Daily Tech Digest - September 01, 2021

Top 3 API Vulnerabilities: Why Apps are Pwned by Cyberattackers

2021 is already the year of the API security incident, and the year is not over. API flaws impact the entire business – not just dev, or security or the business groups. Finger-pointing has never fixed the problem. The fix begins with collaboration; development needs a full understanding from business groups on how the API should function. API coding is different, so a refresh on secure coding practices is warranted. And security needs to be involved upfront, to help uncover gaps before publication. A great place to start is with the OWASP. It has published the API Security Top 10 and recently published the Completely Ridiculous API, which includes examples of bad APIs in an application. Organizations can use the Completely Ridiculous API online or in-house as an educational platform to train development and security on the errors to avoid when utilizing APIs. Whether you are utilizing an “API-first approach” or just starting your journey into digital transformation aided by APIs, knowing the vulnerabilities that are out there and what might happen if something is missed, is crucial.


How Tech Leaders Can Leverage Their Mentoring and Teaching with Coaching

Putting the focus on the other person means that we are encouraging them to do all of the work of coming up with a solution. We refrain from asking information gathering questions and instead ask questions that will help them solve the problem on their own. After all, anything that they have an answer to ... they already know! We want to help them make new connections in order to come up with new ideas that they didn’t have when they started talking to us. We also refrain from sharing our thoughts and opinions until they ask us for them directly or it is clear that they could benefit from some information that we have that they don’t. To aid in this, consider saying something early on in your conversation like, "I’m going to put my coaching hat on. I’m happy to share my expertise with you, but prefer to explore a bit first. If we get to the point where you really want to know my thoughts or I think of something that may be helpful to share, I can switch to my ‘expert’ hat."


All About Waymo’s AI-Powered Urban Driver

Waymo’s driving software is based on years of AI research, their Waymo Open Dataset Initiative, and research team Google Brain. The engineers working at Waymo operate in coordination with the Google Brain team to apply deep nets to the car’s pedestrian detection system. The team has created a robust, generalisable tech stack based on their operation in multiple environments and cities. The Waymo Driver has learnt to behave assertively and merge into traffic based on this experience. Waymo has invested in creating training softwares for the Waymo Driver. The Simulation City is software to test the autonomous vehicles and assess their performance for the cities Waymo is present in. It creates realistic conditions like spring showers, solar glare, or dimming light for the technology to experience; the researchers further learn from the system’s reactions. ... The Waymo Driver itself is trained with a highly nuanced understanding of city roads with driving experience of more than 20 million miles on public roads and 20 million miles in simulation. It can adapt to the local driving conditions accurately, given this training. 


Security engineer job requirements, certifications, and salary

IT has traditionally been a field that values skills over paper credentials—we all know the stories of tech pioneers who dropped out of high school—but that's changed over the years as the industry has become more professionalized. That said, most hiring managers do value experience and demonstrated skills, and if you can put together that sort of resume, that can help make up for a non-technical undergraduate degree. At any rate, nobody would make an immediate leap from college to a security engineer gig; you would need to pass through an introductory phase of your career first, possibly as a security analyst. One way to signal to your employer or potential future employers that you're ready to advance to a security engineer job is by pursuing some relevant formal certifications. ... One thing to keep in mind is that, while this is a tech job, it's not a job that's limited to the tech industry: just about every company that's larger than a handful of people, in every sector, needs security engineers. Government agencies and financial institutions in particular have a great need for security engineers, but you could also find yourself working in manufacturing or retail as well.


Why should I choose Quarkus over Spring for my microservices?

Quarkus can automatically detect changes made to Java and other resource and configuration files, then transparently re-compile and re-deploy the changes. Usually, within a second, you can view your application’s output or compiler error messages. This feature can also be used with Quarkus applications running in a remote environment. The remote capability is useful where rapid development or prototyping is needed but provisioning services in a local environment isn’t feasible or possible. Quarkus takes this concept a step further with its continuous testing feature to facilitate test-driven development. As changes are made to the application source code, Quarkus can automatically rerun affected tests in the background, giving developers instant feedback about the code they are writing or modifying. ... From the beginning, Quarkus was designed around Kubernetes-native philosophies, optimizing for low memory usage and fast startup times. As much processing as possible is done at build time. Classes used only at application startup are invoked at build time and not loaded into the runtime JVM, reducing the size, and ultimately the memory footprint, of the application running on the JVM.


