DEV Community: dcrane604

Our Software Supply Chain Security Survey Is Back. See How You Stack Up!

dcrane604 — Tue, 06 Jun 2023 22:32:05 +0000

It’s back! In 2021 we asked you to help us assess the state of software supply chain security, and we would love it if you could help us do it again by joining our 2-minute/10-question 2023 survey:

Take the 2023 Software Supply Chain Security Survey

This time around we’ve changed a few questions and added one more to focus on emerging threats and new solutions. At the end of the survey, you’ll be given a score that reflects how far along the journey your organization is toward creating a secure software supply chain.

Thanks in advance for your help!

If you want to understand how things have changed since our last survey, read on.

The Problems with Securing the Software Supply Chain

Two years ago, ActiveState took the barometer of where more than 1500 companies of every shape and size around the globe stood when it came to implementing software supply chain security.

Unfortunately, the results were not encouraging.

Of course, back then, the concept of supply chain security was little known. It was primarily exemplified by the Solarwinds hack, which effectively undermined the trust in signed software and kicked off a tidal wave of copycats. The result has been >740% increase in software supply chain attacks over the past three years.

Nowadays, the term “software supply chain security” is more of a buzzword. Thanks to President Biden’s Executive Order 14028, US government supplier requirements, and worldwide pending software supply chain legislation, more and more software vendors have become aware of the need to address weaknesses in their software supply chain.

Unfortunately, that awareness has not extended to those that matter the most: open source software maintainers. According to a recent survey by Tidelift, less than half of all maintainers have even heard of (let alone plan to implement) software supply chain security standards:

Maintainer Awareness

That’s the good guys. The bad guys are continuing to try and take advantage of supply chain weaknesses to the degree that this past week the Python Package Index (PyPI) was forced to suspend the creation of new projects:

PyPI suspends new projects
And as SAP has highlighted, the vectors of attack used by bad actors just keep expanding:

The attack tree shown above organizes attacks and techniques that inject malicious code into open-source software projects, starting from abstract, top-level goals and drilling down to known/ attack techniques.

Software Supply Chain Security in 2023

All of which leads us back to the purpose of this post: to understand where the industry now stands with respect to securing their software supply chain.

The good news is that in 2023, there are a number of market drivers that have recently been gaining strength. For example:

SLSA – the security framework known as “Secure Levels for Supply chain Artifacts” or SLSA has reached version 1.0, providing organizations with a roadmap to help them implement supply chain security for the software artifacts they import and build.

SBOMs – Software Bill Of Materials (SBOMs) seem to be everywhere nowadays. Multiple vendors of traditional AppSec software have embraced SBOMs, and now offer it as part of their solution. This is an important step, because these vendors have a large install base of organizations that have adopted traditional Secure Software Development Frameworks (SSDFs), and are now looking to identify and repair weaknesses in their software supply chain.

Provenance – software attestations are a new concept that can help organizations understand the security and integrity (and thus the risk) of the artifacts they import, such as open source software. While attestation specifications (such as in-toto) are also still very new, a number of vendors are already generating attestations, including:

Given all these initiatives, as well as the continued rise in supply chain attacks – for better or worse – there really is nowhere to hide from software supply chain security these days.

Customer Support Chatbots: Easier & More Effective Than You Think

dcrane604 — Mon, 29 Jul 2019 21:25:30 +0000

At the end of this post, you'll be able to use Python to create your own chatbot with just a few commands. But first, you might want to understand why customer service chatbots are so hot right now.

Opinions are divided over the corporate use of chatbots: surprisingly, most people seem to love them (see below), while others find them annoying. What’s not up for debate is the cost savings and 24×7 customer service chatbots enable.

Some key points to consider:

The top benefits of chatbots are 24/7 service, instant responses, and answers to simple questions.
63% of people prefer online bots to interacting with a company’s human resources.
Chatbots will power 85% of customer service by 2020.
Chatbots are expected to cut business costs by $8 billion by 2022.

While the Machine Learning (ML) technology on which chatbots are based has come a long way, it can’t yet fully replicate natural language comprehension. But there are still many potential applications for chatbots where complete comprehension is not required. It’s becoming commonplace to pay a bill, check an account balance or, as shown in figure 1, track a package with a chatbot. More and more companies turn over simple, routine consumer interactions to bots.

