Daily Tech Digest - August 20, 2020

11 penetration testing tools the pros use

Formerly known as BackTrack Linux and maintained by the good folks at Offensive Security (OffSec, the same folks who run the OSCP certification), Kali is optimized in every way for offensive use as a penetration tester. While you can run Kali on its own hardware, it's far more common to see pentesters using Kali virtual machines on OS X or Windows. Kali ships with most of the tools mentioned here and is the default pentesting operating system for most use cases. Be warned, though--Kali is optimized for offense, not defense, and is easily exploited in turn. Don't keep your super-duper extra secret files in your Kali VM. ... Why exploit when you can meta-sploit? This appropriately named meta-software is like a crossbow: Aim at your target, pick your exploit, select a payload, and fire. Indispensable for most pentesters, Metasploit automates vast amounts of previously tedious effort and is truly "the world's most used penetration testing framework," as its website trumpets. An open-source project with commercial support from Rapid7, Metasploit is a must-have for defenders to secure their systems from attackers.


The Role of Business Analysts in Agile

A few things that we as BA Managers need to be aware of include:

Understanding of the role - because of a BA’s ability to be a flexible, helpful and overall "fill-in-the-gaps" person, the role of the BA gets blurrier and blurrier. This is what makes it interesting and also so great when it comes to working within an agile team. Ultimately it also makes it complicated to explain to others, especially those unfamiliar with the role. If it is complicated to explain, it is easy for people to underestimate the value it brings, so make sure you are clear in your "pitch" of what your BAs do!

Being pigeonholed into the role - if you are a great BA, nobody wants to lose you so they will continue giving you BA work even if you want to go into something else like project management. It is key for those managing BAs to actively support their career aspirations even if they are outside of the discipline, and to lobby on their behalf.

Hitting an analysis complexity "ceiling" - if you are constantly with your team and helping them solve delivery problems, it is very hard to dedicate focused analysis time on upcoming large initiatives.


Cisco bug warning: Critical static password flaw in network appliances needs patching

The flaws reside in the Cisco Discovery Protocol, a Layer 2 or data link layer protocol in the Open Systems Interconnection (OSI) networking model. "An attacker could exploit these vulnerabilities by sending a malicious Cisco Discovery Protocol packet to the targeted IP camera," explains Cisco in the advisory for the flaws CVE-2020-3506 and CVE-2020-3507. "A successful exploit could allow the attacker to execute code on the affected IP camera or cause it to reload unexpectedly, resulting in a denial-of-service (DoS) condition." The Cisco cameras are vulnerable if they are running a firmware version earlier than 1.0.9-4 and have the Cisco Discovery Protocol enabled. Again, customers need to apply Cisco's update to protect the model because there's no workaround. This bug was reported to Cisco by Qian Chen of Qihoo 360 Nirvan Team. However, Cisco notes it is not aware of any malicious activity using this vulnerability. The second high-severity advisory concerns a privilege-escalation flaw affecting the Cisco Smart Software Manager On-Prem or SSM On-Prem. It's tracked as CVE-2020-3443 and has a severity score of 8.8 out of 10.


Fuzzing Services Help Push Technology into DevOps Pipeline

"Fuzzing by its very nature is this idea of automated continuous testing," he says. "There is not a lot of human input that is necessary to gain the benefits of fuzz testing in your environment. It's a good fit from the idea of automation and continuous testing, along with this idea of continuous development." Many companies are aiming to create agile software development processes, such as DevOps. Because this change often takes many iterative cycles, advanced testing methods are not usually given high priority. Fuzz testing, the automated process of submitting randomized or crafted inputs into the application, is one of these more complex techniques. Even within the pantheon of security technologies, fuzzing is often among the last adopted. Yet, 2020 may be the year that changes. Major providers and even frameworks have focused on making fuzzing easier, says David Haynes, a product security engineer at Cloudflare. "I think we are just getting started in terms of seeing fuzzing becoming a bit more mainstream, because the biggest factor hindering (its adoption) was available tooling," he says. "People accept that integration testing is needed, unit testing is needed, end-to-end testing is needed, and now, that fuzz testing is needed."


Why We Need Lens as a Kubernetes IDE

The current version of Lens vastly improves quality of life for developers and operators managing multiple clusters. It installs on Linux, Mac or Windows desktops, and lets you switch from cluster to cluster with a single click, providing metrics, organizing and exposing the state of everything running in the cluster, and letting you edit and apply changes quickly and with assurance. Lens can hide all the ephemeral complexity of setting up cluster access. It lets you add clusters manually by browsing to their kubeconfigs, and can automatically discover kubeconfig files on your local machine. You can manage local or remote clusters of virtually any flavor, on any infrastructure or cloud. You can also organize clusters into workgroups any way you like and interact with these subsets. This capability is great for DevOps and SREs managing dozens or hundreds of clusters or just helping to manage cluster sprawl. Lens installs whatever version of kubectl is required to manage each cluster, eliminating the need to manage multiple versions directly. It works entirely within the constraints each cluster’s role-based access control (RBAC) imposes on identity, so Lens users (and teams of users) can see and interact only with permitted resources.


