Podcasts about WhiteSource

  • 27 PODCASTS
  • 53 EPISODES
  • 40m AVG DURATION
  • INFREQUENT EPISODES
  • Nov 9, 2022 LATEST

Latest podcast episodes about WhiteSource

Funky Marketing: Bold Strategies for B2B Growth and Revenue
Scaling B2B Companies From Startup To Scaleup To Unicorn: Gabriel Ehrlich

Nov 9, 2022 · 60:26


Our guest is Gabriel Ehrlich, the founder of Remotion - a LinkedIn Ads agency in Tel Aviv. His mission is to build the best damn LinkedIn Ads agency on planet earth. Very ambitious, right? Since founding Remotion in the summer of 2016, he has worked with over 50 happy clients – including WalkMe, Gong, Yotpo, Monday.com, Cato Networks, Pcysys, Syte, hibob, CHEQ, Pipe, Lawgeex, accessiBe, Whitesource, and many more. And since 2020 he has grown from a one-man show to 14 full-time employees!

Here's what we talked about:

  • 0:00 - Intro
  • 2:45 - Gabriel's background story
  • 9:34 - Early days on LinkedIn and the first freelance experience
  • 12:15 - B2B and B2C mentality
  • 14:49 - Attribution in B2B is becoming more difficult
  • 16:39 - Do your clients want what they say they want
  • 20:07 - Realizing who your target customers are
  • 24:44 - Building the structure of the team
  • 30:45 - Choosing the right campaign managers
  • 32:48 - Setting expectations with the clients
  • 34:38 - How to scale companies from startup
  • 37:01 - Recognizing the right leads
  • 39:51 - Marketing automation tools just don't work well
  • 40:58 - Leadership mindset is the most important thing for the company's growth
  • 42:46 - Realizing when things are working well
  • 44:22 - Ads tactics on LinkedIn
  • 49:35 - Growing a LinkedIn ads agency in Israel
  • 54:06 - Building a brand in B2B
  • 58:06 - Outro

Connect with Gabriel:

  • LinkedIn: https://www.linkedin.com/in/ehrlichgabriel/
  • Remotion website: https://www.remotion.io/

Funky Marketing is a podcast in which we're talking with entrepreneurs, marketers, advertisers, designers, artists, and all those people that are doing an amazing job for amazing people.

Listen on:

  • Anchor: https://anchor.fm/funky-marketing
  • Spotify: https://open.spotify.com/show/136A3zxZ5JYCukvphVP56M
  • Apple: https://podcasts.apple.com/us/podcast/funky-marketing-show/id1501543408?uo=4
  • Our website: https://www.funkymarketing.net/

Need help? Go to https://www.funkymarketing.net/contact-us/ and schedule a call with us! We offer free 30-minute consultations! Let's talk and see how we can make your business GROW!

Caveat
How the "Wild West" of open source could be in trouble.

Jan 27, 2022 · 37:45


Guest Susan St. Clair of WhiteSource discusses increased regulation in the open source community with Dave. Ben looks at a lawsuit against Google targeting location data, and Dave talks about rising cyber insurance costs and the influence they have on best practices.

While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.

Links to stories:

  • Four Attorneys General Claim Google Secretly Tracked People
  • District 87's cybersecurity insurance cost to jump 334%

Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.

Reversim Podcast
398 with Danny Grander from Snyk

Nov 29, 2020


New! On Sunday, 6.12 at 13:00, we will hold an "Ask Me Anything" (AMA) with Danny, the guest of this episode, on the following Discord channel: https://discord.gg/Nzq4w7hY. Registration is simple and no installation is needed. You are welcome to join the channel and ask questions (you can ask at any time; Danny will be there live at the stated time).

Episode 398 of Reversim Podcast: it has been a long (long) time since we last met and recorded, and soon we'll be at 400 . . . two more, unless it's in binary, and then it's a whole different story.

(Uri) And we're about a week after our first virtual conference!

(Ran) A week after the first virtual conference, and the videos are already out, unlike other conferences; that's one of the advantages of virtual conferences . . . We hardly advertised it here on the podcast because somehow it came out, like, "organically"; there was no CFP like every year. But the conference took place last week and was very successful, a few thousand viewers and listeners took part, and it was fun.

(Uri) Virtually, in terms of participation, we were able to reach a much bigger audience, almost 3,000 people!

(Ran) Right. And the last thing we haven't said: we always make a point of stating the date, so today is November 24 (2020 . . .), and our guest today is Danny from Snyk. Did we say the name right? Yes? Excellent. So it's great that you came! Some of the listeners may already know him: Danny has spoken at our conference before (in 2018 and in 2019), and we're happy to host him again. Today we'll talk both about Snyk and about some interesting findings you've made. But before anything else, tell us a bit about yourself: where did you come from, and maybe also where are you going?

(Danny) So, Danny, one of the founders of Snyk. My background is in research and information security, going back to before the army and then my service in 8200, and from there through a few startups, most of which were around security products. Before founding Snyk I spent about 7 years as CTO of Gita Technologies, a cyber company, around research on cryptography and areas like that. At Snyk it's already been five years since we started. Until a few months ago I was responsible for the whole security area in the company, in terms of the product, the research and that whole side, and I also managed the Israel office. Three months ago I went on parental leave, and today I'm coming back, with a focus more around research and the kind of things we'll also talk about more today.

(Ran) So for developers who haven't yet had a chance to meet Snyk, a few words about the company: what do you do?

(Danny) We're a company that builds security products for developers. We started from the world of open source security, of the third-party open source libraries that we all consume, where the first product helped developers get some visibility into which libraries we end up pulling into our project. We usually know the immediate libraries we choose, the 1st-level dependencies, but each such library pulls in more, and so it keeps bringing in more libraries, and in the end we have a lot of software that we've pulled into our project, and it really becomes part of our application. So we basically helped (a) to "shine a flashlight" on this whole world, and (b) to point out security weaknesses and vulnerabilities that exist in certain versions: usually known, familiar vulnerabilities that have a CVE, the vulnerability's identifier, that are in one of the libraries that ended up in the software project. And one last thing, one of the significant things that is different about Snyk compared to other products is that we also helped fix it, at the level of pull requests opened against the actual GitHub project, for example to update the library to a non-vulnerable version.

(Uri) Interesting. Do you usually do this actively? Proactively? Or do the projects come to you and ask "scan us and tell us what . . ."

(Danny) Everything I said applies to "your" project, not to the open source project. If, for example, you're building a project in Node.js, and you pulled in a library called left-pad, which pulled in a library with some other name, then I'm actually scanning your project, and when I open a pull request and fix a vulnerability for you in left-pad version 3 and update to left-pad version 5, because there's no vulnerability there, that happens in your project. We have the database that contains all the vulnerabilities of all the versions, and there are lots in npm or any other package manager.

(Uri) And is there really close work with the developers of the open source projects as well?

(Danny) Yes, absolutely. It's something that has become a really broad activity: for every vulnerability we find (that our team of analysts finds), we don't just add it to our database, we actually make sure there's as much awareness of this vulnerability as possible, among other things by attaching a CVE identifier to the vulnerability. We are a CVE Numbering Authority today; we have a kind of "range" of identifiers that we can assign. We actually write the description and also work with the maintainer: we reach out to the maintainer, and sometimes they're not even aware that there's a vulnerability, because someone opened an issue on the project and someone sent them an email; sometimes they don't have time to fix the vulnerability . . . So we talk with the maintainers directly to help them follow a process that is accepted in the security world, for example assigning the identifier to the vulnerability, but among other things also to really help them fix it, if they need some security expertise and things like that.

(Ran) And as you hinted, it sounds like you're in the Node.js world. Broadly, if I'm a Node.js developer then I get it, and if I develop in other technologies, are you there too?

(Danny) Absolutely. We support all the languages today. We started with Node.js but very quickly expanded to the whole ecosystem; we support all the languages. We basically look at package managers, so it's Maven and Gradle and basically all the biggest ecosystems. But beyond the product for third-party components we also have other products. Today we do the same thing for the container world: we look at the container and which components are pulled into it and alert on vulnerabilities there, basically the same idea. The container today is an extension of the application, the Dockerfile sits in Git and it's part of the same world. And today we're also getting into the world of infrastructure as code. Not long ago we acquired a company that gives us an entry into the world of the proprietary code that you write, the 10-20% of the code that you write; we look at that too, what's called static code analysis. So today we're already talking about four products, which makes us a platform of really all the security solutions a developer needs.

(Ran) So if I'm a developer, and I write code, and maybe I live under the illusion that I'm using open source libraries so everything's fine and I can read the code or someone else has read the code and they're secure, then I probably really am living under an illusion and I should use a product like Snyk, or a similar product, that will at least help me know that I'm OK, that I haven't made a mistake and that I'm not using a dependency that is already dangerous.

(Uri) But is there a situation where there's a danger in a dependency, but my code doesn't invoke it?

(Danny) Excellent question. That's a situation that happens quite a bit . . .

(Uri) Maybe I don't know the agenda beforehand . . .

(Danny) It really is a situation that happens quite a bit, and there are a few things here: (a) if we let you fix the problem easily, even if it's not currently a "problem" (you're using a library that has some vulnerability in it but you're not currently using the vulnerable functionality), then on one hand the application can't be attacked, but on the other hand maybe tomorrow someone will start using the problematic function, so there's an element here that if it doesn't cost you much then you want to get rid of it and remove this small risk as well.

(Uri) Especially if it's just a version upgrade . . .

(Danny) There are developers who, when you tell them "it's just a version upgrade", will answer "sure, that's nothing"; in npm, for example, it happens all the time. In Java, developers are usually a bit more sensitive to a version upgrade, so it can differ between ecosystems, but broadly . . .

(Ran) It's also a matter of age . . .

(Danny) That's also true . . . So really what we aim for is that you solve as many problems as you can, as long as it's easy. And when you really need to choose in the end and you don't have all the time in the world to fix and upgrade the libraries, then in that situation we do have all kinds of add-ons you can try. For example, we can also actually analyze the code and look at run time at what's called and what isn't. For example, with the new capabilities of static analysis of the code that you write, this also lets us do that matching, of what you really use and what you don't. All these things can help, but there's definitely a kind of "tug of the blanket" here, between how much you're willing to invest in your "security hygiene" (and quality in general, not necessarily security, because it's not only vulnerabilities: there are also bugs and things that get fixed in versions) versus how much risk you can take with upgrading things and changing and dealing with that.

(Uri) Doing yak shaving . . . (a reference to Ren & Stimpy?!)

(Ran) And the product itself typically sits where? In the CI? In the IDE?

(Danny) Today the integrations are all along the way, from the IDE to the build, to the CI, and some of the elements are also at run time. The aim is always to sit as close and as early as possible, and there source code management like GitHub or GitLab are the areas that are the most . . .

(Ran) So two questions before we go on: (1) where does the name come from? (2) where does the logo come from? What is it anyway, a fox? A dog?

(Danny) It's a dog, a Doberman . . . The name? It started from the fact that we found . . .

(Ran) Let's just say how it's spelled: it's S N Y K (in text this actually works better . . . )

(Danny) Right, it's So Now You Know . . .

(Uri) An available domain?

(Danny) Indeed, an available domain . . . It started, of course, like every good startup, from an available domain.

(Ran) A true story, that starts with two beers . . .

(Danny) So it's a four-letter domain, but very quickly we discovered that it's also "So Now You Know", which is exactly . . . We started from the product of showing you the libraries you consume and that you mostly don't know you consume, and yes, from there it caught on. The logo: we made a few attempts at logos and they all failed, until we met a designer, and we told him that basically we're a security company but we're a tool for developers and we're a non-classic security company, not "cyber-cyber" and scare tactics and so on, but that we come in a constructive and good way to help, and that it should be a dog with seriousness but also cuteness. And I hope it came out well . . . But really, he managed to do the logo in one shot, and since then we haven't . . .

(Ran) That's actually a great slogan: "a security company, but we come in peace". That could catch on . . .

(Danny) Look, I also come from those worlds, from cyber, and it's a bit like . . . Selling in those worlds often looks like a protection racket: "You've got a nice business, it would be a shame if something happened to it . . ."

(Uri) "You've got a pretty face, it would be a shame . . ."

(Danny) So really that's what was different with us from day one in the approach, both in terms of the product and in terms of the company's DNA: we didn't come with scare tactics. By the way, we weren't at any security conference in the first three years of the company; we only went to developer conferences.

(Ran) Excellent. So that's you and that's Snyk, and now let's talk about tonight's topic: a few months ago . . .

(Danny) Yes, August . . . We published in mid-August, but the project started one month before. We basically found a software library that was malicious. So that's one of the threats. We talked about vulnerabilities and information security, but that's not the only threat in pulling code from outside: another threat, which you can really see growing in recent years, is malicious code that arrives through these libraries.

(Uri) Through open source libraries . . .

(Danny) Open source libraries that people use. And it's also interesting to see the variety of how it arrives. Sometimes it's malicious code that was actually written as malicious, put in a package manager, and they simply waited for someone to use it; and sometimes it's a takeover of the account of a developer of a very popular code library, for example taking over a GitHub account, and then code is "planted" there. Sometimes these are techniques like typo-squatting: giving a name similar to the popular name. A classic example is jQuery.js in npm, instead of just jQuery; or simply a typo (hence the name typo-squatting), where you change some small character in the name. And then a lot of people install it, like, by the way, the original attack, which is domain squatting, where instead of writing, for example, Google with two "O"s you write it with one, and so on. And what we found is a code library in a package manager called CocoaPods. It's the SDK of a Chinese advertising company.

(Ran) For iOS.

(Danny) For iOS and for Android, for both environments. And what we found there is that this SDK, which is meant to let developers monetize the ads in their applications, on the way did lots and lots of other bad things . . . At first, the initial research turned up findings only on iOS, and what we found there is that the SDK latched onto all the communication the application does with the backend, and also leaked it back to a Chinese company . . . That was one thing. So that it wouldn't be detected, they used some very interesting techniques that are really reminiscent of the classic malware world: among other things they tried to detect whether the device is jailbroken, and if it's jailbroken then they didn't act; if there's a proxy listening to things then they also didn't activate the malicious functionality . . .

(Ran) Wait . . . why wouldn't they act on a jailbroken device? What's the danger here?

(Danny) In the world of iOS and iPhones, a jailbroken device is really a sign of someone who knows what they're doing . . . In many cases you need to jailbreak the device in order to even start analyzing things there . . .

(Ran) … So in order not to be discovered, they said "OK, let's not mess with the guys who know their stuff"?

(Danny) Right, and that's how they ran for a year. By the way, what was suspicious in what they did (there were many things), first of all they obfuscated all the information. For example, when you look at Base64 strings, which look Base64-encoded, and you do Base64 decoding, and it simply comes out as gibberish . . . And then you see that they made some variant of their own of Base64. So what we found is that first of all there was this element of data exfiltration: they simply latched onto the application's HTTP requests and sent that back to themselves. But they also did attribution fraud. In the advertising world, when a user views or clicks on an ad, an event is sent to the MMP, the Mobile Measurement Provider, I think that's what it stands for . . . Ran surely knows it from AppsFlyer.

(Ran) Yes . . .

So the MMP is the one that is ultimately responsible for saying who "deserves" the attribution, and as a result also the monetary reward. In this case the company simply sent an additional, fake click to the MMP. They knew about the activity because they were leaking the HTTP requests and basically all the events that happen in the application. So the first, organic event is sent as usual, but from their side they send another one, and the way it works is by the last one who sent: that one gets the attribution. And that's how they also committed fraud against the advertising companies.

(Ran) "Hijacked the click."

(Danny) "Hijacked the click", and we see that from the data. But beyond that they also stole all the information, and here it's also not so clear whether they did it only to steal the click or whether they did other things with the information.

(Ran) How widespread was this SDK?

(Danny) First of all, the SDK was installed in total in about 1,500 iOS applications and 2,000 Android applications, which maybe feels like a not very high number, but when you look at the number of downloads, we're talking in total about more than a billion, 1.2 billion downloads, per month. Those are the numbers.

(Ran) Competing with Netflix's traffic . . .

(Danny) Really. All the games, really at the level of the two biggest vendors of gaming companies, used this SDK. Again, most of the publishers and most of the applications affected by this are gaming applications, but there are also a few dating applications and chat applications and other various applications. But really games are the thing: all the games you know from the kids' phones (not you, of course not).

(Ran) You, as a developer, now want to install some SDK for monetization, you find a company that does that. It's not like "I went to GitHub and took some random package": you went to a company, downloaded their official SDK. Who would suspect there's malware inside this whole thing . . .

(Danny) Right . . . So the company is called Mintegral, and it's a subsidiary of MobVista. It's a public company, traded in Hong Kong; these are serious, big companies. Despite that, they chose to get involved in these things. And what's interesting is that when you look historically, this isn't the first time a Chinese company, or some other company, has been found doing all kinds of things in these areas. But they always had what's called plausible deniability: they could come and say "well, it's a library we took from outside, and it's not us at all, and it's just a developer's mistake, and he's been fired in the meantime so all's well, sorry". Here the code is really theirs, they didn't even really bother to hide it too much; once you've found it, it's in your face. And what's interesting is that when we discovered it (and at first we discovered it only on iOS; we looked at Android and didn't find anything, we didn't dig too deep, but at first we didn't find anything), we published. And then two interesting things happened. (a) We got a tweet from someone who said he's looking at Android and also sees strange things there, so we started looking there too, and we found that on Android there is after all a hidden area where we hadn't looked before, and what they do there is try to catch the downloads on the device, and specifically downloads that come from Google. And when you think about it you understand that these are downloads that come from Google Play, and that this is how they try to catch game downloads and, again, report that as their own, and probably (here we couldn't verify and close the full loop and see that they also commit the fraud). But in these downloads they, by mistake or not, also caught downloads of Google Spreadsheets and Google Drive and Google Docs and the like. So if I send a WhatsApp message or an email today with some link to Google Drive or Google Docs (and the way it works on Android, because it's also global, the intents are sent on the device, and any application, in this case the SDK, could register for download intents globally), it's enough that I have one application that I installed for my kid (say) and haven't opened for a while (say): it will catch all my Google Docs downloads from the device. That's unlike iOS, where it's only in the context of the application, that is, "only" the application's traffic really leaked. Still severe, but different from Google. (b) Another thing that happened is that the company, probably to save their reputation, released the code as open source, the SDK, and said that "we are in favor of transparency, and we ask the whole industry to do it this way" . . .