Figure 1: chatbot interaction for tracking package delivery

It’s now possible to complete most routine transactions without having to speak to a real person. Food companies like Subway, Dominos and Starbucks are all experimenting with letting people place orders using chatbots in Facebook Messenger (like MobileMonkey), or by verbally telling Amazon’s Alexa to order them a frappuccino.

And advances in natural language processing are being used to great effect today in relatively simplistic virtual assistants like Amazon’s Alexa, Apple Siri and Microsoft’s Cortana. Erica, a Bank of America chatbot goes a step further, leveraging “predictive analytics and cognitive messaging” to provide financial guidance to their customers.

Of course, chatbots aren’t infallible, especially when it comes to things like problem-solving, intuition, and empathy, which is where human interaction can make a tremendous difference to the outcome for a customer. In these cases, chatbots can be used for routine interactions, and then escalate to a real person for more complex interactions.

Figure 2: chatbot escalation/de-escalation to a real person

How Do Chatbots Work?

A chatbot is simply an application that is governed by Machine Learning (ML) models in conjunction with a set of specified rules. Like most applications, chatbots are comprised of an application layer, a database and a set of APIs.

Chatbots simulate a real-life, two-way conversation when humans interact with it using either a chat or voice interface. Responses are based on the “knowledge” available to it at that point in time. If an interaction introduces a new concept, chatbots are typically trained to either deflect the conversation, or else escalate to a human operator. Logs of discussions between chatbots and customers are saved and dissected by researchers in order to retrain the chatbot. Thus, a chatbot’s interactions will gradually grow in scope and relevance.

There are generally three types of chatbots based on different classification methods and uses:

Pattern Matching Bots – these bots parse an input phrase and try to match keywords or key phrases to an entry in its database. If found, the bot can then provide the corresponding response.
- Best suited for FAQ responses to common customer inquiries
Natural Language Understanding Bots – these bots link entities (such as “ordering” or “purchasing”) with context (such as pattern matched keywords like “pizza types”) with expectations, which are what the customer is expecting in response to their interaction, such as “a list of toppings.”
- Best suited for simple transactional inquiries, such as ordering food
Natural Language Processing (NLP) Bots – these bots convert the user’s speech or text into structured data through a series of processes that parse the language into grammatical entities (verbs, subjects, objects, etc), extract recognized words or phrases (such as product names), identify misspellings, and may even attempt sentiment analysis to understand the customer’s attitude.
- Best suited to complex customer service interactions

While it sounds complex, you may be surprised to learn that implementing a fully functioning chatbot is significantly cheaper than building a cross-platform app, and substantially less expensive than the human alternative (i.e., customer service reps).

Make Your Own Chatbot

Now that you understand the importance and utility of chatbots, you may be inspired to see if you can create one for yourself. Daniel Kukiela has a Python-based implementation of a chatbot on Github that you can try “out of the box” with just a few commands to setup your environment and clone the repo.

The Requirements.txt is pretty basic, and includes:

tensorflow-gpu>=1.4.0
- Utilizes TensorFlow’s Neural Machine Translation (seq2seq) capabilities to perform natural language processing
tqdm
- Implements a progress bar
colorama
- For producing colored terminal text and cursor positioning
regex
- For parsing text
python-Levenshtein
- For manipulating strings, including determining string similarity, median and average
requests
- The de facto standard for making HTTP requests in Python

All of these packages are supported on the ActiveState Platform (except for the GPU-based version of TensorFlow which is replaced with the standard CPU version). If you’d like to try making Kukiela’s chatbot, the easiest way to set up your development environment is to:

Fork my “Chatbot” runtime environment on the ActiveState Platform into your account (you’ll be prompted to create an account if you don’t already have one)
Install the State Tool
Install the runtime on your system with ActiveState’s State Tool, which will automatically:
- Create a virtual environment, and then
- Install the chatbot’s Python runtime into it (i.e., all 6 packages in Kukiela’s Requirements.txt plus their 50 dependencies)

To install the runtime, follow the instructions listed under the “Use via Command Line” heading. For example:

Now that your chatbot project’s environment is ready to go, you can grab Kukiela’s code and use the included training data to give it a try. Just issue the following commands from your new virtual environment:

$ git clone --branch v0.1 --recursive https://github.com/daniel-kukiela/nmt-chatbot.git
$ cd nmt-chatbot/
$ cd setup
$ python3 prepare_data.py
$ cd ..
$ python3 train.py

And now the hard part: waiting. Eventually the chatbot will chew through the training data and you’ll have a trained demo that’s ready to deploy and test out.

