Click here to close now.

Welcome!

Mobile IoT Authors: Liz McMillan, Pat Romanski, Elizabeth White, David Miller, Carmen Gonzalez

Related Topics: Microservices Expo, Mobile IoT, Microsoft Cloud, Containers Expo Blog, CloudExpo® Blog, Cloud Security

Microservices Expo: Article

Built-in Security: Making Applications Security Pervasive

Learn how a telecoms provider takes strides to make applications security pervasive

Welcome to the latest edition of the HP Discover Performance Podcast Series. Our next discussion examines how a major telecommunications provider is tackling security, managing the details and the strategy simultaneously, and extending that value onto their many types of customers.

Here to explore these and other enterprise IT security issues, we're joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software.

And we also welcome our special guest, George Turrentine, Senior IT Manager at a large telecoms company, with a focus on IT Security and Compliance. George started out as a network architect and transitioned to a security architect and over the past 12 years, George has focused on application security, studying vulnerabilities in web applications using dynamic analysis, and more recently, using static analysis. George holds certifications in CISSP, CISM, and CRISC.

The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:

Gardner: George, many of the organizations that I'm familiar with are very focused on security, sometimes at a laser level. They're very focused on tactics, on individual technologies and products, and looking at specific types of vulnerabilities. But I sense that, sometimes, they might be missing the strategy, the whole greater than the sum of the parts, and that there is lack of integration in some of these aspects, of how to approach security.

I wonder if that’s what you are seeing it, and if that’s an important aspect to keeping a large telecommunications organization robust, when it comes to a security posture.

Turrentine: We definitely are at the time and place where attacks against organizations have changed. It used to be that you would have a very focused attack against an organization by a single individual or a couple of individuals. It would be a brute-force type attack. In this case, we're seeing more and more that applications and infrastructure are being attacked, not brute force, but more subtly.

The fact that somebody that is trying to effect an advanced persistent threat (APT) against a company, means they're not looking to set off any alarms within the organization. They're trying to stay below the radar and stay focused on doing a little bit at a time and breaking it up over a long period of time, so that people don’t necessarily see what’s going on.

Gardner: Raf, how does that jibe with what you are seeing? Is there a new type of awareness that is, as George points out, subtle?

Los: Subtlety is the thing. Nobody wants to be a bull-in-a-china-shop hacker. The reward may be high, but the risk of getting caught and getting busted is also high. The notion that somebody is going to break in and deface your website is childish at best today. As somebody once put it to me, the good hackers are the ones you catch months later; the great ones, you'll never see.

That’s what we're worried about, right. Whatever buzzwords we throw around and use, the reality is that attacks are evolving, attackers are evolving, and they are evolving faster than we are and than we have defenses for.

They are evolving faster than we are and than we have defenses for.

As I've said before, it’s like being out in a dark field chasing fireflies. We tend to be chasing the shiny, blinky thing of the day, rather than doing pragmatic security that is relevant to the company or the organization that you're supporting.

Gardner: One of the things I've seen is that there is a different organization, even a different culture, in managing network security, as opposed to, say, application security, and that often, they're not collaborating as closely as they might. And that offers some cracks between their different defenses.

George, it strikes me that in the telecommunications arena, the service providers are at an advantage, where they've got a strong network history and understanding and they're beginning to extend more applications and services onto that network. Is there something to be said that you're ahead of the curve on this bridging of the cultural divide between network and application?

Turrentine: It used to be that we focused a whole lot on the attack and the perimeter and trying to make sure that nobody got through the crunchy exterior. The problem is that, in the modern network scenario, when you're hosting applications, etc., you've already opened the door for the event to take place, because you've had to open up pathways for users to get into your network, to get to your servers, and to be able to do business with you. So you've opened up these holes.

Primary barrier

Unfortunately, a hole that's opened is an avenue of an attack. So the application now has become the primary barrier for protecting data. A lot of folks haven't necessarily made that transition yet to understanding that application security actually is your front row of attack and defense within an organization.

It means that you have to now move into an area where applications not only can defend themselves, but are also free from vulnerabilities or coding flaws that can easily allow somebody to grab data that they shouldn't have access to.

Gardner: Raf, it sounds as if, for some period of time, the applications folks may have had a little bit of an easy go at it, because the applications were inside a firewall. The network was going to be protected, therefore I didn't have to think about it. Now, as George is pointing out, the applications are exposed. I guess we need to change the way we think about application development and lifecycle.