Also here

(Ran) Was that before the discovery or after?

(Danny) After . . .

(Uri) And like, "we're releasing it as open source, so that you'll download more" . . .

(Danny) Yes, download more . . . By the way, they didn't address the fact that they did the fraud in the backend, so releasing the code as open source doesn't exactly put all the cards on the table, but still, it was an interesting move. What we did . . .

(Ran) Wait, did they actually release the version that contained the malicious code?

(Danny) No, they cleaned it up, put out a new version. And what you're thinking of is exactly what we did: we said "wait, let's compare what they released, and compare the new version against the old one". We saw that they really did throw out everything we pointed to, all the bad things. By the way, they also published a post that said they had planned to remove this technology anyway, and that basically "you don't understand this amazing technology, all of this is meant for amazing ads and amazing monetization and that's why we're the leaders in the field" and so on . . . In any case, we looked, and they really did remove all the functionality we said was malicious. But there was another piece of code there, that we didn't know, and it was removed too . . . which at that point simply screamed "let's look at this code" . . .

(Ran) We must have missed something here . . .

(Danny) We totally missed it, because this code was actually a backdoor: a back door for running any code on the device, through an ad . . . We need to break this down for a moment. First of all, Mintegral could . . . Let's say I developed an application and put this SDK into my game, with ads displayed, all well and good. The application went through Apple's review, and there isn't supposed to be dynamic code there. Apple "signed off" on the code I provided them, including this malicious SDK, which I didn't look at as a developer, but that's the situation. Now, Mintegral can send JavaScript code "engineered" in such a way that it will eventually run native code of their choosing on the device. We demonstrated simple code that steals the clipboard, just for illustration, but it could be any code they want. But more severe than that: any publisher and any advertiser . . . We can now go and buy ads, even bid on a certain profile, for example people of a certain age who live in a certain region of the world, and actually deliver some exploit that will actually run native code on the device . . .

(Ran) Meaning that they won't only see the image and the creative, but you'll also be able to inject code there, and in that code you'll be able to do whatever you want.

(Danny) Right . . .

(Uri) That's what happened to us in the breach of . . .

(Ran) You see, that's thinking at scale! We're not creative enough, so we'll let the third party be more creative!

(Danny) Yes, it's really code execution as a service . . . Really. When you look at the numbers of applications and at how popular this SDK is, and in the end what it opened up in those applications, it's pretty crazy.

(Ran) So what, a person gets up in the morning, drinks coffee and says, "OK, now I'm going to find an exploit"? Like, how does that happen?

(Danny) So first of all, in the research team we've been doing this for years; that is, we research the world of open source and we look for vulnerabilities. And when we look for vulnerabilities, we don't look in a particular product, we don't get up in the morning and say "let's look for a vulnerability in Apache Storm" just because it interests us, but usually we look at really searching at scale. The analogy I like to give is that we "cast a net into the sea", and the net is one that we build so that it catches certain things. And in this case we cast the net into the sea of CocoaPods, over all the libraries in CocoaPods, and looked for anything that does method swizzling. So method swizzling is a term from the iOS world for function hooking, for interception, for instrumentation of a function: any application that comes and "latches onto" an operating system function and tries to be "in the middle", between the application that calls it and the operating system. And that's something that first of all isn't supposed to happen a lot. It does actually happen quite a bit in the advertising world; sometimes SDKs try to see whether the device's orientation is this way or that and to display and adapt things; but broadly it's something fairly unusual, and in this case that's what the SDK did. And when we "pull the net out of the sea", there's all kinds of junk there and plastic bottles and strange things, but sometimes there are also fish, which we look at; in this case a real goldfish. If we look at the history, we found vulnerabilities in a really similar way. By the way, the talk we gave at Reversim on Zip Slip, a 30-year-old vulnerability that still exists to this day in the Java world, that people just can't get rid of; then too, in the same way, we ran a search over all of GitHub and found thousands of vulnerabilities.

(Ran) Well, come on, Java developers haven't upgraded a version in 30 years, go get rid of that . . .

(Ran) OK, so you felt there's something here, you saw many such instances of method swizzling, if I managed to say that right (it's easier to write), and then what? You said "let's focus", and now how do you check? What do you find there? Do you start reading code, reverse engineering the code? Start running it? What?

(Danny) Great question. So it wasn't in many instances. We actually ran it again to see if someone . . . if Mintegral, all the changes they made, are still caught by us, and they weren't caught, which means they really did clean up. In any case, there were dozens of results, most of which we went through very quickly, and this specific one really started to feel like something unusual. I just told you about the strange Base64 that they changed a bit. In the end we didn't even reverse engineer the Base64, we simply used their function for it; we were lazy . . . But to your question: this library really is closed source, it has no open source. They opened it up as open source afterwards, but it wasn't like that before. This is really the first time at Snyk that I actually got to do reverse engineering, because usually it's reverse engineering of code, I don't know if that counts as reverse engineering, and these are actually worlds I dealt with a lot before. And yes, it's really looking at the application, at the iOS code and . . .

(Ran) Meaning you decompiled it . . .

(Danny) Yes, well, decompilation is even the luxury . . . You do disassembly, look at assembly code, and today there are really good decompilers, which don't return it to source code but to a fairly close approximation . . .

(Ran) You don't need to remember the register numbers by heart . . .

(Danny) No . . . So we came across quite a few interesting things. As I said, some of them we didn't find; we found all kinds of anomalies, but this backdoor, for example, we didn't find; we found it only when we did . . .

(Ran) How long does research like this take? How long did it take?

(Danny) By the way, it should be noted that during the research we also started connecting with companies; we also worked with AppsFlyer, for example. The data side, for example, we had no visibility into: all the clicks, what happens on the MMP side? On all of that we worked with players in the industry. But our research, if I distill it to net work, is really a matter of maybe a week. From the moment we started the project until the moment we published took a month, but then came the further iterations of the project.

(Uri) Is that because you sometimes publish even before you understand the whole picture?

(Danny) No, I personally try to write . . . When we talk about publishing it's usually about writing a blog post, and when it's something fairly big then you do a bit of PR and talk to outlets and so on. In this case, usually we aim to write something when we feel confident about all the details, so we did that here too. For that matter, we didn't change anything of what we published, so yes, the aim is to give as much information as possible from the first publication.

(Ran) Usually, at least when it's not malicious code but, say, bugs (the classic example of stack overflow and so on, sorry, buffer overflow), there's this matter of "responsible disclosure", right? You don't go and publish right away, but first of all you go to the producer of the code and give them a heads-up and time to fix it, and only after they've promised that everything is fixed and there's already a new version, only then do you publish. Here the case is different: here we're talking about a malicious producer. So how do you act? What's the protocol in such a case?

(Danny) So really responsible disclosure doesn't apply here . . . It does apply, actually, but not to the actor itself; that is, at no stage did we come to the company . . . It's interesting, by the way: they reached out to us after we published, and offered us . . . they wanted to buy Snyk in return for us helping them handle this incident . . . That is, to buy Snyk's product, not the company. But responsible disclosure does apply to the big players, to Google and Apple, because they hold the marketplace, and they also have the ability to fix things. When we give them a heads-up, there's something they can do, and that's what we did. It's interesting: with Apple, at first, this probably didn't go down so well with them, because we're kind of the bad-news messenger, like . . .

(Uri) You're also exposing a weakness of theirs.

(Danny) It came exactly (somehow without us timing it that way) at the time of the mess with Epic Games, and there was a lot of criticism about everything happening there with the 30% . . . Lots of discussion about it, and suddenly we come and say: "OK, guys, like, there are a few hundred applications from the top 500 here that have really bad things in them" . . .

(Uri) A few hundred of the top 500 . . .

(Danny) Yes, close to 200 of the top 500, that's a very high percentage. In any case, at first they tried . . . they weren't too active, they didn't even notify the application developers, so we chose to do that ourselves. Obviously that's something that's easier for Apple to do; they have everyone's emails and so on. But what's interesting is that Google actually had the opposite reaction: they simply jumped on a call, brought all the relevant people, researchers and legal people and so on, and also told us that they know . . . not this case, but the history with these players, and really responded quickly. It should be noted that once we found the backdoor, for Apple it was already . . . it wasn't just a bone in the throat, they really had to act, because it's something that is . . . Earlier they had said that "it's the developers' responsibility"; broadly they put the responsibility on the developers: "they chose the SDK, they put it in the application, so let them deal with it". But when there are really a lot of users who are now exposed to code execution, then here they were already forced to send instructions . . .

(Ran) It's a "ticking bomb" that, even if they can somehow deny that it's their fault, is still going to hurt their PR.

(Uri) It's interesting, because Apple also takes a stand in the world of privacy, and if they have a backdoor like that . . .

(Danny) Right, and still I feel that . . . I mean, in the end they acted and then sent all the developers the request to remove the problematic SDK, but still, their response, at least the initial one, was pretty weak. They basically chose to put the responsibility on the developers, which . . . there's something important in that, in the message, but they themselves could have solved the problem on their own immediately, and not wait until developers start . . . until we (Snyk) reach out to them first of all, and that takes a lot of time, and explain to them what's going on and so on. So in this case responsible disclosure really was talking to the big companies. By the way, we did reach out to the ten biggest publishers directly, simply because they really . . . It's a kind of Pareto distribution: ten of the publishers control 90% of the market, so that covered really most of the . . .

(Ran) How do you know who the ten biggest publishers are?

(Danny) So there's data . . .

(Ran) Ah, you mean in general, not for that SDK, the ten biggest publishers in the world?

(Danny) On that specifically there's also data per SDK: services that give actual statistics . . . Apple and Google don't publish that themselves, but there are services that give these numbers, including which SDK is in which application.

(Uri) Like . . . well, that's more for open source in general, but WhiteSource and the like?

(Danny) WhiteSource is a competitor of Snyk so . . .

(Uri) Is WhiteSource getting into the world of security specifically?

(Danny) It actually started from the world of legal, but somewhere around when we started, they made a shift, and I think that today they see themselves as a security company and market themselves as a security company. By the way, all the other players did the same, for example BlackDuck, which started from the worlds of legal and compliance and became a security company, and was later sold as a security company.

(Ran) Well, so first of all this was a thriller in three acts . . .

(Uri) I thought you'd bring us something Iranian . . .

(Danny) Yes, it's a Chinese company . . .

(Uri) Does Tamar Rabinyan work for you?

(Ran) Yes . . . So are there any more, like, anecdotes or juicy material that hasn't been published that you can share with our listeners about this story?

(Danny) I think that really this matter of a senior person from the company reaching out to us . . . He wrote a very nice email in which he . . . First of all, that was the first time we heard anything from the company. He sent a "personal" email, a long email, in which he says "thank you for your work, it's very important to us to fix things, and we're working on it", and asks us to help them with it, in return for the whole group (not just the company, it's a big group) being happy to adopt Snyk's products . . . We declined the offer then, but what we discovered just a week later, in conversations with one of the publishers, is that they go on telling the story that "Snyk is actually helping them", that they're already cooperating with us and that everything is behind them. So yes, that's kind of the world we . . .

(Ran) Check whether your logo is there, on their website . . .

(Uri) A kind of Chinese reliability?

(Ran) Too bad, if it weren't COVID now they'd send you a ticket to China, to show you a bit of a good time so you'd forget this whole story . . . OK, great, a very fascinating story, and by the way, I assume that to this day there are applications running with this vulnerability; it doesn't disappear in a day . . .

(Danny) Right . . .

(Ran) How do you track something like that? Is it Apple's job now?

(Danny) I think that Apple in this case … There's really a question here of applications and devices that simply don't update the applications, so even if there's a new version, and someone just doesn't bother to update . . . It will be interesting to see whether Apple decide to simply remove it. They have the ability to remove these applications, also remotely, but they haven't done it yet. I think one of the interesting things to see from this whole incident is really the raising of awareness of these phenomena in the mobile community, because it's a bit different from the other ecosystems. When you really look at . . . There are two (kinds of) victims in this incident. There are the developers themselves, who simply pulled in some SDK and wanted to make money on their application, and basically brought in something they didn't know . . . By the way, the Terms of Service there of course didn't tell them everything they do, the SDK, and . . .

(Ran) Why, do you know Chinese?

(Danny) Yes, so they had . . .

(Uri) It's Chinese to him . . .

(Danny) They, by the way, updated right after the publication, a day after the publication, all of their Terms of Service, heavy edits, and added everything that was missing there, including HTTP request interception and things like that . . .

(Ran) So check the diffs, maybe you'll discover something else . . .

(Danny) So really those are the developers; and the second group is basically the consumers, us, those who have and whoever installed all these applications. And I think it was really nice to see, at least in the first group, how awareness there is rising, and how in terms of the discussion and the interest in even recognizing this problem . . . That, I think, was the most significant thing that came out of the publication, because unfortunately there will still be companies that do these bad things and we'll still have these worlds of espionage, but I'm really happy to see awareness of these problems rising.

(Uri) So wait, I have a question: today, every vulnerability, every exposure . . .

(Danny) Weakness.

(Uri) . . . weakness that you discover, do you publish it in a blog post?

(Danny) No, definitely not . . .

(Uri) Only the interesting ones?

(Danny) Yes, I think . . . As I said, we look at things at scale. For example, if we find a vulnerability that is in thousands of projects, I think that's an interesting story, and it's an interesting story not only for our publicity; it's an interesting story really for awareness in the community. So that example we called Zip Slip, that 30-year-old vulnerability, a really ancient vulnerability (by the way, one that I can explain in a sentence and all the listeners will understand), that same vulnerability is still there . . . When we found it, we found it in thousands of open source projects, really projects with thousands of stars on GitHub, and that's a phenomenon that I think is interesting to report on. But we find vulnerabilities every day, and that gets added to our database there on the site, but not a blog post . . .

(Uri) You said "our database on the site". Is it accessible? Can you enter a version number of an SDK you use, or open source . . .?

(Danny) Absolutely yes, it's a click you can do on the site. First of all, our product is free for open source, and it's also free up to a certain usage. So yes, you can also simply scan your project with one command: npm install snyk and snyk test, and that's it.

(Ran) Excellent. Thanks Danny, great story, sounds like a really interesting product for anyone who cares about security. Thanks for coming, it was very interesting. Thanks.

The file is here; enjoy listening, and many thanks to Ofer Forer for the transcription.

Software Security Gurus
Software Security Gurus Episode #10: Rami Sass

Software Security Gurus

Play Episode Listen Later Aug 11, 2020 21:27


In this interview, he chats with Rami Sass, co-founder and CEO at WhiteSource. Unsurprisingly, they discuss all things open source security. They reflect on how open source has changed in the past ten years, the compliance implications of using open source components in software, and the disconnect that can often happen between the tech and legal departments. Finally, Rami shares his thoughts on who should take responsibility for open source security. For more information, check out www.softwaresecuritygurus.com Visit WhiteSource: www.whitesourcesoftware.com --- Send in a voice message: https://anchor.fm/softwaresecuritygurus/message

Heavybit Podcast Network: Master Feed
Ep. #54, From Crisis to Creation with Rami Sass of WhiteSource

Heavybit Podcast Network: Master Feed

Play Episode Listen Later Apr 15, 2020 22:47


In episode 54 of JAMstack Radio, Brian speaks with Rami Sass of WhiteSource about securing and managing open source components in your software, and the tools available for identifying vulnerabilities in packages.

crisis sass rami whitesource
JAMstack Radio
Ep. #54, From Crisis to Creation with Rami Sass of WhiteSource

JAMstack Radio

Play Episode Listen Later Apr 15, 2020 22:47


In episode 54 of JAMstack Radio, Brian speaks with Rami Sass of WhiteSource about securing and managing open source components in your software, and the tools available for identifying vulnerabilities in packages.

crisis sass rami whitesource
DevOps Chat
The State of Open Source Security Vulnerabilities

DevOps Chat

Play Episode Listen Later Mar 23, 2020 21:25


WhiteSource, one of the leaders in the Software Composition Analysis space, recently released their annual report on "The State of Open Source Security Vulnerabilities". It is chock full of good data and findings on the current state of open source security and how things are trending. I had a chance to sit down with Rhys Arkins, Director, Product at WhiteSource to see what some of the highlights were. Rhys was happy to share and show us some of the things you should be mindful of.

