Updated on June 20, 2017 by Alan Sharp-Paul
OK, it's Labor Day weekend. I don't suppose any of you want to read about application configuration. Time to bring a bit of culture into matters then. Arts and culture are very important to us here at UpGuard. OK, so that's a stretch. We may not be brogrammers but we have a lot of Australians working here. Art appreciation often only extends as far as stubby holder (koozie) design. Having said that, and contrary to some rumors that are currently doing the rounds, we can read. I'm a bit of a Cormac McCarthy fan myself (insert disclaimer here that I was into his stuff before Oprah tarnished his cool), and my favorite book of his is Blood Meridian. I won't go into too much detail other than to say if you're into epic tales of debauchery you should check it out.
A choice quote from the book comes from perhaps the most impressive and repulsive character, the Judge. A twisted philosopher, his actions could not be more base. His words contain many nuggets of wisdom though and, desperately short of blog ideas, I realised that this one in particular has relevance for application owners.
"Whatever in UAT exists without my knowledge exists without my consent."
OK, so I switched in a word so that we could examine it from the point of view of an application owner. In shepherding changes and improvements to their application through the myriad environments that exist in a typical enterprise today, what area do they have the least visibility, control, and therefore knowledge of? Configuration!
Unlike changes to code, the impact of which is generally both well known and highly visible, changes to application and infrastructure configuration are mostly hidden. Hidden, that is, until something goes wrong. Does the following scenario sound familiar?
"We just deployed to the QA environment but the application is refusing to start up. QA should be a mirror of SIT and everything is working fine in there. We've asked operations and they swear they haven't touched it. Security say that their patching spreadsheet looks fine and the East Coast development team say they haven't pushed to QA in over 2 weeks. We're stumped!"
Now you're not crazy. You know that, given the same inputs, you should expect the same output. Something has changed, but what? Has a library been updated? Was an unapproved patch run made? Did someone tweak the firewall? Were all the configuration files updated for QA? Did we mess up?
No one knows, and the only option is to trawl through each environment, trying to work out what is different. This is crazy though. Why are we still doing this manually in this day and age?
So if you're responsible for an application, ask yourself this for each of its environments: "What configuration exists without my knowledge?" If you're not aware of it then you are not in control of it. If you are not in control of it then it will come back to bite you, but I don't need to tell you that; you know it already.
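The SIT-versus-QA comparison from the scenario above can be scripted instead of trawled by hand. This is an added example, not code from the original post and not UpGuard's product; the snapshot layout, the `must_differ` parameter and every package, patch, port and file value are constructed for illustration.

```python
import hashlib

def fingerprint(text):
    """Hash config content so snapshots can be compared without storing the file."""
    return hashlib.sha256(text.encode()).hexdigest()

def flatten(snapshot, prefix=""):
    """Flatten a nested snapshot into {'packages/libexample': '2.1.0', ...}."""
    flat = {}
    for key, value in snapshot.items():
        path = f"{prefix}/{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat

def drift(baseline, target, must_differ=()):
    """List (path, kind, baseline_value, target_value) for every discrepancy.

    must_differ (an assumption of this example) names environment-specific
    items: identical values there mean the target was never updated.
    """
    a, b = flatten(baseline), flatten(target)
    findings = []
    for path in sorted(a.keys() | b.keys()):
        if path not in b:
            findings.append((path, "missing", a[path], None))
        elif path not in a:
            findings.append((path, "unexpected", None, b[path]))
        elif a[path] != b[path] and path not in must_differ:
            findings.append((path, "changed", a[path], b[path]))
        elif a[path] == b[path] and path in must_differ:
            findings.append((path, "not_updated", a[path], b[path]))
    return findings

# Constructed sample snapshots; every name and value is illustrative.
SIT = {"packages": {"libexample": "2.1.0", "libother": "1.4.2"},
       "patches": {"PATCH-EXAMPLE-001": "installed"},
       "firewall": {"tcp/8443": "allow"},
       "files": {"app.properties": fingerprint("db.host=sit-db\npool=10\n")}}
QA = {"packages": {"libexample": "2.1.1", "libother": "1.4.2"},
      "patches": {"PATCH-EXAMPLE-001": "installed", "PATCH-EXAMPLE-002": "installed"},
      "firewall": {},
      "files": {"app.properties": fingerprint("db.host=sit-db\npool=10\n")}}

if __name__ == "__main__":
    for path, kind, old, new in drift(SIT, QA, must_differ={"files/app.properties"}):
        print(f"{kind:<12} {path}: SIT={old!r} QA={new!r}")
```

Each finding maps to one of the questions in the scenario: an updated library, an unapproved patch, a firewall rule that went missing, and a QA config file that is still a copy of the SIT one.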
As luck would have it, we have a solution for this at UpGuard. We allow users of any capability level to scan and understand, compare, and control their application configurations. Would you believe that we can do this for an app in under 5 minutes? No? Well, your lack of trust in me, whilst completely understandable, is unfounded. Click this link to see our demo and prepare to be schooled.
Happy Labor Day!
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.