Daily Tech Digest - November 24, 2023

How American Express Created an Open Source Program Office

American Express has established an open source program office that gamifies the safe development of open source code that can be poured back into the community. “Without the program existing, a lot of people at the company wouldn’t know about giving back to open source, they wouldn’t see the power in it,” said Amanda Chesin, software engineer at American Express, during a presentation at OSFF. The AmEx OSPO started as an informal group of developers trying to establish a symbiotic relationship with the open source community, said Tim Klever, vice president of the development experience at AmEx, at the conference. The first step was to convince the skeptical upper management of the value of open source. Security issues were the single largest concern among 56% of executives surveyed by FINOS. That was followed by quality of components, compliance with external regulations, and licensing of intellectual properties. ... “That’s really when we kind of became official because we had someone to worry about this stuff and work on it the whole time, even though we only got [her] for a summer,” Klever said.

Navigating the uncharted waters of the Digital Protection Act 2023: Overcoming unsolicited challenges in the digital realm

Of particular note is the provision for grievance redressal, affording individuals a legal avenue to hold data fiduciaries accountable. However, in contrast to the penalties imposed on data fiduciaries for non-compliance, the Data Protection Board's authority to levy fines on data principals (for violations of duties not to file frivolous complaints or impersonate others) is limited to a modest sum of up to ₹ 10,000. This duality poses a significant concern, as it introduces the possibility of groundless complaints. A successful complaint can yield a substantial ₹ 200 crore award, while an unsuccessful one carries a comparatively nominal penalty of ₹ 10,000. This dynamic could lead to an influx of speculative claims and an environment of undue frustration. There may be merit in revisiting the penalty structure, aligning it with the sum initially sought by the complainant to ensure the integrity of the complaint forum. One notable absence in the Act is the 'right to be forgotten', a provision in comparable digital data protection legislations like the GDPR. 

Could edge computing unlock AI’s vast potential?

Beyond the increased performance that AI applications demand, a key benefit of the edge model is reliability and resilience. Consumers have taken to AI, with 73% worldwide saying they trust content produced by generative AI, and 43% keen for organizations to implement generative AI throughout customer interactions. Businesses that can’t keep their AI-powered services running will suffer from declining customer satisfaction and even a drop in market share. When a traditional data center suffers a power outage – perhaps due to a grid failure or natural disaster – apps reliant on these centralized data centers simply cannot function. Edge computing avoids this single point of failure: with compute more distributed, smart networks can instead use the processing power nearest to them to keep functioning. There are also benefits when it comes to data governance. If sensitive data is processed at the edge of the network, it doesn’t need to be processed in a public cloud or centralized data center, meaning fewer opportunities to steal data at rest or in transit. ... Finally, there are cost savings to think about. Cloud service providers often charge businesses to transfer data from their cloud storage.

Cloud security and devops have work to do

First, they are not given the budget to plug up these vulnerabilities. In some instances, this is true. Cloud and development security are often underfunded. However, in most cases, the funding is good or great relative to their peers, and the problems still exist. Second, they can’t find the talent they need. For the most part, this is also legit. I figure that there are 10 security and development security positions that are chasing a single qualified candidate. As I talked about in my last post, we need to solve this. Despite the forces pushing against you, there are some recommended courses of action. CISOs should be able to capture metrics demonstrating risks and communicate them to executives and the board. Those are hard conversations but necessary if you’re looking to take on these issues as an executive team and reduce the impact on you and the development teams when stuff hits the fan. In many instances, the C-levels and the boards consider this a ploy to get more budget—that needs to be dealt with as well. Actions that can remove some of this risk include continuous security training for software development teams. 

Windows-as-an-app is coming

Windows App, which is still in beta, will let you connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs from, well, pretty much any computing device. Specifically, you can use it from Macs, iPhones, iPads, other Windows machines, and — pay attention! — web browsers. That last part means you'll be able to run Windows from Linux-powered PCs, Chromebooks, and Android phones and tablets. So, if you've been stuck running Windows because your boss insists that you can't get your job done from a Chromebook, Linux PC, or Mac, your day has come. You can still run the machine you want and use Windows for only those times you require Windows-specific software. Mind you, you've been able to do that for some time. As I pointed out recently, all the Windows software vendors don't want you to run standalone Windows applications; they prefer web-based Software-as-a-Service (SaaS) applications. They can make a lot more money from you by insisting you pay a monthly subscription rather than a one-time payment. Sure, Microsoft made its first billions from Windows and the PC desktop, but that hasn't been its business plan for years now.

