As the holiday season is upon us, we find ourselves reflecting on the past year and those who have supported us and the entire Tendenci community. With your help, we continue to work toward our shared goal – Connect the world’s people and do some good.
For many of us, it’s been a tough year with all the changes happening across the globe – natural disasters, wildfires, shootings, political issues, personal issues, and hardest of all, the loss of our loved ones. All lead us to the greatest lesson—love. It is the action of love that makes our world a better place.
It is why we are sending you our most loving holiday wishes as you embark on your journey into 2019. So Happy Holidays our dear Tendenci friends and we wish you all a Happy New Year!
As leaders in Open Source, we are here for you. Always.
Yet while Tendenci does not do cross site tracking or individual tracking, it is possible that YOUR site does if you are using Google Analytics, DoubleClick or any number of third party add-ons and plugins.
It is up to YOU to reauthorize and comply with the data protection policies associated with third party add-ons on your site.
What DOES Tendenci do that might allow you to make a mistake in GDPR compliance?
If used as designed, it would be hard to become out of compliance as every site is in an isolated database and container. Yet there are security functions that log activity on your Tendenci site, that if you were to use it for tracking with AI or sell your data, it could potentially be against the GDPRs regulations. Talk to your attorney about this.
For example PCI best practices require dual logging and analysis of the logs for security reasons. There is no direct identifying data in web logs, but they would obviously include things like the IP address to block DDoS attacks.
These logs are never sold or accessed by anyone but our security team to trouble shoot the application and provide feedback to the administrators. Remember, you have the same user interface and front end functionality that our team does if you host with us. Zero difference. And the logs do not contain any identifying information such as an email or name.
We are NOT lawyers, Thus it is up to YOU to determine how you manage your data. We do not, nor have we ever, sold client data to third parties.
Cyber Security is based on Prevention, Monitoring, and Incident Response
Associations are part of the fabric of society. We take it seriously. And we also understand there are no “perfect” or “completely secure” systems. Not even air-gapped.
To guard our SaaS AMS clients’s sites we use redundant systems. These include SSL encryption, application isolation, containers, layers of AWS (Amazon Web Services) VPC, Security Groups, ACLs, Route53 DNS, custom AMIs, virus scanners, malware scanners, pentesting, auditing and more. All of these activities generate redundant logs which need to be monitored. To do that we run what is called the “ELK Stack” or now the “Elastic Stack“.
Network Monitoring with OSSEC Logstash ElasticSearch and Kibana
Cyber Security starts with Project Management
A Cyber PM, upon initial completion, never ends. It requires constant vigilance. The process of Cyber Security can be further explained as:
There are many resources available for cyber security training. We encourage you to look them up and take an active role in keeping your web site, company, family and country secure from cyber attacks!
API’s aren’t mutually exclusive after all, right? You have options.
There are legitimate reasons to use an API. Examples include integration between a legacy mainframe system, ecommerce, or a development team that has chosen a different platform such as .NET or PHP.
Tendenci doesn’t meet all of the functional requirements for everyone by design. Instead we work with great technology like machine learning. The open AMS community isn’t focused on reinventing the wheel. It just doesn’t make economic sense for a non-profit, or even a for profit company, to reinvent Amazon.com or Ebay.com. This is particularly true if you are causes-based association or non-profit given the expense.
Does Tendenci AMS work with other providers? Absolutely. Any provider with an API or that supports SSO or RSS or has their own technology like google tag manager.
Non profits don’t have money to waste. Therefore we aligned our product to major industry supported technology.
Our technology stack as of 2018 is:
Tendenci
Django Web Framework
Javascript and jquery
Bootstrap CS
Python Programming Language
Postgres Database with GIS
Docker Containers
Ubuntu
For more on The Open Source AMS integration via API visit our AMS API Helpfile or read up on everything Tendenci Works With. Or if you aren’t into open source, there are definitely alternatives to Tendenci.
If you do pick an alternative, we suggest you consider Security FIRST and go from there.
