Upcoming Talks At MobileWeek 2014 In NYC

Posted on April 9, 2014 | Leave a comment

I’ll be attending MobileWeek 2014 in New York City next Monday, April 13. I’m at the conference all day, so drop by and say hello. Part way through the day I’ll  deliver a 2-minute lightning talk on mobile authentication followed by a panel on enterprise mobile security and scalability.

The lightning talk is at 12:25 pm:

How To Make Mobile Authentication Dead Easy

Are your developers struggling to integrate mobile apps and enterprise data? They shouldn’t be! In just 2 minutes, learn the easiest way to get easy end-to-end security between your mobile apps and the enterprise—all without using a VPN.

It must be easy if I can cover it in only 2 minutes.

The panel starts at 1:10 (which is an odd time to start, so keep an eye on the clock). It includes participants from Hightail, and will be moderated by Geoff Domoracki, who is one of the conference founders:

The Mobile Enterprise: Productivity, Security and Scalability

We hear terms like “mobile enterprise” or “mobile workforce” – but how far are we to creating an enterprise work environment that enables real-time communication beyond geographic boundaries – freeing the employee to work from his phone anywhere in the world? This panel explores the opportunities and challenges around the emergence of a “mobile enterprise” where sitting at a desk in the office is becoming more and more out-dated. How do you share documents – secure data – prove identity – and geo-collaborate in the new mobile enterprise?

Overall it looks to be a good day. New York is a hot bed of mobile development, and I’m looking forward to meeting lots of interesting people.

See you at MobileWeek.

Leave a comment

Posted in CA Technologies, Layer 7 Technologies

Tagged , , ,

What We Should Learn From the Apple SSL Bug

Posted on February 26, 2014 | Leave a comment

Two years ago a paper appeared with the provocative title “The Most Dangerous Code in the World.” Its subject? SSL, the foundation for secure e-commerce. The world’s most dangerous software, it turns out, is a technology we all use on a more or less daily basis.

The problem the paper described wasn’t an issue with the SSL protocol, which is a solid and mature technology, but with the client libraries developers use to start a session. SSL is easy to use but you must be careful to set it up properly. The authors found that many developers aren’t so careful, leaving the protocol open to exploit. Most of these mistakes are elementary, such as not fully validating server certificates and trust chains.

Another dramatic example of the pitfalls of SSL emerged this last weekend as Apple issued a warning about an issue discovered in its own SSL libraries on iOS. The problem seems to come from a spurious goto fail statement that crept into the source code, likely the result of a bad copy/paste. Ironically, fail is exactly what this extra code did. Clients using the library failed to completely validate server certificates, leaving them vulnerable to exploit.

The problem should have been caught in QA; obviously, it wasn’t. The lesson to take away from here is not that Apple is bad—they responded quickly and efficiently the way they should—but that even the best of the best sometimes make mistakes. Security is just hard.

So if security is too hard, and people will always make mistakes, how should we protect ourselves? The answer is to simplify. Complexity is the enemy of good security because complexity masks problems. We need to build our security architectures on basic principles that promote peer-reviewed validation of configuration as well as continuous audit of operation.

Despite this very public failure, it is safe to rely on SSL as a security solution, but only if you configure it correctly. SSL is a mature technology, and it is unusual for problems to appear in libraries. But this weekend’s event does highlight the uncomfortable line of trust we necessarily draw with third party code. Obviously, we need to invest our trust carefully. But we also must recognize that bugs happen, and the real test is about how effectively we respond when exploits appear and patches become available. Simple architectures work to our favour when the zero-day clock starts ticking.

On Monday at the RSA Conference, CA Technologies announced the general availability of our new SDK for securing mobile transactions. We designed this SDK with one goal: to make API security simpler for mobile developers. We do this by automating the process of authentication, and setting up secure connections with API servers. If developers are freed up from tedious security programming, they are less likely to do something wrong—however simple the configuration may appear. In this way, developers can focus on building great apps, instead of worrying about security minutia.

In addition to offering secure authentication and communications, the SDK also provides secure single sign on (SSO) across mobile apps. Say the word SSO and most people instinctively picture one browser authenticating across many web servers. This common use case defined the term. But SSO can also be applied to the client apps on a mobile device. Apps are very independent in iOS and Android, and sharing information between them, such as an authentication context, is challenging. Our SDK does this automatically, and securely, providing a VPN-like experience for apps without the very negative user experience of mobile VPNs.

Let me assure you that this is not yet another opaque, proprietary security solution. Peel back the layers of this onion and you will find a standards-based OAuth+OpenID Connect implementation. We built this solution on top of the SecureSpan Gateway’s underlying PKI system and we leveraged this to provide increased levels of trust.

If you see me in the halls of the RSA Conference, don’t hesitate to stop me and ask for a demo. Or drop by the CA Technologies booth where we can show you this exciting new technology in action.

Leave a comment

Posted in CA Technologies

Tagged , , , ,

RSA Conference 2014 Preview And A Special CA Technologies/Layer 7 Event

Posted on February 20, 2014 | Leave a comment

Despite all our advances in communications—from social networking, to blogs, to actual functional video meetings—the trade conference is still a necessity. Maybe not as much for the content, which makes the rounds pretty fast regardless of whether you attend the show or not, but for the serendipitous meetings and social networking (in the pre-Facebook sense).

I find something comforting in the rhythm and structure a handful of annual conferences bring to my life. The best ones stay rooted in one location, occurring at the same time, year after year. They are as much defined by time and place as topic.

If it’s February, it must be San Francisco and the RSA conference. I’ve attended for years, and despite the draw from the simultaneous Mobile World Congress in Barcelona, RSA is a show I won’t skip. But I do wish MWC would bump itself a week in either direction so I could do both.

As everyone knows, this year the press made much ado of a few high profile boycotts of the conference and the two alt-cons, Security B-sides and TrustyCon, that sprung up in response. But I think it’s important to separate RSA the company from RSA the conference. The latter remains the most important security event of the year.

Every year, one theme rises above the rest. I’m not referring to the “official” theme, but the trends that appear spontaneously in the valley. The theme this year should be security analytics. The venture community put this idea on an aggressive regime of funding injections. We should expect an entertaining gallery of result good and bad. But either way, we will learn something, and it would be a poor move to bet against this sector’s future.

I’m also expecting 2014 to bring some real SDN traction. Traditional security infrastructure is low hanging fruit vendors too often miss. RSA is where SDNs for security will finally get a long awaited debut.

MWC may be the premier event for mobile, but most mobile security companies cover both, and CA is no exception. At RSA we’re showcasing our new Mobile Access Gateway (MAG). This features SDKs for iOS, Android, and JavaScript that make enterprise authentication simple for mobile developers.  As a bonus, this SDK offers cross app SSO. It means users sign on just once, from any authorized app. You should definitely come by the CA Technologies booth and have a look. And if you do see me at the show, be sure to ask me about the integrated PKI—surely one of the coolest, unsung features underneath the SDK hood.

CA and Layer 7 will host an afternoon event Monday Feb 24 at the nearby Marriott Marquis, and you are invited. You may recall we’ve held a few of these before, but this year, we have a very special guest. The event features Forrester Analyst Eve Maler, who will talk about Zero Trust and APIs. It is a great way to kick off the RSA 2014, and we’ll even give you a nice lunch. Who could refuse that?

To join us, sign up here.

Leave a comment

Posted in CA Technologies, Layer 7 Technologies

Tagged ,

New eBook: Five Simple Strategies For Securing Your APIs

Posted on February 14, 2014 | Leave a comment

Recently I wrote about the excitement I feel working within CA. This company is full of talented people, and when you draw on their capabilities, amazing stuff happens. Here in R&D we have some innovative solutions underway that are a tangible result of CA and Layer 7 working well together. I can’t reveal these yet, but you can see the same 1+1=3 equation at work in other groups throughout the organization.

Here is a good example. It’s an eBook we’ve assembled to help managers and developers build more secure APIs. The material started with a presentation I first delivered at a recent RSA show. We updated this with best practices developed by real customers facing real challenges. The content is solid, but what I love is the final product. It’s accessible, easy to digest, and the layout is fantastic. Half the battle is delivering the message so that it’s clear, approachable and actionable. This is just what we delivered. And best of all, it’s free.

The last year has been a difficult one in security. The Snowden affair made people talk about security; this, at least, is good and the dialog continues today. But if 2013 was a year of difficult revelation, 2014 is going to be about back-to-basics security.

APIs offer tremendous business value to enterprise computing. But they also represent a potential threat. You can manage this risk with a solid foundation and good basic practices, but you need to know where to start. This is the theme of our new eBook. It offers simple guidelines, not tied to a particular technology. You should apply these whenever you deploy APIs.

I hope you find this eBook useful. As always, I’d love to hear your feedback.

Download: Five Simple Strategies For Securing Your APIs.

Leave a comment

Posted in Layer 7 Technologies

Tagged , , ,

Sex, Lies and Acquisitions

Posted on February 12, 2014 | 3 comments

Has it really been almost a year since my last post? I suspected I was nearing that milestone, but it’s still surprising to discover it has been so long. Blogs have a natural ebb and flow, governed as much by the irregular rhythms of the day job as inspiration. But this was a pretty big ebb. Maybe catastrophic drought is a better metaphor.

Naturally, my absence was not lost on the spammers. That curious breed who prey on dormant blogs left me with a mountain of weirdly unctuous commentary that I needed to shovel out of the way just to get to the front door. But now that I’ve finally worked my way inside, it’s time to turn up the heat, blow out the cobwebs, and get back to work.

The story of the last year, of course, is the acquisition of Layer 7 by CA Technologies. This explains my extended absence from writing. I’m no less busy than in the past, and indeed often quite a bit more, but I’ve been completely consumed with making this deal a success. So the last year is a blur of integration, customer outreach, some terrific innovations—but not a lot of writing. That changes today.

The number one question people ask—and they ask this quite a bit—is how am I doing at a large company, and more specifically, how is CA? It is a logical question, but one always delivered with a slightly raised eyebrow that really implies just give me the dirt—and the juicer the better.

I respond with the truth. And the truth, to be honest, is quite a bit less salacious than everyone secretly hopes. Everyone knows acquisitions can go spectacularly bad. The cultural explosions can power a small city through a tough eastern winter. People love to hear these bad news stories; it’s somehow wired into our DNA to revel in nasty gossip.

Fireworks are fun, but more often acquisitions simply wither. Often the combination of start-up and Fortune 500 is an impossible calculus of mismatched expectations. In a way, this is a much worse outcome, because although the end is the same, the story is more depressing.

At CA and Layer 7, we are steering clear of these all-too-common disaster scenarios. Against all odds, we seem to be finding a very effective approach that just seems to work well for everyone.

We built a great company at Layer 7, and around this a powerful international brand. This feat is hard to achieve and once there, it is heartbreakingly easy to destroy the results. Nobody is more acutely aware of this than acquirers, and they usually respond with one of two strategies, each taken to extreme. Either they leave their new prize alone, fearful of killing the goose that laid the golden egg, or they embrace it with enthusiasm and their own unique style. The former creates silos that will never come down; but the later can squeeze the vigor out of a start-up until someone notices that the empty shell isn’t moving any longer.

We are all working very hard to find the virtuous middle ground. CA recognizes that the Layer 7 team in Vancouver is a great engine of innovation. So the band stays together, and moreover has the opportunity—really the mandate—to continue to push the envelope around APIs and mobility. We all recognize that we are part of a much larger narrative now. But honestly, this is what excites us most of all.

CA is big but it isn’t overwhelming. I’ve been struck with what a small-big company this actually is. In just seven months, I feel as though I have a good handle on who all of the key players are, and I can pretty much engage anyone I need to and be taken seriously. It’s a level of engagement I never dreamed of at IBM, a company much larger in size and exponentially more complex in organization.

That said, not everything is sunshine and roses. The expense department is convinced I’m really Frank Abagnale. I have big philosophical differences with the Internet policies. And the telephone conference codes are just too long. But I suppose I can adapt.

So the truth is boring, my anecdotes are not sexy, and that’s all a very good thing. Actually a great thing. The numbers are high, opportunity abounds, and there is a sense we can affect real change when change makes sense. My stories about the swashbuckling days of Layer 7 are far more entertaining.

But to hear these, you’ll need to buy me a beer.

Cheers.
Scott

3 Comments

Posted in Layer 7 Technologies

Tagged ,

Cisco and the Internet of Everything

Posted on February 21, 2013 | 2 comments

John Chambers, CEO of Cisco, just published a good blog entry about the potential for change caused by universal connectivity, not just of our mobile gadgets, but of pretty much everything. Much has been made of late of the so-called “Internet of Things (IoT)”, to which Cisco is upping the scope and going so far as to make a bold estimate that 99.4% of objects still remain unconnected. This of course is great fodder for late night talk show hosts. I’ll leave this softball to them, and focus instead on some of the more interesting points in Chamber’s post and the accompanying white paper.

It strikes me that there might be more to Cisco’s Internet of Everything (#I0E) neologism than just a vendor’s attempt to brand what still may be a technology maverick. Internet of Everything sounds so much better than the common alternative when you append Economy on the end, and this is how it first appears in Chamber’s post. And that’s actually important, because adding economy in the same breath is an acknowledgement that this isn’t just marketing opportunism as much as a recognition that like mobility, the IoE is a potentially great catalyst for independent innovation. In fact, Cisco’s paper really isn’t about technology at all, but instead an analysis of market potential represented in each emerging sector, from smart factories to college education.

It is exactly this potential for innovation—a new economy—that is exciting. The combination of Mobile+APIs was so explosive precisely because it combined a technology with enormous creative potential (APIs) with a irresistible business impetus (access to information outside the enterprise network). The geeks love enabling tools, and APIs are nothing if not enabling; mobile just gives them something to build.

I0E of course is the ultimate business driver—and leveraging APIs as the enabler, it equals opportunity of staggering proportion. Like mobile before it—and indeed, social web integration before this—IoE will come about precisely because the foundation of APIs already exists.

It is here where I disagree with some IoT pundits who advocate specialized protocols to optimize performance. No thank you; it isn’t 1990 and opaque binary protocols no longer work for us except when streaming of large data sets (I’m looking at you, video).

Security in the IoE will be a huge issue, and on this topic Cisco has this to say:

IoE security will be addressed through network-powered technology: devices connecting to the network will take advantage of the inherent security that the network provides (rather than trying to ensure security at the device level).

I agree with this, because security coding is still just too hard and too easy to implement wrong. One of the key lessons of mobile development is that we need to make it easy for developers to enable secure communications automatically. Take security out of the hands of developers, put it in the hands of dedicated security professionals, and trust me, the developers will thank you.

As IoE extends to increasingly resource-constrained devices, the simpler we can make secure development, the better. Let application developers focus on creating great apps, and a new economy will follow.

2 Comments

Posted in Layer 7 Technologies

Tagged , ,

CES 2013 Panel: Privacy and Security in the Cloud

Posted on January 3, 2013 | Leave a comment

The Consumer Electronics Show (CES) 2013 is starting next week and cloud computing is on the agenda. You can be sure that a technology has moved out of the hype cycle and into everyday use when it shows up at a show like CES, known more for the latest TVs and phones than computing infrastructure. People don’t really need to talk about cloud any more; it’s just there, and we are using it.

Of course there will always be a place for a little more talk, and I’ll be doing some of this myself as part of the CES panel “Privacy and Security in the Cloud”. This discussion takes place Monday Jan 7 11:00am-12:00, in LVCC, North Hall N259. The panel is chaired by my good friend Jeremy Geelan, founder of Cloud Computing Expo, who honed his considerable moderation skills at the BBC.