All Jupiter Broadcasting Shows
2020-03-13 | Linux Headlines 123

All Jupiter Broadcasting Shows

Play Episode Listen Later Mar 13, 2020 2:59


The Django project moves to a new governance structure, Tor Browser's latest release includes a JavaScript execution bug, GitLab finally paywalls its build and test pipeline for external repositories, and WhiteSource issues a report on the increase in open source code vulnerabilities.

linux javascript django gitlab tor browser jupiter broadcasting whitesource
Linux Headlines
2020-03-13

Linux Headlines

Play Episode Listen Later Mar 13, 2020 2:59


The Django project moves to a new governance structure, Tor Browser's latest release includes a JavaScript execution bug, GitLab finally paywalls its build and test pipeline for external repositories, and WhiteSource issues a report on the increase in open source code vulnerabilities.

Daily Tech News Show
Grub Flub! - DTNS 3705

Daily Tech News Show

Play Episode Listen Later Jan 27, 2020 31:27


A recent post from WhiteSource identifies the trends in Open Source software licensing and makes predictions on what shape Open Source software will take down the road. Starring Tom Merritt, Richard Stroffolino, Roger Chang.

open source grub flub whitesource dtns roger chang
TestGuild Security Testing Podcast
Developers are Taking Over Application Security with Jeffrey Martin

TestGuild Security Testing Podcast

Play Episode Listen Later Dec 26, 2019 28:48


As we enter the New Year, I thought it would be a great idea to go over the state of application security (AppSec), especially how developers are getting more and more involved with their team's security testing efforts. So in this episode, with Jeffrey Martin, a Director of Product at WhiteSource, we'll go over some of the reasons why application security will become a top priority for most companies in 2020. He'll also reveal critical insight found in his company's recent report on Why Developers are Taking Over AppSec.

Paul's Security Weekly TV
The World Runs On Open-Source, But Who's Paying For Gas? - ASW #88

Paul's Security Weekly TV

Play Episode Listen Later Dec 11, 2019 30:46


In the Application Security News, GitHub Seeks Security Dominance With Developers, IoT and Agile Framework Partners in Efficacy, WhiteSource acquires & open sources Renovate dependency update tool set, and Java vs. Python: Which should you choose? So stay tuned, for Application Security Weekly! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode88

paying runs iot open source java efficacy renovate john kinsella paul asadoorian whitesource application security weekly application security news
Application Security Weekly (Video)
The World Runs On Open-Source, But Who's Paying For Gas? - ASW #88

Application Security Weekly (Video)

Play Episode Listen Later Dec 11, 2019 30:46


In the Application Security News, GitHub Seeks Security Dominance With Developers, IoT and Agile Framework Partners in Efficacy, WhiteSource acquires & open sources Renovate dependency update tool set, and Java vs. Python: Which should you choose? So stay tuned, for Application Security Weekly! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode88

paying runs iot open source java efficacy renovate john kinsella paul asadoorian whitesource application security weekly application security news
Application Security Weekly (Audio)
Dad Jokes - ASW #88

Application Security Weekly (Audio)

Play Episode Listen Later Dec 10, 2019 68:10


This week, we welcome Allan Friedman, Director of Cybersecurity Initiatives at the NTIA US Department of Commerce, to talk about the Software Bill of Materials! In the Application Security News, GitHub Seeks Security Dominance With Developers, IoT and Agile Framework Partners in Efficacy, WhiteSource acquires & open sources Renovate dependency update toolset, and Java vs. Python: Which should you choose?   Show Notes: https://wiki.securityweekly.com/ASWEpisode88 Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly  

Paul's Security Weekly
Dad Jokes - ASW #88

Paul's Security Weekly

Play Episode Listen Later Dec 10, 2019 68:10


This week, we welcome Allan Friedman, Director of Cybersecurity Initiatives at the NTIA US Department of Commerce, to talk about the Software Bill of Materials! In the Application Security News, GitHub Seeks Security Dominance With Developers, IoT and Agile Framework Partners in Efficacy, WhiteSource acquires & open sources Renovate dependency update toolset, and Java vs. Python: Which should you choose?   Show Notes: https://wiki.securityweekly.com/ASWEpisode88 Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly  

Paul's Security Weekly TV
Kubernetes, CyberCube, and Illusive - ESW #162

Paul's Security Weekly TV

Play Episode Listen Later Nov 22, 2019 32:02


In the enterprise news, discussing how Sysdig supports Google Cloud Run for Anthos to secure serverless workloads in production, StackRox Kubernetes Security Platform 3.0 Introduces Advanced Features and New Workflows for Configuration and Vulnerability Management, and some acquisition and funding updates from CyberCube, 1Password, Docker, WhiteSource, and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode162

Enterprise Security Weekly (Video)
Kubernetes, CyberCube, and Illusive - ESW #162

Enterprise Security Weekly (Video)

Play Episode Listen Later Nov 21, 2019 32:02


In the enterprise news, discussing how Sysdig supports Google Cloud Run for Anthos to secure serverless workloads in production, StackRox Kubernetes Security Platform 3.0 Introduces Advanced Features and New Workflows for Configuration and Vulnerability Management, and some acquisition and funding updates from CyberCube, 1Password, Docker, WhiteSource, and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode162

Enterprise Security Weekly (Audio)
Hot Mess - ESW #162

Enterprise Security Weekly (Audio)

Play Episode Listen Later Nov 21, 2019 94:09


This week, we talk Enterprise News, discussing how Sysdig supports Google Cloud Run for Anthos to secure serverless workloads in production, StackRox Kubernetes Security Platform 3.0 Introduces Advanced Features and New Workflows for Configuration and Vulnerability Management, and some acquisition and funding updates from CyberCube, 1Password, Docker, WhiteSource, and more! In our second segment, we welcome Reuven Harrison, Chief Technology Officer at Tufin, to discuss the Cloud, Containers, and Microservices! In our final segment, we welcome Jorge Salamero, Director of Product Marketing at Sysdig, to discuss the challenges of implementing security in Kubernetes Environments!   Show Notes: https://wiki.securityweekly.com/ESWEpisode162 To learn more about Sysdig, visit: https://securityweekly.com/sysdig To learn more about Sysdig, visit: https://securityweekly.com/tufin   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly 

Paul's Security Weekly
Hot Mess - ESW #162

Paul's Security Weekly

Play Episode Listen Later Nov 21, 2019 94:09


This week, we talk Enterprise News, discussing how Sysdig supports Google Cloud Run for Anthos to secure serverless workloads in production, StackRox Kubernetes Security Platform 3.0 Introduces Advanced Features and New Workflows for Configuration and Vulnerability Management, and some acquisition and funding updates from CyberCube, 1Password, Docker, WhiteSource, and more! In our second segment, we welcome Reuven Harrison, Chief Technology Officer at Tufin, to discuss the Cloud, Containers, and Microservices! In our final segment, we welcome Jorge Salamero, Director of Product Marketing at Sysdig, to discuss the challenges of implementing security in Kubernetes Environments!   Show Notes: https://wiki.securityweekly.com/ESWEpisode162 To learn more about Sysdig, visit: https://securityweekly.com/sysdig To learn more about Sysdig, visit: https://securityweekly.com/tufin   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly 

Paul's Security Weekly TV
Black Hat Interviews - WhiteSource and Venafi - ASW #74

Paul's Security Weekly TV

Play Episode Listen Later Aug 28, 2019 30:02


We interview Azi Cohen, the Co-founder of WhiteSource. He will be talking about how application security has undergone a transition in recent years: as information security teams testing products before release became irrelevant, developers started playing a leading role in the day-to-day operational responsibility for application security. We then interview Jeff Hudson, the CEO of Venafi. He will talk about how code signing has been used to verify the integrity of software, and nearly every organization relies on it to confirm their code has not been corrupted with malware. Full Show Notes: https://wiki.securityweekly.com/ASW_Episode74 Visit https://www.securityweekly.com/asw for all the latest episodes!

Application Security Weekly (Video)
Black Hat Interviews - WhiteSource and Venafi - ASW #74

Application Security Weekly (Video)

Play Episode Listen Later Aug 28, 2019 30:02


We interview Azi Cohen, the Co-founder of WhiteSource. He will be talking about how application security has undergone a transition in recent years: as information security teams testing products before release became irrelevant, developers started playing a leading role in the day-to-day operational responsibility for application security. We then interview Jeff Hudson, the CEO of Venafi. He will talk about how code signing has been used to verify the integrity of software, and nearly every organization relies on it to confirm their code has not been corrupted with malware. Full Show Notes: https://wiki.securityweekly.com/ASW_Episode74 Visit https://www.securityweekly.com/asw for all the latest episodes!

Application Security Weekly (Audio)
Still Alive - ASW #74

Application Security Weekly (Audio)

Play Episode Listen Later Aug 27, 2019 66:54


This week, we welcome Pawan Shankar, Senior Product Marketing Manager of Sysdig! In our second segment, we air two pre-recorded interviews with Azi Cohen, Co-Founder of WhiteSource, and Jeff Hudson, CEO of Venafi from BlackHat USA 2019!   To learn more about Sysdig, visit: https://securityweekly.com/sysdig Full Show Notes: https://wiki.securityweekly.com/ASW_Episode74   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Paul's Security Weekly
Still Alive - ASW #74

Paul's Security Weekly

Play Episode Listen Later Aug 27, 2019 66:54


This week, we welcome Pawan Shankar, Senior Product Marketing Manager of Sysdig! In our second segment, we air two pre-recorded interviews with Azi Cohen, Co-Founder of WhiteSource, and Jeff Hudson, CEO of Venafi from BlackHat USA 2019!   To learn more about Sysdig, visit: https://securityweekly.com/sysdig Full Show Notes: https://wiki.securityweekly.com/ASW_Episode74   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Security Intelligence Podcast
Development Agility and Open Source Vulnerability Prioritization

Security Intelligence Podcast

Play Episode Listen Later Jun 18, 2019 29:35


"Open source is increasingly being acknowledged as an indispensable means for promoting and driving innovation," says Rami Elron, Senior Director of Product Management at WhiteSource. But at the same time, there's been a proliferation in open source security vulnerabilities.  Elron attributes the phenomenon to both increased adoption of open source and increased attention following publicized data breaches. He joins David to discuss the challenges in prioritizing open source vulnerabilities, the importance of agile DevSecOps practices, and approaches to dealing effectively with the growing number of open source security vulnerabilities. For more security stories, visit SecurityIntelligence.com or follow IBM Security on Twitter and LinkedIn.

DevOps Chat
White Source for Containers w/ David Habusha

DevOps Chat

Play Episode Listen Later Mar 21, 2019 20:34


WhiteSource has become a force in the security of open source components in your applications. One would think that it would follow that securing these open source components inside of a container would flow from this. But with containers, all is not always as it seems. Containers require an approach that is unique to containers. So the folks at White Source went to the lab and have engineered a solution that is container native and container specific. In this DevOps chat we speak with VP of Product David Habusha about White Source for Containers.

devops containers whitesource
All JavaScript Podcasts by Devchat.tv
JSJ 346: Azure Pipelines with Ed Thomson LIVE at Microsoft Ignite

All JavaScript Podcasts by Devchat.tv

Play Episode Listen Later Jan 8, 2019 43:19


Sponsors: KendoUI, Sentry (use the code "devchat" for $100 credit), Clubhouse. Panel: Charles Max Wood. Special Guests: Ed Thomson. In this episode, Charles speaks with Ed Thomson who is a Program Manager at Azure through Microsoft, Developer, and Open Source Maintainer. Ed and Chuck discuss Azure DevOps in full detail! Check out today’s episode to hear its new features and other exciting news! Show Topics: 0:59 – Live at Microsoft Ignite 1:03 – Ed: Hi! I am a Program Manager at Azure. 1:28 – Rewind 2 episodes to hear more about Azure DevOps! 1:51 – Ed: One of the moves from Pipelines to DevOps – they could still adopt Pipelines. Now that they are separate services – it’s great. 2:38 – Chuck talks about features he does and doesn’t use. 2:54 – Ed. 3:00 – Chuck: Repos and Pipelines. I am going to dive right in. Let’s talk about Repos. Microsoft just acquired GitHub. 3:18 – Ed: Technically we have not officially acquired GitHub. 3:34 – Chuck: It’s not done. It’s the end of September now. 3:55 – Ed: They will remain the same thing for a while. GitHub is the home for open source. Repos – we use it in Microsoft. Repositories are huge. There are 4,000 engineers working in these repositories. Everyone works in his or her own little area, and you have to work together. You have to do all this engineering to get there. We built a tool and it basically if you run clone... Ed continues to talk about this topic. He is talking about OneDrive and these repositories. 6:28 – Ed: We aren’t going to be mixing and matching. I used to work through GitHub. It’s exciting to see those people work close to me. 6:54 – Chuck. 6:59 – Ed: It has come a long way. 7:07 – Chuck: Beyond the FSF are we talking about other features or? 7:21 – Ed: We have unique features. We have branch policies. You can require that people do pull request. You have to use pull request and your CI has to pass and things like that. I think there is a lot of richness in our auditing. We have enterprise focus. 
At its core it still is Git. We can all interoperate. 8:17 – Chuck. 8:37 – Ed: You just can’t set it up with Apache. You have to figure it out. 8:51 – Chuck: The method of pushing and pulling. 9:06 – Chuck: You can try DevOps for free up to 5 users and unlimited private repos. People are interested in this because GitHub makes you pay for that. 9:38 – Ed and Chuck continue to talk. 9:50 – Ed: Pipelines is the most interesting thing we are working on. We have revamped the entire experience. Build and release. It’s easy to get started. We have a visual designer. Super helpful – super straightforward. Releases once your code is built – get it out to production say for example Azure. It’s the important thing to get your code out there. 10:55 – Chuck: How can someone start with this? 11:00 – Ed: Depends on where your repository is. It will look at your code. “Oh, I know what that is, I know how to build that!” Maybe everyone isn’t doing everything with JavaScript. If you are using DotNet then it will know. 12:05 – Chuck: What if I am using both a backend and a frontend? 12:11 – Ed: One repository? That’s when you will have to do a little hand packing on the... There are different opportunities there. If you have a bash script that does it for you. If not, then you can orchestrate it. Reduce the time it takes. If it’s an open source project; there’s 2 – what are you going to do with the other 8? You’d be surprised – people try to sneak that in there. 13:30 – Chuck: It seems like continuous integration isn’t a whole lot complicated. 13:39 – Ed: I am a simple guy that’s how I do it. You can do advanced stuff, though. The Cake Build system – they are doing some crazy things. We have got Windows, Linux, and others. Are you building for Raspberry Pis, then okay, do this... It’s not just running a script. 15:00 – Chuck: People do get pretty complicated if they want. It can get complicated. Who knows? 
15:26 – Chuck: How much work do you have to do to set up a Pipeline like that? 15:37 – Ed answers the question in detail. 16:03 – Chuck asks a question. 16:12 – Ed: Now this is where it gets contentious. If one fails... Our default task out of the box... 16:56 – Chuck: If you want 2 steps you can (like me who is crazy). 17:05 – Ed: Yes, I want to see if it failed. 17:17 – Chuck: Dude, writing code is hard. Once you have it built and tested – continuous deployment. 17:33 – Ed: It’s very easy. It’s super straightforward, it doesn’t have to be Azure (although I hope it is!). Ed continues this conversation. 18:43 – Chuck: And it just pulls it? 18:49 – Ed: Don’t poke holes into your firewall. We do give you a lot of flexibility. 19:04 – Chuck: VPN credentials? 19:10 – Ed: Just run the... 19:25 – Chuck comments. 19:36 – Ed: ...Take that Zip... 20:02 – Ed: Once the planets are finely aligned then...it will just pull from it. 20:25 – Chuck: I host my stuff on Digital Ocean. 20:46 – Ed: It’s been a while since I played with... 20:55 – Chuck. 20:59 – Ed and Chuck go back and forth with different situations and hypothetical situations. 21:10 – Ed: What is Phoenix? 21:20 – Chuck explains it. 21:25 – Ed: Here is what we probably don’t have is a lot of Erlang support. 22:41 – Advertisement. 23:31 – Chuck: Let’s just say it’s a possibility. We took the strip down node and... 23:49 – Ed: I think it’s going to happen. 23:55 – Ed: Exactly. 24:02 – Chuck: Testing against Azure services. So, it’s one thing to run on my machine but it’s another thing when other things connect nicely with an Azure set-up. Does it connect natively once it’s in the Azure cloud? 24:35 – Ed: It should, but there are so many services, so I don’t want to say that everything is identical. We will say yes with an asterisk. 25:07 – Chuck: With continuous deployment... 25:41 – Ed: As an example: I have a CD Pipeline for my website. Every time I merge into master... 
Ed continues this hypothetical situation with full details. Check it out! 27:03 – Chuck: You probably can do just about anything – deploy by Tweet! 27:15 – Ed: You can stop the deployment if people on Twitter start complaining. 27:40 – Chuck: That is awesome! If it is something you care about – and if it’s worth the time – then why not? If you don’t have to think about it then great. I have mentioned this before: Am I solving interesting problems? What projects do I want to work on? What kinds of contributions do I really want to contribute to open source? That’s the thing – if you have all these tools that are set-up then your process, how do you work on what, and remove the pain points then you can just write code so people can use! That’s the power of this – because it catches the bug before I have to catch it – then that saves me time. 30:08 – Ed: That’s the dream of computers is that the computers are supposed to make OUR lives easier. If we can do that and catch those bugs before you catch it then you are saving time. Finding bugs as quickly as possible avoids downtime and messy deployments. 31:03 – Chuck: Then you can use time for coding style and other things. I can take mental shortcuts. 31:37 – Ed: The other thing you can do is avoid security problems. If a static code analysis tool catches an integer overflow then... 32:30 – Chuck adds his comments. Chuck: You can set your policy to block it or ignore it. Then you are running these tools to run security. There are third-party tools that do security analysis on your code. Do you integrate with those? 33:00 – Ed: Yep. My favorite is WhiteSource. It knows all of the open source and third-party tools. It can scan your code and... 34:05 – Chuck: It works with a lot of languages. 34:14 – Ed. 34:25 – Chuck: A lot of JavaScript developers are getting into mobile development, like Ionic, and others. You have all these systems out there for different stages for writing for mobile. 
Android, Windows Phone, Blackberry... 35:04 – Ed: Let’s throw out Blackberry builds. We will ignore it. Mac OS does a fine job. That’s why we have all of those. 35:29 – Chuck: But I want to run my tests, too! 35:36 – Ed: I really like to use App Center. It is ultimately incredible to see all the tests you can run. 36:29 – Chuck: The deployment is different, though, right? 36:40 – Ed: I have a friend who clicks a button in... Azure DevOps. 37:00 – Chuck: I like to remind people that this isn’t a new product. 37:15 – Ed: Yes, Azure DevOps. 37:24 – Chuck: Any new features that are coming out? 37:27 – Ed: We took a little break, but... 37:47 – Ed: We will pick back up once Ignite is over. We have a timeline on our website when we expect to launch some new features, and some are secret, so keep checking out the website. 39:07 – Chuck: What is the interplay between Azure DevOps and Visual Studio Code? Because they have plugins for freaking everything. I am sure there is something there that... 39:30 – Ed: I am a VI guy and I’m like 90% sure there is something there. You are an Emacs guy? The way I think about it is through Git right out of the box. Yes, I think there are better things out there for integration. I know we have a lot of great things in Visual Code, because I worked with it. 40:45 – Chuck: Yes, people can look for extensions and see what the capabilities are. Chuck talks about code editor and tools. 41:28 – Ed: ... we have been pulling that out as quickly as possible. We do have IE extensions, I am sure there is something for VS Code – but it’s not where I want to spend my time. 42:02 – Chuck: Yes, sure. 42:07 – Ed: But everyone is different – they won’t work the way that I work. So there’s that. 42:30 – Ed: That Chuck. 42:36 – Chuck: Where do people get news? 42:42 – Ed: Go to here! 42:54 – Chuck: Where do people find you? 43:00 – Ed: Twitter! 43:07 – Chuck: Let’s do Picks! 43:20 – Advertisement – Fresh Books! 
Links: GitHub, Microsoft’s Azure, Microsoft’s Pipeline, Azure DevOps, Erlang, WhiteSource, Chuck’s Twitter, Ed Thomson’s Twitter, Ed Thomson’s GitHub, Ed Thomson’s Website, Ed Thomson’s LinkedIn. Picks: Ed: Podcast - All Things Git

