2022: Supply-Chain Chronic Pain & SaaS Security Meltdowns
With the rise of SaaS adoption, we have witnessed the parallel development of a
“business application mesh,” which enables organizations to build custom
business logic across multiple, disparate SaaS applications. This mesh also
creates transitive trust relationships that let data move
among these SaaS applications without a central authority that has visibility
into or governs the movement of this data. In the past, our IT architecture
enabled the enterprise to have a view of how users were interacting with
multiple different applications, while remaining at the center of the
interactions. But with the business application mesh in place, SaaS applications
are connected to each other directly without the enterprise being at the center.
GitHub is now automated to interact with Slack on behalf of my organization, for
instance. Jira is connected directly with Salesforce. Hubspot sends data to a
myriad of other SaaS applications. The growing network of integrations enables
automated business workflows and data exchange.
5 Leadership Trends to Embrace Now to Prepare for 2022
Leaders of the future are paying attention. As we head into 2022, we must create
cultures where employee well-being comes first. Change like this starts at the
top, and leaders must set an example. Every person on a company’s executive team
must be committed to workplace well-being, modeling a holistic lifestyle where
top priorities are physical, emotional, mental and spiritual health. The days of
work, work and more work are over. People are craving more balance and wellness
in life, and leaders who ignore or resist addressing it will be left behind.
Second, leaders must build a supportive environment that focuses on the whole
person, not just the working portion. A supportive environment offers resources
for depression and other mental health issues and incentives for exercise and
healthy eating behaviors. Companies must offer EAP services that address mental
health and financial, spiritual and social well-being. Creating a supportive
environment also requires an investment in training on how to create
psychological safety, so that employees feel safe talking about their
well-being.
Optimize your system design using Architecture Framework Principles
When it comes to system design, simplicity is key. If your architecture is too
complex to understand, your developers and operations teams can face
complications during implementation or ongoing management. Wherever possible, we
highly recommend using fully managed services to minimize the risk of managing
and maintaining baseline systems, as well as the time and effort required by
your teams. If you’re already running your workloads in production, testing
managed service offerings can help simplify operational complexities. If you’re
starting new, start simple, establish an MVP, and resist the urge to
over-engineer. You can identify corner use cases, iterate, and improve your
systems incrementally over time. Decoupling is a technique used to separate your
applications and service components - such as a monolithic application stack -
into smaller components that can operate independently. A decoupled architecture,
therefore, can run its function(s) independently, irrespective of its various
dependencies.
Engineering Manager: Do Not Be a Hero
Our day-to-day work is to support the people and the teams. The teams need to improve
their skills, to deliver higher-quality software, and many other things. In an
ideal world, our organization would have all the resources or capacity required
to meet these team needs. But the real world is sometimes hard: we
have to work to achieve it, but be careful not to promise unrealistic goals.
Creating an expectation and then not being able to meet it has a very negative
impact on the team. If this happens many times, the team will probably
lose trust in us, and probably in the organization. If you are going to work to
improve some of their needs, it's important to share with the team and also
identify the priorities. Depending on the topic, the timing is also important. I
believe in transparency, but transparency doesn't mean sharing every single
thing that goes through your head. For example, if you are working to increase
the team salary, it would be good to verify with the organization if there is
enough budget to do it before you share it with the team.
Bridging the AppSec and DevOps Disconnect
Culturally, some ingrained attitudes and behaviors challenge the success of any
DevSecOps efforts. Security teams have seen DevOps processes accelerate the
speed at which software is delivered, but without security considerations, while
DevOps teams experienced security slowing down processes and giving inconsistent
results and feedback on security issues. Each party has their own manager to
please, their own set of metrics that they're measured against, and a priority
list that is already as long as their arm. Both teams follow different processes and,
crucially, use different tools. DevOps can't get around the security tool
complexity and its lack of integration with their existing toolset, and security
teams have no control over the CI pipeline to best implement security assurance.
One of the best ways to overcome this friction is through better technology,
process and culture that enables collaboration between teams. First, DevOps
teams do care about security, but it might be lower on their priority list.
Security teams must understand that DevOps teams care about code, quality and
efficiency.
ARC4 Encryption Library
The ARC4 Cryptography Provider Class Library is a DLL file for .NET projects
that includes an implementation of a well-known symmetric encryption algorithm
that is not present in the System.Security.Cryptography namespace of the
mscorlib library. The cryptographic algorithm, known as ARC4 (Alleged RC4), is a
stream cipher that is widely used in various information security systems on
computer networks (for example, SSL and TLS protocols, WEP and WPA wireless
security algorithms). The original RC4 stream cipher was created by Ronald
Rivest of RSA Security. For seven years, the cipher was a trade secret, and the
exact description of the algorithm was provided only after the signing of a
non-disclosure agreement, but in September 1994 its description was anonymously
sent to the mailing list of Cypherpunks. ... Despite the fact that this
cipher is not recommended, ARC4 remains popular due to its simplicity of
software implementation and high speed of operation. Another important advantage
is the variable key length and that the ciphertext is the same length as the plaintext.
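A minimal RC4 implementation, added here as an example and not taken from the library the text describes, that shows the two properties just mentioned (any key length from 1 to 256 bytes, ciphertext as long as the plaintext) and why the cipher is not recommended: reusing a key makes the keystream cancel between two ciphertexts. The test vectors in the comments are the publicly known RC4 vectors.

```python
# Added example: textbook ARC4/RC4, not the .NET library's code.
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield keystream bytes: key-scheduling (KSA) then generation (PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes (variable key length)")
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S with the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # PRGA: one byte per call
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse, so the
    output is always exactly len(data) bytes (no padding, no expansion).
    Known vector: rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Defender's caveat: two ciphertexts under the same key XOR to the XOR of
    the plaintexts, since the identical keystream cancels. This is the core
    reason a static key (as in WEP) or key reuse is unsafe with any stream
    cipher, and why RC4 needs a fresh key per message."""
    c1, c2 = rc4(key, m1), rc4(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))
```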
A Scalable Approach for Partially Local Federated Learning
Previous approaches for partially local federated learning used stateful
algorithms, which require user devices to store a state across rounds of
federated training. Specifically, these approaches required devices to store
local parameters across rounds. However, these algorithms tend to degrade in
large-scale federated learning settings. In these cases, the majority of users
do not participate in training, and users who do participate likely only do so
once, resulting in a state that is rarely available and can get stale across
rounds. Also, all users who do not participate are left without trained local
parameters, preventing practical applications. Federated Reconstruction is
stateless and avoids the need for user devices to store local parameters by
reconstructing them whenever needed. When a user participates in training,
before updating any globally aggregated model parameters, they randomly
initialize and train their local parameters using gradient descent on local
data with global parameters frozen. They can then calculate updates to global
parameters with local parameters frozen.
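One round of the two-phase procedure above, written as an added example (not the paper's code) on a toy model: a global slope w shared by all users and a per-user bias b that is never stored between rounds. The model, the squared-error loss and the learning rates are assumptions chosen for illustration.

```python
# Added example: Federated Reconstruction on y = w*x + b_user (constructed toy).
import random


def mse_grads(w: float, b: float, data):
    """Gradients of mean squared error for y = w*x + b over (x, y) pairs."""
    n = len(data)
    gw = sum(2 * (w * x + b - y) * x for x, y in data) / n
    gb = sum(2 * (w * x + b - y) for x, y in data) / n
    return gw, gb


def reconstruct_local(w: float, data, steps: int = 200, lr: float = 0.1,
                      seed: int = 0) -> float:
    """Phase 1: the device randomly initialises its local parameter and fits
    it by gradient descent with the global parameter w frozen. Nothing is
    loaded from a previous round, so the algorithm is stateless."""
    b = random.Random(seed).uniform(-1.0, 1.0)
    for _ in range(steps):
        _, gb = mse_grads(w, b, data)
        b -= lr * gb
    return b


def global_update(w: float, data, lr: float = 0.1):
    """Phase 2: with the reconstructed local parameter frozen, take one
    gradient step on w. Returns (updated w, reconstructed b); only w is sent
    to the server, b is discarded when the round ends."""
    b = reconstruct_local(w, data)
    gw, _ = mse_grads(w, b, data)
    return w - lr * gw, b


def server_round(w: float, users, lr: float = 0.1) -> float:
    """Server aggregates the global updates from the participating users."""
    updates = [global_update(w, d, lr)[0] for d in users]
    return sum(updates) / len(updates)


# Constructed users: same true slope 2.0, different private biases +1 and -1.
USER_A = [(x, 2.0 * x + 1.0) for x in range(-2, 3)]
USER_B = [(x, 2.0 * x - 1.0) for x in range(-2, 3)]


def train(rounds: int = 30, w: float = 0.5) -> float:
    for _ in range(rounds):
        w = server_round(w, [USER_A, USER_B])
    return w
```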
Why Log4j Mitigation Is Fraught With Challenges
One major challenge organizations face in defending against attacks targeting
Log4j is figuring out their full exposure to the threat, according to security
experts. The vulnerability can be present not just on an organization's
Internet-facing assets, but on internal and back-end systems, network
switches, SIEM and other logging systems, internally developed and third-party
apps, in SaaS and cloud services, and environments they might not even know
about. The interdependencies between different applications and components
mean even if a component does not directly have the vulnerability, it can
still be affected by it. The way Java packaging works can often make it hard to
identify affected applications, Noname Security says. As an example, a Java
archive (JAR) file might contain all the dependencies — including the Log4j
library — of a particular component. But that JAR file might contain another
JAR file that, in turn, could contain yet another JAR file — essentially
burying the vulnerability several layers deep, the security vendor said.
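A small recursive scanner, added here as an example and not part of the article or any vendor tool, that walks a JAR and every JAR/WAR/EAR it embeds, so a copy buried several layers deep is still reported. It looks for the JndiLookup class from log4j-core, the file that public Log4Shell mitigation guidance tells operators to locate or remove; the nested archives in demo() are constructed in memory and contain no real library code.

```python
# Added example: find a marker class inside arbitrarily nested JAR files.
import io
import zipfile

# Class shipped in log4j-core that the Log4Shell mitigations look for.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def find_nested(zip_bytes: bytes, path: str, depth: int = 0, max_depth: int = 8):
    """Return 'outer!inner!...!class' paths for every MARKER found at any depth."""
    hits = []
    if depth > max_depth:                      # bound recursion (zip bombs)
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:                 # not an archive: nothing to do
        return hits
    with zf:
        for name in zf.namelist():
            if name == MARKER:
                hits.append(f"{path}!{name}")
            elif name.lower().endswith(ARCHIVE_EXTS):
                # Recurse into the embedded archive without writing it to disk.
                hits.extend(find_nested(zf.read(name), f"{path}!{name}",
                                        depth + 1, max_depth))
    return hits


def scan_file(filename: str):
    with open(filename, "rb") as f:
        return find_nested(f.read(), filename)


def make_jar(entries: dict) -> bytes:
    """Build an in-memory archive from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Constructed three-level nesting: app.war -> app-lib.jar -> inner.jar."""
    inner = make_jar({MARKER: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": b""})
    middle = make_jar({"lib/inner.jar": inner})
    outer = make_jar({"WEB-INF/lib/app-lib.jar": middle, "clean.txt": b"ok"})
    return find_nested(outer, "app.war")
```

On a real host, point scan_file at each deployed archive; the reported path tells you which embedded JAR actually carries the class, which is what you need to remove or upgrade.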
Why employee burnout must be expected, accepted and supported this winter
All businesses must be mindful of the problem of employee burnout. According
to one recent poll, 57% of employers claim that the issue is affecting
turnover, retention and productivity. Another survey found that seven out of
10 workers would be willing to move jobs to try and reduce the likelihood of
burnout. Across a number of leading economies, the summer of 2021 saw worker
resignations reach record levels. If the burnout question is not addressed in
the months ahead, we could be in for a further wave of resignations early
in the new year. Organisations should consider that, according to Deloitte,
for every £1 spent by employers on mental health interventions, they get back
£5 in reduced absence, presenteeism, and staff turnover. Our advice to
progressive organisations is to look around for local examples of
best-practice wellbeing support as well as burnout paid time off and apply
them across every market in which they employ people. Legal obligations must
always be met, wherever you operate.
Digital IDs don’t have to impinge on civil liberties and privacy
When implemented correctly, decentralized digital IDs can make it harder to
infringe upon civil liberties and privacy. That said, it’s essential that
these IDs are not federated or corporatized but are, instead, self-sovereign
identities, fully controlled by the end-user — made entirely possible by
blockchain’s trustless verification. Decentralized digital IDs are supported
by a wide range of emerging technologies and techniques, leading to the
creation of a truly Self-Sovereign ID, or SSI — where users hold full control
over their personal data. This includes zero-knowledge proofs, a technique that
allows one party to prove a claim to another party without revealing the
underlying information, which ensures that personal data never has to be
revealed to or retained by third-party verifiers. Having self-sovereign
identities linked to purchases and payment rails will facilitate trustless
trade that also seamlessly can stay in line with regulatory expectations.
Better yet, most of this upgrade would be on a software level.
Quote for the day:
"No matter how much you change, you still have to pay the price for the things you've done." -- Doug MacRay