What's the best way to keep abreast of Cassandra security releases?

We use Apache Cassandra and want to be able to keep abreast of any security updates so that we can jump on them and update ASAP. I'm happy to go in search of feature and patch releases periodically, but I'd like security fixes to come and find me.
Is there a dedicated mailing list?
An RSS feed?

It's not very often, but they do come up on the dev mailing list. I don't know of anywhere else, so it might be a lot to filter through. Your best bet is probably following events on Jira or creating a subscription on it to notify you, i.e.:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20CASSANDRA%20AND%20labels%20%3D%20security
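One way to turn that JQL filter into something that "comes and finds you" is a small poller that queries the Jira REST search API with the same JQL, remembers which issue keys it has already seen, and reports only the new ones (hook the output into whatever notifies you). The following is an added example, not code from the original answer or from the Cassandra project. It assumes the Jira REST API v2 search endpoint (`/rest/api/2/search`, returning `issues[].key` and `issues[].fields`) and anonymous read access to the public ASF Jira; the sample response and the state-file location are constructed for the example.

```python
"""Poll Apache Jira for CASSANDRA issues labelled "security" and report keys
not seen on a previous run. Added example; assumptions are marked below."""
import json
import urllib.parse
import urllib.request
from pathlib import Path

JIRA_BASE = "https://issues.apache.org/jira"          # public ASF Jira (from the answer)
JQL = "project = CASSANDRA AND labels = security"     # same filter as the answer's URL
STATE_FILE = Path.home() / ".cassandra-security-seen.json"  # assumed location

def search_url(jql=JQL, max_results=50):
    """Build the REST v2 search URL for the JQL filter (assumed endpoint shape)."""
    query = urllib.parse.urlencode({
        "jql": jql,
        "fields": "summary,created,fixVersions",
        "maxResults": max_results,
    })
    return f"{JIRA_BASE}/rest/api/2/search?{query}"

def fetch_issues(url):
    """Network call: fetch and decode the JSON search response (anonymous read assumed)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def extract_issues(payload):
    """Reduce a search response to {key: {summary, created, fix_versions}}."""
    out = {}
    for issue in payload.get("issues", []):
        fields = issue.get("fields", {})
        out[issue["key"]] = {
            "summary": fields.get("summary", ""),
            "created": fields.get("created", ""),
            "fix_versions": [v["name"] for v in fields.get("fixVersions", [])],
        }
    return out

def new_issues(current, seen_keys):
    """Keys present now that were not in the previously seen set, sorted."""
    return sorted(k for k in current if k not in seen_keys)

def load_seen(path=STATE_FILE):
    return set(json.loads(path.read_text())) if path.exists() else set()

def save_seen(keys, path=STATE_FILE):
    path.write_text(json.dumps(sorted(keys)))

def run_once(payload, seen_keys):
    """Pure step: returns (list of new keys, updated seen set). Easy to test offline."""
    current = extract_issues(payload)
    fresh = new_issues(current, seen_keys)
    return fresh, seen_keys | set(current)

# Constructed sample response in the Jira v2 search shape; keys are placeholders.
SAMPLE_RESPONSE = {
    "total": 2,
    "issues": [
        {"key": "CASSANDRA-00001",
         "fields": {"summary": "placeholder finding A", "created": "2024-01-01T00:00:00.000+0000",
                    "fixVersions": [{"name": "x.y.z"}]}},
        {"key": "CASSANDRA-00002",
         "fields": {"summary": "placeholder finding B", "created": "2024-02-01T00:00:00.000+0000",
                    "fixVersions": []}},
    ],
}

if __name__ == "__main__":
    seen = load_seen()
    payload = fetch_issues(search_url())   # replace with SAMPLE_RESPONSE to dry-run offline
    fresh, seen = run_once(payload, seen)
    for key in fresh:
        info = extract_issues(payload)[key]
        print(f"NEW {key}: {info['summary']} (fix: {', '.join(info['fix_versions']) or 'n/a'})")
    save_seen(seen)
```

Run it from cron or a CI schedule; because the state file only grows, a key is reported exactly once, and a change of fixVersions on an already-seen issue would need a separate comparison if you care about the fix landing rather than the issue opening.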

Related

Is it possible to let people approve their own pull requests if nothing but a bug workitem is linked?

In my current company, we are sometimes approving our own pull requests for the sake of bug fixing. If it's a small bug, or someone has breakdown service, they are required to be able to fix things quickly.
Because some people abuse this functionality to approve their own 'features', I wish to remove the ability to do this, except if there are only 'bug' work items linked to the PR.
As far as I have seen, I can only check some marks regarding the policy of the master branch.
Can I create a policy to enable people to approve their own pull requests, if no work-items other than bug items are linked to it?
That's not supported in Azure Pipelines - it's either allowed or not based on your branch policies. Everything that follows is opinion, so take it with a grain of salt - I'm not convinced that such a feature would solve your problem.
You said that you currently allow developers to approve their changes because, if there's an urgent bug, they need to be able to move quickly. That's understandable. Also, developers can "game the system" by PR'ing features.
If you were to restrict branch policy to allow developers to merge PRs only if bugs are attached, what prevents the developer from putting new feature functionality into bug fixes?
In other words, your PR policies work by convention, and that convention can be broken. Your proposed solution is another convention that can be broken.

Looking for a tool to perform website security audit

I am building a website for a client. He's asking me to do a security audit of the website. I don't have expertise in security audits and the budget is low. However, I am trying to give the best value to my client. Is there any tool with which I can perform a security audit of the website at a low cost?
There are also a few SaaS vulnerability scanning tools that I personally use for my website. Some are free or have subscription-based plans according to users' budgets. They provide you with a detailed report along with consultation from a security expert if required.
I have faced similar issues in the past. It's difficult to find an all-in-one solution as it is, and usually the clients don't even know what they want; they also don't realize that getting security audits done will subsequently increase the cost from the original budget by a huge margin.
I did, however, go through the comments and found https://reconwithme.com mentioned; I will have a look and provide feedback after using it. I have tried Acunetix and they're good, but it's extremely expensive for startups who are just entering the game.
Forgot to mention the tool I use; it's called ReconwithMe.

How to better manage Qualys WAS for 30 sites that are scanned monthly

Hello everyone: I was given the responsibility of a Qualys WAS. There are around 30 sites I need to scan monthly, and check alerts. I need to automate all this process, so I'm thinking of this:
1- Create a script or application that could easily schedule and start the scan of the sites
2- The same app will also pull the reports from Qualys WAS
Now it comes to the issue:
I need to report on the issues found. And have those reports where they could be accessible for compliance reasons.
I'm assuming a lot of other security engineers here have the same issue. So my question is: what do you do about this?
I was thinking about what to do and thought that these could be some options, but I want to hear from people that have already faced the same issue:
Is the best option to create an application that pulls the issues found from Qualys and later, presents them in a system or DB, with a web interface easy to be validated and share with people who need to access that info?
Is there any system that already solves my issue (see above in black), that maybe we can buy?
Could you talk about your experience with this?
I have another question. Do you think that with 30 sites, scanned monthly, validating issues found, and doing some other administrative stuff to keep this part working as well as possible, just one skilled engineer is enough 100% on this? Or do you think I will need to ask for more people?
Thanks
Thanks to #Kapish M for his response
In order to help the community and anyone who faces the same issue, I will post here an answer but will leave the question open just in case someone else has other options.
Qualys has no connector/plugin for direct JIRA integration, but the API can make any similar integration possible. While downloading data from Qualys via API, most times it is NOT very possible to make this communication two-way unless the other vendor (JIRA etc.) is willing to do it.
So it is possible to take one of these two routes to solve this issue:
1- Look for a two-way integration system, like ServiceNow, that should make it possible to integrate the systems much more easily. Today, ServiceNow has two-way integration.
2- Take care programmatically of:
- Downloading the Qualys report in CSV format
- Modifying the CSV format to adapt it to JIRA as per [2]
- Analyzing the issues in JIRA and moving the tickets to other groups or closing them
3- Because of the high demand for integration of this security tool, Qualys has created a Qualys-JIRA integration whitepaper, available in [3]
Took information for this answer from:
[1] Importing CSV into Jira
[2] Qualys integration
[3] Qualys Jira integration whitepaper
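Route 2 above (download the CSV, reshape it for Jira, triage in Jira) is mostly a column-mapping and deduplication job. The script below is an added example, not Qualys' or Atlassian's code. The input column names (`Web Application`, `QID`, `Title`, `Severity`, `URL`, `CWE`) are an assumption standing in for whatever a real WAS export contains, and the output headers are a convention of this example: Jira's CSV importer lets you map columns to fields at import time, so the exact names are not an API. The severity-to-priority mapping is a choice, not a Qualys rule. The sample findings are constructed.

```python
"""Convert a Qualys WAS findings CSV into a CSV that Jira's bulk importer can
ingest: one ticket per (site, QID, URL), optionally dropping low severities.
Added example; input/output column names are assumptions."""
import csv
import io

# Qualys WAS rates findings 1 (lowest) to 5 (highest); the Jira priority names
# below are the defaults of a stock Jira and the mapping is this example's choice.
SEVERITY_TO_PRIORITY = {5: "Highest", 4: "High", 3: "Medium", 2: "Low", 1: "Lowest"}

OUTPUT_COLUMNS = ["Summary", "Issue Type", "Priority", "Labels", "Description"]

def finding_to_issue(row):
    """Map one export row (assumed column names) to one Jira import row."""
    severity = int(row["Severity"])
    description = (
        f"Site: {row['Web Application']}\n"
        f"URL: {row['URL']}\n"
        f"QID: {row['QID']}\n"
        f"Severity: {severity}\n"
        f"CWE: {row.get('CWE', '') or 'n/a'}"
    )
    return {
        "Summary": f"[{row['Web Application']}] {row['Title']} (QID {row['QID']})",
        "Issue Type": "Bug",
        "Priority": SEVERITY_TO_PRIORITY.get(severity, "Medium"),
        "Labels": "qualys-was",
        "Description": description,
    }

def convert(qualys_csv_text, min_severity=1):
    """Parse the export, drop rows below min_severity and exact duplicates
    (same site, QID and URL), and return the list of Jira rows in input order."""
    reader = csv.DictReader(io.StringIO(qualys_csv_text))
    seen, issues = set(), []
    for row in reader:
        try:
            severity = int(row["Severity"])
        except (KeyError, ValueError):
            continue                      # malformed row: skip rather than import garbage
        if severity < min_severity:
            continue
        key = (row["Web Application"], row["QID"], row["URL"])
        if key in seen:
            continue                      # the same finding reported twice in one export
        seen.add(key)
        issues.append(finding_to_issue(row))
    return issues

def to_jira_csv(issues):
    """Serialise Jira rows; the csv module quotes the multi-line Description."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=OUTPUT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(issues)
    return buf.getvalue()

# Constructed sample export (not a real Qualys file): one duplicate, one severity-1 row.
SAMPLE_QUALYS_CSV = """Web Application,QID,Title,Severity,URL,CWE
shop.example,150001,Example reflected parameter finding,4,https://shop.example/search,79
shop.example,150001,Example reflected parameter finding,4,https://shop.example/search,79
intranet.example,150002,Example missing header finding,1,https://intranet.example/,
api.example,150003,Example verbose error finding,3,https://api.example/v1/items,209
"""

if __name__ == "__main__":
    rows = convert(SAMPLE_QUALYS_CSV, min_severity=2)
    print(to_jira_csv(rows))
```

Keeping the dedup key to (site, QID, URL) means a re-scan next month produces the same key for an unfixed finding; if you re-run the import each month you will still want to match on that key against open tickets before creating new ones, which is the "analyze and move tickets" part of route 2 that this snippet deliberately leaves to the Jira side.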

How to use open source bugtracking (for customers)?

At the moment, support requests / bug reports made by customers are coming in by mail. It is getting harder to organize priorities and stay at the helm of all this. So I am looking for bug tracking(?) tools. Not all reports are bugs of course; sometimes it's just a feature request or a support request.
So my question is: which open source bug tracker / support request handling tool do you recommend? I know Mantis, which seems to be my front runner for a more elaborate evaluation, but I already worked with it (as a reporter / contributor) and found the GUI a little cumbersome. Another issue is that I thought about using the tool for multiple website projects of different customers.
Intuitively I would prefer to run only one instance of the tool for all projects to have a better overview of all critical issues (independently of the project). Of course customer A should not be able to see customer B's requests (but every customer can have multiple reporting accounts). Is Mantis able to handle that? Can you recommend any other alternatives?
P.S.: I heard about Jira, but I will try to find a free tool for my first try.
It's possible to use email with Mantis, so that you can get incoming email (directly or by forwarding) to Mantis.
Then you can have a workflow in Mantis, e.g. have an incoming project and customer projects, and you can send email with Mantis in bcc and the subject containing the issue number (I use [1234] as a pattern).
I haven't used other issue trackers as much, but my experience with a customized Mantis is good regarding different kinds of issues and using with email.
Since you've turned to open source, I'd say install a project management platform like Launchpad, Redmine, etc. and then create a project for each of your clients (of course you can have multiple accounts for only one client). The bug tracker in these platforms can serve as a support request service.
I'd go for Launchpad because it also has the Q/A feature and blueprints, and is also nice looking and very, very user-friendly. And also damn easy to install on an Ubuntu Server.
Kind regards

What should be included in your software product forum so that clients can utilize it to the maximum?

My company is planning to start a forum for our software product which clients can refer to for general FAQs, problems, etc.
Right now we are planning to have:
User manuals.
Best practices for different sections of the application.
Frequently faced problems.
Forum where user can discuss issues with development team.
Any other ideas?
Edit:
We have RSS and E-mail notification subscription to the forum.
"Forum where user can discuss issues with development team."
I don't know if this is a euphemism for "issue tracker" but if not, make sure you include a way for people to submit bug/feature/enhancement reports and track them to completion. Nothing is worse than not being able to submit a bug report or being able to submit a bug report but only into a black hole.
Communication is key.
If you add an issue tracker as suggested by Kevin, your list seems pretty ok to me.
I'd also suggest that you do not start out with too many different services that require interaction from your side (e.g. your developers) at first - I've seen (too) many good initiatives die simply because nobody in the company had enough time e.g. for regular answering of the forum questions.
In your case, I guess "best practices", "frequent problems" and the forum will all consume regular time from your dev team if you want to keep them alive and up-to-date, especially in the beginning. So I would not add more services at the beginning but make sure to get these right (and you can always add more services later on if you find that the users need them :-).
You.
Show that you care about your customers.
Many useful tips at the Creating Passionate Users blog.
