Frenemies to friends: Developers and security tools
Cultural shifts happen when security is built into the developer’s existing
flow, as opposed to being injected as its own new stage in the pipeline. Look
for points in their process where they are already in “pause” or “edit” mode,
like at the Pull Request, where you can surface vulnerabilities and ask for
remediation efforts. Doing so can avoid context switching and feelings of
being interrupted. Capitalizing on an existing developer pause point can help
train your developers to look at security vulnerabilities like functionality
bugs, a skill they already have, while also shortening feedback loops. ...
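One concrete way to put a security check at the pull-request pause point described above is a CI job that runs a dependency audit on every PR and reports the result as a status check, so findings show up in the same review the developer is already in. This is an added example, not from the original article; it assumes a Python project with a `requirements.txt` at the repository root and GitHub Actions as the CI system (the pip-audit tool and the checkout/setup-python actions are real, the workflow itself is constructed here):

```yaml
# .github/workflows/pr-dependency-audit.yml (constructed example)
# Runs on every pull request so vulnerable dependencies are surfaced
# in the PR review, where the developer is already in "edit" mode.
name: pr-dependency-audit

on:
  pull_request:

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install pip-audit
        run: python -m pip install --upgrade pip pip-audit

      # pip-audit exits non-zero when a known-vulnerable package is pinned,
      # which marks the PR check as failed and blocks merge if the branch
      # protection rule requires this check.
      - name: Audit pinned dependencies
        run: pip-audit -r requirements.txt
```

Pairing this workflow with a branch-protection rule that requires the `audit` check turns the finding into something the developer triages like any other failing test, which is the "treat vulnerabilities like functionality bugs" habit the excerpt describes. Keeping `permissions` to `contents: read` limits what a compromised step in this job could do with the workflow token.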
Developer-to-developer enablement is key. There is often a feeling of mistrust
between engineering and security, but developers share the same interests and
have the same priorities. Let individual contributors have an opportunity to
educate and enable other individual contributors. If you have had a successful
pilot or PoC team, or notice self-motivated folks using the tool proactively,
give them space to share their experience with the tool.
The Joys and Pains of DevOps
DevOps is very much a culture change in the way development, operations and
even security work together. Even though DevOps aims to improve this, in many
cases, these areas still function in silos. There are times when one area
implements something that blocks another, and as a DevOps leader, you’re often
in the middle trying to figure out the best path forward while also finding an
acceptable middle ground. ... A well-engineered DevOps solution should render
the team invisible. That includes both the happy path, when deployments
succeed, as well as how well you enable teams to solve their deployment
issues. There is also one common element of what makes DevOps rewarding:
improving developer experience and business outcomes. Dale Francis, director
of product development at Climavision, says the rewards of DevOps come from
solving problems, so day-to-day operations become simple and the experience
for developers better. In addition, maturing as a DevOps organization also
lets everyone focus more on solving business problems, rather than fighting
technical issues.
Why Engineering Is Key To A Flourishing Workplace Culture
If your engineering strategy demands precision but your workplace culture
tolerates ambiguity and shortcuts, you won't get anywhere. If your engineering
strategy demands accountability but your workplace culture doesn't draw
connections between an individual's efforts and the higher goals of the
operation, you won't get anywhere. If your engineering strategy demands
innovation but your workplace culture rewards risk aversion, you won't get
anywhere. ... In an arena as complex and technical as engineering, it's easy
to lose sight of the human side. Whether your workplace is in-person, remote
or hybrid, it's crucial to create spaces (literal or virtual) where employees
feel connected and empowered to ask questions. Trust and creativity flourish
in an environment where autonomy and authentic connections coexist. ...
Inertia is fatal to engineering. Regularly evaluate and adopt new
technologies. Find out what your customers need. Find out what hurdles they're
up against. Think three steps ahead so your tech stack supports the evolving
needs of your business and the market.
Life's Too Short to Work With Incompatible People
Celebrate failure and learn to give feedback. When you embrace failure, you
learn and course-correct more quickly. Failure is a sign you're doing
something right. You're testing, learning, flexing your creative muscles and
moving on efficiently after hitting a brick wall. You must build a team open
to feedback to make the most of your failures for the company's good. Feedback
is the mode by which we make positive changes out of failure. The challenge?
Feedback makes most people cringe. We associate it with criticism as opposed
to growth. ... Clear communication may seem like an obvious necessity on
high-performing teams, but it's something that's often taken for granted.
Unclear communication can quickly tank a team's efforts. A team that has
mastered precise communication, on the other hand, can achieve incredible
outcomes quickly. We follow an "open book" mentality at Wistia. On all-hands
calls, we share candid information about the state of the company – inclusive
of the good and the bad – so everyone has the big picture.
Researchers demo new CI/CD attack techniques in PyTorch supply-chain
Khan initially found a critical vulnerability that could have led to the
poisoning of GitHub Actions’ official runner images. The “runners” are the VMs
that execute build actions defined inside GitHub Actions workflows. After
reporting the vulnerability to GitHub and receiving a $20,000 bug bounty for
it, Khan realized that the core issue he found was systemic and that thousands
of other repositories were likely impacted. Since then, Khan and Stawinski
found vulnerabilities in the software repositories and development
infrastructure of major corporations and software projects and collected
hundreds of thousands of dollars in rewards through bug bounty programs. Their
“victims” included Microsoft Deepspeed, a Cloudflare application, the
TensorFlow machine-learning library, the crypto wallets and nodes of several
blockchains, and PyTorch, one of the most widely used open-source
machine-learning frameworks. PyTorch was originally developed by Meta AI, a
subsidiary of Meta, but its development is now governed by the PyTorch
Foundation, an independent organization that operates under the Linux
Foundation’s umbrella.
For a Secure Foundation, Health Systems Must Address Technical Debt
We need to update network equipment, workstations. We may still even have Windows
2003 and 2008. And hardware is not as expensive as the applications that are
on there. So that level of technical debt and competing for those dollars
where in healthcare you need to have nice offices and that type of thing. So
we’re competing with those, with other projects or capital where other
organizations may think of that as just an ongoing IT update expense. ... I
might hear this stuff at home occasionally, but it’s the same with IT
projects. “Hey, we had an acquisition. We got them up and running. We didn’t
take care of their technical debt so we’re assuming that.” We’re going through
some of those servers now, it’s like, can we even find anybody that knows
anything about it, or is it just everyone’s afraid to turn it off? What I like
to say is if you didn’t sit around the right campfire, you don’t know the
story. So for me, my job sometimes is just to keep asking those questions:
“Who knows something about this server?” Sometimes it comes down to the scream
test, but I’ve developed a quality, I call it positive persistence. I just
keep asking questions politely until we make progress.
The way forward is to make technology 'human-like': Report
As the world undergoes a massive technological transformation, artificial
intelligence (AI) and other disruptive technologies will increasingly adopt a
more human-like or "Human by Design" approach, according to a new study
published on Wednesday. As these technologies become more human-like and
intuitive for people to use, they will increasingly lead to a new era of
unprecedented productivity and creativity, said the report, titled 'Accenture
Technology Vision 2024: Human by design, how AI unleashes the next level of
human potential,' which also emphasizes that enterprises that prepare for this
shift now will be the winners in the future. The research further highlights
that as human-centric technologies continue to advance, they are becoming
easier to interact with and more seamlessly integrated into every aspect of
our lives. ... As AI, spatial computing, and body-sensing technologies evolve
to imitate human capabilities and become less noticeable, the true focus will
be on the people who are empowered with new capabilities to achieve what was
once considered impossible.
Expert Insight: Andrew Snow on a landmark GDPR ruling
For organisations, it makes clear beyond all doubt that ignorance isn’t an
excuse. In fact, if organisations – or managers within them – plead ignorance
to the infringement now, they may face a higher fine than if they had taken
responsibility for their actions. For regulators, an important precedent has
been set. This ruling has provided them with clear direction on where the line
falls when deciding on issuing administrative penalties, including fines. For
instance, the EDPB [European Data Protection Board] recently reported on
another case, involving the Slovak and Hungarian authorities, where there was
a dispute over the ownership. The Hungarian regulator ultimately determined
that both parties jointly determined the purposes of processing, so were joint
controllers – and as such, breached the GDPR because their agreement failed to
document this and, by extension, their respective responsibilities. Given the
timing of this decision, it probably wasn’t influenced by the ECJ ruling, but
I expect that future cases like this would use the ruling as a precedent.
What Are Digital Twins and How Can They Be Used in Healthcare?
Trayanova’s research is on applying personalized digital twin approaches to
clinical decision-making. She aims to improve predictive diagnostics and to
predict optimal treatment plans for patients. This is currently being used to
treat patients with heart rhythm disorders. At Johns Hopkins, Trayanova and
her team can create a personalized digital twin representing the geometry of a
patient’s heart. The digital twin includes the heart’s structure; disease
remodeling such as damage, fibrosis and inflammation identified through MRI or
PET scans; and its electrical wave propagation. When an electrical wave
propagates to the heart, it triggers a contraction. However, if a patient has
scarring or other damage, the wave will catch in that area and, rather than
propagating through the heart, it will recirculate and cause an arrhythmia. To
treat the arrhythmia, the digital twin must accurately represent the damage as
well as the electrical activity of each cell in the heart. “Now you have
something that dynamically links the heart’s components,” Trayanova says.
Using the digital twin, she and her team can send a signal and watch how the
electrical wave propagates through the model.
What will the metaverse mean for business models?
In media and entertainment, the primary model of business has evolved from
ownership to subscription. In the past, most people bought CDs and DVDs to
build a collection – today, owning vinyl is booming in popularity again. But
for the majority of people, the accepted model is accessing songs, films and
TV series online and building your own virtual library. The difference is that
if you stop paying the subscription, you have nothing. Will it be the same in
the metaverse? We’ll have to wait and see. But it’s safe to assume that people
will want ownership of their assets without paying a subscription (except for
the wallet that protects them). To complicate things, there is the question of
what role content from Generative AI will play in metaverse business models.
Today, it’s generally accepted that no one owns work created by Generative AI.
But won't this change? In fact, this assumption may even be wrong – in the UK
for example, the law implies that the creators of the AI platform own anything
wholly created by it.
Quote for the day:
"Great leaders do not desire to lead
but to serve." -- Myles Munroe