Well, as the title states we'll be addressing software development topics (mainly in English). Topics will be quick and short and most probably aligned with the training "problems", sorry, programs I am involved in. PS. Some links are "internal" (not publicly available): If you are not able to reach it, google will find you a publicly available information source for sure. Happy trails to you.
Thursday, 30 November 2017
TOOLS: Mocking Frameworks for .Net Developers (LIST)
Quoting:
"What is a Mocking Framework?
Mocking framework is used to create replacement objects like Fakes, Stubs and Mocks. It is used to isolate each dependency and help developers in performing unit testing in a concise, quick and reliable way.
Creating mock objects manually is difficult and time-consuming, so to increase your productivity you can go for automatic generation of mock objects by using a mocking framework. A developer can build his/her unit test by using any one of the NUnit, MbUnit, MSTest, xUnit etc. unit test frameworks and can further test it on a mocking framework."
The list:
Tuesday, 28 November 2017
TOOL: IBM Rational Logiscope (Static Analysis, Dynamic Testing)
IBM Rational Logiscope is (amongst other things) a static analysis tool for C, C++, Java, and Ada.
Quoting:
"IBM Rational Logiscope tackles software quality head-on, providing a comprehensive suite of highly customizable static and dynamic testing tools to ensure that:
- Latent bugs and faulty constructs are detected and eliminated
- Software complies with required coding standards, whether they are personal standards, internal standards, or industry standards such as MISRA.
- Complex and error-prone areas of code are identified at the earliest stage and corrective actions are taken.
- Code review is automated and effort is focused on problematic areas, helping you adopt verification processes that are described by international standards such as SEI/CMMi, ISO/IEC 9216 and 9001, DO-178B, IEC 61508, EN 50128.
- Unnecessary duplicated code blocks are identified and removed, therefore optimizing your testing effort and maintenance effort over time.
- Testing is both comprehensive and efficient by identifying untested pieces of code."
(...)
"The proven verification capabilities of IBM Rational Logiscope help you optimize expensive development resources to reliably deliver on-time, on-budget, and to specification.
IBM Rational Logiscope currently supports four programming languages: C, C++, Java, and Ada. It is available on Windows, UNIX, and Linux platforms and includes four different products:
- IBM Rational Logiscope RuleChecker, for code rule checking
- IBM Rational Logiscope QualityChecker, for code quality metrics
- IBM Rational Logiscope Code Reducer, for finding code similarities
- IBM Rational Logiscope TestChecker, for dynamic test coverage analysis"
Friday, 24 November 2017
BOOK: Mastering ASP.Net Core (R. Peres)
A new book on ASP.Net by the well-known R. Peres is out:
https://weblogs.asp.net/ricardoperes/mastering-asp-net-core-2-0
Quoting:
"Spanning multiple .NET Core versions – 1.1 and 2.0. The chapters are:
Getting Started with ASP.NET Core: .NET Core, ASP.NET Core, platforms, DI & IoC, MVC pattern, OWIN, hosting, environments
Configuration: providers
Routing: templates, handlers, constraints, areas, error handling
Controllers and Actions: controller lifecycle, API controllers, versioning, documentation, globalization, binding
Views: areas, layouts, Razor pages, globalization
Using Forms and Models: metadata, templates, binding, validation
Security: authentication, authorization, anti-forgery, CORS, HTTPS
Reusable Components: partial views, view components, tag helpers and tag helper components
Filters: authorization, resource, action, result, exception, Razor page
Logging, Tracing and Diagnostics: custom middleware, logging, DiagnosticSource, ELM, AppInsights, HealthCheck
Testing: xUnit, integration tests, UI tests with Selenium
Client-Side Development: Bower, Node.js/NPM, Gulp, Grunt, TypeScript, LESS
Improving the Performance and Scalability: asynchronous methods, profiling, bundling and minification, caching, response compression
Real-Time Communication: SignalR
Other Topics: areas, static files, application lifetime events, conventions, embedded resources, hosting extensions, URL rewriting
Deployment: Visual Studio, IIS, Azure, AWS, Nginx, Apache, Docker, Windows Service
Whenever there are important differences, I mention the differences between ASP.NET Core 1.x and 2.x, although I think this will be less important over time.
Overall, it was an exciting task, but not one without obstacles. I must thank the team at Packt Publishing, namely, Siddhi Chavan and Abhishek Sharma for all their patience and support. Also, Alvin Ashcraft, who was the technical reviewer.
Do have a look and share your feedback! It is available from the Packt Publishing site, Amazon and others, either in hardcopy or ebook format. The source code is available at https://github.com/PacktPublishing/Mastering-ASP.NET-Core-2.0."
Kudos to R. Peres for pointing this out.
Thursday, 23 November 2017
TOOL: Microsoft Teams Jira Connector (Atlassian Marketplace)
Microsoft Teams Jira Connector | Atlassian Marketplace
Features (quoted):
"What is supported in Microsoft Teams Jira Connector?
- Near real-time notifications about activities in Jira Server and Jira Cloud.
- Granular global and project-specific channel configuration, so different channels can receive different information.
- You can filter notifications by project, issue type, issue priority and issue workflow status.
- We support Jira Cloud (including Software and Service Desk) and Jira Server (including Data Center).
- You can read the setup documentation about Microsoft Teams Jira Server Connector
- Microsoft Teams is not open for everybody yet, so the configuration is not 1 click, but 3.
- If you have any questions or feature requests please reach out to us.
- There is also Microsoft Teams Confluence Connector available for Confluence Server"
Kudos to J. Sobral for pointing this out.
TOOL: Mapping between Enterprise Architect 12.1 menus and Enterprise Architect 13 ribbons
Mapping between Enterprise Architect 12.1 menus and Enterprise Architect 13 ribbons
TOOL: EA Image Library (Enterprise Architect, UML tool)
The Short Story
Useful at all times, this free image library will speed up the production of professional diagrams (that can be incorporated into presentations and/or technical documents), in case you are using Sparx Systems Enterprise Architect (EA) to model your information system:
Step 1: Download the free image library
Step 2: Install the image library in EA
http://www.sparxsystems.com/enterprise_architect_user_guide/12.0/modeling_basics/importimagelibary.html
Step 3: use the images
To use the images (e.g. change a UML node to a server image):
· Press Ctrl+Shift+W, or
· Right-click the selected element and select Appearance | Select Alternate Image
The Long Story
Why use this with EA? Example: A UML Deployment Diagram can be changed to use the images in the library, instead of the standard UML images (Nodes, Artifacts). This will benefit validation with the customer, hence, it will benefit you, as a business analyst (right?).
Wednesday, 22 November 2017
SW Testing | TOOLS: Continuous testing (in .Net)
"The idea of continuous testing is to make this feedback loop even more tight. The tests should be run automatically whenever the code changes and the developer should not need to run them manually.
"(...) three competing solutions available:
- NCrunch from Remco Software,
- DotCover by JetBrains, sold as a part of ReSharper Ultimate bundle, and...
- Smart Runner by Typemock, sold together with Typemock Isolator for .NET."
ASP.Net and tutorials? (Dotnetcurry.com)
http://www.dotnetcurry.com/tutorials/aspnet
What is ASP.Net (and dotnetcurry)?
Quoting:
"ASP.NET is a modern open source server-side web framework for building static, dynamic and real-time Web sites, Web applications and Mobile applications using HTML, HTML5, CSS and JavaScript.
So far, we have published 173 ASP.NET tutorials and articles, which have been read by over 22446387 (Twenty Two Million Four Hundred Forty Six Thousand Three Hundred Eighty Seven) developers and architects."
SW Construction: Generics and maintainability (C#)
http://www.dotnetcurry.com/patterns-practices/1381/using-generics-csharp-maintainability
Quoting:
"When we encapsulate data, we can change the internal representation of the data without affecting the consumers of the unit encapsulating the data.
On the other hand, when we don’t encapsulate data, the behavior units will access data (received as method parameters for example) directly and therefore they have a hard dependency on the internal representation of the data.
Therefore, when doing behavior-only encapsulation, it is harder to change the internal representation of data.
In this article, I am going to discuss how we can use generics in C# to make it easier to handle data-related change requests in software applications when doing behavior-only encapsulation."
(...)
"You aren’t gonna need it (The YAGNI principle)
Should we always separate data-independent and data-dependent logic into different classes?
Should we make our data-independent classes generic from the start?
Well, it depends.
But in most of the cases, we don’t have to.
In most of the cases, applications start small, and then they evolve with time. It is important to first concentrate efforts on meeting the requirements we have at hand. We can always refactor later to meet new requirements.
In a document processing application that processes plain text documents only, we can start normally without making the document type generic in the classes that deal with documents.
Later, when we need to introduce different documents types, we can refactor existing classes/interfaces to become generic, and we can also refactor to separate data-independent behavior and data-dependent behavior into different classes.
If we follow the SOLID principles (the Single Responsibility Principle in particular), chances are that separation of data-independent and data-dependent behavior, is already high. Also, refactoring in this case would be a lot easier compared to when our classes are very long."
Mobile Development: Cross platform languages?
https://www.infoworld.com/article/3231664/application-development/apples-swift-is-losing-developers-to-multiplatform-frameworks.html
Quoting:
"Microsoft’s Xamarin, Apache Cordova, and Ionic are replacing the use of Swift and Xcode as developers seek to maintain fewer code bases".
Naturally. The TIOBE guys say.
Tuesday, 21 November 2017
Sunday, 19 November 2017
Space: PT invests 20M€ / year in ESA
... to have a return of 40?
https://www.publico.pt/2017/11/15/ciencia/noticia/portugal-investe-20-milhoes-de-euros-por-ano-na-agencia-espacial-europeia-1792673
Quoting:
"Today space opens new opportunities, above all associated with the new space industries," Manuel Heitor told journalists on the sidelines of the celebration of the 3rd anniversary of the European Space Agency incubation centre (ESA BIC Portugal).
The minister stated that in 12 years, by 2030, the Government wants the rate of return on the investment to rise from the current 40 million euros to 400 million and, for that, it is developing a new strategy to increase the turnover of the space sector, he indicated."
Friday, 17 November 2017
Penises in the sky vs. swearing in source code?
This navy pilot drew a penis in the sky with an F18:
https://www.washingtonpost.com/news/checkpoint/wp/2017/11/17/a-navy-pilot-drew-a-penis-in-the-sky-its-not-the-first-time-something-like-this-has-been-investigated/?utm_term=.7f2f002a464c
Is this more or less severe than swearing in your code comments (like I've seen in the source code of the IS supporting all the courts of a certain European country)?
For me the severity varies (I won't tell you which one I consider more severe) but both show a despicable lack of...
Professionalism.
Hope you agree.
Tuesday, 14 November 2017
TOOL: PlanITpoker - Online Scrum planning poker for Agile project teams
Quoting:
"Pure & Simple Planning
Make Estimating Agile Projects Accurate & Fun
Estimate Like An Expert
Sprint Plan Effortlessly
Play Online Anywhere"
Requirements Analysis: Weasel words, weak expressions
The Short Story
While writing requirements texts (imperative sentences like "The SW shall etc."), as part of the analysis team, weasel words and weak expressions have to be avoided at all times. Automatic checking scripts can be devised to ensure that, prior to peer review, all these expressions are removed.
What are weasel words?
https://en.wikipedia.org/wiki/Weasel_word
Quoting:
"A 2009 study of Wikipedia found that most weasel words in it could be divided into three main categories:
- Numerically vague expressions (for example, "some people", "experts", "many")
- Use of the passive voice to avoid specifying an authority (for example, "it is said")
- Adverbs that weaken (for example, "often", "probably")
- Non sequitur statements
- Use of vague or ambiguous euphemisms
- Use of grammatical devices such as qualifiers and the subjunctive mood
- Glittering or vague generalizations"
Remember: ambiguity is one of our major enemies when doing requirements analysis. Whatever gets approved will have to be implemented by the development team and tests will have to be written against it (by the test analysts). A requirement using weak expressions is failing the S criterion of the SMART quality attributes all requirements should have.
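As an added example (not from the Wikipedia article or from this blog), a small Python linter that flags the expression categories listed above in requirement sentences and checks that each sentence is an imperative "shall" statement; the word lists and the sample requirements are constructed and are not exhaustive.

```python
import re

# Weak expressions grouped by the categories quoted above (constructed lists, not exhaustive).
WEASEL_WORDS = {
    "numerically vague": ["some", "several", "many", "few", "various", "etc", "and so on"],
    "weakening adverb": ["often", "probably", "usually", "generally", "normally", "approximately"],
    "vague passive": ["it is said", "it is believed", "it is recommended", "it is considered"],
    "unverifiable qualifier": ["fast", "quick", "quickly", "user-friendly", "easy", "adequate",
                               "sufficient", "appropriate", "as far as possible", "if possible",
                               "where applicable"],
}


def check_requirement(text):
    """Return a list of (category, expression) findings for one requirement sentence."""
    findings = []
    lowered = text.lower()
    for category, expressions in WEASEL_WORDS.items():
        for expr in expressions:
            # Word boundaries so that "some" does not match "something".
            if re.search(r"\b" + re.escape(expr) + r"\b", lowered):
                findings.append((category, expr))
    # A requirement is an imperative statement: the modal "shall" must be present.
    if not re.search(r"\bshall\b", lowered):
        findings.append(("not imperative", "missing 'shall'"))
    return findings


def lint_requirements(requirements):
    """Return {requirement id: findings} for every requirement that fails the check."""
    report = {}
    for req_id, text in requirements:
        findings = check_requirement(text)
        if findings:
            report[req_id] = findings
    return report


# Constructed sample requirements: one specific, two written with weak expressions.
SAMPLE = [
    ("REQ-001", "The SW shall log every failed login attempt with a timestamp in UTC."),
    ("REQ-002", "The SW shall respond quickly to some user requests."),
    ("REQ-003", "It is recommended that the SW probably encrypts passwords."),
]

if __name__ == "__main__":
    for req_id, findings in lint_requirements(SAMPLE).items():
        for category, expr in findings:
            print(f"{req_id}: {category}: {expr!r}")
```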
O&M: LightStep - A new APM tool (from Ex-Google employees)?
https://www.computing.co.uk/ctg/news/3021006/former-google-employee-sets-up-start-up-to-transform-application-management
Quoting:
"[The goal is to] transform the way that companies manage application performance management (APM). (...)
The product uses a decentralised architecture that constantly analyses transactions across all services, letting customers measure the performance areas impacting their businesses.
In particular, it focuses on microservices, key mobile transitions, crucial customer accounts and individual end-users. There's also a built-in statistical engine that can detect anomalies and record detailed end-to-end traces.
This trace gives organisations a cross-service contact so they can address performance problems quickly. It claims that "customers take seconds or minutes to resolve incidents that previously required days of investigations".
Transport app Lyft, a rival to Uber, has created a distributed architecture with LightStep. Pete Morelli, vice president of engineering at the firm, said: "LightStep is the future of monitoring and was instrumental in our move to microservices.
"Our systems generate more than 100 billion microservice calls per day. LightStep is one of the only systems that can make sense of that firehose: it jumps to the root cause of performance problems anywhere from mobile all the way to the bottom of our distributed stack.""
Friday, 10 November 2017
Startup: Portugal Inovação Social (PT)
A funding program (Portugal 2020) for social innovative startups (PT, FFR):
http://inovacaosocial.portugal2020.pt/
Thursday, 9 November 2017
Inception/Business Modeling/Requirements Engineering: The KAOS approach (Goal-oriented)
"KAOS is a goal-oriented software requirements capturing approach in requirements engineering.
It is a specific Goal modeling method (as the i* or I Star is).
It allows for requirements to be calculated from goal diagrams."
http://www.objectiver.com/fileadmin/download/documents/KaosTutorial.pdf
IoT: Samsung SmartThings review
https://www.theguardian.com/technology/2016/feb/08/samsung-smartthings-hub-review-internet-of-things
Quoting:
"It supports home-network based devices, plugging into your router to control them through fixed or Wi-Fi networks, as well as two of the most broadly used wireless home-automation standards, ZigBee and Z-Wave. It means that the Hub can talk to almost every product currently available on the market that doesn’t use an isolated proprietary system."
(...)
"Verdict
The Internet of Things is still a bit of a mess of standards and protocols, with loads of devices unable to talk to each other. The SmartThings Hub is the closest thing I’ve come across to unifying your existing and new kit.
Pros: simple setup, cross-platform, decent app, developer community, multiple standards in one box, unites your existing kit, adaptable
Cons: not compatible with everything, workarounds for non-natively supported devices will be difficult for some, Internet of Things still very early in its lifecycle"
2017-11: Amazon Alexa gets a new version
https://www.theguardian.com/technology/2017/nov/09/amazon-echo-review-smaller-cheaper-alexa-gadget-new-second-generation
Quoting:
"The new Amazon Echo is cheaper, smaller and has a less imposing stature, but is it still the best smart speaker going?
Amazon’s voice assistant Alexa has improved greatly since the Echo’s introduction to the UK at the end of last year, altered behind the scenes without users needing to do anything thanks to the virtue of being a cloud-powered product. It has gained new skills, routines and other smart home control abilities. Its voice recognition and understanding has improved, and it is now a little more conversational, remembering certain topics that you’re talking about the way a human would.
But the outside of the speaker has not changed, until now. The new Amazon Echo for 2017 (find here) is just under 9cm shorter, standing 14.8cm tall and is covered in your choice of fabric, wood or metallic finish, standing in stark contrast to the monolithic black or white towering cylinder of the previous generation."
Details in the link. Do read.
"Verdict
The new 2017 Amazon Echo is an absolute bargain at £80. Alexa is still the best voice assistant for smart home control, still hears you better than any other over noise and music, and is still getting better with feature updates and improvements behind the scene.
There are now better-sounding, more expensive smart speakers available such as the £199 Sonos One, and Google Assistant still beats Alexa on general knowledge, but at £80 the Echo undercuts the competition by some margin and sounds pretty good for the money."
2017-11: Autonomous vehicle in crash after 2h in LA
.... But it was the other party's fault:
https://news.sky.com/story/driverless-bus-in-crash-after-two-hours-on-road-in-las-vegas-11119198
I wonder what would happen if it was the other way around.
Quoting:
"The bus, which can hold up to 12 passengers, has an attendant and computer monitor but no steering wheel or brake pedals.
It uses GPS and electronic kerb sensors to navigate the roads."
Wednesday, 8 November 2017
Inception/Business Modeling/Requirements Engineering: i star framework?
https://en.m.wikipedia.org/wiki/I*
"i* (pronounced "i star") or i* framework is a modeling language suitable for an early phase of system modeling in order to understand the problem domain."
Virtualization: Docker as a helper for dev envs (as well as production scenarios)
Allows independent "containers" to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines (VMs). [Source: Wikipedia]
INTERNAL: Useful for creating and maintaining dev, test and pre-prod environments made available to IS project teams as well as Maintenance and Support (M&S) teams and DevOps (other terms used for these include development environments, testing environment, qualification environment, maintenance environment).
But also used in production: e.g. used at the OVERSEE S&R IS for the production environment (for fault tolerance, several app servers or web servers on the same production VM for instance, several RDBMS instances, etc.).
Additional information:
https://en.wikipedia.org/wiki/Docker_(software)
AI: OpenAI (open source systems)
"Old" news about OpenAI firm by Elon Musk (2015) and MS Azure:
http://www.ibtimes.co.uk/microsoft-elon-musks-openai-join-hands-democratize-artificial-intelligence-1591770
Quoting:
"Elon Musk's $1bn non-profit artificial intelligence (AI) research firm OpenAI has signed an agreement with Microsoft to run most of its large-scale experiments on the tech giant's flagship cloud platform, Azure. Announcing the partnership on Tuesday (15 November), the companies said they are focused on the importance of "democratizing access to AI" and "making significant contributions to advance the field of AI" to tackle some of the world's most challenging issues. OpenAI said it will use Microsoft's Azure platform for its experiments and research in AI and deep learning."
The (open source) systems are listed here:
https://openai.com/systems
AI: Stephen Hawking's Concerns
Stephen Hawking was at the Web Summit opening conference in a surprise appearance, to talk about AI:
http://www.ibtimes.co.uk/stephen-hawking-ai-could-develop-will-its-own-conflict-ours-that-could-destroy-us-1646352
Quoting:
"Renowned physicist Stephen Hawking has warned that the rise of artificial intelligence could become "the worst event in the history of our civilization" unless humanity is prepared for the potential risks that come with it.
During a speech at the opening night of the Web Summit conference in Lisbon, Portugal on Monday (6 November), Hawking said effective AI could bring a host of societal benefits and transformation for mankind, noting that "computers can, in theory, emulate human intelligence and exceed it.""
Monday, 6 November 2017
Open Source: What kind of license to choose?
Interesting article on what kind of open source license to choose if you are to be the project maintainer:
https://01.org/blogs/jc415/2017/open-source-hacks-one-question-interviews-open-source-experts-licenses?sf148133548=1
Quoting:
“Which open source software license should I use for my project?”
I get asked that a lot. Or this variation, “What are your preferred open source licenses?” My answer: It depends.
I’m not trying to be flip; really, IT DEPENDS! No single open source license is appropriate for every use case or objective. And I have no “preferred” open source licenses—sure, there are some I find myself using or recommending more frequently, but as long as it has been approved as an open source license by the Open Source Initiative (OSI) or a free license by the Free Software Foundation (FSF), there is no license that I *wouldn’t* use, given the right scenario.
The choice comes down to what is most appropriate for a particular situation. How do you determine which license(s) might be appropriate for a given project? There are multiple factors to weigh.
If you are contributing to an existing project, the community expects you will make contributions under the existing project license, or a compatible license—the important thing is to understand and follow that community’s norms.
A project maintainer might reject contributions made under any license other than the one they’ve specified, even if from a legal and practical perspective the licenses have no incompatibilities. “Know your audience” and “go with the flow” are two maxims to keep in mind when you’re making upstream contributions.
What license to choose becomes more interesting when the project is your own. Assuming you have a choice (you haven’t used or incorporated any code licensed under terms that require the same license for derivative work), think about what you want recipients to be able to do (or not do) with your code.
(...)
The “right” open source license for your project will be the one that has terms that support your objectives, is compatible with other licenses in the relevant ecosystem, and is acceptable to your users.
Getting that equation right doesn’t guarantee your project success, of course, but getting it wrong is almost certain to ensure failure.
One of the best ways to learn about open source licensing is to keep up to date with discussions in the open source legal and licensing community, either by joining a mailing list or browsing a mailing list’s archives (...)"
Examples of those discussion lists are in the article.
Crow's foot notation (as in Entity–relationship model)?
https://en.wikipedia.org/wiki/Entity%E2%80%93relationship_model#Crow.27s_foot_notation
Entity–relationship model - Wikipedia
PS. UML now has equivalent diagrams, used for conceptual modelling (look for UML Domain Models, that show [domain] entities as classes with just a name).
Friday, 3 November 2017
Git Pull Requests vs. Formal Code Reviews?
The Short Story
https://help.github.com/articles/about-pull-requests/
https://help.github.com/articles/creating-a-pull-request/
https://help.github.com/articles/requesting-a-pull-request-review/
Pull requests do not replace formal code reviews, because formal review procedures typically require the creation of review records (CRRs are separate, potentially deliverable, documents that identify the scope of the review, the reviewers, the subject under review and all the issues identified) and the collection of metrics that might be checked against (code review) performance baselines in order to evaluate the quality of the review being performed and feed the continuous improvement process.
The Long Story
If you do not generate CRRs you might get into re-certification issues (difficulties showing compliance, verifiability and making the records auditable) or contractual issues (if the customer needs and/or demands evidence of code reviews being performed).
So pull requests are a good mechanism to improve code quality, but they cannot totally replace a formal [Fagan] code review unless you generate (manually or automatically with some bespoke scripting) CRRs.
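As an added example of the "bespoke scripting" mentioned above (not code from this blog or from GitHub), a Python sketch that turns a pull-request review export into a code review record with the fields a CRR needs (scope, reviewers, subject, issues) plus a few metrics checked against a performance baseline; the review payload is a constructed, simplified shape and not the GitHub API schema.

```python
from collections import Counter

# Constructed, simplified pull-request review export (not the GitHub API schema).
PR_REVIEW = {
    "repository": "example/billing-service",
    "pull_request": 42,
    "title": "Harden password reset flow",
    "files": ["src/auth/reset.py", "tests/test_reset.py"],
    "reviewers": ["alice", "bob"],
    "approved_by": ["alice", "bob"],
    "lines_changed": 180,
    "comments": [
        {"author": "alice", "path": "src/auth/reset.py", "line": 57, "severity": "major",
         "body": "Reset token is compared with ==; use a constant-time comparison."},
        {"author": "bob", "path": "src/auth/reset.py", "line": 12, "severity": "minor",
         "body": "Docstring describes the old parameter list."},
        {"author": "alice", "path": "tests/test_reset.py", "line": 3, "severity": "note",
         "body": "Good coverage of the expiry path."},
    ],
}

DEFECT_SEVERITIES = ("major", "minor")  # "note" comments are not review findings


def build_crr(review):
    """Turn a PR review export into a code review record (CRR) with basic metrics."""
    issues = [c for c in review["comments"] if c["severity"] in DEFECT_SEVERITIES]
    kloc = review["lines_changed"] / 1000
    return {
        "review_id": f'CRR-{review["repository"]}-PR{review["pull_request"]}',
        "subject": review["title"],
        "scope": list(review["files"]),
        "reviewers": list(review["reviewers"]),
        "issues": [
            {"id": f"ISS-{n}", "severity": c["severity"], "raised_by": c["author"],
             "location": f'{c["path"]}:{c["line"]}', "description": c["body"]}
            for n, c in enumerate(issues, start=1)
        ],
        "metrics": {
            "defects_found": len(issues),
            "major_defects": sum(1 for c in issues if c["severity"] == "major"),
            "defect_density_per_kloc": round(len(issues) / kloc, 1),
            "issues_per_reviewer": dict(Counter(c["author"] for c in issues)),
        },
        # Every named reviewer must have approved for the record to count as closed.
        "approved": set(review["reviewers"]) <= set(review["approved_by"]),
    }


def check_against_baseline(crr, limits):
    """Return the metric names whose value exceeds the given performance baseline."""
    return [name for name, limit in limits.items() if crr["metrics"][name] > limit]


if __name__ == "__main__":
    record = build_crr(PR_REVIEW)
    print(record["review_id"], record["metrics"])
    # Constructed baseline: no open major defects, at most 20 defects per KLOC.
    print("breached:", check_against_baseline(record, {"major_defects": 0,
                                                        "defect_density_per_kloc": 20.0}))
```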
Thursday, 2 November 2017
CT: Continuous Testing for the testing bottleneck?
Quoting:
"A quick history lesson on why testing has become a bottleneck. Agile methodologies, DevOps and continuous delivery tool chains are modern practices that have been adopted and implemented to drive the speed of applications released into production. But modernizing the testing practices within the software development lifecycle hasn’t occurred at the same pace.
Why is that? Too many testing processes have been manual, slowing down the process and introducing the opportunity for human error. Additionally, a lack of visibility into the progression, status and results of QA testing has made it difficult for DevOps teams to determine if the code they built is truly aligned with the business and customer requirements. A telling stat is that 63% of organizations that implemented DevOps practices report that Testing/QA practices are a bottleneck."
Collaboration: Promoting online peer reviews
Peer review is essential to improve the quality of your outputs. What about doing it with the community support (not only your team members)? Using Google docs it is possible (out of the box).
Example on how to set it up:
https://cloudsecurityalliance.org/document/ccm-mapping-methodology/
Quoting:
"Participate in the CSA Peer Review
Please fill out the form below to gain access to CCM Mapping Methodology. Use the Comments or Suggesting features on the document to leave your feedback.
To use the Suggestion feature:
Write your comments in-line with the body of the content. Suggestions are associated to your Google Account.
To use the Comment feature:
Highlight the phrase you would like to comment on. Right click and select “Comment“ (or Ctrl+Alt+M).
All suggestions and comments will be reviewed by the editing committee.
For more information about the collaboration features, please refer to Google’s Support Document.
Fill out the form below to participate."
Security: CSA guidance V4 (Report)
A collaborative effort on mitigating (security) risks brought together by the Cloud Security Alliance (CSA):
https://cloudsecurityalliance.org/guidance/#_overview
Quoting:
"This version [V4] incorporates advances in cloud, security, and supporting technologies, reflects on real-world cloud security practices, integrates the latest Cloud Security Alliance research projects, and offers guidance for related technologies.
The goal of the fourth version of Security Guidance for Critical Areas of Focus in Cloud Computing is to provide both guidance and inspiration to support business goals while managing and mitigating the risks associated with the adoption of cloud computing technology."
And the V3 PDF can be found here:
https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf
Wednesday, 1 November 2017
Security: Cloud security?
Sure! How? Some considerations:
https://www.theregister.co.uk/2017/11/01/how_to_secure_a_softwaredriven_technology_stack_in_a_cloud_of_moving_parts/
Quoting:
"That makes securing the APIs important. Start by authenticating the client, and then enforce SSL encryption to ensure that the client is talking to an authenticated server.
Commercial identity and access management (IAM) tools can handle authentication, meaning that you don’t have to code it directly into the API. This has two advantages. The first is that you don’t have to maintain authentication code that has been implemented in duplicate across a range of applications and interfaces. The second is that you can fold the client/server authentication process into a broader user identification system.
Finally, on the API security side proper vulnerability management and patching of the infrastructure hosting the API is a crucial part of the security process. While APIs may be the major touchpoints for developers and operations staff in a cloud environment, it’s still important to understand and secure each of the layers on which they rely."
(...)
Hardening components at each layer of the technology stack is important. Virtual machines should be security hardened, as should containers.
Other aspects of the cloud stack that should be hardened include your servers, applications and underlying databases. Automate compliance by codifying the rules for hardening your system as configuration parameters into your software. This will be more efficient than imposing security rules as written policies that business departments can ignore.
The hardened configuration can be audited at set intervals to ensure that the system is taking the security measures it is supposed to. If there are any problems, you can use configuration management tools to correct things and ensure that your cloud-based infrastructure is compliant with the necessary rules. This automation concept underpins the DevOps discipline, and it is a crucial part of a cloud deployment.
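As an added example of what "codifying the hardening rules as configuration parameters" and "auditing at set intervals" can look like (not code from the article), a Python script that keeps a hardening baseline as data, parses observed key/value configuration, reports every drifted or missing setting, and produces the corrected configuration; the baseline, the two configuration samples and the setting names are constructed for the example.

```python
# Constructed baseline: the settings a hardened host is expected to have.
BASELINE = {
    "sshd": {"Protocol": "2", "PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "tls": {"MinVersion": "TLSv1.2", "VerifyClientCert": "yes"},
}

# Constructed samples of what was actually found on a host (weak settings on purpose).
SSHD_CONF = """# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
# PasswordAuthentication is not set at all, so the daemon default applies
"""
TLS_CONF = """MinVersion=TLSv1.0
VerifyClientCert=yes
"""


def parse_kv_config(text):
    """Parse 'Key value' or 'Key=value' lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_drift(baseline, observed):
    """Return (component, key, expected, actual) for every setting that deviates.

    A key missing from the observed configuration is reported with actual=None:
    a silent default is as much a deviation from the baseline as a wrong value.
    """
    drifts = []
    for component, rules in baseline.items():
        found = observed.get(component, {})
        for key, expected in rules.items():
            actual = found.get(key)
            if actual != expected:
                drifts.append((component, key, expected, actual))
    return drifts


def apply_baseline(baseline, observed):
    """Return a corrected copy of the observed configuration (the remediation step)."""
    corrected = {component: dict(settings) for component, settings in observed.items()}
    for component, key, expected, _actual in audit_drift(baseline, observed):
        corrected.setdefault(component, {})[key] = expected
    return corrected


OBSERVED = {"sshd": parse_kv_config(SSHD_CONF), "tls": parse_kv_config(TLS_CONF)}

if __name__ == "__main__":
    for component, key, expected, actual in audit_drift(BASELINE, OBSERVED):
        print(f"{component}.{key}: expected {expected!r}, found {actual!r}")
    print("after remediation:", audit_drift(BASELINE, apply_baseline(BASELINE, OBSERVED)))
```

Run at a set interval (cron, a CI job, or the configuration management tool of your choice), the drift list is the audit evidence and the corrected dictionary is what gets pushed back to the host.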
(...)
"There are broad guidelines you can subscribe to and follow to help secure a cloud-based stack of moving parts. These include the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 that was released in July (...) for OpenStack, Microsoft’s Azure, and Amazon’s AWS.
A mixture of general best practice and platform-specific implementation will help you avoid becoming the next headline."