Computer scientists create benchmarks to advance quantum computer performance

The computer scientists created a family of benchmark quantum circuits with known optimal depths or sizes. In computer design, the smaller the circuit depth, the faster a computation can be completed. Smaller circuits also imply more computation can be packed into the existing quantum computer. Quantum computer designers could use these benchmarks to improve design tools that could then find the best circuit design. “We believe in the ‘measure, then improve’ methodology,” said lead researcher Jason Cong, a Distinguished Chancellor’s Professor of Computer Science at UCLA Samueli School of Engineering. “Now that we have revealed the large optimality gap, we are on the way to develop better quantum compilation tools, and we hope the entire quantum research community will as well.” Cong and graduate student Daniel (Bochen) Tan tested their benchmarks in four of the most used quantum compilation tools. Tan and Cong have made the benchmarks, named QUEKO, open source and available on the software repository GitHub.


Starting strong when building your microservices team

We’re used to hearing the slogan ‘Go big or go home’, but businesses would do well to think small when developing microservices. Here, developing manageable and reusable components will enable companies, partners and customers to use individual microservices across an entire landscape of applications and industries. In doing so, businesses aren’t restricting themselves to siloed applications. In addition, driving success with microservices involves considerable planning to ensure that nothing is left out. After all, microservices-based architecture consists of many moving parts and so developers should be mindful to guarantee service interactions are seamless from start to finish. The pandemic has shone a spotlight on the role of digital transformation in building up crisis resilience. Consequently, businesses are turning en masse to digital and the market is evolving apace. However, as operational and business models shift, companies must be mindful to avoid becoming locked-in to cloud vendor technologies and platforms in such a rapidly changing market. When working with a cloud partner, implementing their platform and other solutions shouldn’t be a given – while such tools will likely work fine in their own cloud environment, companies should be wary of how they will operate elsewhere.


From Legacy to Intelligent ERP: A Blueprint for Digital Transformation

Today’s ERP configuration is for running today’s business. Most run in the data center and capture, manage, and report on all core business transactions. Tomorrow’s intelligent ERP goes far beyond this charter. If you want to be part of the team transforming the business, then you should understand the vision of where the company is targeting growth over the next several years. What markets, products, and services are the priorities? What operations need to scale? What improvements in workflows can free up cash or make financial forecasting more reliable? How can you empower employees, teams, and departments to work efficiently, safely, and effectively as some people return to the office and others work remotely? Intelligent ERPs not only centralize operational workflows and data from sales, marketing, finance, and operations. These ERPs also extend data capture, workflow, and analytics around prospects and customers and their experiences interacting with the business. When fully implemented, they enable a full 360-degree view of the customer across all areas of the company that interface with them from marketing to sales, through digital commerce, and from any customer support activities.


Researchers improve perception of robots with new hearing capabilities

Working out of the Robotics Institute at Carnegie Mellon University, Pinto, as well as fellow researchers Dhiraj Gandhi and Abhinav Gupta, presented their findings during the virtual Robotics: Science and Systems conference last month. The three started the project last June, according to a release from the university. "We present three key contributions in this paper: (a) we create the largest sound-action-vision robotics dataset; (b) we demonstrate that we can perform fine grained object recognition using only sound; and (c) we show that sound is indicative of action, both for post-interaction prediction, and pre-interaction forward modeling," they write in the study. "In some domains like forward model learning, we show that sound in fact provides more information than can be obtained from visual information alone." In the published study, the three researchers said sounds did help a robot differentiate between objects and predict the physical properties of new objects. They also found that hearing helped robots determine what type of action caused a particular sound. Robots using sound capabilities were able to successfully classify objects 76% of the time, according to Pinto and the study.


Running Axon Server in Docker and Kubernetes

“Breaking down the monolith” is the new motto, as we finally get driven home the message that gluttony is also a sin in application land. If we want to be able to change in step with our market, we need to increase our deployment speed, and just tacking on small incremental changes has proven to be a losing game. No, we need to reduce interdependencies, which ultimately also means we need to accept that too much intelligence in the interconnection layer worsens the problem rather than solving it, as it sprinkles business logic all over the architecture and keeps creating new dependencies. Martin Fowler phrased it as “Smart endpoints and dumb pipes”, and as we do this, we increase application components’ autonomy and you’ll notice the individual pieces can finally start to shrink. Microservices architecture is a consequence of an increasing drive towards business agility, and woe to those who try to reverse that relationship. Imposing Netflix’s architecture on your organization to kick-start a drive for Agile development can easily destroy your business.



Quote for the day:

"Leadership is like beauty; it's hard to define, but you know it when you see it." -- Warren Bennis
