Archive | August, 2011

Protect Your Brand: A Warning to FOSS Project Admins

Those of us in the open source community know firsthand what an exciting time it is. Open source is growing by leaps and bounds, and is being adopted more and more every year. While this is awesome news for open source project admins, it also means that open source will be more of a target for malicious and dishonest activity. Recently, we have seen a disturbing trend and more evidence of those trying to capitalize on your hard work. As an open source developer, this should be something of the utmost concern.

We care deeply about the future of open source, so we offer these words of advice for project admins, to protect yourselves and your end users. Remember, your reputation is everything. It’s all you have, and it only takes a moment for that to be ruined.

1. Know where your project is being distributed, and only use trusted distribution partners. Do a regular search or sign yourself up for a Google Alert on your project name, and see what comes up. If your project is being downloaded from a site that you believe is not in compliance with your open source license, ask them to remove it immediately.

2. Know who might be infringing on your copyrights, or using your name to package harmful malware. We have seen this happen before. Again, regularly searching for your project name can help turn up some of these cases.

3. Speaking of intellectual property protection, if you haven’t taken the time to trademark your project name or logo, do it. This can make or break you if you ever need to take an infringement case to court. Copyright laws vary from country to country, and they can be pretty complicated, but there are resources out there that can help. The Software Freedom Law Center is a great place to start.

4. Clearly communicate to your end users where they can find the official version of your software. Make sure they know what they’re getting. If they download a piece of malware with your name on it, they will only blame you, and the trust you’ve worked so hard to achieve will be destroyed.

As a project admin, maintaining the integrity of the brand around your software can seem like a daunting task. But it’s also one of the most important tasks you face. It’s *your* project, made with *your* blood, sweat and tears. Remember that “open source” does not have to mean “open season.”

Easier Security Code Reviews with Agnitio


These days, creating secure applications is of the utmost importance, and as crackers improve their skills, security is becoming more and more challenging. Developers who are responsible for this area are only as good as the tools available to them. If this is you, and you work on Windows, then you might want to have a look at Agnitio. This security review tool assists you in conducting manual security reviews, and provides code review metrics and reporting for static analysis.

Agnitio’s lone developer is a man who takes security *very* seriously, David Rook. He recently received a Microsoft Security MVP award, and his expert Security Ninja blog has been nominated for five awards, including the Computer Weekly IT Security blog award. I had the distinct pleasure of talking with David about the Agnitio project.

How did the project get started?

Two main reasons really. Firstly, my application security team was growing fast and I needed to make sure that our security code review process was structured and exactly the same regardless of who completed the review. This was achieved by creating a checklist that covers the root causes of common web application vulnerabilities. The decision to have a checklist driven approach was influenced by the Checklist Manifesto book and the fact that checklists help engineers, doctors and pilots do their jobs better, so why can’t they do the same for security code reviewers? What I also wanted to do was to understand that humans can be good code reviewers but only with the right help, guidance and tools. Agnitio is designed to make the most use of the limited time that humans are “useful” for code reviews. Humans get tired, emotional and distracted, so Agnitio is there to try and keep them on track with the guidance they need when they need it the most – during the review itself.

The second reason was to deal with a bit of laziness on my behalf initially, I suppose. I hated the report creation part of code reviews and the need to make sure we had audit trails and metrics, so I wanted to make all of these things happen automatically. Basically, what I can now say is that if you use Agnitio to do your security code reviews you get your audit trails, integrity checks, reports and metrics automatically without any additional work on top of completing the review itself.
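To make the checklist-driven model David describes concrete (a fixed set of root-cause questions, every answer recorded, an integrity check over the finished review, and metrics derived from it without extra work), here is an added illustration in Python. It is not Agnitio's code and not its file format; the checklist questions, the `pass`/`fail`/`n/a` answer vocabulary and the SHA-256-over-canonical-JSON integrity scheme are all assumptions made for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical root-cause checklist, constructed for this example
# (not Agnitio's real checklist).
CHECKLIST = [
    ("input-validation", "Is all input validated against an allow-list before use?"),
    ("output-encoding", "Is output encoded for the context it is rendered in?"),
    ("authn", "Are authentication decisions made only on the server side?"),
    ("authz", "Is authorization checked on every protected operation?"),
    ("secrets", "Are secrets kept out of source control and logs?"),
]
VALID_ANSWERS = {"pass", "fail", "n/a"}


def new_review(app_name, reviewer, started=None):
    """Start a review record; 'started' is an ISO timestamp (defaults to now, UTC)."""
    if started is None:
        started = datetime.now(timezone.utc).isoformat()
    return {"app": app_name, "reviewer": reviewer, "started": started, "answers": {}}


def record_answer(review, question_id, answer, note=""):
    """Record one checklist answer; unknown questions or answers are rejected."""
    if question_id not in dict(CHECKLIST):
        raise ValueError(f"unknown checklist question: {question_id}")
    if answer not in VALID_ANSWERS:
        raise ValueError(f"answer must be one of {sorted(VALID_ANSWERS)}")
    review["answers"][question_id] = {"answer": answer, "note": note}


def _digest(review):
    # Hash a canonical serialisation of everything except the integrity field,
    # so any later edit to an answer or note changes the digest.
    body = {k: v for k, v in review.items() if k != "integrity"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def finalize(review):
    """Refuse to close an incomplete review, then seal it with an integrity digest."""
    missing = [qid for qid, _ in CHECKLIST if qid not in review["answers"]]
    if missing:
        raise ValueError(f"unanswered checklist questions: {missing}")
    review["integrity"] = _digest(review)
    return review


def verify_integrity(review):
    """True if the stored digest still matches the review's content."""
    return review.get("integrity") == _digest(review)


def metrics(review):
    """Counts derived from the answers: coverage and number of findings (fails)."""
    counts = {a: 0 for a in VALID_ANSWERS}
    for entry in review["answers"].values():
        counts[entry["answer"]] += 1
    answered = len(review["answers"])
    return {
        "questions": len(CHECKLIST),
        "answered": answered,
        "coverage": answered / len(CHECKLIST),
        "findings": counts["fail"],
        **counts,
    }


def report(review):
    """Plain-text report generated from the record, not written by hand."""
    lines = [f"Security code review: {review['app']} by {review['reviewer']}",
             f"Started: {review['started']}"]
    for qid, question in CHECKLIST:
        entry = review["answers"].get(qid, {"answer": "unanswered", "note": ""})
        lines.append(f"[{entry['answer']:>4}] {question} {entry['note']}".rstrip())
    m = metrics(review)
    lines.append(f"Findings: {m['findings']}  Coverage: {m['coverage']:.0%}")
    lines.append(f"Integrity: {review.get('integrity', 'not finalized')}")
    return "\n".join(lines)


if __name__ == "__main__":
    r = new_review("demo-app", "reviewer@example.invalid")
    for qid, _ in CHECKLIST:
        record_answer(r, qid, "pass")
    record_answer(r, "authz", "fail", "admin endpoint lacks a role check")
    finalize(r)
    print(report(r))
    print("integrity ok:", verify_integrity(r))
```

The point of the digest is the audit trail: once a review is finalized, any edit to an answer or note makes `verify_integrity` return False, so a stored review can be trusted to be the one the reviewer actually completed.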

Have you contributed to open source before?

I hadn’t actually, what better way to start than making your own project?

Do you have plans for the project, such as expanding the functionality or growing the dev team?

I have lots and lots of ideas in mind for future versions of Agnitio. I plan to increase the number of rules for the code analysis module to include languages such as PHP and Java on top of the Android and iOS rules that I added in v2.0. Some of the other changes I have in mind are having dynamic checklists so that users aren’t stuck using one checklist – if you are reviewing an application that is Java using Spring and Microsoft SQL Server, you get a checklist that focuses on specific issues associated with that stack, for example. I love the user suggested changes, and my list of user suggested changes includes things like notes per checklist question in the review rather than one overall notes box, and the ability to compare/access previous review results for an application whilst you are doing a new review.

Growing the dev team is something I have in mind. We have demand for adding lots of new functionality in the Windows version, people want a Linux version and we have even had a request for an Android tablet version. I’d certainly encourage people to get in touch if they think they can help with anything associated with taking Agnitio forward.

Why do you personally contribute to open source?

Mainly because I’ve worked in companies where application security budgets were non-existent, and even where budgets are available, commercial application security tools are out of reach for most people. I wanted to make a solution that anyone could pick up and use regardless of their application security understanding and budget.

How can people help you? What are your main needs right now?

One of the things I really need right now is for people who use Agnitio to tell me what they see as the biggest problems with the tool. I’d love to know what the users would like to change or add to the tool to address issues they have and really push the project forward. If anyone wants to contribute more than ideas, I’m always looking for people to help write code or even test Agnitio when I’m close to releasing a new version, especially people using non-English versions of Windows!

Agnitio is a very useful and well developed tool, and has a very bright future ahead. We encourage you to check it out!

To download Agnitio:

Open Source is Ready for Prime Time

Welcome to another edition of Take Five. In today’s edition I talk open source software development in today’s enterprise world with Clay Loveless, currently founder at Jexy and formerly of Mashery (where he was a co-founder).

Stephen Wellman (SW): Hello, Clay, welcome to Take Five, a new feature on the SourceForge blog where we discuss the pressing issues facing today’s IT professionals. It’s a pleasure to have you with us. As someone who works with developers, how has the role of open source software development changed in today’s business world? Are larger businesses more amenable to open source now than they were a few years ago?

Clay Loveless (CL): Hi Stephen, thanks for having me on your blog!

It’s rare that I encounter customers at large or small companies who aren’t leveraging open source software in some significant way. Gone are the old days of programming languages driven by big companies, commercially licensed web servers, and in light of the NoSQL movement, there’s even less going on with commercially licensed databases than there used to be.

There’s still a desire among many to have a support contract with someone associated with an open source product. No one likes to find that their company is dependent upon an open source tool that no one understands but the guy who left the company last month… and typically the company will often discover that when that one piece breaks.

There’s hardly any reason for a new company to build on anything *but* open source, which is a big part of what’s driving this “lower barrier to entry than ever” theme that’s been floating around the startup entrepreneur and investment community for a couple years.

More established companies, however, will still gravitate toward the support contract and/or the commercial solution, simply to get an SLA that they can back their OWN SLA with. I don’t think that trend will continue, but the decline of that practice will be slow.

SW: What, in your personal opinion, Clay, are the top three technology trends shaping today’s IT market?

CL: Mobile, commodity computing, and social media/customer support.

Mobile: I can hardly believe that just four years ago I was toting a Treo 650 and thinking it kicked serious a**. The rapid advancement of mobile technology is obviously something unlike anything we’ve ever seen, and we’ve barely begun seeing and understanding the ramifications of that growth. When entire regions leapfrog over technology evolution milestones we experienced in the US, there’s something that can’t be ignored going on. The real shaping of the IT market there lies with who’s paying attention to this trend, and who’s not. Those who don’t devote resources to mobile are those who aren’t going to be around too long.

Commodity computing: The REAL “cloud computing,” before marketing departments and windbags hijacked the term, was commodity computing. Infrastructure as a Service. It legitimized the whole burgeoning field of DevOps, where clever coders with sysadmin skills can conduct orchestras of computing resources all over the world from any Starbucks. When you step back from all the hype and look at what’s possible today with API-enabled computing resources, it’s truly staggering. When I decided to build Mashery’s entire architecture around Amazon EC2 in 2006, people thought I was crazy. Now look at what’s possible. You’re crazy these days if you DON’T use commodity API-controlled infrastructure.

Social media/customer support: The increasing interconnectedness of geeks around the world is having a serious impact on the IT market. I wish I could see a show of hands of who’s still looking to InformationWeek (or similar print publications) for their IT news (A *weekly*? Seriously? And on paper?). Influencers have direct connection to the masses, as do the companies that want to reach those same folks. It’s possible now to see who *really* cares about their customers, and who’s just milking them. Just as with mobile, the tech companies who don’t realize that customer service is critically important in these transparent times aren’t long for this world.

SW: Is open source now more of a go-to for businesses looking to run commercially viable Web services and applications? Why do you think this is?

CL: Absolutely. After Yahoo, Facebook, and Twitter have demonstrated that you can certainly build a top 10 internet property on the back of open source — AND contribute *back* to open source, as they all have — it’s hard to argue that you really need commercial tools to make it big. The proof is right there, and now that it’s been proven day in and day out for so many years, it’s finally sinking in for people and becoming much more of a go-to option for businesses of any size.

Turbocharge Your File Manager with DropIt


We all use the file manager nearly every day to view, move and sort files/folders. Admittedly, the file manager is limited in its functionality, and doesn’t allow much for batch processing of files, or matching of patterns in file or folder names. So what if we turbocharged our standard file manager? We would have DropIt!

DropIt is a small Windows app that floats on your desktop, allowing you to drag and drop files and folders for batch processing. From their site:

You can configure DropIt to do 9 different actions to your files and folders (Move, Copy, Compress, Extract, Rename, Open With, List, Delete and Ignore), filtering files by name, extension, location, size and/or date. You can even save sets of patterns in profiles and associate a profile to each desired folder, to scan monitored folders at a defined time interval.

This software boasts a host of other features, such as logging, multi-language and Unicode support, password protection, and much more. I was able to speak with Andrea Luparia, one of the lead devs on this project.
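The filtering model described above (actions chosen by rules that match on file name, extension, size and date, with the first matching rule winning) is easy to misread until you see it applied, so here is an added example in Python that plans such actions over a constructed set of files. It is not DropIt's code (DropIt is written in AutoIt); the rule fields, the action names, the sample paths and the first-match semantics are assumptions for this illustration. The planner only reports what it would do, which is the safe way to test a new rule set before letting any tool move or delete files.

```python
import fnmatch
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One routing rule. Every constraint left at its default matches everything."""
    name: str
    action: str                        # e.g. Move, Copy, Compress, List, Ignore
    destination: str = ""
    name_pattern: str = "*"            # glob on the file name, case-insensitive like Windows
    extensions: Tuple[str, ...] = ()   # lower-case, without the dot; empty = any
    min_size: int = 0                  # bytes
    max_size: Optional[int] = None
    older_than_days: Optional[int] = None


@dataclass
class FileInfo:
    path: str
    size: int
    modified: datetime


def matches(rule: Rule, f: FileInfo, now: datetime) -> bool:
    """Check every constraint of the rule against one file."""
    base = os.path.basename(f.path)
    if not fnmatch.fnmatchcase(base.lower(), rule.name_pattern.lower()):
        return False
    ext = os.path.splitext(base)[1].lower().lstrip(".")
    if rule.extensions and ext not in rule.extensions:
        return False
    if f.size < rule.min_size:
        return False
    if rule.max_size is not None and f.size > rule.max_size:
        return False
    if rule.older_than_days is not None and (now - f.modified) < timedelta(days=rule.older_than_days):
        return False
    return True


def plan(rules: List[Rule], files: List[FileInfo], now: datetime) -> List[Tuple[str, str, str]]:
    """Dry run: for each file return (path, action, destination) of the first matching rule.
    Files no rule matches are reported as 'Unmatched' so they are never silently dropped."""
    result = []
    for f in files:
        for rule in rules:
            if matches(rule, f, now):
                result.append((f.path, rule.action, rule.destination))
                break
        else:
            result.append((f.path, "Unmatched", ""))
    return result


# Constructed rule set: order matters, the first match wins.
RULES = [
    Rule("ignore-thumbnails", "Ignore", name_pattern="thumbs.db"),
    Rule("old-docs", "Compress", "C:/Sorted/Archive", extensions=("pdf", "docx"), older_than_days=30),
    Rule("docs", "Move", "C:/Sorted/Documents", extensions=("pdf", "docx")),
    Rule("installers", "Move", "C:/Sorted/Installers", extensions=("exe", "msi")),
    Rule("large-files", "List", min_size=1_000_000_000),
]

# Constructed sample files (nothing here is read from disk).
SAMPLE_FILES = [
    FileInfo("C:/Users/demo/Downloads/setup.exe", 5_000_000, datetime(2011, 8, 14)),
    FileInfo("C:/Users/demo/Downloads/report.pdf", 200_000, datetime(2011, 6, 1)),
    FileInfo("C:/Users/demo/Downloads/notes.pdf", 10_000, datetime(2011, 8, 14)),
    FileInfo("C:/Users/demo/Downloads/Thumbs.db", 4_096, datetime(2011, 8, 10)),
    FileInfo("C:/Users/demo/Downloads/big.iso", 3_000_000_000, datetime(2011, 8, 12)),
]
NOW = datetime(2011, 8, 15)


if __name__ == "__main__":
    for path, action, dest in plan(RULES, SAMPLE_FILES, NOW):
        print(f"{action:<10} {path} {'-> ' + dest if dest else ''}".rstrip())
```

Because `old-docs` is listed before `docs`, a PDF older than 30 days is compressed while a fresh one is merely moved; swap the two rules and every PDF would be moved, which is exactly the kind of ordering mistake a dry run surfaces before any file is touched.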

The idea for the project came from a user request from the website (another project of Andrea’s). From there, other users jumped in to help with improving it. Andrea has learned a lot from working on DropIt, mostly with regard to writing clean code, using AutoIt, and keeping the code portable.

While his newest release included some major improvements, Andrea is now working on implementing other features, such as a “list” action (to create lists of dropped files) and support for multiple actions.

When I asked Andrea why he personally contributes to open source he said, “I think it’s possible to do free good software of any kind, for all users that desire to use them.. and I think the best way is to offer also the source code, to improve it also with the collaboration of other users.”

Andrea is always looking for help with coding new features, testing releases, translation, creating clones for other operating systems, and coming up with ideas for new features.

If you are a Windows user, or if you’re looking for a great open source project to contribute to, you should definitely give DropIt a look!

Thanks Andrea!

Showcase Your App at OWASP AppSec USA


OWASP (The Open Web Application Security Project) has announced their 2011 Open Source Showcase as a part of the OWASP AppSec USA Conference. The conference itself is September 20-23 in Minneapolis, MN, with the Open Source Showcase running Sept 22-23. The Open Source Showcase is designed to let you spread the word about your open source project. Although there is a focus on security-related apps, the showcase is open to everyone. From their site:

“The OWASP Open Source Showcase is open to ANY project, not just OWASP projects. The only requirement is that the project must be licensed under an approved Open Source License.”

What a perfect place to let people know about the open source project you work so hard on! To apply for inclusion in the Open Source Showcase, visit the OSS section of the OWASP AppSec Site.

The AppSec USA Conference is a fantastic opportunity to learn from, and network and collaborate with fellow developers interested in security best practices on the Web. At ticket prices starting at just $75 for students, it’s a steal! For more information, we encourage you to visit the AppSec USA site.