October 30, 2016: Why the recent Internet of Things (IoT) attack is just the beginning
A few days ago we witnessed a new type of distributed denial of service (DDoS) incident. Unlike previous botnet attacks that enlisted compromised computers, this one corralled assorted unprotected devices like Internet-ready webcams, DVRs, and baby monitors to flood Domain Name System (DNS) servers, and thereby seriously degrade the Internet for hours. I’ll leave the explanation of the mechanics of this incident to more qualified commentators, but I do want to weigh in on why I think these types of events are very hard to combat and why I’m very skeptical about the hype around the Internet of Things (IoT).
We all (well, many of us) know how important it is to keep our computers and software patched and up-to-date; most people also get why firewalls are essential. But consider these facts about IoT devices:
- They’re being created for just about every industry. This diversity means that it’s much harder for the entire universe of vendors to agree on common security standards: defining safeguards for a heart pump is a little different from defining them for a Web-ready washing machine. I’ve served on my share of standards committees: to say that they move slowly is an understatement!
- They have really short development cycles. IoT is shaping up to be a brutally competitive landscape. The winners will be those vendors that deliver solutions to market quickly. Designing and building strong security safeguards takes time, and time is money. The end result is that device protection takes a back seat to market pressures.
- There’s limited space for security software. Margins are very thin on hardware devices: security-focused onboard storage space adds costs that aren’t directly related to functionality.
- They frequently rely on APIs for communication. I’ve blogged about API security in the past. Suffice it to say that it’s a rare API that’s locked down properly.
- New models are always coming on the market. Here’s the really scary part: even if vendors do start getting their security act together, it will be years before today’s highly insecure devices get retired. Meanwhile, they’ll be standing by for their next set of DDoS orders.
September 30, 2016: Nice article about serverless architectures
As cloud computing – and the infrastructure that underpins it – continues to advance, we’re seeing some very interesting new software development design patterns gaining traction. I’ve been working with Service Oriented Architecture (SOA) for years, and it’s been fascinating to watch it evolving into new approaches such as microservices and now serverless architectures. Unsurprisingly, leading cloud computing vendors like Amazon Web Services (AWS) are getting on board the train, with AWS Lambda an example of where things are heading.
If you’re curious about what serverless architecture is all about, Mike Roberts has written a comprehensive article on Martin Fowler’s website. I encourage you to check it out, because you’ll be hearing more about serverless architectures in the very near future.
August 6, 2016: Free Agile API development eBook available
The process of designing, developing, testing, and deploying software – including mission-critical APIs – is very different today than it was even just a few years ago. This transformation has been driven by advances in DevOps, Agile methodologies, and Continuous Integration/Continuous Delivery.
Simply making sense of all these new techniques can be a bit intimidating, so I’m glad that my colleague Chris Riley has authored a very useful guide that explains how all of these moving parts fit together. You can download a copy for yourself here.
August 3, 2016: Overcoming a Technical Sales Ambush Best Practice #2: Request a List of Questions in Advance
Continuing this series on technical sales and sales engineering, a technical sales ambush is a situation where a prospect calls a technically-oriented meeting with the hidden (and bad-faith) purpose of introducing impossible or unreasonable requirements that end up throwing a monkey wrench into the entire sale. Naturally, legitimate technical questions are part of every sales cycle, but an ambush is deliberately meant to derail the sale while making it look like it’s the vendor’s fault. Any new product or service can be disruptive and threatening, so you should be on the lookout for it.
While ambushes can’t be totally avoided, they can be managed through proper preparation. For example, you should avoid open-ended “discovery” meetings at all costs. Instead, all interactions should be structured: by simply requesting a list of questions – well in advance of the meeting – you have an excellent chance of thwarting surprises. In fact, scheduling the meeting should be gated on receiving the list of questions, and you should also keep the decision makers in the loop.
Once you have the list, prepare to put your answers in writing, and distribute them to all prospect constituencies (including line-of-business leaders) in advance of the meeting. During the session, you can discuss the answers, provide demonstrations, and so on. This is much more effective than an open-ended “fishing expedition”. And if unplanned questions arise, you can either address them on the spot (and append the written list), or use the time-tested “I’ll get back to you on this” response, and simply come back with your answers once you’ve done your research.
Either way, this strategy gives you much more control over the interaction with the prospect, and can help you win the opportunity.
July 25, 2016: Announcing Swagger training & certification
Whether they’re employed internally, externally, or both, APIs are vital assets that connect systems, streamline workflows, and make every type of integration possible. In fact, beyond strengthening operational efficiency and enabling cross-system communication, APIs now serve as competitive differentiators for many organizations. It’s no exaggeration to point out that renowned technology-driven businesses such as Uber, AirBnB, or eBay live and die on the quality and performance of their APIs, and this intense reliance is spreading across every industry.
Swagger – and its ecosystem of standards and products – is in the process of transforming the ways that APIs are designed, developed, tested, and supported. I’m happy to announce that my colleague Chris Riley has created an outstanding one-day training and certification program to help enterprises get the most out of Swagger.
Chris is a world-class expert on DevOps, Continuous Integration, and everything else related to how modern APIs are being created, and this deep knowledge comes across in his courseware. He also happens to be a great trainer who is committed to helping his students gain the proficiency they need.
Organizations can send individuals to public Webinars, schedule a private Webinar, or even have an instructor deliver the class onsite. To learn more, visit SmartBear’s registration page.
July 18, 2016: Presenting a Webinar on Delivering Data Security with Hadoop and the IoT
On August 9, I’ll be teaming with Reiner Kappenberger from Hewlett Packard Enterprise to explore some of the most pressing security implications of Hadoop and the Internet of Things (IoT). Hosted by the IT GRC Forum, here’s what we’ll be covering:
The Internet of Things (IoT) is here to stay, and Gartner predicts there will be over 26 billion connected devices by 2020. This is driving an explosion of data which offers tremendous opportunity for organizations to gain business value, and Hadoop has emerged as the key component to make sense of the data and realize the maximum value. On the flip side, the surge of new devices has increased the potential for hackers to wreak havoc, and Hadoop has been described as the biggest cybercrime bait ever created.
Data security is a fundamental enabler of the IoT, and if it is not prioritized the business opportunity will be undermined, so protecting company data is more urgent than ever before. The risks are huge and Hadoop comes with few safeguards, leaving it to organizations to add an enterprise security layer. Securing multiple points of vulnerability is a major challenge, although when armed with good information and a few best practices, enterprise security leaders can ensure attackers will glean nothing from their attempts to breach Hadoop. In this webinar we will discuss some steps to identify what needs protecting and apply the right techniques to protect it before you put Hadoop into production.
If you’d like to join us, register here.
July 1, 2016: Helpful REST API 101 guide available online
For software developers and architects tasked with creating programmatic interfaces to their applications, there’s been a longstanding debate between utilizing the structure and standards of SOAP-based Web services versus offering the freedom and flexibility of REST APIs.
In the midst of all these deliberations, I’ve observed a great deal of confusion about what, exactly, defines a REST API. SmartBear has come up with a helpful resource that provides a nice overview of the origins, attributes, and goals of REST APIs. You can view the guide here.
If you’re interested in learning more about REST API design, development, and testing, check out my other postings on the subject.