This week The New Stack saw a great deal of discussion around a concept we haven’t heard about in a while, Web Application FirewallsView in browser »
The New Stack Update

ISSUE 252: The Firewall Is Dead, Long Live the Firewall

Talk Talk Talk

“Iceberg, an open table format for huge analytic datasets [is] based on an all-or-nothing approach: An operation should complete entirely and commit at one point in time or it should fail and make no changes to the table. Anything in between leaves a lot of clean-up work.”

Add It Up
Use of Digital Signatures and Two-factor Aunthentication at FOSS Contributors' Projects

Half of all open source contributors are never encouraged to use digital signatures when making changes to the open source projects they’re involved with, according to the “2020 FOSS Contributor Survey.” In contrast, 17% are typically required to use a digital signature on all commits. Slightly more projects require cryptographic proof of somebody’s identity before the final package is released.

Especially in light of the recent SolarWinds attack, requiring digital certificates is a strong way to track open source code’s chain of custody throughout the software supply chain.

Since 2004, developer certificate of origins (DCOs) were used as a way to give a project legal permission to use a developer’s intellectual property, but their value as a way to increase trust among community participants has rarely been highlighted. In fact, when asked about the importance of DCOs, a third of contributors didn’t even know what they were, let alone if they were useful.

Requiring a digital signature can be a barrier for contributions because of the time and effort required to implement the system. If an open source project only has a few contributors, it may not seem worth the effort. Yet, 48% of projects also do not require the use of two-factor authentication (e.g., Google Authenticator or SMS messages) to accept a change request. Without this commonly used security approach, stolen or lost passwords can easily be used to hack a system.

These approaches demonstrate attempts to secure the code repository platform itself and the user actions within in, but there are countless other attack surfaces in the CI/CD pipeline. Many times the need to identify code authorship is related to debugging and not security concerns.

Choosing a license and governing model are essential elements to making a project ready for prime time. Creating a code of conduct and contributing guide are important too but so are policies that promote security. However, only 26% of the maintainers or core participants said the projects they are involved with have a security policy in place. On a slightly more positive note, 41% of the respondents said that the projects have someone with a security focus. Let’s hope that every project will have a security champion going forward.

What's Happening

Palo Alto Networks is providing a new approach to protecting APIs and web applications with the release of its Web Application Firewall, an extension of its Prisma Cloud cloud native security platform.

Hosted by Alex Williams, founder and publisher of The New Stack, this edition of The New Stack Makers podcast features Ory Segal, senior distinguished research engineer, Palo Alto Networks. They discussed how the WAF module and Prisma in general addresses security in today’s highly distributed cloud native environments.

Ory Segal - A New Approach to the Firewall for Protecting Cloud-Native Services

The Firewall Is Dead, Long Live the Firewall

This week The New Stack saw a great deal of discussion around a concept we haven’t heard about in a while, Web Application Firewalls (WAFs). A WAF provides a shield between an internet-facing application and the internet. The cloud native computing community we cover is slowly coalescing around an idea that is almost diametrically opposite of firewalls, namely that of Zero Trust Computing. Zero Trust gets rid of the firewall boundary itself, assuming the internal network is already compromised, and moves the burden of authentication and access control to end-user devices and the applications (to their sidecars if they are service mesh-enabled). Zero Trust means you just don’t trust the network, even the private one.

A popular post on The New Stack this week, contributed by Check Point’s Head of Security TJ Gonen, pointed out that the WAF is totally unsuited for today’s DevOps environments: “It’s the worst-kept industry secret that WAFs aren’t all that they’re cracked up to be in the modern world of agile development. A WAF cannot keep up with application updates, which happen regularly, and maintaining a WAF has become labor-intensive and complex.” 

