Welcome to a curated list of handpicked free online resources related to IT, cloud, Big Data, programming languages and DevOps: fresh news and a community-maintained list of links, updated daily.

Cybersecurity meets automotive business

Tags: miscellaneous, infosec, robotics

The automotive industry is well known for its safety standards regarding the road safety of vehicles. All processes regarding vehicle development, from drawing board to sales, have been standardized and refined over the years. Both internal testing and globally renowned organizations like NHTSA or EuroNCAP work hard at making vehicles safe in all road conditions, for passengers and for other road users alike. By Adam Kozłowski and Marcin Wiśniewski.

Safety engineering is currently an important part of automotive engineering and safety standards, for example, ISO 26262 and IEC 61508. Techniques regarding safety assessment, like FTA (Fault Tree Analysis), or FMEA (Failure Mode and Effects Analysis) are also standardized and integrated into the vehicle development lifecycle.

But security is not limited to crash tests and driver safety. In parallel with the new ADAS systems, the connected-car concept, remote access and vehicle connectivity in general have moved forward. Secure access to the car no longer means only car keys, but also network access and defense against cybersecurity threats.

And the threat is real. 6 years ago, in 2015, two security researchers hacked a Jeep Cherokee driving at 70 mph on a highway, effectively disabling its brakes and changing the climate control and the infotainment screen display. The zero-day exploit that allowed this has since been fixed, but the incident immediately caught the public eye and changed the OEMs’ mindset from “minor, unrealistic possibility” to “very important topic”.

All of this resulted in the definition of a new standard, ISO 21434 Road vehicles — cybersecurity engineering. The work started last year and the standard is currently in the “Approval” phase, so we can quickly go through the most important topics it tackles.

The document also lists the best practices regarding cybersecurity design:

  • Principle of least privilege
  • Authentication and authorization
  • Audit
  • E2E security
  • Architectural Trust Levels
  • Segregation of interfaces
  • Protection of Maintainability during service
  • Testability during development (test interface) and operations
  • Security by default

The requirements do not end at the architectural and design level. They go as low as the hardware (identification of security-related elements, their documentation, and verification that they are safe, as they are potential entry points for attackers) and the source code, for which specific principles are also listed. Nice one!


Comparing the best web servers: Caddy, Apache, and Nginx

Tags: servers, devops, microservices, app-development, apache, nginx

A web server is a piece of software that accepts a network request from a user agent, typically a web browser, and returns either the appropriate response for the request or an error message. Two dominant solutions for HTTP servers today are Apache and Nginx. However, a new player in the space, Caddy Web Server, is gaining traction for its ease of use. By Ayooluwa Isaiah.

Nginx is currently being utilized on over 40 percent of the top 10,000 websites. When you consider that Cloudflare Server also utilizes Nginx under the hood for content delivery, the figure is even higher. Caddy is an open source web server platform designed to be simple, easy to use, and secure. Written in Go with zero dependencies, Caddy is easy to download and runs on almost every platform that Go compiles on. In terms of performance, Caddy has been shown to be competitive with Apache but behind Nginx both in terms of requests handled per second and stability under load.

The article then compares configuration and performance of Apache, Nginx and Caddy.

If your primary concern is performance, or you plan to serve a large amount of static content, Nginx is likely your best option. While Caddy is easy to configure and performant for most use cases, if you need flexibility and customization, Apache is your best bet. Easy read!


Using the Saga pattern in Microservice transactions

Tags: devops, software-architecture, microservices, app-development

Using the microservices architecture has many benefits, and it has become the norm for many large-scale applications. However, microservices also come with several challenges. One such challenge is handling transactions that span multiple services. By Chameera Dulanga.

Therefore, we need a centralized communication and coordination mechanism to ensure all the transactions are completed successfully, and that’s where the Saga pattern comes in.

So, in this article, the author discusses how we can overcome this by using the Saga pattern:

  • Why do we need the Saga pattern?
  • Introduction to Saga Pattern
  • What is Saga Execution Controller?
  • Implementing Saga Pattern
    • Orchestration-based Saga
    • Choreography-based Saga
  • Build with independent components, for speed and scale

In this article, the author discusses what the Saga pattern is and the different approaches to implementing it. The Saga pattern’s main advantage is that it maintains data consistency when transactions span multiple microservices. Good read!