JavaScript Jabber
JSJ 346: Azure Pipelines with Ed Thomson LIVE at Microsoft Ignite

JavaScript Jabber

Play Episode Listen Later Jan 8, 2019 43:19


Sponsors: KendoUI, Sentry (use the code "devchat" for $100 credit), Clubhouse. Panel: Charles Max Wood. Special Guests: Ed Thomson. In this episode, Charles speaks with Ed Thomson who is a Program Manager at Azure through Microsoft, Developer, and Open Source Maintainer. Ed and Chuck discuss Azure DevOps in full detail! Check out today’s episode to hear its new features and other exciting news! Show Topics: 0:59 – Live at Microsoft Ignite 1:03 – Ed: Hi! I am a Program Manager at Azure. 1:28 – Rewind 2 episodes to hear more about Azure DevOps! 1:51 – Ed: One of the moves from Pipelines to DevOps – they could still adopt Pipelines. Now that they are separate services – it’s great. 2:38 – Chuck talks about features he does and doesn’t use. 2:54 – Ed. 3:00 – Chuck: Repos and Pipelines. I am going to dive right in. Let’s talk about Repos. Microsoft just acquired GitHub. 3:18 – Ed: Technically we have not officially acquired GitHub. 3:34 – Chuck: It’s not done. It’s the end of September now. 3:55 – Ed: They will remain the same thing for a while. GitHub is the home for open source. Repos – we use it in Microsoft. Repositories are huge. There are 4,000 engineers working in these repositories. Everyone works in his or her own little area, and you have to work together. You have to do all this engineering to get there. We built a tool and it basically if you run clone... Ed continues to talk about this topic. He is talking about OneDrive and these repositories. 6:28 – Ed: We aren’t going to be mixing and matching. I used to work through GitHub. It’s exciting to see those people work close to me. 6:54 – Chuck. 6:59 – Ed: It has come a long way. 7:07 – Chuck: Beyond the FSF are we talking about other features or? 7:21 – Ed: We have unique features. We have branch policies. You can require that people do pull request. You have to use pull request and your CI has to pass and things like that. I think there is a lot of richness in our auditing. We have enterprise focus. 
At its core it still is Git. We can all interoperate. 8:17 – Chuck. 8:37 – Ed: You just can’t set it up with Apache. You have to figure it out. 8:51 – Chuck: The method of pushing and pulling. 9:06 – Chuck: You can try DevOps for free up to 5 users and unlimited private repos. People are interested in this because GitHub makes you pay for that. 9:38 – Ed and Chuck continue to talk. 9:50 – Ed: Pipelines is the most interesting thing we are working on. We have revamped the entire experience. Build and release. It’s easy to get started. We have a visual designer. Super helpful – super straightforward. Releases once your code is built – get it out to production say for example Azure. It’s the important thing to get your code out there. 10:55 – Chuck: How can someone start with this? 11:00 – Ed: Depends on where your repository is. It will look at your code. “Oh, I know what that is, I know how to build that!” Maybe everyone isn’t doing everything with JavaScript. If you are using DotNet then it will know. 12:05 – Chuck: What if I am using both a backend and a frontend? 12:11 – Ed: One repository? That’s when you will have to do a little hand packing on the... There are different opportunities there. If you have a bash script that does it for you. If not, then you can orchestrate it. Reduce the time it takes. If it’s an open source project; there’s 2 – what are you going to do with the other 8? You’d be surprised – people try to sneak that in there. 13:30 – Chuck: It seems like continuous integration isn’t a whole lot complicated. 13:39 – Ed: I am a simple guy that’s how I do it. You can do advanced stuff, though. The Cake Build system – they are doing some crazy things. We have got Windows, Linux, and others. Are you building for Raspberry Pis, then okay, do this... It’s not just running a script. 15:00 – Chuck: People do get pretty complicated if they want. It can get complicated. Who knows? 
15:26 – Chuck: How much work do you have to do to set up a Pipeline like that? 15:37 – Ed answers the question in detail. 16:03 – Chuck asks a question. 16:12 – Ed: Now this is where it gets contentious. If one fails... Our default task out of the box... 16:56 – Chuck: If you want 2 steps you can (like me who is crazy). 17:05 – Ed: Yes, I want to see if it failed. 17:17 – Chuck: Dude, writing code is hard. Once you have it built and tested – continuous deployment. 17:33 – Ed: It’s very easy. It’s super straightforward, it doesn’t have to be Azure (although I hope it is!). Ed continues this conversation. 18:43 – Chuck: And it just pulls it? 18:49 – Ed: Don’t poke holes into your firewall. We do give you a lot of flexibility. 19:04 – Chuck: VPN credentials? 19:10 – Ed: Just run the... 19:25 – Chuck comments. 19:36 – Ed: ...Take that Zip... 20:02 – Ed: Once the planets are finely aligned then...it will just pull from it. 20:25 – Chuck: I host my stuff on Digital Ocean. 20:46 – Ed: It’s been a while since I played with... 20:55 – Chuck. 20:59 – Ed and Chuck go back and forth with different situations and hypothetical situations. 21:10 – Ed: What is Phoenix? 21:20 – Chuck explains it. 21:25 – Ed: Here is what we probably don’t have is a lot of Erlang support. 22:41 – Advertisement. 23:31 – Chuck: Let’s just say it’s a possibility. We took the strip down node and... 23:49 – Ed: I think it’s going to happen. 23:55 – Ed: Exactly. 24:02 – Chuck: Testing against Azure services. So, it’s one thing to run on my machine but it’s another thing when other things connect nicely with an Azure set-up. Does it connect natively once it’s in the Azure cloud? 24:35 – Ed: It should, but there are so many services, so I don’t want to say that everything is identical. We will say yes with an asterisk. 25:07 – Chuck: With continuous deployment... 25:41 – Ed: As an example: I have a CD Pipeline for my website. Every time I merge into master... 
Ed continues this hypothetical situation with full details. Check it out! 27:03 – Chuck: You probably can do just about anything – deploy by Tweet! 27:15 – Ed: You can stop the deployment if people on Twitter start complaining. 27:40 – Chuck: That is awesome! If it is something you care about – and if it’s worth the time – then why not? If you don’t have to think about it then great. I have mentioned this before: Am I solving interesting problems? What projects do I want to work on? What kinds of contributions do I really want to contribute to open source? That’s the thing – if you have all these tools that are set-up then your process, how do you work on what, and remove the pain points then you can just write code so people can use! That’s the power of this – because it catches the bug before I have to catch it – then that saves me time. 30:08 – Ed: That’s the dream of computers is that the computers are supposed to make OUR lives easier. If we can do that and catch those bugs before you catch it then you are saving time. Finding bugs as quickly as possible avoids downtime and messy deployments. 31:03 – Chuck: Then you can use time for coding style and other things. I can take mental shortcuts. 31:37 – Ed: The other thing you can do is avoid security problems. If a static code analysis tool catches an integer overflow then... 32:30 – Chuck adds his comments. Chuck: You can set your policy to block it or ignore it. Then you are running these tools to run security. There are third-party tools that do security analysis on your code. Do you integrate with those? 33:00 – Ed: Yep. My favorite is WhiteSource. It knows all of the open source and third-party tools. It can scan your code and... 34:05 – Chuck: It works with a lot of languages. 34:14 – Ed. 34:25 – Chuck: A lot of JavaScript developers are getting into mobile development, like Ionic, and others. You have all these systems out there for different stages for writing for mobile. 
Android, Windows Phone, Blackberry... 35:04 – Ed: Let’s throw out Blackberry builds. We will ignore it. Mac OS does a fine job. That’s why we have all of those. 35:29 – Chuck: But I want to run my tests, too! 35:36 – Ed: I really like to use App Center. It is ultimately incredible to see all the tests you can run. 36:29 – Chuck: The deployment is different, though, right? 36:40 – Ed: I have a friend who clicks a button in... Azure DevOps. 37:00 – Chuck: I like to remind people that this isn’t a new product. 37:15 – Ed: Yes, Azure DevOps. 37:24 – Chuck: Any new features that are coming out? 37:27 – Ed: We took a little break, but... 37:47 – Ed: We will pick back up once Ignite is over. We have a timeline on our website when we expect to launch some new features, and some are secret, so keep checking out the website. 39:07 – Chuck: What is the interplay between Azure DevOps and Visual Studio Code? Because they have plugins for freaking everything. I am sure there is something there that... 39:30 – Ed: I am a VI guy and I’m like 90% sure there is something there. You are an Emacs guy? The way I think about it is through Git right out of the box. Yes, I think there are better things out there for integration. I know we have a lot of great things in Visual Code, because I worked with it. 40:45 – Chuck: Yes, people can look for extensions and see what the capabilities are. Chuck talks about code editor and tools. 41:28 – Ed: ... we have been pulling that out as quickly as possible. We do have IE extensions, I am sure there is something for VS Code – but it’s not where I want to spend my time. 42:02 – Chuck: Yes, sure. 42:07 – Ed: But everyone is different – they won’t work the way that I work. So there’s that. 42:30 – Ed: That Chuck. 42:36 – Chuck: Where do people get news? 42:42 – Ed: Go to here! 42:54 – Chuck: Where do people find you? 43:00 – Ed: Twitter! 43:07 – Chuck: Let’s do Picks! 43:20 – Advertisement – Fresh Books! 
Links: GitHub Microsoft’s Azure Microsoft’s Pipeline Azure DevOps Erlang WhiteSource Chuck’s Twitter Ed Thomson’s Twitter Ed Thomson’s GitHub Ed Thomson’s Website Ed Thomson’s LinkedIn Picks: Ed Podcast - All Things Git

Devchat.tv Master Feed
JSJ 346: Azure Pipelines with Ed Thomson LIVE at Microsoft Ignite

Devchat.tv Master Feed

Play Episode Listen Later Jan 8, 2019 43:19


Sponsors: KendoUI Sentry use the code "devchat" for $100 credit Clubhouse Panel: Charles Max Wood Special Guests: Ed Thomson In this episode, Charles speaks with Ed Thomson, who is a Program Manager at Azure through Microsoft, Developer, and Open Source Maintainer. Ed and Chuck discuss Azure DevOps in full detail! Check out today’s episode to hear its new features and other exciting news! Show Topics: 0:59 – Live at Microsoft Ignite 1:03 – Ed: Hi! I am a Program Manager at Azure. 1:28 – Rewind 2 episodes to hear more about Azure DevOps! 1:51 – Ed: One of the moves from Pipelines to DevOps – they could still adopt Pipelines. Now that they are separate services – it’s great. 2:38 – Chuck talks about features he does and doesn’t use. 2:54 – Ed. 3:00 – Chuck: Repos and Pipelines. I am going to dive right in. Let’s talk about Repos. Microsoft just acquired GitHub. 3:18 – Ed: Technically we have not officially acquired GitHub. 3:34 – Chuck: It’s not done. It’s the end of September now. 3:55 – Ed: They will remain the same thing for a while. GitHub is the home for open source. Repos – we use it in Microsoft. Repositories are huge. There are 4,000 engineers working in these repositories. Everyone works in his or her own little area, and you have to work together. You have to do all this engineering to get there. We built a tool and it basically if you run clone... Ed continues to talk about this topic. He is talking about One Drive and these repositories. 6:28 – Ed: We aren’t going to be mixing and matching. I used to work through GitHub. It’s exciting to see those people work close to me. 6:54 – Chuck. 6:59 – Ed: It has come a long way. 7:07 – Chuck: Beyond the FSF are we talking about other features or? 7:21 – Ed: We have unique features. We have branch policies. You can require that people do pull request. You have to use pull request and your CI has to pass and things like that. I think there is a lot of richness in our auditing. We have enterprise focus. 
At its core it still is Git. We can all interoperate. 8:17 – Chuck. 8:37 – Ed: You just can’t set it up with Apache. You have to figure it out. 8:51 – Chuck: The method of pushing and pulling. 9:06 – Chuck: You can try DevOps for free up to 5 users and unlimited private repos. People are interested in this because GitHub makes you pay for that. 9:38 – Ed and Chuck continue to talk. 9:50 – Ed: Pipelines is the most interesting thing we are working on. We have revamped the entire experience. Build and release. It’s easy to get started. We have a visual designer. Super helpful – super straightforward. Releases once your code is built – get it out to production say for example Azure. It’s the important thing to get your code out there. 10:55 – Chuck: How can someone start with this? 11:00 – Ed: Depends on where your repository is. It will look at your code. “Oh, I know what that is, I know how to build that!” Maybe everyone isn’t doing everything with JavaScript. If you are using DotNet then it will know. 12:05 – Chuck: What if I am using both a backend and a frontend? 12:11 – Ed: One repository? That’s when you will have to do a little hand packing on the... There are different opportunities there. If you have a bash script that does it for you. If not, then you can orchestrate it. Reduce the time it takes. If it’s an open source project; there’s 2 – what are you going to do with the other 8? You’d be surprised – people try to sneak that in there. 13:30 – Chuck: It seems like continuous integration isn’t a whole lot complicated. 13:39 – Ed: I am a simple guy that’s how I do it. You can do advanced stuff, though. The Cake Build system – they are doing some crazy things. We have got Windows, Linux, and others. Are you building for Raspberry Pis, then okay, do this... It’s not just running a script. 15:00 – Chuck: People do get pretty complicated if they want. It can get complicated. Who knows? 
15:26 – Chuck:  How much work do you have to do to set-up a Pipeline like that? 15:37 – Ed answers the question in detail. 16:03 – Chuck asks a question. 16:12 – Ed: Now this is where it gets contentious. If one fails... Our default task out of the box... 16:56 – Chuck: If you want 2 steps you can (like me who is crazy). 17:05 – Ed: Yes, I want to see if it failed. 17:17 – Chuck: Dude, writing code is hard. Once you have it built and tested – continuous deployment. 17:33 – Ed: It’s very easy. It’s super straightforward, it doesn’t have to be Azure (although I hope it is!). Ed continues this conversation. 18:43 – Chuck: And it just pulls it? 18:49 – Ed: Don’t poke holes into your firewall. We do give you a lot of flexibility 19:04 – Chuck: VPN credentials? 19:10 – Ed: Just run the... 19:25 – Chuck comments. 19:36 – Ed: ...Take that Zip... 20:02 – Ed: Once the planets are finely aligned then...it will just pull from it. 20:25 – Chuck: I host my stuff on Digital Ocean. 20:46 – Ed: It’s been awhile since I played with... 20:55 – Chuck. 20:59 – Ed and Chuck go back and forth with different situations and hypothetical situations. 21:10 – Ed: What is Phoenix? 21:20 – Chuck explains it. 21:25 – Ed: Here is what we probably don’t have is a lot of ERLANG support. 22:41 – Advertisement. 23:31 – Chuck: Let’s just say it’s a possibility. We took the strip down node and... 23:49 – Ed: I think it’s going to happen. 23:55 – Ed: Exactly. 24:02 – Chuck: Testing against Azure services. So, it’s one thing to run on my machine but it’s another thing when other things connect nicely with an Azure set-up. Does it connect natively once it’s in the Azure cloud? 24:35 – Ed: It should, but there are so many services, so I don’t want to say that everything is identical. We will say yes with an asterisk. 25:07 – Chuck: With continuous deployment... 25:41 – Ed: As an example: I have a CD Pipeline for my website. Every time I merge into master... 
Ed continues this hypothetical situation with full details. Check it out! 27:03 – Chuck: You probably can do just about anything – deploy by Tweet! 27:15 – Ed: You can stop the deployment if people on Twitter start complaining. 27:40 – Chuck: That is awesome! IF it is something you care about – and if it’s worth the time – then why not? If you don’t have to think about it then great. I have mentioned this before: Am I solving interesting problems? What projects do I want to work on? What kinds of contributions do I really want to contribute to open source? That’s the thing – if you have all these tools that are set-up then your process, how do you work on what, and remove the pain points then you can just write code so people can use! That’s the power of this – because it catches the bug before I have to catch it – then that saves me time. 30:08 – Ed: That’s the dream of computers is that the computers are supposed to make OUR lives easier. IF we can do that and catch those bugs before you catch it then you are saving time. Finding bugs as quickly as possible it avoids downtime and messy deployments. 31:03 – Chuck: Then you can use time for coding style and other things. I can take mental shortcuts. 31:37 – Ed: The other thing you can do is avoiding security problems. If a static code analysis tool catches an integer overflow then... 32:30 – Chuck adds his comments. Chuck: You can set your policy to block it or ignore it. Then you are running these tools to run security. There are third-party tools that do security analysis on your code. Do you integrate with those? 33:00 – Ed: Yep. My favorite is WhiteSource. It knows all of the open source and third-party tools. It can scan your code and... 34:05 – Chuck: It works with a lot of languages. 34:14 – Ed. 34:25 – Chuck: A lot of JavaScript developers are getting into mobile development, like Ionic, and others. You have all these systems out there for different stages for writing for mobile. 
Android, Windows Phone, Blackberry... 35:04 – Ed: Let’s throw out Blackberry builds. We will ignore it. Mac OS does a fine job. That’s why we have all of those. 35:29 – Chuck: But I want to run my tests, too! 35:36 – Ed: I really like to use App Center. It is ultimately incredible to see all the tests you can run. 36:29 – Chuck: The deployment is different, though, right? 36:40 – Ed: I have a friend who clicks a button in... Azure DevOps. 37:00 – Chuck: I like to remind people that this isn’t a new product. 37:15 – Ed: Yes, Azure DevOps. 37:24 – Chuck: Any new features that are coming out? 37:27 – Ed: We took a little break, but... 37:47 – Ed: We will pick back up once Ignite is over. We have a timeline on our website when we expect to launch some new features, and some are secret, so keep checking out the website. 39:07 – Chuck: What is the interplay between Azure DevOps and Visual Studio Code? Because they have plugins for freaking everything. I am sure there is something there that... 39:30 – Ed: I am a VI guy and I’m like 90% sure there is something there. You are an Emacs guy? The way I think about it is through Git right out of the box. Yes, I think there are better things out there for integration. I know we have a lot of great things in Visual Code, because I worked with it. 40:45 – Chuck: Yes, people can look for extensions and see what the capabilities are. Chuck talks about code editor and tools. 41:28 – Ed: ... we have been pulling that out as quickly as possible. We do have IE extensions, I am sure there is something for VS Code – but it’s not where I want to spend my time. 42:02 – Chuck: Yes, sure. 42:07 – Ed: But everyone is different – they won’t work the way that I work. So there’s that. 42:30 – Ed: That Chuck. 42:36 – Chuck: Where do people get news? 42:42 – Ed: Go to here! 42:54 – Chuck: Where do people find you? 43:00 – Ed: Twitter! 43:07 – Chuck: Let’s do Picks! 43:20 – Advertisement – Fresh Books! 
Links: GitHub Microsoft’s Azure Microsoft’s Pipeline Azure DevOps Erlang WhiteSource Chuck’s Twitter Ed Thomson’s Twitter Ed Thomson’s GitHub Ed Thomson’s Website Ed Thomson’s LinkedIn Picks: Ed Podcast - All Things Git

