We already see rapidly increasing numbers of data breaches as more connected devices make more attack surfaces available. As companies and governments work continually to protect against cybersecurity attacks through advances in technology, the advent of quantum computing could create a free for all for cybercriminals. But there is a solution in the form of quantum-safe cryptography. The key will be updating quantum-vulnerable solutions in time, and that means understanding now which systems will be affected by quantum risk and planning a migration to potential quantum-safe security solutions that includes appropriate testing and piloting. The transition can begin with hybrid solutions that allow for agile cryptography implementations designed to augment the classical cryptography we use today.
So will there ever be an HTML6? Jaffe suggests that web payments might justify such a whole-number revision, to provide a consistent way of doing payments on the web. “If we were going to linearly call something HTML6, this might be it.” Although buying through the web is not new, the increased dominance of mobile web usage is causing people to abandon shopping carts because of the complexity—and may require a different approach baked into HTML itself. The W3C has a working group to explore this very issue. W3C also is working on Web Components, a framework to identify reusable website components, and Service Workers, to make it easier to run multiple functions inside a browser, featuring offline capabilities. Maybe they’ll justify a name change to HTML6.
WannaCry could have been much more devastating than it was — and it was very disruptive, affecting hospitals and other health services in disproportionate numbers — if not for a “kill switch” that the malware author included in the code. There are various schools of thought as to why this kill switch existed, but the consensus is that the author wanted a way to stop the malware from propagating. The method was to register an obscure web domain. As long as the domain didn’t resolve to anything, the malware would continue to propagate and infect vulnerable devices. But a security researcher discovered the kill switch and registered the domain, which stopped the malware. In the end, something like 200,000 devices (that we know of) were impacted.
Forget technology for a second, culture is arguably the biggest issue with security right now, and this has been the case for 20 years. CEOs think they won’t be targeted and citizens think much the same (i.e. it won’t happen to me). This complacency is misguided, as everyone is a target and a potential victim. Accordingly, this attitude can often result in poor security habits, with individuals and organizations treating, for example, password and Wi-Fi security not as seriously as they should. This is despite the fact that good cybersecurity can be achieved relatively easily, through good password hygiene, regular software updates, anti-virus and even password managers, VPNs and secure encrypted messaging apps.
There is a need to implement more automation around application security. This translates to embedding of security capabilities into the application code itself—referred to as Runtime Application Self-Protection (RASP). While a promising area of security technology, RASP solutions are emerging technologies as their effectiveness and impact on application performance are yet to be fully understood. On the other hand, the Web Application Firewall (WAF) remains a purpose-built application security tool. The more advanced WAFs leverage automation capabilities to improve security and streamline operations. WAFs are preferable because they offer automated policy generation, a feature that analyzes the protected application, generates granular protection rules and applies security policies.
“We are finding that a lot of companies are not aware of this requirement and face losing their government contracts,” said Tamara Wamsley, a strategist with Fastlane. “This issue could impact the success of many local companies, could result in lost jobs. This is a big deal.” “It’s not just for R&D (research and development firms),” Gillen said. “It’s for janitors, it’s for accountants.” “Anyone who has information classified by the government that needs to be protected,” said Shawn Walker, co-founder and vice president of Miamisburg-based Secure Cyber Defense LLC. Today, the rule affects only Department of Defense contractors. But Gillen said it will “almost certainly” expand to impact every federal contractor and sub-contractors, Gillen said. The rule is essentially a list of 110 requirements with which contractors must comply.
To protect IoT deployments, Cisco recommends that customers isolate the devices on network segments. Traditional segmentation using VLANS can become complicated at an IoT-deployment scale though, Cisco says. Cisco’s TrustSec platform that includes network segmentation capabilities. “The logical move is to segment these devices to put them out of attackers’ reach,” Cisco says. “If devices are compromised, organizations can prevent them from being used as pivot points to move through the network, and to activate incident response processes to protect the business.” IoT Threat Defense can detect anomalies in network traffic, block certain traffic and identify infected hosts. Cisco is targeting initial use cases in the medical, power utilities and automated manufacturing industries.
IE retains a sizable share -- Smith called it "a significant presence" -- largely because it's still required in most companies. "There are a lot of [enterprise] applications that only work in IE, because [those apps] use plug-ins," Smith said, ticking off examples like Adobe Flash, Java and Microsoft's own Silverlight. "Anything that requires an ActiveX control needs IE." Many businesses have adopted the two-prong strategy that Gartner and others began recommending years ago: Keep a "legacy" browser to handle older sites, services and web apps, but offer another for everything else. That approach lets employees access the old, but does not punish them with a creaky, sub-standard browser for general-purpose surfing. Under such a model, Internet Explorer has played, and continues to play, the legacy role.
A starting point is to understand that business and IT leaders must work in new, more collaborative ways to identify where value exists. IT must support the endeavor with an agile, flexible IT infrastructure that, among other things, taps clouds, mobility, APIs, artificial intelligence (AI), real-time connectivity and advanced analytics. Accenture's McNeil says that it's important to identify potential use cases before diving into an initiative. These often revolve around financial impact and cost drivers, but they may also touch on business opportunities and remapping processes, workflows and customer interactions to unlock untapped and previously hidden value. New and different thinking is paramount. "Oftentimes, it's really about experimenting with sensors and data inputs to see what makes sense for the business," McNeil explains.
Unit testing achieves several important business objectives: quality improvement, ability to test legacy code, developers stay up-to-date with the latest and greatest methodologies, and yes, good unit testing even increases developer motivation. Writing good unit tests that won't break on every single code change is not difficult and can be achieved easily by following a few simple practices: A unit test should not be dependent on environmental settings, other tests, order of execution or specific order of running. Running the same unit test 1000 times should return the same result. Using global state such as static variables, external data (i.e. registry, database) or environment settings may cause "leaks" between tests. The order of the test run should not affect the test result, and so make sure to properly initialize and clean each global state between test runs or avoid using it completely.
Quote for the day:
"Success. It's got enemies. You can be successful and have enemies or you can be unsuccessful and have friends." -- Dominic, American Gangster