Los: Dana, having spent some time in extremely large enterprise, starting in like 2001, for a number of years, I can't tell you the amount of times applications’ owners would come back and say, "I don't feel I need to fix this. This isn’t really a big risk, because the application is inside the firewall.”

Raf Los

Even going back that far, though, that was still a cop-out, because at that time, the perimeter was continuing to erode. Today, it's just all about gone. That’s the reality.

So this erosion of perimeter, combined with the fact that nothing is really internal anymore, makes this all difficult. As George already said, applications need not just to be free of bugs, but actually be built to defend themselves in cases where we put them out into an uncertain environment. And we'll call the Internet uncertain on a good day and extremely hostile on every other day.

Turrentine: Not only that, but now developers are developing applications to make them feature rich, because consumers want feature-rich applications. The problem is that those same developers aren't educated and trained in how to produce secure code.

The other thing is that too many organizations have a tendency to look at that big event with a possibility of it taking place. Yet hackers aren’t looking for the big event. They're actually looking for the small backdoor that they can quietly come in and then leverage that access. They leverage the trust between applications and servers within the infrastructure to promote themselves to other boxes and other locations and get to the data.

Little applications

We used to take for granted that it was protected by the perimeter. But now it isn’t, because you have these little applications that most security departments ignore. They don’t test them. They don’t necessarily go through and make sure that they're secure or that they're even tested with either dynamic or static analysis, and you are putting them out there because they are "low risk."

Gardner: Let’s chunk this out a little bit. On one side, we have applications that have been written over any number of years, or even decades, and we need to consider the risks of exposing them, knowing that they're going to get exposed. So is that a developer’s job? How do we make those older apps either sunsetted or low risk in terms of being exposed?

And on the other side, we've got new applications that we need to develop in a different way, with security instantiated into the requirements right from the get-go. How do you guys parse either side of that equation? What should people be considering as they approach these issues?

Turrentine: I'm going to go back to the fact that even though you may put security requirements in at the beginning, in the requirements phase of the SDLC, the fact is that many developers are going to take the low path and the easiest way to get to what is required and not necessarily understand how to get it more secure.

This is where the education system right now has let us down. I started off programming 30 years ago. Back then, there was a very finite area of memory that you could write an application into. You had to write overlays. You had to make sure that you moved data in and out of memory and took care of everything, so that the application could actually run in the space provided. Nowadays, we have bloat. We have RAM bloat. We have systems with 16 to 64 gigabytes of RAM.

Los: Just to run the operating system.

We've gotten careless

Turrentine: Just to run the operating system. And we've gotten careless. We've gotten to where we really don’t care. We don’t have to move things in and out of memory, so we leave it in memory. We do all these other different things, and we put all these features and functionality in there.

The schools, when they used to teach you how to write in very small areas, taught how to optimize the code, how to fix the code, and in many ways, efficiency and optimization gave you security.

Nowadays, we have bloatware. Our developers are going to college, they are being trained, and all they're learning is how to add features and functionality. The grand total of training they get in security is usually a one hour lecture.

You've got people like Joe Jarzombek at the Department of Homeland Security (DHS), with a Software Assurance Forum that he has put together. They're trying to get security back into the colleges, so that we can teach developers that are coming up how to develop secure code. If we can actually train them properly and look at the mindset, methodologies, and the architecture to produce secure code, then we would get secure applications and we would have secure data.

Gardner: That’s certainly a good message for the education of newer developers. How about building more of the security architect role into the scrum, into the team that’s in development? Is that another cultural shift that seems to make sense?

It's just a reactive move to the poor quality that’s been put out over the last couple of years of software.

Turrentine: Part of it also is the fact that application security architects, who I view differently than a more global security architect, tend to have a myopic view. They're limited, in many cases, by their education and their knowledge, which we all are.

Face it. We all have those same things. Part of the training that needs to be provided to folks is to think outside the box. If all you're doing is defining the requirements for an application based upon the current knowledge of security of the day, and not trying to think outside the box, then you're already obsolescent, and that's imposed upon that application when it’s actually put into production.

Project into the future

You have to start thinking further of the evolution that’s going on in the way of the attacks, see where it’s going, and then project two years or three years in the future to be able to truly architect what needs to be there for today’s application, before the release.

Gardner: What about legacy applications? We've seen a lot of modernization. We're able to move to newer platforms using virtualization, cutting the total cost when it comes to the support and the platform. Older applications, in many cases, are here to stay for quite a few number of years longer. What do we need to think about, when security is the issue of these apps getting more exposure?

