Real World Software Architecture

Real World Software Architecture is dedicated to providing information and experiences from the field of Software Architecture.

Wednesday, February 22, 2012

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes Book Review

Working as a Software Architect, one of the main concerns we always have is security. At the application level it can usually be implemented easily if you are up to speed with the latest industry standards and best practices for the technology you are working in.

Working as an Enterprise Architect, security becomes a much broader subject. Insider threats become part of the picture, and there is no cookie-cutter solution for them. I have seen plenty of potential issues thwarted, and over the years working as a consultant I have witnessed plenty of successful insider attacks.

One of my first experiences with insider threats was when I was still in the engineering field. We used an email product called Pega eMail. A few of us discovered that no password was required to log into another person's email if it was done in a certain way. We would do goofy stuff like rename each other's folders to stupid names. We got bored with it in about a day and forgot about it. As time went on, our company was purchased by an English company.

The new parent company sent in a new president. One of the new president's jobs was to reorganize. People were let go and offices were moved. Some of the people in one of the departments decided they wanted the inside scoop. Apparently they had learned about the email trick. They began reading all the new president's emails. From what I heard, one of them mentioned something in a meeting that was confidential between the new president and the company's London office.

The IT security team started to investigate and discovered the email product flaw. They then monitored the IP addresses logging into the president's email and discovered the entire department was guilty. One Friday afternoon they were all escorted out of the building.

I have experienced several insider threat scenarios but the worst one was at a small company that decided it was a good idea to hire a hacker to be the lead network administrator. At the time he was very good at hacking, but not so good with ethical hacking. Actually he wasn't so good with ethics at all. I am pretty sure he had a drug problem also. Either that or he was just downright nuts. He came and went as he pleased. In the weeks leading up to the incident he was missing for days at a time. When he did show up, it was better to avoid him. He was a mess.

They eventually called him in and told him he had to straighten up, or else. He politely apologized, said no problem, and proceeded to change all the network and server passwords and remove everyone else's access. He then disappeared for good. It took the company a few days to figure out what had happened. Their only choice was to completely rebuild a mirror company infrastructure. It took weeks and cost them a ton of cash.

Those are just two of many things I have witnessed over the years as a consultant. You like to think you work with people you can trust, but everyone has the potential for having an off day and making a bad choice. The problem is being able to identify those individuals who are heading towards their bad day and their bad decision. This book is a tremendous resource in helping with that.

Below are the chapters and appendices included in the book.

Chapter 1: Overview
Chapter 2: Insider IT Sabotage
Chapter 3: Insider Theft of Intellectual Property
Chapter 4: Insider Fraud
Chapter 5: Insider Threat Issues in the Software Development Life Cycle
Chapter 6: Best Practices for the Prevention and Detection of Insider Threats
Chapter 7: Technical Insider Threat Controls
Chapter 8: Case Examples
Chapter 9: Conclusion and Miscellaneous Issues

Appendix A: Insider Threat Center Products and Services
Appendix B: Deeper Dive into the Data
Appendix C: CyberSecurity Watch Survey
Appendix D: Insider Threat Database Structure
Appendix E: Insider Threat Training Simulation: MERIT InterActive
Appendix F: System Dynamics Background

This book categorizes insider threats into IT sabotage, theft of intellectual property (IP), and fraud. After the introduction in chapter 1, the book has a chapter on each category. It mainly covers attacks by current and former employees, contractors, and trusted business partners. Each chapter covers patterns related to the crimes and offers mitigation strategies.

Insider IT Sabotage covers patterns like Personal Predispositions, Disgruntlement and Unmet Expectations, Behavioral Precursors, Stressful Events, Technical Precursors and Access Paths, and The Trust Trap. Some of the mitigation strategies include Handling Disgruntlement through Positive Intervention, Eliminating Unknown Access Paths, A Risk-Based Approach to Prioritizing Alerts, Measures upon Demotion or Termination, and Test Backup and Recovery Process.

Insider Theft of Intellectual Property patterns include Insider Contribution and Entitlement, Insider Dissatisfaction, Insider Theft and Deception, Insider Planning of Theft, and Increasing Access. This chapter also covers the who, what, and why of the crimes. Some of the mitigation strategies covered include Network Data Exfiltration, Host Data Exfiltration, Physical Exfiltration, Exfiltration of Specific Types of IP, and Concealment.

Insider Fraud patterns include Origins of Fraud, Outsider Facilitation, Recruiting Other Insiders into the Scheme, and Insider Stressors. This chapter also includes a cool who, why, what, and how section. This chapter covers countermeasures such as watching out for Inadequate Auditing of Critical and Irregular Processes, Employee/Coworker Susceptibility to Recruitment, Financial Problems, and Excessive Access Privilege.

The authors use MERIT (Management and Education of the Risk of Insider Threat) diagrams to design the most effective mitigation strategies. They really help put the threat into context. The really cool thing about the MERIT diagrams in the book is that they are mirrors of actual working system dynamics models. I wish these models were available for download.

The chapter on Insider Threat Issues in the Software Development Life Cycle really points out the importance of following a good SDLC and how an inadequate job of following one can later lead to exploitation. It covers topics like Separation of Duties, Automated Data Integrity Checks, Exception Handling, Code Reviews, Attribution, System Deployment, and Backups.