I’m planning on exploring the intersection between the cloud and our increasingly ubiquitous consumer devices. We will highlight the opportunities created by this technological convergence, but we will also consider the implications this has for our personal privacy.

I hope you can join us.

Leave a comment

Posted in Layer 7 Technologies

Tagged ,

Do You Agree To The Terms and Conditions? Mobile Devices And The Tipping Point of Informed Consent.

Posted on December 17, 2012 | 1 comment

handshakeSometimes I wonder if anyone, in the entire history of computing, has every bothered to read and consider the contents of a typical End User License Agreement (EULA). Some Product Manager, I suppose (though truthfully, I’m not even sure of this one).

The EULA, however, is important. It’s the foundation of an important consent ceremony that ends with only one effective choice: pressing OK. This much-maligned step in every software installation is the only real binding between an end user and a provider of software. Out of this agreement emerges a contract between these two parties, and it is this contact that serves as a legal framework for interpretation should any issues arise in the relationship.

Therein lies the rub, as the emphasis in a EULA—as in so much of contract law—is on legal formalism at the expense of end user understanding. These priorities are not necessarily mutually exclusive, but as any lawyer will tell you, it’s a lot more work to make them co-exist on more of less equal footing.

Mobile devices, however, may provide the forcing function that brings change into this otherwise moribund corner of the software industry. Mobility is hot right now, and its demanding that we rethink process and technology all over business. These new demands are going to extend to the traditional EULA, and the result could be good for everyone.

Case in point: the New York Times reported recently on a study conducted by the FTC examining privacy in mobile apps for children. The researchers found that parents were not being adequately informed about what private information was being collected and the extent to which it could be shared. Furthermore, many mobile app developers are channeling data into just a few commercial analytics vendors. While this may not sound like too big a deal, it turns out that in some cases these data are tagged with unique device identifiers. This means that providers can potentially track behavior across multiple apps, giving them unprecedented visibility into the online habits of our children.

Kid and privacy are a lightening rod for controversy, but the study really speaks to a much greater problem in the mobile app industry. Just the previous week, the State of California launched a suit against Delta Airlines alleging the company failed to include a privacy policy in its mobile app, placing it in violation of that state’s 2004 privacy law.

You could argue that there is nothing new about this problem. Desktop applications have the same capacity for collecting information and so pose similar threats to our privacy. The difference is mostly the devil we know. After years of reading about the appalling threats to our privacy on the Internet, we have come to expect these shenanigans and approach the conventional web guarded and wary. Or we don’t care (see Facebook).

But the phone, well the phone is just… different.  A desktop—or even our mobile laptop—just isn’t as ubiquitous a part of our lives as our phone. The phone goes with us everywhere, which makes it both a triumph of technology and a tremendous potential threat to our privacy.

The problem with the phone is that it is the consumer device that isn’t. Apple crossed a chasm with the iPhone, taking the mobile device from constrained (like a blender) to extensible (like a Lego set) without breaking the consumer-orientation of the device. This was a real tour de force—but one with repercussions both good and bad.

The good stuff we live every day—we get to carefully curate our apps to make the phone our own. I can’t imagine traveling without my phone in my pocket. The bad part is we haven’t necessarily recognized the privacy implications of our own actions. Nobody expects to be betrayed by their constant companion, but it is this constant companion that poses the greatest threat to our security.

The good news is that the very characteristics that make mobile so popular also promise to bring much needed transparency to the user/app/provider relationship. Consumer-orientation plus small form factor equal a revolution in privacy and security.

Mobile devices tap into a market so vast it dwarfs the one addressed by the humble PC. And this is the group for which consumer protection laws were designed. And as we’ve seen in the Delta Airlines case above, the state’s have a lever, and apparently they aren’t afraid to use it.