Turrentine: One of the things is that if you have a legacy app, one of the areas that they always try to update, if they're going to update it at all, is to write some sort of application programming interface (API) for it. Then, you just opened the door, because once you have an API interface, if the underlying legacy application hasn’t been securely built, you've just invited everybody to come steal your data.

So in many ways, legacy applications need to be evaluated and protected, either by wrapper application or something else that actually will protect the data and the application that has to run and provide access to it, but not necessarily expose it.

I know over the years everybody has said that we need to be putting out more and more web application firewalls (WAFs). I have always viewed a WAF as nothing more than a band aid, and yet a lot of companies will put a WAF out there and think that after 30 days, they've written the rules, they're done, and they're now secure.

A WAF, unless it is tested and updated on a daily basis, is worthless.

A WAF, unless it is tested and updated on a daily basis, is worthless.

Los: That’s the trick. You just hit a sore spot for me, because I ran into that in a previous life and it stunk really bad. We had a mainframe app that had ported along the way that the enterprise could not live without. They put a web interface on it to make it remotely accessible. If that doesn’t make you want to run your head through a wall, I don’t know what will.

On top of that, I complained loud enough and showed them that I could manipulate everything I wanted to. SQL injection was a brand-new thing in 2004 or something, and it wasn’t. They were like, fine, "WAF, let’s do WAF." I said, "Let me just make sure that we're going to do this while we go fix the problem." No, no, we could either fix the problem or put the WAF in. Remember that’s what the payment card industry (PCI) said back then.

Tactics and strategy

Gardner: So let's get back to this issue of tactics and strategy. Should there be someone who is looking at both of these sides of the equation, the web apps, the legacy, vulnerabilities that are coming increasingly to the floor, as well as looking at that new development? How do we approach this problem?

Turrentine: One of the ways that you approach it is that security should not be an organization unto itself. Security has to have some prophets and some evangelists -- we are getting into religion here -- who go out throughout the organization, train people, get them to think about how security should be, and then provide information back and forth and an interchange between them.

That’s one of the things that I've set up in a couple of different organizations, what I would call a security focal point. They weren’t people in my group. They were people within the organizations that I was to provide services to, or evaluations of.

They would be the ones that I would train and work with to make sure that they were the eyes and ears within the organizations, and I'd then provide them information on how to resolve issues and empower them to be the primary person that would interface with the development teams, application teams, whatever.

If they ran into a problem, they had the opportunity to come back, ask questions, and get educated in a different area. That sort of militia is what we need within organizations.

I've not seen a single security organization that could actually get the headcount they need.

I've not seen a single security organization that could actually get the headcount they need. Yet this way, you're not paying for headcount, which is getting people dotted lined to you, or that is working with you and relying on you. You end up having people who will be able to take the message where you can’t necessarily take it on your own.

Gardner: Raf, in other podcasts that we've done recently we talked about culture, and now we're talking organization. How do we adjust our organization inside of companies, so that security becomes a horizontal factor, rather than group oversight? I think that’s what George was getting at. Is that it becomes inculcated in the organization.

Los: Yeah. I had a brilliant CISO I worked under a number of years back, a gentleman by a name of Dan Conroy. Some of you guys know him. His strategy was to split the security organization essentially uneven, not even close to down the middle, but unevenly into a strategy, governance, and operations.

Strategy and governance became the team that decided what was right, and we were the architects. We were the folks who decided what was the right thing to do, roughly, conceptually how to do it, and who should do it. Then, we made sure that we did regular audits and performed governance activities around it's being done.

Then, the operational part of security was moved back into the technology unit. So the network team had a security component to it, the desktop team had a security component to it, and the server team had security components, but they were all dotted line employees back to the CISO.

Up to date

They didn’t have direct lines of reporting, but they came to our meetings and reported on things that were going on. They reported on issues that were haunting them. They asked for advice. And we made sure that we were up to date on what they were doing. They brought us information, it was bidirectional, and it worked great.

If you're going to try to build a security organization that scales to today’s pace of business, that's the only way to do it, because for everything else, you're going to have to ask for $10 million in budget and 2,000 new headcounts, and none of those is going to be possible.

Gardner: Moving to looking at the future, we talked about some of the chunks with legacy and with new applications. What about some of the requirements for mobile in cloud?

As organizations are being asked to go with hybrid services delivery, even more opportunity for exposure, more exposure both to cloud, but also to a mobile edge, what can we be advising people to consider, both organizationally as well as tactically for these sorts of threats or these sorts of challenges?