How to cancel an HTTP request in Node.js

Tags: devops, nodejs, javascript, web-development, open-source, app-development

If you’re making an HTTP request in Node.js there’s a good chance you’ll want to cancel it if it takes too long to receive a response. Or perhaps you have a slightly more complex situation where you’re making multiple requests in parallel, and if one request fails you want to cancel all of them. By Simon Plenderleith.

Fortunately there’s a JavaScript API which gives us a standard way to cancel asynchronous tasks such as an in-flight HTTP request: the Abort API.

// Create a controller; its signal is handed to the task we may want to cancel.
const controller = new AbortController();
const signal = controller.signal;

// Any task holding the signal can listen for the "abort" event.
signal.addEventListener("abort", () => {
  console.log("The abort signal was triggered");
}, { once: true });

// Calling abort() fires the "abort" event on the signal and sets signal.aborted to true.
controller.abort();

The article then describes:

  • The Abort API
  • Cancelling an HTTP request with an AbortSignal
  • Support for cancelling HTTP requests
  • Libraries
  • Node.js core API methods

An interesting note from the author: I’m pretty sure we’re going to see a lot more of the Abort API as other libraries, as well as methods in Node.js core, add support for it. Good read!


What's wrong with business cases

Tags: cio, learning, management, miscellaneous

Older but still valid article by Jason Kitcat. Business cases are not a good way to make decisions. They give us false certainty and almost invariably mislead some or all of an organisation’s leadership.

Business cases are lies. Not wilful lies usually, but they end up with the same results: misleading, misinforming and hiding reality.

The ability to observe, orient, decide and act continuously is not the norm when business cases live among us. Let’s unpack our example:

  • The Requirements – The idea that we can capture all our requirements and then share them with suppliers to get answers is fantastical, and wrong.
  • The Cost – Software should not be a capital expenditure. It is a continuously changing, living thing that needs constant care and maintenance.
  • The Time – Building a bridge or a school? Then a fixed timeline (with padding for slippage) makes sense. Trying to change complex systems issues like integrating health and social care? Then a fixed time business case is the wrong tool for the job.

And the author notes: I understand that the ‘certainty’ and ‘process’ surrounding business cases can be comforting for colleagues. But we’re fooling ourselves; we need to be courageous and hold the uncertainty as we explore the problems we face in open, collaborative ways. How interesting!


Influencing ingress BGP routing using communities and local preference

Tags: infosec, servers, linux, devops, cio

Border Gateway Protocol (BGP) is an enormous protocol with a nearly endless list of features, knobs and capabilities. BGP’s mechanism for choosing the best path is complex but also well known. You should brush up on that algorithm if you’re out of practice. By Nicholas Russo.

The article covers the following topics:

  • Use the Multi Exit Discriminator (MED)
  • Use AS-path prepending
  • Use longest-match routing
  • Reference configurations

This blog explores a lesser-known but powerful traffic engineering technique using BGP communities and the local-preference value. You should have basic familiarity with BGP and IP routing in general to realize the most value from this blog. Good read!


SSH tunneling explained

Tags: infosec, servers, open-source, linux, app-development

In this post the author covers the different tunneling features supported by OpenSSH, which help achieve security use cases such as accessing a remote web service without exposing a port on the internet, accessing a server behind NAT, and exposing a local port to the internet. OpenSSH is the most widely used open-source SSH server. It comes pre-installed by default with the vast majority of Linux distributions. By Sakshyam Shah.

If you are looking for a modern open-source alternative to OpenSSH that is optimized for elastic multi-cloud environments and supports other access protocols in addition to SSH, make sure to check out Teleport.

