Why Security is Important for Developer Operations

After working at my current gig for about a year now (internship plus full-time), I wanted to take some time to outline my experiences transitioning to more of a developer operations role from my existing security background. The transition has been fairly straight-forward, as much of the work I do currently touches security in some aspect. However, the biggest point I've noticed is how much security considerations are involved when developing tools for a traditional developer operations requirement.

While I am a big proponent of at least some security training for everyone in a technical role, it remains to be seen just how much is "enough." Obviously, as the realm of technical fields continues to expand at its current pace, having every member of a technical team fully trained in the security of the applications they are developing is impossible. Yet it is also imperative that they at least understand the risks associated with these applications; doing so should be a requirement of a good developer.

As a "Developer Operations Engineer" (a role whose title is still rather undefined and unstandardized), I generally focus on several categories of projects: infrastructure development, monitoring and incident response, and deployments and the application lifecycle. While this is a highly compressed view of my role, each of these has a dizzying array of security concerns. While some companies offload much of these concerns to a security team, smaller companies need to remain vigilant of their impact.

In most modern startup environments, infrastructure development typically refers to everyone's favorite buzzword: the cloud. Amazon Web Services, Microsoft Azure, Google's App Engine, the list goes on. The security concerns associated with the cloud are not the focus of this post, but I do want to highlight places where security is especially important. Almost every one of these services has security enhancements that are not used as often as they should be. For example, AWS's Virtual Private Cloud is not only free, but can also greatly improve security when used properly. Yet quickly starting instances from EC2 still requires less hassle and so remains the more common choice. Another example is the use of security groups. AWS's security groups are infinitely customizable, yet simply opening a port to the world (0.0.0.0) is a tempting simpler option. While hosted infrastructure providers like Amazon and Google abstract a lot of security work away from the customer, good security practices still require active participation.

Monitoring and incident response is perhaps the area in which a lack of security can have the biggest impact. While many "DevOps" engineers view monitoring in terms of system performance, monitoring must also cover system security. Disk space, CPU utilization, and memory usage are all important indicators of a healthy system, but so too are login attempts, changes to file permissions, and unauthorized outgoing network connections. A good monitoring platform must also monitor for security events that could signal an intrusion or potential breach of security. In the same light, the response to a security event should also contain a viable plan for mitigating the same risk in the future.

Finally, the deployment of applications is a critical component of the security of an infrastructure. Because the main goal of deployments from a developer operation's standpoint is automation, any security bugs introduced once tend to be replicated. For this reason, it is imperative that the deployment process and any actors in it (Jenkins, AWS S3, etc.) are fully secured and audited often. Vulnerabilities that are present here can expand exponentially when deployments are pushed.

The role of developer operations or server engineering is rapidly changing and expanding. While it does, it is important, if not necessary, to include security in the expansion and ensure that those building a company's most critical technological parts are also trained in protecting them.

Use google-passport Authentication in Node.js Projects without Google+

NPM passport-google and 400 Error "OpenID auth request contains an unregistered domain"

If you've been using the Node.js module "passport-google" for authentication in your projects you will now notice that new projects are receiving an error stating:

"400 That's an error. OpenID auth request contains an unregistered domain."

This issue is due to the fact that Google has deprecated their OpenID API for new domains beginning in May 2014. Old projects which had previously been used should not have an issue (although you should upgrade at some point), but new projects will not be allowed to authenticate.

There are two fixes for this:

1) Convert your application to using the new, Google+ sign-in. This will require users to have a Google+ profile and approve your application to access it. The passport-google-plus module located on GitHub can do just that: https://github.com/sqrrrl/passport-google-plus

2) Convert your application to use OAuth2.0 signin. Your users will not need to have a Google+ profile and this new method is the closest match to the old. The passport-google-oauth module can help with this: https://github.com/jaredhanson/passport-google-oauth

If you choose the second option, be sure to only provide the userinfo scope (and not the google.plus scope):

passport.authenticate('google', { scope: ['https://www.googleapis.com/auth/userinfo.email'] })

One additional note is that you will now be required to register your application at https://console.developers.google.com and create a client ID and secret (which are used in the passport module).

Chromecast Development Tutorial - Getting Started

This guide is being moved to: http://chromecasthub.com/developers/
Please visit the site for complete tutorials and more resources for Chromecast programming!

Note: This is part of a multi-part series on developing web applications that integrate Google's Chromecast SDK. I am working on making a complete resource for web development with the Chromecast, so consider this a pre-release version and please comment if you see any issues or have recommendations on how to improve the tutorial.
Part 1 - Introduction
Part 2 - Getting Started
Part 3 - Hello World
Part 4 - Your Own First App

2 Getting Started

The first and foremost place to begin is the official Google Chromecast Developer’s site (https://developers.google.com/cast/).

