Welcome!

@CloudExpo Authors: Elizabeth White, Yeshim Deniz, Liz McMillan, Pat Romanski, Zakia Bouachraoui

Related Topics: @CloudExpo, Wearables, Cloud Security

@CloudExpo: Blog Post

Private Practice: Encryption Exposed | @CloudExpo #Cloud #Security #Encryption

Apple had used some of the strongest encryption technologies and practices to protect its users and their data

In September 2014, Apple made encryption default with the introduction of the iPhone 6. Then, in February 2016, a Los Angeles judge issued an order to Apple to help break into the encrypted iPhone belonging to a terrorist involved in a mass shooting.

Apple had used some of the strongest encryption technologies and practices to protect its users and their data.  The encryption technology did not discriminate between lawful and unlawful users.  While there were many sides to this issue, it surfaced many important debates on security, privacy, and civil rights.

Peekaboo
For developers wanting to add cryptographic libraries to their applications, a number of open source components are available to them. Of course, anyone seeking to add encryption to an application has an important requirement for the privacy and security it provides.

One of the more popular choices for encryption is known as the Legion of Bouncy Castle Java Cryptography library. According to the 2016 State of the Software Supply Chain report, records reveal that 17.4 million Bouncy Castle components across all versions were downloaded last year. Of these, 5.8 million (33%) were known vulnerable versions of Bouncy Castle.

It's a sobering fact, but it's true. Last year alone, organizations downloaded vulnerable versions of the Bouncy Castle cryptography library 5.8 million times. The defective components downloads occurred across 93,253 unique IP addresses from 13,824 organizations in 197 countries.

Think Different
Think about it.  The Bouncy Castle project is developed by experts in cryptography.  Occasionally, their crypto library is discovered to have a flaw and the project owners rapidly fix and release a new version.  If you use the latest versions without known vulnerabilities, your application, your users, and your data are protected.  If you use the versions that include known vulnerabilities, you have electively declined those protections.

Two of the critical principles of using open source components are to use the highest quality components and to select them from the best suppliers.  In this case, the Bouncy Castle project does an excellent job of releasing new and improved versions.  While flawed versions are still available, those seeking to protect applications, users, and data need to use the highest quality versions.

Which Version Are You Using?
Determining which versions of Bouncy Castle or any other open source component you are using is simple.  A number of free and paid services are available to help you analyze your application and report a full list of the components, including dependencies, that are used.

Some of the free services require you to upload your application for analysis while other services are performed on-premises.  One example of a free on-premises tool used to create a software Bill of Materials is the Application Health Check app from Sonatype.  Another example is the OWASP Dependency Check app.  Precision of these tools may vary, but regardless of the tool you use, you should use one.

More insights on the quality, security, and integrity of open source components used to build modern applications can be found in the 2016 State of the Software Supply Chain report.

More Stories By Derek Weeks

In 2015, Derek Weeks led the largest and most comprehensive analysis of software supply chain practices to date across 160,000 development organizations. He is a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies, reduce costs, and sustain long-lasting competitive advantages.

As a 20+ year veteran of the software industry, he has advised leading businesses on IT performance improvement practices covering continuous delivery, business process management, systems and network operations, service management, capacity planning and storage management. As the VP and DevOps Advocate for Sonatype, he is passionate about changing the way people think about software supply chains and improving public safety through improved software integrity. Follow him here @weekstweets, find me here www.linkedin.com/in/derekeweeks, and read me here http://blog.sonatype.com/author/weeks/.

CloudEXPO Stories
Your job is mostly boring. Many of the IT operations tasks you perform on a day-to-day basis are repetitive and dull. Utilizing automation can improve your work life, automating away the drudgery and embracing the passion for technology that got you started in the first place. In this presentation, I'll talk about what automation is, and how to approach implementing it in the context of IT Operations. Ned will discuss keys to success in the long term and include practical real-world examples. Get started on automating your way to a brighter future!
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next-gen applications and how to address the challenges of building applications that harness all data types and sources.
Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine where she evaluated and tested application-focused technologies including app security and encryption-related solutions. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University, and is an O'Reilly author.
CloudEXPO New York 2018, colocated with DevOpsSUMMIT and DXWorldEXPO New York 2018 will be held November 12-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI and Machine Learning to one location.
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.