Daily Tech Digest - August 11, 2021

Solving 3 Pervasive Enterprise Continuous Testing Challenges

A primary goal of continuous testing is to determine if a release candidate is ready for production. As described above, you absolutely need to ensure that the changes in each release don’t break existing functionality. But you also need to test the new functionality to ensure that it works and meets expectations. Making the ultimate go/no-go release decision can be a bit of a guessing game when different teams are responsible for different components and layers of the application: the browser interface, the mobile experience, the various packaged apps at work behind the scenes (SAP, Salesforce, ServiceNow), and all the microservices, APIs and integration platforms that are probably gluing it all together. They’re likely developing new functionality at different cadences and testing their parts in different ways, using different testing practices and different tools. But the user doesn’t make those distinctions. They expect it all to just work, flawlessly. Mo√ęt Hennessy-Louis Vuitton (LVMH), the parent company behind luxury brands such as Christian Dior, TAG Heuer and Dom Perignon, recently decided to streamline its testing process to support ambitious plans for e-commerce growth.

Mind Over Matter: Revamping Security Awareness With Psychology

It's clear that traditional approaches to cybersecurity training have failed. From mistakenly disclosing account information to falling for phishing attacks, time and time again, an organization's sensitive data often leaks through legitimate channels with a worker's unknowing help — demonstrating that cybersecurity is increasingly a behavioral challenge. Instead of clinging onto measures that have repeatedly proven to be ineffective at safeguarding organizations, security leaders must redesign cybersecurity awareness with the human mind at the forefront. For that, we must turn to basic principles of psychology so we can better understand human behavior — and how we can positively influence it. While it's nearly impossible to unlearn these biases, we can improve our employees' understanding of cognitive biases to make it easier to identify and mitigate the impact of psychologically powered cyberattacks — and ultimately facilitate changes in individual cybersecurity behavior. 

Chaos Malware Walks Line Between Ransomware and Wiper

Chaos became more ransomware-ish with version 3.0, when it added encryption to the mix. This sample had the ability to encrypt files under 1 MB using AES/RSA encryption, and featured a decryptor-builder, according to the researcher. Then, in early August, the fourth iteration of Chaos appeared on the forum, with an expansion of the AES/RSA encryption feature. Now, files up to 2MB in size can be encrypted. And, operators can append encrypted files with their own proprietary extensions, like other ransomwares, according to the analysis. It also offers the ability to change the desktop wallpaper of their victims. Ransomware has been on the rise so far in 2021, with global attack volume increasing by 151 percent for the first six months of the year as compared with the year-ago half, according to a recent report. Meanwhile, the FBI has warned that there are now 100 different strains circulating around the world. The most-deployed ransomware in the wild is Ryuk, the report found, which could account for why the Chaos authors attempted to ride its coattails.

Cybersecurity is hands-on learning, but everyone must be on the same page

Most times, we see that cybersecurity “budget” is spread throughout so many other budgets throughout a company or organization. It isn’t owned within a cybersecurity group. This leads to separate strategies, goals, and implementations of cybersecurity thus really wasting that budget entirely. The larger problem of having no cybersecurity budget because “we’ve never had an incident” or “we aren’t a big enough target” is one that many will regret when it is too late. Everything and I mean everything is largely reliant on the internet these days. I challenge companies to start thinking about their most valuable assets, those assets that if they were to disappear or be messed up they would likely have no company. I can guarantee that most of those assets sit on a computer system somewhere. May that be a water system, the grid, a chemical formula, a shopping system, cloud infrastructure, data feeds, medical records, personal records, etc. Look at the cybersecurity budget as one would for regular home maintenance. 

Agile or Waterfall, which method should project developers adopt?

The IT and software industry was amongst the firsts to adopt this approach as often the end objectives (what their customer wants) keep changing and the flexibility afforded by the agile methodology is welcomed. With the successes achieved in various projects, eulogies have been overflowing for the agile method. With almost every industry evolving fast, gross uncertainties, and if the product under development is late to the market, the calls to adopt agile grow. It is impossible, on any given day, to not come across some article that attempts to show how agile can be adopted in yet another industry. The traditional approach adopted by most industries has been the waterfall method where the objective of the project is known in advance and the project progresses through identified stage gates. ... There is a plethora of reasons: new products, new processes, change in businesses, and so on. The decision on whether to proceed with a waterfall or agile method is more seen in product development projects where a company plans to enter a market with a product but may need to change track midway if market needs and expectations change.

