The Need for DevSecOps

  • Comments posted to this topic are about the item The Need for DevSecOps

  • Just call it "P-cubed" or "P3" for "Proper Programming Practices" instead of all this Dev-this and Ops-that stuff.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Jeff Moden wrote:

    Just call it "P-cubed" or "P3" for "Proper Programming Practices" instead of all this Dev-this and Ops-that stuff.

    Admirable restraint there Jeff.  The temptation for "P-Sept" or "P7" must have have been enormous.

    I followed a thread on Twitter (or whatever its called these days) from someone pointing out the amount of ancient software in use across the finance and insurance sector.  I've certainly seen a Windows XP boot up screen on a cash machine but we are talking even older than that.  I know of a critical system that was running Oracle 7.  It had been happily ticking over for years.  When it broke company found that the people to whom they had outsourced the support contract hadn't a clue how to execute a recovery scenario.  Doubly so as the hardware that caused the outage was obsolete.

    Inadequately secured cloud tech may be at the forefront of people's minds but how secure is the ancient stuff quietly running the world.  What damage could a motivated, hostile actor do?

     

  • This is a good article, but I've got a question or two for clarification. The first involves the release notes and feature changes that hackers use to devise ways of attacking. Perhaps because I work in government, I'm just not following you. Outside of the walled garden of government, do companies/agencies publish release notes and features exposing details for anyone to see? I've seen Microsoft's release notes on various products I use over the years, but I can honestly say I'd have no idea how to hack into any of them, just by reading those. Perhaps the same would be true of other vendors' products, but I've not looked at their release notes.

    The other thing I wonder about is the article you linked to by Byron V. Acohido on Security Boulevard. When I read that I got the feeling that the only way to defend against hackers exploiting breaking APIs was to remove all APIs and go back to having every app write its own mechanism to access resources. I hate that idea. And working at a place where no one writes APIs but takes time to write their own version of code to access the same thing that's been done 50 times previously, is crazy. Ultimately, is scrapping all APIs the only safe manner of accessing resources from multiple applications?

    Kindest Regards, Rod Connect with me on LinkedIn.

  • David.Poole wrote:

    Jeff Moden wrote:

    Just call it "P-cubed" or "P3" for "Proper Programming Practices" instead of all this Dev-this and Ops-that stuff.

    Admirable restraint there Jeff.  The temptation for "P-Sept" or "P7" must have have been enormous.

    I followed a thread on Twitter (or whatever its called these days) from someone pointing out the amount of ancient software in use across the finance and insurance sector.  I've certainly seen a Windows XP boot up screen on a cash machine but we are talking even older than that.  I know of a critical system that was running Oracle 7.  It had been happily ticking over for years.  When it broke company found that the people to whom they had outsourced the support contract hadn't a clue how to execute a recovery scenario.  Doubly so as the hardware that caused the outage was obsolete.

    Inadequately secured cloud tech may be at the forefront of people's minds but how secure is the ancient stuff quietly running the world.  What damage could a motivated, hostile actor do?

    On your first... heh... yeah.  "P7" is definitely the longer version but I thought that the people touting things like DevOps  would think it wasn't appropriate to use "officially".  I also thought of the good ol' fashioned "Do it right the first time" but "DIRTFT doesn't roll off the tongue and there's that word count thing might get in the way.

    I had a much longer bit on this but deleted it because it was just a rant about what the computational world has become, which I can do nothing about except to keep trying to set a good example like you and several other denizens of this and other sites do.

     

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • David.Poole wrote:

    ...

    Inadequately secured cloud tech may be at the forefront of people's minds but how secure is the ancient stuff quietly running the world.  What damage could a motivated, hostile actor do?

    Great point. A lot of banking and embedded systems run old OS's. Those are certainly a threat vector.

  • Rod at work wrote:

    This is a good article, but I've got a question or two for clarification. The first involves the release notes and feature changes that hackers use to devise ways of attacking. Perhaps because I work in government, I'm just not following you. Outside of the walled garden of government, do companies/agencies publish release notes and features exposing details for anyone to see? I've seen Microsoft's release notes on various products I use over the years, but I can honestly say I'd have no idea how to hack into any of them, just by reading those. Perhaps the same would be true of other vendors' products, but I've not looked at their release notes.

    The other thing I wonder about is the article you linked to by Byron V. Acohido on Security Boulevard. When I read that I got the feeling that the only way to defend against hackers exploiting breaking APIs was to remove all APIs and go back to having every app write its own mechanism to access resources. I hate that idea. And working at a place where no one writes APIs but takes time to write their own version of code to access the same thing that's been done 50 times previously, is crazy. Ultimately, is scrapping all APIs the only safe manner of accessing resources from multiple applications?

    Rod at work wrote:

    This is a good article, but I've got a question or two for clarification. The first involves the release notes and feature changes that hackers use to devise ways of attacking. Perhaps because I work in government, I'm just not following you. Outside of the walled garden of government, do companies/agencies publish release notes and features exposing details for anyone to see? I've seen Microsoft's release notes on various products I use over the years, but I can honestly say I'd have no idea how to hack into any of them, just by reading those. Perhaps the same would be true of other vendors' products, but I've not looked at their release notes.

    The other thing I wonder about is the article you linked to by Byron V. Acohido on Security Boulevard. When I read that I got the feeling that the only way to defend against hackers exploiting breaking APIs was to remove all APIs and go back to having every app write its own mechanism to access resources. I hate that idea. And working at a place where no one writes APIs but takes time to write their own version of code to access the same thing that's been done 50 times previously, is crazy. Ultimately, is scrapping all APIs the only safe manner of accessing resources from multiple applications?

     

    Release notes tell you what's changed. So if you look at something, say Salesforce (https://help.salesforce.com/s/articleView?id=release-notes.salesforce_release_notes.htm&release=246&type=5), you see things changing. One of the items is: Share CMS content from any workspace with your enhanced LWR site. Now all LWR sites that you create are enhanced.

    A hacker might look at how sharing works, or what an LWR site is and see if there are issues with URLs not being securely formed, parameters being passed (sql injection?) or ways in which the passing of context from one site to the next or user to a new site might have an issue.

    Hacking isn't about someone publishing code and you finding an issue. It's more about experimenting and looking for holes programmers left by not securing thigns.

    There are Windows release notes, there are some from Word. Hackers will spend a lot of time poking at these changes and looking to see if something new was built sloppily without the same level of security as the rest of the software.

  • Thank you, Steve, for clarifying what the security concerns are with release notes.

    • This reply was modified 1 year, 2 months ago by  Rod at work.

    Kindest Regards, Rod Connect with me on LinkedIn.

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply