It's a truism often tossed around among software engineers: the faster you can find a bug, the cheaper it is to fix it. Lately, we've been publishing a series about DevOps — the combination of development and operations teams, de-siloing IT, embracing automation and extending agile development practices past development and across the applications lifecycle. Speed is a huge benefit of DevOps — when workflows are automated, code is released faster.
Five things. If you want to see an interesting cross-section of culture go to YouTube.com and search on "five things". Dogs. Beauty tips. Snipers. Things guys do that girls hate. Things girls do that guys love. Things found underwater that no one can explain. Five things might be enough to cover some of those topics. We're looking at software security. Five things is barely enough to get started. A good start is better than not starting, so five things it is.
Internet of Things
Amazon Web Services (AWS) launched a new service this year to help people work with internet connected devices, also known as Internet of Things. Things are a thing, and they actually call these devices "Things" in their service. There is a lot of interest in connecting things to the internet these days, and while times are still early, vendors like Amazon have staked a claim as to a) what they believe they can offer and b) what is important going forward that is missing from many implementations. Of these the biggest is security. While working with a client that manufactured large industrial equipment, we saw an example of why security may be the largest focus for AWS. This client had connected their machine to the internet by putting a little web server on it. They were then surprised when the shop’s network administrator didn't want to open a port to their machine in their firewall. The administrator correctly predicted that this little device was no match for internet hackers. In the AWS model, they provide an SDK to connect the device directly to AWS IoT service. There are no listening ports on the device. Instead a messaging protocol based on MQTT is used to push data back and forth to AWS. In addition, all connections must be made via Transport Layer Security (TLS) and authenticated with device specific certificates. To make that easier, AWS IoT is set up as a device management hub where you can create definitions for devices, and the service automatically generates the needed certificates. It also lets you specify what to do if the device stops communicating (the "last will and testament" topic). MQTT is a publish / subscribe model of topics and subscriptions. To connect to data sent by the device, the device publishes to an agreed upon topic to which other AWS services can subscribe. Examples would be SQS, or Dynamo DB, from which you can do additional processing. By default, a device is connected to a state topic unique to the device—the "Device Shadow." This is used to push messages to the device to control internal data. As an example, you might have a motor connected to your device and could represent its on/off switch in the code with a variable that is written to an OUTPUT pin on the board. You would publish a message to the devices shadow topic and the message would be pushed to the device, where the code would receive this message, and update the pin to start the motor. Our first experiment with AWS IoT was with an Arduino YUN, for which AWS has a specific SDK. Even with the embedded Atheros AR9331 running Linux providing the TLS communication, it was pretty easy to consume the entire memory of the Arduino chip with the software. Without the YUN, the straight C based embedded SDK did not fit in the Arduino, so it became clear that the TLS requirement will be a burden for many small devices. A gateway will be needed in these cases. We also found that although the UI for AWS IoT was easy enough to use, it was hard to imagine it working well for a large number of devices. We felt that the service is an interesting first step, but much of the interface is kind of a toy at this point. The underlying communications infrastructure is sound though, so while the device management features will take some time to mature, it would work well in many applications.
Information security is one of those topics that everyone is concerned about but no one really wants to deal with. Yet, you can play the “what if” scenarios in your head until they keep you up at night. There is a constant war going on between those who have information, and those who are seeking to steal it. Gone are the days of having a group password posted on the wall for an application that only a handful of people use. Gone are the days when careless coding mistakes are only noticed by the original developer and ignored. Gone are the days when information security is given a back seat, when the thought of security risks rarely enters the development process.