AppSec and DevOps - What Should Teams Be Focusing On

AppSec California 2015 is just around the corner. I’ve looked at the agenda to get a sense of where attendees will spend their time. Overall, I suspect the top areas of interest will revolve around:

  • OWASP Top 10: SQL Injections, XSS, Chrome, Java, and other web/mobile app vulnerabilities, safeguards, and controls
  • Mobile Devices and Apps: iOS, Android, medical devices, geolocation, mobile SSL, Internet of things, MDM, and more
  • Collection of Best Practices: Development models, cryptography, threat modeling, ROI, policy management, GRC, and incident response

Here are my picks for the “must-see” sessions based on role:

  • Application Developers | Iron-Clad Development: Building Secure Applications (Training)
  • Application Testers and Quality Assurance | Why Your AppSec Experts Are Killing You (Session)
  • Application Project Management and Staff | Scaling Security in Agile Scrum (Session)
  • CIOs, CISOs, and CTOs | Building a Modern Security Engineering Organization (Session)
  • Security Managers and Staff | Enterprise Incident Response (Training)
  • CFOs, IT Risk and Compliance Staff and Auditors | Proactively defending your business against security protocol attacks and implementation flaws (Session)
  • Governance Executives, Managers, and Staff | Misconceptions in the Cloud (Session)
  • IT Professionals Interested in Improving IT Security | OWASP Top Ten Proactive Controls (Session)

I’m curious to know what sessions and trainings would be most interesting and valuable for you and your team. Is the security industry investing in the right topics? What's missing? Does anyone else find it troubling that we continue to discuss SQL injections and XSS as part of the OWASP top 10?

Brazilian University Embraces Wireless, BYOD, and IPv6

As part of theCube’s continued coverage of the HP Discover conference in Las Vegas today, Wikibon founder Dave Vellante met with two practitioners from HP customer Sao Paulo State University in Brazil, whose network supports about 60,000 users; among these users are roughly 45,000 students and 10,000 faculty members. Each faculty member has their own VoIP device connected to the network, equaling 10,000 managed VoIP endpoints. The campus, and therefore its network, spans 23 cities, supported by five regional nodes, with the main node located in the capital of the state. The network consists of two rings and a total of 40 WAN nodes.

The team manages over 300 physical servers, 60 percent of which are virtualized using VMware, a project that the university began in 2008.

The video provides some great insight into how an institution can embrace new technologies and the necessary change that comes with being innovative. Read the article and watch the video.

Big Data and the Cloud – Take the Lead or Be Disrupted

Intel is a company driven by Moore’s law and possessing a culture that eats, drinks, and breathes innovation; it is always looking ahead, continuously moving forward, and constantly pushing itself to the next level. This doesn’t happen by accident – it is driven by the mission of a company organized and managed by leaders who embrace the mission and strive to uphold it. Big Data was a key element of Kim Stevenson's keynote earlier in the day, and she provided Furrier with her own definition of the term: “Big Data is all information created (machine-generated and human generated) – all of this information fits into the Big Data envelope.” Stevenson, Vice President of the Information Technology Group and CIO at Intel, added that “the important parts of Big Data are the pieces we have failed to contextualize in a systematic way up until now.”

Among other things, Stevenson shared two recent scenarios in which Intel’s bleeding-edge innovation is evident, both of which were rooted in the Cloud.

1) The first use case provided was that of an in-house virtualized office/enterprise application store for Intel employees in which Intel moved its office and enterprise application-provisioning services to an environment that is 75 percent virtualized and in the Cloud. “This allows us to provision our services in under an hour for all of our employees,” said Stevenson.

2) The second use case covered Intel’s product development and design engineering operations. Intel deployed a massive cloud-based compute infrastructure composed of 50,000 servers hung together in a grid (aka a “clustered cloud”). “This implementation dramatically improves the throughput time for every engineering job that happens at Intel,” said Stevenson.

The video delivers an amazing exchange between the hosts and the speaker - it is well worth watching. Read the article and watch the video to experience the conversation for yourself.

Getting Active/Active with Email Compliance: An IBM Customer Story

During the IBM Edge conference, live from Orlando, FL, theCube was able to capture a number of customer stories, including a session hosted by Wikibon analysts John McArthur and David Floyer in which they engaged with Tim Harvey, CEO of Perimeter E-Security, both an IBM customer and partner. Harvey described Perimeter E-Security’s value proposition as one that provides “more secure and reliable email services for mid to large enterprises at 50 percent less than the cost of managing the service in-house.” Harvey delivers on this value proposition by moving beyond basic email hosting and simple email archiving to a business solution that provides hosted email or hosted exchange services surrounded by a complete set of security and compliance capabilities such as email hygiene, encryption, and archival.

