Category Archives for "Network World Tech Primers"

The unintended consequences of a RASP-focused application security strategy

Runtime application self-protection (RASP) is a promising solution for strengthening the security posture of an application while supporting faster development, but RASP can introduce serious unintended risks, particularly if developers are not producing quality code from the start.

RASP is a technology approach being evangelized by Joseph Feiman, a research vice president and fellow at Gartner. Last fall, in a report entitled “Stop Protecting Your Apps: It’s Time for Apps to Protect Themselves,” Feiman noted that application self-protection must be a CISO’s top priority because “modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection.”

To read this article in full or to leave a comment, please click here

How to get security right when embracing rapid software development

Accelerated software development brings with it particular advantages and disadvantages. On one hand, it increases the speed to market and allows for fast, frequent code releases, which trump slow, carefully planned ones that unleash a torrent of features at once. Continuous release cycles also allow teams to fine-tune software. With continuous updates, customers don’t have to wait for big releases that could take weeks or months.

Embracing failure without blame is also a key tenet of rapid acceleration. Teams grow faster this way, and management should embrace this culture change. Those who contribute to accidents can give detailed accounts of what happened without fear of repercussion, providing valuable learning opportunities for all involved.

You built a cloud and now they want containers, too?

You built a private cloud at great expense and, despite the initial cost, real savings are being made. And even though you thought the cloud was just what your development teams wanted, they are now clamouring for containers. Why?

In common with most enterprise companies, you probably justified the investment in your cloud from an Infrastructure perspective with an emphasis on increasing utilization of physical hardware. The average utilization before virtualization was often below 10%, and virtualization as an enabler of workload consolidation has been a critical tool in ensuring that money spent on hardware is not wasted.

But – and it is a big but – typical enterprise private clouds offer little beyond cost savings and accelerated (virtual) machine delivery to the development teams who consume them. These are certainly valuable, but are rather short of the full promise of cloud.

Savings that telecom expense management providers miss

If you use a Telecom Expense Management (TEM) provider to audit your telecommunications invoices, you may be in for a surprise. TEM providers claim to catch all supplier billing errors and overcharges. They don’t. In fact, often what they miss is bigger than what they find.

We’ve spent much of the past decade coming in behind the TEMs, finding the overcharges they’ve missed, and turning them into client refunds. We have found something in every post-TEM audit we’ve completed. After creating our master issues list, we were struck by the diverse nature of the errors the three of us have uncovered at one time or another. Here are some of our favorites:

Sharpening cyber defenses with an “attacker’s eye view”

To understand risk exposure, security pros gather and digest intelligence feeds about vulnerabilities, indications of compromise (IOCs) and other machine-readable data all the time. But real-time insight into what adversaries are seeing in underground forums, the dark web, social media and other sharing sites is hard to come by. Yet it is precisely this attacker’s eye view you need to gain a clear picture of your risk profile, to prioritize which threats are likely – even imminent – versus others.

With 411 breaches so far this year exposing 17,678,050 records, according to the Identity Theft Resource Center report, there is a growing need to use this insight to better inform and tune defenses. However, it takes more than downloading the TOR browser bundle or devising a good underground cover identity to access these sources and gather actionable intelligence. What can you do to avoid wasting time, keep your employers out of trouble with the law and make a difference in anticipating risk? It starts with understanding the intelligence gap that exists between you and your adversaries.

Securing the enterprise digital footprint

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

In late 2007, AOL security researcher William Salusky and his team discovered one of the first reported instances of malvertising -- a digital ad running on aol.com had been configured to serve up malware to unsuspecting visitors. This turned out to be the beginning of a new era where attackers use a company’s digital footprint (web infrastructures and mobile apps) to distribute malware and commit fraud.

For security teams, protecting the digital footprint, which resides outside the firewall, poses three distinct challenges. Namely, securing assets you know about, securing assets you don’t know about (like those created by someone within the organization or by an authorized third-party), and identifying rogue assets that are impersonating the organization’s brand or sub-brands.

