Software Change Management Starts – And Ends – With Security
August 30, 2021 Alan Brown
In science fiction, the problem with networked computers is that eventually they get smart. In the real world, and at least so far in the 21st century, the problem with networked computers is that the very act of networking them means that they can be hacked into, and then ransomware and other kinds of malware can wreak their havoc.
There is a lot to be said for open source software and the comfort that comes from having lots of eyes looking over the code for any potential weirdness. While we acknowledge that not all open source software is written by an “off duty trash collector,” the quality and security of open source software varies widely.
When you pick an open source tool or application to run on your systems, someone has to verify who designs and writes the source code and assess the maturity of the development process. This includes verifying whether security attack vectors are eliminated through better design, code reviews, and testing. Are these core values of the open source project? Do the programmers on the project take security awareness training classes? Can you even find out? With open source, you need to reckon with how long the volunteers have been with the project, how long they will stay, and what happens if they leave. The continuity of the quality of the programming and the attitude toward security is as important as an assessment at any given time. And then you have to ask yourself: How dependent is my organization going to be on software that could one day no longer be maintained?
(By the way, you have to ask the same questions about closed source code, if you want to be honest about it.)
The fact is, every open TCP port, every command line flag, and every library is a potential attack vector for a hacker, whether the software is closed source or open source.
To that end, PTC is dedicated to ensuring we are not the cause of some calamity as we hear about every other day on the news – ransomware, malware, and data thefts. We have security awareness training for all developers, and operational processes that encourage thinking about security and vulnerabilities at all stages of application development – architecture, design, coding, code reviews, and testing. This includes, but is not limited to, tracking all open source software that is used in our tools, watching for reported vulnerabilities, and proactively patching released software.
But watching for vulnerabilities is not the end. Source code is run through automated tools, and libraries picked up from the open source community are scanned. We track all open source code that the company uses, and have a team that analyzes each vulnerability report, compares it to what is in use, and determines which hot fixes and patches to apply as needed. Each build of Java code is scanned for vulnerabilities as part of the automated build process.
It is probably impossible to completely remove all vulnerabilities, but we take the possibilities seriously and make every effort within our power to be sure you are as safe using our software as we can humanly make it.
This is a key aspect of an upcoming release of PTC Implementer, which is a software change management (SCM) tool for the IBM i platform that can keep track of your libraries, environments, and objects throughout the development lifecycle and simplify the release process for your team. Combining the power and stability of the PTC Implementer solution for IBM i with the enterprise capabilities of the PTC Integrity global development solution is the right mix for organizations that have introduced cross platform development or are growing in size and complexity.
In the coming weeks, PTC is releasing Implementer v12.5, the latest version of this venerable SCM tool. PTC Implementer v12.5 has a variety of improvements to ease the stress of critical change management and development processes.
As the need for IBM i development grows, there is more risk at every step in the lifecycle – more projects, new and changing requirements, and an enhanced need for collaboration across the IT team from initial requests, development, test, and releases. To combat the risk at every step of the process, Implementer v12.5 has enhanced the security in the Implementer server. Importantly, third party Java libraries used in Implementer Server have been updated to recent secured versions. Also, the Tomcat server has been updated within Implementer Server to version 8.5.65.
Implementer v12.5 also includes RDi Enhancements. For example, RDi plugin open-source jar files have been updated to more recent versions with no reported vulnerabilities, and when browsing to select items to add to the Reject Wizard panel in RDi, the default list of items will only display items that are currently locked.
IBM i OS release 7.3 is required for Implementer v12.5, as 7.2 is no longer supported by IBM as of April 30, 2021. You can download the upgrade using Implementer Update. The latest version of Implementer Update can be found on the eSupport Portal. Additionally, the Release Notes and all documentation for Implementer v12.5 can also be found on the eSupport Portal, under the Browse Documentation button.
Alan Brown is director of software development at PTC.
This content was sponsored by PTC.