
Max Hemingway

~ Musings as I work through life, career and everything.

Category Archives: Security

Build 2016 Resources

07 Thursday Apr 2016

Posted by Max Hemingway in Development, IoT, Programming, Raspberry Pi, Security, Tools, Windows

Tags: Architecture, Coding, Development, DevOps, Innovation, IoT, Knowledge, Open Source, OpsDev, Productivity, Programming

Following the latest Build 2016 conference, Microsoft have released a number of new resources and videos on Channel 9, providing 49 pages of videos and presentations.

Lots of learning available.


Are you rethinking your Java Plugins?

29 Friday Jan 2016

Posted by Max Hemingway in DevOps/OpsDev, Programming, Security

Tags: Coding, Programming, Security

Oracle have recently announced via a blog post that they are going to deprecate the Java browser plug-in in JDK 9 and remove it from future releases.

By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies.

With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology.

Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release.

Early Access releases of JDK 9 are available for download and testing at http://jdk9.java.net. More background and information about different migration options can be found in this short whitepaper from Oracle.

Source: https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free

Most browsers are already removing plugin support or don’t support extensions any more. See the links below:

  • Firefox
  • Edge
  • Chrome

Oracle are addressing this through their Java Web Start, which downloads the relevant files to your computer if they are not present and then caches them for later use.

Java Web Start is an application-deployment technology that gives you the power to launch full-featured applications with a single click from your Web browser. You can now download and launch applications, such as a complete spreadsheet program or an Internet chat client, without going through complicated installation procedures.

Java Web Start includes the security features of the Java platform, so the integrity of your data and files is never compromised. In addition, Java Web Start technology enables you to use the latest Java SE technology with any browser.

With Java Web Start, you launch applications simply by clicking on a Web page link. If the application is not present on your computer, Java Web Start automatically downloads all necessary files. It then caches the files on your computer so the application is always ready to be relaunched anytime you want—either from an icon on your desktop or from the browser link. And no matter which method you use to launch the application, the most current version of the application is always presented to you.

Source: http://docs.oracle.com/javase/8/docs/technotes/guides/javaws/

However, this may not be plain sailing, as pointed out in this blog post from Openmicroscopy:

What does it mean for desktop developers/administrators?

To deploy Java Web Start, one first needs to get familiar with Deployment Rule Sets. Administrators can then create a list of known-safe applications and manage compatibility between different versions of Java on the system. Each browser will have their own set of dialogs and control mechanisms.

It is getting harder and harder to distribute Java Web Start applications for developers and/or administrators.

Source: http://blog.openmicroscopy.org/tech-issues/future-plans/2015/09/23/java-web-start/

Other useful reads:

NPAPI Plugin Perspectives and the Oracle JRE

 


P4ssw0rd5! – Is yours really secure?

20 Wednesday Jan 2016

Posted by Max Hemingway in Security

Tags: Security

Like them or hate them, passwords are a regular occurrence in our everyday lives. We use them on an almost daily basis and have so many of them, one for each of the systems/web services we use.

How many people have the same password across two or more of these systems/web services?

SplashData have released their annual password list of the worst passwords in use today (or as at the time of the survey) and this is already generating a lot of discussions about the list and how to set passwords.

Source: http://splashdata.com/blog/

The list of passwords can be found at:  http://www.bbc.co.uk/newsbeat/article/35351265/star-wars-is-now-one-of-the-most-popular-passwords

123456 and password have held the top two positions for the past couple of years. Starwars has made the list as a new entry.

Part of the problem is that the systems registering and requesting passwords are not configured to allow long, complex passwords, and accept simple passwords without checking them against an exceptions list. However, there are good systems that do.

Next time you set a password, there are a number of simple things to think about:

  • Complexity
  • Not easily guessed through social mining
  • Changed regularly

A good analysis of how to set a password comes from the xkcd comics:

(xkcd 936: Password Strength)

Source: https://xkcd.com/936/

Time to reset your passwords if yours is on the list, and set a good habit of changing it at least every 30 days. Establish a strong password policy of uppercase alpha, lowercase alpha, numeric and special characters, and prefer a long password over a short one.

 

 


8 Free “For Dummies” books you should read in 2016

12 Tuesday Jan 2016

Posted by Max Hemingway in Architecture, Cloud, Development, DevOps/OpsDev, Enterprise Architecture, Innovation, Programming, Security

Tags: Architecture, Development, DevOps, Knowledge, OpsDev, Productivity, Programming, Security, Tools

There have been a lot of free, smaller versions of the “For Dummies” books published recently. These are normally sponsored by a company to help promote a way of thinking, product, etc.; however, they do contain useful overviews and information on the subject they present.

Here are my top 8 of these which should be on your reading list for the start of 2016. All are downloadable in PDF format*.

Agile for Dummies

API for Dummies

DevOps for Dummies

Micro-segmentation for Dummies

Next Generation Endpoint Security for Dummies

Software Defined Data Centres for Dummies

Software Defined Networking for Dummies

Software Defined Storage for Dummies

*You may need to sign up to receive some of these books.


An A-Z Guide to being an Architect

07 Thursday Jan 2016

Posted by Max Hemingway in Architecture, Big Data, Cloud, Development, DevOps/OpsDev, Enterprise Architecture, Governance, Innovation, IoT, Open Source, Productivity, Programming, Security, Social Media, Tools

Tags: Architecture, Cloud, CPD, Data, Development, DevOps, Innovation, IoT, Knowledge, learning, Open Source, OpsDev, Productivity, Programming, Social Media

Back in 2008 Microsoft published An A-Z Guide to Being an Architect in their Architecture Journals.

Here is my take on an updated A to Z Guide to being an Architect. A couple of these may be similar.

A – Architect

Having the right level of skills as an Architect, or engaging an Architect with the right level of skills, will depend on the work needing to be undertaken. There are several types of Architect, with some specialising in certain areas and others being multi-domain skilled. The list below covers some of the different types of Architect; this is not an exhaustive list:

  • Enterprise Architect
  • Information Architect
  • Solutions Architect
  • Software Architect
  • Systems Architect

B – Blueprints

Following Blueprints and Patterns, either published by vendors (such as the Microsoft Blueprints) or developed internally around your products and services, will ensure repeatability and cost control around the design process.

Some examples showing different pattern types can be found at Architecture Patterns.

C – Contextual Web Era

The up and coming 4th Platform area is the Contextual Web Era:

  • 1st Platform – Mainframe Era
  • 2nd Platform – Client Server Era
  • 3rd Platform – Cloud Era
  • 4th Platform – Contextual Web Era

This is an up and coming era with lots of new innovation and developments. Keeping up with these developments is key for any architect in order to understand designs and solutions, the art of the possible now and in the future, and innovation, and to develop roadmaps for solutions.

D – DevOps

To quote Wikipedia – “DevOps (a clipped compound of “development” and “operations”) is a culture, movement or practice that emphasizes the collaboration and communication of both software developers and other information-technology (IT) professionals while automating the process of software delivery and infrastructure changes”. Having knowledge of DevOps, OpsDev and Agile assists with architecting a solution for a business, by understanding their practices and modes of interacting with technology to meet business requirements. A good book on the subject of DevOps is “The Phoenix Project” by Gene Kim.

E – Enterprise Architecture

EA (Enterprise Architecture) is a blueprint that defines how a business can meet its objectives and strategy. This is achieved by conducting analysis, design, planning, recommendations and implementations through an Enterprise Architecture Framework.

Enterprise Architecture Wikibook

F – Four Two Zero One Zero

42010 is the ISO Standard that most frameworks adhere to. Working to a Framework brings structure to your designs and life cycles.

There are a number of frameworks available, such as:

  • DoDAF
  • MoDAF
  • TOGAF
  • Zachman
  • Other Frameworks are available

Enterprise Architecture Wikipedia Book

G – Governance

Governance is an important part of architecture as it:

  • Ensures Conformance
  • Controls Variance
  • Maintains Vitality
  • Enables Communication
  • Sets Direction
  • Issue Resolution
  • Provides Guidance and Prioritisation
  • Promotes Best Practise
  • Minimises Risk
  • Protects IT environments from tactical IT changes, project solutions, and strategic proposals that are not in an organisation’s global best interest
  • Controlling Technical Diversity, Over-Engineering and Unnecessary Complexity
  • Ensures projects can proceed quickly & efficiently
  • Control over IT spend
  • Quality Standards
  • Efficient and optimal use of resources and increase the effectiveness of IT processes

H – Hands On

It is important to be current and to understand the technologies you are architecting. There are lots of options available to get your hands dirty with technology, from using cloud servers to virtual machines on your own compute device. Other computing devices such as the Raspberry Pi provide a cheap alternative to standing up small farms to learn on.

I – IoT

IoT (Internet of Things) is where physical things are connected by the internet using embedded sensors, software, networks and electronics. This allows the items to be managed, controlled and reported on. My blog posts on IoT Device Security Considerations and Security Layers go into more detail on this subject.

J – Juxtaposition

Juxtaposition is something an architect should be doing to compare things/items/artefacts etc.

noun:
1. an act or instance of placing close together or side by side, especially for comparison or contrast.
2. the state of being close together or side by side.

Source: http://dictionary.reference.com/browse/juxtaposition

K – Knowledge

I would class Skills with Knowledge. It is important as an Architect to ensure that your skills/knowledge are up to date and where you are unsure of a technology, you have a plan to address and skill up. Build a good CPD (Continuing Professional Development) plan and work towards completing it.

L – Language

With the move to cloud it is important to ensure your scripting skills are up to date as most cloud platforms use scripting to assist with the deployment of environments. This is also true of other DevOps/OpsDev applications. If you are unsure on what to learn this guide may help you – Learn a Programming Language – But which one?

M – Micro Segmentation

Micro Segmentation allows a business to use Networks, Compute and Storage to automate and deliver complex solutions by carving up and using the infrastructure. This segments parts of the infrastructure for specific functions/tasks. It can also be used in a security context to segment networks, firewalls, compute and storage to increase security and reduce cyber attacks. VMware have produced a book “Micro Segmentation for Dummies” that can be downloaded from here.

N – Next Generation

Next Generation refers to the next stage or development to something such as a new release of hardware or software. Next Generation is becoming a common term now to define products and artefacts, an example being Next Generation Firewalls.

O – Open Source

Open Source has been available for a long time with software such as Linux; however, there is a bigger shift towards using Open Source and acceptance by businesses. Some examples of Open Source that are now mainstream within business include:

  • Ansible
  • Chef
  • Docker
  • Puppet

P – Performance

Performance can cover people as well as solutions / systems. Performance metrics should be set out at the inception of an engagement then monitored and reported on. This will be a factor in driving Continuous Improvement going forward as well as forecasting / planning for future upgrades and expansion.

Q – Quality

Quality is a huge subject and has a lot of standards governing it and how it affects all aspects of business and architecture. Knowing which standards apply and how they affect a solution will assist throughout the architecture lifecycle. There are also a number of tools available to help you:

  • Architecture Frameworks
  • ITIL
  • Six Sigma

There is also a level of pride and satisfaction in producing a quality solution and system achieving the objectives and requirements set out by the business.

R – Roadmap

Any architecture/solution should have a roadmap to set out its future. Roadmaps should include items such as:

  • Current state
  • Future state
  • Innovation
  • Upgrades / Releases
  • New Features / Functions
  • End of Life / Replacement

S – SMAC

SMAC stands for Social, Mobile, Analytics, Cloud. SMAC is an acronym that covers the areas and concepts when these four technologies are brought together to drive innovation in business. A good description of SMAC written by a colleague can be found here Acronyms SMAC.

T – Transformation

The majority, if not all systems will undergo a form of transformation. This may be in the form of a simple upgrade or to a complex redesign and migration to something else.

U – UX

UX (User eXperience) affects how people interact with your architecture / design and how they feel about it (emotions and attitudes). With the boom in apps and the nearing Contextual Web Era, UX is one of the most important factors to getting an architecture used. If your users don’t like the system they may find something else to use that they like.

V – Vision

Understanding the vision of your customer and their business is the driving factor for any architecture.

When working with your customer, and also with your colleagues, you should look to become a Trusted Advisor. A great book on the subject is The Trusted Advisor by David Maister. The book covers 3 main areas, discussing perspectives on trust, the structure of trust building and putting trust to work.

W – WWW

The internet is a key delivery mechanism for systems. You should understand how it works and its key components, such as:

  • IPv4 – IPv6
  • DNS
  • Routing
  • Connectivity
  • Security

X – X86

x86 is a standard that everyone knows, as it is one of the most common platform types available.

Y – Year

Year is for the longevity of the solution you are designing. How many years are you expecting it to last? What Business Requirements, statutory obligations, depreciation etc. need to be planned in? Consider things like End of Life, Maintenance and Upgrades of hardware and software from a solution point of view.

Z – Zero Defects

The best solution is the one with zero defects, but reaching this goal can be a challenge and can also consume a lot of expense. The best way to ensure Zero Defects is to use:

  • Best Practice
  • Reference Architectures
  • Blueprints/Patterns
  • Checklists
  • Reuse
  • Lessons Learnt

This is my current A to Z and some of the entries may be different in your version so “What is in your A to Z of being an Architect?”

I will look to write some further blog posts on the areas listed in this A to Z.


Is your social data being mined?

04 Monday Jan 2016

Posted by Max Hemingway in Security, Social Media

Tags: Security, Social Media

Over the festive break I have seen many people letting their guard down on my Social Media feeds and responding to those quizzes and prediction sites that scan your data and come up with some random facts about you.

The lure of finding out “Which are your most used words on facebook?” or “Which friend will be your luck charm in 2016?” is too much for some to resist. These apps usually result in a few words or a match of pictures that appeases the user, based on the mining of data in their social feeds and friends’ profiles.

Examples of these types of apps are:

  • Who is your craziest friend?
  • How will your 2016 be?
  • Which friend will be your luck charm in 2016?
  • Which are your most used words on facebook?
  • Who should you start a band with?

Whilst there are a number of innocent apps/sites that genuinely provide this type of tool to tell you who your best friend is, there is a darker side to some of these as well.

On the face of it an app may look genuine, but you are not aware of what the app is actually doing with your data, to what extent your data is being mined, where the results are stored or what purposes it will be used for afterwards.

Here are some basic actions to follow to secure your social data:

  • Know your security settings and lock down
  • Keep personal information personal
  • Think before you give an app permission to access your account/data
  • Do not use apps that you are unsure of
  • Think what this app will do with your data

Some useful links:

  • Twitter – Safe Tweeting
  • Facebook – Basic Privacy Settings & Tools
  • Sophos – Best Practices for rogue facebook apps


IoT Device Security Considerations and Security Layers – Encryption

25 Wednesday Nov 2015

Posted by Max Hemingway in IoT, Security

Tags: Encryption, IoT, Security

The next layer to cover in my blog series on IoT Device Security Considerations and Security Layers is that of Encryption.

With the IoT expected to collect and store masses of data, protecting that data is a key consideration for any system.

Encryption plays an important part on devices these days and it can be used in, or form part of, a number of the layers in the IoT stack. End-to-end encryption should be considered in any IoT design.

There are numerous encryption standards and products currently available to help you secure your data. Some are now being tailored to IoT applications and solutions.

There are two main areas of consideration for encryption in an IoT design:

  • Data
  • Communication

Data is about encrypting the data at rest (data on a storage device) to secure the information.

Communication is about encrypting data in transit, as it is sent over a network.

The main issue with encryption, though, is the overhead of encrypting and decrypting and the impact on resources on the IoT device/system. This has been recognised by chip manufacturers and application vendors as they work together to speed up this process. An example of this is Intel and McAfee. Other companies are doing the same.

In any case the use of encryption should be given considerable thought, especially on any network communications and back-end systems, to protect the data. There have been many cases in the news illustrating what can happen if your data is not encrypted.

Further Reading:

  • Lightweight Cryptography for the Internet of Things
  • Advanced Encryption Standard
  • Cryptography Standards
  • Data Encryption Standard

 


IoT Device Security Considerations and Security Layers – Access Control & Authentication

18 Wednesday Nov 2015

Posted by Max Hemingway in IoT, Security

Tags: IoT, Security

The next post in my IoT Series on IoT Device Security Considerations and Security Layers is on Access Control and Authentication.

Security around access is always a hot topic for people and systems and the IoT should be no different. From user interfaces to devices communicating with each other Access Control and Authentication are key to maintaining a secure solution/system.

There is a lot of information and posts appearing about this subject; however, in the larger stack it is only one part of securing the IoT, so it should be used in conjunction with other solutions to create an end-to-end secure stack. (See IoT Device Security Considerations and Security Layers for the full stack.)

To keep this blog post simple I have outlined four main areas in IoT that will use Access Control and Authentication.

(Diagram: the four main IoT areas that use Access Control and Authentication)

Each of these areas can leverage or use their own Access Control and Authentication solution.

The good news is that you don’t necessarily need a “new” thing to achieve this, and there are a number of good standards and best practices currently available to follow. If, however, you are developing something specialised, this may need to be customised.

Most solutions will employ a central Access Control and Authentication solution that can be updated, patched and maintained rather than a point solution that will require more effort to look after properly.

Examples of a centralised solution are Azure IoT Hub and Active Directory for a Cloud or On-Premise solution. Other solutions are available.

Areas that you may consider when looking at Access Control and Authentication could include:

Access Control Considerations

  • Access Control Lists
  • Permissions (Add, Change, Delete)
  • Policies

Authentication Considerations

  • LDAP/Active Directory Authentication
  • Certificates
  • Trusted Platform Modules (TPM)
  • Two Factor Authentication
  • Biometrics
  • Tokens
  • PKI
  • Mobile Authentication
  • Username Policy
  • Password Policy

 

Further Reading:

  • Authorization Framework for the Internet-of-Things
  • The impact of the IoT on access control
  • Network Access Control for Mobile Devices and IoT
  • Identity Authentication and Capability Based Access Control (IACAC) for the Internet of Things
  • Azure IoT Hub developer guide

 

 

 


IoT Device Security Considerations and Security Layers – User Interface

11 Wednesday Nov 2015

Posted by Max Hemingway in Architecture, IoT, Programming, Security

Tags: Architecture, IoT, Programming, Security

The next area in my series on IoT Device Security Considerations and Security Layers is the User Interface.

Many IoT solutions may just have a standard Web interface to a back end system where IoT Devices and Sensors can be controlled. There is already a lot of documentation on good practices for the Web front end.

In some cases the User Interface may be on the IoT device or not delivered over a Web interface. In these cases many of the good practices for Web front ends can still be applied.

Here are a few of the main considerations:

User Interface

User experience is key to any system, but so is security. When designing your User Interface you should match the functionality provided to what the user requirements actually are; keeping the design slick reduces the options for hackers to exploit.

Following good code practices and testing will help in this area.

Identification and Authentication

Most applications these days require a form of logon and password, or a link into another system for identification such as AD, LDAP or SSO (Single Sign On).

Ensuring that a strong password policy is in place with rules such as:

  • At least 8 characters long
  • Includes alphanumeric characters
  • Different from previous password
  • No complete words
  • At least 1 upper case character
  • At least 1 lower case character
  • At least 1 number
  • At least 1 special character

Some of these rules will depend on whether you are authenticating against an existing directory system and its current policies. You should consider changing them if they are not secure.

This in turn allows for the authentication of users against other methods, such as two-factor authentication.
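As an added example (not code from the original blog), here is a checker for the password rules listed above, which also applies the exceptions-list check the P4ssw0rd5! post asks for, so that a password like the one in that post's title is caught even though it satisfies every character-class rule. The length threshold, the three-entry exceptions list and the small word list are constructed for illustration; a real deployment would load a full breached-password list and dictionary.

```python
"""Password policy checker for the rules listed above.

Added example, not code from the original blog. The rule thresholds, the
small "exceptions list" and the word list are constructed for illustration.
"""
import hmac
import re
from typing import List, Optional

MIN_LENGTH = 8

# Constructed exceptions list: the entries the P4ssw0rd5! post names from the
# SplashData list. A real deployment loads a much larger breached-password list.
KNOWN_BAD = {"123456", "password", "starwars"}

# Constructed stand-in for a dictionary; a real check uses a full word list.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football", "letmein"}

# Common character substitutions undone before the dictionary check, so that
# "P4ssw0rd5!" is still recognised as the word it is built from.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def unmunge(candidate: str) -> str:
    """Lower-case the candidate and undo common leet substitutions."""
    return candidate.lower().translate(LEET)


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the names of the rules the candidate fails (empty list = accepted).

    Rules follow the list above: length, upper/lower/digit/special classes,
    not the previous password, no complete dictionary word, plus the
    exceptions-list check.
    """
    failures: List[str] = []

    if len(candidate) < MIN_LENGTH:
        failures.append("min_length")
    # "Includes alphanumeric characters" is implied by the three class rules below.
    if not re.search(r"[A-Z]", candidate):
        failures.append("upper_case")
    if not re.search(r"[a-z]", candidate):
        failures.append("lower_case")
    if not re.search(r"[0-9]", candidate):
        failures.append("digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("special_char")

    # Constant-time comparison so the check itself does not leak how much of
    # the old password matched.
    if previous is not None and hmac.compare_digest(candidate.encode(), previous.encode()):
        failures.append("same_as_previous")

    plain = unmunge(candidate)
    core = re.sub(r"[^a-z0-9]", "", plain)  # strip punctuation bolted on to pass the rules
    if candidate.lower() in KNOWN_BAD or core in KNOWN_BAD:
        failures.append("known_bad")

    # "No complete words": any dictionary word embedded in the unmunged text.
    if any(word in plain for word in DICTIONARY if len(word) >= 4):
        failures.append("dictionary_word")

    return failures


if __name__ == "__main__":
    for pw in ("123456", "P4ssw0rd5!", "St4rw4rs!", "Xq7!mZp2vL"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```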


Error Messages

Firstly ensuring that the application and interface have good error handling to reduce the number of messages that the user sees should something unexpected happen.

Secondly having simple well defined error messages reduces exposure of what systems you are running or the type of code that can appear in some errors.

Some further reading:

  • Guide to Authentication
  • Authentication cheat sheet
  • Basic Security Practices for Web Applications


IoT Device Security Considerations and Security Layers – Device/Application API’s

09 Monday Nov 2015

Posted by Max Hemingway in Architecture, IoT, Programming, Security

≈ 4 Comments

Tags

Architecture, IoT, Programming, Security

Furthering my series on “IoT Device Security Considerations and Security Layers”, next in the stack is the Device/Application APIs.

APIs (Application Programming Interfaces) provide a capability to interact easily with a system. This could be an API to an IoT sensor that a server application uses to retrieve information, through a set of common libraries and functions.


APIs often come in the form of a library that includes specifications for routines, data structures, object classes, and variables. In other cases, notably SOAP and REST services, an API is simply a specification of remote calls exposed to the API consumers.
-Wikipedia

There are a number of steps you can take to secure your APIs:

Standards

Follow any standards, including security standards, available for the systems you are working with. As discussed in previous blog posts, standards for the IoT are one area that is still being defined.

Libraries

Install only the APIs/libraries you need for your application, IoT device or IoT sensor (and uninstall any unused APIs/libraries), so that the attack surface is no larger than it has to be.

Secure Messaging

Where feasible, use secure messaging with a level of authentication so that the API is communicating and operating with the right system. This ensures that the IoT device/sensor can only interface with the correct system and will not accept rogue requests.

Error Handling

An API should know what to do when it detects an error condition, and what to do when it cannot handle one. This matters so that false instructions or data cannot be sent to the API to make it fail and leave it open to attack.
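The Secure Messaging and Error Handling points above fit together in one device-side handler, shown here as an added example that is not code from the original post or from any particular IoT platform. The server signs each command envelope with a per-device HMAC-SHA256 key and a timestamp; the device verifies the signature, rejects stale messages, accepts only commands it knows with values in range, and treats anything it cannot parse as a rejection rather than guessing. The device key, command set and temperature reading are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed per-device key; in practice each device would get its own key at provisioning (assumption).
DEVICE_KEYS = {"sensor-01": b"constructed-demo-key-do-not-reuse"}
MAX_CLOCK_SKEW = 30  # seconds a message may be old before it is treated as a replay

# The only commands this sensor API is willing to execute; everything else is refused.
ALLOWED_COMMANDS = {"read_temperature", "set_interval"}
REJECT = {"ok": False, "error": "rejected"}  # one fixed answer for every failure path


def _canonical(body: Dict[str, Any]) -> bytes:
    """Deterministic serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(device_id: str, key: bytes, payload: Dict[str, Any],
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Server side: wrap a command in an envelope authenticated with HMAC-SHA256."""
    ts = int(time.time() if now is None else now)
    body = {"device": device_id, "ts": ts, "payload": payload}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def handle_message(envelope: Dict[str, Any], now: Optional[float] = None) -> Dict[str, Any]:
    """Device side: authenticate, then validate, then act; any doubt means do nothing."""
    now = time.time() if now is None else now
    try:
        body, mac = envelope["body"], envelope["mac"]
        key = DEVICE_KEYS.get(body["device"])
        if key is None:
            return dict(REJECT)  # unknown sender
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return dict(REJECT)  # tampered or unauthenticated
        if abs(now - body["ts"]) > MAX_CLOCK_SKEW:
            return dict(REJECT)  # stale message, possible replay
        command = body["payload"]["command"]
        if command not in ALLOWED_COMMANDS:
            return dict(REJECT)  # authenticated but not something this API does
        if command == "set_interval":
            seconds = body["payload"]["seconds"]
            # Exact int check (bool is excluded) and a sane range, so bad data cannot wedge the device.
            if type(seconds) is not int or not 1 <= seconds <= 3600:
                return dict(REJECT)
            return {"ok": True, "result": f"interval set to {seconds}s"}
        return {"ok": True, "result": "21.5C"}  # constructed reading
    except (KeyError, TypeError, ValueError):
        # Malformed envelope: the API does not know what to do, so it does nothing.
        return dict(REJECT)
```

Returning the same fixed rejection for every failure keeps the device from telling a caller which check it tripped, and the try/except around the whole handler is what turns "I don't know what to do with this" into a safe refusal instead of a crash.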

Patching

Using the most up-to-date version of the APIs/libraries ensures that known bugs and issues have been removed, reducing exposure to attacks that target known issues. Employing a regular patching capability where possible maintains that level of security. It may not be possible to update IoT devices/sensors that are embedded; however, any server-side APIs/libraries should be kept up to date. This will in turn increase the compatibility testing needed against the IoT devices/sensors to ensure the interfaces still work.

Further Reading

OWASP REST Security Cheat Sheet

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