At what point do white hat hackers cross the ethical line?

In recent months the news of Chris Roberts' alleged hacking of an in-flight entertainment system, and possibly other parts of a Boeing 737, has sparked a wave of controversy. Public opinion was originally on Roberts' side, but the recent publication of the FBI affidavit changed that drastically. According to the affidavit, Roberts admitted to doing a live "pen-test" of a plane network in mid-air.

Whether this is true or not, it raises some valid concerns over the ethical implications of white hat hacking. In the case of Roberts, who, according to the affidavit, was able to steer the airplane off the intended course, the consequences could have been dire. It is not believed that Roberts had any intention of hurting either himself or any of the passengers, but if the affidavit is in fact true, the possibility was real.

The six pillars of Next Generation Endpoint Protection

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Advancements in attack evasion techniques are making new threats extremely difficult to detect. The recent Duqu 2.0 malware, which was used to hack the Iranian nuclear pact discussions, Kaspersky Lab, and an ICS/SCADA hardware vendor, is a prime example. To keep up, a new security model that uses a different approach to the traditional “evidence of compromise” process is needed.

The 2020 WAN takes shape – SDN, virtualization, and hybrid WANs

The gold standard for corporate networks today is MPLS, but carrier pricing issues and MPLS’s failure to play well with new, cost-efficient forms of network access are causing problems for the legion of enterprise customers that rely on it.

Consider:

  • TDM dedicated access (T-1 and DS3) is expensive; Ethernet access isn’t universally available and, though economical on an ongoing basis, can cost a bundle (and take months) to install because only about half of the major commercial buildings in the US are served by fiber.
  • It takes a lot of CPE and management to integrate MPLS with broadband public Internet access, which is widely available and fast, but doesn’t come with robust SLAs (other than site availability).
  • MPLS itself may not require a lot of management, but the CPE that accompanies it does.
  • The explosion of collaboration tools like Skype for Business and cloud-based apps is straining capacity and management. The desire to leverage today’s robust software/cloud applications is driving a need for more sophisticated routing schemes and greater control over how WAN traffic is handled.

It’s not clear how fast MPLS will go the way of Frame Relay and ATM, but changing apps and bandwidth needs, coupled with …

Network infrastructure cost optimization services can save millions

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

If network infrastructure is not your organization’s core competency or you have outsourced the environment, you lack control of equipment and transport services and probably struggle with complex pricing and non-standard billing. Worse yet, if your service provider owns either all or components of the processes, procedures, staffing and tools, it limits the changes you can make.

If that describes your environment, a network infrastructure cost optimization consultation can help you drive infrastructure costs down, capture the network environment processes, identify systemic issues and leverage best practices.

How to embrace open source tools in the enterprise

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

The model of the future is based on social, mobile, cloud and big data, and IT is realizing that to succeed it must have the right processes, tools and culture. This is where open source is a major benefit.

Once you’ve decided to make open source a key feature of your enterprise IT infrastructure, here are steps you should take:

* Identify critical dependencies: It’s important to determine which components of an open source deployment represent critical dependencies. These are the ones you need to be fully certain about in terms of community size, robustness, feature suggestions and more. When it comes to components that represent dependencies, it’s important to ensure you don’t get locked into something that isn’t the perfect fit.

OpenStack is redefining the business model for data solutions

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

IT is headed toward being something more akin to a utility service, transformed by OpenStack’s open standardized cloud architecture, which will improve interoperability and render vendor lock-in a thing of the past.

Initially a solution adopted by smaller ISVs lacking the capital to build private clouds, OpenStack-based cloud solutions are shaping up to be the logical choice for large enterprise as industry leaders, including IBM, Cisco, EMC, HP and Oracle, bet on its value for defining the next-generation model for business computing.

Three critical considerations when optimizing infrastructure for application performance

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Overprovisioning has been the go-to approach for ensuring infrastructure and application performance. But when performance degradations and unplanned outages occur, even the most experienced teams move into “react-and-guess” mode.

