Quote for the day:
"Great leaders do not desire to lead but to serve." -- Myles Munroe
RIP (finally) to the blockchain hype
Fowler is not alone in his skepticism about blockchain. It hasn’t yet
delivered practical benefits at scale, says Salome Mikadze, co-founder at
software development firm Movadex. Still, the technology is showing promise in
some niche areas, such as secure data sharing or certain supply chain
scenarios, she says. “Most of us agree that while it’s an exciting idea, its
real-world applications are still limited,” Mikadze adds. “In short,
blockchain is on the shelf for now — something we check in on periodically,
but not a priority until it proves its worth in the real world.” The crazy
hype around digital art NFTs turned blockchain into a bit of a joke, adds
Trevor Fry, an IT consultant and fractional CTO. Many organizations haven’t
found other uses for blockchain, he says. “Blockchain was marketed as this
must-have innovation, but in practice, it doesn’t solve a problem that many
companies or people have,” he says. “Unlike AI and LLMs, which have real-world
applications across industries and have such a low barrier to entry that
everyone can easily try it, blockchain’s use cases are very niche, though not
useless.” Fry sees eventual benefits in supply chain tracking and data
integrity, situations where a secure and decentralized record can matter. “But
right now, it’s not solving a big enough pain point for most organizations to
justify the complexity and cost and hiring people who know how to develop and
work with it,” he adds.
The 5 stages of incident response grief
Starting with denial and moving through anger, bargaining, depression, and
acceptance, security experts can take a few lessons from the grieving
process ... when you first see the evidence of an incident in progress, you
might first consider alternate explanations. Is it a false alarm? Did an
employee open the wrong application by mistake? Maybe an automated process
is misfiring, or a misconfiguration is causing an alert to trigger. You want
to consider your options before assuming the worst. ... Once you confirm
that it isn’t a false alarm and there is, in fact, an attacker present in
the system, your first thought is probably, “this is going to consume the
next few days, weeks, or months of my life.” You may become angry at a
specific team for not following security guidelines or shortcutting a
process. ... Sadly, getting an intruder out of your system is rarely a quick
and easy process. But understanding the layout of your digital landscape and
working with stakeholders throughout the organization can help ensure you’re
making the right decisions at the right time. ... With the recovery process
well underway, it’s time to take what you’ve learned and apply it. Now is
the time to start bringing in all those suppressed thoughts from the former
stages. That begins with understanding what went wrong. What was the cyber
kill chain? What vulnerabilities did they exploit to gain access to certain
systems? How did they evade detection solutions? Are certain solutions not
working as well as they should?
How to Manage Software Supply Chain Risks
Developers can’t manage risks on their own, nor can CISOs. “Effectively
protecting, defending and responding to supply chain events should be a
combination among many departments [including] security, IT, legal,
development, product, etc.,” says Ventura. “Not one department should fully
own the entire supply chain program as it touches many business units within
an organization. Spearheading the program typically falls under the CISO or
the security team as cybersecurity risks should be considered business
risks.” One of the most common mistakes is having a false sense of security.
“Thinking with the mindset of, ‘If I haven't had a supply chain issue
before, why fix it now?’ leads to complacency and a lack of taking
cybersecurity serious throughout the business,” says Ventura. “Another
common mistake is organizations relying too heavily on vendor-assessments,
where an organization can say they are secure, but haven't put in robust
controls. Trusting an assessment completely without verification can lead to
major issues down the road.” By failing to focus on supply chain risks,
organizations put themselves at a high risk of a data breach, financial
loss, regulatory and compliance fines and business and reputational
damage.
FinOps for Software as a Service (SaaS)
The challenges of managing public cloud spending are mirrored in the
proliferation of SaaS across organizations through the use of decentralized,
individual-level procurement and corporate-credit-card-funded purchase
orders, resulting in limited organizational-level visibility into cost and
usage. Additionally, SaaS is a consideration in the typical
Build-vs-Buy-vs-Rent discussions. Often, engineers have a choice between
building their own solutions or purchasing one via a SaaS provider. Because
of this, there is less of a clear distinction between what workloads are
managed in Public Cloud versus workloads managed by SaaS vendors (or where
they are shared). Therefore, the spend is all part of the same value
creation process, and engineering teams want to know the total cost of
running their solutions. And naturally, the other FinOps goals and outcomes
follow. By iteratively applying Framework Capabilities to achieve the
outcomes described by the four FinOps Domains: to Understand our Cost &
Usage, to Quantify its Business Value, to Optimize our Cost & Usage, and
to effectively Manage the FinOps Practice, the same financial accountability
and transparency can be established for SaaS spending, ensuring
organizations can keep their SaaS costs aligned with business goals and
associated technology strategy.
The role of data centres in national security
The UK government’s recent decision to designate certain data centres as
Critical National Infrastructure (CNI) represents a significant shift in
recognising their role in safeguarding the nation’s essential services. Data
centres are the backbone of industries like healthcare, finance and
telecommunications, placing them at increased risk of cyberattacks. While
this move enhances protection for specific facilities, it also raises
important questions for the wider industry. ... A critical first step for
data centres is to conduct a thorough security audit. This process helps to
create a complete inventory of all endpoints across both OT and IT
environments, including legacy devices that may have been overlooked.
Understanding the scope of connected systems and their potential
vulnerabilities provides a clear foundation for implementing effective
security measures. Once an inventory is established, technologies like
Endpoint Detection and Response (EDR) can be deployed to monitor critical
endpoints, including servers and workstations, for signs of malicious
activity. EDR solutions enable rapid containment of threats, preventing them
from spreading across the network. Extended Detection and Response (XDR)
builds on this by unifying threat detection across endpoints, networks and
servers, offering a holistic view of vulnerabilities and enabling more
comprehensive protection.