Views on Vue
VoV 043: Azure Pipelines with Ed Thomson LIVE at Microsoft Ignite

Views on Vue

Play Episode Listen Later Dec 25, 2018 48:59


Panel: Charles Max Wood Special Guests: Ed Thomson In this episode, Charles speaks with Ed Thomson, who is a Program Manager at Azure through Microsoft, Developer, and Open Source Maintainer. Ed and Chuck discuss Azure DevOps in full detail! Check out today’s episode to hear its new features and other exciting news! Show Topics: 0:59 – Live at Microsoft Ignite 1:03 – Ed: Hi! I am a Program Manager at Azure. 1:28 – Rewind 2 episodes to hear more about Azure DevOps! 1:51 – Ed: One of the moves from Pipelines to DevOps – they could still adopt Pipelines. Now that they are separate services – it’s great. 2:38 – Chuck talks about features he does and doesn’t use. 2:54 – Ed. 3:00 – Chuck: Repos and Pipelines. I am going to dive right in. Let’s talk about Repos. Microsoft just acquired GitHub. 3:18 – Ed: Technically we have not officially acquired GitHub. 3:34 – Chuck: It’s not done. It’s the end of September now. 3:55 – Ed: They will remain the same thing for a while. GitHub is the home for open source. Repos – we use it in Microsoft. Repositories are huge. There are 4,000 engineers working in these repositories. Everyone works in his or her own little area, and you have to work together. You have to do all this engineering to get there. We built a tool and it basically if you run clone... Ed continues to talk about this topic. He is talking about One Drive and these repositories. 6:28 – Ed: We aren’t going to be mixing and matching. I used to work through GitHub. It’s exciting to see those people work close to me. 6:54 – Chuck. 6:59 – Ed: It has come a long way. 7:07 – Chuck: Beyond the FSF are we talking about other features or? 7:21 – Ed: We have unique features. We have branch policies. You can require that people do pull request. You have to use pull request and your CI has to pass and things like that. I think there is a lot of richness in our auditing. We have enterprise focus. At its core it still is Git. We can all interoperate. 8:17 – Chuck. 
8:37 – Ed: You just can’t set it up with Apache. You have to figure it out. 8:51 – Chuck: The method of pushing and pulling. 9:06 – Chuck: You can try DevOps for free up to 5 users and unlimited private repos. People are interested in this because GitHub makes you pay for that. 9:38 – Ed and Chuck continue to talk. 9:50 – Ed: Pipelines is the most interesting thing we are working on. We have revamped the entire experience. Build and release. It’s easy to get started. We have a visual designer. Super helpful – super straightforward. Releases once your code is built – get it out to production say for example Azure. It’s the important thing to get your code out there. 10:55 – Chuck: How can someone start with this? 11:00 – Ed: Depends on where your repository is. It will look at your code. “Oh, I know what that is, I know how to build that!” Maybe everyone isn’t doing everything with JavaScript. If you are using DotNet then it will know. 12:05 – Chuck: What if I am using both a backend and a frontend? 12:11 – Ed: One repository? That’s when you will have to do a little hand packing on the... There are different opportunities there. If you have a bash script that does it for you. If not, then you can orchestrate it. Reduce the time it takes. If it’s an open source project; there’s 2 – what are you going to do with the other 8? You’d be surprised – people try to sneak that in there. 13:30 – Chuck: It seems like continuous integration isn’t a whole lot complicated. 13:39 – Ed: I am a simple guy that’s how I do it. You can do advanced stuff, though. The Cake Build system – they are doing some crazy things. We have got Windows, Linux, and others. Are you building for Raspberry Pis, then okay, do this... It’s not just running a script. 15:00 – Chuck: People do get pretty complicated if they want. It can get complicated. Who knows? 15:26 – Chuck: How much work do you have to do to set up a Pipeline like that? 15:37 – Ed answers the question in detail. 
16:03 – Chuck asks a question. 16:12 – Ed: Now this is where it gets contentious. If one fails... Our default task out of the box... 16:56 – Chuck: If you want 2 steps you can (like me who is crazy). 17:05 – Ed: Yes, I want to see if it failed. 17:17 – Chuck: Dude, writing code is hard. Once you have it built and tested – continuous deployment. 17:33 – Ed: It’s very easy. It’s super straightforward, it doesn’t have to be Azure (although I hope it is!). Ed continues this conversation. 18:43 – Chuck: And it just pulls it? 18:49 – Ed: Don’t poke holes into your firewall. We do give you a lot of flexibility 19:04 – Chuck: VPN credentials? 19:10 – Ed: Just run the... 19:25 – Chuck comments. 19:36 – Ed: ...Take that Zip... 20:02 – Ed: Once the planets are finely aligned then...it will just pull from it. 20:25 – Chuck: I host my stuff on Digital Ocean. 20:46 – Ed: It’s been awhile since I played with... 20:55 – Chuck. 20:59 – Ed and Chuck go back and forth with different situations and hypothetical situations. 21:10 – Ed: What is Phoenix? 21:20 – Chuck explains it. 21:25 – Ed: Here is what we probably don’t have is a lot of ERLANG support. 22:41 – Advertisement. 23:31 – Chuck: Let’s just say it’s a possibility. We took the strip down node and... 23:49 – Ed: I think it’s going to happen. 23:55 – Ed: Exactly. 24:02 – Chuck: Testing against Azure services. So, it’s one thing to run on my machine but it’s another thing when other things connect nicely with an Azure set-up. Does it connect natively once it’s in the Azure cloud? 24:35 – Ed: It should, but there are so many services, so I don’t want to say that everything is identical. We will say yes with an asterisk. 25:07 – Chuck: With continuous deployment... 25:41 – Ed: As an example: I have a CD Pipeline for my website. Every time I merge into master... Ed continues this hypothetical situation with full details. Check it out! 27:03 – Chuck: You probably can do just about anything – deploy by Tweet! 
27:15 – Ed: You can stop the deployment if people on Twitter start complaining. 27:40 – Chuck: That is awesome! IF it is something you care about – and if it’s worth the time – then why not? If you don’t have to think about it then great. I have mentioned this before: Am I solving interesting problems? What projects do I want to work on? What kinds of contributions do I really want to contribute to open source? That’s the thing – if you have all these tools that are set-up then your process, how do you work on what, and remove the pain points then you can just write code so people can use! That’s the power of this – because it catches the bug before I have to catch it – then that saves me time. 30:08 – Ed: That’s the dream of computers is that the computers are supposed to make OUR lives easier. IF we can do that and catch those bugs before you catch it then you are saving time. Finding bugs as quickly as possible it avoids downtime and messy deployments. 31:03 – Chuck: Then you can use time for coding style and other things. I can take mental shortcuts. 31:37 – Ed: The other thing you can do is avoiding security problems. If a static code analysis tool catches an integer overflow then... 32:30 – Chuck adds his comments. Chuck: You can set your policy to block it or ignore it. Then you are running these tools to run security. There are third-party tools that do security analysis on your code. Do you integrate with those? 33:00 – Ed: Yep. My favorite is WhiteSource. It knows all of the open source and third-party tools. It can scan your code and... 34:05 – Chuck: It works with a lot of languages. 34:14 – Ed. 34:25 – Chuck: A lot of JavaScript developers are getting into mobile development, like Ionic, and others. You have all these systems out there for different stages for writing for mobile. Android, Windows Phone, Blackberry... 35:04 – Ed: Let’s throw out Blackberry builds. We will ignore it. Mac OS does a fine job. That’s why we have all of those. 
35:29 – Chuck: But I want to run my tests, too! 35:36 – Ed: I really like to use App Center. It is ultimately incredible to see all the tests you can run. 36:29 – Chuck: The deployment is different, though, right? 36:40 – Ed: I have a friend who clicks a button in... Azure DevOps. 37:00 – Chuck: I like to remind people that this isn’t a new product. 37:15 – Ed: Yes, Azure DevOps. 37:24 – Chuck: Any new features that are coming out? 37:27 – Ed: We took a little break, but... 37:47 – Ed: We will pick back up once Ignite is over. We have a timeline on our website when we expect to launch some new features, and some are secret, so keep checking out the website. 39:07 – Chuck: What is the interplay between Azure DevOps and Visual Studio Code? Because they have plugins for freaking everything. I am sure there is something there that... 39:30 – Ed: I am a VI guy and I’m like 90% sure there is something there. You are an Emacs guy? The way I think about it is through Git right out of the box. Yes, I think there are better things out there for integration. I know we have a lot of great things in Visual Code, because I worked with it. 40:45 – Chuck: Yes, people can look for extensions and see what the capabilities are. Chuck talks about code editor and tools. 41:28 – Ed: ... we have been pulling that out as quickly as possible. We do have IE extensions, I am sure there is something for VS Code – but it’s not where I want to spend my time. 42:02 – Chuck: Yes, sure. 42:07 – Ed: But everyone is different – they won’t work the way that I work. So there’s that. 42:30 – Ed: That Chuck. 42:36 – Chuck: Where do people get news? 42:42 – Ed: Go to here! 42:54 – Chuck: Where do people find you? 43:00 – Ed: Twitter! 43:07 – Chuck: Let’s do Picks! 43:20 – Advertisement – Fresh Books! 
Links: GitHub Microsoft’s Azure Microsoft’s Pipeline Azure DevOps Erlang WhiteSource Chuck’s Twitter Ed Thomson’s Twitter Ed Thomson’s GitHub Ed Thomson’s Website Ed Thomson’s LinkedIn Sponsors: Angular Boot Camp Fresh Books Get a Coder Job Course Picks: Ed Podcast - All Things Git

Devchat.tv Master Feed
VoV 043: Azure Pipelines with Ed Thomson LIVE at Microsoft Ignite

