Open Source - Tech Wire Asia (https://techwireasia.com/tag/open-source/)

Google Gemma: An open source AI model for everyone?
https://techwireasia.com/02/2024/google-gemma-ai-an-open-source-model-for-everyone/
Fri, 23 Feb 2024 01:45:11 +0000

The post Google Gemma: An open source AI model for everyone? appeared first on Tech Wire Asia.

  • Google unveils Gemma, an open source AI model.
  • Gemma models share technical and infrastructure components with capable Gemini AI models.
  • Gemma will be available in two variants: Gemma 2B (2 billion parameters) and Gemma 7B (7 billion parameters).

    Tech companies continue to give developers more options to develop AI use cases through open source AI models. Developers can access open source AI models to modify and contribute to various projects and tools. The goal of open source AI is to accelerate the development and innovation of AI technologies, as well as to ensure their transparency, accountability, and ethical use.

    Today, open source AI can be used for various tasks and applications, such as content creation, email marketing, ad targeting, natural language processing, computer vision, robotics, and more. Open source AI can also help democratize AI by making it more accessible and affordable to everyone.

    But open source AI also comes with some challenges and risks, such as security, privacy, quality, and governance issues. Therefore, it is important to use open source AI responsibly and ethically and to follow the best practices and guidelines of the community.

    Some examples of open AI models are:

    • OpenAI’s GPT-4 – a large multimodal model that can understand and generate natural language or code.
    • OpenAI’s Sora – a text-to-video model that can create realistic and imaginative scenes from text instructions.
    • Meta’s PyTorch – a framework for developing and training deep learning models, with a focus on flexibility and dynamic computation graphs.
    • Meta’s LLaMA 2 – a large language model that can generate natural language from text prompts, and is free for anyone to use.

    Is Gemma really an open source AI model?

    Google joins the open AI community with Gemma

    Google Gemma is a family of lightweight, state-of-the-art open models built from the same research and technology used to create the Gemini models. According to Burak Gokturk, VP & GM of Cloud AI at Google, Google Cloud customers can start customizing and building with Gemma models in Vertex AI and running them on Google Kubernetes Engine (GKE).

    Gemma will be available in two variants: Gemma 2B (2 billion parameters) and Gemma 7B (7 billion parameters). Each size is released with pre-trained and instruction-tuned variants. There is also a new Responsible Generative AI Toolkit that provides guidance and essential tools for creating safer AI applications with Gemma.

    Other features include:

    Google has also claimed that Gemma outperforms Meta’s LLaMA 2 on several benchmarks as demonstrated in the image below.

    Comparison between Gemma and LLaMA 2. (Source – Google)

    “By using Gemma models on Vertex AI, developers can take advantage of an end-to-end ML platform that makes tuning, managing, and monitoring models simple and intuitive. With Vertex AI, builders can reduce operational overhead and focus on creating bespoke versions of Gemma that are optimized for their use case,” said Gokturk.

    For example, using Gemma models on Vertex AI, developers can:

    • Build generative AI apps for lightweight tasks such as text generation, summarization, and Q&A
    • Enable research and development using lightweight but customized models for exploration and experimentation
    • Support real-time generative AI use cases that require low latency, such as streaming text

    While Google hopes Gemma will be an open source AI model, there have been reports that Gemma stops short of being fully open source. As such, Google may still have a hand in setting its terms of use and ownership.

    A report by Reuters explained that some experts have said open source AI was ripe for abuse, while others have championed the approach for widening the set of people who can contribute to and benefit from the technology.

    Google and Nvidia

    In a blog post, Nvidia stated that teams from both companies worked closely together to accelerate the performance of Gemma with Nvidia TensorRT-LLM. Nvidia TensorRT-LLM is an open-source library for optimizing large language model inference on Nvidia GPUs in the data center, in the cloud and on PCs with Nvidia RTX GPUs.

    This allows developers to target the installed base of over 100 million Nvidia RTX GPUs available in high-performance AI PCs globally.

    Nvidia said Gemma will be supported by Chat with RTX. Chat with RTX is an Nvidia tech demo that uses retrieval-augmented generation and TensorRT-LLM software to give users generative AI capabilities on their local, RTX-powered Windows PCs.

    Chat with RTX lets users personalize a chatbot with their own data by easily connecting local files on a PC to a large language model. As the model runs locally, it will be able to provide fast results while also ensuring user data stays on the device.

    Here’s how Red Hat is helping Malaysia in its digital economy
    https://techwireasia.com/10/2023/how-is-red-hat-helping-malaysia-in-its-digital-economy/
    Fri, 20 Oct 2023 01:25:07 +0000

    The post Here’s how Red Hat is helping Malaysia in its digital economy appeared first on Tech Wire Asia.

  • Malaysia’s digital economy is one of the fastest growing in the APAC region.
  • Red Hat is hoping to help Malaysia overcome hurdles and roadblocks in their digitalization journey.
  • Red Hat is also helping Malaysian businesses reskill and upskill employees.

    The digital economy in Southeast Asia is expected to be worth US$ 1 trillion by 2030, according to a report by Google, Temasek and Bain & Company. While Indonesia is expected to be the biggest contributor to achieving this, the other countries in the region are also expected to support the growth.

    In a report by CNBC, six countries within the ASEAN bloc, comprising Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam, are projected to grow 6% annually. While the path has been set, the ASEAN 6 countries still have several hurdles and roadblocks that they will need to overcome.

    Looking specifically at Malaysia, the country’s digital economy growth remains positive, contributing 22.6% to GDP, and is expected to rise to 25.5% by 2025. Yet, the nation still needs to overcome hurdles such as using the right technology as well as having a sufficient, skilled workforce.

    While there are numerous technology providers in the region partnering with businesses and organizations in their digital transformation journey, the lack of skills remains a roadblock for many. Growing the digital economy can be challenging if these issues are not addressed, especially given the competition between the ASEAN 6 countries in developing and hiring talents.

    Singapore remains a popular destination for tech talents, given the strength of the currency. But other countries in the region are aware of this and are working to provide better opportunities not just for talent, but for businesses as well.

    Malaysia has made significant strides towards its digital economy goals. (Image by Shutterstock)

    As such, in the first half of 2023 alone, Malaysia has made significant strides towards its digital economy goals through various government initiatives, and up-and-coming foreign investments.

    As part of this, the government is currently focused on transforming the public sector, increasing the competitiveness and resilience of Malaysian SMBs, and promoting the country as a strategic destination for quality investments through the enhancement of digital adoption across industries.

    Following this trajectory, the term “Asian Digital Tiger” has been used by Malaysia’s Communications and Digital Minister Fahmi Fadzil in reference to the country’s potential to be a leader in the digital economy in Asia, to drive growth and innovation in the region. To achieve this, Malaysian businesses should understand that there is a collective responsibility to help the country develop an ecosystem that includes strong digital infrastructure, supportive policies, and a skilled workforce.

    Embracing digital disruption for the benefit of the economy

    Tammy Tan, country manager of Red Hat Malaysia

    According to Tammy Tan, country manager of Red Hat Malaysia, Malaysia’s digital transformation continues to evolve and expand, with new opportunities and challenges emerging in equal measure. According to 2022 data by IDC, a high proportion of organizations in Asia-Pacific overall are still lagging in digital agility.

    In 2 years, 18% of APAC organizations have made the leap to become agility leaders, where technology adoption is integrated and guided by an enterprise strategy and roadmap. However, the majority are still lagging in digital agility with 62% in the slow or tactical stages (i.e., agility followers).

    Looking forward, Tan believes it is now an opportune time for leaders across their respective industries to shift their mindsets to view technology adoption as not just an added cost, but a business driver that can reshape IT and operational gaps, and support digital transformation.

    “At Red Hat, we have seen a diverse range of organizations and enterprises across industries in the region undergo transformation by automating manual processes, in order to free up human capital for more strategic and innovative tasks. A good example is Malaysia’s Petronas Dagangan (PDB), a subsidiary of Petronas, which faced challenges in reducing errors for software processes such as patching and configuration management at its 1,076 petrol stations. With Red Hat, PDB was able to automate its IT operations and run timely patch updates, which led to increased efficiency, scalability, and security,” said Tan.

    Another example highlighted by Tan was Red Hat’s partnership with Bank Muamalat Malaysia Berhad. A pioneer in Islamic banking with 68 branches nationwide, the bank worked with Red Hat to adapt to the evolving fintech landscape. To better meet market demands, the bank created a cloud-native platform that facilitates seamless interaction between software applications and provides access to third-party services. This transformation has positioned Bank Muamalat at the forefront of innovation, ensuring they remain competitive and agile in the digital banking landscape.

    Red Hat is helping in reskilling and upskilling employees.

    Increasing competitiveness starts with the right skills

    While the skills shortage remains a global problem, most countries in the region continue to train and upskill their current workforce to meet the demands. At the same time, some organizations are collaborating with tech companies and universities to produce skills that can fill the gap.

    Tan explained that amid a rapidly evolving and competitive business environment, organizations must carefully evaluate their preparedness for transformation, which involves considerations in their workforce capabilities.

    “With the emergence of cutting-edge technologies, investing in adequate training should be a priority. This is in line with the Malaysian government’s goal to reach its RM70 billion target for digital investments, while also encouraging multinational corporations and organizations to further invest in upskilling, reskilling and cross-skilling. For 2023 and beyond, it is time to consider models that not only include investing in digital solutions but also in training and skilling to support greater productivity amid ongoing disruption and evolving industry needs,” added Tan.

    Tan said that Red Hat holds itself to the principle of fostering a culture of learning and growth. As such, the company gives employees opportunities to upskill and reskill, and also expands the open learning culture to its customers and partners through various learning resources such as courses, workshops, certifications, and residency programs like Red Hat Open Innovation Labs.

    “Ambank Group, a leading financial services group, engaged Red Hat Open Innovation Labs for a five-week program to learn how to successfully adopt open source practices and Red Hat technologies to maintain its competitive edge, reducing the complexity of processes and automating tasks such as onboarding, minimizing visits to physical branches, and ultimately improving overall business agility,” mentioned Tan.

    With digital skill investments of paramount importance today, Tan also highlighted the role of the Red Hat Academy in providing open-source training and certifications. The open learning initiative partners with academic institutions by equipping individuals and organizations with the necessary skills to thrive in the digital landscape.

    “We lay the foundation for a brighter future filled with innovation. This surge of innovation not only benefits businesses but can also contribute to the overall growth and prosperity of Malaysia, positioning it as a dynamic hub of technological advancement. This is also the intention behind our latest strategic collaboration with APU in accelerating open-source education. This collaboration could have a multiplier effect on knowledge-sharing and solving real-world problems – providing opportunities for individuals to acquire in-demand digital skills,” said Tan.

    The Malaysian digital economy can grow a lot more with the right skills and technology. (Image generated by AI)

    Accelerating the future of Malaysia with digital transformation

    With the government making clear its ambition to raise the digital economy’s contribution to Malaysia’s GDP to 25.5% by 2025, there is a big task ahead for all participants in the technology ecosystem – whether it be private organizations, the public sector, tech partners, students, academics, or other players.

    Tan believes that there continues to be great progress towards digital upskilling and embracing open source technologies to date, as Red Hat’s customers and partners across various sectors have taken up the reins to pilot hybrid cloud and open source to achieve their business goals.

    These are practical examples of how digital transformation is taking place in Malaysia, and supporting the country’s national objectives by broadening access, accelerating development of new applications, and supporting professional development – all through technology.

    “Through our dedicated efforts in digital upskilling and training across our customers, partners, and employees, our ultimate goal is to unleash the full potential of the cloud, enable accelerated business growth, foster innovation, and boost productivity – in line with Malaysia’s goal of achieving the ‘Asian Digital Tiger’ status,” said Tan.

    How Moodle continues the dialogue about AI in education
    https://techwireasia.com/10/2023/what-is-moodle-the-open-source-learning-management-system/
    Fri, 06 Oct 2023 04:00:39 +0000

    The post How Moodle continues the dialogue about AI in education appeared first on Tech Wire Asia.

  • MoodleMoot Global 2023 took place in the vibrant city of Barcelona from the 19th to 21st of September.
  • This year’s themes include how artificial intelligence is changing education and the workplace.
  • Moodle’s 4.3 release is scheduled for the 9th of October and will likely contain more than 300 bug fixes, improvements and new features.

    In recent years, technology has shaken the higher education arena. With a concoction of artificial intelligence (AI) tools available to teachers and students, more needs to be said and done for various players in this industry to navigate the challenges of teaching in our modern era.

    This month, a new UNESCO global survey of over 450 schools and universities found that less than 10% have developed institutional policies or formal guidance concerning the use of generative AI applications.

    Moodle, however, is doing its part to continue the conversation about AI in education — a key theme in this year’s MoodleMoot Global, which wrapped up last week in the vibrant city of Barcelona. Taking place from the 18th to 21st of September, over 700 participants from 56 countries and more than 100 speakers from 24 countries were present at the conference.

    “It’s a place for the community to meet together, learn about what the other people are doing, [and] learn about what Moodle is doing,” event organizer Diego Fabra explains. “They can meet people from the [headquarters and] ask them questions directly. This is something that doesn’t happen in other conferences.”

    Moodle has over 700 participants joining from 56 countries and more than 100 speakers from 24 countries. (Source – X)

    What is Moodle?

    Moodle’s open-source learning management system (LMS) is free to download, modify and share with others. In their words, it is the “ultimate expression of the values that unite our community of developers, system administrators, educators, and learners.”

    As the world’s most popular LMS, it is used by countless schools, universities, non-profits and companies to respond to their education and training needs. Portsmouth Hospitals University NHS Trust, responsible for running the Queen Alexandra Hospital in Portsmouth, Hampshire, has turned to Titus Learning — a certified, premium Moodle partner — to develop a custom Moodle Workplace solution.

    Core teams at Moodle HQ coordinate with over 1000 developers who are part of Moodle’s development. Moodle LMS also has an ever-growing community of Certified Partners, developers, system administrators, educators and learners who write new features, fix bugs, update documentation, as well as share resources and ideas to continuously improve the platform.

    Since Moodle is a modular system, users can search and download official plugins from the Moodle Plugin Database. They allow users to extend and customize the LMS’s functions beyond what Moodle has envisioned. This flexibility is what makes Moodle collaborative and community-enhanced.

    Here are some examples:

    • WirisQuizzes: A STEM assessment tool that allows teachers to create and evaluate powerful math question types with equations, graphs, or text-based answers that adapt to the student’s needs and automatically correct students’ tests.
    • Adaptable: A highly customizable responsive two-column theme designed for large university installations and small training companies.
    • Panopto: A plugin that allows courses to be connected with multiple Panopto servers. Panopto is a video recording and streaming service that allows teachers to record lectures and embed them directly into Moodle.

    Moodle’s 4.3 release is set to launch on October 9 and will likely contain more than 300 bug fixes, improvements and new features the LMS teams and community developers have been working on over the last six months.

    One standout feature is the new “In Course” communication option that will empower better collaboration. The Matrix messaging system will also make working with other messaging systems like Slack and Teams more seamless.

    One of the themes in this year’s MoodleMoot Global was examining the impact of AI in education. Source: Moodle.

    Rediscovering the potential of artificial intelligence in eLearning

    MoodleMoot Global 2023 covered a wide range of interests and expertise within the EdTech space, which included:

    • The use of augmented and virtual reality in education and training
    • How AI is changing education and the workplace
    • Building core competencies with Moodle
    • Addressing inclusivity and equity with Moodle courses
    • Soft skills revolution — strengthening learners’ critical thinking, interpersonal & creative skills
    • Using Moodle to support Science, Technology, Engineering, and Mathematics (STEM) delivery

    On the morning of Day Three at MoodleMoot Global 2023, a panel discussion explored the transformative power of AI in education and workplace learning. The session, titled “How Artificial Intelligence is Changing Education and the Workplace”, was hosted by Brett Dalto, Head of Education Solutions at Moodle HQ.

    It featured a lineup of experts, including Heikki Wilenius from the University of Helsinki, Elizabeth Dalton from IntelliBoard, Rajnish Kumar from Verificient, Tim Hunt from The Open University UK, and Meghan Mencer of Harnessing Your Potential.

    Dalto posed three questions to the panel: Are our educational institutions equipped or prepared to address potential AI? How will regulating AI impact the education industry? How will AI have the greatest positive impact on education?

    Discussing bias in AI, Dalton suggested that we need to broaden our data to be inclusive of all demographics for AI to be unbiased. Conversely, Kumar from Verificient argued that we should consider the intention behind building an AI system rather than focusing on whether AI is biased.

    The panelists also raised thought-provoking questions. Hunt, for example, questioned whether we understand the implications of AI well enough to draft effective legislation. The conversation also touched on how current and future generations will adapt to the growing impact of AI in society.

    Alibaba Cloud launches two open-source large vision language models
    https://techwireasia.com/08/2023/alibaba-cloud-launches-two-open-source-large-vision-language-models/
    Tue, 29 Aug 2023 01:15:51 +0000

    The post Alibaba Cloud launches two open-source large vision language models appeared first on Tech Wire Asia.

  • Alibaba Cloud unveils two open-source large vision language models.
  • The models, Qwen-VL and Qwen-VL-Chat, can comprehend images, texts, and bounding boxes in prompts.
  • The two models have had over 400,000 downloads within a month of their launch.

    When it comes to technology, Alibaba Cloud has always made it clear that its technology is available for all. Given the pace of generative AI technology, the open-source community has also been working to develop new use cases and improve the capabilities of the technology.

    While there are some concerns about how open-source code materials are being utilized by some generative AI tools, the general understanding is that everyone can still benefit from and contribute to the technology.

    As such, Alibaba Cloud has launched two open-source large vision language models (LVLM). The models, Qwen-VL and Qwen-VL-Chat, can comprehend images, texts, and bounding boxes in prompts. The LVLM models can also facilitate multi-round question-answering in both English and Chinese.

    What are large vision language models?

    Similar to large language models (LLM), an LVLM is trained extensively on massive datasets containing images and corresponding textual descriptions. The model understands the relationship between visual content and natural language expressions. An extension of computer vision and natural language processing techniques, LVLMs facilitate tasks that involve processing and generating information in both visual and textual forms.

    Hugging Face, an AI platform, breaks down LVLM into three key elements—an image encoder, a text encoder, and a strategy to fuse information from the two encoders. These essential components are intricately interconnected. LVLM continues to undergo significant changes. Prior approaches have utilized manually crafted image descriptors along with pre-trained word vectors or frequency-based TF-IDF features.

    “LLMs have notably accelerated progress towards artificial general intelligence (AGI), with their impressive zero-shot capacity for user-tailored tasks, endowing them with immense potential across a range of applications. However, in the field of computer vision, despite the availability of numerous powerful vision foundation models (VFMs), they are still restricted to tasks in a pre-defined form, struggling to match the open-ended task capabilities of LLMs,” explain researchers on using LLM for vision-centric tasks.

    In a research paper, researchers point out that an LLM-based framework for vision-centric tasks treats images as a foreign language and aligns vision-centric tasks with language tasks that can be flexibly defined and managed using language instructions.

    The researchers also highlight that “an LLM-based decoder can then make appropriate predictions based on these instructions for open-ended tasks. Extensive experiments show that the proposed VisionLLM can achieve different levels of task customization through language instructions, from fine-grained object-level to coarse-grained task-level customization, all with good results.”

    A Tweet on the new release by Alibaba Cloud.

    Qwen-VL and Qwen-VL-Chat

    Qwen-VL is the multimodal version of Qwen-7B, Alibaba Cloud’s 7-billion-parameter model of its large language model, Tongyi Qianwen. Qwen-VL is also available on ModelScope as open-source. It is capable of understanding both image inputs and text prompts in English and Chinese. Qwen-VL can perform various tasks such as responding to open-ended queries related to different images and generating image captions.

    The features of Qwen-VL include:

    • Strong performance – It significantly surpasses existing open-source LVLMs under similar scale settings on multiple English evaluation benchmarks, including Zero-shot caption, VQA, DocVQA, and Grounding.
    • Multi-lingual LVLM supports text recognition – Qwen-VL naturally supports multi-lingual conversations and promotes end-to-end recognition of bilingual text in images in both Chinese and English.
    • Multi-image interleaved conversations – This feature allows for the input and comparison of multiple images, as well as the ability to specify questions related to the images and engage in multi-image storytelling.
    • First generalist model supports grounding in Chinese – Detecting bounding boxes through open-domain language expressions in both Chinese and English.
    • Fine-grained recognition and understanding – Compared to the 224 resolution currently used by other open-source LVLMs, the 448 resolution promotes fine-grained text recognition, document QA, and bounding box annotation.

    A demo of Qwen-VL. (Source – Alibaba Cloud)

    Compared to other open-source large vision language models that can process and understand images in 224×224 resolution, Qwen-VL can handle image input at a resolution of 448×448, resulting in better image recognition and comprehension. Qwen-VL also recorded outstanding performance on several visual language tasks, including zero-shot captioning, general visual question-answering, text-oriented visual question-answering, and object detection.

    Additionally, Qwen-VL-Chat caters to more complex interactions, such as comparing multiple image inputs and engaging in multi-round question-answering. The AI assistant leverages alignment techniques and exhibits a range of creative capabilities. This includes writing poetry and stories based on input images, summarizing the content of multiple pictures, and solving mathematical questions displayed in images.

    In the benchmark test of Alibaba Cloud, Qwen-VL-Chat has also achieved leading results in both Chinese and English for text-image dialogue and alignment levels with humans. This test involved over 300 images, 800 questions, and 27 categories.

    Multi-round question answering via the Qwen-VL-Chat model. (Source – Alibaba Cloud)

    Alibaba Cloud and open source

    In an interesting move by Alibaba Cloud, the tech company has shared the model’s code, weights, and documentation with academics, researchers, and commercial institutions worldwide. With democratizing AI technology on the agenda for most AI companies, the code is available to the open-source community via ModelScope and Hugging Face.

    The introduction of these models, with their ability to extract meaning and information from images, holds the potential to revolutionize interactions with visual content. For instance, leveraging their image comprehension and question-answering capabilities, these models could provide informational assistance to visually impaired individuals during online shopping in the future.

    Since these models have been open-sourced, the two models have garnered over 400,000 downloads within a month of their launch. For commercial uses, companies with over 100 million monthly active users can request a license from Alibaba Cloud.

    GitHub: AI for developers boosts global productivity
    https://techwireasia.com/07/2023/github-ai-for-developers-boosts-global-productivity/
    Thu, 06 Jul 2023 01:05:51 +0000

    The post GitHub: AI for developers boosts global productivity appeared first on Tech Wire Asia.

    ]]>
  • AI for developers productivity could boost global GDP by over US$1.5 trillion by 2030.
  • GitHub anticipates that approximately 80% of code will be written with AI.
  • Some developers are concerned about where the code is coming from.

    AI for developers is reportedly boosting productivity levels much more than initially expected. Today, there are more than a million developers using AI to generate code. In fact, GitHub Copilot has been adopted by over 20,000 organizations with more than three billion lines of code developed.

    GitHub Copilot is an AI pair programmer that offers autocomplete-style suggestions as developers code. Developers can receive suggestions from GitHub Copilot either by starting to write the code they want to use or by writing a natural language comment describing what they want the code to do. GitHub Copilot analyzes the context in the file they are editing, as well as related files, and offers suggestions from within the text editor. GitHub Copilot is powered by OpenAI Codex, a new AI system created by OpenAI.

    With the release of OpenAI’s GPT-4, GitHub Copilot X was launched, providing chat and voice interfaces, support for pull requests, the ability to answer questions about documentation, and a more personalized developer experience.

    As the world’s most widely adopted AI tool for developers, GitHub has released new research detailing the potential economic impact and productivity benefits of generative AI. The study found that AI developer productivity benefits could boost global GDP by over US$1.5 trillion by 2030.

    Here’s a summary of the findings from the Sea Change in Software Development report:

    • Less than a year after its general availability, GitHub Copilot is turbocharging developers writing software. Analysis of a large sample of GitHub Copilot users (n = 934,533) reveals a sizable productivity impact. On average, users accept nearly 30% of code suggestions and report increased productivity from these acceptances. Furthermore, this productivity impact increases with time, and the benefits are greatest for less experienced users.
    • The research estimates that these generative AI developer productivity benefits could boost global GDP by over US$1.5 trillion by 2030 by helping to meet the growing demand for software. GitHub acknowledges that these estimates are conservative as they are moment-in-time projections that do not account for the increased demand for software development due to its greater efficiency and continued digital transformation that will arise from generative AI adoption.
    • Another interesting finding is that the global landscape of players working on generative AI is diverse, including big tech, start-ups, academia, and individuals. Open source activity on generative AI has seen an exponential increase compared to previous years, based on an analysis of GitHub repositories and commits. Findings suggest that the open-source ecosystem, particularly in the United States, is driving generative AI software innovation. Individual developers are leading the majority of such repositories on GitHub.

    According to Thomas Dohmke, GitHub CEO, the economic impact of generative AI over the next decade will be profound and the world is already seeing large-scale adoption of AI coding tools like GitHub Copilot by developers and companies. In a recent survey, 92% of developers said they use AI tools both in and outside of work, which underscores how quickly these tools are redefining the overall developer experience.

    “What we draw from all this is that generative AI is turbocharging developer productivity with gains that will ultimately drive a boom in GDP for the global economy and, in turn, a surge in demand for software developers. We’ve seen this throughout the history of developer tool innovations from compilers to open source, and we’re already seeing that again with GitHub Copilot and soon GitHub Copilot X. One year later, we’ve realized this collision of AI and the software developer will not lead to a decrease in developer jobs — it will lead to AI augmenting developer potential and accelerating human progress,” commented Dohmke.

    Can AI for developers make coding faster?

    The open-source ecosystem is driving generative AI software innovation. (Image source – Shutterstock)

    Less experienced developers benefit more from GitHub Copilot

    GitHub’s study found that less experienced developers have a greater advantage with tools like GitHub Copilot, which is corroborated by other studies, including GitHub’s previous experiments on the impact of AI on developer productivity. As developers use these tools to upskill, they will become more fluent in prompting and interacting with AI to power the development lifecycle.

    As a matter of fact, by examining GitHub Copilot telemetry, the study found that users accept an average of 30% of code suggestions, representing real productivity gains. Over time, developers overcome the learning curve and get comfortable with the tool, which leads them to use it for an even greater impact and accept more code suggestions. These findings are also consistent with, and extend, previous experiments and related productivity research on generative AI.

    “Accepting code completion suggestions is beneficial for developers as it allows them to finish writing a code block faster and can save time searching for less-commonly used syntaxes. Acceptance rate captures code immediately adopted from GitHub Copilot suggestions based on the active choice of the developer. This is confirmed in survey research, which finds that developers’ statements of productivity are closely tied to acceptance rate,” the report stated.

    In terms of productivity gains, the data from the study indicates that AI for developers is most likely going to be the way forward. As developers continue to become fluent in prompting and interacting with AI, particularly with new models that allow natural language to power the development lifecycle, GitHub anticipates that approximately 80% of code will be written with AI.

    Put simply, GitHub believes that this will help democratize software development, allowing more people from non-technical backgrounds to build and shape the software that will continue to power the global economy.

    Where is the code AI for developers coming from?

    A Tweet by GitHub asking developers what’s holding them back from contributing.

    Where is the code for AI for developers being developed from?

    Here is where it gets a bit interesting. While GitHub clearly indicates that AI for developers is becoming increasingly common, there are some questions about the legitimacy of the code being generated.

    According to several blogs and posts in forums, many developers feel that while GitHub’s Copilot is making things easier, what it is actually doing is just scanning different projects on it and giving developers code that already exists. Put simply, some developers feel that the AI is not really learning how to code or create new code but instead, it just steals existing code.

    What makes it more contentious is that GitHub is owned by Microsoft, a profit-driven company; developers feel the code should be generated, not taken from other projects. At the same time, because the code comes from Copilot, they would need to have the right to use it.

    While there are also arguments that Copilot is open-source, when it comes to AI for developers, the understanding is that attribution needs to be given. Tech Wire Asia also uncovered several blogs that are discussing similar issues. While this is not going to slow the use of AI for developers, some would still be reluctant to fully use the code unless they can see its source.

    The end goal

    GitHub’s study also acknowledges that the economic value of open-source activity will continue to grow, and will only be further accelerated by AI. But this would mean a growing need for developers. Currently, there are only an estimated 27 million professional software developers in the world, far below the number actually needed.

    In Europe, the shortfall in IT workers is estimated at over 500,000, with Germany alone exceeding 100,000, and countries like Denmark, Norway, and Sweden are expected to face growing demand. Latin America faces a similar shortage, with the deficit of IT workers in Brazil growing by an estimated 25,000 per year. An estimate by Korn Ferry puts the shortage of tech talent at 85.2 million across various sectors in 2030.

    GitHub believes this is where generative AI tools can make a difference. Not only can they be used to upskill more developers, but also to make each developer more productive. They thus hold promise to meet the exploding demand for software that will only accelerate as AI adoption continues.

    “From clear gains in productivity to improved acceptance rates as time goes on, to the explosion of generative AI in open source repositories, to the potential US$ 1.5 trillion to the global GDP, these findings signify a sea change in software development. As more developers adopt these tools and become fluent in the skill set of prompting with generative AI, it is clear that this new way of software development has created an inextricable link between humankind and artificial intelligence that could well define how the world’s software is built for generations to come,” concluded the study.

    The post GitHub: AI for developers boosts global productivity appeared first on Tech Wire Asia.

    What generative AI means for Singapore businesses https://techwireasia.com/05/2023/what-generative-ai-means-for-singapore-businesses/ Tue, 30 May 2023 23:00:45 +0000

    Article written by Pierluigi Cau, Regional Director of Field Services, APAC, GitHub

    AI is already impacting people’s daily lives in countless ways, gripping the world as its impact accelerates. But for the first time, businesses, not just consumers, are now feeling the power of generative AI.

    Undoubtedly, the convergence of open-source software and AI will power a new era of software development that will fast-track business innovation in every sector. The transformative potential AI can deliver has opened business leaders’ minds even more to the power of software development on business growth. We’re on the brink of a new era of enterprise innovation.

    This could not be more timely for Singapore, with the 2023 budget outlining measures for business innovation that encourage leaders to think about ways to transform their organizations in tandem with upskilling their people. Businesses in Singapore are rightly asking themselves how this fusion of open source and AI will benefit them, educating themselves on the impact and how to embrace and implement it.

    From speaking with major enterprises in Singapore, I am curious about what generative AI can deliver for them. This is exactly the right mindset – while we’ve only just scratched the surface of what we can achieve with generative AI, its true potential is yet to be realized. Preparing for this new future has rapidly become vital to business planning.

    We know that software development will never be the same again, and there are some major incentives in ensuring organizations have the right foundation from which to capitalize on the opportunity generative AI will deliver. From my vantage point, AI will impact Singapore’s businesses in three critical ways:

    Accelerated innovation

    AI can make businesses significantly more productive at a fundamental level, removing much of the dry, mundane work that typically occupies so much of a developer’s time. Empowering them to stay “in flow” frees them to focus on the bigger picture – resulting in faster innovation.

    What generative AI means for Singapore businesses

    Pierluigi Cau, Regional Director of Field Services, APAC, GitHub

    So much so that research shows that GitHub Copilot helps developers code up to 55% faster, with 75% feeling more fulfilled and able to focus on more satisfying work. When you quantify the impact of that organization-wide, it’s virtually unimaginable what it will do for enterprises.

    Unsurprisingly, developers intuitively recognize that the introduction of AI in the development process is a generational shift. For sectors like financial services (FS), where Singapore has traditionally punched above its weight on a global scale, generative AI represents a major opportunity.

    While embracing AI requires a careful long-term approach, AI can almost instantly deliver productivity advantages. In a highly competitive market like FS, with skyrocketing customer expectations for digital services, that’s an extremely attractive prospect – particularly against a challenging macroeconomic backdrop.

    A solution to tech skills shortages

    Singapore has a well-publicized shortfall in tech talent, which poses a challenge to the future of innovation. As with almost all nations, demand for tech skills is growing faster than businesses can source and retain the right talent.

    The scale of the challenge is significant. The government’s Smart Nation Initiative predicts that the ICT sector will need another 60,000 workers by 2023 – but Singapore produces only 2,800 ICT graduates annually. In addition, research commissioned by AWS indicates that Singapore will need 1.2 million additional digital workers by 2025 to remain competitive – an increase of 55% on current levels.

    But by leaning into open source and AI, Singapore businesses can plug the gap.

    Firstly, the productivity advantages of AI empower developers to maximize their time, helping them achieve more with fewer resources. Secondly, capitalizing on the AI opportunity requires organizations to implement a progressive open-source approach – and by definition, open source enables organizations to access a global pool of ambitious developers. There are no geographical boundaries to finding the right talent.

    Lastly, developers want to work in environments that prioritize their working conditions and fuel their ambition. By embracing AI, businesses set themselves up to attract top developers and retain existing talent.

    Democratization of software development

    Historically, software development has been the preserve of technically-trained career developers. While there will always be a strong element of technical know-how required in developing cutting-edge software, AI indeed lowers the barrier to entry for people from different backgrounds and experiences.

    Almost anyone can transform themselves into a junior developer, even with little existing knowledge, if they are clear on what they want to achieve. That can only be a positive development when you consider growing Singapore’s digital economy requires growing its developer community.

    Of course, generative AI is no substitute for developers’ experience and skills. While AI is changing how developers work – enabling them to work faster, better and more happily – developers are still in charge and own the resulting code.

    The latest tools empower users to focus more on the bigger picture of design and strategy than on actual coding. In many ways, it changes what it means to be a developer, enabling greater contributions from a wider cross-section of the business community. AI will complement how developers work and empower them to write code more easily with greater focus and creativity. That can only benefit innovation.

    While no business in Singapore can justifiably claim to grasp the precise impact of AI on their business at this stage, there is no getting away from the transformational impact AI and open source will deliver. It will enable new competitors to fast-forward their growth and skip lengthy R&D phases, potentially placing even more pressure on established enterprises.

    What’s critical for businesses in Singapore to assess now is how quickly they can take their first steps into a new era of AI-powered software development, supporting the country’s aims to maintain its position as a competitive global business hub. While change is always challenging, the risk of not making such a crucial move has the potential to be far more disruptive.

    The views in the article are those of the author and may not reflect the views of this publication.

    The post What generative AI means for Singapore businesses appeared first on Tech Wire Asia.

    Could open-source chatbots be a cheaper ChatGPT alternative? https://techwireasia.com/03/2023/could-open-source-chatbots-be-a-cheaper-chatgpt-alternative/ Tue, 28 Mar 2023 00:00:23 +0000

    As big tech companies continue to perfect generative AI, the open-source community may now have a chance to work with the technology as well. Big data analytics company Databricks has unveiled its version of a generative AI that is available for anyone to use for any purpose.

    With the model, called Dolly, the Databricks team showed that anyone can take a dated, off-the-shelf open-source large language model (LLM) and give it ChatGPT-like instruction-following ability by training it for just 30 minutes on one machine with high-quality training data. The team also pointed out that instruction-following does not seem to require the latest or the largest models.

    “Our model is only 6 billion parameters, compared to 175 billion for GPT-3. We open-source the code for our model (Dolly) and show how it can be re-created on Databricks. We believe models like Dolly will help democratize LLMs, transforming them from something very few companies can afford into a commodity every company can own and customize to improve their products,” the team stated in a blog post.

    Diving deeper, the team at Databricks explained that Dolly is essentially a cheaper-to-build LLM with capabilities similar to those exhibited by ChatGPT. The technology behind it is based on the Alpaca model built by Stanford, which is itself based on Meta’s LLaMA. Simply put, Dolly is an open-source clone of an Alpaca, inspired by a LLaMA.

    While the Alpaca model works on a small dataset of 50,000 human-like questions and answers, Databricks discovered that even years-old open-source models with much earlier architectures exhibit striking behaviors when fine-tuned on a small corpus of instruction training data.

    “Dolly works by taking an existing open source six billion parameter model from Eleuther AI and modifying it ever so slightly to elicit instruction following capabilities such as brainstorming and text generation not present in the original model, using data from Alpaca,” Databricks explained.

    For organizations, sending data to a centralized LLM provider rather than building their own model carries some risks: the datasets most likely to benefit from AI are often their most sensitive and proprietary data, and organizations would not want that data held by a third-party company.

    As such, Databricks believes that organizations will eventually want models that they own and operate themselves. However, like the other big tech companies, Databricks acknowledges that generative AI is still an emerging technology. Concerns about factual accuracy, bias, offensive responses, general toxicity and hallucinations apply to Dolly just as they do to other language models.

    “We’re in the earliest days of democratization of AI for the enterprise, and much work remains to be done, but we believe the technology underlying Dolly represents an exciting new opportunity for companies that want to cheaply build their own instruction-following models,” stated Databricks.

    The post Could open-source chatbots be a cheaper ChatGPT alternative? appeared first on Tech Wire Asia.

    GitHub puts developers first with 2FA initiative and powerful Copilot updates https://techwireasia.com/03/2023/github-puts-developers-first-with-2fa-initiative-and-powerful-copilot-updates/ Tue, 14 Mar 2023 04:00:02 +0000

  • GitHub is implementing 2FA to enhance software security.
  • GitHub prioritizes account security and considers strong authentication and 2FA essential for safeguarding the software supply chain.

    GitHub, which now has over 100 million developers, is prioritizing security by implementing a two-factor authentication (2FA) initiative. Starting March 13, all developers who contribute code on GitHub.com will be required to enable one or more forms of 2FA by the end of 2023.

    The software supply chain’s security is crucial, and GitHub understands that developers have a significant role in ensuring its protection. Therefore, the platform-wide 2FA initiative aims to improve account security and protect developers and consumers from social engineering and account takeover attacks. GitHub will gradually roll out this initiative to smaller groups of developers and administrators to allow for adjustments before expanding to larger groups throughout the year.

    Securing GitHub has never been easier with 2FA

    To ensure that enrolling in 2FA is an easy and reliable process, GitHub has enhanced the experience with a few key features:

    • After setting up 2FA, GitHub.com users will receive a prompt after 28 days to perform 2FA and confirm their second-factor settings. This prompt is designed to prevent account lockout caused by misconfigured authenticator applications (TOTP apps).
    • To ensure continued access to their account, users can now simultaneously enroll multiple 2FA methods, such as an authenticator app (TOTP) and an SMS number.
    • Users can now choose their preferred 2FA method for account login and use of the sudo prompt, so their favorite method is always prompted first during sign-in.
    • To address the problem of locked-out users being unable to create a new account with their preferred email address, GitHub now allows users to unlink their email address from a two-factor-enabled account in case of 2FA lockout.
    • GitHub is testing passkeys internally as a potential new authentication method that combines ease of use with strong protection against phishing attacks. Watch out for updates on this feature.
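    The first two items above rest on TOTP, the time-based one-time code that authenticator apps produce. The block below is an added example, not GitHub's code: it implements RFC 6238 codes on top of RFC 4226 HOTP, verifies them with a small drift window so a slightly skewed phone clock does not lock the user out, and models the post-enrollment confirmation step the article describes (a user who cannot produce a valid code right after setup has a misconfigured app, and that is the moment to fix it rather than at the next login). The secret generator, the 28-day reconfirmation helper and the walk-through at the bottom are assumptions for illustration.

```python
"""TOTP (RFC 6238) enrollment check, as an added example (not GitHub's code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30      # standard TOTP time step
DIGITS = 6             # standard code length
RECONFIRM_DAYS = 28    # mirrors the 28-day prompt described in the article (assumed policy)


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, now // step)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    now = int(time.time()) if at is None else int(at)
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), code)
        for d in range(-window, window + 1)
    )


def needs_reconfirmation(enrolled_at: int, now: int, days: int = RECONFIRM_DAYS) -> bool:
    """True once `days` have passed since enrollment; the user should re-prove the factor."""
    return now - enrolled_at >= days * 86400


def confirm_enrollment(secret_b32: str, submitted_code: str, at: Optional[int] = None) -> bool:
    """Post-enrollment check: the user must produce a code from the app they just set up.
    A failing code means the app holds the wrong secret or a badly skewed clock, which is
    better discovered now than as a lockout at the next sign-in."""
    return verify_totp(secret_b32, submitted_code, at=at)


if __name__ == "__main__":
    # Constructed walk-through: new secret, a code "from the app", then the confirmation step.
    secret = generate_secret()
    app_code = totp(secret)
    print("enrollment confirmed:", confirm_enrollment(secret, app_code))
    print("misconfigured app rejected:", not confirm_enrollment(secret, "000000"))
```

    The drift window is deliberately small (one step either side): a wider window makes a stolen code usable for longer, while zero tolerance turns ordinary clock skew into the lockouts the prompt is meant to prevent.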

    GitHub has developed a gradual rollout plan to minimize disruptions and prevent account lockouts while asking groups of users to enable 2FA over time. These groups will be selected based on their actions or code contributions. 

    GitHub puts developers first with 2FA initiative and powerful Copilot updates

    Source – Shutterstock

    Open source software is widely used, with 90% of companies reporting its use, and GitHub is a critical part of this ecosystem. As a result, GitHub takes account security seriously and sees strong authentication and 2FA as best practices to ensure software supply chain protection. 

    However, GitHub cannot improve software supply chain security alone and relies on user support to enroll their accounts in 2FA, thereby contributing to the overall security of open source software.

    Building a home for the developer community

    Developers today come from diverse backgrounds and work on various projects, including open-source contributions and scientific research. With a global exchange of ideas, developers are democratizing who they are, what they work on, and where they live. GitHub is committed to putting developers first and providing them with the necessary tools to build the next big thing, accelerate human progress, and solve unknown problems.

    GitHub has launched updates for Copilot for Individuals and Copilot for Business, making the tool more powerful and responsive for developers by improving its AI capabilities. The updates include simple sign-ups for organizations and an updated Codex model, resulting in significant improvements to code quality and faster response time. GitHub Copilot now generates up to 61% of a developer’s code in Java and 46% in all programming languages. The enhancements include upgrades to the AI Codex model and improved context understanding through the Fill-In-the-Middle (FIM) paradigm. 

    A lightweight client-side model was also developed to improve overall code acceptance rates and reduce unwanted suggestions. These technical improvements allow GitHub Copilot to provide developers with more accurate and responsive code suggestions.

    The post GitHub puts developers first with 2FA initiative and powerful Copilot updates appeared first on Tech Wire Asia.

    Avoiding toxic components in the open-source supply chain https://techwireasia.com/02/2023/open-source-software-oss-foss-development-security-ci-cd-pipeline-secure-bom-reviews-best-2/ Mon, 13 Feb 2023 08:01:55 +0000

    The post Avoiding toxic components in the open-source supply chain appeared first on Tech Wire Asia.

    Several stories about weaknesses in the software supply chain have made headlines recently. As the Ukraine-Russia conflict began to erupt, the developer of the node-ipc module decided to apply a blanket ban on any IP located in Russia that ran their code, without realising that it would also affect human-rights organisations and charities operating in that country. There have been other incidents too, such as developers aggrieved that their code was being used widely in profitable products, who then poisoned their own GitHub repositories to draw everyone's attention to the lack of financial support from users and the wider community.

    It is undeniable that developer resources are under attack from malicious actors who know full well that simply registering a misspelled domain name can distribute broken code to thousands of projects around the world. Yet most incidents in which the supply chain is hit with serious malware go unreported, perhaps because there are too many to count. Continuous scanning by the OSS supply-chain cybersecurity provider Sonatype found 102,930 malicious or potentially malicious code events across the npm ecosystem. Once merged into the development pipeline, these harmful packages can easily move into QA, testing or even production, and from there exfiltrate cloud credentials, hijack processor cycles for crypto mining, probe the company's IP addresses, and carry out the countless other unwanted activities commonly seen with malware.

    The developer community has been posting resources and code for the general public to use ever since the UNIX ownership dispute became the last straw that drove the adoption of the first versions of the Linux kernel. Although the ideals of OSS (Open Source Software) persist because of the countless benefits they bring to developers and to software as a whole, the channel through which those benefits are delivered is being taken over by malicious elements. This is the dark side of human behaviour and is probably unavoidable, unless every project is rewritten from scratch with no reference at all to shared libraries, frameworks or code.

    Organisations have addressed many of these security and quality-control problems by building their own repositories of "approved" components for internal use, or at least by verifying the safety of every package that enters their CI/CD pipeline. That control is a plus for software production as a whole: version control and compatibility, dependency resolution rates, CI/CD automation, and the relatively easy production of a complete BOM (Bill of Materials) for any application, to name just a few examples. A company's private repository is quickly becoming an indispensable part of managing change, new development and everything connected with them. But of course, managing the security of such a resource is complex work that in turn demands (expensive) human resources.

    Open source

    Source: Shutterstock

    ทีมนักพัฒนาที่ถูกกดดันให้ทำได้ตามเป้านั้นไม่เพียงแต่จะทำพลาด แต่ยังมีแรงจูงใจอยากยิ่งที่จะปล่อยปละละเลยประเด็นด้านการรักษาความปลอดภัยเพื่อลดค่าใช้จ่ายด้วย สิ่งแรกที่มักจะถูกลืมก็คือการตรวจสอบไลบราลี่และฟังก์ชันทั้งหมดอย่างเหมาะสม นี่เป็นปัญหาที่มักทำให้นักพัฒนาและเพื่อนร่วมงานที่โฟกัสด้านความปลอดภัยต้องปะทะกันอยู่เสมอ มีหลายวิธีการและโซลูชันที่พยายามจะผสานรวมแนวทางที่ดีที่สุดในการรักษาความปลอดภัยทางไซเบอร์ให้เข้ากับทุกส่วนของซอฟต์แวร์ซัพพลายเชนและวัฏจักร CI/CD

    องค์ประกอบหลักตลอดทั้งกระบวนการพัฒนาและการอัปเดตอื่นๆ ที่ตามมาของทุกแอปพลิเคชันจะต้องได้รับการตรวจสอบว่าผ่านเกณฑ์ด้านการปลอดภัยและการปฏิบัติตาม นั่นหมายถึงปราศจากมัลแวร์หรือข้อกำหนดและเงื่อนไขใดๆ ที่ไม่รองรับ ณ เวลาที่ถูกดาวน์โหลด และมีการตรวจสอบอย่างต่อเนื่องในกรณีที่เกิดพบว่ามี CVE หรือความเสี่ยงใดๆ (หรือมีการเปลี่ยนแปลงข้อกำหนดในการให้สิทธิ์ใช้งาน) สำหรับแอปพลิเคชันที่ซับซ้อน นี่อาจหมายถึงการพิจารณาและบริหารจัดการองค์ประกอบหลายพันรายการ ซึ่งเป็นสิ่งที่เกินกำลังองค์กรส่วนใหญ่ไปมาก

    This situation is not going to change, and it will certainly get worse as reliance on software grows. Every company and organization in the world, large or small, continues to digitalize and deploy more technology, so it is safe to predict that malicious activity will grow in step. In short, the problem grows even as open source software development must accelerate innovation, produce new solutions, and update services and apps everywhere.

    Sonatype

    The figure cited above (192,000+ malicious packages in circulation) was compiled by behavioural analysis and automated security scanning by Sonatype's Nexus Firewall. This is one way an organization's development function can protect itself from risks such as the Log4J incident, whose effects are still being felt today. SCA (software composition analysis) is a process organizations can use to assess the security of software components, manage versions, reduce dependency problems, and keep the various license types properly in order.

    Nexus Firewall quarantines (and releases, after review) downloaded components, so that a company has full control over what is allowed into the SDLC (software development lifecycle). Policies can be relaxed as needed, and controls can be applied based on a package's or library's popularity, age, source, version and license (the last also helping to ensure there are no violations that could turn into legal problems later).

    Open source

    Source: Shutterstock

    Developers can use only safe components within the defined version range, which narrows version choices and reduces breaking dependencies. New versions are blocked by default until they have been reviewed and released by the organization's own repository, whether Nexus Repository or JFrog Artifactory Enterprise.

    Nexus Firewall also supports multiple languages (Java, JS, Ruby, .NET, Python, Go), making it the best way to advance toward the much-discussed goal of integrating security, operations and development: DevSecOps. For more information, pricing and specific resources, book a demo with Sonatype.

    Qualys

    Qualys is well known as a provider of information security and compliance for development solutions. It integrates well with common CI/CD platforms such as Jenkins and Puppet, and it also connects to popular SIEM platforms such as Splunk.

    It is one of the first developer-focused software platforms to bring in microservices built for Podman and Docker, ensuring that developers using those containers (even in pre-production experimental environments) can do so safely. Many cases of broken Docker images reflect the company's conservative thinking in this area; for appreciative users, the platform cross-checks container behaviour against real-world deployments to flag anomalies that may indicate something malicious lurking inside.

    The Qualys platform can scan all available assets, from cloud repositories (with built-in connections to popular hyperscale services) down to individual endpoints operated by a single developer.

    Read more here about DevOps security solutions by Qualys.

    Micro Focus

    Most apps use third-party open source software built with toolchains that may have been embedded in business processes for a very long time.

    Micro Focus Fortify gives companies the ability to retrofit each stage of their existing CI/CD so that engineers can build better security into every stage of the SDLC.

    The software means application development no longer has to halt at critical moments for security checks; instead it becomes a continuous process, creating value in time-to-production and in the ROI of investment in new applications.

    The company focuses on three core security pillars, the three elements that need attention to ensure the BOM is as clean as possible: people, process and technology.

    As every department faces growing pressure to ship updates, add features and bring new applications and services to market, Fortify can help ensure that workflows stay fast yet secure.

    Click here to see more about how Micro Focus Fortify can help organizations secure the software supply chain.

    The post Avoiding the components that poison the open source supply chain appeared first on Tech Wire Asia.

    ]]>
    Avoiding the components that poison the open source supply chain https://techwireasia.com/02/2023/open-source-software-oss-foss-development-security-ci-cd-pipeline-secure-bom-reviews-best-4/ Mon, 13 Feb 2023 08:00:41 +0000 https://techwireasia.com/?p=225959

    The post Avoiding the components that poison the open source supply chain appeared first on Tech Wire Asia.

    ]]>
    Several major software supply chain vulnerability incidents have recently made headlines. At the outset of the Russia-Ukraine conflict, the developer of node-ipc decided to bar any IP address inside Russia from using his code, a move that unwittingly affected many humanitarian and charitable organizations operating in that country. In other cases, developers unhappy that their source code was filling for-profit products began poisoning their own GitHub repositories to draw the attention of users and the wider community to their lack of funding.

    It is undeniable that public developer resource repositories are being hijacked by attackers who are fully aware that a simple typosquatted name can spread their modified code into thousands of projects worldwide. Yet most cases of malicious supply chain malware go unreported, perhaps because there are too many to count: in a single proactive scan, open source software supply chain security vendor Sonatype found 102,930 malicious or potentially malicious code instances in the npm ecosystem alone. Once integrated into a development pipeline, the altered applications move straight into quality assurance, testing and even production. From there they can compromise cloud credentials, hijack processing cycles for cryptocurrency mining, steal corporate intellectual property, and set off a troubling string of malware incidents.

    With the death throes of proprietary UNIX brought on by the deployment of the first Linux kernels, the developer community has released resources and code for the public good. Although the ideology of open source software will live on, because it brings overwhelming advantages to every developer and to all software, the means of delivering those advantages is being undermined by criminals. This is one of the more regrettable sides of human behaviour, and it is unavoidable unless every project is written from scratch with no reference to public repositories, frameworks or code.

    Organizations have addressed many security and quality-control issues by building their own repositories that contain only "approved" elements for internal use, or at least by ensuring the authenticity of every package that enters the CI/CD pipeline. Such control usually benefits software production, including version control, compatibility, dependency resolution, CI/CD automation, and the (relatively) simple generation of a complete BOM (bill of materials) for any application, to name just a few. Local repositories are quickly becoming indispensable to any delivery pipeline for change management, new development and everything in between, but maintaining the security of that resource is necessarily tedious work that consumes (very costly) resources.

    Open source

    Source: Shutterstock

    Under heavy pressure to hit targets, DevOps teams are not only prone to error but highly likely to disregard security concerns to cut costs, and the first thing dropped is probably the proper review of every library or function. This is one of the root causes of the adversarial stance between developers and their security-focused colleagues, and there are many methods and solutions that try to bring cybersecurity best practices into every stage of the software supply chain and the CI/CD lifecycle.

    The core elements of any application must be checked for security and license compliance throughout development and every subsequent update. That means no malware and no non-compliant terms and conditions at download time, with repeated re-checks whenever a vulnerability is disclosed or another sensitive issue becomes apparent (or license terms change). In a highly complex application this can mean watching and controlling thousands of components, which is clearly beyond what most organizations can handle.

    This situation cannot be changed; in fact, as dependence on software keeps growing, it is likely to get worse. Every company and organization in the world, whatever its size, is moving toward digitalization and deploying more technology. Malicious attacks are therefore certain to increase as well. In short, as the problem intensifies, open source software development must also accelerate innovation, devise new solutions, and update services and applications around the world.

    Sonatype

    The figure cited above (more than 192,000 malicious packages) was compiled from behavioural analysis and automated security scanning performed by Sonatype's Nexus Firewall. It is one way an organization's development function can protect itself against the class of vulnerability exposed by the Log4J incident, whose effects are still compounding. Through an SCA (software composition analysis) process, organizations can assess the security of their software components, control versions, ensure dependency problems are minimized, and stay accurate across the many license types.

    Nexus Firewall can quarantine (and release after review) any downloaded component, giving companies full control over what is allowed into the SDLC (software development lifecycle). Policies can be tuned as needed, including controls based on a package's or library's popularity, age, source, version and license. (The last has the added advantage of ensuring there are no violations that could later raise legal issues.)

    Open source

    Source: Shutterstock

    Developers can use only safe components within a configured version range, which reduces version-selection problems and breaking dependencies. By default, new versions are blocked until they have been reviewed and released into the local repository, whether Nexus Repository or JFrog Artifactory Enterprise.

    With support for many programming languages (Java, JS, Ruby, .NET, Python, Go), Nexus Firewall is an excellent way to advance the often-cited goal of integrating security, operations and development: DevSecOps. To learn more, explore pricing and community-focused resources, visit Sonatype to book a demo.

    Qualys

    Qualys is a well-known provider of information security and compliance solutions for development. It fits seamlessly into common CI/CD platforms such as Jenkins and Puppet, and it can also be installed as a plugin into popular SIEM platforms such as Splunk.

    It was one of the first developer-centric software platforms to adopt microservices built on Podman and Docker, ensuring that development with containers (even in experimental pre-production environments) is safe and reliable. The many cases of broken Docker images attest to the company's conservative attitude in this area; for grateful users, this approach cross-validates expected container behaviour against actual deployments to flag anomalies that may indicate something harmful.

    The Qualys platform can scan every available asset, from cloud repositories (with built-in connections to popular hyperscale services) to individual endpoints operated by a single developer.

    To learn more about the Qualys DevOps security solution, read this article.

    Micro Focus

    The vast majority of applications that use some form of third-party open source software are built with existing toolchains that may have been embedded in business processes for a long time.

    Micro Focus Fortify gives enterprises the ability to retrofit security through the existing CI/CD stack, building more comprehensive security into every stage of the SDLC.

    Its software effectively removes the need to pause application development at critical moments for security scans; the process becomes continuous and uninterrupted, productivity rises sharply, and that in turn drives the ROI of new applications.

    The company focuses on three core tenets that affect security, perhaps best described as the three elements that need special attention to ensure a clean BOM: people, process and technology.

    As departments face mounting pressure to push updates, add features and bring new applications and services to market, Fortify can ensure a fast workflow while maintaining security.

    Click here to learn more about how Micro Focus Fortify helps enterprises keep their software supply chain secure.

    The post Avoiding the components that poison the open source supply chain appeared first on Tech Wire Asia.

    ]]>