Daily Tech Digest - October 29, 2021

How to become an entrepreneurial engineer and create your own career path

"To be a successful entrepreneurial engineer, you must wear two hats: one with a deep technical focus and the other focused on the goals of the business," said Loren Goodman, CTO and co-founder of InRule Technology. "This allows you to make decisions in real-time leveraging your understanding of diminishing returns on both fronts. The why, the what and the how are traditionally separated, and small changes to any part can have exaggerated effects on the others. You bring this thinking together—for example, knowing that a feature can be done in a fraction of the time if a small part was removed from scope and also knowing that that part is not core to the business need." Goodman stressed that entrepreneurial engineers must be curious about the bigger picture and be unafraid to take on challenging problems. They must also be success-focused, with a relentless passion for achieving the best solution to difficult problems, no matter how unrealistic things might seem. Finally, he said, a successful entrepreneurial engineer must be scrappy: "You are going to have to be comfortable working without all the necessary resources for a long time while still staying focused on your objectives."

Forensic Monitoring of Blockchains Is Key for Broader Industry Adoption

In the event that an adversary corrupts more than 1/3 of the master nodes in the BFT committee of any given epoch, it is then technically possible for said adversary to violate the safety and jeopardize the consensus by creating forks, resulting in two or more finalized blockchains. However, certain messages would need to be signed and sent by these nodes to make this happen, which can then be detected by the system immediately after a fork with a length of only one appears. The signed messages can then be used as irrefutable proof of the misbehavior. Those messages are embedded into the blockchain and can be obtained by querying master nodes for forked blockchains. This is what enables the forensic monitoring feature, which can identify as many Byzantine master nodes as possible, all while obtaining the proof from querying as few witnesses as possible. For example, two separate honest nodes, each having access to one of the two conflicting blockchains respectively, is sufficient for the proof.

Infrastructure-as-Code: 6 Best Practices for Securing Applications

Research from security platform provider Snyk reveals that many companies are only starting out on their IaC journey, with 63% just beginning to explore the technology and only 7% stating they’ve implemented IaC to meet current industry standards. And with this practice comes changes in responsibility: IaC further extends developers’ responsibility to include securing their code and infrastructure. Misconfigurations can easily introduce security risks if best practices are not followed. In fact, according to Gartner, “70% of attacks against containers will be from known vulnerabilities and misconfigurations that could have been remediated.” Often, security trails behind the usage of IaC, resulting in configuration issues that are only detected after applications are deployed. That doesn’t have to be the case. In fact, the best way to ensure every configuration is secure, while still benefiting from the speed and repeatability of IaC, is to build security testing for IaC into developers’ workflows, the same as other forms of code.

The shift from DevOps and security to DevSecOps: 5 key roadblocks

There is DevOps plus security, and then there’s DevSecOps. What’s the difference? In the first case, security is a third wheel. In the second, it’s the third leg of the stool—an integral part of the system that’s almost unnoticeable unless or until it disappears. Indeed, to be effective, security must be everywhere—throughout the pipeline used to build and deploy as well as the runtime environment. In the DevSecOps model, security is a shared responsibility for development, security and operations teams and throughout the entire IT lifecycle. However, many organizations are challenged to integrate, rather than just tack on, security measures. This is a huge issue when a company’s own security is at stake, but an increasing number of attacks on the software supply chain is leaving tens, hundreds, even thousands of organizations vulnerable. There are many granular recommendations for achieving DevSecOps. Here are the bigger-picture issues that your organization must address to move beyond security as an afterthought.

Agile Architecture - What Is It?

From the definition, the two very important terms emerge including, Emerging Design and Intentional Architecture. Emergent Design is the process of analyzing and extending the architecture just enough to implement and validate the next increment in the development cycle. Intentional Architecture is about seeing the big picture. Large corporations need to simultaneously respond to new business challenges with large-scale architectural initiatives. On large scale we can understand that to meet the business objective, multiple teams, products, and systems will be involved. In this case, Emergent Design is not enough as it is circumscribed in a single team. Without Intentional Architecture, we can have several problems such as difficulty integrating, validate and maintaining the fulfillment of non-functional system requirements, low reuse, redundancy of solutions, etc. The intentional architecture will give the teams a common objective/destination to be reached, allowing the alignment of efforts and the parallelization of the work of independent teams. In other words, it will be the guiding track, the glue between the teams' work.

