Daily Tech Digest - August 01, 2019

Dealing with the Disconnect Between Developers and Security

Image: WrightStudio - Adobe Stock
Developers want to write secure code and catch vulnerabilities early on, Fletcher says, but they many not have the necessary skills or management support to focus on prioritizing security. “It is literally more work to do,” he says. There could be organizational challenges, for example, if development functions such as testing are handled in separate groups. Those different groups could have separate charters and mandates to adhere to. “They’re not necessarily working off of the same page at the data level,” Fletcher says. “It becomes difficult to create a symbiotic relationship needed to get to that DevSecOps nirvana.” The disparity is particularly pronounced given the pace of DevOps deployment, compared with non-DevOps software rollouts. The narrow window of time for delivery of DevOps applications can leave little room for security screening. Fletcher says continuous delivery and continuous integration, where DevOps applications are built and delivered in an ongoing basis, can mean deployment of code several times per day. That compares with non-DevOps generated applications that might be released quarterly or biannually.


How Blockchain-Based Digital Credentialing Impacts The World Of Work

uncaptioned
New technologies like blockchain, along with advancements in mobile security, have enabled Workday to imagine a new form of digital credential—one that puts individuals in control of their data, and is portable, authentic, and secure. As credentials are issued by organizations and educational institutions, held by individuals, and shared with employers or prospective employers that need to verify them, blockchain provides a common trust layer, allowing each of these parties to independently verify their authenticity. As the common source of verification, blockchain enables data to move between parties, and its distributed ledger can prove that the data has not been modified and the credentials are still valid. This kind of credential creates a transparent, trustworthy, and reliable source of truth that is instantly authentic once shared. We are also taking this blockchain application one step further with our approach to openness. Technology is most powerful when it’s open and interoperable, and this is especially the case with blockchain.



5G enthusiasm abounds from tech CEOs: Is it warranted?


The enthusiasm about 5G is flowing out of earnings conference calls. The big question is whether it is justified. Aside from carriers touting their 5G build out, Qualcomm CEO Steve Mollenkopf said 5G will be deployed and with devices faster than expected. He said: We now have over one hundred fifty 5G designs launched or in-development using our 5G chipsets. In addition to core chipsets, virtually all our 5G design wins are powered by our complete RF Front-End solutions for 5G Sub6 and / or millimeter wave. By the first calendar quarter of 2020, we anticipate reaching the inflection point as our financial results begin to reflect the benefits of our substantial efforts over the years in to bring 5G to the market worldwide. Qualcomm's take revolves around China ramping 5G commercial service and US carriers all on track with nationwide 5G coverage by mid-2020. There will be more operators and devices launching with 5G relative to 4G in the same time frame, according Qualcomm. Samsung's conference call was also bullish on 5G. Samsung has multiple ways to play 5G with smartphones, networking gear, memory and chips that'll benefit. 


Hacking security alert issued for small planes, DHS warns modern flight systems are 'exploitable'


A security alert was issued by federal officials Tuesday focusing on small planes after authorities voiced concerns that modern flight systems are vulnerable to hacking in the event a malicious actor is able to gain physical access to the aircraft. The alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said that a security flaw of open electronics systems known as "the CAN bus" was discovered by a Boston-based cybersecurity company and reported to the federal government, which found the systems are "exploitable." "An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment," CISA said in its alert. "The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot." Most airports have security officers in place to restrict unauthorized access.


Podcast: 'Know thy user' a key tenet of modern IT design


The first thing you have to do is know who your user is. If you don't know that, then any design work is going to fall short. And now the design work that systems at IT companies are delivering is not only delivered toward IT but also different contingents within their businesses. It might be developers who are in a LOB trying to create the next service or business application that enables their business to be successful. Again, if we look back, the CIO or leaders in IT in the past would have chosen a given platform, whether a database to standardize on or an application server. Nowadays, that's not what happens. Instead, the LOBs have choices. If they want to consume an open source project or use a service that someone else created, they have that choice. Now IT is in the position of having to provide a service that is on par, able to move quickly and efficiently, and meets the needs of developers and LOBs. And that's why it's so important for design to expand the users we are targeting.


