Enterprise mobile trends – IBM Pulse 2013

Tivoli is one of IBM's Software Group brands.  IBM's Software Group is the business which creates software products.  Tivoli has an annual conference called Pulse.  IBM's conferences are a great way to get insight into the industry and current trends.  Here is my first attempt at making sense of the conference.

This is not written to promote IBM.  I wrote this more for software testers/developers.  If you work with enterprise software this might give you some ideas for your future career.  I am writing this at a very high level.  This is not a discussion of IBM's strategy.  You can always refer to the main conference site for more information.

Pulse will be held in Las Vegas from March 3-6.  The tag line for PULSE/Tivoli is “Optimizing the world’s infrastructure”.

Tivoli‘s official tag line is: “Manage your business infrastructure in real time.”
and vision:
IBM Tivoli Software helps clients optimize the value of their business infrastructures and technology assets enabling greater visibility, control and automation across their end-to-end business operations.
A simple way to understand this is that Tivoli helps an enterprise manage and improve (optimize!) its computers, hardware and software.  That concept now extends to managing machines such as POS terminals and ATMs: in short, any computer-related infrastructure.

Pulse 2013 has 4 streams:

  1. Cloud and IT Optimization
  2. Smarter Physical Infrastructure
  3. The Mobile Enterprise
  4. Security Intelligence

In this post I will be focusing on the mobile stream.  The mobile stream has 55 sessions.  There are 3 tracks:

  • Becoming a mobile enterprise
  • Managing and Securing the mobile enterprise
  • Best practices and case studies in endpoint management

In the first track, “Becoming…mobile”, the focus is on better understanding mobile, the issues, what it takes to become mobile, tools, and information on various IBM products.  These are some of the issues:

  • Mobile Security
  • Agile and DevOps
  • Mobile and Cloud trends
  • User-Centered Design
  • Managing multi-channel web experiences
  • Mobile application testing
  • IBM’s Collaboration strategy for mobile

The managing and securing track is about managing devices in a large/diverse enterprise and ensuring security.

  • Managing BYOD
  • Network management
  • Social businesses are using mobile and cloud to enable collaboration and context.  Existing businesses can also use these strategies to make better use of their resources (see the session info for MME-2106).
  • Using IBM Security Access Manager and IBM Tivoli Federated Identity Manager to address the BYOD challenge
  • A partner product to manage and secure two OSs running side by side on one mobile device

Some of the main issues addressed in the best practices and case studies track include:

  • Large Windows 7 migrations
  • Managing acquisitions with endpoint management
  • Endpoint Manager integration with "pervasive smart home appliances", and also with "medical instruments, security devices, energy information systems, and smart equipment"
  • License optimization and compliance
  • Toshiba/IBM partnership to manage Toshiba devices

This is a good point to stop if you are overwhelmed or bored!  In the rest of this post, I list some of IBM's products and services which are mentioned in Pulse 2013's mobile stream.

The following list includes most of the IBM products/services mentioned in the mobile stream in Pulse 2013.  If you aren’t really into this market, I would recommend at least looking at IBM Endpoint Manager – just a nice product/technology and IBM Worklight which can be downloaded for free.

IBM Cast Iron
WebSphere Cast Iron Cloud Integration enables companies to rapidly connect their hybrid world of public clouds, private clouds, and on-premise applications.
Nilanjan says: Cast Iron allows you to quickly connect to various enterprise applications such as Salesforce and Microsoft Dynamics.
IBM Endpoint Manager
IBM Endpoint Manager for Mobile
IBM® Endpoint Manager can help you achieve smarter, faster endpoint management and security.
Nilanjan says: Endpoint Manager is a neat product which manages everything on endpoints (including mobile) in enterprises.
IBM Worklight
IBM Worklight Developer Edition.  IBM Worklight provides an open, comprehensive and advanced mobile application platform for smartphones and tablets, helping organizations of all sizes to efficiently develop, connect, run and manage HTML5, hybrid and native applications.  Note: IBM Worklight can be downloaded free.
IBM Mobile Foundation
– an integrated package of Worklight, Cast Iron and Endpoint Manager
IBM Interactive
IBM Interactive is a leading interactive agency with a unique ability to imagine, discover, and deliver compelling user experiences.
Redbend Software’s TRUE solution
“The answer is Red Bend’s TRUE™ Solution for BYOD – an end-to-end solution for mobile device manufacturers and service providers to create and manage virtualized mobile devices that are “TRUsted by the Enterprise” for employee use.”
IBM Web Experience
IBM web experience software provides access to critical information and applications that is personalized to users’ needs – available anytime, on any device – to deliver an exceptional experience.
Pirean
platform for versatile authentication, federated identity management and single sign-on across Cloud and Corporate resources
IBM Virtual Desktop
allows access to a personal PC desktop from anywhere, using any device, using the Virtual Enterprise Remote Desktop Environment (VERDE) from Virtual Bridges

Testing hash functions

Cryptographic hash functions are used to avoid storing and handling passwords in plain text. They are also used to verify data integrity, e.g., of downloaded files (software). In a digital signature, a hash function first generates a message digest of the data, and it is that digest, not the whole message, which is signed with the signer's private key.

A hash function converts an input of any length to a fixed-length output, called the message digest.

Requirements of a hash function:

  • input can be any length
  • output length is fixed
  • relatively easy to compute
  • one way (preimage resistance): given a digest, it is infeasible to find an input that produces it; hash functions are therefore also called one-way functions
  • collision resistant: it is infeasible to find two different inputs which produce the same digest

Although this is not a requirement, general-purpose hash functions are fast. Keep one exception in mind: when a hash is used to store passwords, speed helps the attacker, because every guess costs only one hash computation. Password storage therefore wraps the basic hash in a deliberately slow, iterated construction (PBKDF2, bcrypt or scrypt) rather than using a single fast hash.

Some of the popular hash functions are MD5, SHA-1 and the SHA-2 family (SHA-256, SHA-512).

Hands on

Use Ruby to generate a hash. In IRB:

require 'digest/sha2'
h = Digest::SHA2.new << 'string'   # Digest::SHA2.new defaults to a 256-bit digest
=> #<Digest::SHA2:256 473287f8298dba7163a897908958f7c0eae733e25d2e027992ea2edc9bed2fa8>
p h.class
=> Digest::SHA2

A common hash function, SHA-256, generates a digest which is 256 bits long. Each hex digit encodes 4 bits, so you need 64 hex characters to write out the digest.

p h.to_s.length   # hex digest: 256 bits / 4 bits per hex digit
=> 64

Cross-check with an online calculator such as http://www.hashgenerator.de/ (use test values only; never paste a real password or secret into a third-party site).

Check the hash for other values such as ‘string1’, ‘grinst’, ‘string2’

Can you modify the string to generate a given hash? Can you ‘guess’ the hash?

Can you crack a hash?

When the input space of a hash function is restricted, you can compute the hash for every possible input in advance and compare the stored hashes against that table. For example, hashing an IPv4 address with MD5 does not hide it: each octet takes only 256 values, so there are only 2^32 possible addresses, and all of them can be hashed ahead of time. (Introduction to Network Security, Neal Krawetz)

Using a ‘salt’

One way to crack hashes is to compute the hash of common words (a dictionary) and see whether any of them matches the stored hash (a dictionary attack); the same precomputed list can be reused against every hash it is tried on. To prevent that you use a 'salt': a random string, different for each stored value, which is prepended to the input before hashing and stored alongside the digest. The salt does not need to be secret. Its job is to make each stored hash unique, so a precomputed table (or rainbow table) cannot be reused and an attacker has to redo the work for every hash.
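As an added example (Ruby written for this post, not code from the original or from any product it mentions), the following puts the two sections above together: a precomputed table over a restricted input space (one octet, 0..255, standing in for the IPv4 example), a dictionary attack on an unsalted SHA-256 password hash, and the same attack against a salted hash. The wordlist and every "stored" digest are constructed here for illustration.

```ruby
require 'digest'
require 'securerandom'

# Added example, not code from the original post. Every input below is
# constructed for illustration; no real password data is involved.

# --- 1. Restricted input space: precompute every digest, then look up ---
# One octet has only 256 values (an IPv4 address only 2**32), so hashing
# every candidate once gives a table that inverts any digest in the space.
def build_lookup_table(candidates)
  candidates.each_with_object({}) do |value, table|
    table[Digest::SHA256.hexdigest(value)] = value
  end
end

OCTET_TABLE = build_lookup_table((0..255).map(&:to_s)).freeze

# Returns the original input, or nil if the digest is not in the table.
def invert_via_table(table, digest_hex)
  table[digest_hex]
end

# --- 2. Dictionary attack: hash each word (with the salt, if known) ----
WORDLIST = %w[password letmein qwerty 123456 dragon monkey].freeze # constructed

def dictionary_attack(stored_hex, wordlist, salt: "")
  wordlist.find { |word| Digest::SHA256.hexdigest(salt + word) == stored_hex }
end

# --- 3. Salted storage: keep (salt, digest). The salt is random per
# record and need not be secret; it only has to make each input unique.
def store_password(password, salt: SecureRandom.hex(16))
  { salt: salt, digest: Digest::SHA256.hexdigest(salt + password) }
end

# Recompute with the stored salt and compare every byte (no early exit),
# so the time taken does not depend on how many leading bytes matched.
def verify_password(record, candidate)
  expected = Digest::SHA256.hexdigest(record[:salt] + candidate)
  return false unless expected.bytesize == record[:digest].bytesize
  expected.bytes.zip(record[:digest].bytes)
          .reduce(0) { |acc, (a, b)| acc | (a ^ b) }
          .zero?
end

# --- Walk through the three cases on one constructed password ----------
def demo(password = "dragon")
  word_table = build_lookup_table(WORDLIST)

  unsalted = Digest::SHA256.hexdigest(password)
  hit_unsalted = invert_via_table(word_table, unsalted)            # "dragon"

  record = store_password(password)
  hit_salted_table = invert_via_table(word_table, record[:digest]) # nil

  # Knowing the salt, a per-record dictionary run still succeeds; only a
  # slow password hash raises the cost of each guess.
  hit_salted_dict = dictionary_attack(record[:digest], WORDLIST, salt: record[:salt])

  [hit_unsalted, hit_salted_table, hit_salted_dict]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running demo shows the progression: the unsalted hash falls to the precomputed table, the salted hash does not, but a fresh dictionary run that knows the salt still finds the word. The salt buys uniqueness, not slowness, which is why password storage needs a deliberately slow construction as well. verify_password compares the two digests byte by byte without stopping at the first mismatch, so the response time does not reveal how much of a guess was right.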

Which hash function should you use?

Weaknesses have been found in MD5 and SHA-1. At this point (May 2012) you should make sure you are using SHA-2.

Homework: How is encryption different from hashing? When would you use encryption instead of hashing?

Testing hash functions

If your application (web or desktop) stores passwords or other sensitive information such as credit card numbers, you should check how the data is stored. Start by tracing the flow of the relevant data through the entire application (a data tour).  If you have been doing black-box testing, you may not have access to the source and might face resistance when discussing the flow of data through the application.  To make an impact on security testing you should be able to discuss the flow of data through an application.

If you are creating a security product which exposes a hash function, e.g., one that lets administrators create message digests, you need to pay more attention to the correctness of the hash itself.

You should spend some time cross-checking values against an independent oracle, such as an online calculator (for test data only) or a second implementation.

You should trace how the original input value is stored and when the hash is computed.

When the user enters the value again, how is that compared with the stored value?

When working with security you often encounter complex algorithms.  Don't be intimidated by the complexity; as a tester you need to focus on what is important.  It is less important to validate the algorithm itself, although don't ignore this: you are responsible for validating the results.  It is more important to examine what type of data is stored in the application and how it is stored.

Note that producing hash values of the wrong length, or values that are simply incorrect, will leave you and the organization looking very foolish. (Tester beware.)

Are you using the correct standard?

When working with security algorithms, most teams use standard algorithms. However, these algorithms are under continual scrutiny and are refined or replaced over time. You should check that you are using algorithms without published flaws. Note that these algorithms are complex and you don't need to understand the actual weakness; you can search for the published analysis and the current consensus on the algorithm. Should you be using the newer algorithm which was recently published?

Are you vulnerable if you don’t use the most recent algorithm?

The published weaknesses in MD5 and SHA-1 are collision attacks: they let an attacker craft two inputs with the same digest, which breaks digital signatures and integrity checks but does not by itself recover a salted password. So a salted MD5 or SHA-1 password store is unlikely to be broken by those results; its real weakness is that these functions are fast, which makes guessing cheap. If you use SHA-2 (with a salt and, for passwords, a slow iterated construction), no one will find fault with you.

Use of third party libraries

When working with security algorithms you should check how the algorithm is implemented.  Is it part of the standard library provided with the compiler or language runtime, or are you using a third-party component?  In both cases, is the implementation validated (e.g., FIPS 140 validated) and kept up to date?

When hash functions are used to protect passwords or other user information, you should check how the data is stored in and retrieved from the database. Are there performance implications? You should be able to create a very large number of items to check performance.

In general, when working with hash functions you should plan to create a large amount of data and check the results against an oracle, such as an online calculator (test data only) or a simple function in Ruby or Python.

You should have access to password lists and incorporate them into your testing.
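The following is an added example (Ruby written for this post, not code from the original) of the small test harness the last few paragraphs describe: it checks the function under test against published known-answer vectors, checks that each digest has the expected length (the "wrong length" mistake mentioned above), cross-checks many constructed inputs, including block-boundary sizes and a small constructed password list, against an independent oracle, and shows the encoding pitfall of hashing text. Here the "implementation under test" is Ruby's Digest module and the oracle is the OpenSSL binding; in a real project substitute the function your application actually calls.

```ruby
require 'digest'
require 'digest/md5'
require 'digest/sha1'
require 'digest/sha2'
require 'openssl'

# Added example, not code from the original post. Digest (under test) is
# compared against OpenSSL (oracle) and against published test vectors.

# Expected hex-digest length is the output size in bits divided by 4.
DIGEST_HEX_LENGTH = { "MD5" => 32, "SHA1" => 40, "SHA256" => 64, "SHA512" => 128 }.freeze

# Known-answer vectors from RFC 1321 (MD5) and FIPS 180 (SHA-1, SHA-256).
KNOWN_ANSWERS = {
  "MD5"    => { "" => "d41d8cd98f00b204e9800998ecf8427e" },
  "SHA1"   => { "abc" => "a9993e364706816aba3e25717850c26c9cd0d89d" },
  "SHA256" => {
    ""    => "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "abc" => "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
  },
}.freeze

# The implementation under test.
def under_test(algo, data)
  Digest.const_get(algo).hexdigest(data)
end

# The oracle it is checked against.
def oracle(algo, data)
  OpenSSL::Digest.new(algo).hexdigest(data)
end

# 1. Known-answer tests: returns [algo, input] pairs that disagree.
def known_answer_failures
  KNOWN_ANSWERS.flat_map do |algo, vectors|
    vectors.reject { |input, hex| under_test(algo, input) == hex }
           .map { |input, _| [algo, input] }
  end
end

# 2. Length check: returns the algorithms whose hex digest has the wrong size.
def length_failures
  DIGEST_HEX_LENGTH.reject { |algo, len| under_test(algo, "x").length == len }.keys
end

# 3. Differential test against the oracle over many inputs.
def oracle_mismatches(inputs)
  DIGEST_HEX_LENGTH.keys.flat_map do |algo|
    inputs.reject { |d| under_test(algo, d) == oracle(algo, d) }.map { |d| [algo, d] }
  end
end

# Constructed inputs: empty, single byte, binary, sizes around the 64-byte
# block boundary where padding bugs live, one large input, and a small
# constructed password list of the kind the post recommends keeping.
def test_inputs
  sizes = [55, 56, 63, 64, 65, 119, 120, 1_000_000].map { |n| "a" * n }
  ["", "a", "\x00\xff\x80\x7f".b] + sizes + %w[password 123456 qwerty P@ssw0rd]
end

# 4. Encoding pitfall: the hash sees bytes, not characters, so the same
# visible text gives different digests under UTF-8 and ISO-8859-1.
def encoding_sensitive?(text)
  utf8   = text.encode("UTF-8")
  latin1 = text.encode("ISO-8859-1")
  under_test("SHA256", utf8) != under_test("SHA256", latin1)
end

if $PROGRAM_NAME == __FILE__
  puts "known-answer failures: #{known_answer_failures.inspect}"
  puts "length failures:       #{length_failures.inspect}"
  puts "oracle mismatches:     #{oracle_mismatches(test_inputs).size}"
end
```

Two caveats when you adapt this. First, on many Ruby builds the Digest extension is itself backed by OpenSSL, so the "oracle" here is not fully independent; for a real product use a second, unrelated implementation (another language's standard library, or a command-line tool such as sha256sum) as well as the published vectors. Second, the encoding check matters for any test that feeds text rather than bytes: pin the encoding of test data, or two correct implementations will appear to disagree.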

Glossary

These are some terms you should know when working with hash functions:

  • Parity check – used to detect errors in memory or communication. Count the 1 bits in a word and add a parity bit so the total is even (or odd); a single flipped bit is then detected.
  • CRC – cyclic redundancy checks detect accidental changes to data such as network frames. A CRC is sometimes loosely called a hash, but it is not cryptographic: anyone can construct data with a chosen CRC.
  • checksums – generate fixed-length data from an input. They are generally simpler than hash functions and only detect accidental errors. A hash value is sometimes also called a checksum.
  • Non-repudiation – digital signatures are created with the sender's private key and verified with the matching public key, so only the holder of the private key could have produced them. Message authentication codes use a secret key shared by both parties, so either party could have produced the MAC; they do not provide non-repudiation.
  • rainbow tables – store only the endpoints of long chains of hash-and-reduce steps, trading computation for storage compared with a full table of precomputed hashes; defeated by per-password salts.
  • dictionary attack – tries all the words in a list called a dictionary
  • brute force – tries every possible combination of characters
  • MD – Message Digest algorithm (as in MD5)
  • SHA – Secure Hash Algorithm
  • one-way encryption – a loose (and misleading) name for hashing; hashing uses no key and cannot be reversed, so it is not encryption
  • data integrity – assurance that data has not been altered, checked by recomputing the digest and comparing it with the stored one
  • message digest – the fixed-length output of a hash function

Final Thoughts

Spend time playing around with creating hashes in Ruby.  You should know the length of the digest for different hash functions (MD5: 128 bits, SHA-1: 160 bits, SHA-256: 256 bits, SHA-512: 512 bits).  The only way to build confidence is to work with these functions instead of reading about them.

Scriptless automation – Worksoft Certify

Worksoft Certify from Worksoft is an “automated functional testing platform for SAP”.  What is unique about Worksoft Certify is that users can create automation without any script or code. Worksoft Certify is very tightly integrated with SAP. The alternative to using Worksoft is using tools like HP’s QTP or IBM’s Rational Functional Tester.

The only action users take when creating automation in Worksoft Certify is to identify the fields used to enter data or the user actions, e.g., a checkbox. Note that this is not like mainstream record-and-playback technology. The result of such 'recording' is a set of steps, each with a 'narrative', for example "Input the value 'OR' into the order type CtextField". The narrative is presented in language which a non-technical business user can understand.

Worksoft also provides some related products which are interesting.

  • Worksoft Data allows users to work with data which is very close to production data. It lets you copy data from one SAP system to another. The key here is the tight integration with SAP and shielding users from technical details.
  • Worksoft Impact is another key product. One of the challenges in automation is making sure that changes in the software under test don't 'break' the scripts. Worksoft Impact addresses this by analyzing the changes in the implementation and highlighting which tests are impacted, presenting the changes in language the end user can understand.

Here is some of the motivation for Worksoft’s approach:

  • “You don’t write code to test code”
  • Allows business analysts and users to ‘test’ the software
  • Avoids the ‘tedium’ of manual testing

Worksoft claims that users can easily automate 80-85% of their manual tests. Software upgrades are completed rapidly, 1-2 days, compared to weeks.

Here are a few more features worth highlighting:

  • Worksoft works with SAP on multiple platforms.
  • Worksoft Certify can be used from SAP’s Solution manager
  • Worksoft Certify can be used along with SAP’s Business Process Change analyzer
  • Compared to BPCA, Worksoft provides guidance on changes at a higher level.

In the last few years there has been a huge focus on agile development and on automation. In software testing communities testers seem resigned to the fact that automation is an essential skill for testers. The automation I am referring to is using scripting languages like Ruby and Python and tools like Watir and Selenium. Note also that this is probably more prevalent in software product companies than in enterprise IT departments. Given this environment, Worksoft has created a unique product which is focused on solving an important business problem. I don't think this will or can change any of the development and testing practices in other industries. However, testers should be aware of this unique solution.

What is ERP

ERP systems automate most business functions in organizations. They use a common database and provide an integrated view of the data. The access to the data is in real time. The advantage of such a system is that “Decisions can be made more quickly and with fewer errors. Data becomes visible across the organization.” (from wikipedia)

These are some of the modules in SAP:

  • ERP operations – to manage manufacturing operations
  • ERP Financials
  • ERP Human Capital Management
  • Enterprise Asset Management
  • Procurement

SAP is a market leader in the ERP market. SAP is headquartered in Germany and was founded in 1972. It has more than 55,000 employees. SAP’s 2011 revenues were $13.6 billion compared to Microsoft $69 billion and Oracle $36 billion.

Information on Worksoft

Worksoft products

Worksoft has a great set of resources on their website. This includes a set of webinars. A simple registration gives you immediate access to all the resources.

In 2011 IBM entered into a re-marketing agreement with Worksoft. Worksoft Certify, Certify Impact and Certify Data are available for licensing through IBM's Passport Advantage. Worksoft Certify is integrated with IBM's Rational Quality Manager.

Note: Although I work for IBM, the intent of this post is to talk about an interesting technology and not to promote IBM’s products.

Systems and Infrastructure software taxonomy

This is a continuation of a previous post.  IDC publishes a software taxonomy every year.  In this post I’ve shown a mindmap of the systems and infrastructure software market.  Some of the terms might sound academic or confusing.  You will need to read the report or search for more information.  Please do not copy or distribute the image.  Let me know if you think any category is missing.

Systems Infrastructure software taxonomy

Application software market

This is a continuation of a previous post.  IDC publishes a software taxonomy every year.  In this post I show a mindmap of the application software market.  Some of the terms might sound academic or confusing.  You will need to read the report or search for more information.  Please do not copy or distribute the image.  Let me know if you think any category is missing.

Applications by secondary market

Application Development and Deployment taxonomy

IDC publishes a software taxonomy every year.  It gives a great overview of the various types of software, focused on the enterprise.  The link shows the table of contents.  There is a lot of information and I thought it might be easier to visualize in a mindmap.  This is the mindmap of application development and deployment software (more to follow).  Please do not copy or distribute this image.

Some of the terminology might be intimidating.  However, to be fair to IDC, you will need to purchase their report or search for more information.

Application development and deployment taxonomy