Daily Tech Digest - December 17, 2021

2022: Supply-Chain Chronic Pain & SaaS Security Meltdowns

With the rise of SaaS adoption, we have witnessed the parallel development of a “business application mesh,” which enables organizations to build custom business logic across multiple, disparate SaaS applications. This mesh also enables transitive trust relationships to be created that enable data to move among these SaaS applications without a central authority that has visibility into or governs the movement of this data. In the past, our IT architecture enabled the enterprise to have a view of how users were interacting with multiple different applications, while remaining at the center of the interactions. But with the business application mesh in place, SaaS applications are connected to each other directly without the enterprise being at the center. GitHub is now automated to interact with Slack on behalf of my organization, for instance. Jira is connected directly with Salesforce. Hubspot sends data to a myriad of other SaaS applications. The growing network of integrations enables automated business workflows and data exchange.
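The transitive trust the passage describes can be made visible by treating the integrations as a directed graph and asking where data can flow beyond the first hop. The following is an added example, not code from the original article; the GitHub/Slack, Jira/Salesforce and HubSpot edges come from the text, the remaining applications and edges are constructed sample data.

```python
from collections import deque

# Constructed inventory of direct SaaS-to-SaaS integrations (source -> destinations).
# The GitHub->Slack, Jira->Salesforce and HubSpot edges follow the passage; the
# other entries are assumptions added to show a multi-hop chain.
INTEGRATIONS = {
    "GitHub": {"Slack"},
    "Jira": {"Salesforce", "Slack"},
    "Salesforce": {"HubSpot"},
    "HubSpot": {"Mailchimp", "Zapier"},
    "Zapier": {"GoogleSheets", "Slack"},
}

def transitive_reach(graph, source):
    """Return {app: path} for every app that can receive data originating at
    `source`, directly or through a chain of integrations. The path is the
    trust chain a central authority would need to see but, in a mesh, cannot."""
    paths = {source: [source]}
    queue = deque([source])
    while queue:
        app = queue.popleft()
        for nxt in sorted(graph.get(app, ())):
            if nxt not in paths:
                paths[nxt] = paths[app] + [nxt]
                queue.append(nxt)
    del paths[source]
    return paths

def indirect_only(graph, source):
    """Apps reachable from `source` that have no direct integration with it.
    These are the transitive relationships no single admin console displays."""
    direct = graph.get(source, set())
    return {app: path for app, path in transitive_reach(graph, source).items()
            if app not in direct}

if __name__ == "__main__":
    for app, path in indirect_only(INTEGRATIONS, "Jira").items():
        print(app, "<-", " -> ".join(path))
```

Running it for Jira lists GoogleSheets, HubSpot, Mailchimp and Zapier as indirect recipients of Jira data, each with the chain that carries it.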


5 Leadership Trends to Embrace Now to Prepare for 2022

Leaders of the future are paying attention. As we head into 2022, we must create cultures where employee well-being comes first. Change like this starts at the top, and leaders must set an example. Every person on a company’s executive team must be committed to workplace well-being, modeling a holistic lifestyle where top priorities are physical, emotional, mental and spiritual health. The days of work, work and more work are over. People are craving more balance and wellness in life, and leaders who ignore or resist addressing it will be left behind. Second, leaders must build a supportive environment that focuses on the whole person, not just the working portion. A supportive environment offers resources for depression and other mental health issues and incentives for exercise and healthy eating behaviors. Companies must offer EAP services that address mental health and financial, spiritual and social well-being. Creating a supportive environment requires an investment in training on how to create psychological safety, where employees feel safe to talk about their well-being.


Optimize your system design using Architecture Framework Principles

When it comes to system design, simplicity is key. If your architecture is too complex to understand, your developers and operations teams can face complications during implementation or ongoing management. Wherever possible, we highly recommend using fully managed services to minimize the risk of managing and maintaining baseline systems, as well as the time and effort required by your teams. If you’re already running your workloads in production, testing managed service offerings can help simplify operational complexities. If you’re starting new, start simple, establish an MVP, and resist the urge to over-engineer. You can identify corner use cases, iterate, and improve your systems incrementally over time. Decoupling is a technique used to separate your applications and service components - such as a monolithic application stack - into smaller components that can operate independently. A decoupled architecture, therefore, can run its function(s) independently, irrespective of its various dependencies.


Engineering Manager: Do Not Be a Hero

Our day-to-day work is to support the people and the teams. The teams need to improve their skills, to deliver higher-quality software, and many other things. In an ideal world, our organization would have all the resources required, or the capacity, to provide for these team needs. But the real world is sometimes hard; we have to work to achieve it, but be careful not to promise unrealistic goals. Generating an expectation and not being able to meet it has a very negative impact on the team. If this behavior occurs many times, the team will probably lose trust in us, and probably in the organization. If you are going to work on improving some of their needs, it's important to share this with the team and also to identify the priorities. Depending on the topic, the timing is also important. I believe in transparency, but transparency doesn't mean sharing every single thing that goes through your head. For example, if you are working to increase the team's salary, it would be good to verify with the organization that there is enough budget to do it before you share it with the team.


Bridging the AppSec and DevOps Disconnect

Culturally, some ingrained attitudes and behaviors challenge the success of any DevSecOps efforts. Security teams have seen DevOps processes accelerate the speed at which software is delivered, but without security considerations, while DevOps teams experienced security slowing down processes and giving inconsistent results and feedback on security issues. Each party has their own manager to please; their own set of metrics that they’re measured against and a priority list as long as their arms already. Both teams follow different processes and, crucially, use different tools. DevOps can’t get around the security tool complexity and lack of integration with their existing toolset and security teams have no control over the CI pipeline to best implement security assurance. One of the best ways to overcome this friction is through better technology, process and culture that enables collaboration between teams. First, DevOps teams do care about security, but it might be lower on their priority list. Security teams must understand that DevOps teams care about code, quality and efficiency.


ARC4 Encryption Library

The ARC4 Cryptography Provider Class Library is a DLL file for .NET projects that includes an implementation of a well-known symmetric encryption algorithm that is not present in the System.Security.Cryptography namespace of the mscorlib library. The cryptographic algorithm, known as ARC4 (Alleged RC4), is a stream cipher that has been widely used in various information security systems on computer networks (for example, the SSL and TLS protocols and the WEP and WPA wireless security algorithms). The original RC4 stream cipher was created by Ronald Rivest of RSA Security. For seven years, the cipher was a trade secret, and the exact description of the algorithm was provided only after the signing of a non-disclosure agreement, but in September 1994 its description was anonymously sent to the Cypherpunks mailing list. ... Despite the fact that this cipher is not recommended, ARC4 remains popular due to the simplicity of its software implementation and its high speed of operation. Another important advantage is the variable key length and the fact that the ciphertext is exactly the same length as the plaintext.
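To make the passage concrete, here is an added example (not the library's own code) of the RC4 key-scheduling and keystream loop in Python, checked against a published test vector. It also shows the length-preserving property the passage mentions and, as the caveat a practitioner should keep in mind with any stream cipher, what keystream reuse leaks.

```python
def rc4_keystream(key: bytes):
    """Generator for the RC4 keystream: key-scheduling (KSA) followed by the
    pseudo-random generation loop (PRGA). Key length may be 1..256 bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): XOR data with the keystream.
    The output is exactly as long as the input."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Any stream cipher used with the same key (and no nonce) for two messages
    produces ciphertexts whose XOR cancels the keystream and equals m1 XOR m2.
    This is why a key must never be reused for more than one message."""
    c1, c2 = rc4(key, m1), rc4(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3 (published RC4 test vector)
```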


A Scalable Approach for Partially Local Federated Learning

Previous approaches for partially local federated learning used stateful algorithms, which require user devices to store a state across rounds of federated training. Specifically, these approaches required devices to store local parameters across rounds. However, these algorithms tend to degrade in large-scale federated learning settings. In these cases, the majority of users do not participate in training, and users who do participate likely only do so once, resulting in a state that is rarely available and can get stale across rounds. Also, all users who do not participate are left without trained local parameters, preventing practical applications. Federated Reconstruction is stateless and avoids the need for user devices to store local parameters by reconstructing them whenever needed. When a user participates in training, before updating any globally aggregated model parameters, they randomly initialize and train their local parameters using gradient descent on local data with global parameters frozen. They can then calculate updates to global parameters with local parameters frozen.
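The two-phase, stateless procedure described above can be simulated with a toy model in which each user's data follows y = g*x + l_u, with g the global parameter and l_u a local per-user parameter. This is an added illustration, not the paper's code; the model, the users, the learning rates and the round counts are constructed assumptions.

```python
import random

# Constructed toy data: each user's points follow y = TRUE_G * x + offset_u.
# TRUE_G is the shared global parameter; offset_u is the user's local parameter.
TRUE_G = 2.0
XS = [1.0, 2.0, 3.0, 4.0]
USERS = {"A": 1.0, "B": -1.0, "C": 3.0, "D": 0.5}   # D never participates in training

def user_data(offset):
    return [(x, TRUE_G * x + offset) for x in XS]

def reconstruct_local(g, data, steps=20, lr=0.25, rng=None):
    """Phase 1 of Federated Reconstruction: with the global g frozen, start the
    local parameter from a random value and fit it by gradient descent on the
    user's own data. Nothing from earlier rounds has to be stored on the device."""
    l = (rng or random).uniform(-1.0, 1.0)
    for _ in range(steps):
        grad_l = sum(2 * (g * x + l - y) for x, y in data) / len(data)
        l -= lr * grad_l
    return l

def global_gradient(g, l, data):
    """Phase 2: with the reconstructed local l frozen, gradient of the loss w.r.t. g."""
    return sum(2 * (g * x + l - y) * x for x, y in data) / len(data)

def train(rounds=20, lr_g=0.2, seed=0):
    """Server loop: each round, participating users reconstruct their local
    parameter, then send a global gradient; the server averages and steps g."""
    rng = random.Random(seed)
    g = 0.0
    participants = {u: user_data(o) for u, o in USERS.items() if u != "D"}
    for _ in range(rounds):
        grads = []
        for data in participants.values():
            l = reconstruct_local(g, data, rng=rng)
            grads.append(global_gradient(g, l, data))
        g -= lr_g * sum(grads) / len(grads)
    return g

def reconstruct_for_new_user(g, offset, seed=1):
    """A user who never trained (D) still obtains a usable local parameter
    by reconstructing it from the final global model and local data."""
    return reconstruct_local(g, user_data(offset), rng=random.Random(seed))
```

After training, the global slope converges to TRUE_G and user D, who never took part, recovers its own offset from the final g alone.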


Why Log4j Mitigation Is Fraught With Challenges

One major challenge organizations face in defending against attacks targeting Log4j is figuring out their full exposure to the threat, according to security experts. The vulnerability can be present not just on an organization's Internet-facing assets, but on internal and back-end systems, network switches, SIEM and other logging systems, internally developed and third-party apps, in SaaS and cloud services, and environments they might not even know about. The interdependencies between different applications and components mean that even if a component does not directly have the vulnerability, it can still be affected by it. The way Java packaging works can often make it hard to identify affected applications, Noname Security says. As an example, a Java archive (JAR) file might contain all the dependencies — including the Log4j library — of a particular component. But that JAR file might contain another JAR file that, in turn, could contain yet another JAR file — essentially burying the vulnerability several layers deep, the security vendor said.
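Because a JAR is a zip archive, the nesting the passage describes can be handled by scanning recursively: open the archive, and for every entry that is itself an archive, open it in memory and repeat. The following is an added example, not the vendor's tool; it flags entries under the log4j-core class path and builds a three-level constructed sample JAR to scan. It does not determine the Log4j version, so a hit means "log4j-core is present somewhere in here", not "this is vulnerable".

```python
import io
import zipfile

# Class-path prefix that identifies log4j-core classes inside any archive.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data: bytes, path: str = "archive.jar", depth: int = 0, max_depth: int = 8):
    """Walk a JAR and every JAR nested inside it. Returns one
    'outer.jar!inner.jar!entry' string per log4j-core entry found,
    however deeply it is buried."""
    hits = []
    if depth > max_depth:                     # guard against absurd nesting
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:                # not an archive (or corrupt)
        return hits
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(LOG4J_CORE_PREFIX):
                hits.append(f"{path}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive(zf.read(info), f"{path}!{name}", depth + 1, max_depth))
    return hits

def build_jar(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: app.jar -> lib/service.jar -> lib/log4j-core.jar -> log4j-core
# classes. The class bodies are placeholder bytes, not real bytecode.
LOG4J_JAR = build_jar({"org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe"})
SERVICE_JAR = build_jar({"com/example/Service.class": b"\xca\xfe\xba\xbe",
                         "lib/log4j-core.jar": LOG4J_JAR})
APP_JAR = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                     "lib/service.jar": SERVICE_JAR})

def sample_hits():
    return scan_archive(APP_JAR, "app.jar")

if __name__ == "__main__":
    for hit in sample_hits():
        print(hit)
```

On a real system, replace APP_JAR with the bytes of each deployed archive and the same recursion reports the full containment chain for every hit.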


Why employee burnout must be expected, accepted and supported this winter

All businesses must be mindful of the problem of employee burnout. According to one recent poll, 57% of employers claim that the issue is affecting turnover, retention and productivity. Another survey found that seven out of 10 workers would be willing to move jobs to try and reduce the likelihood of burnout. Across a number of leading economies, the summer of 2021 saw worker resignations reach record levels. If the burnout question is not addressed in the months ahead, we could be in for a further wave of resignations early in the new year. Organisations should consider that, according to Deloitte, for every £1 spent by employers on mental health interventions, they get back £5 in reduced absence, presenteeism, and staff turnover. Our advice to progressive organisations is to look around for local examples of best-practice wellbeing support, as well as paid time off for burnout, and apply them across every market in which they employ people. Legal obligations must always be met, wherever you operate.


Digital IDs don’t have to impinge on civil liberties and privacy

When implemented correctly, decentralized digital IDs can make it harder to infringe upon civil liberties and privacy. That said, it’s essential that these IDs are not federated or corporatized but are, instead, self-sovereign identities, fully controlled by the end-user — made entirely possible by blockchain’s trustless verification. Decentralized digital IDs are supported by a wide range of emerging technologies and techniques, leading to the creation of a truly Self-Sovereign ID, or SSI — where users hold full control over their personal data. This includes zero-knowledge proofs, a system that allows one party to verify data to another party without revealing any pertinent information, which ensures that personal information never has to be revealed or retained by third-party verifiers. Having self-sovereign identities linked to purchases and payment rails will facilitate trustless trade that also seamlessly can stay in line with regulatory expectations. Better yet, most of this upgrade would be on a software level.



Quote for the day:

"No matter how much you change, you still have to pay the price for the things you've done." -- Doug MacRay