Developers and programmers are frequently (ok, almost always) asked to accomplish the impossible yesterday. So this post is for the Tendenci developers and anyone else who uses docker containers, cgroups, jailed name spaces or similar.
Situation: You have a server that is spiking when it previously did not.
Let’s just assume you already have something like OSSEC and the ElasticSearch Stack (ELK Stack) installed and are using a WAF/IDS/IPS endpoint. You are on top of your game. You see the errors from writing to the file system in dockers using the overlayfs file system (please no aufs, just don’t.) How to diagnose it:
“htop” is very good at showing you the issue. It (htop) is also frequently replaced by malware so double check yourself with “ctop” which most variants of common malware omit. Regardless, in this case, we can clearly see we have a stuck process. Enter “ctop” (open source like Tendenci at https://ctop.sh/ and on github at https://github.com/bcicen/ctop .
Running ctop you can quickly identify the container that is using the resources and then enter that container for further trouble shooting. “ctop” look like this:
The solution to a container over utilizing its resources is up to you and your developers. ctop is however a great way to zero in on at least which container is the problem.
In our case, a quick stop/start of the container removed the load and allowed us to do more debugging to figure out the cause. Tendenci is a mature and large codebase for association management (AMS Software) so it’s an iterative process to zero in on issues. And it can be done with the right tools.
Happy Container Utilization
This is what one of the Tendenci Cloud docker servers looked like after debugging and killing the process causing the problem. “Yes” of course there is no replacement for “grep”. But with containers the debugging is a new art even for experienced programmers.
The following graphs show what a Distributed Denial of Service (DDoS) attack on an association looks like. The names, rates and volume of the association have been blurred for security reasons. We are thankful to AWS for their own defenses in front of ours, which help us mitigate these issues.
active response to mitigate attacks
Note: The graphic above, is filtered for a 24 hour span for one client. The infrastructure is in place, and highly redundant, so we can monitor and keep our clients safe. For clients in the US or hosted in other countries (we have multiple Tendenci clouds as needed.)
Note 2: Make no mistake – If a bad-actor has the budget – they can and will purchase enough bots to take a site down. This is well documented. Even our resources at AWS are limited in what they can handle. Budget (yes BUDGET) accordingly.
Python, the language used to program Tendenci – The Open Source AMS, continues it’s meteoric rise in the world of developers. And where the developers go is where the rest of us go. Thus Python’s rise matters. And it benefits every Tendenci user, self hosted or hosted with our small company (same software either way).
Python has continued its upward trajectory from last year and jumped two places to the No. 1 slot, though the top four—Python, C, Java, and C++—all remain very close in popularity.
June 2017 was the first month that Python was the most visited tag on Stack Overflow within high-income nations. This included being the most visited tag within the US and the UK, and in the top 2 in almost all other high income nations (next to either Java or JavaScript). This is especially impressive because in 2012, it was less visited than any of the other 5 languages, and has grown by 2.5-fold in that time.
They have numerous charts to back up the data, but these two in particular paint a telling picture.
From Stack Overflow – the current tag questions viewed:
The above graphs should give you confidence in your choice of using Tendenci as your AMS as the developers are not only there, but growing. Given Tendenci is fully open source (this is different from “free trial” AMS systems which are NOT actually FOSS (Free and Open Source Software). Wikipedia describes the difference as:
(FOSS means) anyone is freely licensed to use, copy, study, and change the software in any way, and the source code is openly shared so that people are encouraged to voluntarily improve the design of the software.[3] This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden from the users.
The good news is with the growth of Python, it only make sense that developers will look at and many will join in to help the community improve the software as they join associations themselves.
We’ve written about why we chose Python over PHP to develop Tendenci open source several times. Correctly choosing the open source stack gives us, and everyone in the community, confidence to see the trends predicted correctly. It wasn’t rocket science – we just listened to our team, we listened to younger developers, and most importantly we listened to our clients on what the future was/is going to be.
