
Responsible Disclosure Only Works If Software Is Updated

What should happen when a security researcher discovers a vulnerability in a popular software project? Should details of the vulnerability be released so that users can protect themselves? Or should it be kept secret so that bad actors can’t exploit it?

There are drawbacks to both approaches. Immediate full disclosure puts users at risk. Bad actors find out about the vulnerability too, and there isn’t a lot users can do to protect themselves until patches are released. In contrast, secrecy allows software developers to ignore vulnerabilities, and there is no guarantee that bad actors don’t know about them already.

The industry has, for the most part, settled on a hybrid approach called responsible disclosure. When a security researcher finds a vulnerability, they inform the software’s developers but they don’t go public immediately. The developer is given time to release patches. Once the patches are released, the vulnerability is publicized so that users know to update. If the developer fails to release a patch in a reasonable amount of time, the vulnerability is disclosed to users so they can protect themselves. The amount of time given to developers varies; Google’s Project Zero allows 90 days.

Responsible disclosure attempts to balance competing goods. Users who are in the dark about vulnerabilities can’t respond to the threat, but immediate disclosure gives bad actors an advantage. Secrecy might prevent widespread exploitation of a vulnerability before it’s been patched, but developers, especially developers of proprietary software, may not be inclined to invest time and money into bug fixes for vulnerabilities no one knows about. Responsible disclosure is the golden mean between complete transparency and security by obscurity.

Responsible disclosure depends on the assumption that software is updated when patches are released. Secrecy following discovery is justified by the risk disclosure poses to users. They would be exposed without any way to fix the problem. Delayed disclosure is justified by the belief that once patches are available, users are safe.

But what happens when users don’t update? They are in as much peril as if the vulnerability had been exposed without patches having been released. Bad actors know all about the vulnerability, including, in the case of open source software, exactly which code was vulnerable and how to exploit it. Unfortunately, failing to patch isn’t rare: many recent data leaks and security breaches were the result of the exploitation of known vulnerabilities for which patches were widely available.

The point is this: over many years, a system for handling vulnerabilities has evolved, a system which aims to keep software users as safe as possible. Developers, security researchers, and corporations cooperate to minimize the risk to users. But users — businesses, server administrators, hosting providers — have a vital role to play. They have to update their software when patches become available. If they don’t, they put their business, their customers, and the wider population at risk.

Posted in:
Hostdedi


Uncovering the Benefits of Elasticsearch, SOLR, Sphinx, and MySQL

For 74% of consumers, the quality and relevancy of search results on an ecommerce site is the difference between whether they do or don’t make a purchase. Storefronts can no longer rely on good navigation alone. Search has become a primary purchasing path, with consumers that use search 200% more likely to make a purchase than those who don’t.

Powerful on-site search provides more than just a direct purchasing path. It also provides customers with the ability to research and further define desired products and attributes. This not only means consumers are able to research their choices more effectively, it also positions you as an industry leader and an invaluable consumer resource.

This article looks at the search options available to Magento merchants and outlines four of the main tools: Elasticsearch, SOLR, Sphinx, and MySQL. It examines the pros and cons of each and recommends which option is best.

Keep reading to see which Magento search option is right for your storefront.


Note: this article will not be taking a detailed look at the multiple Magento search extensions available on the marketplace, but instead focuses on more powerful, external solutions.

How Magento Search Works

How Magento search works depends on what search option you choose and how you configure it. In some cases, it’s possible to simply connect a search engine to your Magento store and it will do the rest automatically. In other cases, proper implementation requires either a developer or expert. 

Regardless of which path you choose, once a search engine has been implemented, it will index your site. This provides an easy-to-search directory of your products and their attributes. Depending on the size of your store, this can take a few minutes to a few days.

When looking for a search engine, there are several different features that should stand out. These include:

  • Fast and accurate results
  • Natural language processing for longtail and complex search queries
  • Filtered results pages for more accurate results (Faceted search)
  • Error-tolerance (this needs to be high to provide better, more relevant results) 
  • Synonym management (especially important for niche stores)

Elasticsearch

Elasticsearch (ES) is currently the most popular and the default option for Magento search. 

As a Java-based document store, Elasticsearch is engineered to store large numbers of JSON documents and work with them natively. So in addition to handling text-based queries, it can also understand advanced analytical queries, including interpreting numeric and geo data.

Where Elasticsearch really shines is in its full support for Apache Lucene’s real-time search. From a customer’s perspective, this means ES is able to provide faster and more relevant search experiences. For store owners, this means faster conversions. 

Adding Elasticsearch to the Magento Catalog Interface

Currently, Elasticsearch is recommended by both us and Magento. Part of the reason for this is that it’s easy to set up. On Hostdedi accounts, it can be turned on under the Environment tab in your Client Portal. The endpoint can then be transferred into Magento by following this guide.

At the moment, both Foursquare and GitHub use Elasticsearch.

A Faster, More Accurate Search Option

Elasticsearch makes use of fuzzy searching, a technique that allows stores to interpret customer queries even when customers mistype or aren’t 100% sure what they are looking for. Combined with synonym and stop word interpretation, this places ES as one of the more capable search engines available to merchants.

ES also allows for merchants to customize search results based on defined parameters. One of the technologies used to do this is finite state transducers. In English, this means that ES can handle search queries that consider both the input and output, and that can then provide results based on the relationship between these two pieces of data. 

Complex Search Query Support

While both Elasticsearch and SOLR (below) are based on Lucene query parsing, Elasticsearch provides support for structured query DSL. This allows for more complex search queries not supported by a Lucene-only search engine.