Will the future of software development run on vibes?
When it comes to defining what exactly constitutes vibe coding, Willison
makes an important distinction: "If an LLM wrote every line of your code,
but you've reviewed, tested, and understood it all, that's not vibe coding
in my book—that's using an LLM as a typing assistant." Vibe coding, by
contrast, involves accepting code without fully understanding how it works.
While "vibe coding" originated with Karpathy as a playful term, it may
encapsulate a real shift in how some developers approach programming
tasks—prioritizing speed and experimentation over deep technical
understanding. And to some people, that may be terrifying. Willison
emphasizes that developers need to take accountability for their code: "I
firmly believe that as a developer you have to take accountability for the
code you produce—if you're going to put your name to it you need to be
confident that you understand how and why it works—ideally to the point that
you can explain it to somebody else." He also warns about a common path to
technical debt: "For experiments and low-stake projects where you want to
explore what's possible and build fun prototypes? Go wild! But stay aware of
the very real risk that a good enough prototype often faces pressure to get
pushed to production."
How the Emerging Market for AI Training Data is Eroding Big Tech’s ‘Fair Use’ Copyright Defense
“It would be impossible to train today’s leading AI models without using
copyrighted materials,” the company wrote in testimony submitted to the
House of Lords. “Limiting training data to public domain books and drawings
created more than a century ago might yield an interesting experiment, but
would not provide AI systems that meet the needs of today’s citizens.”
Missed in OpenAI’s pleading was the obvious point: Of course AI models need
to be trained with high-quality data. Developers simply need to fairly
remunerate the owners of those datasets for their use. One could equally
argue that “without access to food in supermarkets, millions of people would
starve.” Yes. Indeed. But we do need to pay the grocer. ... Anthropic,
developer of the Claude AI model, answered a copyright infringement lawsuit
one year ago by arguing that the market for training data simply didn’t
exist. It was entirely theoretical—a figment of the imagination. In federal
court, Anthropic submitted an expert opinion from economist Steven R.
Peterson. “Economic analysis,” wrote Peterson, “shows that the hypothetical
competitive market for licenses covering data to train cutting-edge LLMs
would be impracticable.” Obtaining permission from property owners to use
their property: So bothersome and expensive.
3 Ways FinOps Strategies Can Boost Cyber Defenses
By providing visibility into cloud costs, FinOps uncovers underutilized or
redundant resources and subscriptions, or over-provisioned budgets that can
be redirected to strengthen cybersecurity. Through continuous real-time
monitoring, organizations can proactively identify trends, anomalies, or
emerging inefficiencies, ensuring they align their resources with strategic
goals. For example, regular audits may uncover unnecessary overlapping
subscriptions or unused security features, while ongoing monitoring ensures
these inefficiencies do not reoccur. ... A FinOps approach also involved
continuous monitoring, which not only identifies potential security gaps
before they escalate but also matches security measures with organizational
goals. Furthermore, FinOps helps with financial risk management by assessing
the costs of potential breaches and allocating resources effectively.
Through ongoing risk assessments and strategic budget adjustments,
organizations can make better use of their security investments, which will
help to maintain a robust defense against threats while still achieving
their business aims. ... Moreover, governance frameworks are built into
FinOps principles, which leads to consistent application of security
policies and procedures. This includes setting up governance frameworks that
define roles, responsibilities, and accountability for security and
financial management.
Black Inc has asked authors to sign AI agreements. But why should writers help AI learn how to do their job?
Writers were reportedly asked to permit Black Inc the ability to exercise
key rights within their copyright to help develop machine learning and AI
systems. This includes using the writers’ work in the training, testing,
validation and subsequent deployment of AI systems. The contract is offered
on an opt-in basis, said a Black Inc spokesperson, and the company would
negotiate with “reputable” AI companies. But authors, literary agents and
the Australian Society of Authors have criticised the move. “I feel like
we’re being asked to sign our own death warrant,” said novelist Laura Jean
McKay. ... In theory, the licensing solution should hold true for authors,
publishers and AI companies. After all, a licensing system would offer a
stream of revenue. But in reality there might just be a trickle of income
for authors and the basis for providing it under existing laws might be
quite weak. Authors and publishers are depending on copyright law to protect
them. Unfortunately, copyright law works in relation to copying, not on the
development of capabilities in probability-driven language outputs. ... To
put it another way, once the AI has learned how to write, it has acquired
that capability. It is true AI can be manipulated to produce output that
reflects copyright protected content.
Outsmarting Cyber Threats with Attack Graphs
An attack graph is a visual representation of potential attack paths within a
system or network. It maps how an attacker could move through different
security weaknesses - misconfigurations, vulnerabilities, and credential
exposures, etc. - to reach critical assets. Attack graphs can incorporate data
from various sources, continuously update as environments change, and model
real-world attack scenarios. Instead of focusing solely on individual
vulnerabilities, attack graphs provide the bigger picture - how different
security gaps, like misconfigurations, credential issues, and network
exposures, could be used together to pose serious risk. Unlike traditional
security models that prioritize vulnerabilities based on severity scores
alone, attack graphs loop in exploitability and business impact. The reason?
Just because a vulnerability has a high CVSS score doesn't mean it's an actual
threat to a given environment. Attack graphs add critical context, showing
whether a vulnerability can actually be used in combination with other
weaknesses to reach critical assets. Attack graphs are also able to provide
continuous visibility. This, in contrast to one-time assessments like red
teaming or penetration tests, which can quickly become outdated.
No comments:
Post a Comment