Daily Tech Digest - December 11, 2020

5 signs your agile development process must change

Agile teams figure out fairly quickly that polluting a backlog with every idea, request, or technical issue makes it difficult for the product owner, scrum master, and team to work efficiently. If teams maintain a large backlog in their agile tools, they should use labels or tags to filter the near-term versus longer-term priorities. An even greater challenge is when teams adopt just-in-time planning and prioritize, write, review, and estimate user stories during the leading days to sprint start. It’s far more difficult to develop a shared understanding of the requirements under time pressure. Teams are less likely to consider architecture, operations, technical standards, and other best practices when there isn’t sufficient time dedicated to planning. What’s worse is that it’s hard to accommodate downstream business processes, such as training and change management if business stakeholders don’t know the target deliverables or medium-term roadmap. There are several best practices to plan backlogs, including continuous agile planning, Program Implement planning, and other quarterly planning practices. These practices help multiple agile teams brainstorm epics, break down features, confirm dependencies, and prioritize user story writing.

How to Align DevOps with Your PaaS Strategy

Some organizations are adopting a multi-PaaS strategy which typically takes the form of developing an application on one PaaS and deploying it to multiple public clouds. However, not all PaaS provide that capability. One reason to deploy to multiple clouds is increase application reliability. Despite SLAs, outages may occur from time to time. Alternatively, different applications may require the use of different PaaS because the PaaS services vary from vendor to vendor. However, more vendors mean more complexity to manage. "Tomorrow, your business transaction is going to be going over SaaS services provided by multiple vendors so I might have to orchestrate across multiple clouds, multiple vendors to complete my business transaction," said Chennapragada. "Tying myself [to] a vendor is going to constrain me from orchestrating, so our clients are thinking of a more cloud-agnostic, vendor-agnostic solution." One of the general concerns some organizations have is whether they have the expertise to manage everything themselves, which has led to a huge proliferation of managed service providers. That way, DevOps teams have more time to focus on product development and delivery. PaaS expertise can be difficult to find because PaaS skills are niche skills. 

Low Code: CIOs Talk Challenges and Potential

CIO viewpoints honestly differed. For example, CIO Milos Topic suggests “it is still early in experimentation in our environment, but it is mostly useful in automating and provisioning repetitive processes and modules. But it is essential to stress that low code doesn't mean hands off.” Meanwhile, CIO David Seidl says “the adoption is big because of the ability to make more responsive changes. The trade-off is interesting. The open question is: can you remove one of the cost layers (maintaining code) and trade it for business logic and platform maintenance? And how do you minimize platform maintenance and could cloud services help. The big question is: do we consider business logic code? It can be just as complex to build and debug complex business logic in a drag and drop as traditional code. So, you win on the UI/layout/integration components, but core code remains an open question.” However, CIO Deb Gildersleeve suggests that low code gives business users without technical coding expertise the tools to solve their problems. It takes the burden outside of IT but can be provided with guardrails for security governance.”

Security Think Tank: Integration between SIEM/SOAR is critical

Security operations teams will have a playbook which details the decisions and actions to be taken from detection to containment. This may suggest actions to be taken on detection of a suspicious event through escalation and possible responses. SOAR can automate this, taking autonomous decisions that support the investigation, drawing in threat intelligence and presenting the results to the analyst with recommendations for further action. The analyst can then select the appropriate action, which would be carried out automatically, or the whole process can be automated. For example, the detection of a possible command and control transmission could be followed up in accordance with the playbook to gather relevant threat intelligence and information on which hosts are involved and other related transmissions. The analyst would then be notified and given the option to block the transmissions and isolate the hosts involved. Once selected, the actions would be carried out automatically. Throughout the process, ticketing and collaboration tools would keep the team and relevant stakeholders informed and generate reports as required.

Low-Code To Become Commonplace in 2021

The citizen developer concept has been gathering marketing steam, but it might not be just hype. Now, data suggests low-code tools are actually opening doors for such non-developers. Seventy percent of companies said non-developers in their company already build tools for internal business use, and nearly 80% predict to see more of this trend in 2021. It should be noted that low-code and no-code do not seek to replace all engineering talent; instead, to free them up to engage in more complex tasks. “With low-code, you free up your engineers to work on harder problems, instead of having them work on basic things,” said Arisa Amano, CEO of Internal. She believes this could translate into more innovation companywide. Surprisingly, bringing non-traditional engineers into the development fold is not being met with ambivalence—69.2% of respondents foresee that citizen developers positively affect engineering teams, with the rest primarily exhibiting a neutral reaction. The costs of internal security threats are high. Breaches could decrease customer trust, harm brand reputation and lead to escalating legal fees. With cyberattacks a prevalent concern, cybersecurity must come back in style.