When asked by Floyer what drove Perimeter E-Security to select IBM as a partner, Harvey quickly pointed to IBM’s infrastructure solution set and their comprehensive services offerings. “IBM is capable of helping us to define and implement the most appropriate topology and architecture, doing so with a lot more flexibility than the other vendors evaluated,” said Harvey.

Read the article and watch the video to see how Perimeter E-Security is able to implement both active/active [and] active/passive solutions, based on the business need.

HP Helps Deliver Mobility for Australian Students

theCube began its live coverage of the ~11,000-attendee HP Discover conference in Las Vegas today. Wikibon founder Dave Vellante and Wikibon analyst Stu Miniman kicked off the interviews with Gregory Bell, an HP customer and Head of Technical Services for Ballarat Grammar School in Australia. Vellante asked Bell how they deal with competitors when it comes time to purchase new equipment. “We most certainly look at other vendors for servers, storage, notebooks, etc. – we put them all on the table, make our comparisons, and perform our due diligence,” Bell replied.

Bell described one of Ballarat Grammar’s more recent and demanding projects, driven by the school’s initiative to provide a 1:1 pairing program for its senior students. With this program, the school opted to provide every student and staff member with his/her own HP Netbook running Windows 7 and a copy of the full version of Microsoft Office. Ballarat Grammar’s biggest hurdle with this initiative? Handling all of the additional devices connecting to the network via mobile hotspots throughout the school.

One of the key challenges Bell described was that, at any given time, the network could have as many as 500 mobile devices connected. Bell said that HP’s wireless network and servers, 99% of which are virtualized, are running Windows in VMware and are managed by vCenter, allowing up to 900 devices to connect at any given time – all viewing rich content such as classroom videos from YouTube.

Read the full article by the imsmartin team on SiliconANGLE and watch the video to see and hear the list of some of the key challenges that HP helped Bell overcome at Ballarat Grammar School.

IBM Acquisitions Deliver Storage for the Rest of Us

The Edge conference in Orlando, FL is IBM’s opportunity to show off its wide range of storage solutions to the world. While IBM is typically known for its large enterprise offerings, some of its acquisitions highlighted during the conference make this year’s Edge “the storage coming-out party,” as said by Wikibon founder Dave Vellante. Wikibon analyst John McArthur and Vellante were fortunate to spend some time with IBM systems storage VP Bob Cancilla (full video below). McArthur and Vellante prompted Cancilla to look back over his 27+ years with IBM and answer a few questions on IBM’s acquisitions, its strong go-to-market strategy, and his insights into the future of storage at IBM.

The golden child of IBM's storage portfolio is IBM’s XIV offering, which is growing 30% per quarter. This is a significant number when compared to the single-digit figures captured and presented by IDC in a recent report coupled with last quarter’s earnings from EMC, a firm that relies heavily on storage and reported a down quarter. “XIV had $2M at the end of 2007, then $200M and $500M,” said Cancilla. “We are tracking quite nicely to becoming a billion-dollar entity,” he added. “It is evident that XIV is gaining share, despite some serious bumps in the road,” said Vellante. Cancilla was more than happy to confirm.

What does the future look like for IBM storage? Read the full article by the imsmartin team on SiliconANGLE and watch the video here.

Mass Amounts of Data Creates A Name for Itself, Big Data

The increase in data proliferation has also created an increased need, and opportunity, in information security. While not new, the idea of “Big Data” has gained a tremendous amount of steam in the market. How much data are we creating, you ask?

From the article, “Each day, the world creates 2.5 quintillion bytes of data, according to IBM, meaning some 90 percent of the information alive today was only born within the last two years. Each sector in the U.S. economy is responsible for at least 200 terabytes of stored data, says a report from the McKinsey Global Institute.”

As the world works away, creating more and more Big Data, information security continues to grow as a critical element - both to protect the data and to use the data to better protect the environment in which it resides. It is imperative that companies realize how important this is as a benefit to their business.

Our very own Sean Martin, founder of imsmartin consulting, offered his own advice on the issue, stating, “Perhaps no two verticals deal with security and Big Data more than the information-intensive industries of financial services and health care.”

To find out more about the "Three V’s of Big Data" and how to use the information to aid your company in developing a Big Data-driven security practice, read the full article on SC Magazine.

This article is from the full April 2012 Issue of SC Magazine

Blog: Survive the Cisco CSA Transition

Surviving the Cisco CSA Transition

Searching for behavioral-based protection and control for your PCs? Look no further.

The search for a viable replacement for Cisco’s CSA has resulted in frustration for many CSA customers. As they look for alternatives, their demanding requirements for behavioral-based protection and complete endpoint control are quite clear. Cisco CSA users want the same technological capabilities they’ve relied on for years, or something better. The featured whitepaper ‘Surviving the Cisco CSA Transition’ is available now and provides a deep view into these requirements.

Download the whitepaper. Complete your search.