Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership.
As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...| By Lori MacVittie | Article Rating: |
|
| October 23, 2015 06:00 AM EDT | Reads: |
314 |
Is the App Attack Surface in the Cloud Really Different Than On-Premises?
No.
Still here? Okay then, let me explain further. This whole thing started because I was reading the Internet the other day and happened upon a claim that stated: “the attack surface for cloud applications is dramatically different than for highly controlled data centers”.
And that made me frustrated because it isn’t true at all.
The attack surface for applications deployed in the cloud is the same as that of applications deployed on-premises. It doesn’t matter if we’re talking about SaaS or IaaS. An application’s attack surface is always the same.
An application may be attacked at the application layer, at the platform layer and sometimes* at the operating system layer.
The vast majority of threats against applications in the past 15 years have targeted protocols (HTTP, TCP, or SSL/TLS) that are the responsibility of the platform (app or web server) or at the application itself (SQLi, XSS, CSRF, etc…). Both of these layers of the application stack are the same irrespective of where that application might be deployed.

The attack surface for cloud applications remains the same. Let’s say you had an app, in the cloud, that was vulnerable to SQLi. Which shouldn’t be too much of a stretch cause there are a whole lot of apps that are today. Just saying.
Let’s say you decided to move that app on-premises. In that “highly controlled data center.”
Did the SQLi vulnerability go away?
Of course not. It’s still there and it’s still just as exploitable. We can reverse that process and guess what, the app is vulnerable (and exploitable) regardless of whether it’s “in the cloud” or “on-premises.”
If it was vulnerable to Heartbleed or Shellshock or Apache Killer on-premises, it’s still vulnerable in the cloud. And vice versa. The attack surface of an application does not change with its deployment location.
What changes when you move from on-premises to the cloud is what you are responsible for securing.
For example, the only thing you really have control over with SaaS (and are ultimately responsible for managing) is who is authorized access. That’s why ID federation is becoming such a big deal; it’s the best technological solution we have to providing the level of corporate governance over access to SaaS applications.
In IaaS, your responsibility goes deeper into the stack – down to the guest operating system. You may recall this statement from AWS head of global security programs Bill Murray:
“Customers are responsible for protecting everything from the guest operating system they run on AWS up through the applications they are running, ” he told El Reg. We are responsible for the host OS and the VM and everything down to the concrete of the data centre floor.”
Which means the OS, platform, and application layers of the application stack are your responsibility in IaaS. Interestingly enough, they’re also your responsibility in the data center. And those layers – those attack surfaces – don’t magically disappear when you put an app into the cloud.
That’s important to remember when you start evaluating what services you need in the cloud for apps you may be deploying “out there.” DDoS. WAF. Data leak prevention. Access control. These are all app security services that remain as critical in the cloud as they are in the data center, on-premises – because the attack surface of an application doesn’t change with its deployment location.
* I say sometimes because while the rate at which malware/trojans are deposited during volumetric attacks is increasing, the thing is that the deposits are generally happening via the application layer. They aren’t directly targeting the operating system layer.
Published October 23, 2015 Reads 314
Copyright © 2015 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Lori MacVittie
Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership.
As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...Oct. 24, 2015 02:30 PM EDT Reads: 221 |
By Pat Romanski Most everyone in Cloud IT circles has realized the power of containerization and that companies are adopting Docker containers at a remarkable rate. There are many good reasons for this, such as easily setting up dev/test scenarios (DevOps), and building out sophisticated, distributed computing clusters. But there are some deeper questions this talk will address from the Microsoft perspective. For example, what is the future of Windows in a containerized world? How will Windows and Linux work to...Oct. 24, 2015 02:00 PM EDT Reads: 212 |
By Elizabeth White SYS-CON Events announced today that Ericsson has been named “Silver Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
Ericsson strives to connect everyone, wherever they may be. Because by being connected, people can take part in the emerging global collaboration that is the Networked Society – a society in which every person and every industry is empowered to reach their full potential.Oct. 24, 2015 02:00 PM EDT Reads: 423 |
By Liz McMillan Cloud computing delivers on-demand IT resources that provide businesses flexibility. The challenge is the cost and complexity of cloud security compliance (PCI, HIPAA, FFIEC). Raxak Protect automated cloud security enables cloud apps to be deployed quickly and cost-effectively. Get the guide to decreasing your security costs up to 50% through automated cloud security. Oct. 24, 2015 02:00 PM EDT Reads: 211 |
By Jason Bloomberg Ever since the dawn of the Internet, people have struggled with how to get one computer to talk to another. Early business systems had no provision for such interactions. They were entirely closed— worlds unto themselves.
As enterprises set up early networks, the question of how to get applications to interact with each other became a pressing business concern, and led to the introduction of Remote Procedure Calls (RPCs). A client computer might directly interact with the program running on a...Oct. 24, 2015 02:00 PM EDT Reads: 243 |
By Elizabeth White After more than five years of DevOps, definitions are evolving, boundaries are expanding, ‘unicorns’ are no longer rare, enterprises are on board, and pundits are moving on. Can we now look at an evolution of DevOps? Should we? Is the foundation of DevOps ‘done’, or is there still too much left to do? What is mature, and what is still missing? What does the next 5 years of DevOps look like?
In this Power Panel at DevOps Summit, moderated by DevOps Summit Conference Chair Andi Mann, panelists w...Oct. 24, 2015 01:45 PM EDT Reads: 269 |
By Liz McMillan Automating AWS environments is important for all businesses as it simplifies creation and setup of cloud resources, facilitates otherwise complex processes, and streamlines management. The benefits of automation are clear: accelerate execution, reduce human error and unwanted consequences, and increase the enterprise’s ability to rapidly adapt, all while reducing the overall cost of IT operations.
In his session at 17th Cloud Expo, Patrick McClory, Director of Automation and DevOps at Datapipe...Oct. 24, 2015 01:15 PM EDT Reads: 251 |
By Liz McMillan Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds.
How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem"...Oct. 24, 2015 01:15 PM EDT Reads: 430 |
By Pat Romanski IT is often cast in a dichotomy where things are either viewed as traditional, stable, and safe or innovative, impermanent, and vulnerable. There have been multiple attempts to organize these classifications in a fashion that make IT budget and planning more predictable such as various agile methodologies, DevOps, and the bimodal model.
What qualifies as success depends on the customer and producer involved in a project. A survey conducted by Scott Ambler in 2013 suggests that being on schedule...Oct. 24, 2015 01:00 PM EDT Reads: 376 |
By Elizabeth White Most everyone in Cloud IT circles has realized the power of containerization and that companies are adopting Docker containers at a remarkable rate. There are many good reasons for this, such as easily setting up dev/test scenarios (DevOps), and building out sophisticated, distributed computing clusters. But there are some deeper questions this talk will address from the Microsoft perspective. For example, what is the future of Windows in a containerized world? How will Windows and Linux work to...Oct. 24, 2015 01:00 PM EDT Reads: 242 |
By Liz McMillan SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in high-performance, high-efficiency server, storage technology and green computing, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology is a premier provider of advanced server Building Block Solutions® for Data ...Oct. 24, 2015 12:30 PM EDT Reads: 617 |
By Carmen Gonzalez Oct. 24, 2015 12:30 PM EDT Reads: 260 |
By Pat Romanski Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible.
In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists will address the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make t...Oct. 24, 2015 12:00 PM EDT Reads: 360 |
By Elizabeth White SYS-CON Events announced today that Colovore, the Bay Area’s leading provider of scalable, high-density colocation solutions, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
With power densities of 20 kW per rack and a pay-by-the-kW pricing model, Colovore is Silicon Valley’s premier provider of flexible, high-density colocation solutions. Our 9 MW facility has the power and cooling your se...Oct. 24, 2015 12:00 PM EDT Reads: 267 |
By Carmen Gonzalez Docker is hot. However, as Docker container use spreads into more mature production pipelines, there can be issues about control of Docker images to ensure they are production-ready. Is a promotion-based model appropriate to control and track the flow of Docker images from development to production?