Devchat.tv Master Feed

Play Episode Listen Later Dec 25, 2018 48:59


Panel: Charles Max Wood Special Guests: Ed Thomson In this episode, Charles speaks with Ed Thomson, who is a Program Manager at Azure through Microsoft, Developer, and Open Source Maintainer. Ed and Chuck discuss Azure DevOps in full detail! Check out today’s episode to hear its new features and other exciting news! Show Topics: 0:59 – Live at Microsoft Ignite 1:03 – Ed: Hi! I am a Program Manager at Azure. 1:28 – Rewind 2 episodes to hear more about Azure DevOps! 1:51 – Ed: One of the moves from Pipelines to DevOps – they could still adopt Pipelines. Now that they are separate services – it’s great. 2:38 – Chuck talks about features he does and doesn’t use. 2:54 – Ed. 3:00 – Chuck: Repos and Pipelines. I am going to dive right in. Let’s talk about Repos. Microsoft just acquired GitHub. 3:18 – Ed: Technically we have not officially acquired GitHub. 3:34 – Chuck: It’s not done. It’s the end of September now. 3:55 – Ed: They will remain the same thing for a while. GitHub is the home for open source. Repos – we use it in Microsoft. Repositories are huge. There are 4,000 engineers working in these repositories. Everyone works in his or her own little area, and you have to work together. You have to do all this engineering to get there. We built a tool and it basically if you run clone... Ed continues to talk about this topic. He is talking about One Drive and these repositories. 6:28 – Ed: We aren’t going to be mixing and matching. I used to work through GitHub. It’s exciting to see those people work close to me. 6:54 – Chuck. 6:59 – Ed: It has come a long way. 7:07 – Chuck: Beyond the FSF are we talking about other features or? 7:21 – Ed: We have unique features. We have branch policies. You can require that people do pull request. You have to use pull request and your CI has to pass and things like that. I think there is a lot of richness in our auditing. We have enterprise focus. At its core it still is Git. We can all interoperate. 8:17 – Chuck. 
8:37 – Ed: You just can’t set it up with Apache. You have to figure it out. 8:51 – Chuck: The method of pushing and pulling. 9:06 – Chuck: You can try DevOps for free up to 5 users and unlimited private repos. People are interested in this because GitHub makes you pay for that. 9:38 – Ed and Chuck continue to talk. 9:50 – Ed: Pipelines is the most interesting thing we are working on. We have revamped the entire experience. Build and release. It’s easy to get started. We have a visual designer. Super helpful – super straightforward. Releases once your code is built – get it out to production say for example Azure. It’s the important thing to get your code out there. 10:55 – Chuck: How can someone start with this? 11:00 – Ed: Depends on where your repository is. It will look at your code. “Oh, I know what that is, I know how to build that!” Maybe everyone isn’t doing everything with JavaScript. If you are using DotNet then it will know. 12:05 – Chuck: What if I am using both a backend and a frontend? 12:11 – Ed: One repository? That’s when you will have to do a little hand packing on the... There are different opportunities there. If you have a bash script that does it for you. If not, then you can orchestrate it. Reduce the time it takes. If it’s an open source project; there’s 2 – what are you going to do with the other 8? You’d be surprised – people try to sneak that in there. 13:30 – Chuck: It seems like continuous integration isn’t a whole lot complicated. 13:39 – Ed: I am a simple guy that’s how I do it. You can do advanced stuff, though. The Cake Build system – they are doing some crazy things. We have got Windows, Linux, and others. Are you building for Raspberry Pis, then okay, do this... It’s not just running a script. 15:00 – Chuck: People do get pretty complicated if they want. It can get complicated. Who knows? 15:26 – Chuck: How much work do you have to do to set up a Pipeline like that? 15:37 – Ed answers the question in detail. 
16:03 – Chuck asks a question. 16:12 – Ed: Now this is where it gets contentious. If one fails... Our default task out of the box... 16:56 – Chuck: If you want 2 steps you can (like me who is crazy). 17:05 – Ed: Yes, I want to see if it failed. 17:17 – Chuck: Dude, writing code is hard. Once you have it built and tested – continuous deployment. 17:33 – Ed: It’s very easy. It’s super straightforward, it doesn’t have to be Azure (although I hope it is!). Ed continues this conversation. 18:43 – Chuck: And it just pulls it? 18:49 – Ed: Don’t poke holes into your firewall. We do give you a lot of flexibility. 19:04 – Chuck: VPN credentials? 19:10 – Ed: Just run the... 19:25 – Chuck comments. 19:36 – Ed: ...Take that Zip... 20:02 – Ed: Once the planets are finely aligned then...it will just pull from it. 20:25 – Chuck: I host my stuff on Digital Ocean. 20:46 – Ed: It’s been a while since I played with... 20:55 – Chuck. 20:59 – Ed and Chuck go back and forth with different situations and hypothetical situations. 21:10 – Ed: What is Phoenix? 21:20 – Chuck explains it. 21:25 – Ed: Here is what we probably don’t have is a lot of Erlang support. 22:41 – Advertisement. 23:31 – Chuck: Let’s just say it’s a possibility. We took the strip down node and... 23:49 – Ed: I think it’s going to happen. 23:55 – Ed: Exactly. 24:02 – Chuck: Testing against Azure services. So, it’s one thing to run on my machine but it’s another thing when other things connect nicely with an Azure set-up. Does it connect natively once it’s in the Azure cloud? 24:35 – Ed: It should, but there are so many services, so I don’t want to say that everything is identical. We will say yes with an asterisk. 25:07 – Chuck: With continuous deployment... 25:41 – Ed: As an example: I have a CD Pipeline for my website. Every time I merge into master... Ed continues this hypothetical situation with full details. Check it out! 27:03 – Chuck: You probably can do just about anything – deploy by Tweet!
27:15 – Ed: You can stop the deployment if people on Twitter start complaining. 27:40 – Chuck: That is awesome! If it is something you care about – and if it’s worth the time – then why not? If you don’t have to think about it then great. I have mentioned this before: Am I solving interesting problems? What projects do I want to work on? What kinds of contributions do I really want to contribute to open source? That’s the thing – if you have all these tools that are set up then your process, how do you work on what, and remove the pain points then you can just write code so people can use! That’s the power of this – because it catches the bug before I have to catch it – then that saves me time. 30:08 – Ed: That’s the dream of computers is that the computers are supposed to make OUR lives easier. If we can do that and catch those bugs before you catch it then you are saving time. Finding bugs as quickly as possible avoids downtime and messy deployments. 31:03 – Chuck: Then you can use time for coding style and other things. I can take mental shortcuts. 31:37 – Ed: The other thing you can do is avoid security problems. If a static code analysis tool catches an integer overflow then... 32:30 – Chuck adds his comments. Chuck: You can set your policy to block it or ignore it. Then you are running these tools to run security. There are third-party tools that do security analysis on your code. Do you integrate with those? 33:00 – Ed: Yep. My favorite is WhiteSource. It knows all of the open source and third-party tools. It can scan your code and... 34:05 – Chuck: It works with a lot of languages. 34:14 – Ed. 34:25 – Chuck: A lot of JavaScript developers are getting into mobile development, like Ionic, and others. You have all these systems out there for different stages for writing for mobile. Android, Windows Phone, Blackberry... 35:04 – Ed: Let’s throw out Blackberry builds. We will ignore it. Mac OS does a fine job. That’s why we have all of those.
35:29 – Chuck: But I want to run my tests, too! 35:36 – Ed: I really like to use App Center. It is ultimately incredible to see all the tests you can run. 36:29 – Chuck: The deployment is different, though, right? 36:40 – Ed: I have a friend who clicks a button in... Azure DevOps. 37:00 – Chuck: I like to remind people that this isn’t a new product. 37:15 – Ed: Yes, Azure DevOps. 37:24 – Chuck: Any new features that are coming out? 37:27 – Ed: We took a little break, but... 37:47 – Ed: We will pick back up once Ignite is over. We have a timeline on our website when we expect to launch some new features, and some are secret, so keep checking out the website. 39:07 – Chuck: What is the interplay between Azure DevOps and Visual Studio Code? Because they have plugins for freaking everything. I am sure there is something there that... 39:30 – Ed: I am a VI guy and I’m like 90% sure there is something there. You are an Emacs guy? The way I think about it is through Git right out of the box. Yes, I think there are better things out there for integration. I know we have a lot of great things in Visual Code, because I worked with it. 40:45 – Chuck: Yes, people can look for extensions and see what the capabilities are. Chuck talks about code editor and tools. 41:28 – Ed: ... we have been pulling that out as quickly as possible. We do have IE extensions, I am sure there is something for VS Code – but it’s not where I want to spend my time. 42:02 – Chuck: Yes, sure. 42:07 – Ed: But everyone is different – they won’t work the way that I work. So there’s that. 42:30 – Ed: That Chuck. 42:36 – Chuck: Where do people get news? 42:42 – Ed: Go to here! 42:54 – Chuck: Where do people find you? 43:00 – Ed: Twitter! 43:07 – Chuck: Let’s do Picks! 43:20 – Advertisement – Fresh Books!
Links: GitHub; Microsoft’s Azure; Microsoft’s Pipeline; Azure DevOps; Erlang; WhiteSource; Chuck’s Twitter; Ed Thomson’s Twitter; Ed Thomson’s GitHub; Ed Thomson’s Website; Ed Thomson’s LinkedIn
Sponsors: Angular Boot Camp; Fresh Books; Get a Coder Job Course
Picks: Ed: Podcast - All Things Git

React Round Up
RRU 038: Azure Pipelines with Ed Thomson LIVE at Microsoft Ignite

Nov 20, 2018 (48:52)


Panel: Charles Max Wood Special Guests: Ed Thomson In this episode of React Round Up, Charles speaks with Ed Thomson, who is a Program Manager at Azure through Microsoft, Developer, and Open Source Maintainer. Ed and Chuck discuss Azure DevOps in full detail! Check out today’s episode to hear its new features and other exciting news! Show Topics: 0:59 – Live at Microsoft Ignite 1:03 – Ed: Hi! I am a Program Manager at Azure. 1:28 – Rewind 2 episodes to hear more about Azure DevOps! 1:51 – Ed: One of the moves from Pipelines to DevOps – they could still adopt Pipelines. Now that they are separate services – it’s great. 2:38 – Chuck talks about features he does and doesn’t use. 2:54 – Ed. 3:00 – Chuck: Repos and Pipelines. I am going to dive right in. Let’s talk about Repos. Microsoft just acquired GitHub. 3:18 – Ed: Technically we have not officially acquired GitHub. 3:34 – Chuck: It’s not done. It’s the end of September now. 3:55 – Ed: They will remain the same thing for a while. GitHub is the home for open source. Repos – we use it in Microsoft. Repositories are huge. There are 4,000 engineers working in these repositories. Everyone works in his or her own little area, and you have to work together. You have to do all this engineering to get there. We built a tool and it basically if you run clone... Ed continues to talk about this topic. He is talking about One Drive and these repositories. 6:28 – Ed: We aren’t going to be mixing and matching. I used to work through GitHub. It’s exciting to see those people work close to me. 6:54 – Chuck. 6:59 – Ed: It has come a long way. 7:07 – Chuck: Beyond the FSF are we talking about other features or? 7:21 – Ed: We have unique features. We have branch policies. You can require that people do pull requests. You have to use pull requests and your CI has to pass and things like that. I think there is a lot of richness in our auditing. We have enterprise focus. At its core it still is Git. We can all interoperate.
8:17 – Chuck. 8:37 – Ed: You just can’t set it up with Apache. You have to figure it out. 8:51 – Chuck: The method of pushing and pulling. 9:06 – Chuck: You can try DevOps for free up to 5 users and unlimited private repos. People are interested in this because GitHub makes you pay for that. 9:38 – Ed and Chuck continue to talk. 9:50 – Ed: Pipelines is the most interesting thing we are working on. We have revamped the entire experience. Build and release. It’s easy to get started. We have a visual designer. Super helpful – super straightforward. Releases once your code is built – get it out to production say for example Azure. It’s the important thing to get your code out there. 10:55 – Chuck: How can someone start with this? 11:00 – Ed: Depends on where your repository is. It will look at your code. “Oh, I know what that is, I know how to build that!” Maybe everyone isn’t doing everything with JavaScript. If you are using DotNet then it will know. 12:05 – Chuck: What if I am using both a backend and a frontend? 12:11 – Ed: One repository? That’s when you will have to do a little hand packing on the... There are different opportunities there. If you have a bash script that does it for you. If not, then you can orchestrate it. Reduce the time it takes. If it’s an open source project; there’s 2 – what are you going to do with the other 8? You’d be surprised – people try to sneak that in there. 13:30 – Chuck: It seems like continuous integration isn’t a whole lot complicated. 13:39 – Ed: I am a simple guy; that’s how I do it. You can do advanced stuff, though. The Cake Build system – they are doing some crazy things. We have got Windows, Linux, and others. Are you building for Raspberry Pis, then okay, do this... It’s not just running a script. 15:00 – Chuck: People do get pretty complicated if they want. It can get complicated. Who knows? 15:26 – Chuck: How much work do you have to do to set up a Pipeline like that? 15:37 – Ed answers the question in detail.
16:03 – Chuck asks a question. 16:12 – Ed: Now this is where it gets contentious. If one fails... Our default task out of the box... 16:56 – Chuck: If you want 2 steps you can (like me who is crazy). 17:05 – Ed: Yes, I want to see if it failed. 17:17 – Chuck: Dude, writing code is hard. Once you have it built and tested – continuous deployment. 17:33 – Ed: It’s very easy. It’s super straightforward, it doesn’t have to be Azure (although I hope it is!). Ed continues this conversation. 18:43 – Chuck: And it just pulls it? 18:49 – Ed: Don’t poke holes into your firewall. We do give you a lot of flexibility. 19:04 – Chuck: VPN credentials? 19:10 – Ed: Just run the... 19:25 – Chuck comments. 19:36 – Ed: ...Take that Zip... 20:02 – Ed: Once the planets are finely aligned then...it will just pull from it. 20:25 – Chuck: I host my stuff on Digital Ocean. 20:46 – Ed: It’s been a while since I played with... 20:55 – Chuck. 20:59 – Ed and Chuck go back and forth with different situations and hypothetical situations. 21:10 – Ed: What is Phoenix? 21:20 – Chuck explains it. 21:25 – Ed: Here is what we probably don’t have is a lot of Erlang support. 22:41 – Advertisement. 23:31 – Chuck: Let’s just say it’s a possibility. We took the strip down node and... 23:49 – Ed: I think it’s going to happen. 23:55 – Ed: Exactly. 24:02 – Chuck: Testing against Azure services. So, it’s one thing to run on my machine but it’s another thing when other things connect nicely with an Azure set-up. Does it connect natively once it’s in the Azure cloud? 24:35 – Ed: It should, but there are so many services, so I don’t want to say that everything is identical. We will say yes with an asterisk. 25:07 – Chuck: With continuous deployment... 25:41 – Ed: As an example: I have a CD Pipeline for my website. Every time I merge into master... Ed continues this hypothetical situation with full details. Check it out! 27:03 – Chuck: You probably can do just about anything – deploy by Tweet!
27:15 – Ed: You can stop the deployment if people on Twitter start complaining. 27:40 – Chuck: That is awesome! If it is something you care about – and if it’s worth the time – then why not? If you don’t have to think about it then great. I have mentioned this before: Am I solving interesting problems? What projects do I want to work on? What kinds of contributions do I really want to contribute to open source? That’s the thing – if you have all these tools that are set up then your process, how do you work on what, and remove the pain points then you can just write code so people can use! That’s the power of this – because it catches the bug before I have to catch it – then that saves me time. 30:08 – Ed: That’s the dream of computers is that the computers are supposed to make OUR lives easier. If we can do that and catch those bugs before you catch it then you are saving time. Finding bugs as quickly as possible avoids downtime and messy deployments. 31:03 – Chuck: Then you can use time for coding style and other things. I can take mental shortcuts. 31:37 – Ed: The other thing you can do is avoid security problems. If a static code analysis tool catches an integer overflow then... 32:30 – Chuck adds his comments. Chuck: You can set your policy to block it or ignore it. Then you are running these tools to run security. There are third-party tools that do security analysis on your code. Do you integrate with those? 33:00 – Ed: Yep. My favorite is WhiteSource. It knows all of the open source and third-party tools. It can scan your code and... 34:05 – Chuck: It works with a lot of languages. 34:14 – Ed. 34:25 – Chuck: A lot of JavaScript developers are getting into mobile development, like Ionic, and others. You have all these systems out there for different stages for writing for mobile. Android, Windows Phone, Blackberry... 35:04 – Ed: Let’s throw out Blackberry builds. We will ignore it. Mac OS does a fine job. That’s why we have all of those.
35:29 – Chuck: But I want to run my tests, too! 35:36 – Ed: I really like to use App Center. It is ultimately incredible to see all the tests you can run. 36:29 – Chuck: The deployment is different, though, right? 36:40 – Ed: I have a friend who clicks a button in... Azure DevOps. 37:00 – Chuck: I like to remind people that this isn’t a new product. 37:15 – Ed: Yes, Azure DevOps. 37:24 – Chuck: Any new features that are coming out? 37:27 – Ed: We took a little break, but... 37:47 – Ed: We will pick back up once Ignite is over. We have a timeline on our website when we expect to launch some new features, and some are secret, so keep checking out the website. 39:07 – Chuck: What is the interplay between Azure DevOps and Visual Studio Code? Because they have plugins for freaking everything. I am sure there is something there that... 39:30 – Ed: I am a VI guy and I’m like 90% sure there is something there. You are an Emacs guy? The way I think about it is through Git right out of the box. Yes, I think there are better things out there for integration. I know we have a lot of great things in Visual Code, because I worked with it. 40:45 – Chuck: Yes, people can look for extensions and see what the capabilities are. Chuck talks about code editor and tools. 41:28 – Ed: ... we have been pulling that out as quickly as possible. We do have IE extensions, I am sure there is something for VS Code – but it’s not where I want to spend my time. 42:02 – Chuck: Yes, sure. 42:07 – Ed: But everyone is different – they won’t work the way that I work. So there’s that. 42:30 – Ed: That Chuck. 42:36 – Chuck: Where do people get news? 42:42 – Ed: Go to here! 42:54 – Chuck: Where do people find you? 43:00 – Ed: Twitter! 43:07 – Chuck: Let’s do Picks! 43:20 – Advertisement – Fresh Books!
Links: GitHub; Microsoft’s Azure; Microsoft’s Pipeline; Azure DevOps; Erlang; WhiteSource; Chuck’s Twitter; Ed Thomson’s Twitter; Ed Thomson’s GitHub; Ed Thomson’s Website; Ed Thomson’s LinkedIn
Sponsors: Angular Boot Camp; Fresh Books; Get a Coder Job Course
Picks: Ed: Podcast - All Things Git

Devchat.tv Master Feed
RRU 038: Azure Pipelines with Ed Thomson LIVE at Microsoft Ignite

Nov 20, 2018 (48:52)


