“An unsecured API is literally an ‘all you can eat buffet’ for hackers.”
What is API security?
API security is the protection of network-exposed APIs that an organization both owns and uses. APIs are becoming the preferred method for developing new-age applications. They are one of the most common ways for microservices, container-like systems, and apps to interact. APIs are developed using REST or SOAP. However, the true strength of API security depends on how they are implemented.
REST API Security Vs SOAP API Security
REST APIs use HTTP and support Transport Layer Security (TLS) encryption. TLS is a standard that makes the connection private and checks that the data transferred between the two systems (client and server) is encrypted. A REST API is faster than SOAP because of its stateless nature: it doesn’t need to store or repackage data.
SOAP APIs use built-in protocols known as Web services. These protocols are defined using a rule set guided by confidentiality and authentication. SOAP API has not been around for as long as REST API. SOAP API is more secure than REST API as it uses Web services security for transmission along with SSL.
Why is API security important?
Organizations use APIs to connect services and transfer data. Major data breaches through APIs come from broken, exposed, or hacked APIs. How API security is applied depends on what kind of data is transferred.
How does API security work?
API security depends on authentication and authorization. Authentication is the first step; it verifies that the client application has the required permission to use the API. Authorization is the subsequent step that determines what data and actions an authenticated application can access while interacting with the API.
APIs should be developed with protective features to reduce the system’s vulnerability to malicious attacks during API calls.
The developer is responsible for ensuring the developed API validates all the input collected from the user during API calls. Prepared statements with bind variables are one of the most effective ways to protect an API from SQL injection. XSS can be handled by sanitizing the user input from the API call. Sanitizing the inputs helps to ensure that potential XSS vulnerabilities are minimized.
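The following is an added example, not code from the original article, showing the two defenses just described side by side: a lookup that concatenates user input into SQL (injectable) next to the same lookup written as a prepared statement with a bind variable, plus HTML encoding of a user-supplied field before it is rendered. The table, the user rows, the injection string and the markup string are all constructed for the demo; only the Python standard library is used.

```python
# Added example (not from the original article): SQL injection via string
# formatting versus a prepared statement with a bind variable, plus output
# encoding so that a user-supplied name cannot inject markup into a page.
import html
import sqlite3


def make_db():
    """Constructed sample table with two users (in-memory, for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the SQL by interpolating untrusted input: the classic injection."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Prepared statement with a bind variable: the input is data, never SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    """Encode for an HTML context so a name containing markup is shown as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo():
    """Run both lookups against a constructed injection string and return counts."""
    conn = make_db()
    payload = "x' OR '1'='1"                # constructed injection string
    markup = "<script>alert(1)</script>"    # constructed XSS-style input
    return {
        # The vulnerable query becomes WHERE name = 'x' OR '1'='1' and leaks every row.
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
        # The bound parameter is compared literally; no user has that name.
        "safe_rows": len(lookup_safe(conn, payload)),
        "safe_normal": len(lookup_safe(conn, "alice")),
        "greeting": render_greeting(markup),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the output is that the vulnerable lookup returns the whole table for the injection string while the prepared statement returns nothing, and that the greeting contains `&lt;script&gt;` rather than a live tag.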
Best Practices for Secure APIs
Some basic security practices and well-established security controls for APIs that are shared publicly are as follows:
Prioritize security: Unsecured APIs expose the organization to potential loss, so make security a priority and build APIs securely as they are being developed.
Encrypt traffic using TLS: Some organizations may choose not to encrypt API payload data that is considered to be non-sensitive, but for organizations whose API exchange sensitive data, TLS encryption should be essential.
Validate input: Never pass input from an API through to the endpoint without validating it first.
Use a WAF: Ensure that the web application firewall can understand API payloads.
Use tokens: Establish trusted identities and then control access to services and resources by using tokens.
Use an API gateway: API gateways act as the major point of enforcement for API traffic. A good gateway will allow you to authenticate traffic as well as control and analyze how your APIs are used.
Modern API Data Breach
USPS Corporate Database Exposure
The weakness allowed an attacker to query the USPS website and scrape a database of over 60 million corporate users, including email addresses, phone numbers, account numbers, etc.
The issue was authentication-related, and it allowed unauthorized access to an API service called ‘Informed Visibility’, which was designed to deliver real-time tracking data for large-scale shipping operations.
This tracking system was tied into a web API in a way that let users change the search parameters and view, and in some cases even modify, the information of other users. Since there wasn’t a robust anti-scraping system in place, this mass exposure was compounded by the automated and unfettered access available.
Providers giving extreme power to a specific service or function without securing every permutation of its interaction flow can lead to such exploits. To mitigate API-related risks, code should be written with the assumption that the APIs might be abused by both internal and external parties.
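As an added example (not code from the article or from USPS), the two steps from the "How does API security work?" section and the token practice from the list above, applied to the kind of endpoint described in the breach: a tracking lookup where the tracking id is a caller-controlled search parameter. The token format (an HMAC-signed claims blob), the signing key, the shipment records and their owners are all constructed assumptions for the demo. The authorization check is the part that would have prevented changing a parameter to read another customer's record.

```python
# Added example (not from the original article): token authentication followed
# by object-level authorization on a tracking lookup. Key, token format and
# records are constructed for the demo; only the standard library is used.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-do-not-reuse"   # assumption: held only by the API server


def issue_token(subject, scopes, ttl=3600, now=None):
    """Mint a signed token: base64(claims) '.' hex(HMAC-SHA256 over that base64)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scopes": scopes, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authenticate(token, now=None):
    """Step 1 (authentication): return the claims only if the signature verifies
    and the token is unexpired; otherwise None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


# Constructed shipment records keyed by tracking id, each with its owning customer.
SHIPMENTS = {
    "TRK-1001": {"owner": "acme", "status": "in transit"},
    "TRK-2002": {"owner": "globex", "status": "delivered"},
}


def get_shipment(token, tracking_id, now=None):
    """Step 2 (authorization): the caller chooses tracking_id, so the record is
    returned only when the authenticated subject owns it. Returns (status, body)."""
    claims = authenticate(token, now)
    if claims is None:
        return 401, {"error": "unauthenticated"}
    if "track:read" not in claims["scopes"]:
        return 403, {"error": "missing scope"}
    record = SHIPMENTS.get(tracking_id)
    if record is None or record["owner"] != claims["sub"]:
        # Same answer for "not yours" and "does not exist": no enumeration oracle.
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    tok = issue_token("acme", ["track:read"])
    print(get_shipment(tok, "TRK-1001"))   # the caller's own shipment
    print(get_shipment(tok, "TRK-2002"))   # someone else's: 404, not the record
```

Note that the owner check is per object, not per endpoint: having a valid token with the read scope is necessary but not sufficient, which is exactly the distinction between authentication and authorization the section draws.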
The pandemic has indeed impelled organizations to rethink the way they approach traditional business operations. The market realigned businesses to adapt to the changing environment and optimize their costs. For the past couple of months, nearly every organization implemented work from home as a mandate. This shift in operations had both highs and lows in terms of productivity. Almost a year into the pandemic, the impacts are yet to be fully understood. The productivity realized from remote workers, month on month, shaped the policies and led to investments in different tools that aided collaboration between teams.
Impact on Delivery Centers
Technology companies have been leading the charge towards remote working as many have adopted permanent work from home options for their employees. While identifying cost avenues for optimization, office space allocation and commuting costs are places where redundant operational cash flow can be invested to other areas for scaling.
The availability and speed of internet connections across geographies have aided the transformation of office spaces for better utilization of the budget. Considering the current economy, office spaces are becoming expensive and inefficient. The Annual Survey by JLL Enterprises in 2020 reveals that organizations spend close to $10,000 on global office real estate cost per employee per year on average. As offices have adopted social distancing policies, the need for more space per employee would result in even higher costs during these pandemic operations. To optimize their budgets, companies have reduced their allocated spaces and introduced regional contractual sub-offices to reduce the commute expenses of their employees in the big cities.
With this, the notion of a 9-5 job is slowly fading, and people are being paid based on their function rather than the time they spend at work. The flexibility of working hours, with performance linked to delivery, has seen momentum in terms of productivity per resource. An interesting fact that arose out of this pandemic economy is that the number of remote workers in a country is proportional to the country’s GDP. A work from home survey undertaken by The Economist in 2020 finds that only 11% of jobs can be done from home in Cambodia, 37% in America, and 45% in Switzerland.
The fact of the matter is that a privileged minority has been enjoying work from home for the past couple of months, while a vast majority of the semi-urban and rural population don’t have the infrastructure to support their functional roles. For better optimization and resource utilization, India would need to invest heavily in these resources to catch up on the deficit GDP from the past couple of quarters.
Long-term work from home options challenges the foundational fabric of our industrial operations. It can alter the shape and purpose of cities, change workplace gender distribution and equality. Above all, it can change how we perceive time, especially while estimating delivery.
Overall Pulse Analysis
Many employees prefer to work from home as they can devote extra time to their family, while this option has been found to have a detrimental impact on organizational culture, creativity, and networking. Making decisions based on skewed information would have an adverse effect on culture, productivity, and attrition.
To gather sufficient input for decisions, PwC conducted a remote work survey in 2020 called “When everyone can work from home, what’s the office for”. Here are some insights from the report.
Many businesses have aligned themselves to accommodate both on-premise and remote working model. Organizations need to figure out how to better collaborate and network with employees in ways to elevate the organization culture.
As offices are slowly transitioning to a hybrid model, organizations have decentralized how they operate. They have shifted from working in a common centralized office to contractual office spaces as per employee role and function, to better allocate their operational budget. The survey found that 72% of the workers would like to work remotely at least 2 days a week. This showcases the need for a hybrid workspace in the long run.
Maintaining & Sustaining Productivity
During the transition, keeping a check on the efficiency of remote workers was prime. The absence of these checks would jeopardize the delivery, resulting in a severe impact on customer satisfaction and retention.
This number, however, could be far less if the scale of the survey were higher. This in turn signifies that productivity is not uniform and requires course-corrective action to maintain delivery. An initial approach from an employee’s standpoint would result in better results. The measures found to help remote workers be more productive were as follows.
Many employees point out that greater flexibility of working hours and better equipment would help increase work productivity.
Most of the productivity hindrances can be solved by effective employee management. How a particular manager supervises their team members has a direct correlation towards their productivity and satisfaction to the project delivery.
Theory X & Theory Y
Theory X and Theory Y were introduced by Douglas McGregor in his book, “The Human Side of Enterprise”. He talks about two styles of management in his research – Authoritarian (Theory X) and Participative (Theory Y). The theory heavily believes that Employee Beliefs directly influence their behavior in the organization. The approach that is taken by the organization will have a significant impact on the ability to manage team members.
For theory X, McGregor speculates that “Without active intervention by management, people would be passive, even resistant to organizational needs. They must therefore be persuaded, rewarded, punished, controlled and their activities must be directed”
Work under this style of management tends to be repetitive and motivation is done based on a carrot and stick approach. Performance Appraisals and remuneration are directly correlated to tangible results and are often used to control staff and keep tabs on them. Organizations with several tiers of managers and supervisors tend to use this style. Here authority is rarely delegated, and control remains firmly centralized.
Even though this style of management may seem outdated, big organizations find it unavoidable to adopt due to the sheer number of employees on the payroll and tight delivery deadlines.
When it comes to Theory Y, McGregor firmly believes that objectives should be arranged so that individuals can achieve their own goals and happily accomplish the organization’s goal at the same time.
Organizations that follow this style of management would have an optimistic and positive approach to people and problems. Here the team management is decentralized and participative.
Working under such organizational styles bestow greater responsibilities on employees and managers encourage them to develop skills and suggest areas of improvement. Appraisals in Theory Y organizations encourage open communication rather than to exercise control. This style of management has been popular these days as it results in employees wanting to have a meaningful career and looking forward to things beyond money.
Balancing X over Y
Even though McGregor suggests that Theory Y is better than Theory X, there are instances where managers would need to balance the styles depending upon how the team functions, even after the implementation of certain management strategies. This is very important in a remote working context, as the time for intervention would be too late before it impacts delivery. Even though Theory Y has creativity and discussion in its DNA, it has its limitations in terms of consistency and uniformity. An environment with varying rules and practices could be detrimental to the quality and operational standards of an organization. Hence maintaining a balance is important.
When we look at a typical cycle of Theory X, we can find that the foundational beliefs result in controlling practices, appearing in employee resistance which in turn delivers poor results. The results again cause the entire cycle to repeat, making the work monotonous and pointless.
Upon identifying resources that require course correction and supervision, understanding the root cause and subsequently adjusting your management style to solve the problem would be more beneficial in the long run. Theory X must only be used in dire circumstances requiring a course correction. The balance we need to maintain is in how far we can establish control without provoking resistance that would impact the end goal.
Theory X and Theory Y can be directly correlated to Maslow’s hierarchy of needs. The reason why Theory Y is superior to Theory X is that it focuses on the higher needs of the employee rather than their foundational needs. Theory Y managers gravitate towards making a connection with their team members on a personal level by creating a healthier atmosphere in the workplace. Theory Y brings in a pseudo-democratic environment, where employees can design, construct and publish their work in accordance with their personal and organizational goals.
When it comes to Theory X and Theory Y, striking a balance will not be perfect. The American Psychologist Bruce J Avolio, in his paper titled “Promoting more integrative strategies for leadership theory-building” speculates, “Managers who choose the Theory Y approach have a hands-off style of management. An organization with this style of management encourages participation and values an individual’s thoughts and goals. However, because there is no optimal way for a manager to choose between adopting either Theory X or Theory Y, it is likely that a manager will need to adopt both approaches depending on the evolving circumstances and levels of internal and external locus of control throughout the workplace”.
The New Normal 3.0
As circumstances keep changing by the day, organizations need to adapt to the rate at which the market is changing to envision new working models that take human interactions into account as well. The crises of 2020 made organizations build up their workforce capabilities that are critical for growth. Organizations must relook at their workforce by reskilling them in different areas of digital expertise as well as emotional, cognitive, and adaptive skills to push forward in our changing world.
About the Author –
Ashish Joseph is a Lead Consultant at GAVS working for a healthcare client in the Product Management space. His areas of expertise lie in branding and outbound product management.
He runs two independent series called BizPective & The Inside World, focusing on breaking down contemporary business trends and Growth strategies for independent artists on his website www.ashishjoseph.biz
Outside work, he is very passionate about basketball, music, and food.
A 2020 headline read, ‘The number of female CEOs in the Fortune 500 hits an all-time record’. It sounds like great news until you start reading further. Only 37 of the 500 companies on the list were led by female CEOs, which is just 7.4%. But it also marks a considerable jump from the preceding years’ rates, which were 6.6% in 2019 and just 4.8% in 2018, i.e., 33 and 24 companies respectively. Another report by McKinsey & Co. on the advancing of women’s equality in the Asia-Pacific region tells us that just around 25% of India’s workforce is female, and only 5% of them make it to the top. This decline in percentage is due to many women dropping out of their jobs. One of the major factors in women taking this decision is ‘sexism at the workplace’.
It has made its way into the ‘work-from-home’ world as well. Imagine this scenario: In a discussion about hiring employees for a new project, a male committee member says, “I think we should hire more men as this project requires spending extra time and effort“. In this case, it is not very difficult to identify the prejudice. But let’s consider another scenario- there is a need to move some machines for which a person asks for help saying, “I need a few strong men to help me lift this“. Most of the time people will not realize how problematic this statement is. This is an example of ‘gender microaggression’. But what exactly is a microaggression? Microaggression is verbal or nonverbal behavior that, intentionally or unintentionally, can communicate denigratory behavior towards the members of a minority/oppressed group which often goes unnoticed and unreported. In simple words, it is a form of discrimination that is subtle yet harmful. There are mainly 3 forms of Microaggressions: microassaults (purposeful discriminatory actions), microinsults (communicate a covert insulting message), and microinvalidations (dismiss the thoughts of certain groups). Different kinds of gender microaggressions are sexual objectification, second-class citizenship, use of sexist language, assumption of inferiority, restrictive gender roles, invisibility, sexist humor/jokes. According to Australia’s sex discrimination commissioner, Kate Jenkins, people typically don’t raise their voice against everyday sexism because it can be seen as too small to make a fuss about, but it matters. As the Women in the Workplace report also reflects, “Microaggressions can seem small when dealt with one by one. But when repeated over time, they can have a major impact.”
Let’s go back to the above example for people who could not identify what was wrong in that statement. When people use phrases like ‘strong men’, it implies that only men are strong and, conversely, that women are weak. This statement does not have to be focused on gender at all. It can be rephrased as “I need a few strong people to help me lift this”, and people around can determine for themselves who the strong helpers will be. A few other examples of common gender-related microaggressions are:
Mansplaining – Explaining a subject to a woman in a condescending, overconfident, and often oversimplified manner with a presumption that she wouldn’t know about it.
Manterrupting – Unnecessary interruption of a woman by a man whenever she is trying to convey her ideas or thoughts.
Bropropriating – A man taking a woman’s idea and showing it as his own hence, taking all the credit for it.
‘Boys will be boys’ – A phrase used to dismiss any traditionally masculine behavior and not holding men accountable for their wrong deeds.
Using differentiated words when describing women and men, such as ‘Bossy’ versus ‘Leader’, ‘Annoying’ versus ‘Passionate’.
The pandemic has given way to a new surge of microaggressions for working women. The law firm Slater and Gordon conducted a poll of 2,000 remote workers and found that 35% of women reported experiencing at least one sexist demand from their employer since the lockdown started. For video conferences, some women were asked to wear more make-up or do something to their hair, while others were asked to dress more provocatively. Their bosses also tried to justify this by saying it could ‘help win business’, or that it was important to ‘look nice for the team’. Nearly 40% said these demands were targeted at women rather than equally at their male peers. Also, a lot of women are being micromanaged by their managers while their male colleagues are not. This sends a message of distrust towards them. Research has indicated that experiences with these microaggressions, and many others not mentioned above, are related to a negative impact on standard of living, physical health, and psychological health, such as unequal wages, migraines, heart disease, depression, anxiety, and body image dissatisfaction. As a result, women who experience such insidious, everyday forms of sexist discrimination are three times more likely to regularly think about leaving the organization. Hence, sexism can not only impact the individual but also the overall performance and working culture of the organization. Eliminating such behavior at the physical and virtual workplace is extremely important; it will enable the organization to break down the barriers to equal access to career and leadership opportunities for women, and will help include diverse thinking, perspectives, and experiences in the workplace at every level. As an individual, the most basic yet effective thing to do would be to develop an honest awareness of our own biases and stereotypes.
“Unless we tackle everyday sexism, the most innovative policies and initiatives designed to advance gender equality and inclusive and effective organisations will not deliver the change we need.” – Kate Jenkins
Here’s a small story of grace and grit which might inspire some, to take a stand against such gender-related microaggressions. Back in the 1970s, when feminism was a word unheard of, an incident took place. A woman saw a job advertisement by a telecom company, which said it required only male engineers. On seeing this requirement, she wrote back a postcard to the company’s Chairman questioning the gender biases. She was then called for a special interview, where they told her their side of the story – “We haven’t hired any women so far”. To which she replied, “You must start from somewhere.” Her name was Sudha Murty, who is now Chairperson of Infosys Foundation.
So, the next time when conversing with a colleague, consider all of this and be kind!
About the Author –
Priyanka is an ardent feminist and a dog-lover. She spends her free time cooking, reading poetry, and exploring new ways to conserve the environment.
In this pandemic economy, the topmost priorities for most companies are to make sure the operations costs and business processes are optimized and streamlined. Organizations must be more proactive than ever and identify gaps that need to be acted upon at the earliest.
The industry has been striving towards efficiency and effectiveness in its operations day in and day out. As a reliability check to ensure operational standards, many organizations consider the following levers:
High Application Availability & Reliability
Optimized Performance Tuning & Monitoring
Operational gains & Cost Optimization
Generation of Actionable Insights for Efficiency
Workforce Productivity Improvement
Organizations that have prioritized the above levers in their daily operations require dedicated teams to analyze different silos and implement solutions that provide results. Running projects of this complexity affects the scalability and monitoring of these systems. This is where AIOps platforms come in, providing customized solutions for the growing needs of all organizations, regardless of size.
Deep Dive into AIOps
Artificial Intelligence for IT Operations (AIOps) is a platform that provides multilayers of functionalities that leverage machine learning and analytics. Gartner defines AIOps as a combination of big data and machine learning functionalities that empower IT functions, enabling scalability and robustness of its entire ecosystem.
These systems transform the existing landscape to analyze and correlate historical and real-time data to provide actionable intelligence in an automated fashion.
AIOps platforms are designed to handle large volumes of data. The tools offer various data collection methods, integration of multiple data sources, and generate visual analytical intelligence. These tools are centralized and flexible across directly and indirectly coupled IT operations for data insights.
The platform aims to bring an organization’s infrastructure monitoring, application performance monitoring, and IT systems management process under a single roof to enable big data analytics that give correlation and causality insights across all domains. These functionalities open different avenues for system engineers to proactively determine how to optimize application performance, quickly find the potential root causes, and design preventive steps to avoid issues from ever happening.
AIOps has transformed the culture of IT war rooms from reactive to proactive firefighting.
Industrial Inclination to Transformation
The pandemic economy has challenged the traditional way companies choose their transformational strategies. Machine learning-powered automation for creating an autonomous IT environment is no longer a luxury. The use of mathematical and logical algorithms to derive solutions and forecasts for issues has a direct correlation with the overall customer experience. In this pandemic economy, customer attrition has a serious impact on annual recurring revenue. Hence, organizations must reposition their strategies to be more customer-centric in everything they do. Thus, providing customers with best-in-class service coupled with continuous availability and enhanced reliability has become an industry standard.
As reliability and scalability are crucial factors for any company’s growth, cloud technologies have seen growing demand. This shift of core business workloads to cloud premises has made AIOps platforms more accessible and easier to integrate. With the handshake between analytics and automation, AIOps has become a transformative technology investment that any organization can make.
As organizations scale in size, so do the workforce and the complexity of the processes. The increase in size often burdens organizations with time-pressed teams under high delivery pressure and reactive housekeeping strategies. An organization must be ready to meet present and future demands with systems and processes that scale seamlessly. This is why AIOps platforms serve as a multilayered functional solution that integrates existing systems to manage and automate tasks with efficiency and effectiveness. When scaling results in process complexity, AIOps platforms convert that complexity into effort savings and productivity enhancements.
Across the industry, many organizations have implemented AIOps platforms as transformative solutions to help them embrace their present and future demand. Various studies have been conducted by different research groups that have quantified the effort savings and productivity improvements.
The AIOps Organizational Vision
As the digital transformation race has been in full throttle during the pandemic, AIOps platforms have also evolved. The industry did venture upon traditional event correlation and operations analytics tools that helped organizations reduce incidents and the overall MTTR. AIOps has been relatively new in the market, as Gartner coined the phrase in 2016. Today, AIOps has attracted a lot of attention from multiple industries analyzing the feasibility of implementation and the return on investment from the overall transformation. Google Trends shows a significant increase in user searches for AIOps during the last couple of years.
While taking a well-informed decision to include AIOps into the organization’s vision of growth, we must analyze the following:
Understanding the feasibility and concerns for its future adoption
Classification of business processes and use cases for AIOps intervention
Quantification of operational gains from incident management using the functional AIOps tools
AIOps is truly envisioned to provide tools that transform system engineers into reliability engineers, bringing about a system that trends towards zero incidents.
Because above all, Zero is the New Normal.
About the Author –
Ashish Joseph is a Lead Consultant at GAVS working for a healthcare client in the Product Management space. His areas of expertise lie in branding and outbound product management. He runs a series called #BizPective on LinkedIn and Instagram focusing on contemporary business trends from a different perspective. Outside work, he is very passionate about basketball, music, and food.
We live in a world of innovation and are beneficiaries of new advancements. New advancements in software technology also come with potential security vulnerabilities.
‘Containers’ are no exception. Let us first understand what a container is and then the vulnerabilities associated with it and how to mitigate them.
What is a Container?
You might have seen containers in a shipyard. They are used to isolate the different cargoes transported by ship. In the same way, software technologies use a containerization approach.
Containers are different from Virtual Machines (VMs): VMs need a guest operating system which runs on a host operating system (OS). Containers use OS virtualization, in which the required processes, CPU, memory, and disk are virtualized so that containers can run without a separate operating system.
In containers, software and its dependencies are packaged so that it can run anywhere whether on-premises desktop or in the cloud.
As stated by Google, “From Gmail to YouTube to Search, everything at Google runs in containers”.
Container Vulnerabilities and Countermeasures
Containers Image Vulnerabilities
When a container image is created, it may be fully patched with no known vulnerabilities. But a vulnerability might be discovered later, while the deployed container image is no longer being patched. Traditional systems can be patched in place when a fix for the vulnerability is available, but for containers the update must be applied upstream in the image, which is then redeployed. So, containers have vulnerabilities because an older image version is deployed.
Also, if the container image is misconfigured or unwanted services are running, it will lead to vulnerabilities.
If you use traditional vulnerability assessment tools to assess containers, it will lead to false positives. You need to consider a tool that has been designed to assess containers so that you can get actionable and reliable results.
To avoid container image misconfiguration, you need to validate the image configuration before deploying.
Embedded Malware and Clear Text Secrets
Container images are collections of files packaged together. Hence, there is a chance of malicious files getting added, unintentionally or intentionally. Such malicious software has the same effect as it would on traditional systems.
If secrets are embedded in clear text, they may lead to security risks if someone unauthorized gets access to the image.
Continuous monitoring of all images for embedded malware with signature and behavioral detection can mitigate embedded malware risks.
Secrets should never be stored inside container images; when required, they should be provided dynamically at runtime.
Use of Untrusted Images
Containers have the advantages of ease of use and portability. This capability may lead teams to run container images from a third party without validating them, and thus introduce data leakage, malware, or components with known vulnerabilities.
Your team should maintain and use only trusted images, to avoid the risk of untrusted or malicious components being deployed.
A registry is simply a repository for storing container images.
Insecure connections to registries
Images can contain sensitive information. If connections to registries are made over insecure channels, it can lead to man-in-the-middle attacks that intercept network traffic to steal developer or admin credentials, or to serve outdated or fraudulent images.
To overcome the insecure connection issue, you should configure development tools and running containers to connect to registries only over an encrypted channel.
Insufficient authentication and authorization restrictions
As we have already seen, registries store container images containing sensitive information. Insufficient authentication and authorization will result in exposure of an app’s technical details and loss of intellectual property. It can also lead to compromise of containers.
Access to registries should be authenticated, and only trusted entities should be able to add images; all write access should be periodically audited and read access should be logged. Proper authorization controls should be enabled to avoid these authentication- and authorization-related risks.
Unbounded administrative access
Many orchestrators are designed with the assumption that all users are administrators, but a single orchestrator may run different apps with different access levels. If you treat all users as administrators, it will affect the operation of every container the orchestrator manages.
Users of the orchestrator should be given only the access they require, through proper role-based authorization, to avoid the risk of unbounded administrative access.
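One way to verify that role-based authorization is actually bounded is to audit the bindings the orchestrator holds. The following is an added example, not from the article or NIST SP 800-190; it runs over constructed role and binding records shaped like Kubernetes RBAC objects and assumes one named group (platform-admins) is the only legitimate holder of cluster-wide administrative rights.

```python
"""Flag orchestrator role bindings that grant unbounded administrative access
(added example over constructed, Kubernetes-RBAC-shaped input)."""

# Assumptions: the one subject that legitimately holds cluster-wide admin, and
# the orchestrator's built-in groups that mean "every user".
ADMIN_SUBJECTS = {("Group", "platform-admins")}
EVERYONE_GROUPS = {"system:authenticated", "system:unauthenticated"}


def grants_wildcard(rules):
    """True if any rule uses '*' for verbs, resources or API groups."""
    return any("*" in rule.get(key, []) for rule in rules
               for key in ("verbs", "resources", "apiGroups"))


def audit_bindings(roles, bindings):
    """roles: {role name: [rule dict, ...]}
    bindings: [{"role": name, "scope": "cluster" or a namespace,
                "subjects": [{"kind": ..., "name": ...}]}]
    Returns (finding, role, scope, subject) tuples; empty means least privilege holds."""
    admin_roles = {name for name, rules in roles.items() if grants_wildcard(rules)}
    findings = []
    for binding in bindings:
        role, scope = binding["role"], binding["scope"]
        for subject in binding["subjects"]:
            kind, name = subject["kind"], subject["name"]
            if kind == "Group" and name in EVERYONE_GROUPS:
                # Any role handed to all users is a policy decision worth reviewing.
                findings.append(("role-bound-to-all-users", role, scope, name))
            if role not in admin_roles:
                continue
            if kind == "ServiceAccount":
                # Workloads should not hold wildcard rights at any scope.
                findings.append(("wildcard-role-to-service-account", role, scope, name))
            elif scope == "cluster" and (kind, name) not in ADMIN_SUBJECTS:
                findings.append(("unbounded-cluster-admin", role, scope, name))
            # A wildcard role bound inside one namespace to a human is the
            # intended "admin of your own app" pattern and is not flagged.
    return findings


# Constructed roles and bindings.
SAMPLE_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "pod-reader": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
    "team-a-deployer": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}],
}
SAMPLE_BINDINGS = [
    {"role": "cluster-admin", "scope": "cluster", "subjects": [{"kind": "Group", "name": "platform-admins"}]},
    {"role": "cluster-admin", "scope": "cluster", "subjects": [{"kind": "User", "name": "dev-alice"}]},
    {"role": "pod-reader", "scope": "cluster", "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"role": "team-a-deployer", "scope": "team-a", "subjects": [{"kind": "ServiceAccount", "name": "ci-runner"}]},
    {"role": "team-a-deployer", "scope": "team-a", "subjects": [{"kind": "User", "name": "dev-bob"}]},
]

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(finding)
```

The same walk works over real bindings exported from the orchestrator once they are mapped to the role/scope/subjects shape used here.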
Poorly separated inter-container network traffic
In container deployments, traffic between hosts is routed through virtual overlay networks managed by the orchestrator. This traffic is not visible to existing network security and management tools, because network filters only see the encrypted packets travelling between the hosts. The result is security blindness: those tools are ineffective at monitoring the traffic.
To overcome this risk, orchestrators need to be configured to separate network traffic into virtual networks according to sensitivity level.
Orchestrator node trust
You need to give special attention to maintaining trust between the hosts, especially the orchestrator node. Weaknesses in orchestrator configuration increase risk; for example, communication between the orchestrator, DevOps personnel, and administrators can be unencrypted and unauthenticated.
To mitigate this, orchestration should be configured securely for nodes and apps. If any node is compromised, it should be possible to isolate and remove it without disturbing other nodes.
It is always good to have a defense in place. Even after following the recommendations we have seen above, containers may still be compromised if the apps are vulnerable.
As we have already seen, traditional security tools may not be effective when used on containers. So you need a container-aware tool that detects behaviour and anomalies in the app at run time, to find and mitigate a compromise.
It is possible to have rogue containers: developers may have launched them to test their code and left them there. They may lead to exploits, since those containers might not have been thoroughly checked for security loopholes.
You can overcome this with separate environments for development, test, and production, and with role-based access control.
Host OS Risks
Large attack surface
Every operating system has an attack surface, and the larger it is, the easier it is for an attacker to find and exploit a vulnerability and compromise the host operating system and the containers that run on it.
If you cannot use a container-specific operating system to minimize the attack surface, you can follow the NIST SP 800-123 guide to server security.
A host OS that only runs containers has a smaller attack surface than a general-purpose host machine, which needs the libraries and packages required to run a web server, a database, and other software.
You should not mix container and non-container workloads on the same host machine.
If you wish to further explore this topic, I suggest you read NIST.SP.800-190.
Anandharaj is a lead DevSecOps at GAVS and has over 13 years of experience in cybersecurity across different verticals, including network security, application security, computer forensics and cloud security.
One of the most prevalent misconceptions about cybersecurity, especially in the mainstream media and also among our clients, is that to conduct a successful attack against an IT system it is necessary to ‘investigate’ and find a new defect in the target’s system.
However, for most security incidents involving internet applications, it is enough to simply exploit existing and known programming errors.
For instance, the dramatic Equifax breach could have been prevented by following basic software security best-practices, such as patching the system to prevent known vulnerabilities. That was, in fact, one of the main takeaways from the forensic investigation led by the US federal government.
One of the most important ways to reduce security risks is to ensure that all known programming errors are corrected before the system is exposed to internet traffic. Research bodies such as the US NIST found that correcting security bugs early on is orders of magnitude cheaper than doing so when the development has been completed.
When composing a text in a text editor, the spelling and grammar checker highlights the mistakes in the text. Similarly, there are security tools known as AST (Application Security Testing) tools that find programming errors that introduce security weaknesses. ASTs report the file and line where the vulnerability is located, in the same way that a text editor reports the page and line that contain a typo.
In other words, these tools allow developers to build software that is largely free of security-related programming errors, resulting in more secure applications.
Just as it is almost impossible to catch all errors in a long piece of text, most software contains many serious security vulnerabilities. The fact that some teams do not use any automated help at all makes these security weaknesses all the more prevalent and easy to exploit.
Let’s take a look at the different types of security issue detection tools, also known as ASTs or vulnerability assessment tools, available in the market.
The Traditional Approach
Two mature technologies capture most of the market: static code analysis (SAST) and web scanners (dynamic analysis or DAST). Each of these two families of tools is focused on a different execution environment.
SAST static analysis, also known as white-box analysis because the tool has access to the source code of the application, scans the source code looking for known patterns of insecure programming that could lead to a vulnerability.
DAST dynamic analysis replicates the view of an attacker. The tool executes hundreds or thousands of requests against the application, designed to replicate an attacker's activity, in order to find security vulnerabilities. This is black-box analysis because the point of view is purely external, with no knowledge of the application’s internal architecture.
The level of detail provided by the two types of tools is different. SAST tools provide the file and line where the vulnerability is located, but no URL, while DAST tools provide the external URL but no details on the location of the problem within the application's code base. Some teams use both tools to improve visibility, but this requires long and complex triaging to manage the vulnerabilities.
The Interactive AST Approach
Interactive Application Security Testing (IAST) tools combine the static approach and the dynamic approach. They have access to the internal structure of the application and to the way it behaves with actual traffic. This privileged point of view is ideal for security analysis.
From an architecture point of view, IAST tools become part of the infrastructure that hosts the web applications, because an IAST runs together with the application server. This approach is called instrumentation, and it is implemented by a component known as an agent. Other platforms, such as Application Performance Monitoring (APM) tools, share this proven approach.
Once the agent has been installed, it places automatic security sensors at the critical execution points of the application. These sensors monitor the data flow between requests and responses, the external components that the application includes, and data operations such as database access. This broad-spectrum coverage is much better than the visibility that SAST and DAST rely on.
In terms of specific results, we can look at two important metrics: how many types of vulnerabilities the tool finds, and how many of the identified vulnerabilities are false positives. The best DAST is able to find only 18% of the existing vulnerabilities in a test application. Even worse, around 50% of the vulnerabilities reported by the best SAST static analysis tool are not true problems!
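To make the sensor idea concrete, here is a toy version of what an agent does, written as an added example that is not Hdiv's agent or any product's implementation. A sensor at the request boundary marks every parameter as tainted, a sensor at the database sink watches what arrives, and a finding records both the file and line of the sink call (what SAST reports) and the request URL (what DAST reports). The handler names, the stand-in `execute` function and the `+`-only taint propagation are constructed for the illustration.

```python
"""A toy IAST-style sensor pair: taint at the request entry point, detection at
the SQL sink, reporting code location plus request URL (added example)."""
import functools
import inspect


class Tainted(str):
    """A string that came from an HTTP request. Taint survives '+' concatenation;
    other string operations are not tracked in this toy (a real agent tracks them all)."""

    def __add__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(other, self))


_current = {"url": None}   # the request the sensors are currently observing
FINDINGS = []


def request_entry_sensor(url, params):
    """Sensor at the request boundary: every parameter value becomes Tainted."""
    _current["url"] = url
    return {key: Tainted(value) for key, value in params.items()}


def sql_sink_sensor(execute):
    """Sensor at the database-access sink: tainted query text is SQL injection;
    tainted values passed as bound parameters are not."""
    @functools.wraps(execute)
    def wrapper(query, params=()):
        if isinstance(query, Tainted):
            caller = inspect.currentframe().f_back
            FINDINGS.append({
                "vulnerability": "SQL Injection",
                "file": caller.f_code.co_filename,   # static side: where in the code
                "line": caller.f_lineno,
                "url": _current["url"],              # dynamic side: which request
                "query": str(query),
            })
        return execute(query, params)
    return wrapper


@sql_sink_sensor
def execute(query, params=()):
    """Stand-in for a driver's cursor.execute: constructed, runs no real SQL."""
    return {"query": str(query), "params": tuple(str(p) for p in params)}


def vulnerable_handler(url, params):
    """Builds the query by concatenation, so request data becomes query text."""
    p = request_entry_sensor(url, params)
    return execute("SELECT * FROM accounts WHERE name = '" + p["user"] + "'")


def safe_handler(url, params):
    """Same lookup with a bound parameter: the query text stays a constant."""
    p = request_entry_sensor(url, params)
    return execute("SELECT * FROM accounts WHERE name = ?", (p["user"],))


def scan(handler, url, params):
    """Run one request through a handler and return the findings it produced."""
    del FINDINGS[:]
    handler(url, params)
    return list(FINDINGS)


if __name__ == "__main__":
    print(scan(vulnerable_handler, "/accounts?user=bob", {"user": "bob"}))
    print(scan(safe_handler, "/accounts?user=bob", {"user": "bob"}))
```

Note that the request used to trigger the finding is an ordinary one: the sink sensor reports on data flow, not on whether a payload succeeded, which is why the same traffic that QA already sends is enough to surface the weakness.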
Source: Hdiv Security via OWASP Benchmark public result data
The IAST approach provides these tangible benefits:
Complete coverage, because the entire application is reviewed, both the custom code and the external code, such as open-source components and legacy dependencies.
Flexibility, because it can be used in all environments; development, quality assurance (QA), and production.
High accuracy, because the combination of static and dynamic points of view allows us to find more vulnerabilities with no false positives.
Complete vulnerability information, including the static aspects (source code details) and dynamic aspects (execution details).
Reduction of the duration of the security verification phase, so that the time-to-market of the secure applications is shorter.
Compatible with agile development methodologies, such as DevSecOps, because it can be easily automated and reduces the manual verification activities.
An IAST tool can add a great deal of value to the security tooling of any organization concerned with the security of its software.
In the same way that everyone uses an automated spell checker to find typos in a document, we believe that any team would benefit from an automated validation of the security of an application.
However, ASTs do not represent a security utopia, since they can only detect security problems that follow a common pattern.
About the Author –
Roberto Velasco is the CEO of Hdiv Security. He has been involved with the IT and security industry for the past 16 years and is experienced in software development, software architecture and application security across different sectors such as banking, government and energy. Prior to founding Hdiv Security, Roberto worked for 8 years as a software architect and co-founded ARIMA, a company specialized in software architecture. He regularly speaks at Software Architecture and cybersecurity conferences such as Spring I/O and APWG.eu.
The COVID pandemic has transformed business as we know it. This includes recruitment. From pre-hire activities to post-hire ones, no hiring practice will be exempt from the change we’re witnessing. To maintain a feasible talent acquisition program now and in the coming years, organizations face a persistent need to reimagine the way they do things at every step of the hiring funnel.
In my view, the following are the key aspects to look at:
1. Transforming Physical Workspaces
Having employees be physically present at the workplace is fraught with challenges now. We envision many companies transitioning into a fully or partially remote workforce to save on costs and give employees more flexibility.
This means companies that maintain a physical headquarters will be paying much closer attention to the purpose those spaces really serve—and so will the candidates. The emphasis now will be on spaces of necessity—meeting areas, spaces for collaborative work, and comfortable, individual spaces for essential workers who need to be onsite.
2. Traveling for interviews will become obsolete
It’s going to be a while before non-essential travel assumes its pre-corona importance. In a study of traveler attitudes spanning the U.S., Canada, the U.K., and Australia, the portion of people who said they intended to restrict their travel over the next year increased from 24% in the first half of March to 40% in the second half of March.
Candidates will be less willing than they once were to jump on a plane for an in-person interview when a video conference is a viable alternative.
3. Demand for workers with cross-trained skills will increase
Skills-based hiring has been on the rise and will keep increasing as businesses strive to do more with a smaller headcount. We anticipate that organizations will increasingly seek out candidates who can wear multiple hats.
Additionally, as machines take on more jobs that were once reserved for people, we will see even greater demand for uniquely human skills like problem solving and creative thinking. Ravi Kumar, president of Infosys Ltd., summed it up perfectly in an interview with Forbes: “machines will handle problem-solving and humans will focus on problem finding.”
4. Recruiting events will look a lot different
It’s unclear when large-scale, in-person gatherings like job fairs will be able to resume, but it will likely be a while. We will likely see most events move to a virtual model, which will not only reduce risk but significantly cut costs for those involved. This may open new opportunities to allocate that budget to improve some of the other pertinent recruiting practices on this list.
5. Time to hire may change dramatically
The current approach is likely to change. For example, most people who took a new job last year were not searching for one: somebody came and got them. Businesses seek to fill their recruiting funnel with as many candidates as possible, especially ‘passive candidates’ who are not looking to move. Frequently, employers advertise jobs that do not exist, hoping to find people who might be useful later or in a different framework. We always campaign for the importance of minding our recruiting metrics, which can help us not only hire more competently but also identify interruptions in our recruiting process.
Are there steps in the hiring process, like screening or onboarding, that can be accelerated to balance things out? Are there certain recruitment channels that typically yield faster hires than others that can be prioritized? These are important questions to ask as you analyze the pandemic’s impacts to your hiring funnel.
6. How can AI be leveraged to screen candidates?
AI is helping candidates get matched with the right companies. There are over 100 parameters to assess the candidates. This reduces wastage of time, money, and resources. The candidates are marked on their core strengths. This helps the recruitment manager to place them in the apt role.
The current situation presents the perfect opportunity for companies to adopt new tools. Organizations can reassess their recruitment processes and strategies through HR-aligned technology.
Post-pandemic hiring strategy
This pertains more to the industries most impacted by the pandemic, like businesses in the hospitality sector, outdoor dining, and travel to name a few. Many of the applicants in this domain have chosen to make the shift towards more promising or booming businesses.
However, once the pandemic blows over and restrictions are lifted, you can expect suffering sectors to come back with major recruitment changes and fierce competition over top talent.
Companies that take this time to act by cultivating relationships and connections with promising talent in their sphere, will have the advantage of gathering valuable data from probable candidates.
About the Author –
Prabhakar is a recruiter by profession and a cricketer by passion. His focus is on hiring for the infra vertical. He hails from a small town in Bihar and was brought up in Pondicherry. Prabhakar has represented Pondicherry in U-19 cricket (National School Games). In his free time he enjoys reading, working on his health and fitness, and spending time with his family and friends.
RESTful Web Services are web services based on the REST architecture. Representational State Transfer (REST) is a style of software architecture for distributed systems such as the World Wide Web. In this architectural style, data and functionality are considered resources and are accessed using Uniform Resource Identifiers (URIs), typically links on the Web.
REST has some advantages over SOAP (Simple Object Access Protocol) but is similar in technology, since it is also a function call over the HTTP protocol. REST is easier to call from various platforms, transfers human-readable data in JSON or XML, and is faster and saves resources.
In the basic idea of REST, an object is accessed via REST, not its methods. The state of the object can be changed by the REST access, and the change is determined by the passed parameters. A frequent application is the connection of SAP PI via the REST interface.
When to use REST Services
You want to access BI platform repository objects or perform basic scheduling.
You want to use a programming language that is not supported by another BI platform SDK.
You want to extract all the query details and the number of records per query for all reports, such as Webi and Crystal.
You want to extract the folder paths of all reports at once.
RESTful Web Service Requests
To make a RESTful web service request, you need the following:
URL – The URL that hosts the RESTful web service.
Method – The type of HTTP method to use for sending the request, for example GET, PUT, POST, or DELETE.
Request header – The attributes that describe the request.
Request body – Additional information that is used to process the request.
Common RWS Error Messages
Restful Web Service URIs Summary List
Service document that contains a link to the /infostore API.
This is the root level of an infostore resource.
Feed containing all the objects in the BOE system.
Entry corresponding to the info object with SI_ID=.
Returns the long form for logon, which contains the user and password authentication template.
Used to log on to the BI system based on the authentication method.
XML feed of user details in the BOE system.
You can modify a user using the PUT method and delete a user using the DELETE method.
XML feed of user group details in the BOE system.
Supports the GET, PUT and DELETE methods. You can modify a user group using the PUT method and delete a user group using the DELETE method.
XML feed that displays the details of the folder; it can be used to modify the details of the folder and to delete the folder.
You modify the folder using the PUT method and delete the folder using the DELETE method.
XML feed of all publications created in the BOE system.
The Business Intelligence platform RESTful Web Service (BI-REST-SDK) allows you to programmatically access BI platform functionality such as administration, security configuration and modification of the repository. In addition to the Business Intelligence platform RESTful web service SDK, you can also use the SAP Crystal Reports RESTful Web Services (CR REST SDK) and SAP Web Intelligence RESTful Web Services (WEBI REST SDK).
An application has been designed and implemented in Java to automate the extraction of the SQL query for all the Webi reports from the server at once.
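The following is an added example, not the article's Java application, showing the four parts of a request listed above (URL, method, request header, request body) for the logon, infostore and logoff calls, together with parsing of an infostore XML feed. The host name is constructed; the /biprws base path, the /logon/long and /logoff resources, the attrs XML body and the X-SAP-LogonToken header are assumptions drawn from the BI-REST-SDK documentation and should be verified against your server's version. Because changes to repository metadata cannot be undone, the builder refuses PUT, POST and DELETE against the infostore unless the caller opts in.

```python
"""Compose BI platform RESTful requests (URL, method, headers, body), handle the
logon token, parse an infostore feed, and guard irreversible methods
(added example; endpoint details are assumptions to verify)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

BASE_URL = "https://bo-server.example.internal:6405/biprws"  # constructed host; /biprws assumed
BIP_NS = "http://www.sap.com/rws/bip"                          # assumed namespace of the logon body
ATOM_NS = "http://www.w3.org/2005/Atom"
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def logon_request(user_name, password, auth="secEnterprise"):
    """POST /logon/long with the user, password and authentication type."""
    body = (f'<attrs xmlns="{BIP_NS}">'
            f'<attr name="userName" type="string">{escape(user_name)}</attr>'
            f'<attr name="password" type="string">{escape(password)}</attr>'
            f'<attr name="auth" type="string">{escape(auth)}</attr></attrs>')
    return {"url": f"{BASE_URL}/logon/long", "method": "POST",
            "headers": {"Content-Type": "application/xml", "Accept": "application/xml"},
            "body": body}


def token_from_response(response_headers):
    """The session token arrives in X-SAP-LogonToken; header names are case-insensitive."""
    for name, value in response_headers.items():
        if name.lower() == "x-sap-logontoken":
            return value.strip('"')
    raise ValueError("logon response carried no X-SAP-LogonToken header")


def infostore_request(token, si_id=None, method="GET", body=None, allow_write=False):
    """Request for /infostore (the feed) or /infostore/{SI_ID} (one info object)."""
    method = method.upper()
    if method in WRITE_METHODS and not allow_write:
        raise PermissionError(f"{method} would modify repository metadata, which cannot be "
                              "undone; pass allow_write=True to confirm")
    # int() keeps anything but a numeric SI_ID out of the path.
    url = f"{BASE_URL}/infostore" + (f"/{int(si_id)}" if si_id is not None else "")
    return {"url": url, "method": method,
            "headers": {"X-SAP-LogonToken": token, "Accept": "application/xml"},
            "body": body}


def logoff_request(token):
    """Release the session when done so the token cannot be reused later."""
    return {"url": f"{BASE_URL}/logoff", "method": "POST",
            "headers": {"X-SAP-LogonToken": token}, "body": None}


def feed_titles(feed_xml):
    """Titles of the entries in an infostore Atom feed."""
    root = ET.fromstring(feed_xml)
    return [entry.findtext(f"{{{ATOM_NS}}}title") for entry in root.iter(f"{{{ATOM_NS}}}entry")]


# Constructed feed, shaped like the XML feeds the service returns.
SAMPLE_FEED = f"""<feed xmlns="{ATOM_NS}">
<entry><title>Sales Report</title></entry>
<entry><title>Finance</title></entry>
</feed>"""

if __name__ == "__main__":
    token = token_from_response({"X-SAP-LogonToken": '"bo-server@123Jabc"'})  # constructed
    print(infostore_request(token, 1234))
    print(feed_titles(SAMPLE_FEED))
    print(logoff_request(token))
```

Each dictionary can be handed to any HTTP client; the logon body is the only place the password appears, so it should not be logged.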
Postman (Third party application)
The structure of the application is as below:
The application comprises the required Java jar files, Java class files, Java properties files and logs. The Java class files (SqlExtract) are the source code and are compiled and executed from the command prompt as:
The Java properties file (log4j) is used to set the configuration for the Java code to run. The path for the log file can also be set in the properties file.
The logs (SqlExtractLogger) consist of the required output file with all the extracted queries for the Webi reports, along with the data source name, type and row count for each query, in the respective folder at the path set by the user in the properties file.
The application is standalone and can run on any Windows platform or server that has a Java JRE (version greater than 1.6 preferred) installed.
Note: All the above steps required to execute the application are consolidated in the (steps) file.
SAP BO provides a RESTful web service to traverse its repository, fetch structural information, and modify the metadata structure based on user requirements. When integrated with programming languages like Python or Java, it extends the scope to a greater extent, allowing the user to automate workflows and solve backtracking problems.
Handling the RESTful web service needs expertise in server administration and programming, as changes made to the metadata are irreversible.
Alan is an SAP Business Intelligence consultant with critical thinking and an analytical mind. He believes in ‘The more extensive a man’s knowledge of what has been done, the greater will be his power of knowing what to do’.
“If I have seen further it is by standing on the shoulders of giants.”— Isaac Newton
Did you know the English word ‘Mentor’ actually originated from the Greek epic ‘The Odyssey’?
When Odysseus had to leave his kingdom to lead his army in the Trojan war, his son Telemachus was left under the guidance of a friend ‘Mentor’. Mentor was supposed to guide and groom Telemachus during his developmental years and make him independent. The word ‘Mentor’ was thus incorporated in the English language. We use the word in the same context that existed in Greek Mythology – to guide a person, make him/her an independent thinker, and a doer.
In the age of technology, there may be tools and enormous amounts of data to get a competitive advantage, but they’re no match for a mentor. The business hall of fame is adorned with the names of people who discovered that finding a mentor made all the difference.
A lot of people have been able to achieve greater heights than they imagined because they were able to tap into their potential and that is the energy mentoring brings in.
In today’s world, a lot of corporate offices offer mentoring programs that cut across age groups (called cross-gens), backgrounds, and experiences and that benefit everyone. But sometimes the mechanisms and expectations of a mentoring program are not clear, which makes the practice unsuccessful. Today’s young generation thinks the internet is enough to quench their thirst for knowledge. They do not see mentors as guiding beacons to success, only as help in meeting their learning needs. To give an example, mentoring is equivalent to not just teaching a man to fish, but also sharing the experiences, tricks, and tips so that he becomes an independent fisher. More often than not, our current generation fails to understand that even geniuses like Aristotle and Bill Gates needed a mentor in their lives.
When mentoring is so powerful, why don’t we nurture the relationship? What stops us? Is time a factor? Not really. Any relationship needs some amount of time to be invested and so is the case with mentoring. Putting aside a few hours a month is an easily doable task, especially for something that is inspiring and energizing. Schedules can always be shuffled for priorities.
Now that we know that we have the time, why is it always hard to find a mentor? To begin with, how do you find a mentor? Well, it is not as difficult as we think. When you start looking for them, you will eventually find one. They are everywhere but may not necessarily be in your workplace.
We have the time, we have a mentor, so what are the guidelines in the mentoring relationship?
The guidelines can be extracted very much in the word ‘MENTOR’.
M=Mission: Any engagement works only if you have something to work on. Both the mentor and mentee must agree on the goals and share their mission statement. Creating a vision and a purpose for the mentoring relationship adds value to both sides and this keeps you going. Articulating the mission statement would be the first activity, to begin with in a mentor-mentee relationship.
E=Engage: Agree on ways to engage that work with your personalities and schedules. Set ground rules on the modes of communication. Is it going to be a periodic one-on-one conversation, or remote calls? Find out the level of flexibility. Is an impromptu meeting fine? Can emails or text messages be sent? Decide on the communication medium and time.
N=Network: Expanding your network with that of your mentor or mentee and cultivating productive relationships will be the key to success. While expanding your network will be productive, remember to tread carefully. Seek permissions, respect, and even ask for an introduction before you reach out to the other person’s contacts.
T=Trust: Build and maintain trust with your mentoring partner by telling the truth, staying connected, and being dependable. And as the mentorship grows, clear communication and honesty will deepen the relationship. Building trust takes time so always keep the lines of communication open.
O=Opportunity: Create opportunities for your mentee or mentor to grow. Being in a mentor-mentee relationship is like a two-way lane, where you can come across opportunities from both sides which may not be open to non-mentors/mentees. Bringing in such opportunities will only help the other person achieve his/her goal or the mission statement that was set at the beginning.
R=Review and Renew: Schedule a regular time to review progress and renew your mentoring partnership. This will help you keep your progress on track and it will also help you look for short goals to achieve. Reviewing is also going to help retrospect if a different strategy is to be laid out to achieve your goals.
Mentoring may sound irrelevant and unnecessary while we are surviving a pandemic and going through bouts of intense emotions. But I feel it is even more necessary during this most unusual situation we’re facing. Mentoring could be one of the ways to combat anxiety and depression caused by isolation and the inability to meet people face-to-face.
Mentoring can be done virtually through video calls, by setting up a time to track the progress of your goals and discuss challenges/accomplishments. Mentoring also proves to be the place to ask difficult questions, because it is a “No Judging” relationship and an absolutely safe place to deal with work-related anxiety and fear. I still recall my early days as a campus graduate, when I was assigned a ‘Buddy’, the go-to person. With them, I discussed a lot of my ‘what’, ‘why’ and ‘how’ questions about work and the corporate world, which I had resisted opening up about to my supervisors.
Mentoring takes time. Remember the first day you struggled to balance on your bicycle and may have fallen down hurting your knees? But once you learned to ride, you would have loved your time on the saddle. The same applies to mentoring. Investing the time and effort in mentoring will energize you even better than a few hours of Netflix or scrolling on Instagram. Let us create a culture that shares knowledge, guides & encourages nonstop, like how Socrates taught Plato, Plato taught Aristotle and Aristotle held the beacon for many. There is an adage that goes “when you are ready to become a teacher, the student appears”.
“A mentor is someone who allows you to see the hope inside yourself.”— Oprah Winfrey
The article is based on the book “One Minute Mentoring” by Ken Blanchard & Claire Diaz Ortiz.
About the Author –
Rama is that everyday woman you see who juggles between family and a 9 hours work life. She loves reading history, fiction, attempting half marathons, and traveling. To break the monotony of life and to share her interest in books & travel, she blogs and curates at www.kindleandkompass.com
Developing and releasing software can be a complicated process, especially as applications, teams, and deployment infrastructure grow in complexity themselves. Often, challenges become more pronounced as projects grow. To develop, test, and release software quickly and consistently, developers and organizations have created distinct strategies to manage and automate these processes.
Did you know? Amazon releases new production code once every 11.6 seconds.
The era of digital transformation demands faster deployments into production. Faster deployments do not justify defective releases; the solution is ‘DevOps’. The development team, operations team, and IT services team have to work in tandem, and the magic circle that brings all of them together is DevOps.
To adopt a DevOps culture, implementing the right DevOps tools with the right DevOps process is essential. Continuous integration/continuous delivery/continuous deployment (CI/CD/CD) helps developers and testers ship software faster and more safely in a structured environment.
The biggest obstacle to overcome in constructing a DevOps environment is scalability. There are no definite measures of the scalability of an application or product development, but the DevOps environment should be ready to scale to meet business and technology needs. That lays a strong foundation for building agile DevOps for the business.
Continuous integration and deployment have brought many benefits to the software delivery process. Initiating automated code builds once checks are completed, running automated test suites, flagging errors, and breaking builds that do not adhere to compliance have eased the way to deploying a stable release into the staging or production environment, eliminating manual errors and human bias.
How is CI/CD/CD Set Up?
Version control tools play an important role in the success of our DevOps pipeline. And designing a good source stage is pivotal to our CI/CD success. It ensures that we can version code, digital assets, and binary files (and more) all in one spot. This enables teams to communicate and collaborate better — and deploy faster.
Our code branching strategy determines how and when developers branch and merge. When deciding on a strategy, it is important to evaluate what makes sense for our team and product. Most version control systems will let you adopt and customize standard strategies like mainline, trunk-based, task/feature branching, etc.
Typical Branching Model Followed
A basic workflow starts with code being checked out. When the work in the branch is committed, CI processes are triggered; this can be done with a merge or pull request. Then the CI/CD pipeline kicks into high gear.
The goal of CI/CD is to continuously integrate changes to find errors earlier in the process, also known as ‘Shift Left’. The ultimate goal of having an automated CI/CD process in place is to identify errors or flag non-compliance at an early stage of the development process. This increases the project’s velocity by avoiding late-stage defects and delays. It creates an environment where code is always ready for a release. With the right branching strategy, teams are equipped to deliver success.
Continuous Integration: Integrating newly developed code with the central repository is continuous integration. Automated CI results in automated builds that are triggered to merge the newly developed code into the repository. As part of this process, plugins can be added to perform static code analysis, security compliance checks, etc., to identify whether the newly added code would have any impact on the application. If there are compliance issues, the automated build breaks, and this is reflected back to the developer with insights. Automated CI helps increase the productivity of the developers and the team.
Continuous Delivery: At the end of a successful CI, Continuous Delivery is triggered. CD automates the software delivery process and commits to delivering the integrated code to the production stage without bugs or delays. CD merges the newly developed code into the main branch of the software so that a production-ready product is available with all the checks in place. CD also checks the quality of the code and performs tests to check whether the functional build can be released to the production environment.
Continuous Deployment: The final and most critical part of DevOps is Continuous Deployment. After the certified code has been successfully merged, pipelines are triggered to deploy the code into the production environment. These pipelines are also triggered automatically, and they are constructed to handle the target environment, be it jar or container deployments. The most important aspect of this pipeline is tagging the releases, which is also done in the production environment. If there are rollbacks, these tags help the team roll back to the right version of the build.
CI/CD/CD is an art that needs to be crafted in the right and most efficient way to help the software development team achieve success at a faster pace.
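The CI, CD and CD stages above can be reduced to a small gate: stages run in order, the first failing stage breaks the build and hands the developer file-and-line insight, and only a fully passing build is deployed under a new, immutable release tag that a later rollback can return to. The following is an added example with constructed source files and checks, not the article's pipeline or any CI product's configuration; the static-analysis stage is a real AST walk for syntax errors and calls to a forbidden-function list.

```python
"""A minimal CI/CD/CD gate: static analysis with file/line insight, tests,
tagged deployment and rollback target selection (added example; constructed input)."""
import ast

# Constructed source tree as the pipeline would check it out.
SOURCES = {
    "app/handlers.py": "def run(cmd):\n    return eval(cmd)\n",
    "app/util.py": "def add(a, b):\n    return a + b\n",
}

# Assumption: the compliance policy forbids these calls in application code.
FORBIDDEN_CALLS = {"eval", "exec"}


def static_analysis(sources):
    """Compliance check: syntax errors and forbidden calls, each with file and line."""
    issues = []
    for path, code in sources.items():
        try:
            tree = ast.parse(code, filename=path)
        except SyntaxError as err:
            issues.append((path, err.lineno, f"syntax error: {err.msg}"))
            continue
        for node in ast.walk(tree):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in FORBIDDEN_CALLS):
                issues.append((path, node.lineno, f"forbidden call {node.func.id}()"))
    return issues


def run_pipeline(sources, tests, tags, version):
    """tests: [(name, callable returning True on pass)]; tags: release tags in deploy
    order, appended to on success. Returns the build verdict with insights."""
    stages = [
        ("static-analysis", lambda: static_analysis(sources)),
        ("tests", lambda: [name for name, test in tests if not test()]),
    ]
    for name, stage in stages:
        failures = stage()
        if failures:
            # Break the build at the first failing stage; later stages never run.
            return {"status": "broken", "stage": name, "insights": failures, "tag": None}
    tag = f"v{version}"
    if tag in tags:
        # Tags must be immutable, or a rollback could land on different code than expected.
        return {"status": "broken", "stage": "deploy",
                "insights": [f"tag {tag} already exists"], "tag": None}
    tags.append(tag)
    return {"status": "deployed", "stage": "deploy", "insights": [], "tag": tag}


def rollback_target(tags):
    """The previous release tag, i.e. the version a rollback returns to."""
    return tags[-2] if len(tags) >= 2 else None


if __name__ == "__main__":
    release_tags = ["v1.0.0"]
    print(run_pipeline(SOURCES, [("add", lambda: True)], release_tags, "1.1.0"))
    clean = {"app/util.py": SOURCES["app/util.py"]}
    print(run_pipeline(clean, [("add", lambda: True)], release_tags, "1.1.0"))
    print(rollback_target(release_tags))
```

In a real pipeline the stage callables wrap the analysis plugin, the test runner and the deployment step; the verdict shape is what gets posted back to the merge request.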
Different Stages & Complete DevOps Setup
What is the CI/CD/CD Outcome?
About the Author –
Murleedharan is a senior technical manager and has managed, developed, and launched cutting edge business intelligence and analytics platforms using big data technologies. He has experience in hosting the platform in Microsoft Azure by leveraging the MS PaaS. He is a product manager for zDesk – A Virtual Desktop offering from GAVS. His passion is to get a friction-less DevOps operational in an environment to bring down the deployment time to a few seconds.