In his session at DevOps Summit, Fred Simon, Co-founder and Chief Architect of JFrog, will demonstrate how to implement a promotion model for Docker images using a binary repository, and then show h...Oct. 24, 2015 11:00 AM EDT Reads: 270 |
By Yeshim Deniz Overgrown applications have given way to modular applications, driven by the need to break larger problems into smaller problems. Similarly large monolithic development processes have been forced to be broken into smaller agile development cycles. Looking at trends in software development, microservices architectures meet the same demands.
Additional benefits of microservices architectures are compartmentalization and a limited impact of service failure versus a complete software malfunction....Oct. 24, 2015 10:00 AM EDT Reads: 588 |
By Hovhannes Avoyan Node.js has been in the industry a long time and yet the conversations about it never seem to slow down. So what’s all the fuss about? What makes Node.js different from other programming languages and environments out there?
Take a look at the infographic below and discover what!
BTW: You should know that Monitis has Node.js monitoring in its suite of application monitoring services. So if you’re building innovative mobile and web applications in the Node.js platform, you’ll certainly appr...Oct. 24, 2015 10:00 AM EDT Reads: 329 |
By Carmen Gonzalez In their session at DevOps Summit, Asaf Yigal, co-founder and the VP of Product at Logz.io, and Tomer Levy, co-founder and CEO of Logz.io, will explore the entire process that they have undergone – through research, benchmarking, implementation, optimization, and customer success – in developing a processing engine that can handle petabytes of data.
They will also discuss the requirements of such an engine in terms of scalability, resilience, security, and availability along with how the archi...Oct. 24, 2015 08:00 AM EDT Reads: 267 |
By AppDynamics Blog This article series has covered a lot of ground: it presented an overview of application performance management (APM), it identified the challenges in implementing an APM strategy, it proposed a top-5 list of important metrics to measure to assess the health of an enterprise PHP application, and it presented AppDynamics’ approach to building an APM solution. In this final installment this article provides some tips-and-tricks to help you implement an optimal APM strategy. Specifically, this arti...Oct. 24, 2015 08:00 AM EDT Reads: 417 |
By PagerDuty Blog No one should need to be convinced the value of good data. It gives you the confidence to make decisions quickly and with less risk, it allows you to measure your success, and it lets you know when you need to adjust your course. But there’s a difference between knowing the value of data, and creating a culture around it. A data-driven culture is a culture where everyone quantifies their actions as much as possible, and asks themselves how their teams are having a tangible impact on the business...Oct. 24, 2015 06:00 AM EDT Reads: 214 |

Most everyone in Cloud IT circles has realized the power of containerization and that companies are adopting Docker containers at a remarkable rate. There are many good reasons for this, such as easily setting up dev/test scenarios (DevOps), and building out sophisticated, distributed computing clusters. But there are some deeper questions this talk will address from the Microsoft perspective. For example, what is the future of Windows in a containerized world? How will Windows and Linux work to...
SYS-CON Events announced today that Ericsson has been named “Silver Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
Ericsson strives to connect everyone, wherever they may be. Because by being connected, people can take part in the emerging global collaboration that is the Networked Society – a society in which every person and every industry is empowered to reach their full potential.
Cloud computing delivers on-demand IT resources that provide businesses flexibility. The challenge is the cost and complexity of cloud security compliance (PCI, HIPAA, FFIEC). Raxak Protect automated cloud security enables cloud apps to be deployed quickly and cost-effectively. Get the guide to decreasing your security costs up to 50% through automated cloud security.
Ever since the dawn of the Internet, people have struggled with how to get one computer to talk to another. Early business systems had no provision for such interactions. They were entirely closed— worlds unto themselves.
As enterprises set up early networks, the question of how to get applications to interact with each other became a pressing business concern, and led to the introduction of Remote Procedure Calls (RPCs). A client computer might directly interact with the program running on a...