The article then covers:

  • What is SSH tunnelling?
  • Local port forwarding
  • Dynamic port forwarding
  • SSH TUN/TAP tunneling
  • Bonus - SSH tunnel over TOR
  • Security concerns of SSH tunnelling

Figure: SSH remote port forwarding (source: https://goteleport.com/blog/ssh-tunneling-explained/)

Although the default behavior of an SSH server is to return a remote server’s shell over an encrypted channel, SSH supports sending and receiving binary data over SSH. Transporting arbitrary data streams over SSH sessions is also known as SSH tunneling. Very good!


The state of security operations: How SOCs changed in 2021

Tags: cio, learning, infosec, miscellaneous

Security operations has seen non-stop evolution and growth for many years, but the past 18 months have been particularly impactful for security operations teams. In addition to the drastic transformation brought on by the COVID-19 pandemic, there have also been some significant breaches that have shifted perspectives and highlighted some key areas of concern. By pwheiler.

The report is based on the experiences of 520 security operations executives, managers and decision makers from seven different countries across North America, Europe, Asia and Australia.

The report identifies the following major SOC challenges:

  • Monitoring security across a growing attack surface
  • Expanding workloads to cloud/hybrid environments
  • Pre-emptively detecting threats to reduce exposure

In addition to these challenges, the report found that 97% of organizations are reporting a need for additional skilled staff on their security operations teams, suggesting that the long-standing talent war in security operations has continued.

Overall, the current state of SecOps globally suggests a need for greater cyber resilience in the face of expanding attack surfaces, significant workforce transformation, ever-evolving threats and other drastic changes. Organizations should invest the necessary resources to identify gaps in their cybersecurity posture and evaluate their overall cyber resilience. Interesting read!


What I wish I knew when learning F#

Tags: learning, programming, web-development, app-development, code-refactoring

I’ve used F# a lot in the last 3 years and for quite some time I wanted to collect a few good starting points to venture into F# in one place. I also wanted to collect some of those random things that I felt weren’t easily available anywhere because they fall through the cracks of the official language reference and library documentation. By Justine Kavanaugh-Brown.

The article then describes:

  • Why would I want to use F#?
  • Why would I not want to use F#?
  • How am I supposed to be writing this?
  • Debugging and the REPL
  • The standard library
  • Code formatting
  • Packaging
  • Testing

Worth a special mention is the SAFE stack. This is a preconfigured template that sets up F# on the backend (using ASP.NET Core via either the straightforward Giraffe library or the more opinionated Saturn library) and on the frontend (using Fable 2 as of late 2020). The SAFE template can either be used in a barebones configuration or in a more opinionated, fully fledged version that comes with frontend and backend testing libraries, Bulma preselected as a style framework, a choice of type-safe automated communication between frontend and backend, and so forth. Good read for anybody who wants to learn F#!


Gavin Bierman explains pattern matching for switch, a Java 17 preview

Tags: jvm, java, web-development, app-development

Pattern matching for switch follows logically from pattern matching for instanceof, which was delivered as part of JDK 16. By Justine Kavanaugh-Brown.

A pattern is something you can test a value against. A value will either match a pattern or not match a pattern. If a value matches the specified pattern, the pattern variable is initialized with the value it matched.

The pattern itself can contain holes because you don’t want to specify all the details of every part of the value. So, sometimes a developer puts placeholders in certain places within the pattern. We use variables to represent those holes. We call them pattern variables, but they’re really just local variables.

Prior to JEP 406, switch had a very important design feature: It threw a null pointer exception if the value of the selector expression was null—without looking at any of the body of the switch block. Null simply wasn’t permitted as an option. Now that we’re enhancing switch to do pattern matching and more-complicated things coming in the future, forbidding null seems like an unsustainable design decision.

// Each case is a type pattern: if o matches, the pattern variable (i, l, d, s)
// is bound to the value with that type, so no separate cast is needed.
static String formatterPatternSwitch(Object o) {
    return switch (o) {
        case Integer i -> String.format("int %d", i);
        case Long l    -> String.format("long %d", l);
        case Double d  -> String.format("double %f", d);
        case String s  -> String.format("String %s", s);
        default        -> o.toString();
    };
}

This is the next step in pattern matching for Java, where patterns are not just solely asking about types but rather do more work by deconstructing the value for you. Good read!
