March 31, 2019: Free REST API Security guide
If you’ve worked with both major varieties of API (Web services & REST) for any length of time, you’ll know that the approach to security varies widely between them. In the Web services world, there are numerous standards bodies and security guidelines, such as:
These are just a few examples of what’s out there.
Thanks to all of this ancillary work, a common (mis)perception has sprung up that Web services are more secure than REST APIs. While there’s a kernel of truth to this assumption, REST APIs now benefit from their own set of security standards and best practices. To give you a better idea of what these are, check out this helpful eBook on Dzone, written by Guy Levin, CTO of RestCase.
July 18, 2016: Presenting a Webinar on Delivering Data Security with Hadoop and the IoT
On August 9, I’ll be teaming with Reiner Kappenberger from Hewlett Packard Enterprise to explore some of the most pressing security implications of Hadoop and the Internet of Things (IoT). Hosted by the IT GRC Forum, here’s what we’ll be covering:
The Internet of Things (IoT) is here to stay, and Gartner predicts there will be over 26 billion connected devices by 2020. This is driving an explosion of data which offers tremendous opportunity for organizations to gain business value, and Hadoop has emerged as the key component to make sense of the data and realize the maximum value. On the flip side, the surge of new devices has increased the potential for hackers to wreak havoc, and Hadoop has been described as the biggest cybercrime bait ever created.
Data security is a fundamental enabler of the IoT, and if it is not prioritized the business opportunity will be undermined, so protecting company data is more urgent than ever before. The risks are huge and Hadoop comes with few safeguards, leaving it to organizations to add an enterprise security layer. Securing multiple points of vulnerability is a major challenge, although when armed with good information and a few best practices, enterprise security leaders can ensure attackers will glean nothing from their attempts to breach Hadoop. In this webinar we will discuss some steps to identify what needs protecting and apply the right techniques to protect it before you put Hadoop into production.
If you’d like to join us, register here.
October 1, 2013: Big Data security and privacy risk podcast
I recently participated in a podcast sponsored by Edward Haletky at The Virtualization Practice.
My co-panelists (Edward, Iben Rodriguez @iben, Mike Foley @mikefoley) and I discussed many aspects of the inherent security and privacy risks that enterprises and the general public alike are encountering with Big Data. You can find a recording of the podcast here.
August 4, 2013: Introducing a half-day Big Data security training class
Beginning on September 20, I’ll be teaching a half-day Big Data security webinar. These classes will take place once a month, and will cover the following topics:
Big Data information categories
- Document store
Big Data security requirements
- Legal and regulatory
- Internal guidelines
- Industry standards
- User access
Big Data security risks
- Meta data
- Distributed processing (e.g. MapReduce, Hadoop, and Cassandra)
- Overt attacks
- Covert attacks
Best practices for securing Big Data
- Setting realistic security goals
- Reducing surface area for attacks
- Protecting physical assets
- Safeguarding the network
- Encrypting data
- Data obfuscation via tokenization and masking
- Retiring data
To allow for maximum student interaction, classes will be limited to 10 people. You can register here.
February 11, 2013
I’m looking forward to my speaking engagement at the Conference on Big Data Security this July in Boston. I’ll be talking about how to keep your Hadoop environment safe and secure. In particular, I’ll be discussing:
- The key diverse technologies contained within a typical Hadoop environment
- Current and trending security risks characteristic in Hadoop implementations
- Setting and attaining realistic goals
- Contrasting open-source vs. proprietary Hadoop security tools
- Protecting your Hadoop landscape through controlled access
- Inherent differences safeguarding data-at-rest vs. defending data while in motion
I hope you can join me there – it should be a very interesting conference.
September 30, 2018: Advanced SoapUI Training Agenda at SmartBear Connect 2018
I’m looking forward to presenting a series of eight advanced SoapUI API testing talks at the upcoming SmartBear Connect conference in Boston on October 29. Here’s what I’ll be covering:
- Determining if your API is behaving properly requires examining the contents of the responses it returns. This session will showcase some of SoapUI’s most powerful message evaluation assertions.
- Automating your API tests means avoiding hard-coded, rigid message response evaluations. This session will teach you how you can apply flexibility when examining what your APIs return.
- Using XPath expressions in your SoapUI assertions offers tremendous productivity enhancements versus writing Groovy code. This session will show you how to create powerful and flexible XPath expressions.
- Many applications incorporate multiple APIs. In this session, you’ll learn how to use the SoapUI data sources that enable feeding the output of one API to subsequent API calls.
- It’s important to use diverse data when testing your APIs. SoapUI includes robust data generation features, which we’ll explore in this session.