After more than five years of DevOps, definitions are evolving, boundaries are expanding, ‘unicorns’ are no longer rare, enterprises are on board, and pundits are moving on. Can we now look at an evolution of DevOps? Should we? Is the foundation of DevOps ‘done’, or is there still too much left to do? What is mature, and what is still missing? What does the next 5 years of DevOps look like?
In this Power Panel at DevOps Summit, moderated by DevOps Summit Conference Chair Andi Mann, panelists w...
Automating AWS environments is important for all businesses as it simplifies creation and setup of cloud resources, facilitates otherwise complex processes, and streamlines management. The benefits of automation are clear: accelerate execution, reduce human error and unwanted consequences, and increase the enterprise’s ability to rapidly adapt, all while reducing the overall cost of IT operations.
In his session at 17th Cloud Expo, Patrick McClory, Director of Automation and DevOps at Datapipe...
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds.
How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem"...
IT is often cast in a dichotomy where things are either viewed as traditional, stable, and safe or innovative, impermanent, and vulnerable. There have been multiple attempts to organize these classifications in a fashion that make IT budget and planning more predictable such as various agile methodologies, DevOps, and the bimodal model.
What qualifies as success depends on the customer and producer involved in a project. A survey conducted by Scott Ambler in 2013 suggests that being on schedule...
Most everyone in Cloud IT circles has realized the power of containerization and that companies are adopting Docker containers at a remarkable rate. There are many good reasons for this, such as easily setting up dev/test scenarios (DevOps), and building out sophisticated, distributed computing clusters. But there are some deeper questions this talk will address from the Microsoft perspective. For example, what is the future of Windows in a containerized world? How will Windows and Linux work to...
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in high-performance, high-efficiency server, storage technology and green computing, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology is a premier provider of advanced server Building Block Solutions® for Data ...
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible.
In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists will address the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make t...
SYS-CON Events announced today that Colovore, the Bay Area’s leading provider of scalable, high-density colocation solutions, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
With power densities of 20 kW per rack and a pay-by-the-kW pricing model, Colovore is Silicon Valley’s premier provider of flexible, high-density colocation solutions. Our 9 MW facility has the power and cooling your se...
Docker is hot. However, as Docker container use spreads into more mature production pipelines, there can be issues about control of Docker images to ensure they are production-ready. Is a promotion-based model appropriate to control and track the flow of Docker images from development to production?
In his session at DevOps Summit, Fred Simon, Co-founder and Chief Architect of JFrog, will demonstrate how to implement a promotion model for Docker images using a binary repository, and then show h...
Overgrown applications have given way to modular applications, driven by the need to break larger problems into smaller problems. Similarly large monolithic development processes have been forced to be broken into smaller agile development cycles. Looking at trends in software development, microservices architectures meet the same demands.
Additional benefits of microservices architectures are compartmentalization and a limited impact of service failure versus a complete software malfunction....
Node.js has been in the industry a long time and yet the conversations about it never seem to slow down. So what’s all the fuss about? What makes Node.js different from other programming languages and environments out there?
Take a look at the infographic below and discover what!
BTW: You should know that Monitis has Node.js monitoring in its suite of application monitoring services. So if you’re building innovative mobile and web applications in the Node.js platform, you’ll certainly appr...
In their session at DevOps Summit, Asaf Yigal, co-founder and the VP of Product at Logz.io, and Tomer Levy, co-founder and CEO of Logz.io, will explore the entire process that they have undergone – through research, benchmarking, implementation, optimization, and customer success – in developing a processing engine that can handle petabytes of data.
They will also discuss the requirements of such an engine in terms of scalability, resilience, security, and availability along with how the archi...
This article series has covered a lot of ground: it presented an overview of application performance management (APM), it identified the challenges in implementing an APM strategy, it proposed a top-5 list of important metrics to measure to assess the health of an enterprise PHP application, and it presented AppDynamics’ approach to building an APM solution. In this final installment this article provides some tips-and-tricks to help you implement an optimal APM strategy. Specifically, this arti...