Q-Learning: Advancing Towards AGI and Artificial Superintelligence (ASI) through Reinforcement Learning

At its essence, Q-learning is akin to introducing a reward system to a computer, aiding it in deciphering the most effective strategies for playing a game. This process involves defining various actions that a computer can take in a given situation or state, such as moving left, right, up, or down in a video game. These actions and states are meticulously logged in what is commonly referred to as a Q-table. The Q-table serves as the computer’s playground for learning, where it keeps tabs on the quality (Q-value) of each action in every state. Initially, it’s comparable to a blank canvas – the computer embarks on this journey without prior knowledge of which actions will lead to optimal results. The adventure commences with exploration. The computer takes a plunge into trying out different actions randomly, navigating the game environment, and recording the outcomes in the Q-table. Think of it as the computer playfully experimenting and gradually figuring out the lay of the land. Learning from Rewards forms the core of Q-learning. Each time the computer takes an action, it earns a reward. 

ChatGPT Use Sparks Code Development Risks

Randy Watkins, CTO at Critical Start, advises organizations to build their own policies and methodology when it comes to the implementation of AI-generated code into their software development practices. “In addition to some of the standard coding best practices and technologies like static and dynamic-code analysis and secure CI/CD practices, organizations should continue to monitor the software development and security space for advancements in the space,” he told InformationWeek via email. He says organizations should leverage AI-generated code as a starting point but tap human developers to review and refine the code to ensure it meets standards. John Bambenek, principal threat hunter at Netenrich, adds leadership needs to “value secure code”, make sure that at least automated testing is part of all code going to production. “Ultimately, many of the risks of generative AI code can be solved with effective and thorough mandatory testing,” he noted in an email. He explains as part of the CI/CD pipeline, ensure mandatory testing is done on all production commits and routine comprehensive assessment is done on the entire codebase.

6 common problems with open source code integration

Closed source software is typically maintained, updated and patched exclusively by the software vendors, which can be a big benefit for development teams who lack the time, resources or expertise to do it themselves. Some open source platforms receive active support from proprietary software vendors, such as Red Hat Enterprise Linux and commercial distributions of Kubernetes. For the most part, however, organizations that deploy open source software are responsible for ensuring it remains updated. Failure to do so carries the risk of running outdated code that is buggy or has security vulnerabilities. This challenge is exacerbated by a lack of centralized management consoles or automated update processes that can help ensure all the open source components in use are up to date -- something often highlighted as an advantage of paying the price for proprietary software suites. This is another reason SCA tools are crucial for organizations that commit to the open source approach. While these tools don't provide automated update capabilities, they help the organization track what open source components exist and what each one's current version is. 

More questions for Australia cybersecurity strategy

Fairman believes that strategies are only good if they’re successfully implemented, and committing to reporting deadlines or processes is a way to reassure everyone that the government will do its best to stick to its plan. “We have to consider the financial impact of some of those measures on businesses, and the costs they will have to bear. The economy is still very much in a recovery phase, and many businesses will probably need some sort of financial support to afford cybersecurity upgrades. A cyber-health check for SMBs is great, but if most can’t afford to fill the identified cybersecurity gaps, the plan will fail,” added Fairman. ... As the strategy outlined six shields for cybersecurity, Thompson felt that there could have also been one dedicated solely to citizen responsibility would have been a useful inclusion. ... On sharing threat intelligence in the region, Thompson, who is also the former head of information warfare for the Australian Defense Forces, said that the government’s strong focus on sovereign industry is something for which he and others have long campaigned.

AI and contextual threat intelligence reshape defense strategies

Cybersixgill believes that in 2024, threat actors will use AI to increase the frequency and accuracy of their activities by automating large-scale cyberattacks, creating duplicitous phishing email campaigns, and developing malicious content targeting companies, employees, and customers. Malicious attacks like data poisoning and vulnerability exploitation in AI models will also gain momentum, which cause organizations to provide sensitive information to untrustworthy parties unwittingly. Similarly, AI models can be trained to identify and exploit vulnerabilities in computer networks without detection. Cybersixgill also predicts the rise of shadow generative AI, where employees use AI tools without organizational approval or oversight. Shadow generative AI can lead to data leaks, compromised accounts, and widening vulnerability gaps in a company’s attack surface. ... The C-suite and other executives will need a clearer understanding of their organization’s cybersecurity policies, processes, and tools. Cybersixgill believes companies will increasingly appoint cybersecurity experts on the Board to fulfill progressively stringent reporting requirements and conduct good cyber governance.

Quote for the day:

"Remember, teamwork begins by building trust. And the only way to do that is to overcome our need for invulnerability." -- Patrick Lencioni

No comments:

Post a Comment