Tag Archives: software

The Air Gap a Security Fallacy?

12 Saturday Jun 2021

Posted by in General, Technology

Leave a comment

Tags

, ,

Securing systems through an air gap is an idea goes back decades, and through the 50s to as recently as the 2000s the idea that you could safely and successfully run and maintain systems by simply not connecting to a network protects them from vulnerabilities may have been true. But in the last ten or more years, I would argue it is a fallacy, that can lull people into a false sense of security and therefore more likely to take more risks (or at least not be as careful as we should be). This idea is a well established piece of psychology with modern cars (here for example). This is known as Risk Compensation (also more here) or an aspect of behaviour adaptation.

Whilst this is rather theoretical, perhaps we should illustrate in practical terms why it is both a fallacy, and in the modern day simply impractical.

Continue reading

Security Vulnerabilities in Solution Deployment

04 Saturday Jan 2020

Posted by in development, General, Technology

Leave a comment

Tags

, , , , , , , ,

To varying degrees, most techies are aware of the security vulnerabilities identified in the OWASP Top 10 (SQL Injection, trying to homebrew Identity management etc), although I still sometimes have conversations where I feel the need to get the yellow or red card out. But the bottom line is that these risks are perhaps more appreciated because it is easier to understand external entities attacking seeking direct attacks to disrupt or access information. But there are often subtler and at least more costly to repair attacks such as internal attacks and indirect attacks such as compromising software deployment mechanisms.

This, later attack Is not a new risk, as you can see from the following links, been recognised by the security community for some time (you can find academic papers going back 10+ years looking at the security risks for Yum and RPM for example).

But software is becoming ever more pervasive, we’re more aware than ever that maintaining software to the latest releases means that known vulnerabilities are closed. As a result, we have seen a proliferation in mechanisms to recognise the need to update and deploying updates. 10 years ago, updating frameworks where typically small in number and linked to vendors who could/had to invest in making the mechanisms as a secure as possible – think Microsoft, Red Hat. However we have seen this proliferate, any browser worthy of attention has automated updating let alone the wider software tools. As development has become more polyglot every language has its central repos of framework libraries (maven central, npm, chocolatey ….). Add to this the growth in multi-cloud and emphasis on micro deployments to support microservices and the deployment landscape gets larger and ever more complex and therefore vulnerable.

What to do?

Continue reading

Enterprise Architect Cloud

18 Thursday Dec 2014

Posted by in General, Technology

Leave a comment

Tags

, , , , , , ,

With version 11 of Sparx‘ Enterprise Architect tool a new cloud feature was introduced to support team working, which previously had been achieved using a shared Database.

When we heard about EA Cloud, both myself and my colleagues got rather excited, thinking that this would be the opportunity to offload the effort of looking after a central DB (making sure backups happened, fine tuning the DB settings and so on) plus maintaining the platform’s patching for security etc. Not only that through the cloud capability we could host the repository that made it very easy for the team to access the repository on the move without needing to have another whole in our corporate firewall etc.

Unfortunately, EA Cloud provides all the software to establish a cloud based repository – which can be used through firewalls etc – HTTPS traffic rather than DB connectors on unusual ports but not the hosting.  This seems to a bit of a missed opportunity for Sparx who already have to deal with all of these points to host 3 demo cloud servers.  So the next step of instantiating a server for a regular on going fee doesn’t seem too challenging, not to mention promotes customer tie in, plus the ability to capture some potentially interesting metrics about its users (e.g. which modelling techniques are most popular etc).  Having looked at Sparx partners they don’t offer the capability either which is a shame.

Oracle WebCenter Suite Structure Representation

23 Friday May 2014

Posted by in Oracle, Technology

Leave a comment

Tags

, , , , , ,

When it comes to understanding the range of products and how product families fit together Oracle have created some helpful block diagrams, such as the one below.

SOA / AIA Structure

This really helpful – particuarly when trying to understand potential licensing relationships. However there doesn’t appear to be an equivalent diagram (certainly not on OTN). So after a bit of navigating around OTN we have produced the following diagram:

WebCentre Suite Makup

WebCentre Suite Makup

If you find it useful, help yourself but a nod would be appreciated.

eBook Library Organizes and Indexes Your Books

02 Wednesday Sep 2009

Posted by in General

Leave a comment

Tags

, , , ,

I came across this – eBook Library Organizes and Indexes Your Books [Downloads] which looks interesting. I have a growing collection of eBooks and PDF based articles – as most engineers do.  The problem is quickly searching them for the information that is needed.  so We’ll be giving this tool a try.

AJAX Resources

11 Tuesday Aug 2009

Posted by in General

Leave a comment

Tags

, , , , ,

With WebUI’s getting more like thick applications as a result of the increasing adoption and sophistication of AJAX use I came across a website that does a good job of pulling together AJAX lessons, examples and tips tricks called www.ajaxlessons.com. Its a link’d recommedn adding to any web developers list of dev resources.