Turrentine: Any time you move data outside the organization that owns it, you're running into problems, whether it’s bring your own device (BYOD), or whether it’s cloud, that is a public offering. Private cloud is internal. It's just another way of munging virtualization and calling it something new.

But when you start handling data outside your organization, you need to be able to care for it in a proper way. With mobile, a lot of the current interface IDEs and SDKs, etc., try to handle everything as one size fits all. We need to be sending a message back to the owners of those SDKs that you need to be able to provide secure and protected areas within the device for specific data, so that it can either be encrypted or it can be processed in a different way, hashed, whatever it is.

Then, you also need to be able to properly and cleanly delete it or remove it should something try and attack it or remove it without going through the normal channel called the application.

Secure evolution

I don’t think anybody has a handle on that one yet, but I think that, as we can start working with the organizations and with the owners of the IDEs, we can get to the point where we can have a more secure evolution of mobile OS and be able to protect the data.

Gardner: I am afraid we will have to leave it there. With that, I would like to thank our co-host, Rafal Los, Chief Security Evangelist at HP Software. And I'd also like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Raf through his personal blog, Following the White Rabbit, as well as through the Discover Performance Group on LinkedIn.

I'd also like to extend a huge thank you to our special guest, George Turrentine, the Senior Manager at a large telecoms company.

You can also gain more insights and information on the best of IT performance management at http://www.hp.com/go/discoverperformance. And you can always access this and other episodes in our HP Discover Performance Podcast Series on iTunes under BriefingsDirect.

More Stories By Dana Gardner

At Interarbor Solutions, we create the analysis and in-depth podcasts on enterprise software and cloud trends that help fuel the social media revolution. As a veteran IT analyst, Dana Gardner moderates discussions and interviews get to the meat of the hottest technology topics. We define and forecast the business productivity effects of enterprise infrastructure, SOA and cloud advances. Our social media vehicles become conversational platforms, powerfully distributed via the BriefingsDirect Network of online media partners like ZDNet and IT-Director.com. As founder and principal analyst at Interarbor Solutions, Dana Gardner created BriefingsDirect to give online readers and listeners in-depth and direct access to the brightest thought leaders on IT. Our twice-monthly BriefingsDirect Analyst Insights Edition podcasts examine the latest IT news with a panel of analysts and guests. Our sponsored discussions provide a unique, deep-dive focus on specific industry problems and the latest solutions. This podcast equivalent of an analyst briefing session -- made available as a podcast/transcript/blog to any interested viewer and search engine seeker -- breaks the mold on closed knowledge. These informational podcasts jump-start conversational evangelism, drive traffic to lead generation campaigns, and produce strong SEO returns. Interarbor Solutions provides fresh and creative thinking on IT, SOA, cloud and social media strategies based on the power of thoughtful content, made freely and easily available to proactive seekers of insights and information. As a result, marketers and branding professionals can communicate inexpensively with self-qualifiying readers/listeners in discreet market segments. BriefingsDirect podcasts hosted by Dana Gardner: Full turnkey planning, moderatiing, producing, hosting, and distribution via blogs and IT media partners of essential IT knowledge and understanding.

@ThingsExpo Stories
Cultural, regulatory, environmental, political and economic (CREPE) conditions over the past decade are creating cross-industry solution spaces that require processes and technologies from both the Internet of Things (IoT), and Data Management and Analytics (DMA). These solution spaces are evolving into Sensor Analytics Ecosystems (SAE) that represent significant new opportunities for organizations of all types. Public Utilities throughout the world, providing electricity, natural gas and water, are pursuing SmartGrid initiatives that represent one of the more mature examples of SAE. We have s...
The Internet of Things will put IT to its ultimate test by creating infinite new opportunities to digitize products and services, generate and analyze new data to improve customer satisfaction, and discover new ways to gain a competitive advantage across nearly every industry. In order to help corporate business units to capitalize on the rapidly evolving IoT opportunities, IT must stand up to a new set of challenges. In his session at @ThingsExpo, Jeff Kaplan, Managing Director of THINKstrategies, will examine why IT must finally fulfill its role in support of its SBUs or face a new round of...
One of the biggest challenges when developing connected devices is identifying user value and delivering it through successful user experiences. In his session at Internet of @ThingsExpo, Mike Kuniavsky, Principal Scientist, Innovation Services at PARC, described an IoT-specific approach to user experience design that combines approaches from interaction design, industrial design and service design to create experiences that go beyond simple connected gadgets to create lasting, multi-device experiences grounded in people's real needs and desires.
The true value of the Internet of Things (IoT) lies not just in the data, but through the services that protect the data, perform the analysis and present findings in a usable way. With many IoT elements rooted in traditional IT components, Big Data and IoT isn’t just a play for enterprise. In fact, the IoT presents SMBs with the prospect of launching entirely new activities and exploring innovative areas. CompTIA research identifies several areas where IoT is expected to have the greatest impact.
Can call centers hang up the phones for good? Intuitive Solutions did. WebRTC enabled this contact center provider to eliminate antiquated telephony and desktop phone infrastructure with a pure web-based solution, allowing them to expand beyond brick-and-mortar confines to a home-based agent model. It also ensured scalability and better service for customers, including MUY! Companies, one of the country's largest franchise restaurant companies with 232 Pizza Hut locations. This is one example of WebRTC adoption today, but the potential is limitless when powered by IoT.
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, discussed how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money!
SYS-CON Events announced today that MetraTech, now part of Ericsson, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Ericsson is the driving force behind the Networked Society- a world leader in communications infrastructure, software and services. Some 40% of the world’s mobile traffic runs through networks Ericsson has supplied, serving more than 2.5 billion subscribers.
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will addresses this very serious issue of profound change in the industry.
SYS-CON Events announced today that BMC will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. BMC delivers software solutions that help IT transform digital enterprises for the ultimate competitive business advantage. BMC has worked with thousands of leading companies to create and deliver powerful IT management services. From mainframe to cloud to mobile, BMC pairs high-speed digital innovation with robust IT industrialization – allowing customers to provide amazing user experiences with optimized IT per...
The Internet of Things is not new. Historically, smart businesses have used its basic concept of leveraging data to drive better decision making and have capitalized on those insights to realize additional revenue opportunities. So, what has changed to make the Internet of Things one of the hottest topics in tech? In his session at @ThingsExpo, Chris Gray, Director, Embedded and Internet of Things, discussed the underlying factors that are driving the economics of intelligent systems. Discover how hardware commoditization, the ubiquitous nature of connectivity, and the emergence of Big Data a...
SYS-CON Events announced today that O'Reilly Media has been named “Media Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York City, NY. O'Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O'Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying "faint signals" from the alpha geeks who are creating the future. An active participa...
The world is at a tipping point where the technology, the device and global adoption are converging to such a point that we will see an explosion of a world where smartphone devices not only allow us to talk to each other, but allow for communication between everything – serving as a central hub from which we control our world – MediaTek is at the heart of both driving this and allowing the markets to drive this reality forward themselves. The next wave of consumer gadgets is here – smart, connected, and small. If your ambitions are big, so are ours. In his session at @ThingsExpo, Jack Hu, D...
The 4th International Internet of @ThingsExpo, co-located with the 17th International Cloud Expo - to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA - announces that its Call for Papers is open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
SYS-CON Events announced today that DragonGlass, an enterprise search platform, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. After eleven years of designing and building custom applications, OpenCrowd has launched DragonGlass, a cloud-based platform that enables the development of search-based applications. These are a new breed of applications that utilize a search index as their backbone for data retrieval. They can easily adapt to new data sets and provide access to both structured and unstruc...
We’re entering a new era of computing technology that many are calling the Internet of Things (IoT). Machine to machine, machine to infrastructure, machine to environment, the Internet of Everything, the Internet of Intelligent Things, intelligent systems – call it what you want, but it’s happening, and its potential is huge. IoT is comprised of smart machines interacting and communicating with other machines, objects, environments and infrastructures. As a result, huge volumes of data are being generated, and that data is being processed into useful actions that can “command and control” thi...
As the Internet of Things unfolds, mobile and wearable devices are blurring the line between physical and digital, integrating ever more closely with our interests, our routines, our daily lives. Contextual computing and smart, sensor-equipped spaces bring the potential to walk through a world that recognizes us and responds accordingly. We become continuous transmitters and receivers of data. In his session at @ThingsExpo, Andrew Bolwell, Director of Innovation for HP's Printing and Personal Systems Group, discussed how key attributes of mobile technology – touch input, sensors, social, and ...
All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades. With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo, June 9-11, 2015, at the Javits Center in New York City. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, discussed how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud environment, and we must architect and code accordingly. At the very least, you'll have no problem fil...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.