APIs add to an organization’s attack surface, so it’s important to know where they are used. Gartner estimates that roughly 90% of web apps will soon have more of their exposed attack surface area accounted for by APIs as opposed to their own interfaces. Indeed, in 2021, malicious traffic around APIs grew by nearly 350%. Despite these trends, API use only continues to grow. Gone are the days of monolithic applications. Modern enterprise web applications are built with coupled services that communicate through APIs galore, and each component is a target for attackers if left unchecked. Pair that widened attack surface with the insane growth of APIs, and the need for strong API security is clear. Organizations need to cover their entire attack surface by implementing automated and accurate scans via user interfaces and APIs if they want to eliminate potential weak spots before they become problems. Put simply, security debt is an organization’s total inventory of unresolved security issues. These issues have a wide variety of sources, including knowledge gaps, inadequate tooling or cutting corners during testing in the race to market.
First and foremost, the frontend code operates in an insecure environment: a user’s browser. SPAs often possess a refresh token that grants offline access to a user’s resources and can obtain new access tokens without interaction from the user. As these credentials are readable by the SPA, they are vulnerable to cross-site scripting (XSS) attacks, which can have dangerous repercussions such as attackers gaining access to users’ personal data and functionalities not normally accessible through the user interface. As the online data pool grows and hackers become more sophisticated, security must be taken seriously to protect customers’ information and businesses’ reputations. However, designing security solutions for SPAs is no easy feat. As well as the strongest browser security and simple and reliable code, software developers must consider how to deliver the best user experience – wrapping all this into a solution that can be deployed anywhere. The SPA’s web content can be deployed to many global locations via a Content Delivery Network (CDN). Web content is then close geographically to all users so that web downloads are faster.
In addition to CSR, there has been much excitement about the future of AI in anti-corruption work. AI has increasingly become a part of our daily lives, from digital assistants like Siri and Alexa, to self-driving cars like Teslas and ride-hailing applications like Uber. Given that AI has been useful in so many ventures, anti-corruption scholars are eager to apply it to their work. In fact, AI has been described as “the next frontier in anti-corruption.” ... However, AI and anti-corruption discussions so far have mostly focused on governmental efforts to address corporate corruption, not on companies using AI to mitigate corporate corruption — even though many of them already use AI to maximize profit. In the corporate anti-corruption context, AI can provide companies with a proposed investment destinations or transactions and help detect corruption risks in such ventures and improve due diligence processes. AI can also provide more information for yearly anti-corruption policy reviews and assist in designing training based on AI analyses of company processes, reports and operations.
Another concept, which resonates well is data products. Managing and providing data as a product isn't the extreme of dumping raw data, which would require all consuming teams to perform repeatable work on data quality and compatibility issues. It also isn't the extreme of building an integration layer, using one (enterprise) canonical data model with strong conformation from all teams. Data product design is a nuanced approach of taking data from your (complex) operational and analytical systems and turning it into read-optimized versions for organizational-wide consumption. This approach of data product design comes with lots of best practices like aligning your data products with the language of your domain, setting clear interoperability standards for fast consumption, capturing it directly from the source of creation, addressing time-variant and non-volatile concerns, encapsulating metadata for security, ensuring discoverability, and so on. More of these best practices you can find here.
The metaverse has a mostly positive impact on brands, but there are still some loopholes that worry them. For instance, the French champagne Armand de Brignac has recently filed trademark applications to register the appearance of its gold bottle packaging in virtual reality, augmented reality, video, social media and the web. Like this, many brands have established identities when it comes to product and packaging. Since this alternate reality is a fairly new territory to brands, it is difficult for them to gauge if a product or its packaging has distinctiveness outside the metaverse. Even if it does, it is unclear whether those rights will be sufficient to claim infringement inside the metaverse. Among other concerns, the metaverse also brings issues regarding privacy and security risks to light. Being an online-enabled space, it is uncertain whether consumers and brands may face new and unknown privacy and authenticity issues. The rise of the metaverse is just like that of the internet – former Amazon strategist Matthew Ball estimates that by 2027, every company will be a gaming company, implying that the metaverse will soon become a normal part of people’s lives.
