SYS-CON MEDIA Authors: Yeshim Deniz, Roger Strukhoff, Jason Bloomberg, Pat Romanski, Liz McMillan

Blog Feed Post

A Security Twist.

https://www.ingrainedtech.com/wp-content/uploads/2018/01/ship-661630_192... 768w, https://www.ingrainedtech.com/wp-content/uploads/2018/01/ship-661630_192... 1024w, https://www.ingrainedtech.com/wp-content/uploads/2018/01/ship-661630_192... 1600w" sizes="(max-width: 300px) 100vw, 300px" />
USS Constitution

Like most of you, I am not a dedicated security person, but security duties have fallen to me in one form or another at almost every role I’ve filled. The fact is that all of IT is involved in security, whether we acknowledge that fact or not. This was true before DevOps, and it is more true in a DevOps environment, where an already overtaxed security group needs to show developers and ops members of the DevOps teams what to do, rather than do it all themselves. Because DevOps creates more work for security, just by virtue of releasing more often and speeding the rate of change.

If you are like me, the last year or two of your security mind-share has been focused on the crazy rate of change in the average IT environment. There seems to be something new to worry about just about every month, and there have been some spectacular failures to show that we really do have to worry about them.

So the announcement of ages old pre-execution bugs in just about every chip on the market was an unwelcome surprise, no doubt for you as well as me. And it’s a surprise we were highly unlikely to have discovered independently, no matter how good our security team. I’m an architecture aficionado. I like to write compilers and linkers as a hobby, so knowledge of the workings of CPUs is kind of part of the pool of required knowledge. And I had zero reason to suspect this was an issue.

Which brings me to the current direction my thoughts are taking. What else do we not know? How can we plan for such broad issues?

I fear the answers to those questions are a whole lot (feel free to insert an expletive here), and Not much (feel free to sigh when you say that). We are dependent upon an insane number of other engineers/developers and their security practices, simply in the process of keeping the IT lights on. From chips to OS to VMs and containers to libraries to apps to hosting providers… You name it, our infrastructure relies on others. And we don’t really know the level of security acumen they applied most of the time. If you’ve been in IT for very long, you’ve seen an instance of a vendor doing something that is definitively unsafe, and that’s just the ones you see.

So what can you do? I honestly don’t have an answer to that at this point, but it’s a problem that we are increasingly going to have to deal with. Internal configuration and coding errors create vulnerabilities, but so do internal coding errors for the products we use. I’m beginning to suspect we only think our devs are creating more of them because we can actually see when our devs create them. In this regard, at least Open Source lets us look, but even the much touted “anyone can look at and update the code” is not reality. How many open source products do you use? How many of those have you done a thorough code review for? A small number of orgs can claim “all the critical ones”. I don’t think any org can claim 100% coverage of source for 100% of Open Source apps in use. So again, you are counting on others and their acumen. “Someone looked at the Open Source”, you tell yourself. I would argue that Heartbleed proves that is not always true.

I guess the best you can do is prepare to be boarded. Arm the troops and watch the main sail, so rigging doesn’t get snagged. In other words, expect a vulnerability you are not aware of in someone else’s code will eventually get you, and have a reaction plan in place. That’s about the best we have, for now.

Read the original blog entry...

More Stories By Don MacVittie

Don MacVittie is founder of Ingrained Technology, A technical advocacy and software development consultancy. He has experience in application development, architecture, infrastructure, technical writing,DevOps, and IT management. MacVittie holds a B.S. in Computer Science from Northern Michigan University, and an M.S. in Computer Science from Nova Southeastern University.