Best Practices for the Prevention and Detection of Insider Threats is worth the price of the book. It covers 15 practices. A few of them include Consider Threats from Insiders and Business Partners in Enterprise-Wide Risk Assessments, Institute Periodic Security Awareness Training for All Employees, Anticipate and Manage Negative Workplace Issues, and Monitor and Respond to Suspicious or Disruptive Behavior, Beginning with the Hiring Process. Each principle includes a section explaining what you can do, and offers a case study to give you an example of what can happen if you don't.

One of the things I like most about this book is all the examples that are included. They are very interesting. They help to put you in the shoes of a person that may commit a crime. They really will help you identify and head off attacks.

The CERT Insider Threat Center has a ton of additional information available. You can learn a lot from the site, but I highly recommend reading the book. It has put everything together in one place in a logical reading order.

Overall, I think every single person that has anything to do with IT should read this book. Even if you don't deal with sensitive data, you are at risk for sabotage.

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering)

posted by tadanderson at 5:10 PM

Monday, February 13, 2012

Succeeding with Agile: Software Development Using Scrum Book Review

I have been implementing and improving development processes for a while now. Either directly when I am brought in as a Software Process Engineer, or indirectly when I am brought in as a Software Architect. I have not been involved with process improvement on all my engagements. The ones I was not involved with already had a decent development process in place, or they already had an initiative underway.

I have never personally led a process improvement initiative to a Scrum implementation. I always implement a configurable process repository that allows for everything from OpenUP, to UP, to RUP. I have never had the request for Scrum nor have I tried to sell it as an option. The main reason for that is until recently I have found it to be incomplete when it came to enterprise scale. The Scaled Agile Framework has taken the initiative and filled in the gaps. The book Agile Software Requirements: Lean Requirements Practices for Teams, Programs, and the Enterprise does a great job of covering the Scaled Agile Framework.

I have seen Scrum attempted multiple times. Depending on the perspective, they all failed and they all succeeded. Watching from the sidelines, our consulting team's view was that they failed miserably, but according to the internal managers that made the choice to go with Scrum, they were a huge success. Depending on who was asking the development team, us or the managers, they had completely different answers.

The most important party, the end user, saw no change to the quality of software delivered or slightly worse quality. They were never the wiser that the team was attempting Scrum, so their opinion didn't matter. What? Yep, in every single attempt I have witnessed the end user's role didn't change. Neither did the upper management, sales, or marketing. It was a development level attempt to implement a bottom up change that requires change at every level of any decent size organization.

I don't have to really go into any more detail explaining why the initiatives failed. By the way, if you are sitting there thinking, 'I must have missed something, why did they fail?', you absolutely must read this book!!!

This book is down to earth and does not just regurgitate Scrum practices; it provides tons of advice and examples from past experience. The book is for all levels of individuals and teams involved with, or thinking about getting involved with, Scrum.

The book is broken down into five parts: Getting Started, Individuals, Teams, The Organization, and Next Steps.

The chapter titles are self-explanatory. I have listed them by part below.

Part I: Getting Started - Why Becoming Agile Is Hard (But Worth It), ADAPTing to Scrum, Patterns for Adopting Scrum, Iterating Toward Agility, Your First Projects

Part II: Individuals - Overcoming Resistance, New Roles, Changed Roles, Technical Practices

Part III: Teams - Team Structure, Teamwork, Leading a Self-Organizing Team, The Product Backlog, Sprints, Planning, Quality

Part IV: The Organization - Scaling Scrum, Distributed Teams, Coexisting with Other Approaches, Human Resources, Facilities, and the PMO

Part V: Next Steps - Seeing How Far You've Come, You're Not Done Yet

Every chapter gives in-depth coverage of the topics included. What I like best about the book is all the examples the author includes from past experience. There are only two ways of gaining experience: gain it by doing and learning yourself, or learn from others that are willing to share theirs with you. The author offers every ounce of experience he has with both successes and failures. He does not pull punches. He gives accurate, full accounts of the reasons for both.

There wasn't a chapter I did not enjoy or did not find valuable, but I really liked part two, Individuals. The first chapter in part two is Overcoming Resistance. I have experienced everything the author highlights in this chapter when I am involved with process improvement. You will need the advice offered in this chapter to succeed. People do not like change even when it is for the better. There will be those that make it their mission to sabotage your efforts.

Another really important chapter in part two is Changing Roles. Not only is it important to understand what is changing about the roles, but also understand the ones being eliminated, like the project manager. Although the project manager is being eliminated the responsibilities are not. In Scrum most of the responsibility is transferred to the team. This can be a major issue if the team can't handle them. You need to be careful to not just blindly axe the project manager.

Every time I have seen Scrum attempted, the project managers are simply given the role of ScrumMaster. The problem I have seen, though, is that they don't change anything they are doing. You don't have to do away with project managers, but at a minimum a name change is recommended. The author includes a great explanation as to why in this chapter. The chapter discusses changes to Analysts, Project Managers, Architects, Functional Managers, Programmers, Database Administrators, Testers, and User Experience Designers.

