I’m skeptical about measuring open-source package quality with metrics alone.
• Low commit/update cadence: Doesn’t indicate low quality. It might signal a stable, well-functioning package that needs minimal maintenance.
• High number of historical CVEs: Not a sign of low quality. It could show that the package has undergone thorough security scrutiny.
• Many open issues: Not a reliable indicator. Many issues are more like support tickets, and there are often many duplicates.
Quality assessment requires more than just metrics!
Martin Torp’s Post
More Relevant Posts
-
If you're struggling to resolve bugs or having difficulty understanding the problem, please read the documentation. Sometimes, the simplest actions can be very helpful.
-
When it comes to technical troubleshooting, confirming what ISN'T the problem is as helpful as trying to think through what is. Ruling things out narrows down the list of potential issues. So when your technical support team asks you to validate simple steps that you’re 100% sure you did correctly, cut them some slack. That is a version of trying to help you. Be proactive to narrow down the time to a solution by providing them the list of things you’ve ruled out and tried. Tell them why resetting your password isn’t the issue. It’s helpful to use that strategy in a lot of other areas of life as well. Where can you rule things out to more quickly get to a root cause or goal? Validate the basics first, then you can blame the bogeyman in the code.
-
Is your Spring-based system resilient against HTTP status failures? Steadybit’s Spring HTTP Client Status Attack allows you to simulate HTTP response status codes (like 500 or 404) to test how your application handles failures during HTTP client requests. This experiment helps you identify vulnerabilities in service-to-service communication, ensuring your system remains robust in the face of unreliable responses. Learn how to implement this in your environment and improve service resilience: https://hubs.li/Q02QcJf30
-
NIST released the document for security in CI/CD pipelines.
Key Takeaways:
- Learn to integrate security across various phases of the software development lifecycle, particularly focusing on cloud-native applications.
- Insight into potential risk factors, threat actors, attack vectors, and practical mitigation measures.
- Recommendations for securing CI/CD workflows, including secure builds and trusted repository operations.
What do you think?
-
“The Ultimate Guide to JFrog Security” is a comprehensive white paper designed to fortify your DevSecOps practices. https://lnkd.in/egKdRxTP #devsecops #securityawareness #riskmanagement #opensourcesecurity #supplychainsecurity
The Ultimate Guide to JFrog Security
jfrog.com
-
📣 Endor Labs Third-Annual Dependency Management Report is now live! 📣
We break down the complexities of dependency management into four easy-to-digest sections:
- Identifying Dependencies & Their Vulnerabilities
- Discrepancies in Vulnerability Databases
- Challenges in Remediating Known Vulnerabilities
- The Role of Software Composition Analysis
Best part? It's super easy to access, no form to fill in! We've got an interactive report, a downloadable PDF, and even a live recap session on September 24th.
🔗 https://lnkd.in/eMJEJjpW
#SoftwareSecurity #AppSec #OpenSource
-
Life is too short to make all the mistakes yourself; however, you can be proactive by taking steps to comprehend the case studies and real-world experiences.
1. Any code change (IaC, feature, config) should follow the entire CI/CD pipeline, with stages for build, test suite execution, integration test, Sonar, security, sandbox deployment and alert monitoring
2. Always do staged canary deployments with minimal blast radius
3. Use feedback metrics for incremental rollouts
4. Always guard any pushes from third-party dependencies
https://lnkd.in/g_qjrvQq
The biggest-ever global outage: lessons for software engineers
newsletter.pragmaticengineer.com
-
I don't know if anyone else will find this helpful, but I converted the new CMMC Rule XML file into HTML and DOCX so I could more conveniently excerpt and copy/paste it. Here is the step-by-step of how to do it yourself, or you can just download the files from my server: https://lnkd.in/gVqt-SrM
H3T LLC
h3tllc.com
-
Webinar next week on Wed, April 10th @ 12:00 PM Eastern. Protecting source code from leakage, loss, & theft can be a tough challenge. We are helping customers answer these questions... Is my source code being taken to competitors? Are my devs pushing code to personal repos? Pushing to open source repos that I am unaware of? How do we protect our source code without inhibiting our devs?
CEO and CISO Perspectives: Securing Source Code with Your Software Developers
essentials.code42.com
-
DevSecOps vs. SSDLC: Which approach is right for your organization? In the fast-paced world of software development, security can’t just be an afterthought—it must be woven into every step. But which approach is best for integrating security: DevSecOps or SSDLC? One of our latest blogs dives deep into the key differences between these two powerful frameworks, helping you understand when and how to leverage each to maximize security, efficiency, and adaptability. From the collaborative focus of DevSecOps to the structured processes of SSDLC, find out which approach best fits your organization’s goals and needs. Stay ahead of the curve and make informed decisions for a secure future. 💼🔒 👉 Read the full article here: https://lnkd.in/gcdWN5Nj