Figure 2-1 - The Chromecast Developer’s Homepage

If you’re reading this guide, it’s very likely that you have been to this site and left frustrated, exactly as I did. While the Chromecast is an excellent device, its documentation is unfortunately lacking. In the next few pages, I will be walking through the various steps required to begin working on developing a web application integrated with Chromecast.

Development Environment

I’m sure you already have a favorite text editor or programming environment setup. But if not, this is the part where you will want to download something more than just Notepad. Here are a few recommendations:

• Sublime Text: Free “Development Edition”, Mac, Windows, Linux  http://www.sublimetext.com/
• Komodo Edit: Free, Mac, Windows, Linux http://www.activestate.com/komodo-edit/downloads

There are thousands of editors, but you’ll only need one with HTML and JavaScript support (unless you plan to make a more functional website with Python, PHP, Ruby, etc.). Once you have installed your editor, you can begin writing code.

Server Environment

Personally, I develop locally on my machine before deploying to a virtual server hosted through a provider such as Amazon, DigitalOcean, Linode, or one of many others. When developing for the Chromecast, you will need to have a web server reachable via the Internet. This is because the Chromecast communicates with server directly rather than over the local WiFi connection. For example, when you cast a YouTube video, Google is receiving the instructions for casting, pausing, playing, etc. via YouTube.com

If you want your own dedicated IP address and server, the quickest and simplest method of getting a server online is through DigitalOcean (http://digitalocean.com). Their simplest plans cost only $5 at the time of publishing and have enough resources to host basic websites. Alternatively, you can use GitHub Pages (https://pages.github.com) for hosting of HTML, CSS, JavaScript, and media files. The prior link explains how to setup GitHub pages, so I will not walk through every step of that process. In this book, I will be using a standard Ubuntu Server with a dedicated public IP address.

If you choose to use a standalone server, ensure that Apache or some other web server alternative is setup (such as nginx). I will not be walking through this process, as setting up Apache is one of the most popular how-to guides on the Internet.

Additionally, you can host everything needed for your website on Google Drive (as long as it is a simple HTML application and doesn't use PHP, Node.JS, or another sever-side code base). Here is a video explaining how to host website on Google Drive (the easiest method):

Configuring the Chromecast

By default, the Chromecast is not setup for development. To enable development, you have to change a setting within the Chromecast Desktop App. You used this app when you first setup the Chromecast, but if you’ve deleted it since, you can redownload it at: https://cast.google.com/chromecast/setup/

Once you’ve installed the Chromecast application and ensured your device is online, click on the “Settings” button within the app.

Figure 2-2 - Desktop Chromecast App

At the bottom of the settings page, check the box labeled “Send this Chromecast’s serial number to Google when checking for updates” and then reboot the Chromecast.

Figure 2-3 - Chromecast Development Settings

Once the Chromecast is configured, ensure that you have the Chrome Chromecast Extension installed. It should appear at the top right of your browser, and clicking it should enable casting of the current tab or media if it is a supported page such as YouTube.

Developer Tools

Once you have enabled the checkboxes above and rebooted, you will have access to the developer tools of the Chromecast device. These tools look very similar to the standard Chrome developer tools and will become helpful later when developing receiver applications, so you may wish to check that you can access them now and familiarize yourself with them. They are located on port 9222 of the Chromecast. Find the Chromecast’s IP address via the application used previously (under “Settings”) and then access the tools via the browser at http://<ip-address>:9222.

You are now ready to begin Chromecast development! There are a few more “Setup” steps that I will discuss later, but they are not required to begin. In the next section, we will walk through downloading and running a demo app provided by Google so that you can understand how the Chromecast SDK is integrated into a website.

Continue on to Part 3 Here

Google+ Vs Facebook: Separate But Integrated Services

Since Google+ launched several weeks ago, it has been fairly universally praised, yet it has also been doubted and questioned extensively. Can Google+ compete with Facebook and its myriad of over 700 million users (and growing)? Many have wondered if Google, an algorithmic company at its core, has the talent and engineering skills to produce a product that is used in a very different way than traditional search. Although I believe that Google+ will have a slow start, I also feel that the product will ultimately become not only a viable alternative to Facebook, but a better one. There is one major advantage that Google has over Facebook: separate, yet tightly integrated services.

For years, Google has been slowly moving our lives to the cloud. Gmail, although not the top email service, is used and loved by millions of people around the globe. Next, our calendars became available online, easily synced to any computer or device. Google Docs now stores and provides access to almost any file type imaginable without ever leaving the browser. Google Pictures (Picasa), YouTube, Reader, Tasks, Maps, the list goes on. Ultimately, these are separate, yet tightly integrated services. If you need directions, you access Google Maps; events take us to Google Calendar; email to Gmail. Yet within all of these services, although they appear to be distinct and separate, there is an element of connectivity. For example, Google Calendar integrates well with Gmail: we can send and receive invites seamlessley and access our contacts. The same goes for Google Docs.

