Content Developer II at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

GitHub’s 2FA Push Boosts Adoption among Developers


GitHub is on a mission to help secure millions of developers through its mandatory two-factor authentication (2FA) policy.

Through the company’s initiative to make the software ecosystem more secure, GitHub has dramatically increased 2FA adoption among code contributors, with a 95% opt-in rate and a 54% increase in overall adoption among active contributors.

Significance of GitHub

GitHub, which hosts a significant portion of the world’s open source software, is an important link in securing the global software supply chain, said Janet Worthington, an analyst at Forrester.

“Implementing mandatory two-factor authentication is a crucial measure to prevent the hijacking of developer user accounts by malicious actors, thereby safeguarding the open source software on which we all depend,” she told The New Stack.

A little more than a year ago, in March 2023, GitHub began officially rolling out the initiative, first announced in 2022, to require all developers who contribute code on GitHub.com to enable one or more forms of 2FA by the end of 2023.

“Because strong multi-factor authentication remains one of the best defenses against account takeover and subsequent supply chain compromise, we set an ambitious goal to require users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023,” wrote Michael Hanley, Chief Security Officer and SVP of Engineering at GitHub, in a blog post.

GitHub then invested a year of research and design around the implementation of these requirements, followed by the gradual rollout of user onboarding.

Findings

In retrospect, Hanley said GitHub saw:

  • Dramatic increase in 2FA adoption on GitHub.com focused on users who have the most critical impact on the software supply chain.
  • Users adopting more secure means of 2FA, including passkeys.
  • Net reduction in 2FA-related support ticket volume, something we credit to heavy up-front user research and design as well as Support process improvements.
  • Other organizations like RubyGems, PyPI, and AWS join us in raising the bar for the entire software supply chain, proving that large increases in 2FA adoption aren’t an insurmountable challenge.

Moreover, nearly 1.4 million passkeys, a more secure form of 2FA, have been registered on GitHub.com since their introduction in July 2023.

In addition, GitHub has reduced the share of SMS as a second factor by almost 23% and made it 47% more likely for users to configure two or more forms of 2FA.

Also, due to significant investments in user experience and design, GitHub saw a one-third reduction in 2FA-related support tickets and a 54% reduction in 2FA account recovery tickets requiring human intervention.

Measuring Effectiveness

David Vance, an analyst at Enterprise Strategy Group, said while he applauds GitHub for its mandatory enforcement of 2FA last year – which he characterized as “needed and long overdue” — measuring the initiative’s effectiveness is not so simple.

“Anecdotally, you only know if a security control is effective by observing a lack of related incidents (unless the control has a way to measure successful and unsuccessful attempts),” Vance said. “Did GitHub have a decrease in account hacking/unauthorized authentication attempts after implementing mandatory 2FA? I honestly don’t know but would like to think (hope) they did.”

Vance noted that GitHub has experienced token leaks over the past year.

“While I think their mandatory enforcement of 2FA was a step in the right direction, I firmly believe they didn’t go far enough,” he told The New Stack. “I think GitHub still has a lot of work to do in terms of security authentication and enforcement. They should increase their usage of 2FA to multifactor authentication using geo-location and/or additional forms of authentication to mitigate incidents such as lost/stolen tokens, keys and certificates. The banks I use online have this capability, so why shouldn’t GitHub?”

However, “GitHub’s campaign has been effective, as evidenced by their reporting of a high opt-in rate for 2FA, and more importantly, the use of passkeys as the second factor, which is more challenging for attackers to circumvent,” Forrester’s Worthington said. “Most organizations utilize open source to power applications and digital experiences and therefore have an obligation to give back to the open source community, by committing developer time, finding and fixing security flaws and making financial contributions to open source projects and communities such as the Apache Foundation, Cloud Native Computing Foundation, or the Linux Foundation.”

Moving forward, GitHub plans to continue expanding 2FA requirements to more users, improve the user experience, and encourage the adoption of more secure factors like passkeys. The company urges other organizations to join their efforts in securing the software ecosystem by implementing similar 2FA requirements on their platforms.

The post GitHub’s 2FA Push Boosts Adoption among Developers appeared first on The New Stack.

Read the whole story
alvinashcraft
2 hours ago
West Grove, PA

GraphQL Growth Explodes but so Do Problems Federated Graphs Solve


GraphQL is a query language that lets clients request exactly the data they need from a server, specifying the shape of the response more precisely than other API styles allow. A federated GraphQL platform lets independently maintained sub-schemas (subgraphs) be developed in a decoupled way yet queried through a single GraphQL API. Both are already popular and, by Gartner’s forecast, will become much more so.

Statistics recently released in a Gartner report predict that by 2027 more than 60% of enterprises will use GraphQL in production, up from less than 30% in 2024, and that 30% of enterprises using GraphQL will use GraphQL federation, up from less than 5% in 2024.

So, according to Gartner, federated GraphQL adoption will grow roughly sixfold (from under 5% to 30%) over the next three years, while GraphQL adoption itself will “only” double.

Why?

Because federated GraphQL solves a major problem: so-called GraphQL sprawl, which occurs when numerous GraphQL and other APIs proliferate throughout an organization without coordination.

Gartner’s statistics highlight the effectiveness of GraphQL as a clever and reliable way to query data through an API. A problem arises, however, when teams within an enterprise stand up their own GraphQL or other APIs in parallel, each for legitimate purposes, producing the unwieldiness that sprawl causes. Before delving further, let’s establish clear definitions for GraphQL and for a federated GraphQL platform.

Gartner defines GraphQL thusly:

“GraphQL is an open specification for implementing APIs, which allows consumers to specify the content they request from a service. It provides developers with a type system to define data and a server-side engine for querying specific data elements they need. The specification also provides a query language for API consumers to define queries and mutations to update, and subscriptions to request notifications of changed data.”

Federated and Less Sprawl

Returning to GraphQL sprawl, federated GraphQL offers a solution by consolidating disparate instances. Take Netflix, for example: after adopting GraphQL, it found numerous instances scattered across its infrastructure, alongside other API types such as gRPC and REST. An initial attempt to centralize GraphQL in a single API, a monolith, proved restrictive. The federated GraphQL gateway provided by Apollo addressed that challenge.

As Geoff Schmidt, CEO and co-founder of Apollo GraphQL, explained to me during KubeCon + CloudNativeCon, GraphQL, like SQL, is a query language and specification rather than a specific piece of software. While there are implementations of GraphQL, such as Apollo Federation, GraphQL itself is a standard that defines how clients can request data from servers, Schmidt said. It’s akin to how SQL is a language used to interact with databases, but various database management systems, such as PostgreSQL or MySQL, implement SQL. So, GraphQL can be implemented by different platforms and frameworks, but it’s not a standalone software project in the same sense as a database management system, he said.

“The adoption of GraphQL, especially with the concept of GraphQL federation, has helped streamline data access across various microservices within enterprises, promoting self-service platforms and API efficiency,” Schmidt said.

A lot of misunderstanding exists, not only about what federated GraphQL is but also about what GraphQL itself is at its source. Much of it comes from treating GraphQL as a software product. It is often reported that Facebook open-sourced GraphQL, but what was published is an open specification; GraphQL is not a single open source software project in the way a database engine is, even though open source implementations of the specification exist.

At the same time, GraphQL does not compete with or replace REST APIs; the two can be used together. GraphQL’s schema definition language can be combined with REST in a few ways. For example, a federated GraphQL layer can abstract existing REST endpoints and expose them as one subgraph within the federated schema.

This architecture is often called a supergraph or a federated graph, a concept Apollo introduced in 2019. It creates an abstraction layer that can replace most Backend-for-Frontend (BFF) APIs or experience APIs.
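To make the supergraph idea concrete, here is an added example, written for this page rather than taken from the article or from Apollo’s documentation. It shows two subgraphs in Apollo Federation 2 syntax, one fronting an assumed REST catalogue service and one owning review data, that compose into a single graph a client can query in one request. The entity, field and route names are constructed for illustration.

```graphql
# Added example, not from the article. Two subgraph schemas (normally two
# separate files) that a federation router composes into one supergraph.
# All type, field and REST route names are constructed for illustration.

# ---- products.graphql: owner of the Product entity ----
extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.0", import: ["@key"])

type Product @key(fields: "id") {
  id: ID!
  name: String!
  priceCents: Int!
}

type Query {
  # Resolver wraps the existing REST endpoint GET /catalog/products/{id}
  # (assumed route); REST keeps running behind the graph.
  product(id: ID!): Product
}

# ---- reviews.graphql: contributes a field to Product without owning it ----
extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.0", import: ["@key"])

type Review {
  id: ID!
  rating: Int!
  body: String
}

# Same @key means "the same entity"; the router passes the id in and this
# subgraph resolves only the fields it declares.
type Product @key(fields: "id") {
  id: ID!
  reviews: [Review!]!
}

# ---- one client query against the composed supergraph ----
# query ProductPage($id: ID!) {
#   product(id: $id) {
#     name
#     priceCents
#     reviews { rating body }
#   }
# }
```

The router plans the client query as two fetches: `product` from the products subgraph, then a lookup in the reviews subgraph keyed by the returned `id`. Neither subgraph needs to know the other exists, which is what removes the hand-written BFF. One caveat for reviewers: federation composes schemas, not authorization. A field reachable through the graph is reachable by any client the router admits, so each subgraph (or the router) must still enforce the access checks the original REST routes had.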

As Schmidt explained: “There’s a distinction to be made. GraphQL isn’t akin to a piece of software like SQL; instead, it functions as a feature or language. SQL, in contrast, operates as a standard means of querying databases, with various SQL databases such as Postgres being tangible software entities. It’s essential to understand that GraphQL, much like SQL, serves as a method of querying data rather than a standalone software product.”

Regarding GraphQL’s inception, Schmidt likened Facebook’s publication of the GraphQL specification to IBM’s release of SQL in an academic paper. “Despite this, the adoption of GraphQL soared, especially with the concept of GraphQL federation gaining traction. This approach emphasizes the need to integrate disparate microservices seamlessly, promoting a self-service platform within enterprises,” Schmidt said. “The essence lies in creating an API platform that optimizes API usage, countering the prevalent issue of disjointed APIs plaguing many organizations.”

What alternatives do people have apart from manually piecing these together? “Well, they end up writing extensive code,” Schmidt said. “It could be termed an experience API, integration API or a Backend for Frontend.” Regardless of the label, the process typically involves crafting a Java, .NET or Node.js service, custom-built to sit between clients and backends, Schmidt said. It receives API requests from the client, calls numerous backend services, consolidates the data and returns it, acting as an API-to-API proxy or integration layer. “This approach consumes an increasing amount of enterprise resources and often results in a multitude of disjointed solutions, each addressing only part of the problem,” Schmidt said.

Consequently, disillusionment sets in as the complexity grows exponentially. As an analyst aptly put it, this process resembles a continuous mess spiraling out of control. However, there’s hope. “I recently heard a customer remark that adopting GraphQL transformed their situation from spaghetti code to well-structured layers, likening it to moving from spaghetti to lasagna — a significant improvement,” Schmidt said.

Apollo has emerged as a leader thanks to its pioneering work in developing Apollo Federation, “the premier federated GraphQL platform,” Schmidt said. “While others attempt to replicate our success, creating a viable federated GraphQL solution is no easy feat. It necessitates a robust query planner and significant investment, akin to the challenges faced by Oracle in establishing SQL as the standard. Such endeavors require substantial resources and are beyond the scope of small or medium-sized teams’ funding to complete.”

It’s not really something you can do as a 20-person team or even a 100-person team, Schmidt noted, nor something you can do as an extracurricular while also trying to serve other API use cases.

The post GraphQL Growth Explodes but so Do Problems Federated Graphs Solve appeared first on The New Stack.


GitHub Actions, Arm64, and the future of automotive software development


Automotive software development moves to the cloud

We are at an inflection point for automotive embedded development to move to the cloud. In an era where software has not just eaten the world but is continuously redefining it through AI, the cloud emerges not just as a platform but as the foundational fabric for software engineering. With AI’s increasing demand for computational power driving unprecedented changes in silicon, both at the edge and in the cloud, the need for agile, scalable, and continuously optimized development environments has never been more critical. As the home of the world’s developers, GitHub is the platform to build the next generation of automotive and embedded development environments in the cloud.

Traditional embedded development challenges

Improving the developer experience is at the heart of what GitHub does. We’re dedicated to making coding as smooth as possible by reducing unnecessary complexity. The traditional process for developers working with embedded systems has plenty of friction to remove. Historically, software development has been very hardware-dependent with developers maintaining some combination of test hardware connected to their development machines or an in-house testing farm. There weren’t many alternatives because so much was proprietary.

In recent years, a series of technical advancements have significantly influenced the foundational architectures within the field. Despite these changes, many traditional methods and operational processes remain in use. Key developments include the adoption of more powerful multipurpose processors, the establishment of open standards for the lower-level software stack such as SOAFEE.io for cloud native architecture at the edge, and the increased reliance on open-source resources, facilitating reuse across different domains. These innovations have provided developers with the opportunity to fundamentally rethink their approaches to development, enabling more efficient and flexible strategies.

As the rate of these technical trends and foundational change increases, teams are finding it increasingly difficult to deliver application commitments without significant cost of maintaining these in-house development and test environments.

See how Scalable Open Architecture For Embedded Edge (SOAFEE), an industry-led collaboration between companies across the automotive and technology sectors, is working to radically simplify vehicle software solutions.

Virtualization for embedded and automotive development

While virtualization has become a cornerstone of enterprise development, its integration into embedded systems has proceeded at a more cautious pace. The complexities inherent in embedded systems—spanning a vast array of processors, operating systems, and specialized software—pose unique challenges not encountered in the more homogeneous environments of data centers and IT networks. Embedded systems require a nuanced approach to virtualization that goes beyond simply accommodating mainstream operating systems like Windows and Linux on standard Intel architectures.

In a significant development that reflects the evolving landscape of embedded systems, in March 2024 Arm unveiled its new Automotive Enhanced (AE) processors. These processors are designed to boost AI capabilities within the automotive sector while preserving ISA (Instruction Set Architecture) compatibility. That compatibility is what lets developers build software in the cloud and move it to the edge, such as into vehicles, without extensive reconfiguration or modification, accelerating time-to-market for new applications and bridging the gap between cloud development environments and the nuanced world of embedded systems.

This transition exemplifies how advancements in processor technology and virtualization are converging to address the unique challenges of embedded development, paving the way for more integrated and efficient systems across industries. Developers will be able to write, build and test code in the cloud and then run their applications in virtualized environments with digital twins that mirror their processor targets, even before those targets have shipped in silicon.

Cloud-based continuous integration platform

Continuous integration (CI), a cornerstone of agile methodologies for over two decades, automates the build, test, and deployment processes. This automation accelerates feedback loops, enabling timely verification that the software meets the intended requirements. It also minimizes integration risks and enhances the early detection of defects and security vulnerabilities. While surveys indicate that many embedded development teams have adopted CI as a practice, managing the development environments across multiple hardware configurations and deployment targets is costly and complex.

Implementing CI/CD in a cloud environment leverages the well-established advantages of cloud computing for embedded engineering teams, significantly enhancing their ability to deliver high-quality products within tight market timelines.

  • Enhanced Scalability. Cloud-based CI allows teams to dynamically allocate resources and optimize compute spend. Teams can execute workloads in parallel in order to support multiple hardware and software configurations simultaneously. Developers can also participate across geographic regions or even across organizational boundaries within the supply chain.
  • Reduced Complexity. Standardizing on cloud-based CI reduces environment setup and tear down times and promotes consistency. Workflows can easily be shared across teams.
  • Improved Quality. When compute resources are too constrained or the CI environment is brittle to manage, teams tend to optimize locally, testing only a narrow slice of the system. Reducing that friction and closing the end-to-end feedback loop more often improves quality.

To deliver cloud-based embedded developer environments for design and build time that feed into the virtualized and simulated runtime targets, GitHub needed to update its infrastructure. In October 2023, GitHub announced native Arm64 support for its hosted CI/CD workflow engine, GitHub Actions. Supporting this platform matters because Arm’s family of processor designs is central to many uses in the embedded and automotive world.
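As an added example of what the parallel, multi-configuration CI described above looks like in practice (this workflow is written for this page and is not from GitHub’s post), the following GitHub Actions workflow builds and tests the same code natively on an x86-64 runner and an Arm64 runner, with the token scoped to read-only. The Arm runner label, the Makefile targets and the output directory are assumptions; substitute whatever your Arm-hosted runners and build use.

```yaml
# Added example, not from GitHub's post. Runner label for Arm64, the Makefile
# targets and the build/ directory are assumptions.
name: multi-arch-build

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the job's GITHUB_TOKEN: building and testing only needs
# to read the repository. Widen per job, never globally.
permissions:
  contents: read

# Cancel superseded runs of the same ref instead of paying for both.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    strategy:
      fail-fast: false            # keep the other architecture's result if one fails
      matrix:
        include:
          - arch: x64
            runner: ubuntu-22.04
          - arch: arm64
            runner: ubuntu-22.04-arm   # assumed label for a GitHub Arm64 hosted runner
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 30
    steps:
      # In production pin third-party actions to a full commit SHA, not a tag.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config for later steps

      - name: Confirm the runner architecture matches the matrix entry
        run: |
          echo "uname -m: $(uname -m)"
          case "${{ matrix.arch }}:$(uname -m)" in
            x64:x86_64|arm64:aarch64) ;;
            *) echo "runner architecture does not match matrix.arch" >&2; exit 1 ;;
          esac

      - name: Build and run unit tests natively (no cross-compile, no QEMU)
        run: make all test          # assumed Makefile targets

      - name: Keep the per-architecture artifact
        uses: actions/upload-artifact@v4
        with:
          name: firmware-${{ matrix.arch }}
          path: build/               # assumed output directory
          if-no-files-found: error
```

The architecture check guards against a mislabelled or misconfigured runner silently running the Arm job on x86-64, which would make the matrix look green while never exercising the target ISA. `persist-credentials: false` and the read-only `permissions` block are the two settings most often missed when a workflow is copied from a template; both limit what a compromised build step or dependency can do with the job token.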

This promises to free embedded developers from being tied to the desktop. By moving jobs to the cloud, development teams will be able to focus more on coding time and less on infrastructure management. We also recently announced the public beta of GPU hosted runners that will enable teams building machine learning models to do complete application testing, including the ML components within GitHub Actions.

Conclusion

The convergence of cloud technologies, advanced virtualization, and cutting-edge processor innovations represents a transformative shift in automotive software development. To further advance and support these transformations across the industry, GitHub has recently joined SOAFEE.io, as well as maintaining our membership in the Connected Vehicle Systems Alliance (COVESA) and supporting Microsoft’s commitment to the Eclipse Software Defined Vehicle project.

GitHub Enterprise Cloud, along with Arm’s latest AE processors, heralds a new era where development and testing transcend traditional boundaries, leveraging the cloud’s vast resources for more efficient, scalable, and flexible software creation. This paradigm shift towards cloud-based development and virtualized testing environments not only addresses the complexities and limitations of embedded system design but also dramatically reduces the overhead associated with physical hardware dependencies. By enabling developers to seamlessly transition applications from the cloud to the edge without extensive rework, the automotive industry stands on the brink of a significant acceleration in innovation and time-to-market for new technologies.

GitHub’s introduction of native Arm64 support and the public beta of GPU hosted runners on its CI/CD platform, GitHub Actions, further underscores this transition. These advancements ensure that the embedded and automotive development communities can fully harness the cloud’s potential, facilitating a shift from local, hardware-constrained development processes to a more agile, cloud-centric approach. As a result, developers can focus more on innovation and less on the intricacies of hardware management, propelling the automotive sector into a future where software development is more integrated, dynamic, and responsive to the rapidly evolving demands of technology and consumers. This transition not only signifies a leap forward in how automotive software is developed but also reflects a broader trend towards the cloud as the backbone of modern software engineering across industries.

Learn more about GitHub-hosted runners and look for the public beta for Arm-hosted runners coming later this year.

The post GitHub Actions, Arm64, and the future of automotive software development appeared first on The GitHub Blog.


The Enthusiastic Product Owner, and How it Affects Agile Team Performance | Paul Jarvis


Paul Jarvis: The Enthusiastic Product Owner, and How it Affects Agile Team Performance

Read the full Show Notes and search through the world’s largest audio library on Scrum directly on the Scrum Master Toolbox Podcast website: http://bit.ly/SMTP_ShowNotes.

The Great Product Owner: The Enthusiastic Product Owner, and How it Affects Agile Team Performance

Celebrating a Product Owner who embodies enthusiasm for the product and excellent team collaboration, Paul outlines the essential qualities of an outstanding PO. This episode provides insights into building mutual trust between the team and the PO, emphasizing the PO's role as a part of the team and the importance of collective effort in refining and executing product vision.

The Bad Product Owner: The Isolated Product Owner Anti-pattern

Paul shares a cautionary tale of a Product Owner who, despite being good at their job, fell into the trap of working in isolation from the team. This episode explores the detrimental effects of isolation on the Agile process and offers tips on how Product Owners can foster collaboration and harness the collective power of their teams to unlock Agile's full potential.


Are you having trouble helping the team work well with their Product Owner? We’ve put together a course to help you work on team and Product Owner collaboration. You can find it at bit.ly/coachyourpo: 18 modules, 8+ hours of material with tools and techniques that you can use to help teams and POs collaborate.


About Paul Jarvis

Paul is a seasoned Enterprise Lean Agile Coach, Trainer, RTE, and Scrum Master with a decade of experience in the FinTech sector, focusing on banking, payments, and e-commerce. Recently, he completed a 3.5-year tenure at a key player in investment banking.

You can link with Paul Jarvis on LinkedIn and connect with Paul Jarvis on Twitter.





Download audio: https://traffic.libsyn.com/secure/scrummastertoolbox/20240426_Paul_Jarvis_F.mp3?dest-id=246429

Maximizing App Security with Apiiro - DevOps 198

Yonatan Eldar is the Co-Founder and CTO at Apiiro. He and the hosts discuss the evolution of application security strategies, the importance of using the right tools for the job, and the significance of prioritizing and contextualizing security issues for developers. They touch on various aspects of security, including potential vulnerabilities in code, understanding attack vectors, and managing the inventory of software and services for security. They also discuss the importance of marketing and educating teams about security, and the malicious tactics that can follow in the aftermath of security incidents.


Become a supporter of this podcast: https://www.spreaker.com/podcast/adventures-in-devops--6102036/support.



Download audio: https://dts.podtrac.com/redirect.mp3/api.spreaker.com/download/episode/59658284/devops_198.mp3

From Learning New Languages to Learning New Technologies - JSJ 629

Tony Alicea is a Udemy and Pluralsight instructor. He and the hosts delve into the crucial topic of understanding and mastering technology, featuring insightful discussions and experiences from our speakers. From the shift in focus from technical problems to effective communication and marketing, to the significance of deeply understanding a system rather than just focusing on coding, they provide valuable perspectives on building strong foundations, navigating challenges, and staying current in the ever-evolving tech landscape. They also touch on the importance of curiosity, learning by doing, and the potential impact of AI-generated code. Join them as they explore the nuances of learning and understanding technology in this engaging and thought-provoking episode.

Become a supporter of this podcast: https://www.spreaker.com/podcast/javascript-jabber--6102064/support.



Download audio: https://dts.podtrac.com/redirect.mp3/api.spreaker.com/download/episode/59657556/jsj_629.mp3