Ouch! Others, however, are not so sure to body bag WAF. This week also saw the debut of Palo Alto Network (PANW)’s Web Application Firewall for its Prisma Cloud security platform. To be fair, PANW is no stranger to the fast DevOps environments that Gonen invokes: Prisma is literally made for dynamic cloud native environments. Also, Prisma’s WAF is not exactly your father’s WAF (assuming your father is a security professional). 

“In PANW’s new-look web application firewall, several different functions are combined to protect your cloud services. Its WAF combines application programming interface (API) security, runtime protection, and a bot defense platform into a strong defense for cloud native applications,” writes TNS security reporter Steven J. Vaughan-Nichols, in a sponsored report on the new technology.

“The word ‘firewall’ is a bit dated, but as you will see, the concepts that we are presenting here are completely new and are for completely new-and-modern environments,” further explained Ory Segal, PANW senior distinguished research engineer in The New Stack Makers podcast hosted by TNS founder and Publisher Alex Williams. 

The traditional firewall doesn’t work in cloud native environments, Segal agreed. But in addition to the usual firewall duties, such as API protection, access control, file upload control, detection of unprotected web applications, the Prisma WAF offers dynamic features such as a “penalty box” for attackers, one which can “ban” attackers’ access on an as-needed basis.

“Then it doesn’t matter if then they pull out the big gun or big trick or the sophisticated attack, since those will be automatically and categorically blocked, because they’re in the penalty box, which again, is a very good defense against such attacks,” Segal said.

vFunction Transforms Monolithic Java to Microservices

More than 21 billion Java virtual machines are out there today running predominantly monolithic applications. Many could take advantage of cloud native architectures, but rebuilding them for this new environment would be complex, time-consuming, and could require taking employees from other, more value-adding tasks. A new company publicly launched Tuesday, vFunction, has created a system to transform monolithic Java applications into microservices, using what it claims is a scalable, repeatable factory model.

2021 Will Be the Year of Enterprise Machine Learning

Could this be the year machine learning finally takes off in the enterprise? Diego Oppenheimer, founder and CEO of enterprise ML company Algorithmia, thinks so. He writes that “Every organization had to adapt to the realities of the pandemic. Business leaders adjusted their strategic roadmaps to refocus on their most pressing priorities and scale back or eliminate less critical plans. In the midst of considerable change, we at Algorithmia saw something fascinating unfold: Many enterprises not only moved full speed ahead with their AI/ML initiatives, but they actually doubled down on those efforts.” Read more here.

Thundra Cloud Debugging Platform Supports Java/Spring Hotfix Capabilities

Cloud monitoring provider Thundra has extended its platform by offering a plugin to debug and make fixes remotely for application code without disrupting application execution times. While Thundra previously allowed for monitoring and debugging applications and microservices, Thundra’s Sidekick plugin goes further by allowing for hotfixes to be implemented directly to live code.

Party On

TNS' Alex Williams, Ben Ball, Libby Clark and Richard MacManus on a conference call with Chip Childers (top right), Executive Director, Cloud Foundry Foundation.

Meena Arunachalam (top right), Intel ,and Paul Teich (bottom), Equinix, discuss matters with Alex Williams.

On The Road
A Day of Machine Learning: oneAPI and the Future of the Data Center //FEB. 10 // LIVE STARTING AT 9 AM PST


A Day of Machine Learning: oneAPI and the Future of the Data Center

Developing and deploying machine learning models at scale is one of the most pressing challenges data scientists and engineers face today. As machine learning becomes more complex, it’s only getting harder to scale with the hardware it demands.

This is a one-day event featuring 4 livestream discussions with Intel about oneAPI & ML and the Future of the Data Center hosted by The New Stack. Register now!

The New Stack Makers podcast is available on: — Pocket CastsStitcher — Apple PodcastsOvercastSpotifyTuneIn

Technologists building and managing new stack architectures join us for short conversations at conferences out on the tech conference circuit. These are the people defining how applications are developed and managed at scale.
Copyright © 2021 The New Stack, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list

Email Marketing Powered by Mailchimp