You may be wondering what this has to do with Google+ or Facebook. My point is that the average user wants separate but integrated services. They want to be able to access their email without seeing their documents; they want to plan a trip without seeing YouTube videos. This is where Facebook falls short. Even with only a few "clones" of Google products, Facebook is starting to become crowded - a fact that many users are now complaining about. Facebook Messages, Events, Groups, Video Chat, regular chat, group chat, fan pages, and many other apps and services are slowly crowding a News Feed that was once a stream of updates from friends. There's only so many features that can fit on a single page and Facebook seems to be running out of white space. Google, although it has probably ten times more services than Facebook, does not feel crowded at all. All of Google's products are separated out into distinct web applications rather than crammed onto the same page. As I mentioned: separate but integrated services.

Now let's take into account social. For Facebook, social means having a base social platform and adding services to it. For Google, social means taking a base set of services and adding social to them. This is a key difference that I believe will ultimately benefit Google. If users can access their notification bar on every Google product (something Google is beginning to do already), social is not only more easily accessible, it is practically jumping out at users. Facebook has limited reach in these terms. Yes, they can have their own notifications as text messages or emails, but you will never see Facebook notifications as you surf the web, plan events on your calendar, or type documents in the cloud. Google already has these products, now it just needs to tightly integrate social into them just like they've integrated their existing products already.

So why do I think Google+ will have a slow start? For many users, moving to a new platform is a big change. The current dilemma facing Google+ seems to be the lack of users (although they are purposefully limiting it). It's a catch-22 of "I won't join until my friends join" and vice versa. However, Google, with its multitude of products can really begin to make not joining Google+ feel like missing out. When the notification bar is always a click away, I think it will become more and more tempting for non-users to give in and sign up. Google can have retention through integration. For Facebook, retention means keeping users on Facebook.com and no where else; for Google retention is becoming synonymous with opening a web browser.

What an iPhone on Verizon Means

As most of you have probably heard by now, rumors are flying about the iPhone coming to Verizon this Tuesday (January 11th). Although I feel that Verizon could use this moment to pull one of the largest pranks the entire mobile industry has ever seen and introduce another Android device, I think that most experts agree this is the day the iPhone will finally be announced. To be honest, I am not as excited about this as most. Allow me to explain.

Since the beginning, I have supported Android. I have owned iOS devices, but have felt that, as someone who loves to modify and customize my device, Android is the better platform. I do admire Apple for their products that "just work" and feel that they have become the leaders in the mobile industry because of this. They are catering to a market of people who don't care about the technology behind their devices, they just want to turn it on and use it (Obviously technology enthusiasts use iOS devices as well, they're just not the bulk of users). But in the end, Android has become a place where I can install whatever application I like, change my home screen, and make changes to how the entire operating system functions; it's just how open source works.

This is why I don't look forward to the 12 Million expected iPhone users, each consuming on average 200 MB of data per month, consuming valuable Verizon resources. Android users have enjoyed Verizon's fast, always-present network for about two years. Unless Verizon has invested millions of dollars in infrastructure to support the impending onslaught of iPhone users, you can bet that the network will stagger under the load. While I doubt that it will suffer as much as AT&T's has, I am certain that the slow-down and congestion will be noticeable.

In addition to speed issues, I fear for the future of Android. Android is an amazing product and has made huge leaps in terms of development and market share. A huge portion of Android's success (sadly) has been because it is typically referred to as the "Verizon iPhone." I have no doubt that Android's market share will take a huge dip when the iPhone is introduced. It will need to fight to stay alive, and without Verizon's ridiculous marketing, I honestly don't know about Android's future.

The iPhone coming to Verizon is something millions of customers have wanted for years. Now that it is finally here, I fear it will bring congestion to Verizon's networks and a decline in Android's market share and development. Google will need to invest millions in marketing, which I hope they do. Competition is good for the consumer and I hope that both products will benefit from this. I just hope that Google can do enough to convince new users that Android is just as good (and better, in some cases) than the iPhone.

Google Hacking

I recently completed a presentation for a security group at RIT called "Google Hacking." Essentially, Google hacking involves using certain logical search operators to find critical files that Google has indexed that shouldn't technically be indexed. This is usually the fault of the designers of the website because they did not specifically prevent Google from reading the content on their servers.

So what is the risk of having Google index your files? Well, let's think about the following search:
   - intitle:“Index of..etc" passwd


Now, here lies the problem. Imagine if someone were to get a hold of the passwords stored in "passwd." These passwords, which are typically hashed, can actually be broken using simple tools such as John the Ripper. After completing many of these searches, I determined that a surprising number of results were returned when searching for these types of files.

The web designers (or hosts) who are creating these websites need to secure these files, either by hiding them from search engines or preferably encrypting the actual files. Here is my presentation: