Category Archives: CA Technologies

Upcoming Talks At MobileWeek 2014 In NYC

I’ll be attending MobileWeek 2014 in New York City next Monday, April 13. I’m at the conference all day, so drop by and say hello. Part way through the day I’ll  deliver a 2-minute lightning talk on mobile authentication followed by a panel on enterprise mobile security and scalability.

The lightning talk is at 12:25 pm:

How To Make Mobile Authentication Dead Easy

Are your developers struggling to integrate mobile apps and enterprise data? They shouldn’t be! In just 2 minutes, learn the easiest way to get easy end-to-end security between your mobile apps and the enterprise—all without using a VPN.

It must be easy if I can cover it in only 2 minutes.

The panel starts at 1:10 (which is an odd time to start, so keep an eye on the clock). It includes participants from Hightail, and will be moderated by Geoff Domoracki, who is one of the conference founders:

The Mobile Enterprise: Productivity, Security and Scalability

We hear terms like “mobile enterprise” or “mobile workforce” – but how far are we to creating an enterprise work environment that enables real-time communication beyond geographic boundaries – freeing the employee to work from his phone anywhere in the world? This panel explores the opportunities and challenges around the emergence of a “mobile enterprise” where sitting at a desk in the office is becoming more and more out-dated. How do you share documents – secure data – prove identity – and geo-collaborate in the new mobile enterprise?

Overall it looks to be a good day. New York is a hot bed of mobile development, and I’m looking forward to meeting lots of interesting people.

See you at MobileWeek.

Advertisements

What We Should Learn From the Apple SSL Bug

Two years ago a paper appeared with the provocative title “The Most Dangerous Code in the World.” Its subject? SSL, the foundation for secure e-commerce. The world’s most dangerous software, it turns out, is a technology we all use on a more or less daily basis.

The problem the paper described wasn’t an issue with the SSL protocol, which is a solid and mature technology, but with the client libraries developers use to start a session. SSL is easy to use but you must be careful to set it up properly. The authors found that many developers aren’t so careful, leaving the protocol open to exploit. Most of these mistakes are elementary, such as not fully validating server certificates and trust chains.

Another dramatic example of the pitfalls of SSL emerged this last weekend as Apple issued a warning about an issue discovered in its own SSL libraries on iOS. The problem seems to come from a spurious goto fail statement that crept into the source code, likely the result of a bad copy/paste. Ironically, fail is exactly what this extra code did. Clients using the library failed to completely validate server certificates, leaving them vulnerable to exploit.

The problem should have been caught in QA; obviously, it wasn’t. The lesson to take away from here is not that Apple is bad—they responded quickly and efficiently the way they should—but that even the best of the best sometimes make mistakes. Security is just hard.

So if security is too hard, and people will always make mistakes, how should we protect ourselves? The answer is to simplify. Complexity is the enemy of good security because complexity masks problems. We need to build our security architectures on basic principles that promote peer-reviewed validation of configuration as well as continuous audit of operation.

Despite this very public failure, it is safe to rely on SSL as a security solution, but only if you configure it correctly. SSL is a mature technology, and it is unusual for problems to appear in libraries. But this weekend’s event does highlight the uncomfortable line of trust we necessarily draw with third party code. Obviously, we need to invest our trust carefully. But we also must recognize that bugs happen, and the real test is about how effectively we respond when exploits appear and patches become available. Simple architectures work to our favour when the zero-day clock starts ticking.

On Monday at the RSA Conference, CA Technologies announced the general availability of our new SDK for securing mobile transactions. We designed this SDK with one goal: to make API security simpler for mobile developers. We do this by automating the process of authentication, and setting up secure connections with API servers. If developers are freed up from tedious security programming, they are less likely to do something wrong—however simple the configuration may appear. In this way, developers can focus on building great apps, instead of worrying about security minutia.

In addition to offering secure authentication and communications, the SDK also provides secure single sign on (SSO) across mobile apps. Say the word SSO and most people instinctively picture one browser authenticating across many web servers. This common use case defined the term. But SSO can also be applied to the client apps on a mobile device. Apps are very independent in iOS and Android, and sharing information between them, such as an authentication context, is challenging. Our SDK does this automatically, and securely, providing a VPN-like experience for apps without the very negative user experience of mobile VPNs.

Let me assure you that this is not yet another opaque, proprietary security solution. Peel back the layers of this onion and you will find a standards-based OAuth+OpenID Connect implementation. We built this solution on top of the SecureSpan Gateway’s underlying PKI system and we leveraged this to provide increased levels of trust.

If you see me in the halls of the RSA Conference, don’t hesitate to stop me and ask for a demo. Or drop by the CA Technologies booth where we can show you this exciting new technology in action.

RSA Conference 2014 Preview And A Special CA Technologies/Layer 7 Event

Despite all our advances in communications—from social networking, to blogs, to actual functional video meetings—the trade conference is still a necessity. Maybe not as much for the content, which makes the rounds pretty fast regardless of whether you attend the show or not, but for the serendipitous meetings and social networking (in the pre-Facebook sense).

I find something comforting in the rhythm and structure a handful of annual conferences bring to my life. The best ones stay rooted in one location, occurring at the same time, year after year. They are as much defined by time and place as topic.

If it’s February, it must be San Francisco and the RSA conference. I’ve attended for years, and despite the draw from the simultaneous Mobile World Congress in Barcelona, RSA is a show I won’t skip. But I do wish MWC would bump itself a week in either direction so I could do both.

As everyone knows, this year the press made much ado of a few high profile boycotts of the conference and the two alt-cons, Security B-sides and TrustyCon, that sprung up in response. But I think it’s important to separate RSA the company from RSA the conference. The latter remains the most important security event of the year.

Every year, one theme rises above the rest. I’m not referring to the “official” theme, but the trends that appear spontaneously in the valley. The theme this year should be security analytics. The venture community put this idea on an aggressive regime of funding injections. We should expect an entertaining gallery of result good and bad. But either way, we will learn something, and it would be a poor move to bet against this sector’s future.

I’m also expecting 2014 to bring some real SDN traction. Traditional security infrastructure is low hanging fruit vendors too often miss. RSA is where SDNs for security will finally get a long awaited debut.

MWC may be the premier event for mobile, but most mobile security companies cover both, and CA is no exception. At RSA we’re showcasing our new Mobile Access Gateway (MAG). This features SDKs for iOS, Android, and JavaScript that make enterprise authentication simple for mobile developers.  As a bonus, this SDK offers cross app SSO. It means users sign on just once, from any authorized app. You should definitely come by the CA Technologies booth and have a look. And if you do see me at the show, be sure to ask me about the integrated PKI—surely one of the coolest, unsung features underneath the SDK hood.

CA and Layer 7 will host an afternoon event Monday Feb 24 at the nearby Marriott Marquis, and you are invited. You may recall we’ve held a few of these before, but this year, we have a very special guest. The event features Forrester Analyst Eve Maler, who will talk about Zero Trust and APIs. It is a great way to kick off the RSA 2014, and we’ll even give you a nice lunch. Who could refuse that?

To join us, sign up here.