I published a research paper[1] titled “Continuous Verification of Open Source Components in a World of Weak Links” available through IEEE.
The paper addresses security risks in open source software, noting that 99% of today’s software utilizes open source. Next-generation supply chain attacks have increased 430% in the last year. The work presents six continuous verification controls that enable organizations to make data-driven decisions and mitigate breaches. In one case study, the controls identified high levels of risk immediately even though the package in question is widely used and has over 7 million downloads a week.
Abstract:
We are heading for a perfect storm, making open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major implications for organizations. The widespread adoption of open source (99% of today’s software utilizes open source), the ease of today’s package managers, and the best practice of implementing continuous delivery for software projects provide an unprecedented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspices of a software patch. Downstream projects will ingest the compromised patch, and now those projects are potentially running the malicious code. The impact could be implementing backdoors, gathering intelligence, delivering malware, or denying a service. According to Sonatype, a leading commercial software security company, these next-generation supply chain attacks have increased 430% in the last year, and there is not a good way to vet or monitor an open-source project prior to incorporating the project. In this paper, we analyzed two case studies of compromised open source components. We propose six continuous verification controls that enable organizations to make data-driven decisions and mitigate breaches, such as analyzing community metrics and project hygiene using scorecards and monitoring the boundary of the software in production. In one case study, the controls identified high levels of risk immediately even though the package is widely used and has over 7 million downloads a week. In both case studies we found that the controls could have prevented malicious actions despite the project breaches.
I believe ARM processors will be the future for SaaS-based applications. My thoughts at DevArm.io[1]
Launched a new platform to give devs access to #ARM[2] hardware utilizing the #AWS[3] #Graviton[4] processors. Check out my notes to get started for free. Had my students try it for me tonight and it worked pretty well. https://t.co/M0h1gnBOTN[5]
— Tom Hastings (@tghastings) January 9, 2022[6]
Built my first multi-platform Docker project for students who are utilizing Apple’s M1 processor…
My 1st #multiplatform #Docker build. My students are starting to jump on the #M1 train w/ #Apple.
Three years ago, my advisor, Prof. Kristen Walcott[1], introduced me to an excellent software engineering curriculum that she was using and had used, in part, to stand up a software engineering course at UCCS (the first of its kind). The curriculum was developed at UC Berkeley by Prof. Armando Fox[2] and Prof. David Patterson[3] in partnership with EdX[4]. More than 20,000 students have earned certificates from these online courses since 2012, and more than 100,000 have completed parts of the course. Over the summer, I had the opportunity to collaborate with Dr. Fox and review/update the JavaScript chapter for the 2nd edition. Today, I received the new beta edition of the book in the mail. Thankful for the opportunity.
Students deserve the best education regardless of socioeconomic factors, and the pandemic has been widening the equity gaps. Last semester I found that many of my CS students relied heavily on school computers to do their assignments. I’ve spent the last two weeks working nights and weekends to build a platform that can run as a #SaaS or on-prem. Students will be able to dev using a web browser on a platform that scales using #Kubernetes. Teachers can create #dev #environments for their students with a few clicks, and schools can use their existing infrastructure (yes, even behind a firewall, as long as the nodes can reach the internet) with the self-hosted application.
Once again, I moved my blog to Ruby on Rails, but this time with a front-end written in React. I love it (minus the mass dependency list)! I still have a big place in my heart for Go, though, and VueJS.
Enjoying Microk8s, Docker, and the TICK Stack.
All the metrics. Monitoring #k8s[1], #docker[2], and #baremetal[3] using the #TICK[4] stack. Hosting #RocketChat[5], #GitLab[6], #Artifactory[7], #Nginx[8] (reverse proxy), & #Keycloak[9] (for SSO across all) in #Docker[10]. Spinning dev containers on-demand running #RoR[11] and #Cloud9[12] using #MicroK8s[13] & #MetalLB[14].
— Tom Hastings (@tghastings)
Today I defended my dissertation proposal at the University of Colorado at Colorado Springs[1], where I am a Ph.D. candidate in the Computer Science Department[2]. Below is a snippet from my abstract.
We are heading for a perfect storm, making open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major implications for organizational security postures. The widespread adoption of open source (99% of today’s software utilizes open source)[3], the ease of today’s package managers, and the best practice of implementing continuous delivery for software projects provide an unprecedented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspices of a software patch. Downstream projects will ingest the compromised patch, and now those projects are potentially running the malicious code. The impact could be implementing backdoors, gathering intelligence, delivering malware, denying a service, or destroying hardware, as we witnessed with Stuxnet[4]. These types of attacks show no sign of slowing down. According to Sonatype, a leading commercial software security company, these next-generation supply chain attacks have increased 430% in the last year[5].
My parents had been married for 30 years and 8 years ago my dad passed away. I encouraged my mom to get on social media so that we could keep up with each other. Before this, my mom hadn’t been interested in social media but signed up because I asked. My dad took care of the technical aspects of their lives. Growing up, my parents had always asked me not to talk to strangers, not to give out personal information in chatrooms, and never to meet anyone in person whom I had met online. I thought it sounded like good advice, and I didn’t think I’d have to give my mom the same advice almost 15 years later.
I’ve spent the last four years in graduate school and I’ve learned about some interesting tools for research and wanted to share. Many of these would have come in handy for my undergrad program as well.
- Zotero[1]
Zotero provides an easy way to manage bibliographies and includes easy export for Bibtex. It really is a great research assistant.
- Overleaf[2]
Overleaf is a great tool for working with LaTeX. It provides a web-based editor for individuals or teams to work on documents. Overleaf also provides export capabilities to GitHub for team collaboration.
- GitHub[3]
GitHub provides Git repositories for team collaboration. Microsoft just announced that GitHub will allow unlimited private repos for free.
- Student Developer Pack[4]
The Student Developer Pack from GitHub provides tons of goodies from companies like Amazon Web Services, Datadog, DigitalOcean, and others.
- Google Scholar[5]
Last but definitely not least… Google Scholar provides great resources for researchers. Everything from research papers to H-index and conference rankings. Google Scholar has it all.