5 ways to secure devops
Devops workflows are designed for speed and for iterating rapidly on the latest
requirements and performance improvements. Gate reviews are static. The tools
devops teams rely on for security testing can become roadblocks because of their
gate-driven design. Devops is a continuous process in high-performance IT teams,
while stage gates slow the pace of development. Devops leaders often don’t have
the time to train their developers to integrate security from the initial phases
of a project. The underlying challenge is how few developers are trained on secure coding
techniques. Forrester’s latest report on improving code security from devops
teams looked at the top 50 undergraduate computer science programs in the US, as
ranked by US News and World Report for 2022, and found that none require secure
coding or a secure application design class. CIOs and their teams are stretched
thin with the many digital transformation initiatives, support for virtual teams
and ongoing infrastructure support projects they have going on concurrently.
CIOs and CISOs also face the challenges of keeping their organizations in
regulatory compliance with more complex audit and reporting
requirements.
Designing APIs for humans: Error messages
The status code of the response should already tell you whether an error
happened; the message needs to elaborate so you can actually fix the problem. It
might be tempting to have deliberately obtuse messages as a way of obscuring any
details of your inner systems from the end user; however, remember who your
audience is. APIs are for developers and they will want to know exactly what
went wrong. It’s up to these developers to display an error message, if any, to
the end user. Getting an “An error occurred” message can be acceptable if you’re
the end user yourself since you’re not the one expected to debug the problem
(although it’s still frustrating). As a developer there’s nothing more
frustrating than something breaking and the API not having the common decency to
tell you what broke. ... Letting you know what the error was is the bare
minimum, but what a developer really wants to know is how to fix it. A “helpful”
API wants to work with the developer by removing any barriers or obstacles to
solving the problem. The message “Customer not found” gives us some clues as to
what went wrong, but as API designers we know that we could be giving so much
more information here.
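One way to put the advice above into practice, as an added example that is not from the original article: the status code says whether the call failed, the body says exactly what was wrong and how to fix it, and internal details that would reveal the server's inner workings are kept in the log rather than the response. The names ApiError, customerNotFound and toErrorResponse are this example's own.

```javascript
// Added example (not from the original article). A helpful API error carries a
// stable code, a human-readable message, the specific details that went wrong
// and a hint on how to fix it, without leaking stack traces or backend hosts.
class ApiError extends Error {
  constructor(status, code, message, { details = {}, hint = null } = {}) {
    super(message);
    this.status = status;    // HTTP status: tells the caller *whether* it failed
    this.code = code;        // machine-readable identifier a client can branch on
    this.details = details;  // what exactly was wrong (ids, fields, limits)
    this.hint = hint;        // how to fix it
  }
}

// The "Customer not found" case from the text, with the extra information the
// calling developer actually needs.
function customerNotFound(customerId) {
  return new ApiError(404, "customer_not_found",
    `No customer exists with id '${customerId}'.`, {
      details: { customer_id: customerId, lookup_field: "id" },
      hint: "Check the id returned by GET /customers, or create the customer " +
            "with POST /customers.",
    });
}

// Convert any thrown error into { status, body }. ApiError instances are
// surfaced in full. Anything else (a database driver exception, a bug) becomes
// a generic 500 carrying only a request id the developer can quote to support;
// the original message and stack go to the server log, not to the client.
function toErrorResponse(err, requestId = "req-" + Date.now().toString(36)) {
  if (err instanceof ApiError) {
    const error = { code: err.code, message: err.message,
                    details: err.details, request_id: requestId };
    if (err.hint) error.hint = err.hint;
    return { status: err.status, body: { error } };
  }
  console.error(`[${requestId}]`, err.stack || err);  // internal detail, log only
  return {
    status: 500,
    body: { error: {
      code: "internal_error",
      message: "An unexpected error occurred. Quote request_id when reporting it.",
      request_id: requestId,
    } },
  };
}
```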
Arm Neoverse roadmap targets enterprise infrastructure, cloud
"Compute workloads are on a relentless march higher, and becoming more complex,"
said Chris Bergey, senior vice president and general manager of Arm's
infrastructure line of business, at a press briefing. "Machine learning and AI
are taking over the future, and so infrastructure will look nothing like the
past." Over the next year, Arm will work closely with its cloud and software
partners to optimize cloud-native software infrastructure, frameworks and
workloads. These partnerships include contributions to projects including
Kubernetes and Istio, along with several CI/CD tools used for creating
cloud-native software for the Arm architecture. Arm will also work to improve
machine learning frameworks such as TensorFlow and a number of workloads such as
big data, analytics and media processing. The company is moving into more
traditional enterprise spaces now, Bergey said, noting the work it has done with
VMware on its Project Monterey and providing support for Red Hat's OpenShift and
SAP's HANA. "These cloud providers all use GPUs to underpin their cloud
workloads, and the majority of them are using Arm," Bergey said.
How quantum physicists are looking for life on exoplanets
So, some of the biggest things in the universe are certainly quantum mechanical,
including supermassive black holes, which can lose energy through a quantum
phenomenon known as Hawking radiation. The second point is one often thinks
quantum deals with very low temperatures. Again, to take our sun as an
example—it's very hot, but that's quantum mechanical. Low temperature doesn't
serve as a requirement for quantum. This example of a star and the quantumness
of the fusion process and the high temperatures associated with that—I just want
to broaden the view of what quantum mechanics is and how ubiquitous it is. ...
It's quite amazing that we can determine what is in these planets'
atmospheres—planets that would be impossible for humans to ever visit. That, and
we can look for signatures of life, like, are there molecules that we associate
with life floating around in these planets, at least if it's Earth-like life;
then we might be able to determine with some probability that some planet way
out there that no human could ever visit, harbors life. Or maybe we could
discover other candidate forms of life.
How Is Platform Engineering Different from DevOps and SRE?
Over time, thought leaders came up with different metrics for organizations to
gauge the success of their DevOps setup. The DevOps bible, “Accelerate,”
established lead time, deployment frequency, change failure rate and mean time
to recovery (MTTR) as standard metrics. Reports like the State of DevOps from
Puppet and Humanitec’s DevOps benchmarking study used these metrics to compare
top-performing organizations to low-performing organizations and deduce which
practices contribute most to their degree of success. DevOps unlocked new levels
of productivity and efficiency for some software engineering teams. But for many
organizations, DevOps adoption fell short of their lofty expectations. Manuel
Pais and Matthew Skelton documented these anti-patterns in their book “DevOps
Topologies.” In one scenario, an organization tries to implement true DevOps and
removes dedicated operations roles. Developers are now responsible for
infrastructure, managing environments, monitoring, etc., in addition to their
previous workload. Often senior developers bear the brunt of this shift, either
by doing the work themselves or by assisting their junior colleagues.
The Cyber Security Head Game
Just as the predators of the fish below are never going to go away (which is why this fish camouflages itself and sports huge fake eyes to scare predators), cyber predators also will never go away. And the best of these cyber predators will continue to penetrate even the strongest defenses, because the exponential increase in IT system complexity, which makes it increasingly difficult to even understand the full extent of what you're defending, favors cyber attackers over cyber defenders. So we need to assume that some hackers will inevitably get inside our networks, and thus we must adopt strategies of deception, similar to those employed successfully by our fish here, to lessen the harm from competent hackers who manage to get up close and personal. We also need to create doubt in hackers’ minds about the benefits of attacking us in the first place, in the same way that the poisonous cane toad avoids attacks from predators who know the toad’s skin has lethal poison glands, and milk snakes, who have no poison, discourage would-be predators by mimicking the coloration of coral snakes, who definitely do have deadly venom.
US Cyber-Defense Agency Urges Companies to Automate Threat Testing
Automated threat testing is still not very widespread, according to the
official, who added that organizations sometimes don’t really follow through
after deploying expensive tools on their network and instead just assume they’re
doing the job. Automating security controls will make it easier to stop
attackers from relying on established tactics. The top threat actors are still
going back and leveraging vulnerabilities that are 10 years old or older,
warned the CISA official. CISA is making the recommendation in collaboration
with the Center for Threat-Informed Defense, a 29-member nonprofit formed in
2019 that draws on MITRE’s framework. Iman Ghanizada, global head of autonomic
security operations at Google Cloud, a research sponsor of the Center, said
automated testing is important for creating continuous feedback loops that can
steadily improve protection. “Whether you are a large company or a startup, you
have to have visibility, analytics, response and continuous feedback,” he
said.
Smart Cities: Mobility ecosystems for a more sustainable future
Although every city is different, leading cities are becoming smarter through
their participation in large, complex, digitally enabled ecosystems. The
question for many urban leaders, however, is how to engage with them
effectively. Our experience in working with large transportation and
communications clients yields a multilayered model and approach to guide the
design and management of urban mobility systems. Given the interconnected nature
of the building blocks of mobility, each layer—demand, supply, and
foundational—is critical. Cities must understand and manage all the interactions
and interdependencies. For example, demand for different forms of transportation
is enabled via available modes of transit and supporting infrastructure. None of
these would be possible without regulations, financing, insurance, and
innovation. ... To achieve its vision of becoming a 45-minute city, Singapore is
focusing on building its infrastructure (e.g., it is building intermodal
mobility hubs to allow commuters to move seamlessly from one mode of
transportation to another). The city is developing a robust innovation
ecosystem, collaborating with many private-sector players.
How to Draw and Retain Top Talent in Cyber Security
Before you introduce policies to increase diversity, you need to know who is
currently applying. Gather data on applicants to establish if you need to take
proactive steps to attract specific groups – you can’t make rational business
decisions without data. Analyze job descriptions to eliminate bias so you aren’t
deterring anyone. Review the language -- are you unconsciously drafting job
advertisements and application forms with a white male in mind? Consider a
post-application survey so you can establish what is appealing to recruits and
what might cause them to drop out. You’ll be surprised how many people want to
share their feedback because a negative job application process can deter an
applicant for good, and you could be missing out on the best talent through
ignorance. We implemented an Applicant Tracking System to understand the sources
our candidates are coming from, see how diverse the candidate pool is (or not),
and improve the candidate experience by being able to track how their process
progresses and ends. ... Once you’ve got these cyber professionals on board, you
need to keep them.
Why shift left is burdening your dev teams
Security and compliance challenges are a significant barrier to most
organizations’ innovation strategies, according to CloudBees. The survey also
reveals agreement among C-suite executives that a shift left security strategy
is a burden on dev teams. 76% of C-suite executives say that compliance
challenges, and 75% say that security challenges, limit their company’s ability
to innovate. This is due, in part, to the significant time spent on compliance
audits, risks, and defects. At the same time, C-suite executives overwhelmingly
favor a shift left approach, a strategy of moving software testing and
evaluation to earlier in the development lifecycle, placing the burden of
compliance on development teams. In fact, 83% of C-suite executives say the
approach is important for them as an organization, and 77% say they are
currently implementing a shift left security and compliance approach. This is
despite 58% of C-suite executives reporting that shift left is a burden on their
developers. “These survey findings underscore the urgent need to transform the
software security and compliance landscape.
Quote for the day:
"Courage is the ability to execute tasks
and assignments without fear or intimidation." --
Jaachynma N.E. Agu