Sustainable transformation of agriculture with the Internet of Things

With the urgency to prevent environmental degradation, reduce waste and increase profitability, farmers around the globe are increasingly opting for more efficient crop management solutions supported by optimization and controlling technologies derived from the Industrial Internet of Things (IIoT). Intelligent information and communication technologies (IICT) (machine Learning (ML), AI, IoT, cloud-based analytics, actuators, and sensors) are being implemented to achieve higher control of spatial and temporal variabilities with the aid of satellite remote sensing. The use and application of this set of related technologies are known as “Smart Agriculture.” In SA, real-time and continuous monitoring of weather, crop growth, plant physical/chemical variables, and other critical environmental factors allow the optimization of yield production, reduction of labor, and improvement of farming products. Practices such as irrigation management, resource management, production, or fertilization operations are being facilitated by integrating IoT systems capable of providing information about multiple crop factors.


Mainframes, ML and digital transformation

Moving from mainframes to client-server didn't just mean you went from renting one kind of box to buying another - it changed the whole way that computing worked. In particular, software became a separate business, and there were all sorts of new companies selling you new kinds of software, some of which solved existing problems but some of which changed how a company could operate. SAP made just-in-time supply chains a lot easier, and that enabled Zara, and Tim Cook’s Apple. New categories of software enabled new ways of doing business. The same shift is happening now, as companies move to the cloud - you go from owning boxes to renting them (perhaps), but more importantly you change what kinds of software you can use. If buying software means a URL, a login and a corporate credit card instead of getting onto the global IT department’s datacenter deployment schedule for sometime in the next three years, then you can have a lot more software from a lot more companies.


What’s next for data privacy in the UK?

Since the implementation of GDPR, there has been a surge in recruitment for roles like ‘head of data governance and privacy’. It’s time to seize this momentum and move to the next milestone – let’s call it GDPR+. GDPR+ needs to answer the question of how we protect and use data within the country and cross-border. Ideally, we need a Data Privacy Act and a cross-party overseer of the whole process whose remit spans all government departments – a kind of ‘data privacy czar’. Ideally this would be an individual with a strong background in data. The question that needs to be answered is how do we ensure businesses align their practices with any new regulation and handle data responsibly rather than selling it for their own gain? Data fiduciaries could be part of the solution; third-party organisations who are given the legal right to handle private data. But it needs to be a non-political government-funded third party. It’s most likely that the government would outsource any enforcement, but it’s pertinent to ask whether a private company would have the best interests of individual citizens.


Why you want what you want

Great marketers are certainly masters of mimetic manipulation. Burgis points to Edward Bernays, the public relations pioneer, as a prime example. In 1929, when the American Tobacco Company realized that breaking the taboo against women smoking in public could generate beaucoup revenue, it hired Bernays’s firm. He convinced 30 New York City debutantes to join the Easter parade and light up Lucky Strikes—and arranged to have them photographed. The next day, the photos of the debs smoking their “torches of freedom” appeared in newspapers across the country. Sales of Lucky Strikes tripled by the following Easter. ... Much of Wanting is devoted to translating and illustrating Girard’s theories in a consumable way, and Burgis does a fine job at that task. The book’s most salient point, even if it is somewhat opaque, is that leaders choose to pursue what Burgis calls transcendent desire: “Magnanimous, great-spirited leaders are driven by transcendent desire—desire that leads outward, beyond the existing paradigm, because the models are external mediators of desire. These leaders expand everyone’s universe of desire and help them explore it.”


Getting ahead of a major blind spot for CISOs: Third-party risk

As the industry has seen firsthand, even mature and well-established enterprise security teams have a lack of visibility into network hygiene of their branches, offices and contractors abroad due to varying security policies and protocols, management hierarchy and known pain points in franchised-based businesses. The same is applicable to their supply chain, where the level of network hygiene is typically a “black box” or something the third-party is simply not willing to discuss. Acquisition of the quantitative, historical and the most recent indicators of compromise is a vital component of TPRM, providing enterprise organizations actionable information to determine if a counterpart may be compromised with malware and what service may be potentially breached by it. This knowledge enables CISOs to make strategic and tactical decisions, as well as to communicate with other teams, including those responsible for vendor management and supply chain and the organization’s legal team.



Quote for the day:

"Leadership is an ever-evolving position." -- Mike Krzyzewski

No comments:

Post a Comment