Why So Much Open Source Software Is Vulnerable to Hackers
A high-risk vulnerability is defined by the Cybersecurity Research Center this
way, McGuire said: “They take the advisories from numerous (industry) security
feeds, analyze them and send them out to our customers. And as part of this
analysis, they assign severity scores. When it comes to open source
vulnerabilities, they’re using the CVSS scoring system. It (severity) also
depends on whether or not there’s an exploit; whether or not there is a fix
available; the type of exploit; how easy it is for somebody to go through and
actually exploit the application; whether this can be done remotely; and whether
you have access to the running instance. So all these (attributes) are taken
into consideration for that score. And then that score is what tells us whether
or not it’s a high-severity vulnerability,” McGuire said. Jason Schmitt,
general manager of the Synopsys Software Integrity Group, said that the report
findings underlined the reality of open source as the underlying foundation of
most types of software built today.
Building An Automation Strategy: A Leadership Quandary
A digital transformation is a colossal effort for an organization and it has
multiple parts to it. From legacy modernization, cloud migration, hybrid
development and enterprise data management to automation and reporting,
everything can fall under the purview of digital transformation. Leaders should
know when to take a sequential approach and what needs to be done in parallel
for all of these efforts to converge at some point. A digital transformation
strategy can't be restricted to the board room alone with outside consultants
and CXOs involved, lacking participation from department heads and leaders who
are aware of the factors that contribute to inefficiencies and delays. A
bottom-up approach to digital transformation is critical, as it can help in
identifying priorities, including which departments need automation, the scope
of automation for each department, potential use cases, projected returns and
more. This requires leaders to spend time at a grassroots level, explaining
their vision and ensuring they have organizational support in turning their
digital goals into reality.
Marketing Compliance in 2023: What CPOs Need to Know
Consent refers to the compliance measures taken to abide by laws such as the
European Union’s General Data Protection Regulation law and the various privacy
laws in the United States. In order to be in compliance with the law, companies
must obtain permission to collect consumer data and track consumer activity
across the internet. We most often see this play out online in the form of a
pop-up that appears when one visits a website asking a visitor to ‘accept’ or
‘decline’ cookies. Another example is the ‘opt in to communications’ box one
checks when sharing an email address with a company. Consumer consent is
markedly different than preferences because it requires consumers to give
permission for companies to communicate with them and track their activity
online. Consent varies, however, between different laws; for example, in the
E.U., consumers are required to opt in to cookie tracking, whereas in the United
States, consumers would need to object. All consent laws, however, require
companies to make a consumer’s data available to them upon request.
8 ways to retain top developer talent
DX takes DevOps to the next level. As Guillermo Rauch, CEO and founder of
Vercel told me, “Organizations will move from DevOps to dev experience. Great
developer experience leads to better developer productivity and improved
developer velocity, directly improving your bottom line. Every organization
should be thinking, ‘How do I empower my developers to spend more time on the
application and product layer while spending minimal time on the backend and
infrastructure layer?’” ... Developers create software for two audiences:
users and developers — that is, those developers who will work on the product.
For users, product excellence is critical. But for developers, excellence
inside the product is extremely important as well, and that has big
implications for the business using the software. In this sense, DX is an
indication of code quality, which says everything about the viability of
software. Here, the importance to the business is two-fold. First, systems
with good DX are easier to maintain and extend, with software quality a key
differentiator between code that can grow and evolve and code that is doomed
to degrade and decay.
Stolen credentials increasingly empower the cybercrime underground
"Unlike most modern organizational security teams, threat actors do not
operate in silos, and instead pool resources while learning from one another,"
the company said. "Flashpoint is finding that adept threat actors and
ransomware gangs increasingly share code, in addition to tactics, tools, and
procedures—largely thanks to the proliferation of illicit markets." Just like
ransomware gangs come and go in what seems like a never-ending cycle of
rebranding, illegal markets do, too. While there were several law enforcement
takedowns or self-shutdowns of big and long-running cybercrime markets --
SSNDOB, Raid Forums, and Hydra being some notable ones -- others quickly
popped up to take their place. Cybercriminals usually maintain alternative
communication channels like Telegram, where they can keep each other informed
and advertise new alternative markets after one disappears. In fact, just last
year Flashpoint recorded 190 new illicit markets emerge.