NRA Reportedly Hit By Russia-Linked Ransomware Attack

The NRA did not immediately respond to Information Security Media Group's request for comment. But Andrew Arulanandam, managing director of public affairs for the NRA, took to Twitter to say: "NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations - and is vigilant in doing so." Allan Liska, a ransomware analyst at the cybersecurity firm Recorded Future, told NBC that Grief is "the same group" as Evil Corp. The news outlet verified that the information in the leaked files includes grant proposal forms, names of recent grant recipients, an email sent to a grant winner, a federal W-9 form and minutes from the organization's virtual meeting in September. Sam Curry, CSO of Cybereason, tells ISMG, "It's unlikely this is a strategic attack, but time will tell. The way it would be strategic is to further divide the left from the right in the U.S. … The most likely scenario is that it's motivated by greed, and it has the potential to inadvertently explode politically. The next move is in the NRA's hands."

Is the Indian SaaS Story Overhyped?

Experts watching the SaaS space opine that after Freshworks recent listing, global perception towards Indian SaaS companies has changed. Last month, Freshworks became the first Indian software maker to list on Nasdaq. “SaaS companies in India are gaining acceptance and attention from investors. Initially, investors were slow due to the nature of revenue which is a money sucker but as the customer base grew with a lower drop, the revenue started to look good. Things have changed a lot after Postman and Freshworks. Indian SaaS companies are now seriously looked at as potential unicorns,” said Anil Joshi, managing partner, Unicorn India Ventures. The SaaS ecosystem is relatively nascent in India and is led by players such as Freshworks, Capillary, Eka, etc., said Anurag Ramdasan, partner, 3one4 Capital. “While there are double-digit unicorns in Indian SaaS today, it’s still a very early ecosystem and we are seeing a lot of innovative SaaS in the seed to series A stage in India,” he said. Many companies that have become soonicorns and unicorns have great consumer stories and investors today look at India as a huge consumer story.

How do I select an SD-WAN solution for my business?

Network security is also gaining greater importance as cyber-security threats multiply, leading to cloud-based security techniques converging with SD-WAN in the SASE framework. But the transition to these technologies can be challenging, with significant support required from the SD-WAN partner. Therefore, enterprises need to evaluate SD-WAN providers based on three principal criteria. First, does the provider’s network reach align with the enterprise’s geographic locations and does the provider offer a Tier 1 IP backbone to realize the full performance advantages of SD-WAN? Second, does the provider offer a managed SD-WAN, including local internet or MPLS access, with end-to-end delivery, technical implementation support, and service assurance to help manage complexity? Third, does the provider have a clear SASE roadmap integral to its SD-WAN vision? This includes services like zero-trust network access (ZTNA) and cloud access security broker (CASB) for remote workers and cloud firewall and secure web gateway (SWG) to support the branch level.

The Rise of Event-Driven Architecture

In the REST framework, an API isn’t aware of the state of objects. The client queries the API to find out the state, and the role of the API is to respond to the client with the information. However, with an event-driven API, a client can subscribe to the API, effectively instructing it to monitor the state of objects and report back with real-time updates. Therefore, behavior shifts from stateless handling of repeatable, independent requests to stateful awareness of the virtual objects modeled on real-world operations. Event-driven APIs are a great way to meet the demands of modern end-users who expect customized and instantaneous access to information. Applying these APIs is easy to do in one-off, bespoke environments. However, things get more complicated when you need to offer this level of service at scale, and not every enterprise is ready to handle that level of complexity. To avoid amassing significant technical debt, organizations and developers should offload this complexity to a third party with the capabilities to synchronize digital experiences in real-time and at scale.

We Are Testing Software Incorrectly and It's Costly

The tests you write are tightly coupled to the underlying design of your code. Design is constantly evolving. You now not only have to refactor the designs of your production code — you have to change your tests, too! In other words, your tests should help you with the refactoring, giving confidence, but instead, it is only making you work harder and it's giving no confidence of things still working correctly. I will not even mention the mock hell for brevity (please Google about it). But instead of abandoning refactoring or unit tests, all you need to do is free yourself from the mistaken definition of "unit testing." Focus on testing behaviors! Instead of writing unit tests for every public method of every class, write unit tests for every component (i.e., user, product, order, etc.), covering every behavior of each component and focusing on the public interface of the unit. To achieve that, you will need to learn how to structure your code properly. Please don't package your code by technical concerns (controllers, services, repositories, etc.). Senior devs structure their code by domain.

Quote for the day:

"The world's greatest achievers have been those who have always stayed focussed on their goals and have been consistent in their efforts." -- Roopleen

No comments:

Post a Comment