Improving Testability: Removing Anti-patterns through Joint Conversations

There are many code patterns and anti-patterns that we know are good (and bad) for developers. Usually we look at them in terms of maintainability. But they have an impact on testability as well. Let’s start with an easy one. Let’s say we have a service that’s calling a database. Now, if the database properties are hard-wired into the code, every developer will tell you that’s a bad thing, because you can’t replace the database with an equivalent. In a testing scenario we might want to call a mock or local database, and hard coding a connection will impact our ability to either run the code completely, or call another one. In what we call pluggable architecture it’s easy to do this, but the code needs to be written like that in the first place. That’s a win for both testers and developers. In fact, many clean code practices and patterns improve both code maintainability and testability. Now let’s take a look at another aspect of pluggability. Our service now calls three other services and two databases. But we’re not interested in checking the whole integration.

OpenAI can translate English into code with its new machine learning software Codex

Of course, while Codex sounds extremely exciting, it’s difficult to judge the full scope of its capabilities before real programmers have got to grips with it. I’m no coder myself, but I did see Codex in action and have a few thoughts on the software. OpenAI’s Brockman and Codex lead Wojciech Zaremba demonstrated the program to me online, using Codex to first create a simple website and then a rudimentary game. In the game demo, Brockman found a silhouette of a person on Google Images then told Codex to “add this image of a person from the page” before pasting in the URL. The silhouette appeared on-screen and Brockman then modified its size (“make the person a bit bigger”) before making it controllable (“now make it controllable with the left and right arrow keys”). It all worked very smoothly. The figure started shuffling around the screen, but we soon ran into a problem: it kept disappearing off-screen. To stop this, Brockman gave the computer an additional instruction: “Constantly check if the person is off the page and put it back on the page if so.” This stopped it from moving out of sight, but I was curious how precise these instructions need to be.

Is Automation an Existential Threat to Developers?

“Initially, AI will augment developers, but eventually, it will replace some of them. ML/DL/AI can automate repetitive tasks, catch and correct errors, and vastly reduce the time needed to create a viable project,” says Rob Enderle, principal analyst at technology research firm Enderle Group. “These changes will significantly increase productivity, reducing much of the need for developers on a given project.” Meanwhile, automating tasks has been becoming easier to do than it once was. While automation scripting isn't a lost art, there are more tools available now that don't require it. In the case of software testing, there's even a name for it: “codeless test automation.” ... So, AI isn't an existential threat to developers, at least yet. Bear in mind that today's AI capabilities will not be the same as tomorrow's AI capabilities. The line in the sand between what developers do and what AI does will evolve over time. “DevOps skill requirements are so high that I don't see anything people are worried about. DevOps automation is the best example of that human plus machine augmentation,” says Rajendra Prasad

Six steps to stop manufacturers becoming the next ransomware headline

Many IoT components in use today do not have security resilience built into them, leaving even well-configured environments vulnerable and in need of additional protections. Cyber criminals have recognised both this weakness, and the lucrative opportunity presented by targeting manufacturers. In particular, the industry is highly vulnerable to disruptive attacks such as ransomware. An infection can quickly lead to an entire operation grinding to a halt as systems become inaccessible or are shut down in a bid to halt the spread. Criminals know that every minute of shutdown is painfully expensive for their victims, and manufacturers will be sorely tempted to pay the ransom. Such attacks have serious knock-on effects as entire supply chains are disrupted by resulting shortages. In May, a ransomware attack on US meatpacking company JBS shutdown all of its plants, cutting off the source of almost a quarter of the country’s beef. In another recent case, Palfinger, an Australian company specialising in hydraulic systems and loaders, was hit by a major ransomware attack that took down its IT systems across the world.

Stateful Workloads on Kubernetes with Container Attached Storage

Before the advent of Container Attached Storage, developers working with Kubernetes had to get creative with workarounds in order to handle stateful applications, according to Evans. “Developers have needed to rely on scripts and other home-developed automation that can be used to track the location of data,” Evans told The New Stack. “These solutions aren’t scalable and [are] subject to errors — and ultimately, data loss. Some CAS-type functionality can be achieved using external storage arrays, but the biggest difficulty is mapping the application to the external storage. “The only other alternative is to lock an application to a node, which defeats the purpose of scale-out resiliency.” When building at scale, these workarounds can significantly hinder developer velocity. To meet the needs of developers working with Kubernetes at scale, the CAS field has grown to include tools from PortWorx, Rancher, Robin, Rook, StorageOS and MayaData. OpenEBS, an open source CAS tool introduced by MayaData, has been a Cloud Native Computing Foundation (CNCF) sandbox project for two years.

Quote for the day:

"Little value comes out of the belief that people will respond progressively better by treating them progressively worse." -- Eric Harvey

No comments:

Post a Comment