- Testing APIs means coping with ever-changing endpoints, security credentials, database connections, and so on. As you’ll learn in this session, SoapUI’s environments greatly simplify this vital responsibility.
- API testing responsibilities are often shared among multiple people. In this session, you’ll see how easy it is to utilize composite projects and Git to boost your teamwork.
- SmartBear continues to significantly improve SoapUI’s integration with the entire software development pipeline. This session will highlight just one example by demonstrating how to link your API testing efforts with Jenkins’ continuous integration/continuous delivery features.
August 31, 2017: SoapUI training & certification track at SmartBear Connect on September 12
If you’re going to be in the Boston area on September 12, and would like to learn how to deliver high-quality APIs by applying robust functional, performance, and security tests, be sure to check out the special training course that will take place during the SmartBear Connect user conference.
This all-day class – which is usually only available for private organizations – will be delivered by SmartBear’s Mike Giller using a significant subset of the training materials WiseClouds presents during private sessions. Mike will discuss:
- The ReadyAPI Platform
- Establishing Connectivity to your APIs
- Developing Functional Tests
- Validating API Responses with Assertions
- Data-Driven Testing & Programmatic Test Control
- Performance Testing & Virtualization
- Best Practices for ReadyAPI
Along with increasing your skill levels, attending this class will prepare you for the optional SoapUI certification exam. And to make things even more interesting, there will be additional tracks and events dedicated to the other major components in SmartBear’s far-reaching product portfolio.
You can learn more here.
November 10, 2016: Helpful article on journalist protection is relevant for us all
In the aftermath of this week’s US election, it’s worthwhile to – once again – revisit techniques to protect private information from those that have no business seeing it. Here’s a link to a very useful article from The Atlantic that might give you some ideas about how to safeguard your data. If you’re curious about other security and privacy topics that I’ve written about, here’s a shortcut to them.
October 30, 2016: Why the recent Internet of Things (IoT) attack is just the beginning
A few days ago we witnessed a new type of distributed denial of service (DDoS) incident. Unlike previous botnet attacks that enlisted compromised computers, this one corralled assorted unprotected devices like Internet-ready webcams, DVRs, and baby monitors to flood Domain Name System (DNS) servers, and thereby seriously degrade the Internet for hours. I’ll leave the explanation of the mechanics of this incident to more qualified commentators, but I do want to weigh in on why I think these types of events are very hard to combat and why I’m very skeptical about the hype around the Internet of Things (IoT).
We all (well, many of us) know how important it is to keep our computers and software patched and up-to-date; most people also get why firewalls are essential. But consider these facts about IoT devices:
- They’re being created for just about every industry. This diversity means that it’s much harder for the entire universe of vendors to agree on common security standards: defining safeguards for a heart pump is a little different than for a Web-ready washing machine. I’ve served on my share of standards committees: to say that they move slowly is an understatement!
- They have really short development cycles. IoT is shaping up to be a brutally competitive landscape. The winners will be those vendors that deliver solutions to market quickly. Designing and building strong security safeguards takes time, and time is money. The end result is that device protection takes a back seat to market pressures.
- There’s limited space for security software. Margins are very thin on hardware devices: security-focused onboard storage space adds costs that aren’t directly related to functionality.
- They frequently rely on APIs for communication. I’ve blogged about API security in the past. Suffice it to say that it’s a rare API that’s locked down properly.
- New models are always coming on the market. Here’s the really scary part: even if vendors do start getting their security act together, it will be years before today’s highly insecure devices get retired. Meanwhile, they’ll be standing by for their next set of DDoS orders.
March 30, 2016: Excellent article about FBI’s iPhone crack
Bruce Schneier has long been one of my favorite technology authors and bloggers. He manages to write about extremely complex topics in a very accessible way – a notably rare and highly admirable skill. His latest article explains why the secretive approach that the FBI is employing to unlock iPhones will eventually harm innocent users unless Apple is notified of the device’s vulnerability.
The problem with computer vulnerabilities is that they’re general. There’s no such thing as a vulnerability that affects only one device. If it affects one copy of an application, operating system or piece of hardware, then it affects all identical copies. A vulnerability in Windows 10, for example, affects all of us who use Windows 10. And it can be used by anyone who knows it, be they the FBI, a gang of cyber criminals, the intelligence agency of another country … anyone.
This is precisely why Apple needs to understand what’s happened. Otherwise, the next entity to break into iPhones may not be doing so in the legitimate and honorable interest of solving crime.
I read Bruce’s blog regularly, and recommend it to anyone interested in security and information protection.