Daily Tech Digest - May 15, 2021

Hybrid multiclouds promise easier upgrades, but threaten data risk

Lack of ongoing training and recertification. Such training helps to reduce the number and severity of hybrid cloud misconfigurations. As the leading cause of hybrid cloud breaches today, it’s surprising more CIOs aren’t defending against misconfigurations by paying for their teams to all get certified. Each public cloud platform provider has a thriving sub-industry of partners that automate configuration options and audits. Many can catch incorrect configurations by constantly scanning hybrid cloud configurations for errors and inconsistencies. Automating configuration checking is a start, but a CIO needs a team to keep these optimized scanning and audit tools current while overseeing them for accuracy. Automated checkers aren’t strong at validating unprotected endpoints, for example. Automation efforts often overlook key factors. It is necessary to address inconsistent, often incomplete controls and monitoring across legacy IT systems. That is accompanied by inconsistency in monitoring and securing public, private, and community cloud platforms. Lack of clarity on who owns what part of a multicloud configuration continues because IT and the line of business debate who will pay for it.
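As an added illustration of the automated configuration scanning the excerpt describes (this is example code written for this digest, not from the article or any vendor's product), the script below runs a few policy checks over constructed resource snapshots. The resource records, their field names and the rule thresholds are all assumptions for the example; a real scanner pulls these from each provider's API. It also shows the caveat from the text: a resource type the checker has no rule for (here a hypothetical unauthenticated API endpoint) is only reported as unreviewed, not as a finding, which is exactly where a human team is still needed.

```python
"""Policy checks over constructed cloud configuration snapshots.

Added example: rules run over exported resource descriptions and emit
findings as (resource id, severity, message). Everything below is
constructed for illustration; nothing is tied to a specific provider.
"""
import ipaddress


def check_security_group(sg):
    """Flag ingress rules that expose ports to the whole internet."""
    findings = []
    for rule in sg.get("ingress", []):
        try:
            net = ipaddress.ip_network(rule["cidr"])
        except ValueError:
            findings.append((sg["id"], "high", f"unparseable CIDR {rule['cidr']!r}"))
            continue
        if net.prefixlen == 0 and rule["port"] in (22, 3389):
            # SSH/RDP open to 0.0.0.0/0 is the classic hybrid cloud misconfiguration
            findings.append((sg["id"], "critical", f"admin port {rule['port']} open to the world"))
        elif net.prefixlen == 0:
            findings.append((sg["id"], "medium", f"port {rule['port']} open to the world"))
    return findings


def check_bucket(bucket):
    """Flag public object storage, missing encryption and missing access logs."""
    findings = []
    if bucket.get("public_access"):
        findings.append((bucket["id"], "critical", "object storage is publicly readable"))
    if not bucket.get("encryption_at_rest", False):
        findings.append((bucket["id"], "medium", "encryption at rest disabled"))
    if not bucket.get("access_logging", False):
        findings.append((bucket["id"], "low", "access logging disabled"))
    return findings


# Resource type -> check function. Types absent here cannot be validated.
CHECKS = {"security_group": check_security_group, "bucket": check_bucket}


def scan(resources):
    """Run every applicable check; resources of unknown type are listed as unreviewed."""
    findings, unreviewed = [], []
    for resource in resources:
        check = CHECKS.get(resource["type"])
        if check is None:
            unreviewed.append(resource["id"])
        else:
            findings.extend(check(resource))
    return findings, unreviewed


def severity_counts(findings):
    """Summarise findings by severity for a dashboard or ticket."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample snapshot (hypothetical ids and values).
SAMPLE_RESOURCES = [
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-db",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    {"type": "bucket", "id": "bkt-backups",
     "public_access": True, "encryption_at_rest": True, "access_logging": False},
    {"type": "bucket", "id": "bkt-logs",
     "public_access": False, "encryption_at_rest": True, "access_logging": True},
    # No rule knows how to judge this endpoint, so it is reported as unreviewed.
    {"type": "api_endpoint", "id": "ep-internal-admin", "auth": "none"},
]


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_RESOURCES)
    for resource_id, severity, message in found:
        print(f"[{severity}] {resource_id}: {message}")
    print("unreviewed resource types:", skipped)
    print("summary:", severity_counts(found))
```

The `unreviewed` list is the important output for a CIO's team: it is the inventory the tooling cannot judge, and it grows every time a new service type appears in the estate.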

Cybersecurity Oversight and Defense — A Board and Management Imperative

Although it is common to have the cyber risk oversight function fall to the audit committee, this should be carefully considered given the burden on audit committees. An alternative to consider, depending on the magnitude of the oversight responsibility, is the formation of a dedicated, cyber-specific board-level committee or sub-committee. At the same time, because cybersecurity considerations increasingly affect all operational decisions, they should be a recurring agenda item for full board meetings. Companies that already have standalone risk or technology committees should also consider where and how to situate cybersecurity oversight. The appointment of directors with experience in technology should be evaluated alongside board tutorials and ongoing director education on these matters. Robust management-level systems and reporting structures support effective board-level oversight, and enterprise-wide cybersecurity programs should be re-assessed periodically, including to ensure they flow through to individual business units and legacy assets as well as newly acquired or developed businesses.

Linux and open-source communities rise to Biden's cybersecurity challenge

This is not just a problem, of course, with open-source software. With open-source software, you can actually see the code, so it's easier to make an SBOM. Proprietary programs, like the recently, massively exploited Microsoft Exchange disaster, are black boxes. There's no way to really know what's in Apple or Microsoft software. Indeed, the biggest supply-chain security disaster so far, SolarWinds' catastrophic failure to secure its software supply chain, was the result of proprietary software supply chain failures. Besides SPDX, the Linux Foundation recently announced a new open-source software signing service: the sigstore project. Sigstore seeks to improve software supply chain security by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. Developers are empowered to securely sign software artifacts such as release files, container images, and binaries. These signing records are then kept in a tamper-proof public log. This service will be free for all developers and software providers to use. The sigstore code and operation tooling that will make this work is still being developed.
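To show what "kept in a tamper-proof public log" means mechanically, here is an added example (written for this digest, not sigstore's own code) of an append-only Merkle log with inclusion proofs, using only the Python standard library. Signing records are appended as leaves, the log publishes a root hash, and a client holding a record plus a short proof can check that the record is in the log without trusting the log operator; any edit to a stored record breaks the proof. Hashing uses the leaf/node prefix convention from RFC 6962; the record contents (artifact digests, signer identity) are constructed placeholders.

```python
"""Append-only Merkle log with inclusion proofs (added example, stdlib only).

A teaching sketch of the transparency-log idea behind sigstore: it is not
the project's implementation, only the verifiable-log mechanism it relies on.
"""
import hashlib
import json


def _leaf_hash(data: bytes) -> bytes:
    # 0x00 prefix separates leaves from interior nodes (RFC 6962 convention)
    return hashlib.sha256(b"\x00" + data).digest()


def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree shape)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves):
    """Root hash over an ordered list of leaf hashes."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split_point(len(leaves))
    return _node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves, index):
    """Sibling hashes from the leaf up to the root, each tagged with its side."""
    if len(leaves) == 1:
        return []
    k = _split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("R", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("L", merkle_root(leaves[:k]))]


def verify_inclusion(leaf_hash, proof, root):
    """Recompute the root from a leaf and its proof; True only if it matches."""
    h = leaf_hash
    for side, sibling in proof:
        h = _node_hash(h, sibling) if side == "R" else _node_hash(sibling, h)
    return h == root


def record_hash(record: dict) -> bytes:
    """Canonical JSON so client and log hash the record identically."""
    return _leaf_hash(json.dumps(record, sort_keys=True).encode())


class TransparencyLog:
    """Append-only log: entries are never edited, only added."""

    def __init__(self):
        self._leaves = []

    def append(self, record: dict) -> int:
        self._leaves.append(record_hash(record))
        return len(self._leaves) - 1  # the entry's index, returned to the signer

    def root(self) -> bytes:
        return merkle_root(self._leaves)

    def proof(self, index):
        return inclusion_proof(self._leaves, index)


def demo():
    """Append constructed signing records, verify one, then show tampering fails."""
    log = TransparencyLog()
    records = [{"artifact": f"sha256:constructed-digest-{i}", "signer": "dev@example.invalid"}
               for i in range(5)]
    for r in records:
        log.append(r)
    root = log.root()
    genuine_ok = verify_inclusion(record_hash(records[2]), log.proof(2), root)
    forged = dict(records[2], artifact="sha256:constructed-digest-evil")
    forged_ok = verify_inclusion(record_hash(forged), log.proof(2), root)
    return genuine_ok, forged_ok


if __name__ == "__main__":
    print("genuine record verifies:", demo()[0], "| forged record verifies:", demo()[1])
```

A client only needs the published root (which in practice is itself signed by the log and gossiped widely) and the proof, so a compromised log server cannot quietly rewrite an old entry without changing the root everyone else already holds.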

DevOps didn’t kill WAF, because WAF will never truly die

WAFs are specific to each application and, therefore, require different protections. The filtering, monitoring, and policy enforcement (such as blocking malicious traffic) provide valuable protections but carry cost implications and consume computing resources. In a DevOps-fed cloud environment, it’s challenging to keep WAFs current with the constant flow of updates and changes. Introducing security into the CI/CD pipeline can solve that problem, but only for those apps being developed that way. It’s impossible to build security sprints into old third-party apps or applications deployed by different departments. The mere existence of those apps presents risk to the enterprise. They still need to be secured, and WAFs are likely still the best option. It’s also important to remember that no approach to cybersecurity will be perfect and that an agile DevOps methodology won’t be enough on its own. Even in an environment believed to be devoid of outdated or third-party apps, you can never be sure what other groups are doing or deploying—shadow IT is a persistent problem for enterprises.

Top 10 Latest Research On Brain Machine Interface

The Brain Machine interface is a study that captures this neural process to control external software and hardware. Though the technology is at its primary stages, these are the current possibilities of the Brain-Machine Interface. Brain-controlled wheelchair: A technique to ease the life of disabled people. With concentration, users will be able to navigate the wheelchair through familiar indoor environments. Brain-controlled Robotic Arm: A brainwave sensor is used to capture brain signals every time the user blinks, concentrates or meditates. The Robotic Arm is moved with an EEG sensor based on the brain data collected. Brain Keyboard: Oftentimes, paralyzed people fail to communicate with the surrounding environment. But that can be solved with a Brain Keyboard. EEG sensors will read the eye blinks and the system will translate them into text on the display. Brain-controlled Helicopter: Can you imagine flying a helicopter with your brain? It’s possible. The helicopter can fly according to the pilot’s concentration and meditation, which will navigate the helicopter up and down. Brain-controlled password authentication: EEG can be applied in biometric identification as brain signals and patterns are unique for every individual.

Are business leaders scared by the public cloud?

Security and compliance are the biggest barriers to adoption, respectively. However, for the majority of business leaders, the cloud is more secure and easier to maintain compliance in than on-premises. Only a tiny minority of decision-makers find that the public cloud is less capable in terms of both security and data compliance than on-premises. Although superior in terms of capability, switching to cloud-native security and compliance models is a struggle for some enterprises. However, almost everyone is planning on growing their cloud program… despite the concerns some have expressed about vendor lock-in. The vast majority of enterprises will continue on with their cloud journey, although around a third are predicted to go full-steam ahead, migrating “as quickly as is feasible”. This is by no means the case for all enterprises, though. Around half wish to migrate more cautiously. Vendor lock-in also appears to be a major issue for most enterprises. The majority of enterprises express that they are significantly concerned by the consequences of putting all their eggs in one cloud provider’s basket. Only a fearless few do not see this as a concern, and this is the way to go.

Why data and machine intelligence will become the new normal in insurance

In the next 3-5 years, the digital insurance consumer will likely remain the millennials, with higher levels of income and education. It is important though to not assume homogeneity and develop solutions based on lazily assessed group characteristics. Personalisation is more important now than it ever has been. Beyond functionality and ease of access, emotions and personal growth are key drivers in consumption behaviour and, like in any other group, there are a diverse set of expectations and desires amongst this group. Tailoring services and online buying journeys to the individual rather than the group is paramount; in the same way that offering life insurance immediately following a bereavement could be viewed as inappropriate, so too could an offer of social insurance be offensive to a staunch individualist. Certain benefits, although appealing on the surface to members of 'the group', may not work at a more nuanced level – a donation with every policy bought to an environmental charity will not appeal to every millennial.

Paying a Ransom: Does It Really Encourage More Attacks?

Although Phil Reitinger, a former director of the National Cyber Security Center within the Department of Homeland Security, doesn’t expect the pipeline company's apparent ransom payment to serve as a catalyst for other ransomware gangs, he acknowledges the impact the attack had on pipeline operations could encourage those interested in causing similar mayhem. "I don't see paying this particular ransom as that different from others, in the sense of opening up critical infrastructure as a target," he says. "Indeed, I expect there to be a reduction in criminal attacks on critical infrastructure as this ransomware gang now has a big target on its back," says Reitinger, who's now president and CEO of the Global Cyber Alliance. "However, the effectiveness of the attack may well increase the incentive for other actors who want to disrupt rather than cash a check." The ransomware-as-a-service gang behind DarkSide announced Thursday it was shutting down its operation after losing access to part of its infrastructure. A ransomware attack by a nation-state or highly competent gang, such as DarkSide, is almost impossible to stop, Maor says. But he points out that such attacks aren't easy to pull off.

Using Data as Currency: Your Company’s Next Big Advantage

Today’s world is increasingly data-driven, and companies are amassing unique data assets that have numerous and valuable implications for analytics, modeling, insights, personalization and targeting purposes. Most companies don’t know how to turn their mountains of data into real value for their business or their customers. But the companies that do are rewarded with market valuations that far exceed their peers. Amazon, Nike, Progressive, Hitachi, and others recognize that winning in a digitally driven world is about using data as currency, and the CIO and CTO are key to making that happen. But what does “data as currency” mean? For a while now, we have heard a number of leaders claim, “data is the new oil”. ... Data’s flexibility arguably gives data even more value than oil and other currencies, assuming companies can leverage it properly. For instance, many product companies sit on customer interaction data that could better predict demand to optimize their manufacturing output and supply chains. Internal data on employee job assignments, self-driven trainings, and micro-experiences could optimize talent versus upcoming opportunities.

Implementing Microservicilities with Quarkus and MicroProfile

In a microservice architecture, we should develop with failure in mind, especially when communicating with other services. In a monolith application, the application, as a whole, is up or down. But when this application is broken down into a microservice architecture, the application is composed of several services and all of them are interconnected by the network, which implies that some parts of the application might be running while others may fail. It is important to contain the failure to avoid propagating the error through the other services. Resiliency (or application resiliency) is the ability for an application/service to react to problems and still provide the best possible result. ... Elasticity (or scaling) is something that Kubernetes had in mind since the very beginning; for example, running the command kubectl scale deployment myservice --replicas=5 scales the myservice deployment to five replicas or instances. The Kubernetes platform takes care of finding the proper nodes, deploying the service, and maintaining the desired number of replicas up and running all the time.
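The article implements resiliency with MicroProfile Fault Tolerance annotations in Quarkus; the added example below (written for this digest, not the article's Java code) shows the same three pieces, retry, circuit breaker and fallback, as plain Python so the failure-containment behaviour can be traced end to end. The downstream service is a constructed stand-in that fails a fixed number of times before recovering, and the clock is injected so the reset timeout is deterministic. Thresholds and timeouts are assumed values for illustration.

```python
"""Retry + circuit breaker + fallback around a downstream call (added example).

Mirrors what @Retry, @CircuitBreaker and @Fallback do for a Quarkus service,
rewritten in plain Python. The point: once the downstream is known to be
failing, callers fail fast and serve a fallback instead of piling on requests.
"""
import time


class CircuitOpenError(Exception):
    """Raised when the breaker refuses to call the downstream at all."""


class CircuitBreaker:
    CLOSED, OPEN, HALF_OPEN = "closed", "open", "half_open"

    def __init__(self, failure_threshold=3, reset_timeout=5.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock          # injectable for deterministic tests
        self.state = self.CLOSED
        self.failures = 0
        self.opened_at = None

    def call(self, fn, *args):
        if self.state == self.OPEN:
            if self.clock() - self.opened_at >= self.reset_timeout:
                self.state = self.HALF_OPEN   # allow a single probe request
            else:
                raise CircuitOpenError("downstream circuit open; failing fast")
        try:
            result = fn(*args)
        except Exception:
            self._on_failure()
            raise
        self._on_success()
        return result

    def _on_failure(self):
        self.failures += 1
        # A failed probe reopens immediately; otherwise open at the threshold.
        if self.state == self.HALF_OPEN or self.failures >= self.failure_threshold:
            self.state = self.OPEN
            self.opened_at = self.clock()

    def _on_success(self):
        self.failures = 0
        self.state = self.CLOSED


def call_with_resilience(breaker, fn, fallback, max_retries=2):
    """Retry transient errors up to max_retries; on exhaustion or open circuit, use fallback."""
    attempts = 0
    while True:
        try:
            return breaker.call(fn)
        except CircuitOpenError:
            return fallback()
        except Exception:
            attempts += 1
            if attempts > max_retries:
                return fallback()


class FakeClock:
    """Constructed clock so the reset timeout can be advanced by hand."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class FlakyDownstream:
    """Constructed dependency: raises until `fail_count` calls have been made."""
    def __init__(self, fail_count):
        self.fail_count = fail_count
        self.calls = 0
    def __call__(self):
        self.calls += 1
        if self.calls <= self.fail_count:
            raise ConnectionError("simulated timeout")
        return "live-response"


def demo():
    """Walk the breaker through closed -> open -> half-open -> closed."""
    clock = FakeClock()
    downstream = FlakyDownstream(fail_count=4)
    breaker = CircuitBreaker(failure_threshold=3, reset_timeout=5.0, clock=clock)
    cached = lambda: "cached-response"
    out = {}
    out["first"] = call_with_resilience(breaker, downstream, cached)   # 3 tries, opens
    before = downstream.calls
    out["while_open"] = call_with_resilience(breaker, downstream, cached)
    out["downstream_calls_while_open"] = downstream.calls - before      # 0: failed fast
    clock.advance(5.0)
    out["probe_failed"] = call_with_resilience(breaker, downstream, cached)  # reopens
    clock.advance(5.0)
    out["recovered"] = call_with_resilience(breaker, downstream, cached)
    out["final_state"] = breaker.state
    out["total_downstream_calls"] = downstream.calls
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note how the second request never touches the network: containing the failure at the caller is what stops one slow dependency from exhausting thread pools and connection limits across every service that depends on it.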

Quote for the day:

"To get a feel for the true essence of leadership, assume everyone who works for you is a volunteer." -- Kouzes and Posner

Daily Tech Digest - May 14, 2021

Thoughts on Cloud Security

With good security professionals in high demand, companies are better off investing in their security professionals who show an interest in “cloud” in order to take their security organization to the next level. Solid training and support will enable them to better collaborate with development teams and significantly raise the “security” bar of their cloud environment. There are plenty of free resources available today, such as cloud security standards and open source solutions, that can be leveraged. The Center for Internet Security (CIS) controls and/or AWS’ Well-Architected Framework are great resources to help get started. As a reformed cloud security professional, I can say that embracing the cloud takes a shift in mindset. In general, security teams need to stop saying “no” and getting in the way of innovation. Instead, they need to be able to provide development teams the access they need — when they need it, and put guardrails in place to ensure security. To be successful, it is key to do this in a way that does not have a significant impact on the development experience.

85% of Data Breaches Involve Human Interaction: Verizon DBIR

"Credentials are the skeleton key," Bassett says. Most know stolen credentials are a problem, but what they may not think about is how they spread across attack patterns and enable the start of many different types of data breaches, from phishing campaigns, to stealing the contents of a target mailbox, to a ransomware campaign in which an attacker encrypts then steals data. The trend toward simplicity is evident in the continued increase of business email compromise (BEC), which followed phishing as the second most common form of social engineering, reflecting a 15x spike in "misrepresentation," a type of integrity breach. BEC doubled last year and again this year. Of the 58% of BEC attacks that successfully stole money, the median loss was $30,000, with 95% of BECs costing between $250 and $984,855, researchers learned. Of the breaches analyzed, 85% had a human element. This is a broad term that encompasses any attack that involves a social action: phishing, BEC, lost or stolen credentials, using insecure credentials, human error, misuse, and even malware that has to be clicked then downloaded.

Hybrid working: creating a sustainable model

The evolution of thinking around the workplace we’ve seen in such a short space of time is quite something. Over the course of the last year, business mindsets have shifted from complete allegiance to the physical office, to fully embracing remote working to survive, to a realisation that a hybrid working model may well be the best way for businesses to thrive. Now, as we begin to move out of the pandemic, IT and business leaders should be considering what their workplace strategy looks like in the long term. What can we learn from the last 12 months? What are the tools, technologies and processes we should keep in place? How do we facilitate a reimagined office space? How do we empower employees to be productive and happy wherever they are? There’s no doubt that hybrid working opens up huge opportunity for businesses, from creating a flexible working environment that appeals to a broad range of talent to enabling more efficient ways of working and a healthier work-life balance. But how do we create a hybrid model that is sustainable in the long term?

The Global Artificial Intelligence Race and Strategic Balance

Countries are under pressure to protect their citizens and even political stability in the face of possible malicious/biased uses of AI and Big Data. Because 5G networks are the future backbone of our increasingly digitised economies and societies, ensuring their security and resilience is essential. Even at current capability levels, AI can be used in the cyber domain to augment attacks on cyberinfrastructure. There is no such thing as perfect security, only varying levels of insecurity. These ‘smart’ technologies rely on bidirectional wireless links to communicate with devices and global services, which gives a larger ‘attack surface’ that cyber threats target. Thus, 5G networks may lead to politically divided and potentially noninteroperable technology spheres of influence, where one sphere would be led by the US and another by China, with some others in between (for example the EU, South Korea and Japan). All of these concerns are most significant in the context of authoritarian states but may also undermine the ability of democracies to sustain truthful public debates. For example, ‘deepfake’ algorithms can create fake images and videos that cannot easily be distinguished from authentic ones by humans. It is threatening to global security if deepfake methods are employed to promulgate misinformation.

5 developer tools for detecting and fixing security vulnerabilities

Dependabot - now a native GitHub solution - has a simple, straightforward workflow: automatically open Pull Requests for new dependency versions, and alert on vulnerable dependencies. Dependabot will also clearly differentiate between security-related PRs and normal dependency upgrades by tagging [Security] in the title and label, along with including a changelog of the vulnerabilities fixed. ... Similar to Dependabot, Renovate is a GitHub or CLI app that monitors your dependencies and opens Pull Requests when new ones are available. While it supports fewer languages than Dependabot, the main advantage of Renovate is that it's extremely configurable. Ever wished you could write "schedule": "on the first day of the week" in your configs? Well, Renovate allows you to do that! It also provides fine-grained control of auto-merging dependencies based on rules set in the config. ... Snyk is a new one for me, but I really like that it's a product built with developers in mind, regardless of their previous experience with security. While Snyk is a paid product for business+, their free tier covers open-source, personal projects, and small teams, making it a great resource for personal projects and learning, even if you don't have the opportunity to use it on the job!

Adding Security to Testing to Enable Continuous Security Testing

Security testing is a variant of software testing which ensures that the system and applications in an organization are free from any loopholes that may cause a big loss, Thalayasingam said. Security testing of any system is about finding all possible loopholes and weaknesses of the system which might result in a loss of information at the hands of the employees or outsiders of the organization. To kick off security testing, security experts should train quality engineers about security and how to do manual security testing. Next, quality engineers can work with security experts to narrow down the tests for security testing and add value to existing test cases. This will lead to executing the security tests in sprint-level activities, automating them, and making them part of continuous integration. Quality engineers should add the security checks to their test process for each story, Thalayasingam suggested. This would help to find the obvious security vulnerabilities at a very early stage. The right guidance and training will help quality engineers to gain the security testing mindset.

Building AI Leadership Brain Trust Is A Business Imperative: Are You Ready?

There are sufficient markers painting this stark prediction if one chooses to dig deeper. Did you know that over half of technology executives in the 2019 Gartner CIO Survey say they intend to employ AI before the end of 2020, up from 14% today? Board directors and CEOs have to accelerate their investments in AI, and ensure they are managing the journey wisely with the right AI leadership skills in place and the Machine Learning toolkits required to advance AI with sustainability enablements to modernize your business. In a recent report by NewVantage Partners, 75% of companies cited fear of disruption from data-driven digital competitors as the top reason they’re investing. There are many questions that board directors and CEOs must ask in the face of any large investment consideration, and AI is not inexpensive. On average an AI project can range from as low as $30K to $1 million plus for an MVP, depending on the complexity of the data set and the use case being solved to build a baseline AI model to predict an accurate outcome.

Maximizing a hybrid cloud approach with colocation

Companies are increasingly deploying a hybrid cloud approach to balance the benefits and challenges presented by both the public and private cloud. With the hybrid cloud, both types of cloud environments are integrated, allowing data to move seamlessly between platforms. This hybrid architecture can be designed as a bifurcated system in which the private cloud hosts a company’s sensitive data and mission critical components, and the public cloud hosts the rest. With this type of architecture, the data and applications live permanently in their assigned cloud environment, but the two systems are able to communicate seamlessly. Another option – the cloud bursting model – houses all of a company’s information in the private cloud, but when spikes in demand occur the public cloud provides supplementary capacity. Both hybrid approaches give companies greater control over and access to their IT environments and the ability to implement more stringent security protocols on the private cloud portion of their deployment. In addition, a hybrid approach gives organizations flexibility to build a solution that meets their current needs, but that can also evolve as their needs change.

Fake Android, iOS apps promise lucrative investments while stealing your money

The operators have created dedicated websites linked to each individual app, tailored to appear as the impersonated organizations in an effort to improve the apparent legitimacy of the software -- and the likelihood of a scam being successful. Sophos' investigation into the apps began with a report of a single malicious app masquerading as a trading company based in Asia, Goldenway Group. The victim, in this case, was targeted through social media and a dating website and lured to download the fake app. Rather than relying on mass spam emails or phishing, attackers may now also take a more personal approach and try to forge a relationship with their victim, such as by pretending to be a friend or a potential love match. Once trust is established, they will then offer some form of time-sensitive financial opportunity and may also promise guaranteed returns and excellent profits. However, once a victim downloads a malicious app or visits a fake website and provides their details, they are lured into opening an account or cryptocurrency wallet and transferring funds. 

When AI Becomes the Hacker

The core question Schneier asks is this: What if artificial intelligence systems could hack social, economic, and political systems at the computer scale, speed, and range such that humans couldn't detect it in time and suffered the consequences? It's where AIs evolve into "the creative process of finding hacks." "They're already doing that in software, finding vulnerabilities in computer code. They're not that good at it, but eventually they will get better [while] humans stay the same" in their vulnerability discovery capabilities, he says. In less than a decade from now, Schneier predicts, AIs will be able to "beat" humans in capture-the-flag hacking contests, pointing to the DEFCON contest in 2016 when an AI-only team called Mayhem came in dead last against all-human teams. That's because AI technology will evolve and surpass human capability. Schneier says it's not so much AIs "breaking into" systems, but AIs creating their own solutions. "AI comes up with a hack and a vulnerability, and then humans look at it and say, 'That's good,'" and use it as a way to make money, like with hedge funds in the financial sector, he says.

Quote for the day:

"Effective team leaders realize they neither know all the answers, nor can they succeed without the other members of the team." -- Katzenbach & Smith

Daily Tech Digest - May 13, 2021

Why VMware’s Tom Gillis Calls APIs ‘the Future of Networking’

Gillis says there are three steps to building “world-class security” in the data center. Step one is software-based segmentation, which can be as simple as separating the production environment from the development environment. “And then you want to make those segments smaller and smaller until we get them down to per-app segmentation, which we call microsegmentation,” he explained. Step two requires visibility into in-band network traffic. “We’re gonna go through on a flow-by-flow basis, and starting looking at, okay, this one is legitimate, and this one is WannaCry, and being able to figure that out using a distributed architecture,” Gillis said. Step three involves the ability to do anomaly detection, which allows analysts to find unknown threats as the attackers continually change their tactics. “Most security-conscious companies do this with a network TAP,” Gillis says. These test access points (TAPs) allow companies to access and monitor network traffic by making copies of the packets. However, deploying all of these network TAPs, and storing the copies in a data lake, becomes “very cumbersome, very operationally deficient,” Gillis said.

'FragAttacks' eavesdropping flaws revealed in all Wi-Fi devices

To be clear, these attacks would require the threat actor to be on the local network alongside the targets; these are not remotely exploitable flaws that could, for instance, be embedded in a webpage or phishing email. The attacker would either have to be on a public Wi-Fi network, have gotten access to a private network by obtaining the password, or have tricked their mark into connecting to a rogue access point. Thus far, there have been no reports of the vulnerabilities being exploited in the wild. Vanhoef opted to hold the public disclosure until vendors could be briefed and given time to patch the bugs. So far, at least 25 vendors have posted updates and advisories. Both Microsoft and the Linux Kernel Organization were warned ahead of time, and users can protect themselves by updating to the latest version of their operating systems. In a presentation set for the USENIX Security conference, Vanhoef explained how, by manipulating the unauthenticated "aggregated" flag in a frame, instructions can be slipped into the frame and executed by the target machine. This could, for example, allow an attacker to redirect a victim to a malicious DNS server.

The state of digital transformation in Indonesia

Indonesian firms are facing people-related challenges most often in their digital transformation. Lack of technology skills and knowledge, and a shortage of employee availability, indicate a critical talent crunch. Firms may pay a price already for not putting employee experience higher on their business agenda. Besides data issues, challenges also include securing the digital transformation. Only 17% of firms in Indonesia are currently adopting a zero trust strategic cybersecurity framework. Fewer than 20% mention securing budgeting and funding for DT as a key challenge. This indicates that early successes are recognized in boardrooms and with executive leaders and that the vast majority of firms in Indonesia have prepared their transformation budgets well. Indonesian firms face fewer budget challenges for digital transformation than their peers in other markets. Firms are also prioritizing cloud and are building new applications and services primarily on public cloud. Tech executives in Indonesia therefore face their most immediate challenges around people, skills, and culture. Upskilling, retention, and aligning employee priorities to digital transformation are crucial for ongoing success—and firms must act immediately. Agile has successfully taken hold in IT organizations, but tech executives must take the lead and collaborate across lines of business to drive adaptiveness across the organization.

Law firms are building A.I. expertise as regulation looms

Just because A.I. is an emerging area of law doesn’t mean there aren’t plenty of ways companies can land in legal hot water today using the technology. He says this is particularly true if an algorithm winds up discriminating against people based on race, sex, religion, age, or ability. “It’s astounding to me the extent to which A.I. is already regulated and people are operating in gleeful bliss and ignorance,” he says. Most companies have been lucky so far—enforcement agencies have generally had too many other priorities to take too hard a look at more subtle cases of algorithmic discrimination, such as a chat bot that might steer certain white customers and Black customers to different car insurance deals, Hall says. But he thinks that is about to change—and that many businesses are in for a rude awakening. Working with Georgetown University’s Center for Security and Emerging Technology and Partnership on A.I., Hall was among the researchers who have helped document 1,200 publicly reported cases of A.I. “system failures” in just the past three years. The consequences have ranged from people being killed to false arrests based on facial recognition systems misidentifying people to individuals being excluded from job interviews.

BRD’s Blockset unveils its white-label cryptocurrency wallet for banks

“The concept is really a result of learnings from working with our customers, tier one financial institutions, who need a couple things,” Traidman told TechCrunch. “Generally they want to custody crypto on behalf of their customers. For example, if you’re running an ETF, like a Bitcoin ETF, or if you’re offering customers buying and selling, you need a way to store the crypto, and you need a way to access the blockchain.” “The Wallet-as-a-Service is the nomenclature we use to talk about the challenge that customers are facing, whereby blockchain is really complex,” he added. “There are three V’s that I talk about: variety, a lot of velocity because there’s a lot of transactions per second, and volume because there’s a lot of total aggregate data.” Blockset also enables clients to add features like trading crypto or fiat or lending Bitcoin or Stablecoins to take advantage of high interest rates. Enterprises can develop and integrate their own solutions or work with Blockset’s partners. Other companies that offer enterprise blockchain infrastructure include Bison Trails, which was recently acquired by Coinbase, and Galaxy Digital.

Democratize Machine Learning with Customizable ML Anomalies

Customizable machine learning (ML) based anomalies for Azure Sentinel are now available for public preview. Security analysts can use anomalies to reduce investigation and hunting time as well as improve their detections. Typically, these benefits come at the cost of a high benign positive rate, but Azure Sentinel’s customizable anomaly models are tuned by our data science team and trained with the data in your Sentinel workspace to minimize the benign positive rate, providing out-of-the box value. If security analysts need to tune them further, however, the process is simple and requires no knowledge of machine learning. ... A new rule type called “Anomaly” has been added to Azure Sentinel’s Analytics blade. The customizable anomalies feature provides built-in anomaly templates for immediate value. Each anomaly template is backed by an ML model that can process millions of events in your Azure Sentinel workspace. You don’t need to worry about managing the ML run-time environment for anomalies because we take care of everything behind the scenes. In public preview, all built-in anomaly rules are enabled by default in your workspace. 

How to stop AI from recognizing your face in selfies

Most of the tools, including Fawkes, take the same basic approach. They make tiny changes to an image that are hard to spot with a human eye but throw off an AI, causing it to misidentify who or what it sees in a photo. This technique is very close to a kind of adversarial attack, where small alterations to input data can force deep-learning models to make big mistakes. Give Fawkes a bunch of selfies and it will add pixel-level perturbations to the images that stop state-of-the-art facial recognition systems from identifying who is in the photos. Unlike previous ways of doing this, such as wearing AI-spoofing face paint, it leaves the images apparently unchanged to humans. Wenger and her colleagues tested their tool against several widely used commercial facial recognition systems, including Amazon’s AWS Rekognition, Microsoft Azure, and Face++, developed by the Chinese company Megvii Technology. In a small experiment with a data set of 50 images, Fawkes was 100% effective against all of them, preventing models trained on tweaked images of people from later recognizing those people in fresh images.

Agile Transformation: Bringing the Porsche Experience into the Digital Future with SAFe

Agile means, in fact, many things, but above all, it is a shared commitment. What really matters are the underlying values such as openness, self-commitment, and focus. Not to forget the main principles behind agile work: customer orientation, embracing change and continuous improvement, empowerment and self-organization, simplicity, and transparency. In other words, what we learned quite early on is the importance of establishing not only ambitious goals but also a shared vision across teams. That requires bringing together different goals and building alignment around a common purpose. Furthermore, we have learned that it is important to focus on incremental change. We now focus on a small number of topics and pursue them persistently. Transformation takes time. Lifelong learning also means that change is an ongoing process — it never ends. Sometimes, change may be hard, but we are not alone. It affects many areas outside the Digital Product Organization and it is essential that we take others along on the journey. Finally, it is important to keep in mind that successful and long-lived companies are usually the ones that learn to be agile and stable at the same time.

Recruiting and retaining diverse cloud security talent

The first step to encouraging more diversity within the cyber security workforce is representation. Businesses need to look at their teams and collaborate with their community and industry to create a platform that will inspire individuals into industries they may not have considered before. For example, company representatives at events act as role models, and their individual passion can be a strong inspiration and draw for a wide range of candidates. For this reason, it’s vital that security and cloud teams – and in particular members from diverse backgrounds – have a voice on traditional media and social platforms. Diverse voices should be seen and heard in newspapers, on corporate blogs, and in broadcast, where they can share insight into their careers and expertise, encouraging new talent to join the industry and their business specifically. Similarly, mentorship programmes help businesses to attract and retain talent. For those moving into the industry, changing companies, or transitioning into a new role, having a mentor provides support, the comfort of representation, and showcases their achievements. 

3 areas of implicitly trusted infrastructure that can lead to supply chain compromises

Once the server a software repository is hosted on is compromised, an attacker can do just about anything with the repositories on that machine if the users of the repository are not using signed git commits. Signing commits works much like author-signed packages from package repositories but brings that authentication down to the individual code change. To be effective, this requires every user of the repository to sign their commits, which is weighty from a user perspective. PGP is not the most intuitive of tools and will likely require some user training to implement, but it’s a necessary trade-off for security. Signed commits are the one and only way to verify that commits are coming from the original developers. The user training and inconvenience of such an implementation is a necessary cost if you want to prevent malicious committers masquerading as developers. This would have also made the HTTPS-based commits of the PHP project’s repository immediately suspicious. Signed commits do not, however, alleviate all problems, as a compromised server with a repository on it can allow the attacker to inject themselves into several locations during the commit process.
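As an added example (not code from the article or the PHP project), a small policy check a CI job could run on the output of git's signature-aware log format to reject any commit that is unsigned, unverifiable, or signed by a key that is not on an allow-list. The `git log --format='%H %G? %GS'` placeholders are real git features; the sample log, commit hashes and signer names are constructed placeholders.

```python
# Added example, not from the article: a CI gate that enforces signed commits
# by auditing the output of  git log --format='%H %G? %GS' <base>..<head>
# (%G? is git's one-letter signature status code, as documented for git log's
# pretty formats, and %GS the signer name). The sample log below is constructed.

STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}


def audit_signature_log(lines, trusted_signers):
    """Return (commit, reason) for every commit that fails the policy.

    Only a good signature (G) from an allow-listed signer passes. A valid
    signature from an unknown key (U), an unverifiable one (E) and an unsigned
    commit (N) are rejected, so history re-signed with an attacker's key fails.
    """
    failures = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        commit, status, signer = (parts + ["", ""])[:3]  # signer is "" when unsigned
        if status != "G":
            failures.append((commit, STATUS_MEANING.get(status, f"unknown status {status!r}")))
        elif signer not in trusted_signers:
            failures.append((commit, f"good signature from unlisted signer {signer!r}"))
    return failures


# Constructed sample output (placeholder hashes and names).
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G Alice Developer <alice@example.com>
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U Mallory <mallory@example.com>
4444444444444444444444444444444444444444 G Mallory <mallory@example.com>
5555555555555555555555555555555555555555 E
"""
TRUSTED_SIGNERS = {"Alice Developer <alice@example.com>"}

if __name__ == "__main__":
    for commit, reason in audit_signature_log(SAMPLE_LOG.splitlines(), TRUSTED_SIGNERS):
        print(f"REJECT {commit[:12]}: {reason}")
```

Running it on a real repository means piping `git log --format='%H %G? %GS' origin/main..HEAD` into the function and failing the pipeline when the returned list is non-empty.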

Quote for the day:

"Leadership is absolutely about inspiring action, but it is also about guarding against mis-action." -- Simon Sinek