Where to start? Every level of the infrastructure stack comes with its own possible issues, and tracking the culprit down takes time. And with IT infrastructures growing at an exponential pace and workloads moving to the cloud, the typical approach of overprovisioning and reacting-and-guessing is no longer a viable option.

Web Real Time Communication (WebRTC) applications emerge as the tech stabilizes

Perhaps the single most significant standards-based technological advancement in the field of unified communications over the past year has been the completion of the Web Real Time Communication (WebRTC) standard and the appearance of several WebRTC-based implementations.

WebRTC 1.0 APIs are defined by the World Wide Web Consortium (W3C) and the IETF (Internet Engineering Task Force) RTCWeb Working Group, and they make it possible for Web browsers to support voice calling, video chat, and peer-to-peer connections.

There has been considerable stabilization of the WebRTC browser implementation over the past year or so, enabling much more robust WebRTC apps to be developed. On the other hand, there still remains considerable and substantial work to be done on the IETF protocols for WebRTC.

Replace your NAS with cloud storage: the 8 key requirements

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

The economics, scale, and manageability of cloud storage simply cannot be matched even by the largest enterprise datacenters.

Hyperscale cloud storage providers like AWS, Google and Azure dropped prices by up to 65% last year and promised a Moore’s Law pricing model going forward. AWS provides eleven 9’s of durability, meaning if you store 10,000 objects with Amazon S3, you can, on average, expect to incur a loss of a single object once every 10,000,000 years. Further, Amazon S3 is designed to sustain the concurrent loss of data in two facilities by storing objects on multiple devices across multiple facilities.

Let users choose enterprise cloud applications

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Asked whether he was considering a cloud application for his company, a CIO of a mid-size organization said the downside risk of ripping and replacing the company’s existing on-premises application outweighed the productivity gains the cloud application might bring. Part of that risk, he felt, was his job security.

That sentiment is common. IT professionals, after all, are responsible for keeping the organization’s applications running and ensuring the security of sensitive data. When they do decide to make a software change, IT leaders traditionally consider criteria such as:

IoT analytics brings new levels of innovation to new product development

Studies show that around 40% of products fail. But what if product designers could understand what features are most and least popular, which components tend to fail sooner than others, and how customers actually use products versus how designers think they use them? And, what if product developers could then utilize these insights to develop products that perform better, potentially cost less and, most importantly, are aligned with actual customer needs?

Innovative product development teams in pretty much every industry are beginning to look at ways to translate enormous streams of real time machine data into actionable information to improve the product development process by understanding where product innovation is necessary, which features are most desirable, and how to lower their overall cost of ownership.

How to prepare for and respond to a cyber attack

Cybercriminals are constantly looking for new ways to bypass security measures. In a survey conducted by the SANS Institute on behalf of Guidance Software, 56% of respondents assumed they have been breached or will be soon, compared with 47% last year.

Assistant United States Attorney and Cybercrime Coordinator with the U.S. Attorney’s Office in the District of Delaware Ed McAndrew, and Guidance Software Director of Security Anthony Di Bello, have compiled best practices for preparing and responding to a cyber attack and working with law enforcement:

* Have an incident response plan – Creating established and actionable plans and procedures for managing and responding to a cyber intrusion can help organizations limit the damage to their computer networks and minimize work stoppage. It also helps law enforcement locate and apprehend the perpetrators.

Virtual Mobile Infrastructure: Secure the data and apps, in lieu of the device

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Corporate use of smartphones and tablets, both enterprise- and employee-owned (BYOD), has introduced significant risk and legal challenges for many organizations.

Other mobile security solutions such as MDM (mobile device management) and MAM (mobile app management) have attempted to address this problem by either locking down or creating “workspaces” on users’ personal devices. For BYOD, this approach has failed to adequately secure enterprise data, and created liability issues in terms of ownership of the device – since it is now BOTH a personal and enterprise (corporate)-owned device.