Daily Tech Digest - September 18, 2022

5 ways to secure devops

Devops workflows are designed for speed and rapidly iterating with the latest requirements and performance improvements. Gate reviews are static. The tools devops teams rely on for security testing can lead to roadblocks, given their gate-driven design. Devops is a continuous process in high-performance IT teams, while stage gates slow the pace of development. Devops leaders often don’t have the time to train their developers to integrate security from the initial phases of a project. The challenge is how few developers are trained on secure coding techniques. Forrester’s latest report on improving code security from devops teams looked at the top 50 undergraduate computer science programs in the US, as ranked by US News and World Report for 2022, and found that none require secure coding or a secure application design class. CIOs and their teams are stretched thin with the many digital transformation initiatives, support for virtual teams and ongoing infrastructure support projects they have going on concurrently. CIOs and CISOs also face the challenges of keeping their organizations in regulatory compliance with more complex audit and reporting requirements. 


Designing APIs for humans: Error messages

The status code of the response should already tell you if an error happened or not, the message needs to elaborate so you can actually fix the problem. It might be tempting to have deliberately obtuse messages as a way of obscuring any details of your inner systems from the end user; however, remember who your audience is. APIs are for developers and they will want to know exactly what went wrong. It’s up to these developers to display an error message, if any, to the end user. Getting an “An error occurred” message can be acceptable if you’re the end user yourself since you’re not the one expected to debug the problem (although it’s still frustrating). As a developer there’s nothing more frustrating than something breaking and the API not having the common decency to tell you what broke. ... Letting you know what the error was is the bare minimum, but what a developer really wants to know is how to fix it. A “helpful” API wants to work with the developer by removing any barriers or obstacles to solving the problem. The message “Customer not found” gives us some clues as to what went wrong, but as API designers we know that we could be giving so much more information here.
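An added example of the kind of error body the passage argues for (this is illustrative code written for this digest, not code from the original article): the response names a stable error code, says what went wrong with the actual value involved, tells the developer how to fix it, and carries a correlation id, while a separate check makes sure internal details such as stack traces or SQL never reach the client. The `api_error` style helpers, the `DOCS_BASE` URL and the sample ids are assumptions.

```python
"""Added example: actionable API error bodies without leaking internals.
Not from the original article; helper names, the docs URL and sample ids
are assumptions made for this example."""
from dataclasses import dataclass, asdict
from typing import Optional

DOCS_BASE = "https://api.example.test/docs/errors/"  # assumed placeholder

@dataclass
class ApiError:
    status: int                 # HTTP status, says *that* an error happened
    code: str                   # stable machine-readable identifier
    message: str                # what went wrong, in terms of the caller's input
    hint: Optional[str] = None  # how to fix it
    docs_url: Optional[str] = None
    # Correlation id the developer can quote to support; the server keeps the
    # real diagnostics in its own logs under this id.
    request_id: Optional[str] = None

    def body(self) -> dict:
        """JSON-ready body; unset optional fields are omitted."""
        return {k: v for k, v in asdict(self).items() if v is not None}

def customer_not_found(customer_id: str, request_id: str) -> ApiError:
    """The 'Customer not found' case from the passage, made actionable."""
    return ApiError(
        status=404,
        code="customer_not_found",
        message=f"No customer exists with id '{customer_id}'.",
        hint=("Customer ids are prefixed with 'cus_'. Check that the id was "
              "returned by POST /customers and that you are calling the same "
              "environment (test vs live) it was created in."),
        docs_url=DOCS_BASE + "customer_not_found",
        request_id=request_id,
    )

def internal_error(exc: Exception, request_id: str) -> ApiError:
    """Unexpected failure: helpful to the developer, silent about internals.
    The exception text itself is deliberately not placed in the body; a real
    service would log `exc` server-side keyed by request_id."""
    return ApiError(
        status=500,
        code="internal_error",
        message="The request could not be completed.",
        hint="Retry the request; if the problem persists, contact support "
             "and quote the request_id.",
        docs_url=DOCS_BASE + "internal_error",
        request_id=request_id,
    )

# Crude markers of implementation detail that should never appear in a
# client-facing error body (extend for your own stack).
INTERNAL_MARKERS = ("Traceback", "Exception", "SELECT ", "/home/", "\\", "at line")

def leaks_internal_detail(body: dict) -> bool:
    """True if any field of the error body looks like leaked internals."""
    text = " ".join(str(v) for v in body.values())
    return any(marker in text for marker in INTERNAL_MARKERS)

if __name__ == "__main__":
    print(customer_not_found("cus_123", "req_abc").body())
    print(internal_error(RuntimeError("db: SELECT * FROM customers"), "req_x").body())
```

The two helpers show the balance the passage describes: the 404 gives the developer every detail they need to self-serve, while the 500 still gives them a next step and a handle for support without describing the inner system.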


Arm Neoverse roadmap targets enterprise infrastructure, cloud

"Compute workloads are on a relentless march higher, and becoming more complex," said Chris Bergey, senior vice president and general manager of Arm's infrastructure line of business, at a press briefing. "Machine learning and AI are taking over the future, and so infrastructure will look nothing like the past." Over the next year, Arm will work closely with its cloud and software partners to optimize cloud-native software infrastructure, frameworks and workloads. These partnerships include contributions to projects including Kubernetes and Istio, along with several CI/CD tools used for creating cloud-native software for the Arm architecture. Arm will also work to improve machine learning frameworks such as TensorFlow and a number of workloads such as big data, analytics and media processing. The company is moving into more traditional enterprise spaces now, Bergey said, noting the work it has done with VMware on its Project Monterey and providing support for Red Hat's OpenShift and SAP's HANA. "These cloud providers all use GPUs to underpin their cloud workloads, and the majority of them are using Arm," Bergey said.


How quantum physicists are looking for life on exoplanets

So, some of the biggest things in the universe are certainly quantum mechanical, including supermassive blackholes which can lose energy through a quantum phenomenon known as Hawking radiation. The second point is one often thinks quantum deals with very low temperatures. Again, to take our sun as an example—it's very hot, but that's quantum mechanical. Low temperature doesn't serve as a requirement for quantum. This example of a star and the quantumness of the fusion process and the high temperatures associated with that—I just want to broaden the view of what quantum mechanics is and how ubiquitous it is. ... It's quite amazing that we can determine what is in these planets' atmospheres—planets that would be impossible for humans to ever visit. That, and we can look for signatures of life, like, are there molecules that we associate with life floating around in these planets, at least if it's Earth-like life; then we might be able to determine with some probability that some planet way out there that no human could ever visit, harbors life. Or maybe we could discover other candidate forms of life.


How Is Platform Engineering Different from DevOps and SRE?

Over time, thought leaders came up with different metrics for organizations to gauge the success of their DevOps setup. The DevOps bible, “Accelerate,” established lead time, deployment frequency, change failure rate and mean time to recovery (MTTR) as standard metrics. Reports like the State of DevOps from Puppet and Humanitec’s DevOps benchmarking study used these metrics to compare top-performing organizations to low-performing organizations and deduce which practices contribute most to their degree of success. DevOps unlocked new levels of productivity and efficiency for some software engineering teams. But for many organizations, DevOps adoption fell short of their lofty expectations. Manuel Pais and Matthew Skelton documented these anti-patterns in their book “DevOps Topologies.” In one scenario, an organization tries to implement true DevOps and removes dedicated operations roles. Developers are now responsible for infrastructure, managing environments, monitoring, etc., in addition to their previous workload. Often senior developers bear the brunt of this shift, either by doing the work themselves or by assisting their junior colleagues.
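An added example (not from the article or from "Accelerate") computing the four metrics the passage names from a constructed deployment log. The record layout is an assumption: each deployment carries the author time of its oldest commit, the time it reached production, a failure flag and, for failed changes, the time service was restored. Using the median for lead time and the mean for MTTR, and requiring a `restored` time on every failed change, are choices made here rather than definitions from the book.

```python
"""Added example: DORA metrics from a constructed deployment log.
Record fields and sample values are assumptions for this example."""
from datetime import datetime
from statistics import median

# Constructed sample covering a two-week window.
DEPLOYMENTS = [
    {"commit": "2022-09-01T09:00", "deployed": "2022-09-01T15:00", "failed": False},
    {"commit": "2022-09-02T08:00", "deployed": "2022-09-03T10:00", "failed": True,
     "restored": "2022-09-03T12:00"},
    {"commit": "2022-09-05T10:00", "deployed": "2022-09-05T12:00", "failed": False},
    {"commit": "2022-09-06T09:00", "deployed": "2022-09-08T09:00", "failed": False},
    {"commit": "2022-09-12T11:00", "deployed": "2022-09-12T14:00", "failed": True,
     "restored": "2022-09-12T14:30"},
]

def _hours_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def dora_metrics(deployments: list, window_days: float) -> dict:
    """Return deployment frequency, lead time, change failure rate and MTTR."""
    if not deployments:
        raise ValueError("no deployments in window")
    # Lead time for changes: commit authored -> running in production.
    lead_hours = [_hours_between(d["commit"], d["deployed"]) for d in deployments]
    failed = [d for d in deployments if d["failed"]]
    for d in failed:
        if "restored" not in d:
            raise ValueError(f"failed deployment at {d['deployed']} has no 'restored' time")
    # Time to restore: production failure -> service restored.
    restore_hours = [_hours_between(d["deployed"], d["restored"]) for d in failed]
    return {
        "deploys_per_day": len(deployments) / window_days,
        "lead_time_hours_median": median(lead_hours),
        "change_failure_rate": len(failed) / len(deployments),
        "mttr_hours": sum(restore_hours) / len(restore_hours) if restore_hours else 0.0,
    }

if __name__ == "__main__":
    for name, value in dora_metrics(DEPLOYMENTS, window_days=14).items():
        print(f"{name:24s} {value:.3f}")
```

Feeding the function your own deployment records (from a CD pipeline's audit log, say) gives the same four numbers the State of DevOps style reports use to separate high and low performers.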


The Cyber Security Head Game

Just as the predators of the fish below are never going to go away (which is why this fish camouflages itself and sports huge fake eyes to scare predators), cyber predators also will never go away. And the best of these cyber predators will continue to penetrate even the strongest defenses, because the exponential increase in IT system complexity, which makes it increasingly difficult to even understand the full extent of what you're defending, favors cyber attackers over cyber defenders. So we need to assume that some hackers will inevitably get inside our networks and thus we must adopt strategies of deception, similar to those employed successfully by our fish here, to lessen the harm from competent hackers who manage to get up close and personal. We also need to create doubt in hackers’ minds about the benefits of attacking us in the first place, in the same way that the poisonous cane toad avoids attacks from predators who know the toad’s skin has lethal poison glands, and milk snakes, which have no poison, discourage would-be predators by mimicking the coloration of coral snakes, which definitely do have deadly venom.


US Cyber-Defense Agency Urges Companies to Automate Threat Testing

Automated threat testing is still not very widespread, according to the official, who added that organizations sometimes don’t really follow through after deploying expensive tools on their network and instead just assume they’re doing the job. Automating security controls will make it easier to stop attackers from relying on established tactics. The top threat actors are still going back and leveraging vulnerabilities that are up to 10 years and older, warned the CISA official. CISA is making the recommendation in collaboration with the Center for Threat-Informed Defense, a 29-member nonprofit formed in 2019 that draws on MITRE’s framework. Iman Ghanizada, global head of autonomic security operations at Google Cloud, a research sponsor of the Center, said automated testing is important for creating continuous feedback loops that can steadily improve protection. “Whether you are a large company or a startup, you have to have visibility, analytics, response and continuous feedback,” he said.


Smart Cities: Mobility ecosystems for a more sustainable future

Although every city is different, leading cities are becoming smarter through their participation in large, complex, digitally enabled ecosystems. The question for many urban leaders, however, is how to engage with them effectively. Our experience in working with large transportation and communications clients yields a multilayered model and approach to guide the design and management of urban mobility systems. Given the interconnected nature of the building blocks of mobility, each layer—demand, supply, and foundational—is critical. Cities must understand and manage all the interactions and interdependencies. For example, demand for different forms of transportation is enabled via available modes of transit and supporting infrastructure. None of these would be possible without regulations, financing, insurance, and innovation. ... To achieve its vision of becoming a 45-minute city, Singapore is focusing on building its infrastructure (e.g., it is building intermodal mobility hubs to allow commuters to move seamlessly from one mode of transportation to another). The city is developing a robust innovation ecosystem, collaborating with many private-sector players. 


How to Draw and Retain Top Talent in Cyber Security

Before you introduce policies to increase diversity, you need to know who is currently applying. Gather data on applicants to establish if you need to take proactive steps to attract specific groups – you can’t make rational business decisions without data. Analyze job descriptions to eliminate bias so you aren’t deterring anyone. Review the language -- are you unconsciously drafting job advertisements and application forms with a white male in mind? Consider a post-application survey so you can establish what is appealing to recruits and what might cause them to drop out. You’ll be surprised how many people want to share their feedback because a negative job application process can deter an applicant for good, and you could be missing out on the best talent through ignorance. We implemented an Applicant Tracking System to understand the sources our candidates are coming from, see how diverse the candidate pool is (or not), and improve the candidate experience by being able to track how their process progresses and ends. ... Once you’ve got these cyber professionals on board, you need to keep them. 


Why shift left is burdening your dev teams

Security and compliance challenges are a significant barrier to most organizations’ innovation strategies, according to CloudBees. The survey also reveals agreement among C-suite executives that a shift left security strategy is a burden on dev teams. 76% of C-suite executives say that compliance challenges and security challenges (75%) limit their company’s ability to innovate. This is due, in part, to the significant time spent on compliance audits, risks, and defects. At the same time, C-suite executives overwhelmingly favor a shift left approach, a strategy of moving software testing and evaluation to earlier in the development lifecycle, placing the burden of compliance on development teams. In fact, 83% of C-suite executives say the approach is important for them as an organization, and 77% say they are currently implementing a shift left security and compliance approach. This is despite 58% of C-suite executives reporting that shift left is a burden on their developers. “These survey findings underscore the urgent need to transform the software security and compliance landscape. 



Quote for the day:

"Courage is the ability to execute tasks and assignments without fear or intimidation." -- Jaachynma N.E. Agu