Another thing I like about this book is that the author does not lose sight of the enterprise. He covers several topics throughout the book that enable scale and organization-wide implementation. You may get lucky and Scrum may take off like wildfire after you have a small successful project, but odds are it will not. The author covers the Enterprise Transition Community, scaling Scrum, distributed teams, epics, themes, and Scrum of Scrums.

There is nothing I can think of that I would have liked to see included that wasn't. This is one of the most enjoyable reads I have read in a while. The author's writing style is great. All the stories from past experience really help you to put the subject being covered into context. The stories also keep it interesting.

All in all I highly recommend this book to anyone getting involved with, or already involved with Scrum. It is an absolute must read!!!

Succeeding with Agile: Software Development Using Scrum

posted by tadanderson at 4:49 PM

Saturday, February 11, 2012

Warning about Pro Silverlight 5 in C# Publishing Issue - NO COLOR

I just wanted to give everyone a heads up that Pro Silverlight 5 in C# is not printed in color. The cover has the full color inside advertisement, but the book I received today is only in black and white.

I am hoping this was a printer error because one of the things that made this book a really nice read was the color. I have contacted the author and the publisher and will update this post as I receive feedback.

I am sure the content is still great, and I will follow up with a full review after I have had the chance to read it, but I wanted to get a warning out.

UPDATE
Looks like this version will be black and white. I must say I hope the printing process is improved because, as it is, the code in the book was made for color, and printed in grayscale it is practically unreadable. I do want to say everyone involved was helpful. Apress gave me an ebook version and Amazon sent a second book thinking the first one was just a mistake.

From Apress:
We're very sorry about this; what you saw - and experienced - is the result of a mistake on our part, pure and simple. The print version of the book is grayscale, while the eBook version is in full color. If the grayscale version is not suitable for your needs, we recommend you seek a refund from the vendor who sold you the book. We have begun the process of altering the cover for a new print run, and changing the preview images available at sites such as amazon.com.

posted by tadanderson at 7:35 AM

Friday, February 10, 2012

TFS Process Template Content Comparison - Scrum 1.0 vs Agile Software Development v5.0 vs CMMI Process Improvement v5.0

I recently had to decide which base template I wanted to use for a TFS project. I had not looked at the templates for a while and wanted to compare them to each other. I ended up just taking screenshots for each category's tab. You can check them out in this PDF.

posted by tadanderson at 12:13 PM

Saturday, February 04, 2012

The Definitive Guide to HTML5 Book Review

Although I started with Cold Fusion for application development, I did plenty of brochureware sites with HTML. I believe the version was HTML 2.0 for IE 2.0. I lived in the browser world for years doing Cold Fusion, ASP, and HTML sites. When WinForms and Smart Client with Web Services emerged, I changed my religion. I have been avoiding the browser whenever possible since.

For the past couple of years my extent of using simple HTML has been limited to writing blogs and book reviews. Simple HTML means no ASP.NET or ASP.NET MVC. With all the HTML5 hype I figured I would take some time and read a few books on it. This one is my third and I have one more on the way.

So far I have found HTML5 is no different than any other version with respect to the way its capabilities are implemented and where it belongs when architecting a solution. It is far reaching, but if you want a rich HTML5 UI you will be writing a lot of JavaScript and CSS. It really can't be helped, that has always been the real skin and muscle on the HTML skeleton.

HTML5, JavaScript, and CSS are broad subjects. This book can help the beginner learn HTML5, JavaScript, and CSS and it can serve as a nice reference for the experienced developer. This tome definitely delivers a lot of information.

There are getting started chapters for beginners on HTML5, JavaScript, and CSS. They are followed by a chapter that puts all the elements the book covers into context, meaning there are tables showing which elements are used for metadata, text, grouping, sectioning, tables, forms, and embedding.

The book continues with chapters covering Creating HTML Documents, Marking Up Text, Grouping Content, Creating Sections, Working with Tables, Working with Forms, Customizing the Input Element, Other Forms Elements & Input Validation, and Embedding Content.

The chapters listed above are followed by an in-depth treatment of CSS and JavaScript. There are 16 chapters covering the topics in great detail.

The author then moves into more advanced features. He covers using Ajax, multimedia, the canvas, drag and drop, geolocation, web storage, and creating offline applications.

The one thing the book does not do is stray from core browser capabilities. However, the author points out when using advanced libraries like jQuery would be advantageous. I am glad the author handled it this way. Instead of glossing over topics that need a complete book to cover completely, he kept the scope limited to allow for more in-depth coverage of core browser capabilities.

The author's writing style is great, but the book also makes a great reference. Tons of tables and a nice index help you to find things quickly.

The code is organized in folders by chapter. It is all usable and works like it is supposed to. I know this sounds like something that is just expected, but there have been some books' code I have downloaded that was disorganized to the point of being unusable. In a book like this, accompanying code is an important aspect.

If you are doing, or considering doing, HTML5 development, you owe it to yourself to have this book by your side. I highly recommend it to anyone involved with web development.


The Definitive Guide to HTML5

posted by tadanderson at 8:16 PM