The right of access has a broad scope: in addition to basic personal data, according to the EDPB it also includes, for example, subjective notes made during a job application, a history of internet and search engine activity, etc. Unless explicitly stated otherwise, the request must be understood to relate to all personal data relating to the data subject, but the controller may ask the data subject to specify the request if it processes a large amount of data. This applies to each request: if a data subject makes more than one request, it would therefore not be sufficient to provide access only to the changes since the last request. Even data that may have been processed incorrectly or unlawfully should be provided. Data that has already been deleted, for example in accordance with a retention policy, and is therefore no longer available to the controller, does not need to be provided. Specifically, the controller will have to search all IT systems and other archives for personal data using search criteria that reflect the way the information is structured, for example, name and customer or employee number.
Even those organizations that do bring a proactive focus to application security tend to put more emphasis on protecting APIs created for web and mobile applications. In these cases, many organizations often incorrectly assume that their web application firewalls (WAFs) will bear much of the load of securing this type of API usage. But the biggest API protection gap intended — even in sophisticated organizations — is protection of APIs that are open to partners. These APIs are ripe for abuse. Even if they are perfectly written and have no vulnerabilities, they can be abused in unanticipated ways to expose the core business functions and data of the organizations that share them. Perhaps the best example of this is the Cambridge Analytica (CA) scandal that rocked Facebook in 2018. As a brief refresher, CA exploited Facebook's open API to gather extensive data about at least 87 million users. This was accomplished by using a Facebook quiz app that exploited a permissive setting that allowed third-party apps to collect information about the quiz-taker, as well as all of their friends' interests, location data, and more.
“Misconfigurations remain a top risk for cloud applications and data,” says Paul Bischoff, privacy advocate and editor at Comparitech, a website that rates technologies on their cybersecurity. A misconfiguration happens when an IT team inadvertently leaves the door open for hackers by, say, failing to change a default security setting. This is often down to human error and/or a misunderstanding of how a firm’s systems operate and interact. If misconfigurations happen on a non-cloud-connected network, they’re self-contained and, potentially, accessible only to those in the physical workplace. But, once your data is in the cloud, “it is subject to someone else’s security. You do not have any direct control or ability to test it,” notes Steven Furnell, professor of cybersecurity at the University of Nottingham. “This means trusting another party’s measures, so look for the appropriate assurances from them rather than making assumptions.”
Leaders today are faced with the task of taking difficult decisions that can have a profound impact on their workforce and employee wellbeing (although it’s not all grim) in a very uncertain environment. New risks have also emerged with the staggering amount of data created on the internet, such as cyber-attacks that are increasingly frequent and costly. What our Young Global Leaders know well is that it’s easy to lead when times are going well, but real responsibility emerges when you must stand up for what you believe in. Responsible leaders truly shine in times of crisis. With this in mind, we asked eight Young Global Leaders how they will leverage technology and innovate to become better leaders in 2022. New computational and AI tools are already being used by business leaders to guide strategic decision-making. In the next decade, this software will become more powerful and will be applied in new and different settings. Built upon the mathematics of game theory, AI tools harness the computational innovations that power chess engines.
Enter FinOps. This practice is intended to help organizations get maximum business value from cloud "by helping engineering, finance, technology and business teams to collaborate on data-driven spending decisions," according to the FinOps Foundation. (Yes, there's now even an entire foundation devoted to the practice.) In many cases, they are practicing the art of FinOps without even calling it that. Respondents are actively involved in the ongoing usage and cost management for both SaaS (69%) and public cloud IaaS and PaaS (66%). "More and more users are swimming in the FinOps side of the pool, even if they may not know it -- or call it FinOps yet," the Flexera survey's authors state. In addition, for the sixth year in a row, "optimizing the existing use of cloud is the top initiative for all respondents, underscoring the need for FinOps teams or similar ways to improve cost savings initiatives," they also note. While the survey doesn't explicitly ask about FinOps adoption, the authors also state that some organizations have organized FinOps teams to assist in evaluating cloud computing metrics and value.
Quote for the day:
"The art of leadership is saying no, not yes. It is very easy to say yes." -- Tony Blair