Amazon believes an exemption is in the public’s best interest because it progresses Congress’ goal to launch commercial small unmanned aircraft systems (sUAS) in the US faster. –Christina Mulligan

Amazon announces new mobile web development tools for AWS at NYC Summit

Amazon debuted an updated mobile SDK and new Cognito, Zocalo and Mobile Analytics services at the 2014 Amazon Web Services Summit in New York City. The company detailed the new and updated developer products and services in a blog post explaining how these mobile development offerings will make it easier to build AWS-powered mobile apps. In the updated AWS Mobile SDK, new features include a DynamoDB object mapper for iOS, an S3 transfer manager and support enhancements for Android, Amazon’s FireOS and iOS/Objective-C.

The Amazon Cognito service is focused on user identity and data synchronization, letting developers manage the synchronization of user data across devices. Amazon Zocalo is a secure enterprise storage and sharing service that can be managed from any device, and Amazon Mobile Analytics uses raw app data to calculate and report various metrics to developers. For more information, check out the AWS blog post. –Rob Marvin

Kids programming robots to learn new skills

With just a smart tablet and Angry Birds, Georgia Institute of Technology researchers are making it possible for kids to program robots. The researchers have paired an Android tablet with a small humanoid robot, and kids are teaching it how to play Angry Birds just by dragging a finger on the tablet and flinging the birds across the screen. While the kids are playing Angry Birds, the robot watches and records what is happening in its memory, then mimics what the child did when it is its turn to play.

“The robot is able to learn by watching because it knows how interaction with a tablet app is supposed to work,” said Ayanna Howard, professor of electrical and computer engineering at Georgia Tech.
–Christina Mulligan

Amazon wants the FAA to allow it to test its delivery drones

Amazon is petitioning the Federal Aviation Administration (FAA) for permission to test its drones, Amazon Prime Air, in the United States. Currently, Amazon is limited to conducting R&D flights indoors or outside the country because it is a commercial enterprise.

“Amazon would prefer to keep the focus, jobs, and investments of this important research and development initiative in the United States by conducting private research and development operations outdoors near Seattle,” Paul Misener, VP of global public policy at Amazon, wrote in a letter to the FAA.
Did you hear about the hacking attack carried out a few years ago on AT&T that exposed the contact details of more than 100,000 iPad users stored on its system? It was one of the high-profile attacks that targeted a “security misconfiguration” vulnerability in AT&T’s system architecture.

That was not a one-off case. Online restaurant review site Zomato was also involved in a similar user confidentiality breach. A hacker exploited a known component vulnerability in Zomato’s web portal to retrieve the personal details of more than 62.5 million Zomato users, including their Instagram access tokens. Similar breaches have been reported in the past that took advantage of insecure configuration of system components to compromise the security of distributed systems.

What is security misconfiguration?

Security misconfiguration is the class of weakness that arises when the components of a web environment (web server, application server, framework, database, cloud storage, custom code) are deployed with insecure, incomplete or default settings instead of a deliberately hardened configuration. The term commonly refers to the security threats that arise from insecure configuration of underlying components in a web-based environment. Weaknesses in the configuration of a system may compromise the security of the environment, either partially or entirely.

Big Data and security misconfiguration

Security misconfiguration vulnerabilities can affect any Big Data project that requires access to cloud-based resources over the web. As more and more Big Data initiatives adopt cloud-based solutions, platforms and applications, there is an ever-increasing risk of web-based security breaches caused by configuration flaws in underlying systems, modules and components.

Common security misconfigurations that can affect your Big Data project

There are seven critical target areas in a web-based environment that are often targeted by attackers.
Typical root causes for such vulnerabilities include implementation flaws, configuration errors and unchanged default settings. Let’s take a closer look at each of the seven soft targets that are susceptible to security misconfiguration.

Unnecessary features/services in enabled state

A Big Data application is usually bundled with lots of features and services, such as sample data sets, admin consoles, remote shells and demo endpoints. Most projects won’t need all of them, and every enabled service you never use is attack surface you still have to patch and monitor. Disable all unnecessary features and services right away. Doing so saves a significant amount of server resources and minimizes the threat surface.

Using default accounts

It is common for an application to ship with a default user account with administrative privileges, and published default credentials are among the first things an attacker tries. In a production environment, remove all default accounts and settings. If you must keep a default account for some reason, change its password immediately, keep the new one in a secrets store rather than in code or configuration files, and restrict where it can log in from.

Overexposure of debugging information

Debugging information and error messages are vital for developers and sysadmins to find the root cause of a failure. However, the same stack traces, file paths, framework versions and database errors give an attacker a map of your system. It is good practice to hide those details from general users: return a generic error to the client, log the full detail server-side, and make it available only to administrative users. Verbose error pages and framework debug modes must be switched off in production.

Misconfigured SSL certificates

It is common practice to safeguard sensitive data over the web by means of SSL/TLS encryption. Configuring it the right way is essential to establish secure connectivity between end-user systems and the application hosted in the cloud. Improper key generation and management is a serious concern: generate private keys of adequate strength (at minimum 2048-bit RSA or a modern elliptic curve), keep them outside web-accessible paths with restrictive file permissions, obtain certificates from a trusted CA for the correct hostnames, and disable obsolete protocol versions and weak cipher suites.
Ensure that sensitive data is kept encrypted both at rest and in transit. SSL/TLS endpoints must be validated with configuration scanning and penetration testing to detect any remaining weaknesses, such as expired or self-signed certificates, hostname mismatches and legacy protocol versions.

Improper file and directory permissions

File and directory permissions are another area susceptible to attack. It is important to have well-defined user roles to prevent misuse of access rights. Any default access settings must be overridden with a proven access-control mechanism. Grant access privileges to individual users according to their needs, following the principle of least privilege. It’s a good idea to write a security policy governing file and directory permissions and to check for deviations regularly: world-readable configuration files, private keys and data directories are a common finding. Password-protected folders and directory structures can also be used to prevent unauthorized access to protected data.

Improper authentication with external systems

Gone are the days of standalone systems that could cater to all computational needs. Nowadays Big Data initiatives involve a wide array of systems and modules. It is important to safeguard the authentication gateways while integrating multiple systems. Each module must authenticate the callers that reach it rather than trusting that an upstream component already did. Implementing a strict authentication mechanism for external systems is the way to achieve enhanced security. Ensure that users and services are required to present valid credentials (username/password, API key or client certificate) to access external systems and modules, and never leave an integration endpoint reachable without authentication on the grounds that it is “internal”.

Unpatched security flaws

Security is a continuous process. No system is 100% secure. New threat areas are discovered over time. Software manufacturers and application developers are constantly working to identify emerging threats and devise appropriate patches.
It is good practice to apply the latest security patches as soon as they are released by the vendors, and to keep an inventory of the components and versions you run so you know which advisories apply to you.

Final thoughts

Security misconfiguration vulnerabilities in Big Data projects can occur at any level, including (but not limited to) the business intelligence platform, the web server console, applications hosted on the cloud, cloud-based storage, and even custom code modules. The need of the hour is to ensure that application developers and system administrators work together to close the security gaps. The entire application stack has to be configured properly to prevent data security breaches.
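The seven soft targets above are a checklist, and a checklist is easiest to keep honest when it is run by a script rather than by memory. The following is an added example, not code from the original article or from any Big Data product: it audits a constructed application configuration and a constructed private-key file against five of the targets (unused features left enabled, default accounts, debug output in production, obsolete SSL/TLS versions, and loose private-key permissions), showing the weak configuration beside its corrected form. The configuration keys, account names, feature names and default-credential list are assumptions made for the example.

```python
"""Configuration audit against the misconfiguration soft targets.

Added example for this article; the config layout and the default-credential
list are assumptions, not those of any particular product.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# Assumed vendor defaults an attacker would try first (illustrative list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
# Protocol versions a public endpoint should never offer.
OBSOLETE_TLS_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass(frozen=True)
class Finding:
    target: str   # which soft target the finding belongs to
    detail: str


def check_unused_features(cfg):
    """Flag every feature that is enabled but not listed as in use."""
    in_use = set(cfg.get("features_in_use", ()))
    return [Finding("unnecessary feature", f"{name} is enabled but unused")
            for name, enabled in cfg.get("features", {}).items()
            if enabled and name not in in_use]


def check_default_accounts(cfg):
    """Flag accounts whose name/password pair is a known vendor default."""
    return [Finding("default account", f"{acct['name']} still has a default password")
            for acct in cfg.get("accounts", ())
            if (acct["name"], acct["password"]) in DEFAULT_CREDENTIALS]


def check_debug_output(cfg):
    """Debug mode in production hands stack traces and settings to every client."""
    if cfg.get("debug") and cfg.get("environment") == "production":
        return [Finding("debug output", "debug is enabled in production")]
    return []


def check_tls_versions(cfg):
    """Flag obsolete protocol versions the endpoint is configured to accept."""
    return [Finding("tls", f"{v} is enabled")
            for v in cfg.get("tls_versions", ()) if v in OBSOLETE_TLS_VERSIONS]


def check_key_permissions(key_path):
    """A private key readable by group or other is readable by any local process."""
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [Finding("key permissions", f"{key_path} has mode {oct(mode)}")]
    return []


def audit(cfg, key_path):
    """Run every check and return the combined list of findings."""
    return (check_unused_features(cfg) + check_default_accounts(cfg)
            + check_debug_output(cfg) + check_tls_versions(cfg)
            + check_key_permissions(key_path))


# Constructed sample: the weak configuration beside its corrected form.
WEAK_CONFIG = {
    "environment": "production",
    "debug": True,
    "features": {"rest_api": True, "sample_dashboard": True, "remote_shell": True},
    "features_in_use": ["rest_api"],
    "accounts": [{"name": "admin", "password": "admin"},
                 {"name": "analyst", "password": "correct-horse-battery-staple"}],
    "tls_versions": ["TLSv1", "TLSv1.2", "TLSv1.3"],
}
HARDENED_CONFIG = {
    "environment": "production",
    "debug": False,
    "features": {"rest_api": True, "sample_dashboard": False, "remote_shell": False},
    "features_in_use": ["rest_api"],
    "accounts": [{"name": "analyst", "password": "correct-horse-battery-staple"}],
    "tls_versions": ["TLSv1.2", "TLSv1.3"],
}


def demo():
    """Audit both configs against a constructed key file; returns (weak, hardened) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "server.key")
        with open(key_path, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
        os.chmod(key_path, 0o644)     # the misconfiguration: world-readable key
        weak = audit(WEAK_CONFIG, key_path)
        os.chmod(key_path, 0o600)     # the fix: owner-only
        hardened = audit(HARDENED_CONFIG, key_path)
    return weak, hardened


if __name__ == "__main__":
    weak_findings, hardened_findings = demo()
    for finding in weak_findings:
        print(f"[{finding.target}] {finding.detail}")
    print(f"weak config: {len(weak_findings)} findings, hardened config: {len(hardened_findings)}")
```

The weak configuration produces six findings (two unused features, one default account, debug mode, TLSv1, and the world-readable key) and the hardened one produces none. In a real deployment the checks would read the live configuration files and key paths of the stack rather than an in-memory dictionary, and the audit would run on a schedule so drift is caught, not just the initial build.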
The Twelve-Factor App is a methodology for building apps that use declarative formats for setup automation, have a clean contract with the underlying operating system, are suitable for deployment on modern cloud platforms, minimize divergence between development and production, and can scale up without significant changes. According to IBM’s Daniel Berg, the 12 factors map directly onto the principles for developing apps with a microservices architecture.

The Twelve-Factor App was published by Heroku co-founder Adam Wiggins in 2011, based on the development, operation and scaling of applications witnessed on the Heroku platform. “Twelve Factor apps are built for agility and rapid deployment, enabling continuous delivery and reducing the time and cost for new developers to join a project. At the same time, they are architected to exploit the principles of modern cloud platforms while permitting maximum portability between them. Finally, they can scale up without significant changes to tooling, architecture or development practices,” the Heroku team wrote in a post.

Recently, with the rise of microservices, the 12 factors have become more popular because they align with the microservices principles, according to Pivotal’s Lawrence Crowther. The 12 factors are “a triangulation on ideal practices for app development, paying particular attention to the dynamics of the organic growth of an app over time, the dynamics of collaboration between developers working on the app’s codebase, and avoiding the cost of software erosion,” the methodology states.
According to its website, the 12 factors are:

1. One codebase tracked in revision control, many deploys
2. Explicitly declare and isolate dependencies
3. Store config in the environment
4. Treat backing services as attached resources
5. Strictly separate build and run stages
6. Execute the app as one or more stateless processes
7. Export services via port binding
8. Scale out via the process model
9. Maximize robustness with fast startup and graceful shutdown
10. Keep development, staging and production as similar as possible
11. Treat logs as event streams
12. Run admin/management tasks as one-off processes

Crowther suggests that those starting on a microservices journey from scratch should strictly follow the 12 factors if they wish to gain agility and the ability to scale. However, if they are taking a legacy monolithic application and transitioning it to microservices, it will be harder to adhere to all 12 factors. Over time, companies can start introducing or improving the codebase more in line with the 12 factors, Crowther explained.

“The 12 factor apps check-list is really just a set of guidelines that dictate how a microservice should be built to properly support the concept of independently managed and iterated services. These factors are important when building decoupled, stateless microservices,” said Matt Ellis, product management and strategy architect at TIBCO.
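Three of the factors in the list above have a direct security payoff and are small enough to show in one service skeleton: config in the environment (3) keeps secrets out of the codebase and lets a deploy fail fast when one is missing, logs as event streams (11) means the app writes structured lines to stdout and never has to manage log files, and fast startup with graceful shutdown (9) means a SIGTERM finishes the job in hand instead of abandoning it. The following is an added example for this article; it is not code from Heroku, IBM, Pivotal or TIBCO, and the variable names APP_PORT, DATABASE_URL, SESSION_SECRET and LOG_LEVEL are assumptions made for it.

```python
"""Twelve-factor style service bootstrap (added example; names are assumptions)."""
import io
import json
import signal
import sys
import time
from dataclasses import dataclass

REQUIRED_SETTINGS = ("DATABASE_URL", "SESSION_SECRET")
MIN_SECRET_LENGTH = 32


class ConfigError(ValueError):
    """Raised at startup so a misconfigured deploy fails fast instead of limping along."""


@dataclass(frozen=True)
class Config:
    port: int
    database_url: str
    session_secret: str
    log_level: str = "INFO"


def load_config(env):
    """Build Config from an environment mapping; nothing is read from the codebase."""
    missing = [key for key in REQUIRED_SETTINGS if not env.get(key)]
    if missing:
        raise ConfigError("missing required settings: " + ", ".join(missing))
    try:
        port = int(env.get("APP_PORT", "8080"))
    except ValueError:
        raise ConfigError("APP_PORT must be an integer") from None
    if not 1 <= port <= 65535:
        raise ConfigError("APP_PORT out of range")
    if len(env["SESSION_SECRET"]) < MIN_SECRET_LENGTH:
        raise ConfigError(f"SESSION_SECRET must be at least {MIN_SECRET_LENGTH} characters")
    return Config(port=port, database_url=env["DATABASE_URL"],
                  session_secret=env["SESSION_SECRET"],
                  log_level=env.get("LOG_LEVEL", "INFO"))


def redacted(cfg):
    """Copy of the config that is safe to log: the secret is replaced, never printed."""
    return {"port": cfg.port, "database_url": cfg.database_url,
            "session_secret": "<redacted>", "log_level": cfg.log_level}


def log_event(stream, event, **fields):
    """Emit one JSON object per line; the platform, not the app, routes and stores it."""
    record = {"ts": time.time(), "event": event, **fields}
    stream.write(json.dumps(record, sort_keys=True) + "\n")
    return record


class Worker:
    """Stateless job loop whose only shutdown state is a flag set by SIGTERM."""

    def __init__(self, cfg, stream):
        self.cfg = cfg
        self.stream = stream
        self.stopping = False
        self.processed = 0
        self.records = []     # kept so callers can inspect what was logged

    def request_stop(self, *_signal_args):
        self.stopping = True

    def run(self, jobs):
        """Process jobs until told to stop; finish the current job, never abandon it."""
        self.records.append(log_event(self.stream, "startup", config=redacted(self.cfg)))
        for job in jobs:
            if self.stopping:
                break
            self.processed += 1
            self.records.append(log_event(self.stream, "job_done", job=job))
        self.records.append(log_event(self.stream, "shutdown",
                                      processed=self.processed, graceful=self.stopping))
        return self.processed


def demo():
    """Constructed run: a secret supplied by the environment, a stop request after three jobs."""
    env = {"DATABASE_URL": "postgres://db.example.internal/app",
           "SESSION_SECRET": "constructed-secret-" + "0123456789" * 2}
    worker = Worker(load_config(env), io.StringIO())

    def jobs():
        for i in range(10):
            if i == 3:
                worker.request_stop()   # stands in for SIGTERM arriving mid-run
            yield i

    return worker.run(jobs()), worker.records


def main(env, stream):
    cfg = load_config(env)
    worker = Worker(cfg, stream)
    signal.signal(signal.SIGTERM, worker.request_stop)
    return worker.run(range(100))


if __name__ == "__main__":
    import os
    try:
        main(os.environ, sys.stdout)
    except ConfigError as exc:
        print(json.dumps({"event": "config_error", "detail": str(exc)}), file=sys.stderr)
        sys.exit(1)
```

Run stand-alone it reads the real environment and exits with status 1 and a single JSON error line if a required setting is absent, which is the fail-fast behaviour a platform scheduler can act on. The startup event logs the redacted config, so a log aggregator never sees the session secret even though the process had to read it.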