Latest Stories
With the introduction of IoT and Smart Living in every aspect of our lives, one question has become relevant: What are the security implications? To answer this, first we have to look and explore the security models of the technologies that IoT is founded upon. In his session at @ThingsExpo, Nevi Kaja, a Research Engineer at Ford Motor Company, discussed some of the security challenges of the IoT infrastructure and related how these aspects impact Smart Living. The material was delivered interac...
Atmosera delivers modern cloud services that maximize the advantages of cloud-based infrastructures. Offering private, hybrid, and public cloud solutions, Atmosera works closely with customers to engineer, deploy, and operate cloud architectures with advanced services that deliver strategic business outcomes. Atmosera's expertise simplifies the process of cloud transformation and our 20+ years of experience managing complex IT environments provides our customers with the confidence and trust tha...
In his session at 23rd International CloudEXPO, Raju Shreewastava, founder of Big Data Trunk, will provide a fun and simple way to introduce Machine Leaning to anyone and everyone. Together we will solve a machine learning problem and find an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/busine...
CloudEXPO has been the M&A capital for Cloud companies for more than a decade with memorable acquisition news stories which came out of CloudEXPO expo floor. DevOpsSUMMIT New York faculty member Greg Bledsoe shared his views on IBM's Red Hat acquisition live from NASDAQ floor. Acquisition news was announced during CloudEXPO New York which took place November 12-13, 2019 in New York City. Our Silicon Valley 2019 schedule will showcase 200 keynotes, sessions, general sessions, power panels, and...
ShieldX's CEO and Founder, Ratinder Ahuja, believes that traditional security solutions are not designed to be effective in the cloud. The role of Data Loss Prevention must evolve in order to combat the challenges of changing infrastructure associated with modernized cloud environments. Ratinder will call out the notion that security processes and controls must be equally dynamic and able to adapt for the cloud. Utilizing four key factors of automation, enterprises can remediate issues and impro...
Intel is an American multinational corporation and technology company headquartered in Santa Clara, California, in the Silicon Valley. It is the world's second largest and second highest valued semiconductor chip maker based on revenue after being overtaken by Samsung, and is the inventor of the x86 series of microprocessors, the processors found in most personal computers (PCs). Intel supplies processors for computer system manufacturers such as Apple, Lenovo, HP, and Dell. Intel also manufactu...
When you're operating multiple services in production, building out forensics tools such as monitoring and observability becomes essential. Unfortunately, it is a real challenge balancing priorities between building new features and tools to help pinpoint root causes. Linkerd provides many of the tools you need to tame the chaos of operating microservices in a cloud native world. Because Linkerd is a transparent proxy that runs alongside your application, there are no code changes required. I...
BMC has unmatched experience in IT management, supporting 92 of the Forbes Global 100, and earning recognition as an ITSM Gartner Magic Quadrant Leader for five years running. Our solutions offer speed, agility, and efficiency to tackle business challenges in the areas of service management, automation, operations, and the mainframe.
The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential. DevOpsSUMMIT at CloudEXPO expands the DevOps community, enable a wide sharing of knowledge, and educate delegates and technology providers alike.
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the University of Cambridge, Darktrace's Enterprise Immune System is the first non-consumer application of machine learning to work at scale, across all network types, from physical, virtualized, and cloud, through to IoT and industrial control systems. Installed as a self-configuring cyber defense platform, Darktrace continuously learns what is ‘normal' for all devices and users, updating its understa...
Cloud-Native thinking and Serverless Computing are now the norm in financial services, manufacturing, telco, healthcare, transportation, energy, media, entertainment, retail and other consumer industries, as well as the public sector. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that pro...
As you know, enterprise IT conversation over the past year have often centered upon the open-source Kubernetes container orchestration system. In fact, Kubernetes has emerged as the key technology -- and even primary platform -- of cloud migrations for a wide variety of organizations. Kubernetes is critical to forward-looking enterprises that continue to push their IT infrastructures toward maximum functionality, scalability, and flexibility. As they do so, IT professionals are also embr...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
OpsRamp is an enterprise IT operation platform provided by US-based OpsRamp, Inc. It provides SaaS services through support for increasingly complex cloud and hybrid computing environments from system operation to service management. The OpsRamp platform is a SaaS-based, multi-tenant solution that enables enterprise IT organizations and cloud service providers like JBS the flexibility and control they need to manage and monitor today's hybrid, multi-cloud infrastructure, applications, and wor...
Apptio fuels digital business transformation. Technology leaders use Apptio's machine learning to analyze and plan their technology spend so they can invest in products that increase the speed of business and deliver innovation. With Apptio, they translate raw costs, utilization, and billing data into business-centric views that help their organization optimize spending, plan strategically, and drive digital strategy that funds growth of the business. Technology leaders can gather instant recomm...