But legislation is only part of the answer to reconcile the dueling priorities of privacy and consent. The other element working in favour of change is size, and small is definitely better here. The multi-page contract just isn’t going to play well on the 4″ screen. What consumer’s need is a message that is simple, clear, and understandable. Fortunately, we can look to the web for inspiration on how to do this right.

One of the reasons I get excited about the rise of OAuth is because it represents much more than yet another security token (God knows we have enough of those already). OAuth is really about granting consent. It doesn’t try to say anything about the nature of that consent; but it does put in the framework to make consent practical.

Coincident with the rise of OAuth on the Web is a movement to make the terms of consent more transparent. This needs to continue as the process moves to the restricted form factor of the mobile phone. I have no doubt that left to their own devices, most developers would take the easy route out and reduce mobile consent to a hyperlink pointing to pages of boilerplate legalese and an OK button. But add in some regulatory expectations of reasonable disclosure, and I can see a better future of clear and simple agreements that flourish first on mobile devices, but extend to all software.

Here at Layer 7 we are deeply interested in technologies like OAuth, and the role these play in a changing computer landscape. We are also spending lots of time working on mobile, because more than anything mobile solutions are driving uptake around APIs. When we built our mobile application gateway, we made sure this solution made OAuth simple to deploy, and simple to customize. This way, important steps like consent ceremonies can be made clear, unambiguous, and most important, compliant with the law.

1 Comment

Posted in Layer 7 Technologies

Tagged , ,

(ISC)2 Webinar – Identity is the New Perimeter: Identity and BYOD

Posted on October 24, 2012 | Leave a comment

Join me and Tyson Whitten from CA Technologies as we deliver a webinar about security in the BYOD world. The title of our talk is Identity and BYOD, and we are honored to be presenting as part of the International Information Systems Security Certification Consortium (ISC)² security series.

This webinar will take place on Oct 25, 2012 at 1pm ET/10am PT. We will delve deeply into the issues created by the Bring Your Own Device (BYOD) movement in the enterprise, and discuss what you can do to manage the associated risk.

You can sign up on the (ISC)² website.

Leave a comment

Posted in Layer 7 Technologies

Tagged , ,

The iPad Mini is for Cars

Posted on October 24, 2012 | 1 comment

Yesterday, Apple launched the iPad mini. Apple events in the fall of 2012 may no longer command the social anticipation of only a few years ago, but they remain flash points for technology reporting. This release brought on more than its share of speculation that the mini is simply an overdue acknowledgement that Amazon got something right with Kindle, and that Apple has quietly slipped into following mode. Some pundits have seized on the angle that Apple’s new tablet appeared to contradict Job’s famous trashing of the 7″ form factor. But in all of the hullabaloo one observation seems to be missing. That is, a tablet of this size is tailor-made for inclusion into the dashboard of your car.

Nothing dates a car like its electronics. And nothing is more tragic that the UX of pretty much every single in-car navigation and music system. The luxury car segment can do Corinthian leather and wood grain appointments like no industry on earth. They can build a magnificent driving machine that powers through rain and snow like it was a sunny day in LA. But ask them to do a screen-based app and you get something that looks like it was designed on a TRS-80.

I didn’t renew the trial SiriusXM in my 4Runner because I couldn’t stand its programming compared with what I could stream from my iPhone using Bluetooth. Every time I rent a car I use my phone-based Navigon app over any provided GPS because my app is just better. I’m hooked on Waze despite how few people use it up here in Vancouver (you should sign up—the more people who use it, the better the traffic data is). The apps on my phone are always up-to-date and I replace the hardware every couple of years for the latest model (which is good enough for me; after all, it’s only a phone).

All cars need is a standard, lockable frame where you can plug in the device of your choice, plus a standardized connector. Then let free market competition and innovation prevail over Apps. Tomorrow’s gear heads aren’t going to be like the hot rodders of my Dad’s generation or the tuner kids of a decade ago. They are going to be geeks with Apps using APIs.

That’s what the iPad mini is for.

(It’s interesting to note that the wifi-only mini has no GPS, but the cellular version does…)

1 Comment

Posted in Personal

Tagged