Why are associations unwilling to accept apps that meet only minimal requirements? Um… because they started as Guilds and go back to Medieval times. From Britannica on Guilds and Trade Associations:
Guild, also spelled gild , an association of craftsmen or merchants formed for mutual aid and protection and for the furtherance of their professional interests. Guilds flourished in Europe between the 11th and 16th centuries and formed an important part of the economic and social fabric in that era.
and Britannica goes on….
… associations are known to have existed in ancient Rome, however, where they were called collegia. These craft guilds seem to have emerged in the later years of the Roman Republic. They were sanctioned by the central government and were subject to the authority of the magistrates.
This is a huge topic of course. Just know that Tendenci is the ONLY top ranked AMS system that is truly FOSS. Unlimited admins, users, contacts – you can self host or if hosted with us we only charge for processing power. Got 1M users and contacts and 50 admins? No problem. And the growth of Python assures your continued freedom from vendor lock-in no matter what.
Written specifically for the NPO/Association market, Tendenci has continued to grow and adapt to meet the specific needs of these groups. From building on an open source framework that allows complete freedom – to mobile responsive software design – to online forums and newsletter features that keep the community involved, Tendenci continues to invest in the NPO sector. And the NPO’s have responded!
We are pleased to continue our relationship with the following organizations that have recently released upgraded websites and extend a warm welcome to those that are new to the Tendenci community.
So why did our team choose to rewrite TendenciOpen Source and in the Python Programming language? It is a question I get asked a lot. We’ve never been a company that likes to talk in the negative if at all possible, yet it is important to talk about the megatrends going on given we work with associations and nonprofits.
Popularity of a language is a trend, and what you want is as many developers familiar and liking the language of your open source project as possible. This means you have a better chance to have a secure web site and therefore a more secure future.
To be fair – as Disraeli said – “lies, damn lies and statistics” – so there is no one perfectly secure language any more than there is a perfectly “safe” hammer. There will always be operator error and programmers make mistakes.
So we’re not saying Python is perfect, and all of us have used most of the other languages on those charts at some point. We’re just saying we are pleased so many other programmers also like Python and Open Source. THAT is the best that can be done to secure your future online. Secure code that you can examine yourself and even host yourself!
Addendum: As I post this on the Tendenci Blog. Given we focus on non-profits, associations, memberships, education, medical, religious – basically the do-good cause-based organizations, I believe it is particularly important that the project is as transparent as possible. Sometimes it is healthy to inform everyone of WHY we made a decision seven years ago. Python was the right call.
Today’s Tendenci community knowledge share. Here are three very easy free or low cost methods of making a static copy a web site. Use with caution, just know you have the power.
If you are on version 5 and want to “kick the tires” on Tendenci version 7, use https://demo.tendenci.com – you can login here https://demo.tendenci.com/accounts/login/ using “admin/admin” or “user/user”. It does reset every hour or so because of spammers but you can still get a feel for it. A HUGE upgrade from version 5.
Why do we point out all of the ways to copy your Tendenci site (or most sites really)? Doesn’t that make it easier to leave?
Yes. Yes it does. BUT people rarely leave. Or if they do, they typically stay on Tendenci and self host. They’re still part of the Tendenci community which helps us all.
Another reason we promote exports and offsite backups is because we know the more freedom you have, realizing you have that freedom especially on the Tendenci open source platform, makes it less likely for clients to leave.
Think about it. Why would anyone who actually understands their product is open, does far more than other options, is lower cost, and they can self host if they want… why would that person make the decision to leave? It’s illogical.
I mean, who wants to be the President of an Association that takes it backwards in time to proprietary technology or an older open source software built on an unpopular programming language? That’s not in the best interests of the association long term.
Tendenci is written in Python and uses Java and Javascript libraries. This linked chart says it all.
THE 8 MOST IN-DEMAND PROGRAMMING LANGUAGES OF 2016
Popular programming languages means more coders for open source projects written in that language. And more capable people to modify and customize your install if you choose.
One of our goals is FREEDOM from the tyranny of per-user-licensing, proprietary products that want to own YOUR DATA, long term contracts, sites that post your events on THEIR site so if you leave then the history of that event is gone in the blink of an eye. Companies don’t own your data and they shouldn’t trap you.