People want data privacy but don’t always know what they’re getting

In practice, differential privacy isn’t perfect. The randomization process must be calibrated carefully. Too much randomness will make the summary statistics inaccurate. Too little will leave people vulnerable to being identified. Also, if the randomization takes place after everyone’s unaltered data has been collected, as is common in some versions of differential privacy, hackers may still be able to get at the original data. When differential privacy was developed in 2006, it was mostly regarded as a theoretically interesting tool. In 2014, Google became the first company to start publicly using differential privacy for data collection. Since then, new systems using differential privacy have been deployed by Microsoft, Google and the U.S. Census Bureau. Apple uses it to power machine learning algorithms without needing to see your data, and Uber turned to it to make sure their internal data analysts can’t abuse their power. Differential privacy is often hailed as the solution to the online advertising industry’s privacy issues by allowing advertisers to learn how people respond to their ads without tracking individuals. But it’s not clear that people who are weighing whether to share their data have clear expectations about, or understand, differential privacy.

Widespread malware campaign seeks to silently inject ads into search results

The malware makes changes to certain browser extensions. On Google Chrome, the malware typically modifies “Chrome Media Router”, one of the browser’s default extensions, but we have seen it use different extensions. Each extension on Chromium-based browsers has a unique 32-character ID that users can use to locate the extension on machines or on the Chrome Web store. On Microsoft Edge and Yandex Browser, it uses IDs of legitimate extensions, such as “Radioplayer” to masquerade as legitimate. As it is rare for most of these extensions to be already installed on devices, it creates a new folder with this extension ID and stores malicious components in this folder. On Firefox, it appends a folder with a Globally Unique Identifier (GUID) to the browser extension. ... Despite targeting different extensions on each browser, the malware adds the same malicious scripts to these extensions. In some cases, the malware modifies the default extension by adding seven JavaScript files and one manifest.json file to the target extension’s file path. In other cases, it creates a new folder with the same malicious components. These malicious scripts connect to the attacker’s server to fetch additional scripts, which are responsible for injecting advertisements into search results.

Penetration Testing: A Road Map for Improving Outcomes

Traditional penetration testing is a core element of many organizations' cybersecurity efforts because it provides a reliable measurement of the organization's security and defense measures. However, because a client can classify assets as out of scope, the pen test may not give an accurate read on the organization's full security posture. Because the pen-testing approach, authorization process, and testing ranges are defined in advance, these assessments may not measure an organization's true ability to identify and act on suspicious activities and traffic. Ultimately, placing restrictions on a test's scope or duration can harm the tested organization. In the real world, neither time nor scope are of any consideration to attackers, meaning the results of such a test are not entirely reliable. Incorporating objective-oriented penetration testing can improve typical pen-testing systems and, in turn, enhance an organization's security posture and incident response, as well as limit their risk of exposure. The first step is to agree on attackers' likely objectives and a reasonable time frame. For example, consider ways attackers could access and compromise customer data or gain access to a high-security network or physical location. 

Facial recognition's fate could be decided in 2021

Several lawsuits filed in 2020 that could see resolution next year may also have an impact on facial recognition. Clearview AI is facing multiple lawsuits about its data collection. The company collected billions of public images from social networks including YouTube, Facebook and Twitter. All of those companies have sent a cease-and-desist letter to Clearview AI, but the company maintains that it has a First Amendment right to take these images. That argument is being challenged by Vermont's attorney general, the American Civil Liberties Union and two lawsuits in Illinois. Clearview AI didn't respond to requests for comment. The Clearview decision could play a role in facial recognition's future. The industry relies on hordes of images of people, which it gets in many ways. An NBC News report in 2019 called it a "dirty little secret" that millions of photos online have been getting collected without people's permission to train facial recognition algorithms. "We're likely to also see growing amounts of litigation against schools, businesses and other public accommodations under a new wave of biometric privacy laws, including New York City's forthcoming ban on commercial biometric surveillance," said the Surveillance Technology Oversight Project's Cahn.

Hacking Group Dropping Malware Via Facebook, Cloud Services

While the newly discovered DropBook backdoor uses fake Facebook accounts for its command-and-control operations, the report notes that both SharpStage and DropBook utilize Dropbox to exfiltrate the data stolen from their targets, as well as for storing espionage tools, according to the report. Once a device is compromised, the SharpStage backdoor can capture screenshots, check for Arabic language presence in the victims' device for precision targeting and download and execute additional components. DropBook, on the other hand, is used for reconnaissance and to deploy shell commands, the report notes. The attackers use MoleNet to collect system information from the compromised devices, communicate with the command-and-control servers and maintain persistence, according to the report. Besides the new backdoor components, researchers note the hackers deployed an open-source remote access Trojan called Quasar, which was previously linked to a Molerats campaign in 2017. Cybereason researchers note that once the DropBook malware is in the victims' devices, it begins its operation by fetching a token from a post on a fake Facebook account.

Quote for the day:

"Example has more followers than reason. We unconsciously imitate what pleases us, and approximate to the characters we most admire." -- Christian Nestell Bovee

No comments:

Post a Comment