Open Source Vulnerabilities](https://github.com/limiw/open-source-discussions/blob/master/vulnerabilities-management-5-ways-to-find-and-fix-open-source-vulnerabilities.md)

[What Is SecOps and How It Can Benefit You](https://github.com/limiw/open-source-discussions/blob/master/what-is-secops-and-how-it-can-benefit-you.md)

[Optimizing Cloud Pricing: AWS vs. Azure](https://github.com/limiw/open-source-discussions/blob/master/optimizing-cloud-pricing:-aws-vs-azure.md)

[5 Ways to Secure Open Source for DevOps](https://github.com/limiw/open-source-discussions/blob/master/5-ways-to-secure-open-source-for-devops.md)

/5-open-source-cloud-platforms-for-the-enterprise.md:

## 5 Open Source Cloud Platforms for the Enterprise

Enterprise cloud adoption continues to soar, and [recent estimates](https://www.forbes.com/sites/louiscolumbus/2018/01/07/83-of-enterprise-workloads-will-be-in-the-cloud-by-2020/) suggest that 83 percent of enterprise workloads will be in the cloud by 2020. For many businesses it is almost automatic to jump straight to the most popular commercial names when considering a cloud service.

Amazon Web Services, Google Cloud, and Microsoft Azure are the largest commercial cloud service providers, and between them they dominate the market.
However, a range of additional commercial options, such as [Azure storage optimization](https://cloud.netapp.com/blog/azure-storage-behind-the-scenes) services, now exist that complement Azure and AWS and promise to improve cost efficiency.

Despite the success of commercial cloud platforms, a growing number of enterprises are shifting towards open source cloud platforms. Aside from the obvious benefit of lower licensing costs, the open source model reduces vendor lock-in and gives developers more flexibility. With this in mind, take a look at the following five open source cloud platforms.

**1. OpenStack**

OpenStack is a popular cloud platform that provides the tools to build public and private clouds. The platform is a collection of loosely coupled services, including compute (Nova), networking (Neutron), identity (Keystone), and block and object storage, among others.

There is a web-based administrative dashboard (Horizon) for viewing, provisioning, and orchestrating resources. Developers can also manage resources using command-line tools or the [OpenStack RESTful API](https://developer.openstack.org/api-guide/quick-start/). Every API call is authenticated against the Keystone identity service, so access control for an OpenStack cloud starts with how you configure Keystone users, projects, and roles.

The modular design makes OpenStack attractive for mixing different open source components without relying on a single vendor, and it supports scaling applications up and down as demand changes.

**2. WSO2**

WSO2 Cloud is a PaaS offering, built on WSO2's Apache-licensed products, for hosting APIs in the cloud and integrating applications and web services cloud-to-cloud or cloud-to-on-premises.

There is also WSO2 Identity Cloud, which provides single sign-on (SSO) plus centralized monitoring and reporting for your cloud-based applications. The user portal provides an application catalog so employees can discover the apps they need, and SSO reduces the risk that comes with users managing (and reusing) multiple credentials across different services and systems.

Low monthly subscription fees, fully functional free trials, and automated scaling are also attractive features of this platform. There is also a managed cloud option.

**3. Cloudify**

This open source cloud orchestration platform, licensed under the Apache License 2.0, simplifies deploying new applications in the cloud. Applications are modeled as blueprints (TOSCA-based templates) that declare configurations, services, and dependencies; Cloudify uses these blueprints to automate deployment onto cloud infrastructure.

Cloudify encourages collaboration and sharing of blueprint files so that Dev and Ops work from the same definition, accelerating deployment to the cloud. This matters in an Agile environment where development teams are under pressure to release software fast and frequently. Because blueprints are plain text, they can be kept in version control and reviewed like any other code; the same applies to the cloud credentials they reference, which should be injected at deploy time rather than committed alongside them.

**4. Eucalyptus**

Eucalyptus is an open source cloud platform for building private or hybrid clouds on existing clusters and server infrastructure. You can configure and provision compute, network, and storage resources through the Eucalyptus interface, and the environments you build expose AWS-compatible APIs.

The same commands manage both private Eucalyptus instances and public AWS EC2 instances, which together form a hybrid cloud. Each user gets an identity, administrators can group users to apply access control, and you can get more fine-grained control over cloud resources by integrating Eucalyptus identity management with [LDAP](https://searchmobilecomputing.techtarget.com/definition/LDAP) directories.

Eucalyptus is not as popular as it once was. HP acquired it in 2014, and its successor DXC stopped developing it in 2017. The project was forked, however, and AppScale Systems now maintains it and provides technical support for customers.

**5. CloudForms**

CloudForms is Red Hat's infrastructure management platform for private clouds and virtualized infrastructure, built on the open source ManageIQ project. You get visibility into all private cloud resources and can automate the provisioning of new ones.

CloudForms has a strong emphasis on compliance: it lets you apply corporate governance policies across your cloud environments and obtain compliance data on all of your resources.

## Wrap Up

Consider these open source platforms as solid alternatives to the more obvious commercial choices if you want greater flexibility in your cloud deployments without being tied to particular vendors.

Open source has already made a huge impact on enterprise development, and as companies become better informed about their cloud choices, the open source model looks set to grow in influence on the cloud market over the coming years.

/5-open-source-vulnerabilities-you-should-know-about.md:

# 5 Open Source Vulnerabilities You Should Know About

Whether you are a developer who directly uses open source software, libraries, and frameworks in your work, or you are reading from a business perspective, you probably understand how useful open source is for the agility required of modern software development teams.

An important early advocate of the free software model was Bruce Perens, who published the Debian Free Software Guidelines, which later became The Open Source Definition.
Thanks to people like Perens, modern developers get free access to well-built code which they can adapt to their needs and use as building blocks for proprietary applications.

A [2018 report](https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/2018-ossra.pdf) auditing 1,100 commercial codebases found that 96 percent of them used open source components and that the average application contained 257 such components. According to the report, this figure is consistent with similar audits of thousands of other codebases over the previous two years.

However, [research from 2017](https://www.slideshare.net/secret/bEoOc8BYLU48Zj) found that 1 in 18 downloaded open source components contained a known vulnerability. Taken together, the research shows that open source adoption is widespread but that organizations and development teams are not managing their open source usage adequately.

This article discusses five important open source vulnerabilities along with some best practices for improved open source vulnerability management and better security ([see this article by WhiteSource](https://resources.whitesourcesoftware.com/blog-whitesource/open-source-vulnerability-management) for more on the subject).

**1. Shellshock**

The Shellshock vulnerability (CVE-2014-6271 and several follow-on CVEs) came to light in 2014. It is a bug in the GNU Bash shell: Bash would parse function definitions out of any environment variable and then execute commands appended after the function body. Anything that places attacker-controlled input in an environment variable and then invokes Bash, such as a CGI web application (which passes request headers to scripts as environment variables), a DHCP client, or an SSH `ForceCommand` restriction, gives an attacker remote command execution as the service's user. Compromised servers were quickly recruited into botnets used for DDoS attacks.

This is a particularly interesting example of a vulnerability that refuses to go away, because attempting to exploit it costs almost nothing: a single HTTP request with a crafted header. [According to IBM](https://securityintelligence.com/cheap-shock-why-shellshock-is-still-a-thing/), 10 percent of servers remain unpatched for this flaw.

**2. SegmentSmack**

A vulnerability known as SegmentSmack (CVE-2018-5390) in the Linux kernel's TCP stack was found in July 2018. A remote attacker can send specially crafted TCP segments that force the kernel to spend excessive CPU time reassembling them, causing a denial of service. Some media outlets reported that this bug did not affect enterprise-grade Linux distributions, but [Red Hat announced](https://access.redhat.com/articles/3553061) that Red Hat Enterprise Linux 7 and 6 were both affected, necessitating a kernel update.

This vulnerability makes the list because it is relatively recent, many developers use Red Hat as a development platform, and it shows the importance of checking bugs properly against the exact kernel and distribution versions you run, rather than trusting a headline.

**3. glibc**

Anyone involved in web development should know about the glibc `getaddrinfo` vulnerability (CVE-2015-7547), not because it remains unfixed in a significant portion of companies, but because it is an example of a bug that sat unrecognized in widely deployed code for eight years.

The bug, a stack-based buffer overflow in the DNS resolver, was introduced in glibc 2.9 in 2008 and only fixed in February 2016 with glibc 2.23. Because glibc is the C library underneath most Linux software, almost every Internet-facing Linux application that resolves hostnames was affected. The lesson is not that a tool could have detected the unknown bug in advance, but that you need an accurate inventory of which library versions run where, so that when a long-latent bug is finally disclosed you can find and patch every affected system within hours rather than months.

**4. Heartbleed**

Heartbleed (CVE-2014-0160), which almost every developer has heard of, is an OpenSSL vulnerability. First disclosed in 2014, it was a missing bounds check in OpenSSL's TLS heartbeat extension: a peer could claim a heartbeat payload length far larger than the data it actually sent, and the server (or client) would echo back up to 64 KB of its own process memory per request. That memory could contain private keys, session cookies, and user credentials that TLS was supposed to protect. The healthcare industry was impacted profoundly by Heartbleed.
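The bug class behind Heartbleed, trusting a length field supplied by the peer when copying out of a buffer, is easy to reproduce in miniature. The following Python is an added illustration written for this article, not OpenSSL's code: the record layout is simplified (type byte, two-byte length, payload; the real padding is omitted), the "process memory" and the `SECRET` bytes that sit after the received record are constructed for the example, and the vulnerable and fixed handlers model the logic before and after the fix rather than quoting it.

```python
"""Toy model of the Heartbleed bug class: copying as many bytes as the peer
claims instead of as many as it actually sent.  Added example, not OpenSSL."""
import struct

# Constructed for this example: data that happens to sit in process memory
# right after the received heartbeat record (the kind of thing Heartbleed leaked).
SECRET = b"session=deadbeef;PRIVATE_KEY=MIIEow..."


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Simplified heartbeat request: 1-byte type (1 = request), 2-byte
    big-endian payload_length, then the payload.  The real record also
    carries at least 16 bytes of padding, omitted here."""
    return bytes([1]) + struct.pack("!H", claimed_len) + payload


def process_heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: trust payload_length from the wire and copy that many
    bytes from the payload start.  record_len is never consulted, which is
    the bug: the copy runs past the record into whatever follows it."""
    claimed = struct.unpack("!H", memory[1:3])[0]
    return bytes(memory[3:3 + claimed])


def process_heartbeat_fixed(memory: bytes, record_len: int):
    """Post-fix logic: drop the request unless the claimed payload fits
    inside the record that was actually received."""
    if record_len < 3:
        return None
    claimed = struct.unpack("!H", memory[1:3])[0]
    if 3 + claimed > record_len:
        return None                       # silently discard, as the fix does
    return bytes(memory[3:3 + claimed])


def demo() -> dict:
    """Run an honest and a malicious request through both handlers."""
    honest = build_heartbeat(b"ping", 4)
    malicious = build_heartbeat(b"ping", 40)   # claims 40 bytes, sends 4
    return {
        "honest": process_heartbeat_vulnerable(honest + SECRET, len(honest)),
        "leak": process_heartbeat_vulnerable(malicious + SECRET, len(malicious)),
        "fixed": process_heartbeat_fixed(malicious + SECRET, len(malicious)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:6}: {value!r}")
```

The honest request is echoed back unchanged by both handlers; the malicious one makes the vulnerable handler return `ping` followed by 36 bytes of `SECRET`, while the fixed handler returns nothing. The check that matters is the comparison of the claimed length against the length of the record actually received, which is exactly what the original code lacked.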
Given that in industries such as healthcare, 80 percent of software vulnerabilities found are over three months old, Heartbleed is worth recalling as a case in point for maintaining visibility over open source components and their vulnerabilities. Shockingly, it was revealed in 2017 that almost 200,000 websites were still vulnerable to Heartbleed, nearly three years after the fix was released. Note also that patching OpenSSL was only half the remediation: because private keys may have been read from memory, certificates had to be reissued and session secrets and passwords rotated.

**5. Apache Struts**

Even people outside development circles became familiar with Apache Struts when it was revealed that a Struts vulnerability (CVE-2017-5638, remote code execution triggered by an OGNL expression in a crafted Content-Type header) was behind the infamous Equifax data breach of 2017. A patch had been available since March 2017, but Equifax had not applied it. The 2017 vulnerability again exemplifies the potential magnitude of what happens when you don't update your open source software.

A more recent vulnerability (CVE-2018-11776) was found in the same [Apache Struts](https://www.infosecurity-magazine.com/news/crypto-jackers-exploit-critical/) framework: attackers could trivially install a popular cryptocurrency miner on victim systems by exploiting improper validation of namespace input, which let an OGNL expression placed in the request URL be evaluated on the server.

## Closing Thoughts

The existence of vulnerabilities is no reason to halt the use of open source software in development. After all, the model continues to prove its benefits to individual developers and entire organizations alike. What the five examples above have in common is that a fix existed, often for a long time, before most of the damage was done; the practical defence is to know which components and versions you run, watch for advisories against them, and patch quickly.
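Both the Shellshock and the Struts attacks described above arrive as ordinary HTTP requests, so the quickest way to find out whether anyone has tried them against you is to scan web-server logs for their telltale payload shapes: the Bash function prologue `() { ... };` in any header, and an OGNL expression (`%{...#...}` or `${...#...}`) in the Content-Type header or the URL. The script below is an added example, not code from the article or from any vendor: the rule names are its own, the four log lines are constructed, and it assumes a custom access-log format that appends the User-Agent and Content-Type headers in quotes after the status and size (the default combined format does not log Content-Type, so the 2017 Struts payload would be invisible in it).

```python
"""Scan web-server access-log lines for Shellshock and Struts OGNL payloads.
Added example; rule names and sample lines are constructed for illustration."""
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    line_no: int
    rule: str
    src_ip: str
    request: str


# Constructed sample: "<ip> - - [time] "<request>" <status> <size> "<User-Agent>" "<Content-Type>""
# Payloads are shortened to their recognisable prefix; they run nothing here.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2018:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; /bin/bash -c 'id'" "-"
10.0.0.6 - - [10/Sep/2018:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "Mozilla/5.0" "-"
10.0.0.7 - - [10/Sep/2018:10:02:11 +0000] "POST /struts2-showcase/upload.action HTTP/1.1" 200 88 "curl/7.61.0" "%{(#_='multipart/form-data').(#cmd='id')}"
10.0.0.8 - - [10/Sep/2018:10:03:30 +0000] "GET /${(#_memberAccess['allowStaticMethodAccess']=true)}/actionChain1.action HTTP/1.1" 302 0 "curl/7.61.0" "-"
"""

# Detection rules, applied to the whole raw line so a payload is caught
# wherever the log format happens to place the header it travelled in.
RULES = {
    # Bash function definition followed by ';' and trailing commands (Shellshock).
    "shellshock": re.compile(r"\(\)\s*\{[^}]*\}\s*;"),
    # OGNL expression with a '#' variable reference (Struts 2017 Content-Type
    # injection and 2018 namespace injection both look like this).
    "struts_ognl": re.compile(r"[%$]\{[^}]*#"),
}

# Leading fields of a common/combined-style line: client IP and request line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')


def scan(log_text: str) -> List[Hit]:
    """Return one Hit per (line, rule) pair that matches, in log order."""
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        ip = m.group("ip") if m else "?"
        req = m.group("req") if m else line
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append(Hit(n, name, ip, req))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.rule:12} from {h.src_ip}  {h.request}")
```

Running it over the sample flags lines 1, 3 and 4 and leaves the ordinary browser request alone. Real scanners must also URL-decode the request line and normalise whitespace before matching, because attackers vary both; and a hit tells you an attempt was made, not that it succeeded, so the next step is to check the patch level of the host that served the request.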
/5-open-source-digital-asset-management-tools-to-check-out.md:

# 5 Open Source Digital Asset Management Tools to Check Out

![](https://cdn.pixabay.com/photo/2013/10/25/17/26/tree-200795_1280.jpg)

## Overview

Digital assets exist in a binary (electronic) format, provide value to their owners, and come with the right to use them. Organizations have a growing number of digital assets at their disposal as they pursue increasingly technology-driven growth strategies: content marketing on blogs and video sites, website resources such as white papers, and more.

Furthermore, as the [Information Age](https://searchcio.techtarget.com/definition/Information-Age) has progressed, organizations have transformed their conventional graphic, print, and media assets into digital formats. As with any collection of assets, it is important for companies to manage their digital assets effectively, and this is where digital asset management (DAM) comes into play.

Digital asset management is the set of processes a business uses to organize, store, manage, and quickly retrieve its digital assets when they are required. DAM is typically done with the help of a tool or software system that builds a centralized digital library of all your assets, including documents, presentations, videos, and animations.

DAM tools simplify the whole approach to digital asset management, enabling businesses to classify digital assets and track usage rights. Different departments can then find every existing digital asset and extract value from it using their own workflows and strategies. There are also tools that provide extended capabilities, such as [marketing automation](https://technologyadvice.com/marketing-automation/) and artificial intelligence (AI).

As in so many areas of enterprise technology, the open source model has had a profound impact on digital asset management, and a range of excellent open source DAM tools is now freely available. Read on to find out about five of them.

### Open Source DAM Tools

**ResourceSpace**

ResourceSpace is open source DAM software that lets teams share assets through a central hub, bringing teams and digital files together. You get a fast and flexible search system and advanced tagging and categorization for assets. Per-asset access and privacy settings help to keep restricted material restricted.

ResourceSpace's free hosted tier lets you store up to 10 gigabytes of data. That would not meet the needs of a large business, but it might be fine for startups and small businesses.

**Razuna**

Razuna provides a hosted open source digital asset management solution that creates a centralized digital library where everyone on the team works from the same files. You can convert files within Razuna. Other appealing attributes include transport encryption (TLS/SSL) for the hosted service and a promised 99 percent uptime.

The Razuna website cites some large and familiar companies as users of its DAM, including the BBC, Lenovo, and GlaxoSmithKline.

**Nuxeo**

The Nuxeo content management platform comes with a user-friendly DAM solution that adapts to the way your organization works. The Forrester Wave for DAM 2018 report identified Nuxeo as a strong performer in digital asset management. The web UI lets you browse your assets and manage different asset classes, such as images and videos.

Another interesting feature of Nuxeo is that it lets you analyze digital content data in real time and visualize trends and asset performance.

**Pimcore**

Pimcore is another open source DAM option that promises to integrate, consolidate, and manage any type and any amount of digital assets in any format. It provides a central repository for any type of digital asset and its metadata, and integrates with other business systems for delivery of those assets.

Pimcore has an API-driven interface that integrates with your existing environment. Workflow automation is another Pimcore feature that can support multi-channel marketing via a workflow engine for defining business processes.

**Darktable**

Darktable is a solid option as a DAM tool for websites or companies that rely heavily on visual digital assets, such as photographers. Darktable works as an image manager through its lighttable view, which lets you organize, tag, and review images, and its darkroom view processes images in RAW format.

### Paid DAM Tools

From an enterprise perspective, paid DAM software offers much more in terms of support, additional functionality, and in most cases, much higher storage capacity than open source options. Some examples of premium DAM software are:

* [Cloudinary cloud based digital asset management](https://cloudinary.com/solutions/digital_asset_management), which provides DAM in the cloud and uses AI for automatic asset tagging.
* [Adobe Experience Manager Assets](https://www.adobe.com/experience-cloud/topics/digital-asset-management.html), which provides a central DAM hub that connects to other enterprise software.
* [Aprimo](https://www.aprimo.com/platform/digital-asset-management/), which helps to automate the delivery of approved, brand-compliant content. Aprimo also comes with ideation tools that help content marketers and creative teams ideate faster and better.

## Wrap Up

Whether you are a budding startup or a large enterprise, there is a DAM tool or solution out there that suits you. It may be best to begin with one of these open source tools before moving on to premium options as your business grows.

/open-source-disaster-recovery.md:

# Open Source Disaster Recovery? An Overview of Free and Open Source DR

![](https://cdn.pixabay.com/photo/2017/02/08/14/31/computer-2049019_1280.jpg)

### Overview

Disaster recovery (DR) involves the use of tools, processes, and policy-based rules to quickly restore a company's most important IT infrastructure after an unplanned outage. These outages or disasters can result from natural causes (e.g. hurricanes knocking out power grids) or human actions (an employee accidentally deleting a database, or an attacker deliberately encrypting one).

You can view DR as a subset of business continuity in which the emphasis is on restoring mission-critical systems, data, and applications. The broader context of business continuity deals with the planning, preparation, strategies, and tools needed to recover normal operations after a disaster.

Failure to implement an adequate disaster recovery plan can wreak havoc on a business or organization. The longer your mission-critical systems remain offline, the higher the costs of a disaster. [Gartner](https://blogs.gartner.com/andrew-lerner/2014/07/16/the-cost-of-downtime/) estimates the cost of downtime at around $5,600 per minute for the average business, which shows how important it is to have the necessary processes and tools in place for quick recovery.
Speaking of tools, disaster recovery is an area in which the open source model has again shown its worth by making a range of high-quality tools freely available. Some companies or individuals might not have the budget for enterprise-level proprietary tools, but open source tools can get mission-critical systems back online or restore your most important data swiftly after an outage. This article discusses five excellent and free DR tools.

### Open Source DR Tools

**Clonezilla**

This disk cloning and recovery program comes in a single-machine Live edition and a server edition (Clonezilla SE). The server edition can clone to 40 or more machines at the same time using multicast. Clonezilla is particularly good for disasters that result in the loss of important data: you can clone the entire contents of a hard disk to an external drive or an image file and restore it later.

Clonezilla falls under the category of bare metal backup and recovery, meaning you can use it to rebuild a failed system from scratch rather than reinstalling and reconfiguring by hand.

**Amanda**

This open source backup and recovery software protects more than a million servers and desktops worldwide. It backs up computers and services running various operating systems, including Windows, Linux, and macOS.

Amanda simplifies DR by letting administrators set up a single backup server that backs up multiple networked clients to a variety of storage targets, such as tape, Amazon S3, or disk.

**Relax-and-Recover**

Relax-and-Recover (ReaR) is another open source disaster recovery tool in the bare metal recovery category. It uses a set-and-forget approach: you configure the backup and rescue-image schedule once and recover from it later, with no ongoing maintenance.

Individual users can recover home systems from a bootable USB stick, while organizations can collect ISO images on a central backup server. Relax-and-Recover is a Linux tool.

**Bacula**

Bacula provides enterprise-level open source backup and recovery software. What is great about this tool is that it automates laborious processes that would otherwise require a system administrator or user.

Bacula works on networks made up of many different kinds of computer systems; it uses client-server communication over TCP/IP, with client-side compression and data encryption. You also have the option of storing backed-up data in a secondary off-site location. Whichever tool you pick, treat the backup repository as the high-value target it is: it holds a complete copy of your data, so encrypt it, restrict who can read or delete it, and test a restore periodically so you find out before a disaster whether the backups are usable.

**Disaster Recovery Linux Manager**

Disaster Recovery Linux Manager (DRLM) provides open source centralized management of disaster recovery deployments that use Relax-and-Recover. As an infrastructure grows from a couple of machines to tens or hundreds, a management tool becomes essential for managing DR backups efficiently and keeping costs down.

DRLM lets you create, modify, and delete Relax-and-Recover clients and networks with simple commands. You can also restore a specific client with a single command and start ReaR backups remotely.

### Additional DR Tools

The value of paid tools is that they typically come with better customer support and more features than their open source counterparts, although this is not always strictly true. Some examples of premium DR tools include:

* Azure Site Recovery: this cloud-based disaster recovery service uses the [Microsoft Azure](https://azure.microsoft.com/en-us/services/site-recovery/) cloud to deliver mission-critical IT infrastructure while promising rapid recovery times. Helpfully, you can use this service for free to start out.
* IBM Resiliency Services: [IBM's Disaster Recovery as a Service (DRaaS)](https://www.ibm.com/us-en/marketplace/disaster-recovery-as-a-service) option continuously replicates critical data and infrastructure to the cloud for rapid recovery during the all-important post-outage phase.
* N2WS: this [AWS disaster recovery service](https://n2ws.com/product/aws-disaster-recovery) protects organizations dependent on AWS from AWS outages by replicating cloud instances and storage volumes to different regions.

### Wrap Up

Disaster recovery does not have to be prohibitively expensive, and these open source tools show that you can achieve a good level of protection without spending a dime. If you have the budget and your organization is large, you might consider some of the enterprise-level options.

/5-open-source-ai-deep-learning-projects-to-follow.md:

# 5 Open Source AI Deep Learning Projects to Follow

**Overview**

This article overviews five open source [artificial intelligence](https://www.datamation.com/artificial-intelligence/top-artificial-intelligence-companies.html) (AI) and deep learning projects that developers should keep an eye on and experiment with. As more companies invest in AI, more jobs will be created in the field, many of them development roles. In fact, despite frequent concerns that AI could wipe out human labor, [Gartner](https://www.gartner.com/newsroom/id/3837763) says that AI will create more jobs than it eliminates.

### A.I. and Deep Learning Development

The decentralized open source development model has affected computer science in some profound ways; chief among them in recent years has been the rapid advancement of artificial intelligence.
Exciting branches of AI such as machine learning and deep learning have come on leaps and bounds in recent years, and each passing year sees more [deep learning breakthroughs](https://www.forbes.com/sites/mariyayao/2018/02/05/12-amazing-deep-learning-breakthroughs-of-2017/#64c8f5af65db). 9 | 10 | No longer are A.I. libraries, frameworks, and platforms restricted to the few. Large technology companies including Microsoft and Amazon Web Services have released open source projects that give developers and data scientists the tools needed to improve their proficiency in coding and building A.I. applications and models. 11 | 12 | Following on from the success of open source projects, low-cost commercial platforms have also emerged that provide the tools needed to work with more high-level applications of A.I., [such as deep learning for computer vision](https://missinglink.ai/), which aims to equip computers with the power to gain a high-level understanding of images. 13 | 14 | ### Open Source AI Projects 15 | 16 | **Gluon** 17 | 18 | Gluon is an open source deep learning interface that improves the speed, flexibility, and accessibility of deep learning technology for all developers without compromising performance. 19 | 20 | The Gluon project provides a concise API for defining machine learning models using pre-built neural network components, and it was jointly collaborated on by AWS and Microsoft. The user-friendly API lets developers build deep learning networks using clear, concise code while abstracting away the complexities, such as weighted scoring functions. 21 | 22 | Often in frameworks that attempt to simplify the process of building deep learning models, performance is impacted, however, AWS and Microsoft are clear that this is what differentiates Gluon from similar frameworks. This is definitely a framework worth experimenting with for developers who are new to deep learning. 
23 | 24 | **Caffe** 25 | 26 | [Caffe](http://caffe.berkeleyvision.org/) is an open source deep learning framework written in C++ with a Python interface. Developed by Berkeley AI Research and community contributors, Caffe is available under the BSD 2-Clause open source license. It is designed with modularity and expressiveness in mind—developers can define models through configuration alone, without needing to hard-code them. 27 | 28 | The Caffe project also emphasizes how its speed is ideal for experimental and research purposes. It has the ability to process over 60 million images per day with a single NVIDIA K40 GPU. Developers not wanting to use the Python interface also have the choice to use the command line or MATLAB interfaces. 29 | 30 | **TensorFlow** 31 | 32 | Originally developed by a team of Google engineers and researchers, the TensorFlow open source machine learning framework has grown to become one of the most well-maintained and popular projects, with over 28,000 commits and over 1,300 GitHub contributors. 33 | 34 | The TensorFlow Keras API gives developers the building blocks to create and train deep learning models in a beginner-friendly way. You can easily get to grips with basic classification and text classification before moving on to more complex workloads such as using production-scale machine learning models. 35 | 36 | **SHAP** 37 | 38 | The projects mentioned thus far are more concerned with providing the basic building blocks of getting to grips with AI branches such as deep learning and machine learning. 39 | 40 | One important question that arises when becoming proficient at building and experimenting with such models is why an algorithm made a certain decision. When you get insight into a given model’s inner workings, you get a solid base from which to improve its performance. 41 | 42 | Furthermore, because deep learning has applications in some really important fields (e.g.
healthcare), it is imperative that end users trust the system, which can only happen when they understand its predictions. 43 | 44 | [SHAP](https://github.com/slundberg/shap) is an open source project that attempts to interpret the output/predictions of machine learning models using Shapley values, a concept from cooperative game theory that attributes a prediction to each of the model’s input features. 45 | 46 | **Microsoft Cognitive Toolkit** 47 | Microsoft’s own open source deep learning framework, Microsoft Cognitive Toolkit, is another solid option for developers searching for an expressive, easy-to-use architecture for deep learning models. 48 | 49 | The framework describes neural networks via a series of computational steps using a directed graph. You can work with Microsoft Cognitive Toolkit as a library from Python, C#, or C++. Alternatively, you can use it as a standalone tool and work with it using its native BrainScript model description language. 50 | 51 | ## Wrap Up 52 | The open source model gets high-quality, well-maintained AI frameworks and libraries into the hands of developers. Experiment with some of these open source projects to get a solid introduction to AI and deep learning from a development perspective, and you’ll soon be able to delve into more complex areas of interest, such as deep learning for computer vision. 53 | -------------------------------------------------------------------------------- /5-open-source-ETL-solutions-to-check-out.md: -------------------------------------------------------------------------------- 1 | # 5 Open Source ETL Solutions to Check Out 2 | 3 | ![etl](https://cdn.pixabay.com/photo/2017/02/01/20/47/integration-2031395_1280.png) 4 | 5 | This article overviews five open-source tools you can use to help you out with one of the most important processes involved in deriving value from data — [Extract, Transform, and Load](http://www.etldatabase.com/etl-process/) (ETL).
6 | 7 | ## ETL & Data Warehousing 8 | Organizations and businesses are becoming increasingly data-driven in their decision-making. These entities, whether they are not-for-profit charities or large enterprises, collect a wealth of information in their various IT systems, including databases, transactional systems, website analytics, and marketing software. 9 | 10 | The idea behind moving towards data-driven decisions is that such decisions tend to be more informed when they are backed up by hard data rather than using intuition and observation alone. However, it is difficult to make accurate decisions when you analyze organizational data from different sources in isolation. 11 | 12 | A data warehouse is a special type of data repository in which data is integrated into a common, aggregated format from all sources within an organization. The integrated data is then arranged within a data warehouse system in such a way as to make it optimized for analysis using various business intelligence tools, reporting tools, and data analytics software. (This [data warehouse guide](https://panoply.io/data-warehouse-guide/) goes more in-depth into the specifics of how a data warehouse works.) 13 | 14 | A major challenge in the implementation of data warehouses is how to get data from various source systems and integrate it into a unified format that is optimized for analysis and reporting. This need for data integration is precisely the role that ETL fulfills. ETL typically combines three functions into one tool, and it covers the extraction of data from source systems, its transformation into the right format and structure, and its loading into a data warehouse. 15 | 16 | One option is to hand-code the ETL process, but this is complex and time-consuming. Open source ETL tools exist that can help organizations run ETL much more efficiently and without license costs.
17 | 18 | ## Open Source ETL Solutions 19 | 20 | **Pentaho Kettle** 21 | 22 | Pentaho is a business intelligence suite that is available in both open source and commercial versions. The specific Pentaho tool for ETL is Kettle, which is written in Java. This tool has a very intuitive graphical user interface and it interprets ETL processes written in XML format. You also get data visualization capabilities and analytics included. 23 | 24 | Kettle comes with easy drag-and-drop data integration and a scheduling component for coordinating ETL workflows. A potential disadvantage of Kettle is that it is quite a computationally heavy tool that consumes a lot of memory and processing power. 25 | 26 | **Talend** 27 | 28 | Talend Open Studio is an open-source data integration tool licensed under the Apache License. Talend comes with Eclipse-based developer tooling, the ability to map, aggregate, sort, and merge data, and master jobs to orchestrate ETL processes. Similar to Kettle, there is also drag-and-drop functionality. Talend has connectors to relational database systems like Microsoft SQL Server, to SaaS solutions like Salesforce, and to CRM software. 29 | 30 | Open Studio is the free edition of a more full-featured commercial product, and as a result the open-source version is limited in comparison. 31 | 32 | **Apatar** 33 | 34 | Apatar is an open-source data integration and ETL tool written in the Java language. There is a visual job designer that enables people who aren’t developers to connect different applications. The visual mapping extends to the tool’s data transformation functions, and you can perform or modify complex transformations via an intuitive GUI. You also get connectivity to all major data sources. 35 | 36 | **GeoKettle** 37 | 38 | GeoKettle is a metadata-driven ETL tool specifically dedicated to [spatial data ](https://searchsqlserver.techtarget.com/definition/spatial-data), which is data about physical objects.
This open-source tool is actually another version of Pentaho Kettle which has been specifically tailored to suit geospatial data, allowing you to extract, transform, and populate data into a data warehouse. 39 | 40 | You can extract data from spatial data sources residing in systems like PostGIS, Oracle Spatial, and MySQL, spatial OLAP systems, and geo files. Among the included transformation capabilities are joining, mapping, scripting, filtering, and merging. There’s a GUI for visualizing and editing transformation rules. 41 | 42 | **Scriptella** 43 | 44 | Scriptella is an open-source ETL and script execution tool written in the Java language. You can execute scripts written in SQL, JavaScript, JEXL, Velocity and other languages to perform data transformations. You can also perform cross-database ETL operations. This open-source project emphasizes low memory consumption and high performance with minimal CPU load. 45 | 46 | ## Wrap Up 47 | Several open-source projects provide excellent options for data integration using ETL. Open-source versions of commercial tools are typically feature-limited, but they can be solid options for small-scale data pipelines. Furthermore, with some extra work in terms of configuring your open source ETL tools, you might find you get more out of them. 48 | 49 | It’s also worth considering that organizations are increasingly collecting continuous streams of data that they want to analyze in real time for the most up-to-date insights. ETL tools, both open source and paid, need to be able to support this need going forward. Whichever tool you choose, remember that an ETL pipeline holds credentials for every source system and a copy of their data, so secure it accordingly. There are open source security tools available. However, if you are not an expert, you might want to consider outsourcing the service to a [cybersecurity company](https://www.esecurityplanet.com/products/top-cybersecurity-companies.html).
50 | -------------------------------------------------------------------------------- /5-open-source-siem-solutions-to-consider.md: -------------------------------------------------------------------------------- 1 | # 5 Open Source SIEM Solutions to Consider 2 | ![](https://cdn.pixabay.com/photo/2018/05/14/16/25/cyber-security-3400657_1280.jpg) 3 | 4 | Security Information and Event Management (SIEM) is a type of IT security system or software that gathers log and event data from different components of an organization’s IT infrastructure, monitors for security threats in real time using correlation rules, and allows security professionals to visualize threats on a central dashboard. 5 | 6 | SIEM software is also useful in assisting organizations with meeting their compliance requirements. In fact, the need to simplify compliance with requirements like [PCI DSS](https://resources.infosecinstitute.com/siem-use-cases-pci-dss-3-0-part-1/#gref) is one of the main factors that drives the adoption of SIEM software. SIEM automates many aspects of compliance, including gathering compliance data and producing relevant reports. PCI DSS is a payment industry standard that organizations accepting credit card payments need to comply with. 7 | 8 | For example, PCI DSS requirement 12.5.4 stipulates that organizations should administer user accounts, including additions, deletions, and modifications. A SIEM use case to meet this requirement is to monitor event data for the addition, deletion, or modification of user accounts and credentials. 9 | 10 | To get more technical information on the specifics of what SIEM is and how it works, check out this [what is SIEM?](https://www.exabeam.com/siem-guide/what-is-siem/) guide. 11 | 12 | ### Open Source vs Paid SIEM 13 | 14 | Organizations looking to add SIEM capabilities to their IT security and compliance arsenal can generally choose between a commercial product and open source software and tools.
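Whichever route you take, the heart of a SIEM is the correlation rule, and the PCI DSS 12.5.4 use case above is simple enough to show end to end. The following is an added example, not code from any of the products discussed on this page: it parses a handful of constructed Linux syslog lines (the message formats written by the shadow-utils `useradd`, `usermod` and `userdel` commands and by `pam_unix`), flags every account addition, deletion and modification with the affected account as user context, and escalates a change that puts an account into a privileged group. The rule name, severities and the `PRIVILEGED_GROUPS` list are assumptions chosen for the example.

```python
import re

# One syslog-style line, e.g. "Mar  3 10:15:01 web01 useradd[2231]: new user: name=deploy, ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Programs whose messages mean "a user account or credential changed", each with a
# pattern that pulls the affected account out of the message. The message formats
# are those written by shadow-utils (useradd/usermod/userdel) and pam_unix on Linux.
ACCOUNT_CHANGE_RULES = {
    "useradd": ("account_added", re.compile(r"new user: name=(?P<user>[\w.-]+)")),
    "userdel": ("account_deleted", re.compile(r"delete user '(?P<user>[\w.-]+)'")),
    "usermod": ("account_modified", re.compile(r"'(?P<user>[\w.-]+)'")),
    "passwd": ("credential_changed", re.compile(r"password changed for (?P<user>[\w.-]+)")),
}
# Assumed list of groups whose membership grants administrative rights.
PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "admin"}


def parse_syslog(line):
    """Return the fields of one syslog line as a dict, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def account_change_alert(event):
    """Apply the PCI DSS 12.5.4 rule to one parsed event. Returns an alert dict or None."""
    rule = ACCOUNT_CHANGE_RULES.get(event["prog"])
    if rule is None:
        return None
    action, user_re = rule
    um = user_re.search(event["msg"])
    user = um.group("user") if um else "unknown"
    severity = "medium"
    # Escalate when an account is added to a privileged group: that is the change an
    # auditor cares about most, and the one an attacker makes to build persistence.
    if action == "account_modified":
        gm = re.search(r"to group '(?P<group>[\w.-]+)'", event["msg"])
        if gm and gm.group("group") in PRIVILEGED_GROUPS:
            severity = "high"
    return {
        "rule": "PCI DSS 12.5.4 user account change",
        "time": event["ts"],
        "host": event["host"],
        "action": action,
        "account": user,
        "severity": severity,
        "raw": event["msg"],
    }


def correlate(lines):
    """Run the rule over raw log lines and return the alerts; lines that do not parse are skipped."""
    alerts = []
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            continue
        alert = account_change_alert(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log (not captured from a real host).
SAMPLE_LOG = [
    "Mar  3 10:15:01 web01 useradd[2231]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash",
    "Mar  3 10:15:02 web01 usermod[2240]: add 'deploy' to group 'sudo'",
    "Mar  3 10:16:00 web01 sshd[2300]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:20:11 web01 userdel[2401]: delete user 'tmpsvc'",
    "Mar  3 10:21:00 web01 passwd[2450]: pam_unix(passwd:chauthtok): password changed for bob",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['time']} {a['host']} {a['action']} account={a['account']}")
```

In a real deployment the same logic sits in the correlation engine of whichever SIEM you pick, and the alert record (time, host, action, account, severity) is what feeds the PCI DSS report; the `sshd` login is deliberately not matched, because a successful login is not an account change under 12.5.4.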
Commercial SIEM systems are generally more feature-rich and they include all core SIEM capabilities such as event correlation and reporting. Furthermore, when purchasing an enterprise-level SIEM tool, you’ll usually get support for that tool included in the price. 15 | 16 | However, many organizations and smaller businesses either cannot afford such products or they prefer working with open source tools. It is quite possible to implement an open source SIEM solution, but it’s important to note that when using open source, this will typically involve bringing multiple tools together to achieve the required functionality. 17 | 18 | The beauty of the open source model is that you get high-quality code and SIEM capabilities without license fees and you can modify the code as you wish. The following are some examples of SIEM tools you can use if you opt to go down the open source route. 19 | 20 | ### Open Source SIEM Tools 21 | 22 | **1. OSSIM** 23 | 24 | OSSIM is an open source SIEM system that combines native log storage and correlation capabilities with a range of tools from other open source projects to help it closely replicate the functionality of a proprietary SIEM system. 25 | 26 | The open source projects integrated with OSSIM include OpenVAS, Munin, and Snort. Users access all available tools and configurations from a browser-based interface. OpenVAS is an open source vulnerability scanner; OSSIM correlates its scan results with log events so that activity against a host that is actually vulnerable to the attack being seen is rated more seriously than the same activity against a patched host. 27 | 28 | OSSIM is an excellent option for smaller SIEM deployments but it may experience performance issues when scaling it up to the needs of a large organization. 29 | 30 | **2. OSSEC** 31 | 32 | OSSEC is an open source host-based [intrusion detection system](https://searchsecurity.techtarget.com/definition/intrusion-detection-system) (HIDS): an agent on each monitored host performs log analysis, file integrity checking, rootkit detection and active response, rather than inspecting network traffic.
This tool works with a slew of operating systems, including Windows, macOS, Solaris, and Linux. 33 | 34 | The architecture of OSSEC is such that you can use it on multiple types of systems: servers and workstations run the agent, while firewalls and routers can be monitored agentlessly through the syslog they send to the OSSEC server. You can monitor multiple systems from a centralized location and integrate it with a visualization dashboard like Kibana, giving you a more intuitive view over host activity data and alerts. OSSEC also has a log analysis engine that can correlate log data. 35 | 36 | **3. SIEMonster** 37 | 38 | This open source SIEM software is available in both free and premium options. This particular tool is composed of a range of underlying open source components that deliver most of the major functions expected of any SIEM software. 39 | 40 | There is a [Kibana](https://github.com/elastic/kibana) user interface to enable data visualization and a separate Mine|Meld user interface for threat intelligence purposes. You can also set up event-based alerts from the dashboard. 41 | 42 | **4. Prelude** 43 | 44 | Prelude is another handy open source SIEM project. Prelude is similar to OSSIM in that it is a framework that unifies other open source projects to deliver necessary SIEM functions. Prelude gathers log and event data from many sources and normalizes it into the IDMEF format. Among the main SIEM capabilities are the ability to set up correlation rules, data filtering, analytic tools, and data visualization. 45 | 46 | There is a commercial counterpart to Prelude, and the official documentation highlights that the open source version is for evaluation, research and test purposes in very small environments. Therefore, larger organizations might have trouble in getting adequate performance from this tool. 47 | 48 | **5. ELK** 49 | 50 | The ELK stack is an open source solution composed of three different open source projects: Elasticsearch, Logstash, and Kibana. You’ve already found out about Kibana as a visualization tool.
Elasticsearch is a search and analytics engine and Logstash is a data processing pipeline. The ELK stack is not a SIEM tool in itself but it can be used for SIEM purposes. 51 | 52 | Logstash can receive log data from multiple sources, parse and enrich it, and forward it to Elasticsearch, which stores and indexes the data. Together with Kibana, this stack provides the building blocks for a robust SIEM system, but the correlation rules are something you write on top of it, not something the stack ships with. The ELK stack also does not come with inbuilt reporting or alerting, and you may have to pay an extra fee for those components. 53 | 54 | **Wrap Up** 55 | 56 | There are some really good open source options available for organizations looking to implement SIEM. The main limitations are typically performance at scale and steep learning curves. Whether you opt for commercial or open source, SIEM can help with a range of IT security and compliance functions. 57 | -------------------------------------------------------------------------------- /5-ways-to-secure-open-source-for-devops.md: -------------------------------------------------------------------------------- 1 | # 5 Ways to Secure Open Source for DevOps 2 | ![open source DevOps](https://cdn.pixabay.com/photo/2018/02/15/18/29/devops-3155973_1280.jpg) 3 | 4 | DevOps development practices shorten development life cycles and improve the overall efficiency of release delivery for software projects. Collaboration, automation, continuous testing, and various tools help to achieve the aims of DevOps practices. 5 | 6 | Open source empowers DevOps practices by providing developers with well-built libraries, frameworks, and other components they can use as the building blocks of the software they release. The security of open source code is an important topic in DevOps. Read on to find out why security is so vital and five ways to secure open source in DevOps teams.
7 | 8 | ## Open Source and DevOps 9 | The average commercially developed application contains [257 open source components](https://news.slashdot.org/story/18/05/22/1727216/the-percentage-of-open-source-code-in-proprietary-apps-is-rising). Additionally, several of the tools DevOps teams themselves rely on are open source, including Jenkins, Apache Maven, and JUnit. 10 | 11 | Not only does open source save money and make development more efficient, but its core tenet of collaboration also aligns well with what DevOps is all about. It’s clear that open source and DevOps are a powerful combination that drives faster time to market with frequent updates, fixes, and new features. However, for DevOps and open source to truly work together, it’s time to think more about security. 12 | 13 | ## DevOps and Open Source Security 14 | A problem with open source and DevOps is that security tends to get left as an afterthought. Open source vulnerabilities have been the cause of several high-profile cybersecurity incidents in recent times. Everyone knows about the Equifax breach, which happened because a known-vulnerable version of an open source web framework (Apache Struts) was not updated. 15 | 16 | There is a need to shift security left and embed it into the software development cycle from the start of development if security is going to improve in DevOps teams. Bolting security on at the end of development leads to inadvertent vulnerabilities and insecure code. 17 | ## Tips to Improve Open Source Security in DevOps 18 | 19 | **1. Culturally Adapt to DevSecOps** 20 | 21 | The first aim is to get developers and operations workers on board with the idea of security being embedded into the entire product lifecycle from design to development to delivery and support. Shifting left and keeping developers and operations happy means making sure DevOps efficiency and speed are not compromised.
This resource reviews the specific [DevOps security challenges](https://resources.whitesourcesoftware.com/blog-whitesource/shifting-security-left-3-devsecops-challenges-how-to-overcome-them) of shifting left. 22 | 23 | The cultural adaptation of going from DevOps to DevSecOps requires embedding application security functions, tools, and tests throughout the DevOps workflow. Frank and honest communication with DevOps teams is crucial. You need to drive home the importance of releasing secure applications, particularly in relation to using open source components. 24 | 25 | In a DevSecOps culture, security teams work alongside developers and operations to secure software with reduced technical debt and waiting times for security tests. 26 | 27 | **2. Automate Security** 28 | 29 | Automation lies at the heart of DevOps. A reason for the traditional misalignment between security and DevOps is that code commits far outpace the speed at which security teams can review the code properly. Security automation goes a long way toward overcoming cultural resistance to a DevSecOps approach, because it removes the waiting that developers object to. 30 | 31 | Automation in security processes like configuration checks, code analysis, patch management, and vulnerability scanning is imperative if security is going to be successfully embedded in DevOps workflows. Security teams need to prioritize deploying automated software to identify vulnerable open source code, and the earlier they can find such vulnerabilities, the cheaper it is to fix them. 32 | 33 | **3. Create an Open Source Policy** 34 | 35 | An open source policy establishes guidelines and rules around using open source components in applications. Security teams can create a policy that helps the transition to DevSecOps by emphasizing that application security is everyone’s responsibility. Organizations can look to freely available examples of internal open source policies like [Google’s](https://opensource.google.com/docs/) for inspiration.
36 | 37 | By providing a framework for DevOps teams on how to securely source and use open source code, a policy can help mitigate many technical, legal, and business risks. Advise developers to use only open source code from trusted repositories and to regularly check vulnerability databases. 38 | 39 | The policy should also focus on tools and processes that help security teams draw up a Bill of Materials showing all components used to build software. Greater visibility into open source components reduces the risk of using vulnerable or out-of-date code. 40 | 41 | **4. Track Security Throughout** 42 | 43 | Security needs to remain visible throughout DevOps workflows. Task or project management tools need to include tracking for security processes and checks to maintain good visibility. Integrating security tools with DevOps tools like Jenkins and Ansible via their APIs can ensure security checks run seamlessly in CI/CD pipelines. 44 | 45 | **5. Encourage Application Security Training** 46 | 47 | Security professionals can train developers in the basics of application security with an emphasis on open source. The training can cover using automated security tools and ways to verify if code is safe as developers are working on it. Many undergraduate computer science degrees don’t focus on secure software development in their modules. 48 | Alongside a good policy, this training equips development teams with the security-first knowledge needed to avoid vulnerabilities slipping into software. 49 | 50 | ## Conclusion 51 | 52 | Open source code helps organizations achieve a DevOps culture, but too many of them neglect security as part of that cultural shift. Introducing security early into development cycles reduces potential vulnerabilities from open source code while also unearthing problems earlier when they are easier and less expensive to fix.
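One concrete form of the automated check under tip 2 and the Bill of Materials under tip 3 is a dependency gate that runs in CI on every commit. The following is an added example, not code from any tool or project named on this page: it builds the inventory from a pinned lockfile, compares each pin against a vulnerability feed, and fails the build above a severity threshold. The lockfile, the feed, its package names and advisory IDs are all constructed for the example (they are not real packages or CVEs), and version comparison assumes plain dotted numeric versions; a real pipeline would take the feed from a database such as the NVD and use a proper version parser.

```python
import re

# Constructed vulnerability feed (fictional packages and advisory IDs, not real CVEs).
# "introduced" is the first affected version, "fixed" the first safe one.
VULN_FEED = [
    {"id": "ADV-2019-0001", "package": "acme-auth", "introduced": "1.0.0", "fixed": "1.4.3", "severity": "critical"},
    {"id": "ADV-2019-0002", "package": "widgetkit", "introduced": "0.8.0", "fixed": "0.9.1", "severity": "medium"},
    {"id": "ADV-2019-0003", "package": "fastjsonx", "introduced": "2.0.0", "fixed": "2.1.0", "severity": "high"},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PIN_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[0-9][0-9.]*)\s*(#.*)?$")


def parse_version(v):
    """'1.4.2' -> (1, 4, 2). Assumes dotted numeric versions with no pre-release tags."""
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text):
    """Build the bill of materials from pinned 'name==version' lines; comments and blanks are skipped."""
    bom = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            # An unpinned dependency cannot be checked against the feed, so refuse to build on it.
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        bom[m.group("name").lower()] = m.group("version")
    return bom


def find_vulnerable(bom, feed):
    """Return the advisories whose affected range [introduced, fixed) contains the pinned version."""
    hits = []
    for adv in feed:
        pinned = bom.get(adv["package"].lower())
        if pinned is None:
            continue
        v = parse_version(pinned)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append({**adv, "pinned": pinned})
    return hits


def gate(lockfile_text, feed=VULN_FEED, fail_at="high"):
    """CI gate: returns (passed, findings). Any finding at or above `fail_at` blocks the build."""
    findings = find_vulnerable(parse_lockfile(lockfile_text), feed)
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_at]]
    return (len(blocking) == 0, findings)


# Constructed lockfile for a fictional service.
SAMPLE_LOCKFILE = """\
# generated by the build, all versions pinned
acme-auth==1.4.2
widgetkit==0.9.0
fastjsonx==2.1.0
flask==1.0.2
"""

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_LOCKFILE)
    for f in findings:
        print(f"{f['severity']:8} {f['id']} {f['package']}=={f['pinned']} (fixed in {f['fixed']})")
    print("build", "PASSED" if passed else "FAILED")
```

The two design choices worth copying are that an unpinned requirement fails the gate rather than being ignored, because an inventory with unknown versions is not an inventory, and that the threshold is a parameter, so the same check can block on critical findings today and tighten to high once the backlog is cleared.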
53 | 54 | Following these practices helps establish security as a pillar of software development in DevOps environments, and it produces working software that is more resistant to data breaches and other cyber threats. 55 | -------------------------------------------------------------------------------- /owasp-top-10-tips-and-tricks.md: -------------------------------------------------------------------------------- 1 | # OWASP Top 10 Tips and Tricks 2 | ![owasp top 10](https://images.unsplash.com/photo-1555949963-ff9fe0c870eb?ixlib=rb-1.2.1&ixid=eyJhcHBfaWQiOjEyMDd9&auto=format&fit=crop&w=2850&q=80) 3 | 4 | The Open Web Application Security Project (OWASP) is a non-profit organization that provides tools and advisory documentation to help improve web application security worldwide. Read on to learn about the OWASP Top Ten, which is one of the organization’s most important documents for securing applications. You’ll also get six tips to mitigate the OWASP Top Ten risks. 5 | ## What Is the OWASP Top Ten? 6 | The OWASP Top Ten is a document that spreads awareness about the most critical risks to web application security. Security experts worldwide share their knowledge and come to a consensus on the risks that the document should contain. OWASP urges corporations, universities, government agencies, and other organizations to adopt the document and minimize the ten risks. 7 | 8 | OWASP releases an updated version of its top ten risks every few years—the latest one was released in November 2017. The risks on the latest [OWASP Top 10](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf) include injection, broken authentication, and sensitive data exposure. Data loss, litigation issues, leaked proprietary information, and loss of customer confidence are some of the consequences of a breached web application. 9 | ## Mitigating OWASP Top Ten Risks 10 | 11 | **1.
Use Software Composition Analysis** 12 | 13 | Risk A9 on the OWASP list is “using components with known vulnerabilities”. A number of high-profile cybersecurity incidents in recent times happened because organizations used vulnerable open source components. To protect against this risk, it is important to use software composition analysis (SCA) tools that can identify all components and their dependencies in web applications and check for vulnerabilities. 14 | 15 | OWASP has its own free SCA utility, Dependency-Check, and this [OWASP Dependency Check guide](https://resources.whitesourcesoftware.com/home/owasp-dependency-check) provides details on the utility’s features and functionality. You can also get more advanced SCA solutions that provide dashboards and automated rules for vulnerability remediation. 16 | 17 | **2. Strengthen Application Authentication** 18 | 19 | The second risk (A2) on the list is broken authentication, which is when attackers bypass the authentication methods used by a web application. In web apps without automated [credential stuffing](https://www.owasp.org/index.php/Credential_stuffing) protections, intruders can use lists of stolen/breached credentials and repeatedly try to access an application with automated login attempts. Weak passwords and incorrect session timeouts also contribute to broken authentication. 20 | 21 | Protect against credential stuffing and brute force login attacks by adding multi-factor authentication. Other measures include checking new passwords against lists of weak or breached passwords, rate-limiting failed logins, and never placing session IDs in URLs. 22 | 23 | **3. Regularly Review Security Configurations** 24 | 25 | In 2018, an open Amazon S3 bucket exposed the personal information of thousands of FedEx users. The OWASP Top Ten mentions this type of incident in its sixth (A6) web application security risk: Security Misconfiguration.
Leaving important files and directories open, using out-of-date software, and leaving default accounts enabled are all examples of security misconfiguration. 26 | 27 | To combat this risk, regularly review security configurations to make sure everything is in order, especially cloud storage permissions. Apply the latest security updates to libraries and frameworks. 28 | 29 | **4. Prevent Cross Site Scripting (XSS)** 30 | 31 | Cross Site Scripting (XSS) has the second highest prevalence of the ten web application security risks in OWASP’s document. XSS attackers insert malicious scripts into trusted websites, targeting unsuspecting users. XSS vulnerabilities are found in up to two-thirds of web applications. 32 | 33 | Prevent XSS by encoding untrusted data for the context it lands in (HTML body, attribute, JavaScript, URL) and by using frameworks that do this by default, such as Ruby on Rails or React, but make sure you know about the limitations of their defenses too. Scan your source code for XSS vulnerabilities during development. Conduct penetration tests on your web apps before promoting them to production. 34 | 35 | **5. Encrypt Your Data Properly** 36 | 37 | Security risk A3 in the OWASP document highlights the issue of sensitive data exposure. Attackers frequently try to get access to sensitive data because information like credit card numbers, business secrets, and personal information is potentially lucrative. Some problems that expose web applications to sensitive data breaches are transmitting or storing data in clear text and using weak or old cryptography algorithms. 38 | 39 | The main thing is to encrypt all sensitive data, whether it is at rest or in transit. Use strong, current encryption algorithms, and store passwords only as salted hashes produced by a slow, purpose-built password hashing function such as bcrypt, scrypt, Argon2 or PBKDF2, never a plain cryptographic hash. Don’t retain sensitive data if you don’t need it and make sure you classify sensitive data that is either processed, stored, or transmitted by an application. Apply appropriate controls for sensitive data at rest or in motion as required by regulations and standards such as GDPR or PCI DSS. 40 | 41 | **6.
Use Thorough Logging and Monitoring** 42 | 43 | Insufficient logging and monitoring is the final risk included in the top ten list, and its exploitation is the foundation for many major cyber attacks on web apps. Cybercriminals know that a lack of proper monitoring increases the time taken for security teams to respond to incidents, making their attacks more likely to succeed. 44 | 45 | Vulnerable applications tend not to log events such as failed logins or high-value transactions. Other signs of a vulnerability in logging and monitoring are unclear log messages, not monitoring logs for suspicious activity, and ineffective alerts or response escalation. 46 | 47 | A thorough logging system must log all events with user context to identify suspicious or malicious accounts. Log management tools need to be in place for a holistic view of generated log messages. Set up automated monitoring and alerting to achieve faster responses to suspicious activity. 48 | 49 | ## Conclusion 50 | 51 | Whether you are a developer or part of an IT security team, it’s important to learn about the OWASP top ten. Organizations should understand that application security is not optional. Stakeholders need to put an organization-wide initiative in place to improve app security. Encourage different teams to work together efficiently, including security, software developers, and managers, to prevent critical security risks using the tips here as a guideline. 
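Tips 2 and 6 meet in the monitoring logic itself: the credential stuffing described under A2 is only visible if every login attempt is logged with its outcome, account and client address, and something watches those records. The following is an added example, not code from OWASP or from any product on this page: it reads a constructed key=value authentication log, counts failed logins per source IP inside a sliding window, separates the credential-stuffing shape (many accounts from one address) from plain brute force (one account), and escalates when the burst is followed by a success. The log format, window, thresholds and IP addresses are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application auth log, one key=value record per line (not a real capture).
# Logging outcome, account and client IP together is the "user context" the rule needs.
SAMPLE_AUTH_LOG = """\
2019-06-01T10:00:01Z event=login result=fail user=alice ip=203.0.113.7
2019-06-01T10:00:04Z event=login result=fail user=bob ip=203.0.113.7
2019-06-01T10:00:07Z event=login result=fail user=carol ip=203.0.113.7
2019-06-01T10:00:09Z event=login result=fail user=dave ip=203.0.113.7
2019-06-01T10:00:12Z event=login result=fail user=erin ip=203.0.113.7
2019-06-01T10:00:15Z event=login result=success user=frank ip=203.0.113.7
2019-06-01T10:01:00Z event=login result=fail user=admin ip=198.51.100.4
2019-06-01T10:01:05Z event=login result=fail user=admin ip=198.51.100.4
2019-06-01T10:01:10Z event=login result=fail user=admin ip=198.51.100.4
2019-06-01T10:01:15Z event=login result=fail user=admin ip=198.51.100.4
2019-06-01T10:01:20Z event=login result=fail user=admin ip=198.51.100.4
2019-06-01T10:02:00Z event=login result=fail user=grace ip=192.0.2.10
2019-06-01T10:02:30Z event=login result=success user=grace ip=192.0.2.10
"""


def parse_record(line):
    """'<iso-ts> k=v k=v ...' -> dict of the fields, with the timestamp parsed under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text, window=timedelta(minutes=5), max_failures=5, stuffing_users=3):
    """Flag source IPs with at least `max_failures` failed logins inside `window`.

    Failures spread over `stuffing_users` or more accounts from one IP is the
    credential-stuffing shape; the same count against one account is brute force.
    A success from a flagged IP during or just after the burst raises severity to high.
    """
    events = [parse_record(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    per_ip = defaultdict(list)
    for e in events:
        if e.get("event") == "login":
            per_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in per_ip.items():
        failures = [e for e in evs if e["result"] == "fail"]
        # Sliding window: from each failure, count the failures that follow within `window`.
        for i, start in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            if len(burst) < max_failures:
                continue
            users = {e["user"] for e in burst}
            kind = "credential_stuffing" if len(users) >= stuffing_users else "brute_force"
            last = burst[-1]["ts"]
            succeeded = any(
                e["result"] == "success" and start["ts"] <= e["ts"] <= last + window
                for e in evs
            )
            findings.append({
                "ip": ip,
                "type": kind,
                "failures": len(burst),
                "accounts": sorted(users),
                "severity": "high" if succeeded else "medium",
                "from": start["ts"].isoformat(),
                "until": last.isoformat(),
            })
            break  # one finding per IP is enough to raise an alert
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_AUTH_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['type']} failures={f['failures']} accounts={f['accounts']}")
```

The single failed login from 192.0.2.10 followed by a success is what a user who mistyped a password looks like, and it produces no finding; the point of the distinction between the two attack shapes is that the response differs, since credential stuffing calls for resetting the accounts that succeeded rather than locking the one account a brute-force attempt targeted.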
52 | -------------------------------------------------------------------------------- /vulnerabilities-management-5-ways-to-find-and-fix-open-source-vulnerabilities.md: -------------------------------------------------------------------------------- 1 | # Vulnerabilities Management: 5 Ways to Find and Fix Open-Source Vulnerabilities 2 | 3 | ![](https://cdn.pixabay.com/photo/2016/12/21/17/39/cyber-security-1923446_960_720.png) 4 | *Image source: [Pixabay](https://pixabay.com/illustrations/cyber-security-internet-security-1923446/)* 5 | 6 | ## Overview 7 | 8 | Open source adoption continues to grow at enterprises and other organizations. Development teams often use well-built operating systems, libraries, and frameworks as the building blocks of commercial or non-commercial applications. Ready-made open source software like database programs can support internal IT infrastructure. 9 | 10 | Using open source components is a cost-effective way to meet the need for speed and agility with modern development practices. However, open source comes with its own security challenges, and failing to meet them can expose organizations to serious vulnerabilities. Read on to find out about open source security issues and five ways to find and fix these issues. 11 | ## Open Source Security Issues 12 | 13 | **Lack of open source visibility** 14 | 15 | This open source security risk comes from poor management of open source use rather than an inherent lack of security in open source components and software. Just [28 percent of organizations](https://www.csoonline.com/article/3157377/open-source-software-security-challenges-persist.html) regularly analyze applications to get visibility into which open source components their dev teams are using. Without a full and transparent open source inventory, vulnerabilities in applications can easily go unnoticed. 
16 | 17 | **Not applying updates on time** 18 | 19 | Another risk responsible for many recent high-profile data breaches is the failure to promptly apply updates to open source components. Patches in open source projects often fix security vulnerabilities, and the fix itself publicizes the flaw: opportunistic attackers watch for security releases and use them to find organizations that are slow to update. 20 | 21 | **Lack of security standardization** 22 | 23 | The community-driven way of maintaining open source projects leads to a lack of security standardization across the industry. Just [42 percent of project maintainers audit open source code](https://thenewstack.io/ossmaintainer_security/) at least once per quarter. Furthermore, many of the leading public GitHub repositories have no security documentation. 24 | 25 | When open source maintainers find and fix problems, most of them add the security-related announcements to the release notes. However, the majority of maintainers do not catalog vulnerabilities in the CVE database, both because they do not understand the process and because they lack the time. 26 | 27 | ## 5 Tips for Finding and Fixing Open Source Vulnerabilities 28 | 29 | **1. Set Open Source Rules and Standards** 30 | 31 | It’s tough to blame developers for using vulnerable components when there is no consistent set of standards around open source use. Organizations need to prioritize creating an open source policy that clearly explains open source risks and sets out best practices for safe open source use. 32 | 33 | Standards can include requiring a security review of a component before it is adopted and never downloading components from untrusted repositories. 34 | 35 | **2. 
Learn About CVSS v3** 36 | 37 | CVSS v3 is the current major version of the Common Vulnerability Scoring System, which quantifies the severity of vulnerabilities on a 0 to 10 scale. Developers and IT security teams should become familiar with the [CVSS v3 changes](https://resources.whitesourcesoftware.com/blog-whitesource/cvss-v3-creates-new-challenges-for-developers), which score vulnerabilities differently from CVSS v2. Some vulnerabilities rated medium severity under v2 receive a high severity rating under v3, calling for faster remediation. 38 | 39 | Not all vulnerabilities are equally severe, and an important part of securing open source is knowing which issues need immediate remediation. 40 | 41 | **3. Get an Open Source Inventory** 42 | 43 | A transparent inventory of all the open source components and dependencies you use is a prerequisite for finding and fixing vulnerabilities. Disregard outdated methods like spreadsheets—development teams need something more efficient that runs with minimal effort and doesn’t waste their time. 44 | 45 | Software composition analysis (SCA) solutions run continuously and generate an inventory of all the components that make up an application. Some tools also come with automated security and license policy enforcement. Make sure you have an inventory of components both in development and in production. 46 | 47 | **4. Always Use Updated Components** 48 | 49 | A good inventory also shows the latest version of each open source component. Use this to your advantage and encourage developers to update components promptly. Remember that the latest patches often fix important vulnerabilities for which no CVE entry exists yet, because the maintainers never requested one. 50 | 51 | An automated tool like Commit Watcher can help you keep a closer eye on security issues by scanning the release notes or messages accompanying code commits for phrases such as “XSS attack fix”. 
Proactively monitoring commits like this can lead to faster detection of vulnerabilities and quicker updates. 52 | 53 | **5. Consider Building Components In-House** 54 | 55 | If an open source project is active and well-supported with a reasonably sized developer community, there is no reason to stop using it. However, you should consider building your own in-house replacements for unsupported or abandoned components. The time and cost of building a replacement are well spent if they give you back control over security. 56 | 57 | Some larger companies have even started to build libraries and components as replacements for unsupported projects and release them under an open source license. Microsoft is an example of this, and the result has been more trust and respect from open source developers. Another benefit of releasing back into the open source community is improved component security, since more developers submit patches and revisions. 58 | 59 | ## Conclusion 60 | 61 | Open source components are generally safe if organizations manage their use properly. Having a large community of active developers contributing to and maintaining an open source project doesn’t guarantee anything about security, so it is important to have your own defenses in place. 62 | 63 | Document an open source policy, get visibility into open source components, and use CVSS v3 to assess vulnerability severity. Lastly, make sure that any tools you use for finding and fixing open source vulnerabilities support DevOps, Agile, and CI/CD practices by not slowing down development. 
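Tips 2 through 4 above fit together as one workflow: an inventory of components and versions, advisories scored with CVSS v3 to decide what needs immediate remediation, and a scan of commit messages for fixes that never got a CVE. The following is an added example in Python that runs that workflow end to end; it is not code from the article or from any SCA vendor. The inventory, the advisory feed and the commit messages are constructed and the component names are fictitious; the severity bands are the CVSS v3.x qualitative ratings published by FIRST, and the rule that High and Critical findings must be fixed immediately is an assumed policy.

```python
"""Open source inventory triage with CVSS v3 severity bands, plus a commit
message scan for security-fix wording.

Added example, not code from the article or from any SCA vendor. The
inventory, the advisory feed and the commit messages are constructed for the
demo; the component names are fictitious. The severity bands are the CVSS
v3.x qualitative ratings published by FIRST.
"""
import re


def cvss_v3_severity(score):
    """Map a CVSS v3.x base score (0.0-10.0) to its qualitative rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_version(v):
    """Turn '2.1.3' into (2, 1, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


# Constructed inventory: what an SCA tool would produce from a lockfile.
INVENTORY = {
    "acme-parser": "2.1.0",
    "acme-imaging": "0.9.4",
    "acme-auth": "3.4.0",
}

# Constructed advisory feed with CVSS v3 base scores.
ADVISORIES = [
    {"id": "ADV-0001", "component": "acme-parser", "fixed_in": "2.1.3", "cvss_v3": 9.8},
    {"id": "ADV-0002", "component": "acme-imaging", "fixed_in": "0.9.0", "cvss_v3": 5.3},
    {"id": "ADV-0003", "component": "acme-auth", "fixed_in": "3.5.0", "cvss_v3": 6.5},
    {"id": "ADV-0004", "component": "acme-crypto", "fixed_in": "1.0.1", "cvss_v3": 7.5},
]

IMMEDIATE = {"High", "Critical"}   # assumed policy: fix these before the next release


def triage(inventory, advisories):
    """Return the advisories that affect installed versions, most severe first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["component"])
        if installed is None:
            continue                     # not in our inventory, nothing to do
        if parse_version(installed) >= parse_version(adv["fixed_in"]):
            continue                     # already on a fixed version
        severity = cvss_v3_severity(adv["cvss_v3"])
        findings.append({
            "id": adv["id"],
            "component": adv["component"],
            "installed": installed,
            "fixed_in": adv["fixed_in"],
            "cvss_v3": adv["cvss_v3"],
            "severity": severity,
            "immediate": severity in IMMEDIATE,
        })
    return sorted(findings, key=lambda f: f["cvss_v3"], reverse=True)


# Phrases that hint at a silent security fix in release notes or commit logs.
SECURITY_FIX_PATTERN = re.compile(
    r"\b(xss|csrf|ssrf|injection|rce|overflow|dos|security\s+fix|vuln\w*)\b",
    re.IGNORECASE,
)


def flag_security_commits(messages):
    """Return the commit messages that mention a security fix."""
    return [m for m in messages if SECURITY_FIX_PATTERN.search(m)]


COMMIT_MESSAGES = [                      # constructed
    "Fix XSS in comment renderer",
    "Bump version to 2.1.3",
    "Refactor build scripts",
    "Harden header parsing against injection",
]

if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        flag = "FIX NOW" if f["immediate"] else "schedule"
        print(f"{flag:8} {f['component']} {f['installed']} -> {f['fixed_in']} "
              f"({f['severity']}, {f['cvss_v3']})")
    for m in flag_security_commits(COMMIT_MESSAGES):
        print("security-related commit:", m)
```

Two details matter in practice. Versions are compared as integer tuples, because a string comparison would rank 2.10.0 below 2.9.9 and silently miss a vulnerable component. And the commit scan is deliberately noisy: a keyword match is a prompt to read the diff, not a finding in itself, which is why it is kept separate from the CVSS-driven triage list.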
64 | -------------------------------------------------------------------------------- /edr-security-what-it-is-and-why-you-need-it.md: -------------------------------------------------------------------------------- 1 | # EDR Security: What It Is and Why You Need It 2 | ![edr security](https://cdn.pixabay.com/photo/2018/04/17/11/02/cyber-3327240_1280.jpg) 3 | 4 | When you think about a cyber attack, you picture an attacker entering a network straight through a computer, right? Wrong. Nowadays, attackers enter networks through connected portable devices such as phones, laptops, and tablets. The number of devices connected to any given network is ever increasing, widening the attack surface. 5 | 6 | Moreover, many attacks bypass traditional antivirus, requiring solutions that proactively search for indicators of compromise across endpoints. In this article, we will define what Endpoint Detection and Response (EDR) is, and give you four reasons you should install an [EDR security](https://www.cynet.com/platform/threat-protection/edr-endpoint-detection-and-response/) solution today. 7 | ## What Is Endpoint Detection and Response? 8 | EDR is a set of software solutions and cybersecurity technologies that detect and remove malicious activity, such as malware, on a network’s endpoints. 9 | 10 | EDR solutions typically have the following features: 11 | * **Monitors endpoints for anomalous behavior**—detecting security threats at the endpoint. 12 | * **Prioritizes alerts**—filtering out false positives. This prevents alert fatigue and helps the security team focus on real threats. 13 | * **Blocks advanced threats**—from the moment they are detected. 14 | * **Contains the security incident on the endpoint**—by, for example, rerouting the malware to a sandbox where it can be detonated. 15 | * **Eliminates the threat**—by removing dangerous files or, in the case of fileless threats, killing the malicious processes to restore the endpoint to a safe state. 
16 | * **Protects against different threats at the same time**—such as malware, ransomware and memory attacks. 17 | 18 | When it comes to protection against advanced threats, endpoint security has the advantage of protecting the environment where the attack starts. 19 | ## Why Do You Need EDR? 20 | Until recently, attackers would try to enter a network through a server or computer. Since the number of endpoints was contained within the company’s network, barriers such as antivirus and firewalls did the trick. The exponential growth of portable connected devices has changed this situation. 21 | 22 | With the rise of the Internet of Things (IoT), companies need to deal with a wider spectrum of connected devices, many of them belonging to customers and employees. Attackers can have a field day with a myriad of entry points to try to exploit. 23 | Wherever you have a device connected to the internet, you have a potential point of entry for an attacker. Organizations need to defend their network perimeter on thousands of laptops, phones and tablets, to name a few. 24 | 25 | Another risk factor is the change in the work structure. Not long ago, employees would log in to the company system using the office computer. Today, remote work and bring-your-own-device (BYOD) policies mean you can work wherever you can connect to the internet. The point is, not all these networks are secure, with a lot of people connecting from coffee shops, or from pretty much any place with a Wi-Fi connection. This puts the organization’s network at risk, as innocent employees can get their devices hacked, and not-so-innocent ones can use their devices to perpetrate insider threats. 26 | 27 | How can an organization protect all these connected endpoints? Antivirus and firewalls are not enough. EDR security solutions monitor endpoints, detect threats that a signature-based solution cannot pick up, and respond to them. 
28 | ## Four Reasons to Install an EDR Solution 29 | To actively block and respond to attackers threatening endpoints, more companies are choosing to deploy an EDR security solution across their network. That means every smartphone, laptop or computer connecting to the organization’s applications or network is actively protected by the EDR solution. Here are four reasons to install an EDR solution today. 30 | ### 1. Continuous visibility across endpoints. 31 | EDR solutions allow the security team to check on the security posture at any moment. No network is 100% secure, and a lack of visibility often causes organizations to overlook attacks. Since the solution continuously monitors the network and proactively searches for threats, the security team can draw information about vulnerable areas at any time. Using EDR security provides the visibility to see where the organization’s security posture stands at the moment. Most solutions also generate automatic reports to support regulatory compliance. 32 | ### 2. Detection of unknown threats. 33 | EDR adds a layer of detection capabilities to find threats that went unnoticed by the antivirus. Most organizations rely on passive prevention to defend their network perimeter from attackers. This has proven insufficient: as defenses become more sophisticated, so do attackers. Advanced threats slip past a traditional antivirus or firewall, lurking undetected while causing damage to the systems. An EDR solution searches for indicators of compromise on all endpoints and raises prioritized alerts for analysis of their severity. EDR security solutions can enhance or replace antivirus systems, since they look for complex threats, such as fileless attacks, that typically evade traditional antivirus. 34 | ### 3. Faster incident response. 35 | EDR solutions use behavior analysis to actively search for threats in the environment. 
Once it detects a security incident, the solution proceeds to contain the threat by isolating the affected endpoints. This gives the security team the ability to respond quickly to security incidents, since the EDR solution takes care of containment measures without disrupting operations. This constant and proactive vigilance also helps organizations deal faster with zero-day attacks. 36 | ### 4. Easier visualization of lessons learned 37 | Most EDR security solutions include forensic capabilities that provide a visual representation of the attack chain. The system collects data and generates reports at each step of the kill chain. This makes it easier to understand which processes and files were affected by the attack and to determine its impact. Moreover, since the system presents the patterns used by the attackers, it can support attribution of the attack. This reporting is a crucial step in preventing similar attacks in the future. 38 | ## The Bottom Line 39 | Most security analysts don’t ask if an attack will happen, but when. Failing to detect an attack at its starting point can have dire consequences for organizations, resulting in millions of dollars in damage from data breaches. Companies need to be able to control their perimeter wherever a device connects to their environment, whether it is using their applications or logging into their systems. Their best bet is to deploy a solution that actively protects their network 24/7 across devices and users. Endpoint Detection and Response solutions can be the answer. 
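The article says EDR relies on behavior analysis and indicators of compromise rather than file signatures, and that it isolates an endpoint once a threat is confirmed. The following is an added example in Python, not code from the article or from any EDR product, that shows what such a behavior rule looks like in the small: it inspects constructed process-creation telemetry, flags an Office application spawning a command interpreter and PowerShell launched with an encoded command (a fileless pattern that leaves no file for antivirus to scan), and decides per host whether containment is warranted. The rules, severities and the isolate-on-high policy are assumptions; the telemetry is constructed.

```python
"""Behavior-based detection over endpoint process telemetry.

Added example, not code from the article or from any EDR product. It models
one thing EDR does that signature antivirus cannot: flag a suspicious chain
of process behavior (an Office application spawning a command interpreter,
encoded PowerShell) and decide whether the host should be isolated. The
telemetry is constructed and the rules and severities are assumptions.
"""
import base64
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str     # image name of the parent process
    image: str      # image name of the new process
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAGS = {"e", "ec", "enc", "encodedcommand"}


def looks_like_encoded_powershell(cmdline):
    """True when a PowerShell command line carries a valid base64 -EncodedCommand."""
    if "powershell" not in cmdline.lower():
        return False
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().lstrip("-/") in ENCODED_FLAGS:
            try:
                base64.b64decode(tokens[i + 1], validate=True)
                return True
            except ValueError:          # binascii.Error is a ValueError
                return False
    return False


def evaluate(event):
    """Apply the behavior rules to one event; return (rule, severity) pairs."""
    hits = []
    if event.parent.lower() in OFFICE_APPS and event.image.lower() in INTERPRETERS:
        hits.append(("office_app_spawned_interpreter", "high"))
    if looks_like_encoded_powershell(event.cmdline):
        hits.append(("encoded_powershell", "medium"))
    return hits


def triage(events):
    """Group hits per host and decide on containment (isolate on any high)."""
    result = {}
    for ev in events:
        for rule, severity in evaluate(ev):
            entry = result.setdefault(ev.host, {"alerts": [], "isolate": False})
            entry["alerts"].append({"rule": rule, "severity": severity,
                                    "user": ev.user, "image": ev.image})
            if severity == "high":
                entry["isolate"] = True
    return result


def sample_events():
    """Constructed telemetry: one benign host, one macro-style attack chain,
    and one admin running encoded PowerShell from a console."""
    payload = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
    return [
        ProcessEvent("ws-01", "alice", "explorer.exe", "winword.exe", "winword.exe invoice.docx"),
        ProcessEvent("ws-01", "alice", "winword.exe", "powershell.exe",
                     f"powershell.exe -nop -w hidden -enc {payload}"),
        ProcessEvent("ws-02", "bob", "explorer.exe", "powershell.exe", "powershell.exe Get-Process"),
        ProcessEvent("ws-03", "carol", "cmd.exe", "powershell.exe",
                     f"powershell.exe -EncodedCommand {payload}"),
    ]


def run_demo():
    return triage(sample_events())


if __name__ == "__main__":
    for host, info in run_demo().items():
        action = "ISOLATE" if info["isolate"] else "investigate"
        print(host, action, [a["rule"] for a in info["alerts"]])
```

Note what drives the decision: the parent-child relationship and the command line, not the PowerShell binary itself, which is legitimate on every host. ws-02 runs PowerShell interactively and produces nothing; ws-03 produces a medium alert worth a look; only ws-01, where a document viewer spawned a hidden encoded shell, crosses the isolate threshold. Real EDR agents add far more context (file hashes, network connections, parent chains several levels deep), but the rule shape is the same.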
40 | -------------------------------------------------------------------------------- /digital-asset-management-what-it-is-and-how-it-can-help-your-business.md: -------------------------------------------------------------------------------- 1 | # Digital Asset Management: What It Is and How It Can Help Your Business 2 | ![digital asset management](https://cdn.pixabay.com/photo/2016/10/30/12/11/pdf-1783009_1280.jpg) 3 | 4 | Modern businesses of all sizes use digital assets in their marketing campaigns, website design, and website copy. These digital assets are electronically stored files that provide value and come with the right to use them. Examples are numerous⁠—think images, PDF white papers, logos, webinars, and technical documents. 5 | 6 | Digital assets are only useful when web professionals can access them at all times and use them for their various purposes. As the number of digital assets grows, managing and organizing them efficiently becomes more complex, and people can’t find assets when needed. 7 | 8 | Read on to find out about DAM solutions, which can help with managing assets effectively. You’ll find out what DAM software is, its benefits, example solutions, and some challenges and best practices for using this type of software tool. 9 | 10 | ## What Is a Digital Asset Management Solution? 11 | A digital asset management (DAM) solution is a special type of software designed to help businesses store, organize, retrieve, and monitor their digital assets and associated usage rights. 12 | 13 | A [2019 report](https://www.globenewswire.com/news-release/2019/01/07/1681144/0/en/Global-Digital-Asset-Management-Market-Will-Reach-USD-8-1-Billion-By-2024-Zion-Market-Research.html) predicted that the global digital asset management market would reach a value of $8.1 billion by 2024 (from $2.5 billion in 2017). This estimated growth reflects the huge number of digital assets at the average company’s disposal and increased reliance on online marketing. 
14 | 15 | Some examples of DAM software are: 16 | 17 | * Pimcore open source DAM 18 | * Cloudinary [digital asset management solution](https://cloudinary.com/solutions/digital_asset_management) 19 | * [WordPress combined with plugins](https://wpbuffs.com/wordpress-digital-asset-management/), which can function as a basic DAM solution 20 | 21 | DAM software works by building a centralized, organized media library with associated metadata. Users can quickly find, modify, save, and share digital assets in a DAM system. 22 | ## Benefits of DAM Solutions 23 | There are many reasons to consider DAM software. Here are some of them: 24 | 25 | * **Brand consistency**—everyone on your marketing team has access to the same updated marketing materials (assets). This means consistent branding across different campaigns. 26 | * **Usability**—search functions, easy sharing of assets, and the ability to track different asset versions combine for a much smoother digital asset workflow. 27 | * **Improved productivity**—less time spent searching for assets and going back and forth between different teams means greater productivity and efficiency. 28 | * **Reduced litigation risk**—it’s likely your business has some assets from third parties, such as stock images, which come with usage rights. DAM software tracks these usage rights and reduces the chance of litigation due to misuse. 29 | * **Better security**—digital assets are valuable files, which makes them targets for digital theft and other forms of cybercrime. DAM solutions improve digital asset security using encryption, controlled user access to files, and multi-factor authentication. Keep in mind that DAM solutions do not replace [network security](https://www.esecurityplanet.com/products/best-enterprise-network-security-products.html). Rather, DAM provides capabilities dedicated to the data that moves in and out of the system. 
30 | ## DAM Software Challenges 31 | DAM software has many benefits; however, using it also brings some new challenges, including: 32 | 33 | * **Selecting the right vendor**—it’s imperative to opt for a solution that best suits your specific business needs. 34 | * **User adoption**—with any new tool, there’s often an initial struggle as business users become frustrated trying to get used to the software. 35 | * **Managing user access**—setting permissions and managing user access is complex, particularly in a large enterprise. 36 | * **Storage scalability**—DAM tools should be able to add storage locations for growing asset libraries without moving existing assets or disrupting business users. 37 | 38 | ## Best Practices for Using a DAM Solution 39 | Here are some tips and best practices for choosing and using DAM software. 40 | 41 | **Perform Thorough Due Diligence** 42 | 43 | The DAM marketplace is becoming increasingly crowded, and thorough research is recommended. There are open source choices, enterprise-grade tools, and DAM-as-a-service solutions. 44 | 45 | Your research needs to cover how well the vendor meets business needs, the level of security provided by the tool, and how well it supports cross-functional collaboration. 46 | 47 | **Be Smart with Metadata** 48 | 49 | Metadata is information about files, and it is what drives the indexability and searchability of assets in a DAM solution. Be smart with your metadata by always entering the most important information about each asset into the system. 50 | 51 | It should be company policy to enter metadata into your chosen DAM as soon as a team member uploads a new asset. See this resource for more [DAM metadata tips](http://www.digitalclaritygroup.com/wp-content/uploads/2017/07/DCG-DAM-MetadataGuide-Feb2017.pdf). 
52 | 53 | **Don’t Forget Usage Terms** 54 | 55 | DAM software can track usage permissions for assets and prevent copyright issues, but only when you specify the usage terms in the metadata. Do not forget this critical step for rights-managed assets. 56 | 57 | **Train Business Users** 58 | 59 | To avoid frustration and make for a smoother transition to the new system, train business users in using the software before it goes live. Even a brief half-day course can provide enough familiarity to avoid those initial teething problems. 60 | 61 | **Have a Dedicated DAM Admin** 62 | 63 | Your DAM system needs an administrator if you are going to manage user access properly. The admin can assign role-based permissions to various digital assets. Administrators also create and remove users from the system as needed. 64 | 65 | **Choose Good File Naming Conventions** 66 | 67 | A good file name is easy to understand and makes the asset easy to retrieve from the DAM system. File names should be consistent and accurate across your media library. In file names, use unique identifiers, dates, and concise descriptions. Avoid special characters, and don’t use spaces as separators; use underscores or hyphens. 68 | 69 | **Use DAM Analytics** 70 | 71 | Most enterprise-grade DAM solutions give you a ton of useful analytics that can influence what assets you procure and create in the future. The data can identify the types of assets used most, when the assets were last used, and what purposes they’ve been used for. You can audit existing assets and decide to move away from infrequently used asset classes to focus more on the types of assets that deliver the most ROI. 72 | 73 | ## Conclusion 74 | 75 | DAM software is essential for properly managing the growing number of digital assets that modern businesses use. 
Use these tips and best practices as a guideline for successful DAM use, and remember that the tool is only as good as the information you feed it and how you use it. 76 | 77 | 78 | -------------------------------------------------------------------------------- /why-your-business-needs-an-incident-response-plan.md: -------------------------------------------------------------------------------- 1 | # Why Your Business Needs an Incident Response Plan 2 | ![Image by skeeze from Pixabay](https://cdn.pixabay.com/photo/2015/10/12/17/35/security-response-team-984752_960_720.jpg) 3 | 4 | Incident response refers to the handling of, and the cleanup and recovery from, a security attack. Nowadays, attacks such as advanced persistent threats (APTs) are increasing in number and complexity. To deal successfully with these attacks, or other security incidents, you need a detailed plan, as well as a dedicated team to manage the incident, minimizing the damage to business operations and reducing the cost of recovery. In this article, I’ll explain what an incident response plan is, why you need one and how to implement it effectively. 5 | 6 | ## What Is An Incident Response Plan? 7 | An incident response plan is a detailed set of instructions to help information security staff detect, respond to and recover from cyber security incidents. Put simply, the plan is the guide detailing the steps to follow in case of an attack, including who is responsible for searching for threats, who is in charge of implementing response measures, and what measures to take. 8 | 9 | The plan should address all plausible attack scenarios given the organization’s vulnerabilities, from brute force attacks to ransomware and data breaches. It should also take into consideration service outages that threaten daily work. 10 | 11 | Successful incident response plans help your team save crucial time in the event of an attack, when every minute counts. 
When dealing with data breach incidents, it is especially important to have an updated, functional incident response plan, so the security team can act promptly and minimize data loss as much as possible. 12 | 13 | ## Why Your Business Needs An Incident Response Plan 14 | It is important to have an incident response plan in place to avoid being caught unprepared by an attacker and making ad-hoc decisions that end up costing time, data and money. 15 | Thus, the top three reasons to develop an incident response plan are: 16 | 17 | **1. Data protection** 18 | As mentioned above, one of the main benefits of having an incident response plan in place is being able to minimize data loss during an incident. A well-laid plan can help your team proactively protect your data from being stolen or misused. For example, data that falls into the wrong hands can be held for ransom. Since [ransomware](https://www.us-cert.gov/Ransomware) (WannaCry, Petya) is one of the most common types of attack nowadays, it is important to follow proper procedures to ensure no data is leaked. 19 | 20 | This involves performing secure backups at scheduled times, leveraging logs and generating security alerts to flag malicious activity, and proper access management to avoid insider threats. 21 | 22 | **2. Reputation and customer trust protection** 23 | Most customers will leave a business if they are affected by a data breach. A security breach can cost a company some or all of its customer base, making it very hard to rebuild trust and stay in business afterward. Furthermore, if the company is publicly traded, its stock value can drop dramatically after a data breach, as in the case of Equifax, Target, Yahoo, Sony, and many more. 24 | 25 | **3. Revenue protection** 26 | A detailed incident response plan protects your organization from the loss of revenue that a security incident can cause. 
The financial effects of a security incident not only involve the loss of customers, but also lost operational time. Then there is the potential economic loss if personal data is stolen, as in the case of the [Home Depot breach](https://www.bankinfosecurity.com/home-depot-confirms-data-breach-a-7288), which exposed more than 56 million customer credit and debit card accounts and had a total breach cost of $62 million. More than half of small and medium organizations can go out of business within six months of a data breach. 27 | 28 | The reality is that the quicker your response to a security incident, the less impact it will have on your data, customer trust, reputation and revenue. If your organization doesn’t currently have an incident response plan, a good option is to consider a [third-party incident response managed solution](https://www.exabeam.com/incident-response/incident-response-plan/) that can quickly implement a customized plan for you. 29 | 30 | ## Six Steps To Build An Incident Response Plan 31 | Typically, an incident response plan has six stages: 32 | 33 | **1. Preparation** 34 | The first stage of the incident response plan is to define, analyze, identify, and prepare. As part of this preparation process there are several things you should define, including: 35 | * The critical components of your network 36 | * A corporate security policy, including protocols for the appropriate use of company data. 37 | 38 | **2. Identification** 39 | At this stage, you should define what constitutes a security incident that activates the incident response team. There is a difference between an unidentified USB stick found in the lunchroom and an alert that malware has been detected. Define clear criteria for what triggers the response plan. 40 | 41 | **3. Containment** 42 | Once the threat is detected, you need to contain it immediately. Short-term containment is an immediate response, isolating the affected systems or files to avoid further damage. 
Long-term containment involves applying temporary fixes so that affected systems can go back into production while you prepare a clean rebuild. 43 | 44 | **4. Restore** 45 | The process of restoring affected systems involves reviewing them so you can remove any trace of the security incident. This is usually combined with measures to update your defenses to prevent similar attacks in the future. 46 | 47 | **5. Recovery** 48 | Define how you are going to bring the systems back into production once they are clean. At this stage, an efficient disaster recovery solution can be useful in minimizing data loss. 49 | 50 | **6. Lessons Learned** 51 | This is the last stage, where you review the documentation of the incident and update the IR plan based on your findings. 52 | 53 | ## Tips for a Successful Incident Response Plan 54 | Here are some tips that can help you succeed in implementing an incident response plan: 55 | 56 | **1. Use multi-region replication and storage**—prioritize the backup of critical data and distribute it across several locations. This can help you recover the network quickly in case of disaster or attack. 57 | 58 | **2. Identify the single points of failure in your network**—single points of failure can expose the network in the event of an incident. You can minimize the impact of a disaster by establishing redundancy and using software failover features. 59 | 60 | **3. Train the rest of your staff for incident response**—everyone, not only IT, needs to understand the importance of the response plan. Create a security culture where all departments cooperate with IT. This can reduce the impact of disruptions as well as reduce security risks. 61 | 62 | **4. Test the plan before you need it**—run a practice drill involving all relevant stakeholders. If necessary, inform partners and law enforcement. This lets everyone practice, so that when the event is real, everyone is prepared. 
63 | 64 | ## Conclusion 65 | It’s evident that nowadays, with the ever-increasing threat of security breaches, every company must be prepared to confront an attack. It is not a matter of if an attack will occur, but when. Having a well laid-out plan, whether designed in-house or by a managed incident response provider, is imperative to protect your data, your customers and your business. 66 | -------------------------------------------------------------------------------- /what-is-secops-and-how-it-can-benefit-you.md: -------------------------------------------------------------------------------- 1 | # What Is SecOps and How It Can Benefit You 2 | ![SecOps](https://cdn.pixabay.com/photo/2018/08/08/12/22/internet-3592023_1280.jpg) 3 | 4 | In today’s technological landscape, entire global economies pour money into innovative ideas willy-nilly. Everyone wants to be ‘in’ on the next big wave of disruptive technologies. As enterprises race to win the next jackpot and individual consumers demand better and improved products, the cybersecurity perimeter is torn apart. 5 | 6 | The SecOps methodology can help organizations mend fragmented security perimeters by inviting all personnel to increase visibility through a collaborative effort. 7 | ## What Is SecOps? 8 | Security Operations (SecOps) is a methodology that merges security with operations. Traditionally, security teams work independently and add their input between the testing and deployment stages of the waterfall methodology. In contrast, SecOps turns security into a collaborative process. 9 | 10 | SecOps is often considered a cultural effort, in which everyone shares the responsibility for ensuring the continued security of the organization. You can implement SecOps throughout the entire structure of your organization, or you can apply SecOps practices to a single project. 
11 | 12 | SecOps turns your security practices into a dynamic process that integrates tools, practices, goals, and [automation](https://www.networkworld.com/article/3065296/why-automation-is-the-key-to-the-future-of-cyber-security.html) with operations. 13 | ## DevOps vs SecOps - What Is the Difference? 14 | SecOps and Development Operations (DevOps) have different goals, which sometimes conflict with each other. While the main aim of DevOps is to deploy and maintain software quickly and efficiently, the SecOps methodology cares for the continued health of the software and the network. 15 | 16 | Problems arise when the goal of securing the software conflicts with the goal of delivering the software. Sometimes, the only way to maintain security is by introducing network latency. While this solution works for the SecOps team, the DevOps team would worry about the lost time. 17 | 18 | Bridging the gap between continual security and fast delivery can be difficult, but it is possible. When organizations adopt the [SecOps](https://www.exabeam.com/siem-guide/siem-concepts/secops/) mindset, everyone shares responsibility for security concerns. Thus, security standards are met at every organizational level. 19 | ## What Are the Goals of SecOps? 20 | The SecOps methodology was established to ensure that security concerns are met: 21 | * **At every stage of development** - whether you’re using the waterfall methodology, the agile method, or DevOps, you can apply SecOps to your pipeline. It might be easier for organizations that have already transitioned to DevOps, because they’re used to a collaborative effort. Waterfall practitioners might need a period of adjustment, as many personnel will find themselves charged with the additional responsibilities of security. 22 | * **At every organizational level** - applying SecOps to your organization or project means ensuring all the parties involved become accountable to security standards. 
That includes non-IT personnel who use company assets and visitors who use your Wi-Fi. Create a straightforward policy and ensure that your personnel gain the knowledge and skills necessary to uphold it.
* **By any foreign entity that comes into contact with the organization** - the days of desktop software are slowly but surely disappearing. As cloud computing gains traction, companies use third-party resources more often. When you introduce third-party tools into your technological ecosystem, especially if you’re enabling integrations, make sure that the third-party entity meets your security standards.

To ensure that your SecOps approach is put into practice, you will need the cooperation of all parties involved. Make sure that your team has clear guidelines, and make adjustments along the way. Provide your personnel with tools that enable collaboration, like [project management](https://project-management.com/top-10-project-management-software/) or [task management software](https://project-management.com/task-management-software/).
## What Are the Benefits of SecOps?
According to [Statista](https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/), the global cybersecurity market is expected to jump from $167 billion in 2019 to $248 billion in 2023. Every year, new forms of technology disrupt the global economy. Advancements and innovations integrate swiftly into the life of the individual and the infrastructure of the organization. The traditional security perimeter was breached the moment cloud computing entered the business sphere.

Nowadays, every time employees use a smartphone to access a cloud-hosted document, they breach the security perimeter. The main benefit of adopting the SecOps methodology is the ability to cover more security ground. When employees are educated in proper security protocols, they can serve as security agents, protecting the organization from their own personal devices.

Once you achieve holistic security practices in your organization, you’ll be able to see improvements in the following areas:
* **Improved productivity** - when security is integrated at every level, employees can work more efficiently. Collaboration helps pass information faster, reducing response and mitigation time.
* **Higher Return On Investment (ROI)** - when security is distributed throughout all channels, you get the chance to cut back on overhead. You can reduce expenses because everyone shares the same tools, and expensive third-party services can be consolidated into one or two in-house roles.
* **Increased efficiency via shared resources** - appropriate tools are key to enabling efficient collaboration between all teams. You can use tools with granular access control to ensure that relevant personnel gain appropriate access and authorization. Sharing resources helps provide everyone with what they need at key moments.
* **Reduced application and service disruptions** - when the whole organization is united under a dynamic security endeavor, the collaborative effort ensures quick response times. As all relevant personnel join forces to fix the issue, they reduce application and service disruptions.
* **Streamlined security audits** - whether you’re using manual audits, automation tools, or a two-pronged practice that covers both bases, you can streamline the audit process by distributing auditing tasks. This will ensure there’s no backlog and issues can be caught in a timely manner.
* **Enhanced visibility of security vulnerabilities** - when everyone is set to the task of securing the organization, you can catch vulnerabilities faster. Nowadays, there are so many vulnerabilities that we need [vulnerability libraries](https://blog.bitsrc.io/open-source-security-risks-and-vulnerabilities-to-know-in-2019-8354058f6ad3) to keep track of everything.
When everyone keeps an eye out for vulnerabilities, you gain more visibility.
## The Future of SecOps: DevSecOps
The DevSecOps methodology unifies the practices of DevOps and SecOps under one umbrella. By adopting DevSecOps, you can make sure that security concerns are met at every stage of the software lifecycle. The most important aspect of DevSecOps is that it settles the inherent conflicts between SecOps and DevOps.

By merging the two methodologies, you get a cohesive security and development cycle. Say goodbye to the battles waged over the importance of fixing security issues vs the importance of fast software delivery. When security and development unite under DevSecOps, you can expect more collaborative solutions, born out of a dynamic and healthy work environment.
--------------------------------------------------------------------------------
/optimizing-cloud-pricing:-aws-vs-azure.md:
--------------------------------------------------------------------------------
# Optimizing Cloud Pricing: AWS vs Azure
![](https://cdn.pixabay.com/photo/2017/01/17/12/45/money-1986779_1280.jpg)

When it comes to cloud computing services, many companies spend more than they need to. With big vendors like Amazon Web Services and Microsoft Azure, the difficulty lies in the complexity of understanding and estimating the costs. That being said, there are several tools and tips to help you optimize your cloud budget. In this article, we explain the pricing schemes of both giants and provide tips for managing your cloud costs effectively.
## The Dilemma: Reducing Your Cloud Costs Without Affecting Performance
Most companies move to the cloud because they want to take advantage of a flexible IT infrastructure while saving on the costs of computing power and storage space. However, once they’ve moved, the cloud budget often grows to a point where they wonder if it is profitable at all.
Many companies pay an average of 35% more for cloud services than they should.

Tackling the complexity of both AWS and Azure pricing is not for the faint of heart. It is difficult to understand the pricing schemes, which factor in the region, volume, and products used. Companies tend to accumulate resources, fearing that minimizing costs will affect their performance.

Without understanding how much you are consuming of which services and how much the platform charges for that usage, it is impossible to manage those costs. Both companies provide tools and information to help consumers. For instance, Azure has an “[Understanding your bill](https://docs.microsoft.com/en-us/azure/billing/billing-understand-your-bill)” section on its website. A calculator can help estimate the costs of the resources you use.

Screenshot of Azure Pricing Calculator

## What’s in Your Bill? Quick Price Scheme Comparison
Both cloud vendors use a pay-as-you-go pricing model, charging for the actual hourly usage of their virtual machine resources. They also offer a range of subscription-based alternatives, with various combinations of models. These include:
### Pay-as-you-go
**Amazon Web Services**

AWS has 5 main billing categories:
* **Storage and content delivery**—the category includes services such as Amazon S3, CloudFront, [AWS Elastic Block Store (EBS)](https://cloud.netapp.com/blog/ebs-volumes-5-lesser-known-functions), and Amazon Glacier.
* **Databases**—the platform includes products such as managed relational and NoSQL databases, data warehousing and migration services in this category.
* **Code deployment and management**—including automated code deployment, building and testing code, and continuous delivery of released software.
* **Compute and Networking**—this category includes services such as EC2, distributing traffic across virtual servers, automatically scaling servers, and Docker containers.
* **Application services**—including converting digital media into end-device formats, storing queued data for retrieval, hosting streaming applications and coordinating tasks between them.

Each category has a different pricing structure. Some are priced per hour of usage, others are calculated per volume in GB or charged as a monthly fee. EC2 computing services, for example, are charged per instance-hour.

**Microsoft Azure**

Each Azure service is priced differently, but the bottom line is that the more resources you use, the more you pay. The platform has pricing tiers for each service; for hosting, for example, there are four: Free, Shared, Basic and Standard.

Each service charges according to the resources used per hour. Databases, for example, allow the user to provision the number, type and generation of the instances they will use.
## Reserve and Subscription Options

**Amazon Web Services**

AWS has another pricing scheme that allows you to reserve capacity for particular products, called Reserved Instances (RI). A user can reserve capacity on a resource and get discounted hourly rates, with savings of up to 75% of the total billing costs. Consumers can reserve instances for 1- or 3-year terms.

**Microsoft Azure**

Users can save up to 72% of their billing costs if they subscribe for one- to three-year terms for Linux or Windows Virtual Machines.
## Useful Tools and Tips to Reduce Costs
Now that you understand the pricing schemes better, it is time to learn a few tricks to reduce your billing costs.
### 1. What About a Free Tier?
Both vendors offer free plans. If you are a small company, you can take advantage of these features and use these tiers until you need to scale up. Let’s take a look at what you can get for free.

**Azure**

Some products are free for the first 12 months, and others are always free.
Azure products that offer a 12-month free trial include:

| Linux Virtual Machines | Windows Virtual Machines | Managed Disks | Blob Storage | File Storage | Azure Cosmos DB | Bandwidth | SQL Database |
|------------------------|--------------------------|---------------|--------------|--------------|-----------------|-----------|--------------|
| 750 hours | 750 hours | 64 GB x 2 | 5 GB | 5 GB | 5 GB | 15 GB | 250 GB |

Other products, including artificial intelligence services such as the Face API and container services such as Azure Kubernetes Service (AKS), are always free.

**Amazon Web Services**

There are three types of products available in the free tier: free for 12 months, always free, and trials. The products that are free for 12 months include 5 GB of storage, 750 hours of Amazon EC2 and machine learning services such as Amazon Comprehend. Security and compliance products such as Amazon Macie are always free up to 1 GB in the free tier.
### 2. Use a Calculator
Estimating how much you will pay and managing your costs is much easier with a calculator. There are several pricing calculators available for AWS and Azure. Some of them include:
* **Unigma Cloud Calculator**—the solution compares computing costs between AWS and Azure. It provides an estimate based on the number of instances required, the GB provisioned, and the average hours per day the instances will run. You can adjust this estimate to a different timeframe to compare costs.
* **NetApp Azure Calculator**—the app estimates Azure costs, providing details and a per-gigabyte cost breakdown. It also shows a comparison with their own service.
* **Azure Pricing Calculator**—this calculator is featured on the platform website to help consumers estimate and configure features based on their needs.
* **AWS Pricing Calculator**—this platform calculator helps you generate a cost estimate based on your architecture needs.
### 3. Set up a “Storage Lifecycle”
Each storage category has a different price level depending on redundancy and speed. Archive storage is the cheapest and database storage the most expensive. Therefore, data that you don’t use can often be moved to a cheaper category.

For example, object stores and archives store raw data, while block and database storage services contain metadata. Setting up a lifecycle policy that automatically moves old files to a cheaper category is a good strategy to cut costs. This option is available in both AWS and Azure.
### 4. Use Autoscaling and Serverless Features
You can save costs by adjusting the number of running servers according to the workload. Thus, when demand is low, the number of servers can scale down automatically, shutting down what is not in use. Another option is to go serverless, which allows functions to run only as needed. Azure offers Kubernetes to allocate resources in a cost-effective way, while AWS provides serverless container platforms such as AWS Fargate.
### 5. Control Server Utilization
Since server usage is the largest component of your bill, you should use tools and implement strategies to minimize its cost. A good rule of thumb is to switch off unused servers and resize the servers you use to fit your workload.

There are tools such as [Azure Cost Advisor](https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations) or [Cloudyn](https://www.cloudyn.com/) that work with Azure to optimize costs. For AWS you can use tools such as AWS Trusted Advisor. These solutions can detect servers that are no longer in use and recommend that they be turned off.
### 6. Reserve Instances
Using reserved instances, a company can reduce the cost of the servers it is going to use long term. Discounts vary from forty to sixty percent according to the length of the commitment.
If you want to stop using a committed server, you can replace the commitment with a different type of server or cancel the RI and pay a penalty.
## Conclusion
Managing the cost of the cloud can be a hassle even for the most experienced organizations. Whether you are a small startup or a medium-sized company, there are ways to cut costs. You can take advantage of the free tier options or utilize RIs or serverless functions, and you can estimate your workload needs to manage your cloud costs efficiently.
--------------------------------------------------------------------------------
/evaluating-cloud-backup-solutions.md:
--------------------------------------------------------------------------------
# Evaluating Cloud Backup Solutions (AWS vs. Azure vs. Google Cloud)
![aws vs. azure vs. google backup](https://cdn.pixabay.com/photo/2018/04/19/16/47/cloud-3333628_1280.png)

When an attack happens, the most important thing is to restore the systems as soon as possible. The staggering costs of a data breach are driving organizations to choose backup and recovery solutions to ensure they can bounce back after an attack.

There are several solutions for backup and recovery, some on-premises and others cloud-based. Although they provide similar core services, each platform has its own strengths and weaknesses.

In this article, we will cover what a cloud backup and recovery solution is and why it is important, and will analyze the three top vendors, [Google](https://cloud.google.com/storage/archival/), [Azure](https://azure.microsoft.com/en-us/services/backup/) and [Amazon Web Services](https://aws.amazon.com/backup-restore/). We aim to highlight their key features, pricing, and support to help you choose the right solution for your organization.
## What Is a Cloud Backup and Recovery Solution?
Cloud backup automates backing up and storing data from your servers to a secure private or public cloud service. Backup and recovery solutions allow you to restore the critical systems of your environment in the event of a disaster such as a data breach. Let’s take a look at the differences between keeping your backups on-premises or in the cloud.

The key differences between the two approaches lie in the recovery time and the security they offer.
* **Recovery time**—On-premises backups usually take longer, from hours to weeks, to recover and upload the data. This depends on the type of storage chosen and its location. Cloud backups, on the other hand, are much faster, taking from minutes to hours to fully recover. Since the data is already stored in the cloud, there is no retrieval and upload time.
* **Security**—The public or private cloud hosting the backup benefits from security solutions such as threat intelligence systems that monitor the environment and prevent threats.
## Top Three Cloud-Based Recovery Solutions Compared
There are several cloud vendors that offer an array of features and disaster recovery solutions. The top three cloud platforms are Google, Azure and Amazon Web Services (AWS). Let’s have a look at what they have to offer.
## Amazon Web Services
The oldest of the three platforms, AWS is an Infrastructure-as-a-Service (IaaS) cloud services platform. The platform offers over 140 services, among them security features such as data encryption, access control, and a firewall system. AWS leverages the network of data center regions built for Amazon’s shopping platform, allowing users to select a region close to their traffic origin. This enables fast transfers of data to and from the cloud, speeding recovery in case of disaster.

*Features*
* **Data durability**—copies of all data uploaded to AWS S3 are stored on three devices in a single AWS region.
* **Flexibility and scalability**—scales up backup resources in minutes.
* **Cost-efficient**—with pay-as-you-go pricing. It provides a range of storage classes (object storage classes), so you can choose the right storage for your use cases and adjust your costs accordingly.
* **Support for all data types**—offers backup for all data types, including storage services for blocks, files and objects.
* **Security and compliance**—the AWS security platform uses built-in network firewalls to control access to applications and instances. The system keeps its customers’ data secure by automatically encrypting all traffic. It also manages compliance programs in its infrastructure, providing compliance reports.

*Pricing*

The platform offers a pricing scheme on a per-hour payment basis. It provides a free plan with limited storage and computing capability that is useful for start-ups or individuals. The on-demand pricing model allows paying monthly for per-hour billed usage.

*Support*

Amazon S3 offers 24/7 free support for basic troubleshooting. General inquiries are usually answered within 24 hours. However, the platform charges monthly for more advanced technical support, with response times varying according to the chosen plan, from twelve hours on the Developer plan to fifteen minutes on the Enterprise plan. Several features, such as third-party software support, are available only on the Business and Enterprise plans.

*Benefits of AWS Backup*
* **Centrally manages backups**—from a central console that allows you to back up and restore data.
* **Automates backup processes**—provides automated backup schedules. The system is easy to implement. You can apply backup policies by tagging your AWS resources.
## Microsoft Azure
A hybrid cloud platform that focuses on the Internet of Things (IoT), DevOps and app development.
Azure offers Platform-as-a-Service (PaaS) resources such as [Azure Backup](https://cloud.netapp.com/blog/5-considerations-before-you-backup-on-azure) and Azure Site Recovery (ASR). The platform allows for data encryption and offsite storage.

*Features*
* **Security and Availability**—Azure Backup stores the data on three separate servers at the primary data center and keeps another three copies in an alternative location. It provides data encryption for all traffic and for data at rest.
* **Efficient Bandwidth Utilization**—The platform generates an initial full backup that is then updated periodically on a schedule. This minimizes bandwidth consumption.
* **Integration with Data Protection Manager (DPM)**—allows Microsoft users to create a hybrid backup service.
* **Virtual machine replication automation**—using ASR, which allows you to replicate even on-premises virtual machines and physical servers to Azure.
* **Varied operating system support**—from Windows to Linux, ASR supports a variety of applications and operating systems.

Additional features include:
* Automatic Storage Management
* Unlimited Scaling
* Unlimited Data Transfer
* Long-Term Retention

*Pricing*

The solution offers pre-paid or monthly payment options. Azure rates are calculated factoring in the amount of storage provisioned, the geographical location, the usage frequency and the type of data redundancy you choose. The price is calculated per minute of usage. While it seems complicated at first, the platform’s pricing model helps users manage costs when handled appropriately.

*Support*

Azure offers free basic support, with three paid tiers for advanced support. Response times range from business hours for the Developer tier to 24/7 for the Standard and Professional Direct tiers. For critical issues, the response time ranges from up to eight hours to up to one hour.

Account management and advisory services are only available for the top tier. In addition, there is a ‘Premier Support’ tier boasting a response time of up to 15 minutes as well as account management and advisory services.

*Benefits of Azure Backup and Recovery*
* High performance
* High computing capability
* Integration with other Microsoft services
## Google Cloud
Google Cloud Storage is a service within the Google Cloud Platform (GCP), providing unified object storage and archived data. Like AWS, the platform offers users the option to choose the geographical region in which to store their data. For backup and recovery services, Google relies on third-party service providers that integrate seamlessly with the platform.

*Features*
* **Third-party providers**—allow users to choose the backup service that best fits their needs. For example, Coldline and Nearline manage cold and warm storage, respectively, and are available in all GCP regions.
* **Guaranteed 99.99% SLA**—which means that downtime is kept to a minimum.
* **High scalability**—to exabytes of data.
* **Automatic backup scheduling**—several providers offer automated backup scheduling, retention and storage tiering.

Additional features include:
* Persistent storage for snapshots
* Regional storage for backups
* Nearline/Coldline storage for archives

*Pricing*

Pay-as-you-go, billed per minute or per second of usage. Several partners offer 1 cent per GB/month for warm data storage and 0.7 cents per GB/month for cold data storage.

*Support*

Google Cloud Storage features a free tutorial support center, with an active community that can help solve most basic troubleshooting. It provides three paid tiers of advanced support with a monthly cost. For critical issues, the response time ranges from four business hours to 15 minutes for the top tier.
Consultations and technical account management are available only for the top tiers.

*Benefits of Google Backup*
* Better prices than other providers
* Excellent networking speed
* Fastest recovery times
* Providers integrate with Google Cloud Storage
## Which One Should You Choose?
Although it is not an easy feat to choose the best cloud backup service provider for your organization, we have aimed to provide you with the information to make a choice. Different types of companies will match different cloud vendors.

For example, if your organization already uses a lot of Microsoft products, Azure can be a natural choice. If your company is a small startup looking for cost-effective pricing and fast scalability, you can consider Google Cloud Platform. Companies looking for a wide catalog of services and multi-region scope can look into AWS. In the end, it comes down to checking which provider addresses your company’s needs best.
--------------------------------------------------------------------------------
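Tip 3 ("Set up a Storage Lifecycle") in the cloud pricing article above recommends a lifecycle policy that moves aging files to a cheaper storage class, and the backup article relies on the same tiering (Nearline/Coldline, S3 storage classes) for archives. The following Python is an added example, not code from either article, from AWS or from any vendor: it writes such a policy in the shape the S3 `PutBucketLifecycleConfiguration` API accepts, checks the constraints S3 enforces on it, and simulates the policy offline over a constructed object inventory so you can see which objects transition, which expire, and what an illustrative monthly bill does. The object keys, dates, storage-class subset and per-GB prices are constructed for the example and are not real prices. The policy also shows the detail a defender wants in such a rule: audit logs are tiered down but deliberately never expired, so the cost saving does not quietly shorten the evidence you can retrieve after an incident.

```python
"""Added example: offline simulation of an S3-style storage lifecycle policy.

The rule shape mirrors the S3 PutBucketLifecycleConfiguration request body
(Rules -> ID / Status / Filter.Prefix / Transitions[Days, StorageClass] /
Expiration.Days). Keys, dates and prices below are constructed sample data.
"""
from datetime import date

# Constructed lifecycle configuration. Audit logs stay in STANDARD for 30 days
# (fast access during an investigation), then tier down, and are never expired
# by this policy; scratch uploads are deleted after 7 days.
LIFECYCLE_CONFIG = {
    "Rules": [
        {
            "ID": "tier-down-audit-logs",
            "Status": "Enabled",
            "Filter": {"Prefix": "logs/audit/"},
            "Transitions": [
                {"Days": 30, "StorageClass": "STANDARD_IA"},
                {"Days": 90, "StorageClass": "GLACIER"},
            ],
        },
        {
            "ID": "expire-scratch-uploads",
            "Status": "Enabled",
            "Filter": {"Prefix": "scratch/"},
            "Expiration": {"Days": 7},
        },
    ]
}

# Subset of S3 storage classes, warmest (fastest, priciest) to coldest.
CLASS_ORDER = ["STANDARD", "STANDARD_IA", "ONEZONE_IA", "GLACIER", "DEEP_ARCHIVE"]

# Illustrative USD per GB-month, constructed for this example only.
PRICE_PER_GB_MONTH = {"STANDARD": 0.023, "STANDARD_IA": 0.0125, "ONEZONE_IA": 0.01,
                      "GLACIER": 0.004, "DEEP_ARCHIVE": 0.001}


def validate_config(config):
    """Return the problems S3 would reject this configuration for (empty list
    means well formed): bad Status, unknown storage class, an infrequent-access
    transition earlier than the 30-day minimum, or an Expiration that would
    fire before the rule's last Transition."""
    problems = []
    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<no id>")
        if rule.get("Status") not in ("Enabled", "Disabled"):
            problems.append(f"{rid}: Status must be Enabled or Disabled")
        last_transition_day = 0
        for t in rule.get("Transitions", []):
            if t["StorageClass"] not in CLASS_ORDER:
                problems.append(f"{rid}: unknown StorageClass {t['StorageClass']}")
            if t["StorageClass"] in ("STANDARD_IA", "ONEZONE_IA") and t["Days"] < 30:
                problems.append(f"{rid}: transition to {t['StorageClass']} needs Days >= 30")
            last_transition_day = max(last_transition_day, t["Days"])
        if "Expiration" in rule and rule["Expiration"]["Days"] <= last_transition_day:
            problems.append(f"{rid}: Expiration.Days must exceed every Transitions.Days")
    return problems


def apply_lifecycle(config, key, created, today):
    """Return ("EXPIRED", None) or ("KEPT", storage_class) for one object.

    Only Enabled rules whose Filter.Prefix matches the key apply. Of the
    transitions whose Days threshold the object's age has reached, the coldest
    class wins (an assumption that simplifies how S3 resolves overlapping
    rules). Call validate_config first; unknown classes are not handled here."""
    age_days = (today - created).days
    best_class = "STANDARD"
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        if not key.startswith(rule.get("Filter", {}).get("Prefix", "")):
            continue
        exp = rule.get("Expiration")
        if exp and age_days >= exp["Days"]:
            return ("EXPIRED", None)
        for t in rule.get("Transitions", []):
            reached = age_days >= t["Days"]
            colder = CLASS_ORDER.index(t["StorageClass"]) > CLASS_ORDER.index(best_class)
            if reached and colder:
                best_class = t["StorageClass"]
    return ("KEPT", best_class)


def monthly_cost(inventory, config, today):
    """Illustrative monthly bill for (key, size_gb, created) tuples: everything
    in STANDARD versus what remains after the policy runs."""
    before = sum(size * PRICE_PER_GB_MONTH["STANDARD"] for _, size, _ in inventory)
    after = 0.0
    for key, size, created in inventory:
        state, cls = apply_lifecycle(config, key, created, today)
        if state == "KEPT":
            after += size * PRICE_PER_GB_MONTH[cls]
    return round(before, 4), round(after, 4)


# Constructed inventory: (key, size in GB, creation date), evaluated on TODAY.
SAMPLE_INVENTORY = [
    ("logs/audit/2024-01.json.gz", 40, date(2024, 1, 31)),  # 120 days old
    ("logs/audit/2024-04.json.gz", 40, date(2024, 4, 30)),  # 30 days old
    ("logs/audit/2024-05.json.gz", 40, date(2024, 5, 20)),  # 10 days old
    ("scratch/export.csv", 20, date(2024, 5, 10)),          # 20 days old
    ("scratch/today.csv", 20, date(2024, 5, 29)),           # 1 day old
]
TODAY = date(2024, 5, 30)

if __name__ == "__main__":
    print("config problems:", validate_config(LIFECYCLE_CONFIG))
    for key, _, created in SAMPLE_INVENTORY:
        print(key, apply_lifecycle(LIFECYCLE_CONFIG, key, created, TODAY))
    print("monthly cost before/after:", monthly_cost(SAMPLE_INVENTORY, LIFECYCLE_CONFIG, TODAY))
```

Run as a script, the oldest audit log lands in GLACIER, the 30-day-old one in STANDARD_IA, the 20-day-old scratch export is expired, and the illustrative bill drops from 3.68 to 2.04. Applying the same dictionary to a real bucket would be a `put_bucket_lifecycle_configuration` call in boto3, which is left out so the example runs offline; Azure Blob Storage has an equivalent lifecycle management feature with its own JSON rule format, not shown here.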