Panel: Charles Max Wood Special Guests: Ed Thomson In this episode of React Round Up, Charles speaks with Ed Thomson, who is a Program Manager at Azure through Microsoft, Developer, and Open Source Maintainer. Ed and Chuck discuss Azure DevOps in full detail! Check out today’s episode to hear its new features and other exciting news! Show Topics: 0:59 – Live at Microsoft Ignite 1:03 – Ed: Hi! I am a Program Manager at Azure. 1:28 – Rewind 2 episodes to hear more about Azure DevOps! 1:51 – Ed: One of the moves from Pipelines to DevOps – they could still adopt Pipelines. Now that they are separate services – it’s great. 2:38 – Chuck talks about features he does and doesn’t use. 2:54 – Ed. 3:00 – Chuck: Repos and Pipelines. I am going to dive right in. Let’s talk about Repos. Microsoft just acquired GitHub. 3:18 – Ed: Technically we have not officially acquired GitHub. 3:34 – Chuck: It’s not done. It’s the end of September now. 3:55 – Ed: They will remain the same thing for a while. GitHub is the home for open source. Repos – we use it in Microsoft. Repositories are huge. There are 4,000 engineers working in these repositories. Everyone works in his or her own little area, and you have to work together. You have to do all this engineering to get there. We built a tool and it basically if you run clone... Ed continues to talk about this topic. He is talking about One Drive and these repositories. 6:28 – Ed: We aren’t going to be mixing and matching. I used to work through GitHub. It’s exciting to see those people work close to me. 6:54 – Chuck. 6:59 – Ed: It has come a long way. 7:07 – Chuck: Beyond the FSF are we talking about other features or? 7:21 – Ed: We have unique features. We have branch policies. You can require that people do pull requests. You have to use pull requests and your CI has to pass and things like that. I think there is a lot of richness in our auditing. We have enterprise focus. At its core it still is Git. We can all interoperate.
8:17 – Chuck. 8:37 – Ed: You just can’t set it up with Apache. You have to figure it out. 8:51 – Chuck: The method of pushing and pulling. 9:06 – Chuck: You can try DevOps for free up to 5 users and unlimited private repos. People are interested in this because GitHub makes you pay for that. 9:38 – Ed and Chuck continue to talk. 9:50 – Ed: Pipelines is the most interesting thing we are working on. We have revamped the entire experience. Build and release. It’s easy to get started. We have a visual designer. Super helpful – super straightforward. Releases once your code is built – get it out to production say for example Azure. It’s the important thing to get your code out there. 10:55 – Chuck: How can someone start with this? 11:00 – Ed: Depends on where your repository is. It will look at your code. “Oh, I know what that is, I know how to build that!” Maybe everyone isn’t doing everything with JavaScript. If you are using DotNet then it will know. 12:05 – Chuck: What if I am using both a backend and a frontend? 12:11 – Ed: One repository? That’s when you will have to do a little hand packing on the... There are different opportunities there. If you have a bash script that does it for you. If not, then you can orchestrate it. Reduce the time it takes. If it’s an open source project; there’s 2 – what are you going to do with the other 8? You’d be surprised – people try to sneak that in there. 13:30 – Chuck: It seems like continuous integration isn’t a whole lot complicated. 13:39 – Ed: I am a simple guy; that’s how I do it. You can do advanced stuff, though. The Cake Build system – they are doing some crazy things. We have got Windows, Linux, and others. Are you building for Raspberry Pis, then okay, do this... It’s not just running a script. 15:00 – Chuck: People do get pretty complicated if they want. It can get complicated. Who knows? 15:26 – Chuck: How much work do you have to do to set up a Pipeline like that? 15:37 – Ed answers the question in detail.
16:03 – Chuck asks a question. 16:12 – Ed: Now this is where it gets contentious. If one fails... Our default task out of the box... 16:56 – Chuck: If you want 2 steps you can (like me who is crazy). 17:05 – Ed: Yes, I want to see if it failed. 17:17 – Chuck: Dude, writing code is hard. Once you have it built and tested – continuous deployment. 17:33 – Ed: It’s very easy. It’s super straightforward, it doesn’t have to be Azure (although I hope it is!). Ed continues this conversation. 18:43 – Chuck: And it just pulls it? 18:49 – Ed: Don’t poke holes into your firewall. We do give you a lot of flexibility. 19:04 – Chuck: VPN credentials? 19:10 – Ed: Just run the... 19:25 – Chuck comments. 19:36 – Ed: ...Take that Zip... 20:02 – Ed: Once the planets are finely aligned then...it will just pull from it. 20:25 – Chuck: I host my stuff on Digital Ocean. 20:46 – Ed: It’s been a while since I played with... 20:55 – Chuck. 20:59 – Ed and Chuck go back and forth with different situations and hypothetical situations. 21:10 – Ed: What is Phoenix? 21:20 – Chuck explains it. 21:25 – Ed: Here is what we probably don’t have is a lot of Erlang support. 22:41 – Advertisement. 23:31 – Chuck: Let’s just say it’s a possibility. We took the strip down node and... 23:49 – Ed: I think it’s going to happen. 23:55 – Ed: Exactly. 24:02 – Chuck: Testing against Azure services. So, it’s one thing to run on my machine but it’s another thing when other things connect nicely with an Azure set-up. Does it connect natively once it’s in the Azure cloud? 24:35 – Ed: It should, but there are so many services, so I don’t want to say that everything is identical. We will say yes with an asterisk. 25:07 – Chuck: With continuous deployment... 25:41 – Ed: As an example: I have a CD Pipeline for my website. Every time I merge into master... Ed continues this hypothetical situation with full details. Check it out! 27:03 – Chuck: You probably can do just about anything – deploy by Tweet!
27:15 – Ed: You can stop the deployment if people on Twitter start complaining. 27:40 – Chuck: That is awesome! If it is something you care about – and if it’s worth the time – then why not? If you don’t have to think about it then great. I have mentioned this before: Am I solving interesting problems? What projects do I want to work on? What kinds of contributions do I really want to contribute to open source? That’s the thing – if you have all these tools that are set up then your process, how do you work on what, and remove the pain points then you can just write code so people can use! That’s the power of this – because it catches the bug before I have to catch it – then that saves me time. 30:08 – Ed: That’s the dream of computers is that the computers are supposed to make OUR lives easier. If we can do that and catch those bugs before you catch it then you are saving time. Finding bugs as quickly as possible avoids downtime and messy deployments. 31:03 – Chuck: Then you can use time for coding style and other things. I can take mental shortcuts. 31:37 – Ed: The other thing you can do is avoid security problems. If a static code analysis tool catches an integer overflow then... 32:30 – Chuck adds his comments. Chuck: You can set your policy to block it or ignore it. Then you are running these tools to run security. There are third-party tools that do security analysis on your code. Do you integrate with those? 33:00 – Ed: Yep. My favorite is WhiteSource. It knows all of the open source and third-party tools. It can scan your code and... 34:05 – Chuck: It works with a lot of languages. 34:14 – Ed. 34:25 – Chuck: A lot of JavaScript developers are getting into mobile development, like Ionic, and others. You have all these systems out there for different stages for writing for mobile. Android, Windows Phone, Blackberry... 35:04 – Ed: Let’s throw out Blackberry builds. We will ignore it. Mac OS does a fine job. That’s why we have all of those.
35:29 – Chuck: But I want to run my tests, too! 35:36 – Ed: I really like to use App Center. It is ultimately incredible to see all the tests you can run. 36:29 – Chuck: The deployment is different, though, right? 36:40 – Ed: I have a friend who clicks a button in... Azure DevOps. 37:00 – Chuck: I like to remind people that this isn’t a new product. 37:15 – Ed: Yes, Azure DevOps. 37:24 – Chuck: Any new features that are coming out? 37:27 – Ed: We took a little break, but... 37:47 – Ed: We will pick back up once Ignite is over. We have a timeline on our website when we expect to launch some new features, and some are secret, so keep checking out the website. 39:07 – Chuck: What is the interplay between Azure DevOps and Visual Studio Code? Because they have plugins for freaking everything. I am sure there is something there that... 39:30 – Ed: I am a VI guy and I’m like 90% sure there is something there. You are an Emacs guy? The way I think about it is through Git right out of the box. Yes, I think there are better things out there for integration. I know we have a lot of great things in Visual Code, because I worked with it. 40:45 – Chuck: Yes, people can look for extensions and see what the capabilities are. Chuck talks about code editor and tools. 41:28 – Ed: ... we have been pulling that out as quickly as possible. We do have IE extensions, I am sure there is something for VS Code – but it’s not where I want to spend my time. 42:02 – Chuck: Yes, sure. 42:07 – Ed: But everyone is different – they won’t work the way that I work. So there’s that. 42:30 – Ed: That Chuck. 42:36 – Chuck: Where do people get news? 42:42 – Ed: Go to here! 42:54 – Chuck: Where do people find you? 43:00 – Ed: Twitter! 43:07 – Chuck: Let’s do Picks! 43:20 – Advertisement – Fresh Books!
Links: GitHub; Microsoft’s Azure; Microsoft’s Pipeline; Azure DevOps; Erlang; WhiteSource; Chuck’s Twitter; Ed Thomson’s Twitter; Ed Thomson’s GitHub; Ed Thomson’s Website; Ed Thomson’s LinkedIn
Sponsors: Angular Boot Camp; Fresh Books; Get a Coder Job Course
Picks: Ed: Podcast - All Things Git

Security Intelligence Podcast
Embracing the Paradox of Open Source Security

Nov 1, 2018 (19:31)


Is your organization struggling with the paradox of open source? Open source vulnerabilities are gaining publicity, data breaches are on the rise, and data privacy is paramount. And yet, at the same time, open source accelerates productivity in a way that's impossible with proprietary software. Rami Elron, senior director of product management at WhiteSource, and David Marshak, senior offering manager for application security at IBM Security, discuss this paradox in today’s podcast. Listen in to hear their take on the future of open source and discover why companies need to embrace new strategies to ensure open source security. To learn more, check out the “State of Open Source Vulnerabilities Management” infographic [http://bit.ly/2P6o3zF] and watch the on-demand webinar, “Know What You Don’t Know: Gain Visibility Into Your Open Source Risk” [https://ibm.co/2DfnJs8].

Enterprise Security Weekly (Video)
BlackBerry, Imperva, & CyberArk - Enterprise Security Weekly #111

Oct 19, 2018 (16:45)


In the Enterprise Security News, Avast launches AI-based software for phishing attacks, Carbon Black and Secureworks apply Red Cloak Analytics to Carbon Black’s Cloud, ShieldX integrates intention engine into Elastic Security Platform, and we have updates from Imperva, WhiteSource, BlackBerry, and more!
Full Show Notes: https://wiki.securityweekly.com/ES_Episode111
Visit https://www.securityweekly.com/esw for all the latest episodes!

Paul's Security Weekly TV
BlackBerry, Imperva, & CyberArk - Enterprise Security Weekly #111

Oct 19, 2018 (16:45)


In the Enterprise Security News, Avast launches AI-based software for phishing attacks, Carbon Black and Secureworks apply Red Cloak Analytics to Carbon Black’s Cloud, ShieldX integrates intention engine into Elastic Security Platform, and we have updates from Imperva, WhiteSource, BlackBerry, and more!
Full Show Notes: https://wiki.securityweekly.com/ES_Episode111
Visit https://www.securityweekly.com/esw for all the latest episodes!

Enterprise Security Weekly (Audio)
Competitive Horse Racing - Enterprise Security Weekly #111

Oct 18, 2018 48:46


This week, John Strand and Paul discuss some companies Paul got a chance to catch up with! They discuss GuardiCore and their Application Segmentation, Cyxtera and their Network Security and Software Defined Perimeters, PreVeil’s Encrypted Email and File Sharing, and more! In the Enterprise News this week, Avast launches AI-based software for phishing attacks, Carbon Black and Secureworks apply Red Cloak Analytics to Carbon Black's Cloud, ShieldX integrates intention engine into Elastic Security Platform, and we have updates from Imperva, WhiteSource, BlackBerry, and more on this episode of Enterprise Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/ES_Episode111
Visit https://www.securityweekly.com/esw for all the latest episodes!
Visit https://www.activecountermeasures/esw to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly

Paul's Security Weekly
Competitive Horse Racing - Enterprise Security Weekly #111

Oct 18, 2018 48:46



Adventures in Angular
AiA 211: “Azure Pipelines” with Ed Thomson LIVE at Microsoft Ignite

Oct 16, 2018 49:24


Panel: Charles Max Wood
Special Guests: Ed Thomson

In this episode, the Adventures in Angular panel talks with Ed Thomson, who is a Program Manager at Azure through Microsoft, Developer, and Open Source Maintainer. Ed and Chuck discuss Azure DevOps in full detail! Check out today’s episode to hear its new features and other exciting news!

Show Topics:
0:59 – Live at Microsoft Ignite
1:03 – Ed: Hi! I am a Program Manager at Azure.
1:28 – Rewind 2 episodes to hear more about Azure DevOps!
1:51 – Ed: One of the moves from Pipelines to DevOps – they could still adopt Pipelines. Now that they are separate services – it’s great.
2:38 – Chuck talks about features he does and doesn’t use.
2:54 – Ed.
3:00 – Chuck: Repos and Pipelines. I am going to dive right in. Let’s talk about Repos. Microsoft just acquired GitHub.
3:18 – Ed: Technically we have not officially acquired GitHub.
3:34 – Chuck: It’s not done. It’s the end of September now.
3:55 – Ed: They will remain the same thing for a while. GitHub is the home for open source. Repos – we use it in Microsoft. Repositories are huge. There are 4,000 engineers working in these repositories. Everyone works in his or her own little area, and you have to work together. You have to do all this engineering to get there. We built a tool and it basically if you run clone... Ed continues to talk about this topic. He is talking about OneDrive and these repositories.
6:28 – Ed: We aren’t going to be mixing and matching. I used to work through GitHub. It’s exciting to see those people work close to me.
6:54 – Chuck.
6:59 – Ed: It has come a long way.
7:07 – Chuck: Beyond the FSF are we talking about other features or?
7:21 – Ed: We have unique features. We have branch policies. You can require that people do pull requests. You have to use pull requests and your CI has to pass and things like that. I think there is a lot of richness in our auditing. We have enterprise focus. At its core it still is Git. We can all interoperate.
8:17 – Chuck.
8:37 – Ed: You just can’t set it up with Apache. You have to figure it out.
8:51 – Chuck: The method of pushing and pulling.
9:06 – Chuck: You can try DevOps for free up to 5 users and unlimited private repos. People are interested in this because GitHub makes you pay for that.
9:38 – Ed and Chuck continue to talk.
9:50 – Ed: Pipelines is the most interesting thing we are working on. We have revamped the entire experience. Build and release. It’s easy to get started. We have a visual designer. Super helpful – super straightforward. Releases once your code is built – get it out to production say for example Azure. It’s the important thing to get your code out there.
10:55 – Chuck: How can someone start with this?
11:00 – Ed: Depends on where your repository is. It will look at your code. “Oh, I know what that is, I know how to build that!” Maybe everyone isn’t doing everything with JavaScript. If you are using DotNet then it will know.
12:05 – Chuck: What if I am using both a backend and a frontend?
12:11 – Ed: One repository? That’s when you will have to do a little hand packing on the... There are different opportunities there. If you have a bash script that does it for you. If not, then you can orchestrate it. Reduce the time it takes. If it’s an open source project; there’s 2 – what are you going to do with the other 8? You’d be surprised – people try to sneak that in there.
13:30 – Chuck: It seems like continuous integration isn’t a whole lot complicated.
13:39 – Ed: I am a simple guy; that’s how I do it. You can do advanced stuff, though. The Cake Build system – they are doing some crazy things. We have got Windows, Linux, and others. Are you building for Raspberry Pis, then okay, do this... It’s not just running a script.
15:00 – Chuck: People do get pretty complicated if they want. It can get complicated. Who knows?
15:26 – Chuck: How much work do you have to do to set up a Pipeline like that?
15:37 – Ed answers the question in detail.
16:03 – Chuck asks a question.
16:12 – Ed: Now this is where it gets contentious. If one fails... Our default task out of the box...
16:56 – Chuck: If you want 2 steps you can (like me who is crazy).
17:05 – Ed: Yes, I want to see if it failed.
17:17 – Chuck: Dude, writing code is hard. Once you have it built and tested – continuous deployment.
17:33 – Ed: It’s very easy. It’s super straightforward, it doesn’t have to be Azure (although I hope it is!). Ed continues this conversation.
18:43 – Chuck: And it just pulls it?
18:49 – Ed: Don’t poke holes into your firewall. We do give you a lot of flexibility.
19:04 – Chuck: VPN credentials?
19:10 – Ed: Just run the...
19:25 – Chuck comments.
19:36 – Ed: ...Take that Zip...
20:02 – Ed: Once the planets are finely aligned then...it will just pull from it.
20:25 – Chuck: I host my stuff on Digital Ocean.
20:46 – Ed: It’s been a while since I played with...
20:55 – Chuck.
20:59 – Ed and Chuck go back and forth with different situations and hypothetical situations.
21:10 – Ed: What is Phoenix?
21:20 – Chuck explains it.
21:25 – Ed: Here is what we probably don’t have is a lot of Erlang support.
22:41 – Advertisement.
23:31 – Chuck: Let’s just say it’s a possibility. We took the strip down node and...
23:49 – Ed: I think it’s going to happen.
23:55 – Ed: Exactly.
24:02 – Chuck: Testing against Azure services. So, it’s one thing to run on my machine but it’s another thing when other things connect nicely with an Azure set-up. Does it connect natively once it’s in the Azure cloud?
24:35 – Ed: It should, but there are so many services, so I don’t want to say that everything is identical. We will say yes with an asterisk.
25:07 – Chuck: With continuous deployment...
25:41 – Ed: As an example: I have a CD Pipeline for my website. Every time I merge into master... Ed continues this hypothetical situation with full details. Check it out!
27:03 – Chuck: You probably can do just about anything – deploy by Tweet!
27:15 – Ed: You can stop the deployment if people on Twitter start complaining.
27:40 – Chuck: That is awesome! If it is something you care about – and if it’s worth the time – then why not? If you don’t have to think about it then great. I have mentioned this before: Am I solving interesting problems? What projects do I want to work on? What kinds of contributions do I really want to contribute to open source? That’s the thing – if you have all these tools that are set-up then your process, how do you work on what, and remove the pain points then you can just write code so people can use! That’s the power of this – because it catches the bug before I have to catch it – then that saves me time.
30:08 – Ed: That’s the dream of computers is that the computers are supposed to make OUR lives easier. If we can do that and catch those bugs before you catch it then you are saving time. Finding bugs as quickly as possible avoids downtime and messy deployments.
31:03 – Chuck: Then you can use time for coding style and other things. I can take mental shortcuts.
31:37 – Ed: The other thing you can do is avoiding security problems. If a static code analysis tool catches an integer overflow then...
32:30 – Chuck adds his comments. Chuck: You can set your policy to block it or ignore it. Then you are running these tools to run security. There are third-party tools that do security analysis on your code. Do you integrate with those?
33:00 – Ed: Yep. My favorite is WhiteSource. It knows all of the open source and third-party tools. It can scan your code and...
34:05 – Chuck: It works with a lot of languages.
34:14 – Ed.
34:25 – Chuck: A lot of JavaScript developers are getting into mobile development, like Ionic, and others. You have all these systems out there for different stages for writing for mobile. Android, Windows Phone, Blackberry...
35:04 – Ed: Let’s throw out Blackberry builds. We will ignore it. Mac OS does a fine job. That’s why we have all of those.
35:29 – Chuck: But I want to run my tests, too!
35:36 – Ed: I really like to use App Center. It is ultimately incredible to see all the tests you can run.
36:29 – Chuck: The deployment is different, though, right?
36:40 – Ed: I have a friend who clicks a button in... Azure DevOps.
37:00 – Chuck: I like to remind people that this isn’t a new product.
37:15 – Ed: Yes, Azure DevOps.
37:24 – Chuck: Any new features that are coming out?
37:27 – Ed: We took a little break, but...
37:47 – Ed: We will pick back up once Ignite is over. We have a timeline on our website when we expect to launch some new features, and some are secret, so keep checking out the website.
39:07 – Chuck: What is the interplay between Azure DevOps and Visual Studio Code? Because they have plugins for freaking everything. I am sure there is something there that...
39:30 – Ed: I am a VI guy and I’m like 90% sure there is something there. You are an Emacs guy? The way I think about it is through Git right out of the box. Yes, I think there are better things out there for integration. I know we have a lot of great things in Visual Code, because I worked with it.
40:45 – Chuck: Yes, people can look for extensions and see what the capabilities are. Chuck talks about code editor and tools.
41:28 – Ed: ... we have been pulling that out as quickly as possible. We do have IE extensions, I am sure there is something for VS Code – but it’s not where I want to spend my time.
42:02 – Chuck: Yes, sure.
42:07 – Ed: But everyone is different – they won’t work the way that I work. So there’s that.
42:30 – Ed: That Chuck.
42:36 – Chuck: Where do people get news?
42:42 – Ed: Go to here!
42:54 – Chuck: Where do people find you?
43:00 – Ed: Twitter!
43:07 – Chuck: Let’s do Picks!
43:20 – Advertisement – Fresh Books!

