Re: Sys Ops SIG meets tomorrow, 10 AM EST (9 AM CST, 4 PM CET; 2 PM UTC) Drexl, Johannes (19 Jul 2019 09:37 EDT)

Hi everyone,
as Wayne and I had a small talk yesterday about the security of
the current software build chain in Folio, and today this topic was
covered in a hacker's blog in Germany, I've translated the article (with
Google's helping hand) and put it down here for everyone to read. Just
so you know: this is by no means a FOLIO problem, it's a common
software problem with every piece of software built with the current
understanding of 'agile' methods:

# Fefe's blog - https://blog.fefe.de/?ts=a3cf6498 >>>>> #
A DevSecOps propaganda wave is currently rolling across the country.
Let me make one thing clear: DevSecOps does not create secure software.
With DevSecOps, software is created that is too volatile, and where the
developers are too overloaded and distracted to even be able to make
statements about security.
The whole idea is ridiculous! Imagine somebody wanted to sell you a
safe. And it did not come about on the basis of planning by competent
experts and implementation according to plan, but was fumbled together
by a few "retrained" ("the actual training comes later, atm we have a
deadline") low-wage jobbers recruited from the web-botcher multimedia-
shithole environment. And they say: Yeah, we didn't have a plan, but
we've always done a nice job!!1! Would you trust such a safe with your
valuables? OF COURSE NOT!

I meanwhile hold the thesis that one should not talk about the
security of code; rather, the metric should be whether the security is not
only there but obviously measurable (i.e. not "nobody has reported bugs",
but you look at the code and see that it is obviously safe and secure).
That's one half. The other half is that you have a design that
minimizes the impact of bugs.

DevSecOps is marketing bullshit from people who want to tell you that
their dysfunctional multi-stakeholder team is somehow still able to
deliver good code, although none of them can cover the range of skills
attributed to the team, nor does the product have a thought-out design,
and even if there were any design rudiments they'd be thrown away and
rescheduled in the short term, if anyone feels it's necessary.

That's no way to get good products. That's exactly the way to get a Boeing
737 Max.

In other words, security is not something you retrofit. Not even in a
process that makes retrofitting as easy as possible. Security is
something that you think about beforehand.
# <<<<< Fefe's Blog #

About Fefe:
Felix von Leitner is a software engineer specialized in IT security and
a prominent yet polarizing figure in Germany's hacker scene. He's an
advocate against bloatware and antivirus software (he calls them
snake oil), as it opens quite a lot of security holes while only closing
some which could be entirely avoided with sensible permission
management. His blog is frequently cited by IT newspapers and covers IT
security, political content (mostly internet, domestic and economic)
and MINT (STEM) science topics. It runs on a self-developed small webserver
named gatling and on tinyldap, and only serves pure HTML. Fefe is also famous
for his dietlibc. Some people joke he's one of the few guys who munch
Linux kernel code for breakfast.
https://en.wikipedia.org/wiki/Felix_von_Leitner

That doesn't mean EBSCO does a shitty job. It just sheds light on the
state of currently developed software and the problems we as sysops
will have with that approach in the future (and for that matter already
have with quite a lot of stuff, e.g. MongoDB in AWS environments).
--
Best regards
Jo

--------------
Drexl Johannes

Leibniz-Rechenzentrum
der Bayerischen Akademie der Wissenschaften
Boltzmannstraße 1
85748 Garching

User secretariat tel.: 	089-35831-8000
Service desk tel.: 		089-35831-8800

On Thursday, 18.07.2019, 15:22 -0400, Ian Walls wrote:
> I've got to drop by the Community Outreach SIG tomorrow at the same
> time.... will check the notes and get caught up for next week's
> meeting.
>
> Cheers,
>
>
> Ian
>
> On Thu, Jul 18, 2019 at 1:52 PM Harry Kaplanian <hkaplanian@ebsco.com> wrote:
> > Hello everyone,
> > I will not be able to attend tomorrow's meeting.
> > Looking forward to talking to all of you next week.
> >  
> > Harry
> >  
> > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Ingolf Kuss <KUSS@hbz-nrw.de>
> > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > Date: Thursday, July 18, 2019 at 12:47 PM
> > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > Subject: Sys Ops SIG meets tomorrow, 10 AM EST (9 AM CST, 4 PM CET; 2 PM UTC)
> >  
> > Hi all,
> >  
> > we meet tomorrow at the regular time, 10 A.M. Eastern.
> >  
> > Let's prioritize topics for the next sessions. I have heard that
> > integration prerequisites need to be picked up by us in order to
> > influence development priorities. If you have any new requirements
> > for integrations for your institution, please consider reporting
> > them to the group tomorrow.
> >  
> > We will also follow up on the security issues.
> >  
> > Here is the agenda: https://wiki.folio.org/display/SYSOPS/2019-07-19+-+System+Operations+and+Management+SIG+Agenda+and+Notes
> >  
> > I hope to meet you tomorrow,
> >  
> > Ingolf
> >  
> >  
> > ----------------------------
> >  
> > Here are as usual the connection details:
> > Meetings are held on Fridays at 10:00am Eastern U.S. time. A
> > Meeting will last 1 hour.
> > Please join us via Zoom:
> > Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/591934220
> > Or iPhone one-tap (US Toll): +16465588656,591934220# or
> > +14086380968,591934220#
> > Or Telephone:
> > Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
> > Meeting ID: 591 934 220
> > International numbers available: https://zoom.us/zoomconference?m=Uz8gOxV-yqHRNcWlZKa4trK_0dP7WPfp
> >  
> >
> >
> > Dr. Ingolf Kuss
> > hbz - Hochschulbibliothekszentrum NRW
> > Postfach 270451
> > 50510 Köln
> > Germany
> > Tel.: (+49) (0) 221 400 75-161
> > e-mail: kuss@hbz-nrw.de
> > www.hbz-nrw.de
> > ------------------------------------------
> >  
> >  
> > ------------------------------------------------------
> > You received this message because you are subscribed to OLE Mailing
> > List
> > "sysops-sig".
> > To unsubscribe from this list and stop receiving emails from it,
> > follow
> > this link: http://archives.simplelists.com.
> > To post to this group, send email to
> > sysops-sig@ole-lists.openlibraryfoundation.org
> > <mailto:sysops-sig@ole-lists.openlibraryfoundation.org>.
> > Visit this group at
> > https://ole-lists.openlibraryfoundation.org.
> >
>
>
> -- 
> Ian Walls
> FOLIO Implementation Lead
> ByWater Solutions
> Phone: (888) 900-8944
> pronouns: (he/him/his)
> timezone: Eastern
>
> 