At Thoughtworks, we've long been fans of open-source software, popularized in part by Eric Raymond's famous essay "The Cathedral and the Bazaar." Open-source software improves developer mobility and crowdsources both bug fixes and innovation. However, attempts at commercialization demonstrate the enormous economic complexity of the current ecosystem. See, for example, AWS forking Elasticsearch to OpenSearch in September 2021 in response to Elastic changing their license to require cloud service providers who profit off their work to contribute back. This shows how difficult it can be for commercial open-source software to maintain a competitive moat. Sometimes the power dynamics work in reverse: because Facebook funded Presto as an open-source product, the maintainers were able to keep the IP and rebrand it as Trino after they left the company, in effect benefiting from Facebook's investment. (The same concern applies with free closed-source software, as we witnessed some companies exploring Docker Desktop alternatives because of Docker's ongoing effort to find the right commercial model.) The situation is further muddied by the amount of critical infrastructure that isn't corporate-sponsored, where companies usually only notice how reliant they are on unpaid labor when a critical security bug is discovered (as recently happened with Log4J). In some cases, funding hobbyist maintainers through GitHub or Patreon provides enough lift to make a difference; in others it simply creates an additional feeling of responsibility on top of their day job and contributes to burnout. We continue to be strong supporters of open-source software but recognize that the economics are becoming increasingly bizarre, and there are no easy solutions to finding the right balance.

Hackers are increasingly taking advantage of the asymmetrical nature of offense and defense in the security arena - they only need to find one vulnerability, whereas defenders must secure the entire attack surface - while employing increasingly sophisticated hacking techniques. Improved supply chain security is a critical piece of our response as we work to keep systems secure. Public instances of severe problems - the Equifax data breach, SolarWinds attack, Log4J remote zero-day vulnerability and so on - were caused by poor governance of the software supply chain. Teams now realize that responsible engineering practices include validating and governing project dependencies, and this drives a number of blips in this edition of the Radar. Entries include checklists and standards such as Supply-chain Levels for Software Artifacts (SLSA), a Google-backed consortium to provide guidance on standard threats to the supply chain, and CycloneDX, another set of standards driven by the OWASP community. We also feature concrete tools such as Syft, which generates a Software Bill of Materials (SBOM) from container images.

Burgeoning categories of frameworks appear to be a common pattern in the Radar: a foundational framework becomes popular, followed by a raft of tools creating an ecosystem for common deficiencies and enhancements, ending with consolidation around a few popular tools. However, React state management seems resistant to this common tendency. Ever since Redux was released, we've seen a steady stream of tools and frameworks that manage state in slightly different ways, each with a different set of trade-offs.
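To make the dependency-governance point concrete, here is an added example (not from the Radar, Syft, or CycloneDX themselves) of a small Python policy check over a CycloneDX-style JSON SBOM of the kind Syft can emit. The SBOM, the policy thresholds and the function names are all constructed for this illustration; real minimum versions would come from your vulnerability feed.

```python
import json
import re

# Constructed sample SBOM in the CycloneDX JSON shape (hand-written, not real Syft output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "vendored-blob", "version": "0.1"},  # no purl at all
    ],
})

# Constructed policy (placeholder values): minimum versions keyed by version-less purl,
# plus the package ecosystems this project is allowed to depend on.
POLICY = {
    "min_versions": {"pkg:maven/org.apache.logging.log4j/log4j-core": "2.17.1"},
    "allowed_types": {"maven", "npm"},
}

def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); only numeric segments take part in the comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def purl_type(purl):
    """Ecosystem of a package URL: 'pkg:npm/lodash@4.17.21' -> 'npm'."""
    return purl.split(":", 1)[1].split("/", 1)[0]

def check_sbom(sbom_json, policy):
    """Return (identifier, reason) findings for every component that violates the policy."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:  # without a purl the component cannot be matched to any advisory feed
            findings.append((comp.get("name", "?"), "no purl, cannot be governed"))
            continue
        eco = purl_type(purl)
        if eco not in policy["allowed_types"]:
            findings.append((purl, f"ecosystem '{eco}' not on allow list"))
        floor = policy["min_versions"].get(purl.split("@", 1)[0])
        version = comp.get("version", "")
        if floor and parse_version(version) < parse_version(floor):
            findings.append((purl, f"version {version} below minimum {floor}"))
    return findings

if __name__ == "__main__":
    for ident, reason in check_sbom(SAMPLE_SBOM, POLICY):
        print(f"FAIL {ident}: {reason}")
```

Run against the sample it reports the outdated log4j-core, the disallowed PyPI package and the component that carries no purl, which is the case an SBOM-based gate most often misses.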