Happy chatting!

Got a Github project you’d like to simplify the setup for by offering a pre-built environment? Sign up for a free ActiveState Platform account and see how easy it can be.

How To Learn Python Without First Needing To Learn Python

dcrane604 — Fri, 19 Jul 2019 17:03:43 +0000

When it comes to driving, we don’t make the student assemble the car before learning how to drive. Yet when it comes to learning Python, users first need to learn how to:

Install Python, preferably in a virtual environment
Use pip to install all requirements
Resolve any dependency conflicts, as needed

Before they can even begin to start their Python course. This approach assumes the user has some familiarity with Python before they’ve even installed it, which can be both a false assumption by the course creator, and intimidating for the student. For example:

Which Python version should I use? The Readme for the course doesn’t look like it’s been updated in a while and is recommending an older version, but shouldn’t I use the latest version?
Which distribution should I use? The older one that’s pre-installed on my OS? Or should I download a newer version from python.org, or just get Anaconda? Will these conflict with my OS-installed one?
I heard I should be using a virtual environment – how do I do that?

All good arguments why new users should get a good Python book or else a teacher/adviser before you start. But there’s another way to lower the barrier to entry for new users of Python: ActiveState’s State Tool.

Simple Python Installations

The State Tool can install a Python runtime into a virtual environment on Linux or Windows with a single command, simplifying the deployment of Python:

On a developer’s workstation
On any/all instances across your CI/CD chain
In production

It’s also ideal for first time users since it automates the creation of their Python environment without requiring any previous knowledge. For example, take the popular “Learn Python” repository created by Oleksii Trekhleb on Github trekhleb/learn-python. The Readme has this to say about environment setup:

“Make sure that you have Python3 installed on your machine” with a link to RealPython’s website to explain the process in detail.
“You might want to use venv standard Python library to create virtual environments…”
“Install all dependencies that are required for the project by running:” pip install -r requirements.txt

Alternatively, you could install the State Tool and run the “state activate” command to get started in just a few seconds without requiring any prior knowledge of Python.

In fact, you can do just that right here: https://github.com/shnewto/learn-python. That link goes to a fork of Trekhleb’s repo that we’ve created to show off the simple yet powerful capabilities of the State Tool. In this case, you just need to:

Download the State Tool
Clone the Repo and cd into it
Type state activate

From the point of view of an end user, the State Tool dramatically reduces the amount of language-specific knowledge you require in order to set up your environment before you can get to what you really want to do: coding.

But for Github repository owners, it also means your users and contributors get started working with your project much faster, which may result in a lot more code contributions.

Reducing The Readme

To simplify the environment setup for your project, you can do exactly what we did for the Learn Python project: create a Python runtime on the ActiveState Platform, and include a YAML file in your repo that points to it. Let’s take it one step at a time:

Create a free ActiveState Platform account
Create a new project for Python on Linux or Windows
Add the packages required for your project, and let the Platform automatically pull in all the dependencies, resolve them, and create an installer for you in just a few minutes
Create an activestate.yaml file and add it to your repository. The file contains four lines:

name: (enter the name of your project from step 2)
owner: (enter the username you entered during step 1)
languages: (this line is currently left blank)
name: (enter python if it's a Python project)

Don’t forget to add a link in your Readme to download the State Tool, as well as the instructions to clone your repo, cd into it and issue the “state activate” command.

While there may be other steps you require in your Readme, such as setting up a database, the State Tool lets you dramatically reduce the number of hoops your users have to jump through before they can start working on your project. Or if you’re an educator, it can make setting up a classroom full of Python environments every semester as simple as writing a script to delete the old virtual environment and “state activate” a new one on each system.

Want to see how the ActiveState Platform allows developers to build Python distros in minutes instead of weeks? Watch this short video or create a free account.