When we think of protecting our information online, it’s usually in the context of traditionally sensitive data-- credit card numbers, addresses, SSNs, and so on. But as anyone who has taken a picture of themselves wearing nothing but a smile can tell you, the information exchanged during online dating can be just as personal. I haven’t done that, though. Ever. I have never done it.
This week, Apple’s App Store and iTunes Store suffered a downtime of about 10 hours. For the better part of the day, customers were unable to access the stores, purchase music or apps, or make payments using the Apple Pay payment system. The problem has been attributed to “a configuration blunder” of its DNS setup.
UpGuard attended the DevOps Enterprise Summit recently, and we had a blast. We talked to people non-stop for three days, gave countless UpGuard demonstrations, caught a few talks, made some new friends, and learned a lot from attendees about the kinds of challenges they face implementing DevOps. (And hey, did you guys try those breakfast burritos they had on day 2? Delicious.)
News about the major bash vulnerability dubbed Shell Shock is reaching far and wide at the moment, and for good reason — its effects have the potential to reach even further than its distant cousin Heartbleed had previously. IT departments have been scrambling not only to patch machines, but to even find affected machines on their own networks. As config monitoring becomes commonplace, however, today's headache will probably be remembered as something that could've been just a simple nuisance. While both OpenSSL (responsible for Heartbleed) and the bash shell (where Shell Shock gets its name) are found in datacenters and businesses in every corner in the world, that's where the similarities end. The mechanisms exploiting the two vulnerabilities are entirely different, despite the tech media continuing to compare the two.
Imagine this — you're rolling out a new version of your web app. Works great in the dev environment, and it's been signed off on in staging, so it gets rolled out to production. Things seem fine, so you call it a night. Then the support requests begin flooding in. Something's broken somewhere, and it's not immediately obvious how. Performance monitor shows the machines are running well, so it can't be that. Ah well, better crack one of those neon-colored energy drinks, it's time to roll back and log into these machines to look through logs and config files for a potential cause. "How could this be happening," you ask, "I mean... these machines are all configured the same, right?"
"Did you really just say 'thought leader'?" Everyone laughed. The open space topic we'd gathered to discuss was "DevOps as an Echo Chamber." The room was full of people who wanted faster, more stable deployments, and none of them were getting help from the DevOps blog-industrial complex.
If you’re working with IIS then you know that preventing configuration drift is as important as it is time consuming. In the best case scenario you’re monitoring configs daily to keep development, testing, and deployment running smoothly. In the worst case—well, all-nighters make good war stories but aren’t much fun. A proactive approach is much better. UpGuard automates configuration testing at scale, to find out if your IIS servers are hardened and as expected. We'll look at how UpGuard can help with these five major problems as an example of what we do. Here are the top five critical configuration problems we see on IIS servers and how we fix them.
There's an old idea in Hollywood— if you can't pitch an idea in one sentence, it's too complicated. The term "DevOps" is about 5 years old, and the community still has no consensus on what that word really means, even though it's full of thought leaders who'll claim to be able to tell you.
Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been. And the cybersecurity industry, for what it's worth, has generally avoided this concept because it goes against the narrative that their respective offerings—whether it's a firewall, IDS, monitoring tool, or otherwise—would be the one-size-fits-all silver bullet that can keep businesses safe. But reality tells a different story.