Darktrace warns of phishing scam powered by ChatGPT
According to Darktrace, there has been a rise in cybercriminals using ChatGPT
to create more personalised and authentic-looking phishing emails in an
attempt to breach users’ finances, since the chatbot was released last
November, reported The Guardian. However, it’s claimed that there isn’t so
much a new wave of attackers targeting businesses and individual users with
phishing techniques, as there is a shift in tactics using the Microsoft-backed
software. Common features within the emails include “linguistic complexity,
including text volume, punctuation and sentence length”, while techniques
relying on malicious links in the text are decreasing. “We’re seeing a big
shift. ‘Hey, guess what, you’ve won the lottery…’ emails are becoming a thing
of the past,” Darktrace CEO Poppy Gustafsson told The Times. “Instead,
phishing emails are much more about trying to elicit trust and communication.
They’re bespoke, with much more sophisticated language — the punctuation is
changing, the language is changing. It’s more about trying to elicit
trust.”
5 tips for designing a cloud-smart transformation strategy
Don't just "lift and shift" everything as it is during your transition to the
cloud. This approach might seem easy but it risks keeping previous mistakes,
blunders, and problems in your program. Instead, reconsider everything. Keep
what works, replace what doesn't, and discard the rest. Then migrate only the
components that your business requires. We have retired (and continue to
retire) many workloads in our transition to a hybrid cloud. The traditional
practice of "lift and shift" is giving way to a more methodical and strategic
approach to modernization. It's a move motivated by years of hard lessons
learned and tears shed during previous cloud implementations. Recognize that
workloads are inextricably linked and have highly complex dependencies. You
can't just move any job to the cloud at random because that might break
something. Even if the long-term goal is to move all workloads to the cloud at
the same time, containerization and orchestration provide a useful hybrid
option for achieving reasonable levels of flexibility and performance.
Synthetic identity fraud calls for a new approach to identity verification
What can be done to tackle the scourge of synthetic identity fraud? At the
industry level, lenders and credit bureaus must come together to develop a
standard approach for identifying, classifying and reporting synthetic
identities. Targeted businesses also need to share data, as criminals use
their synthetic identities at (and often defraud) many different organizations
as they build their credit histories. Forming a consortium to share
intelligence could bring suspicious patterns of activity to light sooner,
likely reducing the risk of massive losses. On an organizational level, a
multipronged detection strategy is highly recommended. Enterprises need to
implement identity verification solutions that combine online and offline data
to comprehensively examine risk signals, such as device behavior biometrics,
device identity and reputation, email tenure and reputation, mobile phone
tenure and reputation, usage patterns of personally identifiable information,
and tenure and activity on social media platforms.
US Intelligence Ranks China as Top National Security Threat
The big-picture challenge with China, the report says, is its "capability to
directly attempt to alter the rules-based global order in every realm and
across multiple regions, as a near-peer competitor that is increasingly
pushing to change global norms and potentially threatening its neighbors." The
U.S. intelligence report also singles out Beijing for its willingness to use
cyber operations and economic espionage to advance its domestic technology
capabilities and knowledge and as a domestic and foreign lever to expand the
Chinese Communist Party's "technology-driven authoritarianism globally." The
country controls key supply chains - for batteries, critical minerals,
pharmaceuticals, less advanced semiconductors and solar panels - which Chinese
President Xi Jinping in 2020 said the country wouldn't hesitate to use for
economic and political gain if required. The intelligence assessment says that
this could include cutting off supply to other countries in a time of
crisis.
IT leadership: 3 ways to boost your Generational IQ (GQ)
People need to feel heard. Across generations, people put a high value on
recognition and respect. As a leader, make sure you have processes that allow
you to listen more than you talk. Create plenty of opportunities to show
appreciation and respect through both informal recognition processes as well
as through formal rewards programs. Leaders who do enough listening (and ask
the right questions) can weave generational preferences into how they
acknowledge and recognize individuals. With the huge amount of diversity not
only across but within generations, using surveys to identify those
preferences is a smart way to test what works. A great example of this is
customizing how you recognize your team after a big project goes live. A
Millennial may value a gift card to use for a trip, while a Boomer may find
more value in having their wisdom documented in an online training course for
future team members.
Quote for the day:
"A good leader can't get too far ahead of his followers" -- Franklin D. Roosevelt