Sunday, December 15, 2013

Application Security: An Afterthought for Most Organizations


My comment on this article from Infosecurity, The Ponemon Institute: Most Organizations are Woefully Behind in Application Security, was too long for LinkedIn, where I found the original link, so I posted it here.  It is a relevant and, I think, fairly accurate assessment of corporate IT application developers and their security practices.  It is a generalization, but many application developers are not adequately educated in application security practices.  Security is seen as a checkpoint item somewhere in the project lifecycle (if at all) rather than integrated into the SDLC.  Another force at work is the relationship between application developers and the security team.  It is not always a healthy one: application developers perceive, correctly or not, that the security team's mission is simply to say no.

The other big elephant in the room is that the security practice installed in most of the corporate world is perimeter-based defense: firewalls, proxies, DMZs and so on.  This gives application developers a false sense of security about their internally hosted applications, and as a result internal breaches account for some of the more devastating security incidents.  An application that is reachable only from the corporate network is still reachable by anyone who has gained a foothold on that network.  It is possible that the emerging thinking around zero trust networks will help address this, but it is certainly in the early stages.
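To make the contrast concrete, here is an added example (not from the original post) showing the two authorization models side by side: a "perimeter" check that trusts any request arriving from an internal address, and a zero-trust check that ignores the source address and instead requires a signed, unexpired identity token plus a per-request permission check. The signing key, network ranges, token format and role table are all hypothetical choices made for this illustration.

```python
import hashlib
import hmac
import ipaddress
import time

# Hypothetical shared signing key for the example; a real deployment would use a KMS/HSM.
SECRET = b"example-signing-key"

# Hypothetical "trusted" corporate ranges used by the perimeter model.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical role table used by the zero-trust model.
ROLE_PERMISSIONS = {"admin": {"read", "write"}, "analyst": {"read"}}


def perimeter_authorize(request):
    """'Trust the network' model: any request from an internal address is allowed.

    Anyone with a foothold on the internal network (phished laptop, rogue
    insider, compromised server) passes this check without any identity at all.
    """
    src = ipaddress.ip_address(request["remote_addr"])
    return any(src in net for net in INTERNAL_NETS)


def mint_token(user, role, ttl=300, now=None):
    """Issue an HMAC-signed token: user|role|expiry|signature."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{role}|{now + ttl}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token, now=None):
    """Return the identity carried by a token, or None if it is missing, tampered or expired."""
    now = int(time.time()) if now is None else now
    try:
        user, role, exp, sig = token.split("|")
    except (ValueError, AttributeError):
        return None  # absent or malformed token
    payload = f"{user}|{role}|{exp}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature mismatch: payload was altered or forged
    if int(exp) <= now:
        return None  # expired
    return {"user": user, "role": role}


def zero_trust_authorize(request, action, now=None):
    """Identity plus per-request authorization; the source address is irrelevant."""
    identity = verify_token(request.get("token"), now=now)
    if identity is None:
        return False
    return action in ROLE_PERMISSIONS.get(identity["role"], set())


if __name__ == "__main__":
    # Constructed requests: an unauthenticated request from inside the perimeter
    # passes the perimeter check but fails zero trust; a valid token works from anywhere.
    inside = {"remote_addr": "10.1.2.3"}
    tok = mint_token("alice", "analyst", now=1000)
    outside = {"remote_addr": "203.0.113.5", "token": tok}
    print("perimeter, no identity, internal IP:", perimeter_authorize(inside))
    print("zero trust, no identity, internal IP:", zero_trust_authorize(inside, "read", now=1000))
    print("zero trust, valid token, external IP:", zero_trust_authorize(outside, "read", now=1000))
```

The point of the second model is that network location buys nothing: a request with no credential is rejected even from 10.0.0.0/8, a token whose role field has been edited fails the signature check, and an expired token is rejected regardless of where it came from.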

From my viewpoint in the enterprise architecture world, I think that seeing security as a strategic enabler rather than as a defense or checkpoint gives an organization the ability to innovate at a far faster pace than those that do not.  Those that perceive security as a necessary evil or a drag on their efforts will struggle to keep up.  The great challenge, of course, is elevating security to that strategic enabler role and getting application developers to understand its importance.  Again, an excellent article and a must read for CIOs and Enterprise Architects.

Sunday, November 03, 2013

Revisiting "The Cloud" and the rise of the "uber developer"

The past year has seen rapid advances in cloud computing adoption and in the offerings available.  The competition has heated up: Amazon is still the clear leader, but Microsoft Azure and Google are starting to make some real noise and have the pocketbooks to do it.  Pretty much everyone else is in serious catch-up mode and will have major mind share as well as financial obstacles to overcome, not impossible but definitely an uphill climb.

Most of you at this point, except the vendors in catch-up mode, are probably nodding your heads thinking, yes, we know this, tell us something we don't know.  What you may not know or see clearly yet is that the cloud model is giving rise to the concept of the "uber developer".  The rest of this post will explore the "uber developer" concept and why it may be the catalyst for your business and technology innovation.

Forrester released some research back in June looking at the state of public cloud platforms.  Here is a link to the article.  One key takeaway from the Forrester article was its classification of the types of developers present in a typical business IT shop.  Before we jump into that, it is important to understand what a business IT shop is from my perspective.  A business IT shop is one found in the typical corporation where technology is not the primary business of the corporation, i.e. not Google, Amazon or Netflix, but rather corporations like Sears, Bank of America or American Express.

To paraphrase Forrester's definitions, there are essentially three types of developers in corporate IT shops: "coders", "rapid developers" and "DevOps pros".  Coders are willing to write complex programs but don't want the burden of dealing with the underlying infrastructure.  Rapid developers like all the complexity abstracted away and normally use declarative GUIs, drag-and-drop coding if you will.  DevOps pros want to write the complex programs but also want complete control of the infrastructure.  They want all the knobs available to them, with very little abstraction.  This DevOps pro is what I would classify as the "uber developer".

It is highly likely, and preferable, that you have all three types of developers within your organization.  Heavily loading up on one type can create an imbalance in your organization's capability both to sustain and to innovate.  The rest of this post, however, will focus on the uber developer, innovation and the cloud.

The uber developer is not a new concept; they have existed since the beginning of IT.  Uber developers are the developers constantly learning new things, wanting to learn and, in a lot of cases, to control the entire stack of their applications, including infrastructure.  It is important to distinguish uber developers from hackers or cowboy coders: uber developers are usually thoughtful and pragmatic about their solutions.  Uber developers know a lot about networks, hardware, operating systems, databases and so on.  They have an absolute passion for understanding the entire application stack.

The majority of traditional business IT shops don't have a lot of these developers, for two primary reasons.  First, uber developers are attracted to start-ups and technology companies because the willingness to embrace new technology and solutions is high there.  These developers are pragmatic risk takers; they are not afraid to press the button.  Second, business IT groups are heavily laden with compliance issues, legacy software, technical debt and extreme bureaucracy.  Uber developers and traditional business IT shops go together about as well as matter and anti-matter.

So what has changed?  Why are we seeing this type of developer start to exist for more than a brief moment in the traditional IT shop, and what does this mean for your organization?  The answer is simple: it is the public cloud combined with open source software.  All the power and technology of modern IT is now available via a control panel and a credit card to anyone who has the desire and capability to use it.  In the eyes of the uber developer it is the world's largest sandbox, and it is a match made in heaven.  And if you don't have any of these developers, the tread marks on your forehead are your competition.  Innovation will be driven at the most successful companies by pairing these uber developers with capable business architects.

How do you know if you have any uber developers?  It is pretty simple, since these developers have already figured out the power of the cloud.  Poll your development group and simply ask: how many of you have a private cloud account with AWS, Google, Azure or another cloud provider?  If the answer is zero, you are in trouble.  If the answer is "we really don't know what the cloud is", well, RIP.  Simply having a private account is not the only indicator, but it is a good starting point for getting to know what you have.

The modern IT landscape is changing at a velocity unprecedented in the modern era.  This rate of change is not only driving IT to figure itself out, it is also driving the velocity of business change.  Business leaders and architects now have information available to them and the ability to disseminate it at the speed of light.  The uber developer will be the link that drives innovative solutions that meet the demands of the business.  The future IT shop will look much different in just a few years, with uber developers being the dominant innovation engine and a mainstay within the IT shop.