IAST: A New Approach to Finding Security Vulnerabilities

Roberto Velasco
CEO, Hdiv Security

One of the most prevalent misconceptions about cybersecurity, especially in the mainstream media and also among our clients, is that to conduct a successful attack against an IT system it is necessary to ‘investigate’ and find a new defect in the target’s system.

However, for most security incidents involving internet applications, it is enough to simply exploit existing and known programming errors.

For instance, the dramatic Equifax breach could have been prevented by following basic software security best-practices, such as patching the system to prevent known vulnerabilities. That was, in fact, one of the main takeaways from the forensic investigation led by the US federal government.

One of the most important ways to reduce security risks is to ensure that all known programming errors are corrected before the system is exposed to internet traffic. Research bodies such as the US NIST found that correcting security bugs early on is orders of magnitude cheaper than doing so when the development has been completed.

When composing a text in a text editor, the spelling and grammar checker highlights the mistakes in the text. Similarly, there are security tools known as AST (Application Security Testing) tools that find the programming errors that introduce security weaknesses. ASTs report the file and line where the vulnerability is located, in the same way that a text editor reports the page and line that contain a typo.

In other words, these tools allow developers to build software that is largely free of security-related programming errors, resulting in more secure applications.

Just as it is almost impossible to catch all errors in a long piece of text, most software contains many serious security vulnerabilities. The fact that some teams do not use any automated help at all makes these security weaknesses all the more prevalent and easy to exploit.

Let’s take a look at the different types of security issue detection tools, also known as ASTs or vulnerability assessment tools, available in the market.

The Traditional Approach

Two mature technologies capture most of the market: static code analysis (SAST) and web scanners (dynamic analysis or DAST). Each of these two families of tools is focused on a different execution environment.

SAST (static analysis), also known as white-box analysis because the tool has access to the source code of the application, scans that source code looking for known patterns of insecure programming that could lead to a vulnerability.

DAST (dynamic analysis) replicates the view of an attacker: the tool executes hundreds or thousands of requests against the running application, designed to replicate an attacker’s activity, in order to find security vulnerabilities. This is a black-box analysis because the point of view is purely external, with no knowledge of the application’s internal architecture.

The level of detail provided by the two types of tools is different. SAST tools provide the file and line where the vulnerability is located, but no URL, while DAST tools provide the external URL, but no details on the location of the problem within the application’s code base. Some teams use both tools to improve visibility, but this requires long and complex triaging to manage the vulnerabilities.

The Interactive AST Approach

The Interactive Application Security Testing (IAST) tools combine the static approach and the dynamic approach. They have access to the internal structure of the application, and to the way it behaves with actual traffic. This privileged point of view is ideal to conduct security analysis.

From an architecture point of view, the IAST tools become part of the infrastructure that hosts the web applications, because an IAST runs together with the application server. This approach is called instrumentation, and it is implemented by a component known as an agent. Other platforms such as Application Performance Monitoring tools (APMs) share this proven approach.

Once the agent has been installed, it incorporates automatic security sensors in the critical execution points of the application. These sensors monitor the dataflow between requests and responses, the external components that the application includes, and data operations such as database access. This broad-spectrum coverage is much better than the visibility that SAST and DAST rely on.
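To make the sensor idea concrete, here is an added example (not Hdiv code, and not part of the original article) of the smallest possible IAST-style agent written in Python: a source sensor marks request parameters as tainted, and a sink sensor wrapped around the database call checks whether tainted data reached the query text. When it does, the finding carries both the request URL (the DAST view) and the calling file, line and function (the SAST view). The request handlers, the sqlite table and the parameter names are constructed for the example.

```python
"""Toy IAST-style agent: runtime sensors follow request data (the source) to a
database call (the sink) and report a finding that carries both the request
URL and the code location. Constructed example, not a real product's agent."""
import functools
import inspect
import sqlite3

# ---- the "agent": sensors a real tool would inject, written here by hand ----

class Tainted(str):
    """A str that remembers it came from the request. Concatenation keeps the
    flag, so the taint survives the typical string-built query."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


FINDINGS = []              # what the agent reports
_REQUEST = {"url": None}   # dynamic context captured at the entry point


def source_sensor(url, raw_params):
    """Entry-point sensor: records the request URL and marks every parameter as tainted."""
    _REQUEST["url"] = url
    return {name: Tainted(value) for name, value in raw_params.items()}


def sink_sensor(vuln_type, sql_arg=1):
    """Wraps a dangerous API. If the query *text* (not the bound parameters) is
    tainted, record a finding with both the URL and the calling file/line."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            if isinstance(args[sql_arg], Tainted):
                caller = inspect.stack()[1]   # the application frame that called the sink
                FINDINGS.append({
                    "type": vuln_type,
                    "url": _REQUEST["url"],        # DAST-style information
                    "file": caller.filename,       # SAST-style information
                    "line": caller.lineno,
                    "function": caller.function,
                })
            return fn(*args, **kwargs)
        return wrapper
    return decorate


@sink_sensor("SQL Injection")
def execute(conn, sql, params=()):
    """The instrumented database call."""
    return conn.execute(sql, params).fetchall()

# ---- a tiny application under test (constructed for this example) ----------

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def vulnerable_handler(conn, params):
    # Query built by concatenation: the tainted value becomes part of the SQL text.
    return execute(conn, "SELECT name FROM users WHERE name = '" + params["name"] + "'")


def safe_handler(conn, params):
    # Parameterised query: the SQL text is a constant, the value is bound separately.
    return execute(conn, "SELECT name FROM users WHERE name = ?", (params["name"],))


def handle_request(conn, handler, url, raw_params):
    """Simulates the web framework invoking a handler with request parameters."""
    return handler(conn, source_sensor(url, raw_params))


if __name__ == "__main__":
    db = setup_db()
    handle_request(db, vulnerable_handler, "/users?name=alice", {"name": "alice"})
    handle_request(db, safe_handler, "/users/safe?name=bob", {"name": "bob"})
    for f in FINDINGS:
        print(f"{f['type']} at {f['url']} in {f['file']}:{f['line']} ({f['function']})")
```

Only the string-built query produces a finding; the parameterised one passes the tainted value as a bound parameter, never as SQL text, which is exactly the distinction a sink sensor has to make to avoid the false positives the article attributes to pattern-only static analysis. A production agent does the same thing through bytecode instrumentation of the runtime rather than hand-written decorators.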

In terms of specific results, we can look at two important metrics – how many types of vulnerabilities the tool finds, and how many of the identified vulnerabilities are false positives. Well, the best DAST is able to find only 18% of the existing vulnerabilities on a test application. And even worse, around 50% of the vulnerabilities reported by the best SAST static analysis tool are not true problems!

Source: Hdiv Security via OWASP Benchmark public result data

The IAST approach provides these tangible benefits:

  1. Complete coverage, because the entire application is reviewed, both the custom code and the external code, such as open-source components and legacy dependencies.
  2. Flexibility, because it can be used in all environments: development, quality assurance (QA), and production.
  3. High accuracy, because the combination of the static and dynamic points of view allows us to find more vulnerabilities with no false positives.
  4. Complete vulnerability information, including the static aspects (source code details) and dynamic aspects (execution details).
  5. Reduction of the duration of the security verification phase, so that the time-to-market of the secure applications is shorter.
  6. Compatibility with agile development methodologies, such as DevSecOps, because it can be easily automated and reduces the manual verification activities.

An IAST tool can add a great deal of value to the security tooling of any organization concerned with the security of its software.

In the same way that everyone uses an automated spell checker to find typos in a document, we believe that any team would benefit from an automated validation of the security of an application.

However, ASTs do not represent a security utopia, since they can only detect security problems that follow a known pattern.

About the Author –

Roberto Velasco is the CEO of Hdiv Security. He has been involved with the IT and security industry for the past 16 years and is experienced in software development, software architecture and application security across different sectors such as banking, government and energy. Prior to founding Hdiv Security, Roberto worked for 8 years as a software architect and co-founded ARIMA, a company specialized in software architecture. He regularly speaks at Software Architecture and cybersecurity conferences such as Spring I/O and APWG.eu.

Design-led Organization: Creative Thinking as a Practice!

Gogul R G

This is the first article in the series of ‘Design-led organization’ writing about creative thinking as a practice in GAVS. It is the first step for the readers to explore the world of design and creativity. So, let’s get started!

First, let’s see what design thinking is all about.

There is a common misconception that design thinking is new. But when you look back, people have long applied a human-centric creative process to build meaningful and effective solutions. Design has been practiced for ages to build monuments, bridges, automobiles, subway systems, etc. Design is not limited to aesthetics; it is more of a mindset for thinking of a solution. Design thinking is a mindset for iteratively thinking about a complex problem and coming up with a viable solution.

Thinking outside of the box can provide an innovative solution to a sticky problem. However, thinking outside of the box can be a real challenge, as we naturally develop patterns of thinking based on our repetitive activities and the commonly accessed knowledge surrounding us. It takes something to detach from a situation in which we are too closely involved to be able to find better possibilities.

To illustrate how a fresh way of thinking can create unexpectedly good solutions, let’s look at a famous incident. Some years ago, an incident occurred where a truck driver had tried to pass under a low bridge. But, he failed, and the truck became firmly lodged under the bridge.

The driver was unable to continue driving through or reverse out. The struck truck caused massive traffic problems, which resulted in emergency personnel, engineers, firefighters, and truck drivers gathering to negotiate various solutions to dislodge the truck.

Emergency workers were debating whether to dismantle parts of the truck or chip away at parts of the bridge. Each of them was looking for a solution within their respective area of expertise. A boy walking by and witnessing the intense debate looked at the truck, at the bridge, then looked at the road and said, “Why not just let the air out of the tires?” to the absolute amazement of all the specialists and experts trying to resolve the issue.

When the solution was tested, the truck could drive with ease, having suffered only the damage caused by its initial attempt to pass underneath the bridge. It symbolizes the struggles we face where often the most obvious solutions are the ones hardest to come by because of the self-imposed constraints we work within.  

“Challenging our assumptions and everyday knowledge is often difficult for us humans, as we rely on building patterns of thinking in order not to have to learn everything from scratch every time.”

Let’s come back to our topic, “What is Design thinking?” Tim Brown, Executive Chairman of IDEO, an international design and consulting firm, defined design thinking as follows.

“Design thinking is a human-centered approach to innovation that draws from the designer’s toolkit to integrate the needs of people, the possibilities of technology, and the requirements for business success.”

Now let’s think about our truck example. A boy with his fresh mindset provides a simple solution to address a complex problem. Yeah! this is the sweet spot. Everyone is creative and capable of thinking like a designer, and out of the box, to come up with a solution. This way of inculcating design as a mindset for a solution is known as Design thinking.

Yes, you read it right, everyone is creative…

We forget that back in kindergarten, we were all creative. We all played and experimented with weird things without fear or shame. We didn’t know enough not to. The fear of social rejection is something we learned as we got older. And that’s why it’s possible to regain our creative abilities, even decades later. In the field of design and user experience, when individuals stick with a methodology for a while, they end up doing amazing things. They come up with breakthrough ideas or suggestions and work creatively with a team to develop something truly innovative. They surprise themselves with the realization that they are a lot more creative than they had thought. That early success shakes up how they see themselves and makes them eager to do more.

We just need to rediscover what we already have: the capacity to imagine, or build upon, new-to-the-world ideas. But the real value of creativity doesn’t emerge until you are brave enough to act on those ideas.

Geshe Thupten Jinpa, who has been the Dalai Lama’s chief English translator for more than twenty years, shared an insight about the nature of creativity. Jinpa pointed out that there’s no word in the Tibetan language for ‘creativity’ or ‘being creative’. The closest translation is ‘natural’. In other words, if you want to be more creative, you should be more natural! So…be natural!

At your workplace, complex problems can be easily sorted out when you find a solution using creativity with the mindset of design thinking. Creativity can be improved by following the steps below.

  1. Go for a walk.
  2. Play your favorite games.
  3. Move your eyes.
  4. Take a break and enjoy yourself.
  5. Congratulate yourself each time you do something well.
  6. Estimate time, distance, and money.
  7. Take a route you never have taken before.
  8. Look for images in mosaics, patterns, textures, clouds, stars…
  9. Try something you have never done before.
  10. Do a creative exercise.
  11. Start a collection (stamps, coins, art, stationery, anything you wish to collect)
  12. Watch Sci-Fi or fantasy films.
  13. Change the way you do things – there are no routine tasks, only routine ways of doing things.
  14. Wear a color you do not like.
  15. Think about how they invented equipment or objects you use daily.
  16. Make a list of 10 things you think are impossible to do and then imagine how you could make each one possible.
  17. For every bad thing that happens to you, remember at least 3 good things that happened.
  18. Read something you have not read yet.
  19. Make friends with people on the other side of the world.
  20. When you have an idea, make a note of it, and later check to see if it happened.
  21. Connect a sport with your work.
  22. Try food you never tried before.
  23. Talk to grandparents and relatives and listen to their stories.
  24. Give an incorrect answer to a question.
  25. Find links between people, things, ideas, or facts.
  26. Ask children how to do something and observe their creativity.

Start doing the above-mentioned steps to inculcate a creative mindset and apply it in your day-to-day work. Companies like GE Healthcare, Procter & Gamble and Uber practiced design thinking and implemented it in their new product launches and for solving complex problems in their organizations. Be natural to be more creative! When you are more creative, you can apply design thinking when seeking a solution to any complex problem in your work.

This is the first article in the series of Design led Organization in GAVS. Keep watching this space for more articles on design and keep exploring the world of design-thinking!

About the Author –

Gogul is a passionate UX designer with 8+ years of experience into designing experiences for digital channels like Enterprise apps, B2C, B2B apps, Mobile apps, Kiosk, Point of Sale, Endless aisle, telecom products. He is passionate about transforming complex problems into actionable solutions using design.

Center of Excellence – Network

The Network CoE was established to focus on Network solution design, Network design, Advanced Network troubleshooting, Network consulting, Network automation, and competency development in Next Generation Network technologies. It is also involved in conducting Network and Network security assessments in the customer’s IT infrastructure environments focused on optimization and transformation.

Network and Network Security Certification drive

As part of the Network CoE, we focus on upgrading the skill sets of L1, L2 and L3 Network engineers so that their competency levels are high. This is achieved by Network certification drives organized by the Network CoE. There are many certification drives driven by the Network CoE focusing on Routing, Switching, Network security, Data Center Technologies and Network automation, such as CCNA, CCNP, PCNSE, CCNA Data Center and Cisco Certified DevNet Associate. There is active participation in these certification drives, and many GAVS engineers have got themselves certified.

Standard Best Practices and Standard Operating Procedures

In the Network CoE, the focus is on industry best practices. Standard Operating Practices are created for various technologies within Networking and Network security and used for Network operations. We have Standard Operating Practices for Monitoring, NOC, switching, routing, WiFi, load balancers and Network security.

Next generation Network Transformation

The Network and Network Security industry is undergoing key changes in terms of next generation technologies: Next Generation Firewalls, Software Defined Networks and the WiFi 6 standard. There is an added impetus on Network automation and Intent-based Networking. We enable Network transformation by enabling these technologies in customer environments.

Network Automation

We are focusing on Network automation of Standard Operating practices pertaining to Network and Network Security technologies. Instead of usual script-based automation, we focus on automation through Network Programmability via standard API interfaces. This gives much finer control and increased functionality in automation.

Network Assessments and Recommendations

We undertake Network Assessments which focus on Networking and Network security infrastructure, including devices and monitoring tools. We cover various device types such as routers, switches, firewalls, WiFi controllers, WiFi access points, load balancers, Layer-3 switches, collaboration devices, SD-WAN devices, MPLS devices, VPN devices, IPS devices, etc., as well as Network monitoring tools. We have a GAVS tool called GAVS topology mapper which can be used to discover the network topology; it serves as one of the inputs during a Network assessment. We apply standard best practices and come out with findings and recommendations, directed towards Network optimization and/or Network transformation.

Solutions for Pain Points

We identify customer pain points in Networking and Network security areas and address them with comprehensive solutions. A case in point is a disaster recovery solution we designed for an enterprise network where the main site and DR site had different subnet schemes, while the Disaster Recovery solution required the VMs in the main site and DR site to have the same IP address.

Network Maturity Model

In GAVS, we have a Network Maturity Model with various levels. We use it to rate Network and Network Security setups.

Network Maturity Levels

  Score  Level
  5      Optimised
  4      Managed
  3      Defined
  2      Repeatable
  1      Ad hoc

Network Design

We undertake Network design of Greenfield projects (new Network) or Network re-design of Brownfield projects (existing Network). A case in point is where we re-designed an existing data center for better resiliency.

Data Center Design

We have designed Data Centers with N+1 Redundancy based on Cisco Nexus 9K and ACI as part of Data Center move and consolidation.  We used spine and leaf architecture for high availability. We have migrated Catalyst 6000 based data center to a Data Center with Nexus 9K.

Advanced Network and Network Security Services

We undertake several Advanced Network and Network security services. We have done large scale Cisco Identity Service Engine (ISE) Hardening and upgrade. We also migrated to DMVPN for several hundreds of sites.

Advanced Network and Network Security Troubleshooting

There are situations when a problem involves two or more towers, e.g., Networking and server applications; we get involved and crack these kinds of problems.

For example, in a problem involving the DHCP Network service running on a server, the DHCP service became slow. We systematically analysed it and found that the actual problem was the slowness of the server, not the DHCP Network service. In another situation, we found that a DMZ firewall was running at 90% CPU utilization, which led to connection drops for applications; we fixed it by upgrading the firewall devices.

Conclusion

We continue to partner with GAVS Customer Success Managers to provide a unique experience to customers in the Networking area.

If you have any questions about the CoE, you may reach out to them at COE_NETWORK@gavstech.com

CoE Team Members

  • Ambika Tripathi
  • Andrew Ellis
  • Avinesh Yokanathan
  • Deepak Narayanaswamy
  • Durai Murugan Prakash
  • Faheem koyatty
  • Ganesh Kumar J
  • Gayathri R
  • Ibrahim Silver Nooruddin
  • Jetti Tarakesh
  • Justin Robinson
  • Krishnakumar R
  • Nabiulla A
  • Nandhini Prabhu
  • Navaneetha Krishnan
  • Palanisamy Sakthivel
  • Prasad R
  • Rajeshkanna S
  • Ravichandran V
  • Shafi H
  • Shamini P
  • Shanmukha Ganesh
  • Sridhar
  • Srijith
  • Suresh Chander
  • Venkata Manikrishna Soma
  • Vishal Manuhar

Center of Excellence – Java

The Java CoE was established to partner with our customers and aid them in realizing business benefits through effective adoption of cutting-edge technologies; thus, enabling customer success.

Objectives

  • Be the go-to team for anything related to Java across the organization and customer engagements.
  • Build competency by conducting training and mentoring sessions, publishing blogs, whitepapers and participating in Hackathons.
  • Support presales team in creating proposals by providing industry best solutions using the latest technologies, standards & principles.
  • Contribute a certain percent of revenue growth along with the CSMs.
  • Create reusable artifacts, frameworks, solutions and best practices which can be used across organization to improve delivery quality.

Focus Areas

  1. Design Thinking: Setting up a strong foundation of “Design Thinking and Engineering Mindset” is paramount for any business. We aim to do so in the following way:

  2. Solution and Technology: Through our practice, we aim to equip GAVS with solution-oriented technology leaders who can lead us ahead through disruptive times.

  3. Customer Success:

  • Identify opportunities in accounts based on the collaboration with CSMs, understand customer needs, get details about the engagement, understand the focus areas and challenges.
  • Understand the immediate need of the project and provide a solution to address the need.
  • Java council to help developers arrive at solutions.
  • Understand the architecture in detail and provide recommendations / create awareness to use new technologies.
  • Enforce a comprehensive review process to enable quality delivery.

Accomplishments

  • Formed the CoE team
  • Identified the focus Areas
  • Identified leads for every stream
  • Socialized the CoE within GAVS
  • Delivered effective solutions across projects to improve delivery quality
  • Conducted trainings on standards and design-oriented coding practices across GAVS
  • Published blogs to bring in design-oriented development practices
  • Identified the areas for creating re-usable artefacts (Libraries / Frameworks)
  • Brainstormed and finalized the design for creating Frameworks (For the identified areas)
  • Streamlined the DevOps process which can be applied in any engagement
  • Built reusable libraries, components and frameworks which can be used across GAVS
  • Automated the Code Review process
  • Organized and conducted hackathons and tech meetups
  • Discovered potential technical problems/challenges across teams and offered effective solutions, thereby enabling customer success
  • Supported the presales team in creating customized solutions for prospects

Upcoming Activities

  • Establishing tech governance and aligning managers / tech leads to the process
  • Setting up security standards and principles across domains
  • Building more reusable libraries, components and frameworks which can be used across GAVS
  • Adopting Design Patterns / Anti-patterns
  • Enforcing a strong review process to bring in quality delivery
  • Enabling discussions with the customers
  • Setting up a customer advisory team

Contribution to Organizational Growth

As we continue our journey, we aim to support the revenue growth of our organization. Customer Success being a key goal of GAVS, we will continue to enable it by improving the quality of service delivery and building a solid foundation across all technology and process streams. We also want to contribute to the organization by developing a core competency around a strategic capability and reduce knowledge management risks.

If you have any questions about the CoE, you may reach out to them at COE_JAVA@gavstech.com

CoE Team Members

  • Lakshminarasimhan J
  • Muraleedharan Vijayakumar
  • Bipin V
  • Meenakshi Sundaram
  • Mahesh Rajakumar M
  • Ranjith Joseph Selvaraj
  • Jagathesewaren K
  • Sivakumar Krishnasamy
  • Vijay Anand Shanmughadass
  • Sathya Selvam
  • Arun Kumar Ananthanarayanan
  • John Kalvin Jesudhason

Center of Excellence – Database

“During World War II, there was a time when the Germans were winning on every front and the fear of Hitler taking over the world was looming. At that point in time, had the Allies not taken drastic measures and invested in ground-breaking technologies such as radars, aircraft, atomic energy, etc., the world would have been starkly different from what it is today.”

Even in today’s world, the pace at which things are changing is incredible. The evolution of technology is unstoppable, and companies must be ready. There is an inherent need for them to differentiate themselves by providing solutions that showcase a deep understanding of domain and technology to address evolving customer expectations. What becomes extremely important for companies is to establish themselves as incubators of innovation and possess the ability to constantly innovate and fail fast. Centers of Excellence can be an effective solution to address these challenges.

“An Organisation’s ability to learn, and translate that learning into action rapidly, is the ultimate competitive advantage”

– Jack Welch, former Chairman and CEO of General Electric

The Database CoE was formed with a mission to groom, enhance and incubate talents within GAVS to stay abreast of the evolving technology landscape and help our customers with cutting edge technology solutions.

We identify the experts and the requirements across all customer engagements within GAVS. Regular connects and technology sessions ensure everyone in the CoE is learning at least one new topic a week. Below is our charter and roadmap by priority:

The Database CoE is focused on assisting our customers in every stage of the engagement, right from on-boarding, planning and execution, with a consultative approach and a futuristic mindset. With the above primary goals in mind, we are currently working on the initiatives below:

Competency Building

When we help each other and stand together we evolve to be the strongest.

Continuous learning is an imperative in the current times. Our fast-paced trainings on project teams are an alternative to the primitive classroom sessions. We believe true learning happens when you are working on it hands-on. With this key aspect in mind, we divide the teams into smaller groups and map them to projects to get larger exposure and gain from experience.

This started off with a pilot with an ISP provider where we trained 4 CoE members in Azure and Power BI within a span of 2 months.

Database Maturity Assessment

“When digital transformation is done right, it’s like a caterpillar turning into a butterfly “

– George Westerman, research scientist at the MIT Center for Digital Business

Why Bother with a Database Assessment?

We often know we have a problem and can visualize the ideal state we want our technology solution to get us to. However, it is challenging to figure out how to get there because it’s easy to confuse the symptoms with the cause of a problem. Thus, you end up solving the ‘symptom’ with a (potentially expensive) piece of technology that is ill-equipped to address the underlying cause.

We offer a structured process to assess your current database estate and select a technology solution that helps you get around this problem, reduce risks and fast-track the path to your true objective with future-proofing, by forcing you to both identify the right problem and solve it the right way.

Assessment Framework

Below are the three key drivers powering the assessment.

  • Accelerated Assessment
    • Automated assessment and benchmark of existing and new database estates against industry best practices and standards.
  • Analyze & Finetune
    • Analyze assessment findings and implement recommendations on performance, consistency, and security aspects.
  • NOC + Zero Touch L2
    • Shift left and automate L1/L2 service requests and incidents with the help of Database CoE automation experts.

As we progress on our journey, we want to establish ourselves as a catalyst to help our customers future-proof technology and help in early adoption of new solutions seamlessly.

If you have any questions about the CoE, you may reach out to them at COE_DATABASE@gavstech.com

CoE Team Members

  • Ashwin Kumar K
  • Ayesha Yasmin
  • Backiyalakshmi M
  • Dharmeswaran P
  • Gopinathan Sivasubramanian
  • Karthikeyan Rajasekaran
  • Lakshmi Kiran  
  • Manju Vellaichamy  
  • Manjunath Kadubayi  
  • Nagarajan A  
  • Nirosha Venkatesalu  
  • Praveen kumar Ralla  
  • Praveena M  
  • Rajesh Kumar Reddy Mannuru  
  • Satheesh Kumar K  
  • Sivagami R  
  • Subramanian Krishnan
  • Venkatesh Raghavendran

Observability versus Monitoring

Sri Chaganty

“Observability” has become a key trend in Service Reliability Engineering practice. One of the recommendations from Gartner’s latest Market Guide for IT Infrastructure Monitoring Tools released in January 2020 says, “Contextualize data that ITIM tools collect from highly modular IT architectures by using AIOps to manage other sources, such as observability metrics from cloud-native monitoring tools.”

Like so many other terms in software engineering, ‘observability’ is a term borrowed from an older physical discipline: in this case, control systems engineering. Let me use the definition of observability from control theory in Wikipedia: “observability is a measure of how well internal states of a system can be inferred from knowledge of its external outputs.”

Observability is gaining attention in the software world because of its effectiveness at enabling engineers to deliver excellent customer experiences with software despite the complexity of the modern digital enterprise.

When we blew up the monolith into many services, we lost the ability to step through our code with a debugger: it now hops the network. Monitoring tools are still coming to grips with this seismic shift.

How is observability different than monitoring?

Monitoring requires you to know what you care about before you know you care about it. Observability allows you to understand your entire system and how it fits together, and then use that information to discover what specifically you should care about when it’s most important.

Monitoring requires you to already know what normal is. Observability allows discovery of different types of ‘normal’ by looking at how the system behaves, over time, in different circumstances.

Monitoring asks the same questions over and over again. Is the CPU usage under 80%? Is memory usage under 75%? Is the latency under 500ms? This is valuable information, but monitoring is useful only for known problems.

Observability, on the other hand, is about asking different questions almost all the time. You discover new things.

Metrics do not equal observability.

What Questions Can Observability Answer?

Below are sample questions that can be addressed by an effective observability solution:

  • Why is x broken?
  • What services does my service depend on — and what services are dependent on my service?
  • Why has performance degraded over the past quarter?
  • What changed? Why?
  • What logs should we look at right now?
  • What is system performance like for our most important customers?
  • What SLO should we set?
  • Are we out of SLO?
  • What did my service look like at time point x?
  • What was the relationship between my service and x at time point y?
  • What was the relationship of attributes across the system before we deployed? What’s it like now?
  • What is most likely contributing to latency right now? What is most likely not?
  • Are these performance optimizations on the critical path?

About the Author –

Sri is a Serial Entrepreneur with over 30 years’ experience delivering creative, client-centric, value-driven solutions for bootstrapped and venture-backed startups.

JAVA – Cache Management

Sivaprakash Krishnan

This article explores the offering of the various Java caching technologies that can play critical roles in improving application performance.

What is Cache Management?

A cache is a temporary in-memory buffer that stores the most frequently used data, such as live transactions or logical datasets. It greatly improves application performance because reads and writes hit the memory buffer, which reduces retrieval time and the load on the primary source. Implementing and maintaining a cache is important in any Java enterprise application.

  • The client-side cache temporarily stores static data transmitted over the network from the server, avoiding unnecessary calls to the server.
  • The server-side cache could be a query cache, CDN cache or a proxy cache where the data is stored in the respective servers instead of temporarily storing it on the browser.

Adoption of the right caching technique and tools allows the programmer to focus on the implementation of business logic; leaving the backend complexities like cache expiration, mutual exclusion, spooling, cache consistency to the frameworks and tools.

Caching should be designed specifically for the environment, taking into account whether it runs in a single JVM, in multiple JVMs or in a cluster. Given below are multiple scenarios where caching can be used to improve performance.

1. In-process Cache – The in-process (local) cache is the simplest cache: the cache store is effectively an object accessed inside the application process. It is much faster than any cache accessed over a network, and it is available only to the process that hosts it.

  • If the application is deployed only in one node, then in-process caching is the right candidate to store frequently accessed data with fast data access.
  • If the in-process cache is to be deployed in multiple instances of the application, then keeping data in-sync across all instances could be a challenge and cause data inconsistency.
  • An in-process cache can bring down the performance of any application where the server memory is limited and shared. In such cases, a garbage collector will be invoked often to clean up objects that may lead to performance overhead.

In-Memory Distributed Cache

A distributed cache is built externally to the application. It supports reads and writes to and from the data repositories, keeps frequently accessed data in RAM, and avoids continuously fetching data from the data source. Such caches can be deployed on a cluster of multiple nodes that form a single logical view.

  • In-memory distributed cache is suitable for applications running on multiple clusters where performance is key. Data inconsistency and shared memory aren’t matters of concern, as a distributed cache is deployed in the cluster as a single logical state.
  • As inter-process communication over a network is required to access the cache, latency, failures, and object serialization are overheads that can degrade performance.

2. In-memory database

In-memory database (IMDB) stores data in the main memory instead of a disk to produce quicker response times. The query is executed directly on the dataset stored in memory, thereby avoiding frequent read/writes to disk which provides better throughput and faster response times. It provides a configurable data persistence mechanism to avoid data loss.

Redis is an open-source in-memory data structure store used as a database, cache, and message broker. It offers data replication, different levels of persistence, high availability (HA), and automatic partitioning, which improves read/write throughput.

Replacing the RDBMS with an in-memory database will improve the performance of an application without changing the application layer.

3. In-Memory Data Grid

An in-memory data grid (IMDG) is a data structure that resides entirely in RAM and is distributed among multiple servers.

Key features

  • Parallel computation of the data in memory
  • Search, aggregation, and sorting of the data in memory
  • Transactions management in memory
  • Event-handling

Cache Use Cases

There are use cases where a specific caching approach should be adopted to improve the performance of the application.

1. Application Cache

Application cache caches web content that can be accessed offline. Application owners/developers have the flexibility to configure what to cache and make it available for offline users. It has the following advantages:

  • Offline browsing
  • Quicker retrieval of data
  • Reduced load on servers

2. Level 1 (L1) Cache

This is the default transactional cache per session. It is managed by the Java Persistence API (JPA) implementation or object-relational mapping (ORM) tool in use.

The L1 cache stores the entities loaded within a specific session and is cleared once the session is closed. If there are multiple transactions inside one session, the entities from all of these transactions are stored in it.

3. Level 2 (L2) Cache

The L2 cache can be configured to provide custom caches that hold the data for all entities that are to be cached. It is configured at the session-factory level and exists as long as the session factory is available. The cached data can be shared by:

  • Sessions in an application.
  • Applications on the same servers with the same database.
  • Application clusters running on multiple nodes but pointing to the same database.

4. Proxy / Load balancer cache

Enabling this reduces the load on application servers. When the same content is requested frequently, the proxy serves it from its cache rather than routing the request back to the application servers.

When a dataset is requested for the first time, the proxy saves the response from the application server to a disk cache and uses it to answer subsequent client requests without routing them back to the application server. Apache, NGINX, and F5 support proxy caching.

5. Hybrid Cache

A hybrid cache is a combination of JPA/ORM frameworks and open source services. It is used in applications where response time is a key factor.

Caching Design Considerations

  • Data loading/updating
  • Performance/memory size
  • Eviction policy
  • Concurrency
  • Cache statistics

1. Data Loading/Updating

Data loading into a cache is an important design decision to maintain consistency across all cached content. The following approaches can be considered to load data:

  • Using default function/configuration provided by JPA and ORM frameworks to load/update data.
  • Implementing key-value maps using open-source cache APIs.
  • Programmatically loading entities through automatic or explicit insertion.
  • Loading from an external application through synchronous or asynchronous communication.

2. Performance/Memory Size

Resource configuration is an important factor in achieving the performance SLA. Available memory and CPU architecture play a vital role in application performance. Available memory has a direct impact on garbage collection performance. More GC cycles can bring down the performance.

3. Eviction Policy

An eviction policy enables a cache to ensure that the size of the cache doesn’t exceed the maximum limit. The eviction algorithm decides what elements can be removed from the cache depending on the configured eviction policy thereby creating space for the new datasets.

Popular eviction algorithms used in cache solutions include:

  • Least Recently Used (LRU)
  • Least Frequently Used (LFU)
  • First In, First Out (FIFO)

4. Concurrency

Concurrent access is a common issue in enterprise applications. It creates conflicts and can leave the system in an inconsistent state, for example when multiple clients try to update the same data object at the same time during a cache refresh. A common solution is to use a lock, but this may affect performance, so optimization techniques should be considered.

5. Cache Statistics

Cache statistics are used to determine the health of the cache and provide insights into its behavior and performance. The following attributes can be used:

  • Hit Count: Indicates the number of times the cache lookup has returned a cached value.
  • Miss Count: Indicates the number of times the cache lookup has returned a null, newly loaded, or uncached value.
  • Load success count: Indicates the number of times the cache lookup has successfully loaded a new value.
  • Total load time: Indicates the time spent (in nanoseconds) loading new values.
  • Load exception count: Number of exceptions thrown while loading an entry.
  • Eviction count: Number of entries evicted from the cache.
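As an added illustration of three of the design considerations above (LRU eviction, lock-based mutual exclusion while a value is loaded, and the cache statistics attributes), here is a small self-contained Java class. It is example code written for this page, not code from the article or from any caching library; the loader function, the key/value types and the sample data in main are assumptions made for the demonstration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Function;

/**
 * Minimal in-process LRU cache with a loader function, lock-based mutual
 * exclusion on refresh, and the statistics listed in the article.
 * Example code only; not taken from any particular caching library.
 */
public final class LruLoadingCache<K, V> {
    private final int maxSize;
    private final Function<K, V> loader;   // assumed: fetches a value from the primary source
    private final ReentrantLock lock = new ReentrantLock();
    private final LinkedHashMap<K, V> store;

    // Statistics; only read or updated while holding the lock.
    private long hitCount, missCount, loadSuccessCount, loadExceptionCount, evictionCount, totalLoadTimeNanos;

    public LruLoadingCache(int maxSize, Function<K, V> loader) {
        this.maxSize = maxSize;
        this.loader = loader;
        // accessOrder=true: iteration order is least-recently-accessed first,
        // so the "eldest" entry is exactly the LRU candidate for eviction.
        this.store = new LinkedHashMap<K, V>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<K, V> eldest) {
                boolean evict = size() > LruLoadingCache.this.maxSize;
                if (evict) {
                    evictionCount++;
                }
                return evict;
            }
        };
    }

    /** Returns the cached value, loading (and caching) it on a miss. */
    public V get(K key) {
        lock.lock();   // one thread at a time: no duplicate loads of the same key
        try {
            V cached = store.get(key);   // also marks the key as most recently used
            if (cached != null) {
                hitCount++;
                return cached;
            }
            missCount++;
            long start = System.nanoTime();
            V loaded;
            try {
                loaded = loader.apply(key);
                loadSuccessCount++;
            } catch (RuntimeException e) {
                loadExceptionCount++;
                throw e;   // nothing is cached; the next lookup retries the loader
            } finally {
                totalLoadTimeNanos += System.nanoTime() - start;
            }
            if (loaded != null) {
                store.put(key, loaded);   // may trigger removeEldestEntry
            }
            return loaded;
        } finally {
            lock.unlock();
        }
    }

    /** Snapshot of the statistics, keyed by the attribute names used in the article. */
    public Map<String, Long> stats() {
        lock.lock();
        try {
            Map<String, Long> s = new LinkedHashMap<>();
            s.put("hitCount", hitCount);
            s.put("missCount", missCount);
            s.put("loadSuccessCount", loadSuccessCount);
            s.put("totalLoadTimeNanos", totalLoadTimeNanos);
            s.put("loadExceptionCount", loadExceptionCount);
            s.put("evictionCount", evictionCount);
            s.put("size", (long) store.size());
            return s;
        } finally {
            lock.unlock();
        }
    }

    public static void main(String[] args) {
        // Constructed sample loader standing in for a slow primary source (e.g. a database).
        LruLoadingCache<Integer, String> cache = new LruLoadingCache<>(2, id -> {
            if (id < 0) {
                throw new IllegalArgumentException("no such id: " + id);
            }
            return "customer-" + id;
        });
        cache.get(1);   // miss, loaded
        cache.get(2);   // miss, loaded; the cache is now full
        cache.get(1);   // hit; key 2 becomes the least recently used entry
        cache.get(3);   // miss, loaded; key 2 is evicted
        cache.get(2);   // miss again because it was evicted; key 1 is evicted
        try {
            cache.get(-1);   // loader fails: counted as a miss and a load exception
        } catch (IllegalArgumentException e) {
            // expected for the sample
        }
        System.out.println(cache.stats());
    }
}
```

Holding a single lock across the load guarantees that two threads missing on the same key do not both hit the primary source, which is the mutual-exclusion guarantee the article mentions, but it also serializes every lookup. Production cache libraries typically lock per key or per segment, which is the kind of optimization the concurrency section refers to.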

Various Caching Solutions

There are various Java caching solutions available — the right choice depends on the use case.

At GAVS, we focus on building a strong foundation of coding practices. We encourage and implement the “Design First, Code Later” principle and “Design Oriented Coding Practices” to bring in design thinking and engineering mindset to build stronger solutions.

We have been training and mentoring our talent on cutting-edge JAVA technologies, building reusable frameworks, templates, and solutions on the major areas like Security, DevOps, Migration, Performance, etc. Our objective is to “Partner with customers to realize business benefits through effective adoption of cutting-edge JAVA technologies thereby enabling customer success”.

About the Author –

Sivaprakash is a solutions architect with strong solutions and design skills. He is a seasoned expert in JAVA, Big Data, DevOps, Cloud, Containers, and Micro Services. He has successfully designed and implemented a stable monitoring platform for ZIF. He has also designed and driven Cloud assessment/migration, enterprise BRMS, and IoT-based solutions for many of our customers. At present, his focus is on building ‘ZIF Business’ a new-generation AIOps platform aligned to business outcomes.

IoT Adoption during the Pandemic

Naveen KT

From lightbulbs to cities, IoT is adding a level of digital intelligence to the things around us. The Internet of Things (IoT) is the set of physical devices connected to the internet, all collecting and sharing data that can then be used for various purposes. The arrival of super-cheap computers and the ubiquity of wireless networks are behind the widespread adoption of IoT. It is possible to turn any object, from a pill to an airplane, into an IoT-enabled device. IoT makes devices smarter by letting them ‘sense’ and communicate without any human involvement.

Let us look at the developments that enabled the commercialization of IoT.

History

The idea of integrating sensors and intelligence to basic objects dates to the 1980s and 1990s. But the progress was slow because the technology was not ready. Chips were too big and bulky and there was no way for an object to communicate effectively.

Processors had to become cheap and power-frugal enough to be effectively disposable before it finally became cost-effective to connect billions of devices. The adoption of RFID tags and IPv6 was a necessary step for IoT to scale.

Kevin Ashton coined the phrase ‘Internet of Things’ in 1999, although it took a decade for the technology to catch up with his vision. According to Ashton, “The IoT integrates the interconnectedness of human culture (our things) with our digital information system (internet). That’s the IoT”.

Early precursors of IoT include ‘Blogjects’ (objects that blog and record data about themselves to the internet), ubiquitous computing (or ‘ubicomp’), invisible computing, and pervasive computing.

How big is IoT?

IDC predicts that there will be 41.6 billion connected IoT devices by 2025. It also suggests industrial and automotive equipment represent the largest opportunity of connected ‘things’.

Gartner predicts that the enterprise and automotive sectors will account for 5.8 billion devices this year.

However, the COVID-19 pandemic has further enhanced the need for IoT-enabled devices to help the nations tackle the crisis.

IoT for the Government

Information about the movement of citizens is urgently required by governments to track the spread of the virus and potentially monitor their quarantine measures. Some IoT operators have solutions that could serve these purposes.

  • Telia’s Division X has developed Crowd Insights, which provides aggregated smartphone data to city and transport authorities in the Nordic countries. The tool is being used to track the movement of citizens during the quarantine.
  • Vodafone provides insights on traffic congestion.
  • Telefonica developed Smart steps, which aggregates data on footfall and movement for the transport, tourism, and retail sectors.

Personal data can also help in tracking clusters of infection where privacy regulations are changed to allow it. For example, in Taiwan, high-risk quarantined patients were monitored through their mobile phones to ensure compliance with quarantine rules. In South Korea, officials track infected citizens and alert others if they come into contact with them. The government of Israel went as far as passing an emergency law to monitor the movement of infected citizens via their phones.

China is already using mass temperature scanning devices in public areas like airports. A team of researchers at UMass Amherst is testing a device that can analyze coughing sounds to identify the presence of flu-like symptoms among crowds.

IoT in Health care

COVID-19 could be the trigger to explore new solutions and be prepared for any such future pandemics, just as the SARS epidemic in 2003 which spurred the governments in South Korea and Taiwan to prepare for today’s problems.

Remote patient monitoring (RPM) and telemedicine could be helpful in managing a future pandemic. For example, patients with chronic diseases who are required to self-isolate to reduce their exposure to COVID-19 but need continuous care would benefit from RPM. Operators like Orange, Telefónica, and Vodafone already have some experience in RPM.

Connected thermometers are being used in hospitals to collect data while maintaining a social distance. Smart wearables are also helpful in preventing the spread of the virus and responding to those who might be at risk by monitoring their vital signs.

Telehealth is widely adopted in the US, and the authorities there are relaxing reimbursement rules and regulations to encourage the extension of specific services. These include the following.

  • Medicare, the US healthcare program for senior citizens, has temporarily expanded its telehealth service to enable remote consultations.
  • The FCC has made changes to the Rural Health Care (RHC) and E-Rate programs to support telemedicine and remote learning. Network operators will be able to provide incentives or free network upgrades that were previously not permitted, for example, for hospitals that are looking to expand their telemedicine programs.

IoT for Consumers

The IoT promises to make our environment smarter, measurable, and interactive. COVID-19 is highly contagious, and it can be transmitted from one person to another even by touching objects used by an infected person. The WHO has instructed us to disinfect and sanitize high-touch objects. IoT presents us with an ingenious solution to avoid touching these surfaces altogether. Hands-free and sensor-enabled devices and solutions like smart lightbulbs, door openers, smart sinks, and others help prevent the spread of the virus.

Security aspects of IoT

Security is one of the biggest issues with the IoT. These sensors collect extremely sensitive data, like what we say and do in our own homes and where we travel. Many IoT devices never receive security patches, which means they are permanently at risk. Hackers are now actively targeting IoT devices such as routers and webcams because their inherent lack of security makes them easy to compromise and paves the way for giant botnets.

IoT bridges the gap between the digital and the physical world which means hacking into devices can have dangerous real-world consequences. Hacking into sensors and controlling the temperature in power stations might end up in catastrophic decisions and taking control of a driverless car could also end in disaster.

Overall IoT makes the world around us smarter and more responsive by merging the digital and physical universe. IoT companies should look at ways their solutions can be repurposed to help respond to the crisis.

Naveen is a software developer at GAVS. He teaches underprivileged children and is interested in giving back to society in as many ways as he can. He is also interested in dancing, painting, playing keyboard, and is a district-level handball player.

Combating a health crisis with digital health technologies

Bindu Vijayan

The current pandemic has exposed yawning gaps in the systems of even the best-developed countries when it comes to responding to virulent pathogens. The world has seen SARS and Ebola in fairly recent times, and with the COVID-19 pandemic it is becoming clear that technology can help combat and overcome future epidemics if we plan and strategize with these technologies. They bring efficiency to our response times, and we are currently learning the importance of using them for prevention as well. A small example: the Canadian AI health monitoring platform BlueDot’s outbreak risk software is said to have predicted the outbreak of the pandemic a whole week before America (which announced it on Jan 8) and the WHO (on Jan 9) did. BlueDot predicted the spread of COVID-19 from Wuhan to other cities like Bangkok and Seoul by parsing huge volumes of international news (in local languages). It was further able to predict where the infection would spread by accessing global airline data to trace and track where infected people were headed.

Contrary to earlier times, today it takes only a few hours to sequence a virus, thanks of course to technology. Scientists no longer have to cultivate a sufficient batch of viruses in order to examine them; today its DNA can be obtained from an infected person’s blood sample or saliva. India’s National Institute of Animal Biotechnology (NIAB), Hyderabad, has developed a biosensor that can detect the novel coronavirus in saliva samples. The new portable device, called ‘eCovSens’, can detect coronavirus antigens in human saliva within 30 seconds using just 20 microlitres of sample. Startups like Canada’s GenMarkDx, US-based Aperiomics and XCR Diagnostics, Singapore-based MiRXES, and Poland’s SensDx have introduced top-notch diagnostic solutions. Identifying infected people in order to provide strict medical care will be made a lot faster with these diagnostic kits.

Genome sequencing is also vital to fighting the pandemic. The genome of this virus was completely sequenced by Chinese scientists in under a month from the detection of the first case, and from then on biotech companies created synthetic copies of the virus for research. Today creating a synthetic copy of a single nucleotide costs under 10 cents (compared with $10 earlier), so it is far quicker and cheaper, which means that finding appropriate and adequate medication is much faster and will help save more lives.

Healthcare workers are paying a huge price: they run the risk of getting infected, there is often a paucity of PPE, and in some countries they even face assault from crowds that are angry and confused at the situation. Medical workers are targeted by mobs, and there are instances where communities don’t allow them to come back to their homes after duty, shops don’t sell them necessities, and so on. Medical robots can be the real game-changers in such situations. Deploying robots to do the rescue work in such scenarios is becoming a much sought-after option wherever possible. Robots are the answer to such difficult situations because they are impervious to infection. They allow physicians to treat and communicate with patients through a screen, and the patient’s vitals are also recorded by the robot, so patients can be monitored very efficiently this way.

Drones for deliveries, especially medical deliveries, can also be used to reach isolation or quarantine zones. Italy made a big success of this. Italy’s coronavirus epicenter, Bergamo, in the Lombardy region, had to resort to people’s temperatures being read by drones. ‘The Star’ reported: “once a person’s temperature is read by the drone, you must still stop that person and measure their temperature with a normal thermometer,” said Matteo Copia, a police commander in Treviolo, near Bergamo. Drones are also being used for surveillance: in areas where people were not complying with social distancing and lockdown restrictions, authorities are using drones to monitor people’s movement and break up social gatherings that could be a risk to society. Drones are also being used for disinfectant spraying, broadcasting messages, medicine and grocery deliveries, and so on.

Interactive maps give us data on the pandemic in real time, and monitoring a pandemic this widespread and dangerous is crucial to stopping or controlling its spread. These maps are made available to everybody, and truth and transparency in a situation of such epic proportions are necessary in order to avoid panic within communities. We now have apps for tracking the virus spread, fatalities and recovery rates, and apps will be developed in the future that warn us about impending outbreaks and the geographies and flight routes that we must avoid.

Implementing these technologies will enable us to manage and conquer situations like the current pandemic we are going through. As Bernardo Mariano Junior, Director of WHO’s Department of Digital Health and Innovation, rightly said “The world needs to be well prepared and united in the spirit of shared responsibility, to digitally detect, protect, respond, and prepare the recovery for COVID 19. No single entity or single country initiative will be sufficient. We need everyone.”

Smart Spaces Tech Trends for 2020

Priyanka Pandey

These are unprecedented times. The world hasn’t witnessed such a disruption in recent history. It is times like these that test the strength and resilience of our community. While we’ve been advised to maintain social distancing to flatten the curve, we must keep the wheels of the economy rolling.

In my previous article, I covered the ‘People-Centric’ Tech Trends of the year, i.e., Hyper automation, Multiexperience, Democratization, Human Augmentation and Transparency and Traceability. All of those hold more importance now in the light of current events. Per Gartner, Smart Spaces enable people to interact with people-centric technologies. Hence, the next Tech Trends in the list are about creating ‘Smart Spaces’ around us.

Smart spaces, in simple words, are interactive physical environments decked out with technology that act as a bridge between humans and the digital world. The most common example of a smart space is a smart home, also called a connected home. Other environments that could be smart spaces are offices and communal workspaces; hotels, malls, hospitals, public places such as libraries and schools, and transportation portals such as airports and train stations. Listed below are the 5 Smart Spaces technology trends which, per Gartner, have great potential for disruption.

Trend 6: Empowered Edge

Edge computing is a distributed computing topology in which information processing and data storage are located closer to the sources, repositories and consumers of this information. Empowered Edge is about moving towards a smarter, faster and more flexible edge by using more adaptive processes, fog/mesh architectures, dynamic network topology and distributed cloud. This trend will be introduced across a spectrum of endpoint devices which includes simple embedded devices (e.g., appliances, industrial devices), input/output devices (e.g., speakers, screens), computing devices (e.g., smartphones, PCs) and complex embedded devices (e.g., automobiles, power generators). Per Gartner predictions, by 2022, more than 50% of enterprise-generated data will be created and processed outside the data center or cloud. This trend also includes the next-generation cellular standard after 4G Long Term Evolution (LTE), i.e., 5G. The concept of edge also percolates to the digital-twin models.

Trend 7: Distributed Cloud

Gartner defines a distributed cloud as the “distribution of public cloud services to different locations outside the cloud providers’ data centers, while the originating public cloud provider assumes responsibility for the operation, governance, maintenance and updates.” Cloud computing has always been viewed as a centralized service, although private and hybrid cloud options complement this model. Implementing a private cloud is not an easy task, and hybrid cloud breaks many important cloud computing principles such as shifting responsibility to the cloud provider, exploiting the economics of cloud elasticity and using the top-class services of large cloud service providers. A distributed cloud provides services in a location that meets an organization’s requirements without compromising on the features of a public cloud. This trend is still in the early stages of development and is expected to build in three phases:

Phase 1: Services will be provided from a micro-cloud which will have a subset of services from its centralized cloud.

Phase 2: An extension of phase 1, where the service provider teams up with a third party to deliver a subset of services from the centralized cloud.

Phase 3: Distributed cloud substations will be set up which can be shared by different organizations. This improves the economics, as the installation cost can be split among the companies.

Trend 8: Autonomous Things

Autonomous can be defined as being able to control oneself. Similarly, Autonomous Things are devices that can operate by themselves without human intervention, using AI to automate all their functions. The most common of these devices are robots, drones, and aircraft. These devices can operate across different environments and will interact more naturally with their surroundings and with people. While exploring use cases of this technology, it is very important to understand the different things the device will interact with, such as people, terrain obstacles or other autonomous things. Another aspect to consider is the level of autonomy that can be applied. The different levels are: no automation, human-assisted automation, partial automation, conditional automation, high automation and full automation. With the proliferation of this trend, a shift is expected from stand-alone intelligent things to collaborative intelligent things, in which multiple devices work together to deliver the final output. The U.S. Defense Advanced Research Projects Agency (DARPA) is studying the use of drone swarms to defend or attack military targets.

Trend 9: Practical Blockchain

Most of us have heard about blockchain technology. It is a tamper-proof, decentralized, distributed database that stores blocks of records linked together using cryptography. It holds the power to take industries to another level by enabling trust, providing transparency, reducing transaction settlement times and improving cash flow. Blockchain also makes it easy to trace assets back to their origin, reducing the chances of their being substituted with counterfeit products. Smart contracts are used as part of the blockchain and can trigger actions on encountering a change in the blockchain, such as releasing payment when goods are received. New developments are being introduced in public blockchains, but over time these will be integrated with permissioned blockchains, which support membership, governance and operating model requirements. Some of the use cases of this trend that Gartner has identified are: asset tracking, identity management/Know Your Client (KYC), internal record keeping, shared record keeping, smart cities/the IoT, trading, blockchain-based voting, cryptocurrency payments and remittance services. Per the 2019 Gartner CIO Survey, 60% of CIOs expect some form of blockchain deployment in the next three years.

Trend 10: AI Security

Per Gartner, over the next five years AI-based decision-making will be applied across a wide set of use cases, which will result in a tremendous increase in potential attack surfaces. Gartner provides three key perspectives on how AI impacts security: protecting AI-powered systems, leveraging AI to enhance security defenses, and anticipating negative use of AI by attackers. ML pipelines have different phases, and each of these phases carries its own kinds of risk. AI-based security tools can be a very powerful extension to the toolkit, with use cases such as security monitoring and malware detection. On the other hand, there are many AI-related attack techniques, including training data poisoning, adversarial inputs and model theft, and per Gartner predictions, through 2022, 30% of all AI cyberattacks will leverage these techniques. Every innovation in AI can be exploited by attackers to find new vulnerabilities. A few of the AI attacks that security professionals must explore are phishing, identity theft and DeepExploit.

One of the most important things to note here is that the trends listed above cannot exist in isolation. IT leaders must analyse what combination of these trends will drive the most innovation and strategy fitting it into their business models. Soon we will have smart spaces around us in forms of factories, offices and cities with increasingly insightful digital services everywhere for an ambient experience.

Sources:

https://www.pcmag.com/news/gartners-top-10-strategic-technology-trends-for-2020

About the Author:

Priyanka is an ardent feminist and a dog-lover. She spends her free time cooking, reading poetry and exploring new ways to conserve the environment.