A Realistic Path Forward for Security Orchestration and Automation


The idea of security orchestration and automation is itself "the shiny new thing on the block," Cavey says. However, investing in more technology to solve the problem of disparate tools not working in orchestration is not a silver bullet. Keeping infrastructure and data secure across the entire organization requires staffing, which is one reason why Cavey says he anticipates a number of failed implementations on the horizon. Many companies have unrealistic motivations when they are investing in these platforms, he says.  Those motivations are coming from the pain points an organization is feeling, according to Cavey: "There's incredible pressure coming down from the board for these security teams to be able to say, 'Tell us you have this; tell us we are in good shape. We have an interest in IT security and knowing that we as a company are not going to be the next headline.'" Take data loss prevention (DLP), for example. When introduced nearly a decade ago, DLP's promise to the average CISO was its implementation would protect data and prevent it from being stolen, Cavey explains.


Intent-Based Networking (IBN): Bridging the gap on network complexity

Network World - Insider Exclusive [Winter 2018] - Intent-Based Networking [IBN] - cover art
Undoubtedly, we need new tools, not just from the physical device’s perspective, but also from the traffic’s perspective. Verifying the manual way will not work anymore. We have 100s of bits in the packet, meaning the traffic could be performing numerous talks at one time. Hence, tracking the end-to-end flow is impossible using the human approach. When it comes to provisioning, CLI is the most common method used to make configuration changes. But it has many drawbacks. Firstly, it offers the wrong level of abstraction. It targets the human operator and there is no validation whether the engineers will follow the correct procedures. Also, the CLI languages are not standardized across multi-vendors. The industry reacted and introduced NETCONF. However, NETCONF has many inconsistencies across the vendor operating systems. Many use their own proprietary format, making it hard to write NETCONF applications across multiple vendor networks. NETCONF was basically meant to make the automation easy but in reality, the irregularities it presented actually made the automation even more difficult.


Learning lessons from the unicorns: the tech phenomena

Learning lessons from the unicorns: the tech phenomena image
In the UK, 17 companies have attained unicorn status to date. These include the digital bank, Monzo, which recently reached a milestone of 2 million customers and is launching in the US, and food delivery start-up, Deliveroo, which raised £452 million in a funding round last year and is currently valued at more than £1.5 billion. For private tech companies, an IPO strategy could be an attractive proposition, potentially delivering the funding boost needed to take the business into new markets or allow it to innovate and/or diversify its product or service offering. Instead of focusing purely on financial data to support the move, ambitious businesses pursuing this strategy might seek to emulate the unicorns by concentrating on developing a compelling growth story, based on metrics about user numbers and preferences or rapid take up in a new market. Of course, a clear business plan, which sets out where profits will come from in the future is also essential. Ambitious, fast-growing businesses are among those most likely to consider an IPO. 


15 signs you've been hacked -- and how to fight back

hacked computer security symbol   hacked rot
The best protection is to make sure you have good, reliable, tested, offlinebackups. Ransomware is gaining sophistication. The bad guys using malware are spending time in compromised enterprise environments figuring how to do the most damage, and that includes encrypting or corrupting your recent online backups. You are taking a risk if you don’t have good, tested, backups that are inaccessible to malicious intruders. If you belong to a file storage cloud service, it probably has backup copies of your data. Don’t be overly confident. Not all cloud storage services have the ability to recover from ransomware attacks, and some services don’t cover all file types. Consider contacting your cloud-based file service and explain your situation. Sometimes tech support can recover your files, and more of them, than you can yourself. Lastly, several websites may be able to help you recover your files without paying the ransom. Either they’ve figured out the shared secret encryption key or some other way to reverse-engineer the ransomware. You will need to identify the ransomware program and version you are facing.


BizDevOps tools await enterprise maturity


Splunk execs also firmly believe BizDevOps is where the market is headed, but said a majority of enterprise customers still struggle with it. "Many of our customers still deal with disjointed teams -- it's like DevSecOps, it's heading in that direction, but [BizDevOps] is probably not as close [to widespread adoption] as IT and security," said Tim Tully, CTO of Splunk. "The business side has to become more agile. People are seeing convergence in IT, and the world is evolving, and business has to evolve along with it." IT experts that consult with enterprise clients, however, said that evolution has been very slow so far. "We see organizations that want to close the gap between the IT perspective and business perspective of products. But that means addressing not just features, but defects, risks and debt, and what we see is companies double down on CI/CD" said Carmen DeArdo



Quote for the day:


"Great leaders go forward without stopping, remain firm without tiring and remain enthusiastic while growing" -- Reed Markham


No comments:

Post a Comment