Expanding Red Hat's Product Security Efforts

nospam@example.com (Josh Bressers) — Mon, 21 Nov 2011 07:17:00 -0500

I'm rather excited to announce an expansion of Red Hat's product security efforts. I've been tasked with creating a team inside Red Hat to formalize our product security work. There is already a lot of really good work happening inside Red Hat in the security space. Technologies such as SELinux, ExecShield, secure development principals, and hardening in the toolchain have come a long way. However as happens with all decent sized companies, the left hand doesn't always know what the right hand is doing. Rather than letting good work go unnoticed, we're going to start formalizing some of these efforts to leverage what's being done, expand existing efforts into other product areas, and develop new programs.

Some additional efforts I would like to further are areas such as secure design principals, developer security training initiatives, secure coding practices, and security testing.

If you're interested in being a part of this effort, I have a number of open positions scattered around the world, feel free to apply directly or contact me if you have any questions. I'm quite happy to discuss location, so don't let that scare you off.

Please note these positions are no longer open. If you want to view open positions, please visit
http://careers.redhat.com

Software Engineer - Security Best Practices Development
Software Engineer - Tool Development
Software Engineer - New Security Technologies Development
Software Engineer - Code Audit Development
Developer Training

I don't expect any of this to be easy, but nothing worth doing is ever easy. I expect many challenges and rewards to come from this. Red Hat is in a unique and great position to take on such a task. Stay tuned for more updates.

Why should we pay attention to Google Wave?

nospam@example.com (Josh Bressers) — Fri, 06 Aug 2010 08:00:00 -0400

As most people have likely heard, Google Wave is going away. I never really understood Wave myself, but the story here is that it will vanish, and there is nothing you can do about it. Up until this whole explosion of "cloud computing", if a vendor killed a product or went out of business, you still had your product. It probably came in a box, with some floppies and a manual nobody read. You could keep running your application pretty much as long as your operating system let you. There would of course be various support issues to deal with, but if you're clever, you could get by.

The cloud changes this. Google has decided that Wave isn't the future, so it's going to go away. If you like Wave and think it's great, you're out of luck. You can't keep running it, Google says it goes, so it's gone. This is sort of scary. Welcome to vendor lock in 2.0.

This is probably going to happen to other things. I'm not sure which ones, but if you think things like Twitter, Facebook, and Gmail are never going to change, you are sadly mistaken.

This is where it's quite easy to add a positive note for the open source concept. One of the single biggest advantages to open source is getting to control your own destiny. You can help add features, fix bugs, keep features you like. Even if all you ever do is run the application, you don't have to worry about it going away. If you have the source code, you (or some other clever person) can make it run.

But it's the future, and all cloudy and magic, open source doesn't work with this new paradigm!
If you have a hard time "thinking outside the box" where I really mean, wet paper bag, then this is might be a true statement. When you're dealing with open source in a services like atmosphere, you get an added goal of playing nicely with others, and getting to control your data. Identi.ca is a good example of Twitter done right. Look at how XMPP is designed; it's a real distributed instant messaging platform. Unfortunately these services have a huge uphill fight as the money is in keeping users trapped on one service. Many people have never even heard of these things.

Consider things like email and the web. They still exist because they are public standards anyone can use to communicate with anyone else. There is no vendor control. The power is in the two endpoints, not the machines in the middle. Anytime you try to make the middle bits more important than the endpoints, you eventually fail. It can take a while, but it will always happen.

The problem with Wave was that the emphasis was put on Wave, not the users. Wave was really just the string between the tin cans, except it's not my string, it was painted bright orange, and the owner came to take it back. Now all I have are two tin cans. Luckily there's plenty of string.

Josh's Blog - Open Source

Expanding Red Hat's Product Security Efforts

Why should we pay attention to Google Wave?