Links: GitHub, Microsoft’s Azure, Microsoft’s Pipeline, Azure DevOps, Erlang, WhiteSource, Chuck’s Twitter, Ed Thomson’s Twitter, Ed Thomson’s GitHub, Ed Thomson’s Website, Ed Thomson’s LinkedIn
Sponsors: Angular Boot Camp, Fresh Books, Get a Coder Job Course
Picks: Ed: Podcast - All Things Git

Devchat.tv Master Feed
AiA 211: “Azure Pipelines” with Ed Thomson LIVE at Microsoft Ignite

Oct 16, 2018 49:24



All Angular Podcasts by Devchat.tv
AiA 211: “Azure Pipelines” with Ed Thomson LIVE at Microsoft Ignite

Oct 16, 2018 49:24


Panel: Charles Max Wood Special Guests: Ed Thomson In this episode, the Adventures in Angular panel talks with Ed Thomson who is a Program Manager at Azure through Microsoft, Developer, and Open Source Maintainer. Ed and Chuck discuss in full detail about Azure DevOps! Check out today’s episode to hear its new features and other exciting news! Show Topics: 0:59 – Live at Microsoft Ignite 1:03 – Ed: Hi! I am a Program Manager at Azure. 1:28 – Rewind 2 episodes to hear more about Azure DevOps! 1:51 – Ed: One of the moves from Pipelines to DevOps – they could still adopt Pipelines. Now that they are separate services – it’s great. 2:38 – Chuck talks about features he does and doesn’t use. 2:54 – Ed. 3:00 – Chuck: Repos and Pipelines. I am going to dive right in. Let’s talk about Repos. Microsoft just acquired GitHub. 3:18 – Ed: Technically we have not officially acquired GitHub. 3:34 – Chuck: It’s not done. It’s the end of September now. 3:55 – Ed: They will remain the same thing for a while. GitHub is the home for open source. Repos – we use it in Microsoft. Repositories are huge. There are 4,000 engineers working in these repositories. Everyone works in his or her own little area, and you have to work together. You have to do all this engineering to get there. We bit a tool and it basically if you run clone... Ed continues to talk about this topic. He is talking about One Drive and these repositories. 6:28 – Ed: We aren’t going to be mixing and matching. I used to work through GitHub. It’s exciting to see those people work close to me. 6:54 – Chuck. 6:59 – Ed: It has come a long way. 7:07 – Chuck: Beyond the FSF are we talking about other features or? 7:21 – Ed: We have unique features. We have branch policies. You can require that people do pole request. You have to use pole request and your CI has to pass and things like that. I think there is a lot of richness in our auditing. We have enterprise focus. At its core it still is Git. We can all interoperate. 
8:17 – Chuck. 8:37 – Ed: You just can’t set it up with Apache. You have to figure it out. 8:51 – Chuck: The method of pushing and pulling. 9:06 – Chuck: You can try DevOps for free up to 5 users and unlimited private repos. People are interested in this because GitHub makes you pay for that. 9:38 – Ed and Chuck continue to talk. 9:50 – Ed: Pipelines is the most interesting thing we are working on. We have revamped the entire experience. Build and release. It’s easy to get started. We have a visual designer. Super helpful – super straightforward. Releases once your code is built – get it out to production say for example Azure. It’s the important thing to get your code out there. 10:55 – Chuck: How can someone start with this? 11:00 – Ed: Depends on where your repository is. It will look at your code. “Oh, I know what that is, I know how to build that!” Maybe everyone isn’t doing everything with JavaScript. If you are using DotNet then it will know. 12:05 – Chuck: What if I am using both a backend and a frontend? 12:11 – Ed: One repository? That’s when you will have to do a little hand packing on the... There are different opportunities there. If you have a bash script that does it for you. If not, then you can orchestrate it. Reduce the time it takes. If it’s an open source project; there’s 2 – what are you going to do with the other 8? You’d be surprised – people try to sneak that in there. 13:30 – Chuck: It seems like continuous integration isn’t a whole lot complicated. 13:39 – Ed: I am a simple guy that’s how I do it. You can do advanced stuff, though. The Cake Build system – they are doing some crazy things. We have got Windows, Lennox, and others. Are you building for Raspberries Pies, then okay, do this... It’s not just running a script. 15:00 – Chuck: People do get pretty complicated if they want. It can get complicated. Who knows? 15:26 – Chuck:  How much work do you have to do to set-up a Pipeline like that? 15:37 – Ed answers the question in detail. 
16:03 – Chuck asks a question.
16:12 – Ed: Now this is where it gets contentious. If one fails... Our default task out of the box...
16:56 – Chuck: If you want 2 steps you can (like me who is crazy).
17:05 – Ed: Yes, I want to see if it failed.
17:17 – Chuck: Dude, writing code is hard. Once you have it built and tested – continuous deployment.
17:33 – Ed: It’s very easy. It’s super straightforward, it doesn’t have to be Azure (although I hope it is!). Ed continues this conversation.
18:43 – Chuck: And it just pulls it?
18:49 – Ed: Don’t poke holes into your firewall. We do give you a lot of flexibility.
19:04 – Chuck: VPN credentials?
19:10 – Ed: Just run the...
19:25 – Chuck comments.
19:36 – Ed: ...Take that Zip...
20:02 – Ed: Once the planets are finely aligned then...it will just pull from it.
20:25 – Chuck: I host my stuff on Digital Ocean.
20:46 – Ed: It’s been awhile since I played with...
20:55 – Chuck.
20:59 – Ed and Chuck go back and forth with different situations and hypothetical situations.
21:10 – Ed: What is Phoenix?
21:20 – Chuck explains it.
21:25 – Ed: Here is what we probably don’t have is a lot of ERLANG support.
22:41 – Advertisement.
23:31 – Chuck: Let’s just say it’s a possibility. We took the strip down node and...
23:49 – Ed: I think it’s going to happen.
23:55 – Ed: Exactly.
24:02 – Chuck: Testing against Azure services. So, it’s one thing to run on my machine but it’s another thing when other things connect nicely with an Azure set-up. Does it connect natively once it’s in the Azure cloud?
24:35 – Ed: It should, but there are so many services, so I don’t want to say that everything is identical. We will say yes with an asterisk.
25:07 – Chuck: With continuous deployment...
25:41 – Ed: As an example: I have a CD Pipeline for my website. Every time I merge into master... Ed continues this hypothetical situation with full details. Check it out!
27:03 – Chuck: You probably can do just about anything – deploy by Tweet!
27:15 – Ed: You can stop the deployment if people on Twitter start complaining.
27:40 – Chuck: That is awesome! IF it is something you care about – and if it’s worth the time – then why not? If you don’t have to think about it then great. I have mentioned this before: Am I solving interesting problems? What projects do I want to work on? What kinds of contributions do I really want to contribute to open source? That’s the thing – if you have all these tools that are set-up then your process, how do you work on what, and remove the pain points then you can just write code so people can use! That’s the power of this – because it catches the bug before I have to catch it – then that saves me time.
30:08 – Ed: That’s the dream of computers is that the computers are supposed to make OUR lives easier. IF we can do that and catch those bugs before you catch it then you are saving time. Finding bugs as quickly as possible avoids downtime and messy deployments.
31:03 – Chuck: Then you can use time for coding style and other things. I can take mental shortcuts.
31:37 – Ed: The other thing you can do is avoiding security problems. If a static code analysis tool catches an integer overflow then...
32:30 – Chuck adds his comments. Chuck: You can set your policy to block it or ignore it. Then you are running these tools to run security. There are third-party tools that do security analysis on your code. Do you integrate with those?
33:00 – Ed: Yep. My favorite is WhiteSource. It knows all of the open source and third-party tools. It can scan your code and...
34:05 – Chuck: It works with a lot of languages.
34:14 – Ed.
34:25 – Chuck: A lot of JavaScript developers are getting into mobile development, like Ionic, and others. You have all these systems out there for different stages for writing for mobile. Android, Windows Phone, Blackberry...
35:04 – Ed: Let’s throw out Blackberry builds. We will ignore it. Mac OS does a fine job. That’s why we have all of those.
35:29 – Chuck: But I want to run my tests, too!
35:36 – Ed: I really like to use App Center. It is ultimately incredible to see all the tests you can run.
36:29 – Chuck: The deployment is different, though, right?
36:40 – Ed: I have a friend who clicks a button in... Azure DevOps.
37:00 – Chuck: I like to remind people that this isn’t a new product.
37:15 – Ed: Yes, Azure DevOps.
37:24 – Chuck: Any new features that are coming out?
37:27 – Ed: We took a little break, but...
37:47 – Ed: We will pick back up once Ignite is over. We have a timeline on our website when we expect to launch some new features, and some are secret, so keep checking out the website.
39:07 – Chuck: What is the interplay between Azure DevOps and Visual Studio Code? Because they have plugins for freaking everything. I am sure there is something there that...
39:30 – Ed: I am a VI guy and I’m like 90% sure there is something there. You are an Emacs guy? The way I think about it is through Git right out of the box. Yes, I think there are better things out there for integration. I know we have a lot of great things in Visual Code, because I worked with it.
40:45 – Chuck: Yes, people can look for extensions and see what the capabilities are. Chuck talks about code editor and tools.
41:28 – Ed: ... we have been pulling that out as quickly as possible. We do have IE extensions, I am sure there is something for VS Code – but it’s not where I want to spend my time.
42:02 – Chuck: Yes, sure.
42:07 – Ed: But everyone is different – they won’t work the way that I work. So there’s that.
42:30 – Ed: That Chuck.
42:36 – Chuck: Where do people get news?
42:42 – Ed: Go to here!
42:54 – Chuck: Where do people find you?
43:00 – Ed: Twitter!
43:07 – Chuck: Let’s do Picks!
43:20 – Advertisement – Fresh Books!
Links: GitHub, Microsoft’s Azure, Microsoft’s Pipeline, Azure DevOps, Erlang, WhiteSource, Chuck’s Twitter, Ed Thomson’s Twitter, Ed Thomson’s GitHub, Ed Thomson’s Website, Ed Thomson’s LinkedIn
Sponsors: Angular Boot Camp, Fresh Books, Get a Coder Job Course
Picks: Ed: Podcast - All Things Git

DevOps Chat
DevSecOps & Open Source with Azi Cohen of WhiteSource

DevOps Chat

Sep 13, 2018 18:53


The security of open source components has been in the spotlight, especially since the Equifax breach last year. In this DevOps Chat we speak with WhiteSource Software co-founder Azi Cohen about the challenges that DevOps and DevSecOps teams are facing in trying to keep their applications secure. A big part of this is making sure your open source components are up to date and secure. This is where WhiteSource Software plays. Azi had some great insights on this subject.

Reversim Podcast
349 WhiteSource

Reversim Podcast

Sep 1, 2018


DevOps Radio
Episode 36: David Habusha, WhiteSource Software – The (Open) Source on DevSecOps

DevOps Radio

Jul 18, 2018 28:37


David Habusha, Vice President of Product at WhiteSource Software, explains to host, Andre Pino, how he first got into cybersecurity by chance after starting his career in open source. As the founder of a privacy company, David discusses the intersection of security and open source, as well as DevSecOps.

Paul's Security Weekly TV
Rami Sass, CEO & Co-Founder of WhiteSource - Application Security Weekly #13

Paul's Security Weekly TV

May 2, 2018 30:04


Rami Sass is CEO and Co-Founder of WhiteSource. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity. He joins Keith and Paul this week for an interview! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode13 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly

Application Security Weekly (Audio)
Bigger Than My Home - Application Security Weekly #13

Application Security Weekly (Audio)

May 1, 2018 69:50


This week, Paul and Keith discuss Drupal 7 and 8 core critical releases, Irony of Leaky App at RSAC not lost on attendees, avoiding XSS in React is still hard, and more! In our Pre-Recorded interview, Paul and Keith sit down with Rami Sass, CEO and Co-Founder of WhiteSource, and more on this episode of Application Security Weekly!   Full Show Notes: https://wiki.securityweekly.com/ASW_Episode13   Visit https://www.securityweekly.com/asw for all the latest episodes!

Paul's Security Weekly
Bigger Than My Home - Application Security Weekly #13

Paul's Security Weekly

May 1, 2018 69:50


This week, Paul and Keith discuss Drupal 7 and 8 core critical releases, Irony of Leaky App at RSAC not lost on attendees, avoiding XSS in React is still hard, and more! In our Pre-Recorded interview, Paul and Keith sit down with Rami Sass, CEO and Co-Founder of WhiteSource, and more on this episode of Application Security Weekly!   Full Show Notes: https://wiki.securityweekly.com/ASW_Episode13   Visit https://www.securityweekly.com/asw for all the latest episodes!

Application Security Weekly (Video)
Rami Sass, CEO & Co-Founder of WhiteSource - Application Security Weekly #13

Application Security Weekly (Video)

Apr 30, 2018 30:04


Rami Sass is CEO and Co-Founder of WhiteSource. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity. He joins Keith and Paul this week for an interview! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode13 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly

Open Source Security Podcast
Episode 92 - Chat with Rami Saas the CEO of WhiteSource

Open Source Security Podcast

Apr 15, 2018 33:34


Josh and Kurt talk to Rami Sass, the CEO of WhiteSource, about 3rd party open source security as well as open source licensing.

JavaScript Jabber
244 JSJ Visual Studio with Sam Guckenheimer

JavaScript Jabber

Dec 28, 2016 55:11


1:05 - Introducing Sam Guckenheimer Twitter Microsoft Devops
2:45 - Continuous integration with Visual Studio
4:15 - Visual Studio on Macs Download link
5:55 - Is Visual Studio just for C#? Chris Dias JSJ Episode
8:45 - Container support and the Cloud
14:20 - Docker and Visual Studio
17:40 - Communicating with multiple services
24:15 - Talking to clients about change and working with transformation
33:00 - Telemetry and collecting data
37:50 - Xamarin forms
47:50 - Deployment with changed endpoints
Picks: Daplie Wefunder (AJ), Unroll.Me (Charles), Focused Inbox on Outlook (Sam), WhiteSource (Sam), The Girl On The Train (Sam), The Pigeon Tunnel by John le Carre (Sam)

All JavaScript Podcasts by Devchat.tv
244 JSJ Visual Studio with Sam Guckenheimer

All JavaScript Podcasts by Devchat.tv

Dec 28, 2016 55:11


1:05 - Introducing Sam Guckenheimer Twitter Microsoft Devops
2:45 - Continuous integration with Visual Studio
4:15 - Visual Studio on Macs Download link
5:55 - Is Visual Studio just for C#? Chris Dias JSJ Episode
8:45 - Container support and the Cloud
14:20 - Docker and Visual Studio
17:40 - Communicating with multiple services
24:15 - Talking to clients about change and working with transformation
33:00 - Telemetry and collecting data
37:50 - Xamarin forms
47:50 - Deployment with changed endpoints
Picks: Daplie Wefunder (AJ), Unroll.Me (Charles), Focused Inbox on Outlook (Sam), WhiteSource (Sam), The Girl On The Train (Sam), The Pigeon Tunnel by John le Carre (Sam)

Devchat.tv Master Feed
244 JSJ Visual Studio with Sam Guckenheimer

Devchat.tv Master Feed

Dec 28, 2016 55:11


1:05 - Introducing Sam Guckenheimer Twitter Microsoft Devops
2:45 - Continuous integration with Visual Studio
4:15 - Visual Studio on Macs Download link
5:55 - Is Visual Studio just for C#? Chris Dias JSJ Episode
8:45 - Container support and the Cloud
14:20 - Docker and Visual Studio
17:40 - Communicating with multiple services
24:15 - Talking to clients about change and working with transformation
33:00 - Telemetry and collecting data
37:50 - Xamarin forms
47:50 - Deployment with changed endpoints
Picks: Daplie Wefunder (AJ), Unroll.Me (Charles), Focused Inbox on Outlook (Sam), WhiteSource (Sam), The Girl On The Train (Sam), The Pigeon Tunnel by John le Carre (Sam)