IoT Evolution Expo: Multi-Dimensional IoT Fog Computing Scalability & Security

Recorded: August 20, 2015, Caesar’s LV 

https://youtu.be/t2p35-fFNik

Posted in Uncategorized | Leave a comment

Manage Your IoT Mesh

October 20-21, 2014 video recording of my IoTA Moscone conference presentation on how to manage meshes of IoT enclaves with a focus on API security.

http://youtu.be/PjxNR-H0-nk


Javascript !=== Infinite

Some of my software engineering friends and I often discuss the concept of infinity and how near it actually is, whether in the form of the infinite number of points on any circle regardless of its circumference, or in taking an infinite number of half steps between here and there and never actually arriving. That is what coding in JavaScript has felt like for me when attempting to compute large numbers with accurate precision (that is, without the lossiness of scientific-notation rounding), or when bumping into a tiny infinity boundary imposed by the memory limits of the JavaScript interpreter engine's process.

This week I worked to port JavaScript code that was performing JSON to SOAP/XML message transformation on a Java 1.8 Jetty powered API gateway. Changing the programming model from interpreted JS that had to be compiled for every message passing through the gateway to precompiled Java components that instead read declarative configuration properties from a BPEL process improved performance by a factor of 4.

With regard to bumping into a tiny infinity in JS when performing simple math operations such as the addition of large numbers, this JS performance test is a simple way to benchmark the speed of one's JavaScript interpreter ( http://ariya.ofilabs.com/tag/v8 ), while also getting to experience that infinity is just a handful of milliseconds away: this code hits that wall after just 1477 additions of Fibonacci integers. I won't even waste your time with the version that slowly tests whether each sum is prime.

window.addEventListener('load', function(e) {
  document.querySelector('#test').innerHTML = 'fibonacci (Phi) Javascript performance test';
}, false);

var x = 1;   // F(n-2)
var y = 1;   // F(n-1)
var n = 1;
var f = 1;   // F(n)
var t = 0;   // elapsed milliseconds (declared here; it was an implicit global in the original)
var start = Date.now();
document.writeln("Phi @iryanb Perf Test" + "<br />");
for (n = 3; n < 1478; n++) {
  f = x + y;                         // overflows Number.MAX_VALUE to Infinity at n = 1477
  t = Math.abs(Date.now() - start);
  document.writeln("F : " + n + " is " + f + " Time(ms): " + t);
  x = y;
  y = f;
  document.writeln(" <br />");
}
var speed = "average";
if (t < 24) { speed = "fast"; }
if (t > 50) { speed = "slow"; }
document.writeln("Results: " + speed);

Try this code in the JSAnywhere app on your smartphone to experience the speed of math in JS on a mobile device.

Benchmark results:

F : 1475 is 8.077637632156222e+307 Time(ms): 21 
F : 1476 is 1.3069892237633987e+308 Time(ms): 21 
F : 1477 is Infinity Time(ms): 21 
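To pin down exactly where the benchmark's doubles give up, here is an added example (not code from the original post) that runs the same Fibonacci recurrence with both Number and BigInt. It finds the first index where the double result is no longer exact, which comes long before the overflow, and the first index where it becomes Infinity; the function names are my own.

```javascript
// Same recurrence as the benchmark above, once with IEEE-754 doubles (JavaScript's
// Number) and once with BigInt, which is exact. Added example; helper names are
// the editor's, not from the post.
function fibNumber(n) {
  let x = 1, y = 1;
  for (let i = 3; i <= n; i++) { const f = x + y; x = y; y = f; }
  return y;
}

function fibBigInt(n) {
  let x = 1n, y = 1n;
  for (let i = 3; i <= n; i++) { const f = x + y; x = y; y = f; }
  return y;
}

// First index whose double result differs from the exact value. A double has a
// 53-bit significand, so once F(n) passes 2^53 odd values cannot be represented
// and the "integer" you print is silently wrong, with no Infinity to warn you.
function firstImpreciseFib(limit = 200) {
  for (let n = 1; n <= limit; n++) {
    if (BigInt(fibNumber(n)) !== fibBigInt(n)) return n;
  }
  return -1;
}

// First index where the double exceeds Number.MAX_VALUE (about 1.8e308) and
// collapses to Infinity; this is the wall the benchmark's loop runs into.
function firstInfiniteFib(limit = 2000) {
  for (let n = 1; n <= limit; n++) {
    if (!Number.isFinite(fibNumber(n))) return n;
  }
  return -1;
}

// The exact decimal digits of a value the double version can only print as Infinity.
function exactFibDigits(n) {
  return fibBigInt(n).toString();
}

console.log("precision lost at F(" + firstImpreciseFib() + ")");    // F(79)
console.log("Infinity reached at F(" + firstInfiniteFib() + ")");   // F(1477)
console.log("F(1477) has " + exactFibDigits(1477).length + " digits");
```

The practical lesson for anything that validates or signs numeric values in JS: treat Number as unsafe above Number.MAX_SAFE_INTEGER and use BigInt or string arithmetic, because the error at F(79) is invisible while the one at F(1477) is at least loud.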


Mitigating the top five API security weaknesses 

https://blog.akana.com/iryanb-top-five-api-weaknesses/ 


i0t : internet zero trust

While most think the gist of IoT is about the Internet of Things, those of us following the recent events (heartbleeding shellshocked poodles) in the security space know that NIST is spot on with their recommendation to implement a “Zero Trust Architecture.”

If you've configured an Arduino, by now you know that it doesn't take much to get the WiFi SSID and password off one of these little things, especially when it is equipped with a USB port that lets a laptop connect directly to it. Most have one, since that is the port used both for power and for the initial setup that configures the board to join a network.

That raises the question of whether an Arduino even has the computational power and memory required for adequate encryption of the data the "thing" is sensing once it is on the network. And if data privacy is not a concern for your use case, losing control of the things connected to it should at a minimum be a concern. The simplicity of IoT development is attractive to many developers because of the low cost of entering a very compelling market: wirelessly controlling anything with a switch. Simplicity and security, however, are certainly orthogonal concepts.

While it may seem convenient to be able to turn on your air conditioner as you depart a plane so that your home is comfortable before you pull into the driveway, it would not be convenient to find out that somehow the “thing” was hijacked and had instead cranked up the heat while you were away. These are the types of things that should concern the consumer that is so enamored with a winking hub endorsed by a nesting actor obsessed with the fortune of perfectly dimmed lighting.

What is a Zero Trust Architecture? Start here: i0t

Now that we all understand the value of segmentation gateways at the API layer that offer value beyond simply opening and closing ports like a traditional network firewall, we can discuss enclaves of domains of trust and the ability to centrally manage policies across these zones of control.

I’ll be at Cloud Expo in Santa Clara on November 6, 2014 demonstrating how SOA Software API Gateways can play the role of a segmentation gateway Policy Enforcement Point for IoT API controllers, and how the SOA Policy Manager plays the role of the Policy Administration Point and the Policy Decision Point for each gateway.


Rapid Mobile App to OAuth Secured REST API Integration

Recorded Demo: August 26 2014

Wireframes for user interface design are still a good idea when communicating requirements to others; lately, however, I would rather create them as an HTML5 prototype that is usable across heterogeneous devices with various screen sizes and resolutions. One such tool that I prefer is from Appery.io, a browser based jQuery and PhoneGap powered mobile application development studio. Appery.io offers a faster path to publishing an application in an App Store because once the HTML5 prototyping, user acceptance testing and usability work is complete, it can also generate the Android apk and iOS binaries without the need to port to Objective-C manually. This feature alone is a major time saver, and so is the drag and drop designer that maps a JSON API response test message to UI components, creating a wireframe that will also generate the runtime code.

Let’s say you have your APIs ready to consume and you know what data elements need to be displayed to the user. Perhaps some of the APIs are SOAP/XML and others are REST/JSON and they are secured with different authentication protocols.

To simplify the user interface design process, let's agree to transform the SOAP services into REST APIs using an API gateway, which also transforms the XML to and from JSON. Then configure the API gateway to mediate authentication, from OpenID and OAuth on the client app side to the various security protocols required by the downstream APIs being consumed. This avoids requiring different credentials for each API in the client application code, and improves the security of the system by limiting connections to the APIs to the API gateways alone, greatly reducing the attack surface and lowering the risk of system outages and malformed requests reaching the application/data tier.

Now that security and API transformation are in place, we are ready to begin mobile application client development. First the developer requests an application ID and secret from the API developer portal, which is linked to the API gateway cluster's policy decision point. The client app uses the app ID in an Authorization header to begin the OAuth process that authenticates the user and returns a token, which avoids sending user credentials with each API call and simplifies authorization: the "scope" of the token restricts which API operations can be used. The user is prompted to authenticate only when the token has expired and there is no valid refresh token.

When creating the HTML5 client application using Appery.io the process is to first configure a GET API request for an authorization code from the OAuth server then to submit a POST request for the access and refresh tokens. These values will be parsed and stored into variables that can later be accessed using JavaScript to insert the tokens into the Authorization header for each subsequent API call that the application will make.

Next add the APIs that will be used by the application to retrieve the data requested by the user of the mobile app and save the response of each test call. After placing the fields on the canvas that will display the data returned, the data tab of the UI designer is used to visually wire (drag and link) the field in the JSON response payload to the field on the user interface that will display that string of text. Once all of the input and output fields are mapped, test the app to view the HTML5 version in your browser using the QR code that links to the app sandbox URL. In under an hour you’ve now got alpha wireframes and a secured prototype that is ready to share.
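The token lifecycle described above (app ID to start the OAuth exchange, Bearer token on every API call, a new login only when the access token has expired and no refresh token is left) as an added example. This is my illustration, not Appery.io's or SOA Software's code; the client credentials, token responses and the "store" object are constructed placeholders.

```javascript
// Added example: client-side token bookkeeping for the OAuth flow described above.
// CLIENT_ID/CLIENT_SECRET are placeholders. A secret compiled into a mobile binary
// is not really secret, so a public client should use PKCE or a gateway-issued
// per-install credential instead; the decision logic below is the same either way.
const CLIENT_ID = "app-id-placeholder";
const CLIENT_SECRET = "app-secret-placeholder";

function base64(s) {
  return typeof btoa === "function" ? btoa(s) : Buffer.from(s).toString("base64");
}

// Save a token response from the OAuth server with an absolute expiry time.
// A refresh response may omit refresh_token, in which case the old one stays valid.
function storeTokens(store, resp, nowMs) {
  store.accessToken = resp.access_token;
  store.refreshToken = resp.refresh_token || store.refreshToken;
  store.expiresAt = nowMs + resp.expires_in * 1000;
  return store;
}

// What the app must do before its next API call: reuse the access token,
// refresh it silently, or send the user back through the authorization step.
// skewMs treats a token that expires within the next 30 s as already expired.
function nextAction(store, nowMs, skewMs = 30000) {
  if (store.accessToken && nowMs + skewMs < store.expiresAt) return "use";
  if (store.refreshToken) return "refresh";
  return "login";
}

// Authorization header: Bearer for API calls, client credentials for the token endpoint.
function authHeader(store, nowMs) {
  if (nextAction(store, nowMs) === "use") {
    return { Authorization: "Bearer " + store.accessToken };
  }
  return { Authorization: "Basic " + base64(CLIENT_ID + ":" + CLIENT_SECRET) };
}

// Form body for the POST to the token endpoint, or null when no POST is needed.
function tokenRequestBody(store, nowMs, authCode, redirectUri) {
  const action = nextAction(store, nowMs);
  if (action === "refresh") {
    return new URLSearchParams({ grant_type: "refresh_token", refresh_token: store.refreshToken }).toString();
  }
  if (action === "login" && authCode) {
    return new URLSearchParams({ grant_type: "authorization_code", code: authCode, redirect_uri: redirectUri }).toString();
  }
  return null;
}
```

If the refresh POST is rejected (revoked or reused refresh token), clear both tokens from the store so that nextAction falls through to "login" rather than retrying forever.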

Experiment with portrait vs landscape given that not all users share the same perspective and adjust for inconsistencies across device type. Begin the UAT process and iterate iterate iterate.

Appery.io and SOA Software are partnering because SOA makes it easy to configure the API security properly, the SOA Policy Manager and API Gateway make it easy to debug API requests, and the Community Manager API portal is a turnkey solution that generates client application IDs linked to SLA Quality of Service policies, with reports to track how the mobile apps are consuming the various APIs.


Token Strengths & Mitigation Best Practices

An OAuth MAC token is similar to a WSSE token in that both use a nonce to mitigate replay attacks. However, using the 3-legged OAuth protocol to authenticate the user presents a smaller attack surface than a digest password carried in every WSSE token: the user's credentials are protected, and network-based operational entitlement authorization at the API gateway layer becomes easier through the use of scopes and licenses.

The scope of a token is similar in concept to SAML attributes which are commonly used for group memberships associated to the user subject.

I still talk to many enterprises using WSSE tokens with WS-Addressing, which further restricts what the receiving API target host will accept and, for asynchronous calls, specifies the reply-to address. This is similar to how hypermedia URL rewriting is used in the response body of a REST API.

Below is from the OASIS WSSE spec on how to mitigate risks between the API gateway and the physical SOAP service:

“The use of the WSSE UsernameToken introduces no new threats beyond those already identified for other types of SecurityTokens. Replay attacks can be addressed by using message timestamps, nonces, and caching, as well as other application-specific tracking mechanisms. Token ownership is verified by use of keys and man-in-the-middle attacks are generally mitigated.

Transport-level security may be used to provide confidentiality and integrity of both the Username token and the entire message body.”
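The replay mitigation the quoted text names (message timestamps, nonces and caching) as an added gateway-side check. This is my illustration, not code from the OASIS spec or from any product; the message shape (a nonce plus an ISO-8601 Created timestamp, as a UsernameToken carries) and the five-minute freshness window are assumptions.

```javascript
// Added example: reject a token whose timestamp is outside the freshness window
// or whose nonce was already seen inside it. Because stale messages are refused
// regardless of nonce, the cache only has to remember nonces for one window.
const FRESHNESS_MS = 5 * 60 * 1000;   // assumption; tune to clock skew you tolerate

function createReplayGuard(windowMs = FRESHNESS_MS) {
  const seen = new Map();             // nonce -> receive time (ms)
  return {
    // msg = { nonce, created }; returns { ok: true } or { ok: false, reason }.
    check(msg, nowMs) {
      const created = Date.parse(msg.created);
      if (Number.isNaN(created)) return { ok: false, reason: "bad-timestamp" };
      // Reject both old messages and ones claiming a time too far in the future.
      if (Math.abs(nowMs - created) > windowMs) return { ok: false, reason: "stale" };
      if (!msg.nonce || seen.has(msg.nonce)) return { ok: false, reason: "replay" };
      // Expire cache entries older than the window before recording this nonce,
      // so the cache is bounded by the message rate times the window length.
      for (const [nonce, receivedAt] of seen) {
        if (nowMs - receivedAt > windowMs) seen.delete(nonce);
      }
      seen.set(msg.nonce, nowMs);
      return { ok: true };
    },
    size() { return seen.size; },
  };
}
```

In a gateway cluster the nonce cache must be shared (or requests for one subject pinned to one node), otherwise a replay sent to a different node passes.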