Elasticsearch also supports scoring scripts, which can be written and implemented through JavaScript. At this point in time, SOLR does not offer this functionality.

Official and Community Library Support

Official: Java, PHP, JavaScript, Python, Groovy, Ruby, Perl, .NET

Community: Java, JavaScript, PHP, Python, R, Ruby, Clojure, Cold Fusion, Erlang, Go, Groovy, Haskell, .NET, OCaml, Perl, Scala, Smalltalk, Vert.x

Elasticsearch Pros

  • Has become the default replacement for the default Magento MySQL Search Engine 
  • A little faster than SOLR
  • More aligned with modern web development practices (so likely easier to use)
  • Ready to go out of the box with the Hostdedi Elasticsearch Container solution

Elasticsearch Cons

  • Will take up space due to indexing
  • Can cost extra for hosting space
  • Requires indexing

SOLR

Another standalone, scalable search option for Magento. For a long time, SOLR dominated the Magento search market for high-traffic sites. Not only does it offer a number of important features search admins are looking for, it’s also a scalable solution capable of handling heavy traffic loads.

Some of the features you’ll find with SOLR search include:

  • Search term suggestions based on misspelling
  • Weighted search results
  • Layered navigation
  • Powerful autocomplete
  • Relevancy management
  • Support for synonyms and stop words

At the moment, CNET and Netflix use SOLR.

Near Real-Time Search Speeds

Where SOLR shines is when it comes to group searches. This is because SOLR supports distributed groups (including grouped sorting, filtering, and faceting). For ecommerce store owners, this gives their customers better, more relevant search experiences. At this point in time, the main competitor, Elasticsearch, does not support this in the same way.

When compared to alternatives, SOLR is a more complicated search engine to implement. Not only does SOLR’s interface take longer to learn than Elasticsearch’s, its deployment also requires a little more knowledge than Elasticsearch’s. 

If you’re looking for some added functionality that comes with additional work, then SOLR may work for you. However, in 99 cases out of 100, we would recommend Magento store owners opt for Elasticsearch. 

Official and Community Library Support

Official: Java

Community: PHP, Python, JavaScript, Ruby, Erlang, Perl, Scala, Go, Clojure, .NET

SOLR Pros

  • A popular search option for Magento 1 stores
  • Does not require a massive indexing process
  • Truly open source

SOLR Cons

  • Harder to implement
  • No longer the latest and greatest in Magento Search

Sphinx

Sphinx is a powerful Magento search tool capable of searching multiple content types, with support for multiple languages. While not as powerful as the options above, it’s favored by a lot of Magento 1 stores due to the ease of integration.

Sphinx is currently used by Mozilla, Craigslist, and Dailymotion.

Fast Search From a Premium Module

By default, Sphinx doesn’t run through an external container but through an extension that can be downloaded from the Magento Marketplace. Despite this, it’s still capable of holding its own when pitted against the other options on this list.

According to its own documentation, Sphinx is able to deliver over 500 queries/second when a product catalog consists of over 1,000,000 SKUs.

In terms of its actual search capabilities, Sphinx includes a number of features you see with most of the other search engines listed here, including:

  • Synonym and plural form support
  • Long tail search 
  • Stop word support

Sphinx also allows for multiple search types, including products, categories, attributes, and blog content. Its morphology preprocessors allow for different word forms to be replaced with their base form. In Sphinx’s example, this means translating Dogs into Dog. There are, of course, much more complicated use cases where this helps to provide unique and highly-relevant results for customers. 


A Magento 1 Search Tool

While we always recommend using Elasticsearch, we’ve found that when Sphinx is used it tends to be with Magento 1 stores. If you’re running a Magento 2 store, Elasticsearch is a better option – especially if you’re just getting started or are in the process of replatforming from Magento 1.

If you’re interested in how to configure search on Magento 1, then we recommend checking out this article from Shero.

Sphinx Pros

  • A powerful search engine used by a lot of large, popular sites
  • Years of development have made it stable

Sphinx Cons

  • Not as well supported as alternatives
  • Lacks the speed of Elasticsearch and SOLR

MySQL

The original default search engine for Magento. While competent in its own right, it doesn’t compare to the enterprise options available. Moreover, the MySQL search option for Magento has now been deprecated. Instead, Magento 2 is now configured to use the Elasticsearch search option by default. 

The default MySQL search is also missing some other features you’ll find with SOLR or Elasticsearch, including suggestions, clustering, attribute weights, and tips when zero results are returned.

MySQL search options through the Magento Catalog

For this reason, we recommend avoiding the default MySQL search option. With the current ease of integration afforded by Elasticsearch, why wouldn’t you want more powerful search powering your Magento store?

MySQL Pros

MySQL Cons

  • It’s not nearly as powerful as other options
  • It has been deprecated 

Expanding Magento Search Functionality Through Extensions

If you own a smaller Magento store and don’t want to invest in a dedicated search engine, then it’s also possible to expand the search functionality of Magento through extensions. These can be found and downloaded from the Magento Marketplace.

The Best Magento Search Engine

We recommend that all merchants make the move to Elasticsearch. Not only because it’s easy to integrate with your Magento store, but also because it provides numerous improvements over the alternatives. 

While speed and performance are comparable to SOLR, Elasticsearch does have a slight edge. It also allows consumers to make more complex searches with more relevant results, thanks to a number of additional features such as fuzzy searching, full indexing, and DSL query support.

In terms of development, Elasticsearch also provides much more in terms of official and community client libraries. This means that your developer is more likely to be able to handle and scale it efficiently. Combine this with its out of the box readiness on the Hostdedi container platform, and it becomes the clear search engine choice for most Magento stores. 
