Wednesday, March 13, 2019

A Great Application Dependency Discovery and Mapping Tool

I recently ran across www.device42.com and am blown away by the price and capabilities of their offerings. One of the most difficult challenges in IT is to get application dependency maps in your infrastructure. The biggest hurdle is access to the different systems. Device42 helps ease this problem by providing standalone discovery executables that can be given to system administrators to run themselves. This means that credentials don't NEED to be stored centrally (this is the root of the access problem). Each administrator can simply upload the results of the discovery process.

The tool also lets you drag-and-drop servers into rack configurations, so you can get a real-world visualization of your datacenter.

All of the above is standard in the software from the leaders in this space (BMC ADDM, ServiceNow Discovery, IBM TADDM), but Device42's price just blows the others away. Their pricing page is here: https://www.device42.com/pricing/. If you've done any research in the space, you know that the pricing gives you a terrific amount of value.


* Gulfsoft has no relationship with Device42. This opinion is being provided simply because we're so amazed by this application.

Tuesday, March 12, 2019

How does an SQL injection attack occur and how can developers guard against it?

I ran across this great YouTube video that shows exactly how to perform an SQL injection attack:

https://www.youtube.com/watch?v=ciNHn38EyRc

I like the way the author steps through all of the gory details of the attack, including his assumptions, thought processes, etc. It's simply a great tutorial on how a hacker would go about formulating this type of attack. What it doesn't explicitly cover is the list of specific mitigation techniques that can be employed to stop this kind of attack, but you can find that information easily with Google:

https://www.google.com/search?&q=how+to+protect+against+code+injection

There you'll find tons of language-specific solutions to the problem.
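Since the post leaves the mitigation to a search, here is an added example (not from the video or the original post) in Python with sqlite3: the same login lookup built by string formatting, and then with bound parameters. The table and rows are constructed for the demo, and passwords are compared in plaintext only to keep it short.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to keep the sample short; real systems store hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the video exploits: input is pasted into the SQL text,
    so quotes in it change the query's structure instead of being data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s' "
           "ORDER BY username" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The mitigation: placeholders fix the query structure in advance and the
    driver sends the values separately, so they can never become SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    # The classic tautology input makes the WHERE clause true for every row
    # in the vulnerable version; the parameterized version matches nothing.
    bad = "' OR '1'='1"
    print(login_vulnerable(conn, bad, bad))     # ['alice', 'bob']
    print(login_parameterized(conn, bad, bad))  # []
```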

Thursday, March 7, 2019

Full service cloud providers deliver better, faster, cheaper services (and more of them) than your IT department

Isn't The Cloud just "running my stuff on someone else's hardware"?

In a word, NO! If you're in IT at any level, from individual contributor all the way up to CIO, you need to take the time to really look in-depth at the cloud offerings available today. If you aren't blown away by what's available, then you need to spend more time looking at the capabilities on offer. That's not meant as an insult - it's my honest opinion as a deeply technical consultant who has been in IT for a very long time. Personally, I would recommend that you look at AWS because they're the leader and have been since Cloud became a thing. They simply have more resources available (documents, videos, tutorials, use cases, case studies, third party tools, etc.) to really show you what they offer, and it's absolutely incredible.

OK, I'm impressed, but my IT department can provide everything we need

You may be getting everything you currently think you need, but I promise you there are more capabilities out there that you just haven't thought of yet because of limitations that exist in your current environment. For example, what reply would you get from this request:

I would like to see a topology graph of all of the server, network, database and security resources associated with Application X.

I've worked with thousands of companies of all sizes, and I've only seen this question answered a couple of times, and only for very well-known, small applications. The tools to answer it are out there, and many companies own several of them, but there are technical and political obstacles that prohibit this information from being displayed on a single pane of glass. However, with AWS, there are several third party vendors that offer products that can provide this information within minutes. Specifically, all of the components are registered centrally within AWS, so their metadata can be retrieved with the AWS API. These third party tools pull the data and display it on a graph to make it easier to consume (with filtering so you can include/exclude the appropriate components based on name or tag). 

This central repository of configuration information is, basically, a built-in CMDB. There are companies that have been working for years and years to eventually have a partial CMDB, and the big cloud providers offer it from day one. And in AWS, this central repository is audited BY DEFAULT. That means you can see exactly who changed exactly what and when. That's incredible.

I still don't see what's so great about The Cloud

That means you still haven't spent enough time trying to understand what's available. What I would recommend is that you go through one of the AWS workshops available on Github. Specifically, go through the Website workshop available here:


It will step you through the creation of a serverless web application, including a user self-registration component. This is something that's normally a HUGE obstacle in enterprise application creation, and AWS offers it directly via their IAM service. And, as I mentioned, everything is defined centrally, so you can see what your applications look like.

Now I'm impressed, but it looks pretty difficult to set up

It is definitely complicated, but it can be done. You do need to define policies around things like naming, tags and usage, and you need to restrict who can perform which actions, and there are a multitude of other policies that must be defined for your specific enterprise. The good news is that there are several education and certification tracks available to get people certified as AWS architects. Additionally, there are lots of AWS architects available for hire. It's like any new initiative - it just needs to be approached incrementally.

How to get started with serverless apps on AWS

Amazon has workshops on Github!

This is really neat stuff. Amazon has a collection of several serverless workshops available on Github here:


These workshops take you step by step through the entire process of creating several different types of serverless applications. Hopefully this will help demystify serverless for you.

Wednesday, March 6, 2019

NSA open sourced a powerful software reverse engineering tool, Ghidra

WIRED: The NSA Makes Ghidra, a Powerful Cybersecurity Tool, Open Source. https://www.wired.com/story/nsa-ghidra-open-source-tool

Tuesday, March 5, 2019

How do you start on the path of Digital Transformation?

What is Digital Transformation?

Most of the definitions I've found are grandiose, vague and elusive at best. From an implementation perspective, the definition is, IMO, very simple:

Find better ways to use available technology.

I realize that's still pretty vague, but I have some concrete details and examples to show you how you can start addressing this challenge.

How do I start?

The best way we've found to help companies start down the path of Digital Transformation is to create a list of questions that need to be answered. Specifically, we've expanded the definition above to:

Find better ways to use available technology to provide answers to our daily/weekly/monthly questions.

Once we have at least one question that we want to answer, we can identify information or technology gaps in our current environment. For example, an extremely common question among companies is:

How many servers do we own and what is the status of each?

We've found that this seemingly simple question can cause fistfights to break out in a meeting. That's because multiple different departments have different answers, and the true answer has been an elusive quest for a number of years. The goal is to identify the data required to answer the question and the location(s) of that data if available. For example, you may have the beginning of an answer that looks like this:

For the development servers, Jim R. has a manually updated spreadsheet at location XXXX on Sharepoint. 
For the engineering servers, Nancy P. has a homegrown database that only she has access to.
For the website, we think Ashok V. has a spreadsheet that may or may not be up-to-date.

Notice that we don't actually have an answer at all, but we're identifying areas of interest that may get us the information we need. This exercise shows areas where improvement is needed. In this case, it should be apparent that some type of asset discovery and management system is needed to enable us to get a valid answer to the question. What we normally find is that the customer actually owns one (or several) tools that can provide the required function, but no one in the meeting knows about these tools. This usually leads to another question similar to:

What software do we currently own and what are the capabilities of each title?

And you have to go through the same process as above with this question. I guarantee that it will be frustrating for everyone involved, but this is the process that is absolutely required. 

Further along in the process, as new systems are introduced, the owners of those systems need to be aware of the questions that the system will need to provide answers for so that they can be architected appropriately. For example, any new online system needs to be able to provide data that can answer the following questions:

How many users are actively using the system?
How many failed transactions have occurred in the past (hour/day/week) and which users were affected?
Is the system working properly at this moment and is it accessible to all of my users?

There are literally thousands of other questions that you may have, and part of Digital Transformation is identifying those questions so that the answers can be obtained quickly. And this is where another version of my original definition comes in handy:

Find better ways to use available technology to save time.

You can come up with tons of different reasons to use technology more wisely, and they are all perfectly valid reasons for you to continuously work on your Digital Transformation.

Customizing bash command line completion

What am I talking about?

In the bash shell on Linux, you can type a character or two then hit the TAB key to get a list of the commands that start with those characters. You can do the same to complete the name of a file you're trying to edit or directory you're trying to change to. It turns out that you can customize this command line completion behavior by installing the "bash-completion" package. This package is often installed by default and has been available for several years.

What can you do with bash-completion?

You can have the TAB key complete command arguments for you. For example, the 'curl' command has tons of arguments. You can customize bash to auto-complete the parameters for you. You just need to create a completion script named 'curl' in the /etc/bash_completion.d folder. Here's a great tutorial on creating these command completion scripts:


Even more helpful, here is a ton of them that have already been created:


If you've got a command with tons of options, you can use this to make it easier for you or your users to successfully create a working command.
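As an added example (not from the linked tutorial or the bash-completion project), here is a minimal completion script for a small subset of curl's options; the option lists are assumed to be a sample, and the file would normally be saved as /etc/bash_completion.d/curl.

```shell
#!/usr/bin/env bash
# Added example: tab completion for a small subset of curl's options.
# Save as /etc/bash_completion.d/curl (or source it) and type: curl --<TAB>
# Completion functions need bash; re-exec if started under another shell.
if [ -z "${BASH_VERSION:-}" ]; then exec bash "$0" "$@"; fi

# Options are split by whether they take a value, so the value can be completed too.
_curl_flag_opts="--insecure --verbose --silent --location --head --include --fail"
_curl_value_opts="--header --data --user --cacert --cert --key --output --request --url"

_curl_complete() {
    local cur prev
    cur="${COMP_WORDS[COMP_CWORD]}"
    prev="${COMP_WORDS[COMP_CWORD-1]}"
    COMPREPLY=()

    # Complete the value of the previous option where it has a known shape.
    case "$prev" in
        --cacert|--cert|--key|--output)
            COMPREPLY=( $(compgen -f -- "$cur") )   # a file path
            return 0 ;;
        --request)
            COMPREPLY=( $(compgen -W "GET POST PUT DELETE PATCH HEAD" -- "$cur") )
            return 0 ;;
    esac

    # Otherwise, if the current word looks like an option, complete option names.
    if [[ "$cur" == -* ]]; then
        COMPREPLY=( $(compgen -W "$_curl_flag_opts $_curl_value_opts" -- "$cur") )
    fi
    return 0
}

# Register the function; the builtin exists only in bash with readline support.
complete -F _curl_complete curl 2>/dev/null || true
```

COMP_WORDS, COMP_CWORD and COMPREPLY are the variables bash sets and reads around a completion function, so the function can also be exercised by hand by setting the first two and inspecting the third.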