No one should need to be convinced the value of good data. It gives you the confidence to make decisions quickly and with less risk, it allows you to measure your success, and it lets you know when you need to adjust your course. But there’s a difference between knowing the value of data, and creating a culture around it. A data-driven culture is a culture where everyone quantifies their actions as much as possible, and asks themselves how their teams are having a tangible impact on the business...
DevOps has traditionally played important roles in development and IT operations, but the practice is quickly becoming core to other business functions such as customer success, business intelligence, and marketing analytics.
Modern marketers today are driven by data and rely on many different analytics tools. They need DevOps engineers in general and server log data specifically to do their jobs well. Here’s why: Server log files contain the only data that is completely full and accurate in the context of how search engines such as Google are crawling websites.
If a search engine spider enc...
Test-Driven Development is a great tool for functional testing, but can you apply the same technique to performance testing? Why not? The purpose of TDD is to build out small unit tests, or scenarios, under which you control your initial coding. Your tests will fail the first time you run them because you haven’t actually developed any code. But once you do start coding, you’ll end up with just enough code to pass the test. There’s no reason the same philosophy can’t be applied to performance testing.
At some point you’ve probably heard the term “test early and often.” If you are in an Agile organization, that term perfectly captures the philosophy of iterative development and the commitment to rooting out defects sooner rather than later. It's nice - maybe even ironic - that a phrase which had such unscrupulous origins is now a hallmark characteristic of a process that exemplifies teamwork and quality. It's in that modern spirit that we wanted to share these 10 strategies to help you test early - and test often.
Agile software development and agile marketing have followed similar, but unique paths. Buggy software, product delays and death marches were the norm in the 90s. A groundswell formed around the idea of taking the agile principles that had been so successful in manufacturing and applying them to software.
Containers are a hot topic these days. I have run a few workshops with clients, and one of the questions I get asked most frequently is “what are companies using containers for?”
After answering this question a number of times, I thought I would share some common use cases with my readers.
Check out my latest post at the Virtualization Practice where I highlight 3 common use cases.
As with most modernized economies, the United States economy utilizes capitalist principles. It is only fitting that we invented a technological solution that will help companies engage in c-api-talism using APIs in a more efficient manner.
If we look back into the history of mankind, we progressed towards more civilized, mature, monetary-based economies on a steady basis. The progression from the Stone Age, to the Bronze Age, to the Iron Age, to the Industrial Age and to the current Digital Age all made strides towards the current digital economy.
When organizations make the choice to put a digital platform in place, a discussion on MicroServices is never far behind. By putting a MicroServices layer in place, an organization creates the springboard to launch into the digital future, whether that involves apps, rich Web clients, or IoT devices such as in-store beacons.
Look at production incident numbers, most organizations have sufficient data on that and sufficient problems to solve. It ends up being really compelling. Once you show the numbers, generally management just says do it, if that solves the problem just do it. Though you might have to prove that the approach you’re proposing, in other words putting the environments under better control and getting better control on the application releases. You can do that through proof of concept, but I would say that the hard dollar costs are generally there in almost every organization, and that if you’re not...
Your Node.js application may be utilizing a backend database, a caching layer, or possibly even a queue server as it offloads CPU intensive tasks onto worker servers to process in the background. Whatever the backend your Node.js application interfaces with, the latency to these backend services can potentially affect the performance of your Node.js application performance, even if you’re interfacing with them asynchronously. The various types of exit calls may include:
To let other TypeScript libraries use your library, you need to create a .d.ts file to declare all your public APIs of your library with the typing information. The enforce to clearly list all your public APIs for each libraries you are developing. We found it serves as a quick and accurate reference for all your APIs.
Refer to https://github.com/borisyankov/DefinitelyTyped for TypeScript definition files created for large amounts of JavaScript libraries.

























